Git/mgeeky-Penetration-Testing-Tools
1
0
Fork 0
mirror of https://github.com/mgeeky/Penetration-Testing-Tools.git synced 2025-11-04 04:55:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Mariusz B. / mgeeky
2021-10-27 02:52:17 +02:00
parent 815e394005
commit 13db757a28
2 changed files with 249 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -5,7 +5,7 @@ Most of them came handy at least once during my real-world engagements.
**Notice:** In order to clone this repository properly - use `--recurse-submodules` switch: **Notice:** In order to clone this repository properly - use `--recurse-submodules` switch:
``` ```
bash$ git clone --recurse-submodules https://github.com/mgeeky/Penetration-Testing-Tools git clone --recurse https://github.com/mgeeky/Penetration-Testing-Tools.git
``` ```
Most of these files were initially shared on my [Gists](https://gist.github.com/mgeeky) but eventually got moved into this repository. Most of these files were initially shared on my [Gists](https://gist.github.com/mgeeky) but eventually got moved into this repository.

292
phishing/decode-spam-headers.py
View File

@@ -325,7 +325,7 @@ class SMTPHeadersAnalysis:
'mailgun', 'sendgrid', 'mailchimp', 'x-ses', 'x-avas', 'X-Gmail-Labels', 'X-vrfbldomain', 'mailgun', 'sendgrid', 'mailchimp', 'x-ses', 'x-avas', 'X-Gmail-Labels', 'X-vrfbldomain',
'mandrill', 'bulk', 'sendinblue', 'amazonses', 'mailjet', 'postmark', 'postfix', 'dovecot', 'roundcube', 'mandrill', 'bulk', 'sendinblue', 'amazonses', 'mailjet', 'postmark', 'postfix', 'dovecot', 'roundcube',
'seg', '-IP', 'crosspremises', 'brightmail', 'check', 'exim', 'postfix', 'exchange', 'microsoft', 'office365', 'seg', '-IP', 'crosspremises', 'brightmail', 'check', 'exim', 'postfix', 'exchange', 'microsoft', 'office365',
'dovecot', 'sendmail' 'dovecot', 'sendmail', 'score', 'report', 'status',
) )
Headers_Known_For_Breaking_Line = ( Headers_Known_For_Breaking_Line = (
@@ -574,6 +574,20 @@ class SMTPHeadersAnalysis:
), ),
} }
Barracuda_Score_Thresholds = [
[0.0, 2.99, logger.colored('Delivered to Inbox', 'green')],
[3.0, 4.99, logger.colored('Delivered to Inbox. Subject line tagged with [Suspected SPAM]', 'yellow')],
[5.0, 6.99, logger.colored('Delivered to Barracuda Quarantine Inbox', 'red')],
[7.0, 10.0, logger.colored('Blocked from delivery', 'red')],
]
Barracuda_Aggressive_Score_Thresholds = [
[0.0, 1.99, logger.colored('Delivered to Inbox', 'green')],
[2.0, 3.49, logger.colored('Delivered to Inbox. Subject line tagged with [SPAM?]', 'yellow')],
[3.5, 5.00, logger.colored('Delivered to Barracuda Quarantine Inbox', 'red')],
[5.1, 10.0, logger.colored('Blocked from delivery', 'red')],
]
Trend_Type_AntiSpam = { Trend_Type_AntiSpam = {
1 : logger.colored('Spam', 'red'), 1 : logger.colored('Spam', 'red'),
2 : logger.colored('Phishing', 'red'), 2 : logger.colored('Phishing', 'red'),
@@ -909,7 +923,6 @@ class SMTPHeadersAnalysis:
) )
def __init__(self, logger, resolve, decode_all): def __init__(self, logger, resolve, decode_all):
self.text = '' self.text = ''
self.results = {} self.results = {}
@@ -1120,7 +1133,6 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
('ARC-Authentication-Results', self.testARCAuthenticationResults), ('ARC-Authentication-Results', self.testARCAuthenticationResults),
('Received-SPF', self.testReceivedSPF), ('Received-SPF', self.testReceivedSPF),
('Mail Client Version', self.testXMailer), ('Mail Client Version', self.testXMailer),
('X-Originating-IP', self.testXOriginatingIP),
('User-Agent Version', self.testUserAgent), ('User-Agent Version', self.testUserAgent),
('X-Forefront-Antispam-Report', self.testForefrontAntiSpamReport), ('X-Forefront-Antispam-Report', self.testForefrontAntiSpamReport),
('X-Microsoft-Antispam-Mailbox-Delivery', self.testAntispamMailboxDelivery), ('X-Microsoft-Antispam-Mailbox-Delivery', self.testAntispamMailboxDelivery),
@@ -1153,7 +1165,6 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
('X-IronPort-SenderGroup', self.testXIronPortSenderGroup), ('X-IronPort-SenderGroup', self.testXIronPortSenderGroup),
('X-Policy', self.testXPolicy), ('X-Policy', self.testXPolicy),
('X-IronPort-MailFlowPolicy', self.testXIronPortMailFlowPolicy), ('X-IronPort-MailFlowPolicy', self.testXIronPortMailFlowPolicy),
('X-Remote-IP', self.testXRemoteIP),
('X-SEA-Spam', self.testXSeaSpam), ('X-SEA-Spam', self.testXSeaSpam),
('X-FireEye', self.testXFireEye), ('X-FireEye', self.testXFireEye),
('X-AntiAbuse', self.testXAntiAbuse), ('X-AntiAbuse', self.testXAntiAbuse),
@@ -1173,10 +1184,18 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
('X-Scanned-By', self.testXScannedBy), ('X-Scanned-By', self.testXScannedBy),
('X-Mimecast-Spam-Signature', self.testXMimecastSpamSignature), ('X-Mimecast-Spam-Signature', self.testXMimecastSpamSignature),
('X-Mimecast-Bulk-Signature', self.testXMimecastBulkSignature), ('X-Mimecast-Bulk-Signature', self.testXMimecastBulkSignature),
('X-Sender-IP', self.testXSenderIP),
('X-Forefront-Antispam-Report-Untrusted', self.testForefrontAntiSpamReportUntrusted), ('X-Forefront-Antispam-Report-Untrusted', self.testForefrontAntiSpamReportUntrusted),
('X-Microsoft-Antispam-Untrusted', self.testForefrontAntiSpamUntrusted), ('X-Microsoft-Antispam-Untrusted', self.testForefrontAntiSpamUntrusted),
('X-Mimecast-Impersonation-Protect', self.testMimecastImpersonationProtect), ('X-Mimecast-Impersonation-Protect', self.testMimecastImpersonationProtect),
('X-Proofpoint-Spam-Details', self.testXProofpointSpamDetails),
('X-Proofpoint-Virus-Version', self.testXProofpointVirusVersion),
('SPFCheck', self.testSPFCheck),
('X-Barracuda-Spam-Score', self.testXBarracudaSpamScore),
('X-Barracuda-Spam-Status', self.testXBarracudaSpamStatus),
('X-Barracuda-Spam-Report', self.testXBarracudaSpamReport),
('X-Barracuda-Bayes', self.testXBarracudaBayes),
('X-Barracuda-Start-Time', self.testXBarracudaStartTime),
# #
# These tests shall be the last ones. # These tests shall be the last ones.
@@ -1258,7 +1277,7 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
raise raise
for k in self.results.keys(): for k in self.results.keys():
if len(self.results[k]) == 0: if not self.results[k] or len(self.results[k]) == 0:
continue continue
for kk in ['description', 'header', 'value']: for kk in ['description', 'header', 'value']:
@@ -1366,6 +1385,68 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
'description' : '', 'description' : '',
} }
def testXProofpointSpamDetails(self):
(num, header, value) = self.getHeader('X-Proofpoint-Spam-Details')
if num == -1: return []
result = '- Proofpoint Email Protection Spam details report\n'
self.securityAppliances.add('Proofpoint Email Protection')
return self._parseProofpoint(result, '', num, header, value)
def _parseProofpoint(self, topic, description, num, header, value):
value = SMTPHeadersAnalysis.flattenLine(value)
parts = value.split(' ')
result = topic
for part in parts:
if '=' not in part:
result += f'\t- {part}\n'
else:
(k, v) = part.split('=')
col = 'yellow'
if k.lower() == 'rule':
if v.lower() == 'notspam': col = 'green'
elif v.lower() == 'spam': col = 'red'
elif 'definitive' in v.lower(): col = 'red'
elif 'malware' in v.lower(): col = 'red'
elif 'phish' in v.lower(): col = 'red'
elif 'quarantine' in v.lower(): col = 'red'
v = self.logger.colored(v.upper(), col)
elif k.lower() == 'vendor':
v = self.logger.colored(v, 'green')
else:
try:
num = float(v)
if num > 0:
v = self.logger.colored(v, 'yellow')
else:
v = self.logger.colored(v, 'green')
except:
pass
result += f'\t- {k: <20}: {v}\n'
return {
'header': header,
'value' : value,
'analysis' : result,
'description' : description,
}
def testXProofpointVirusVersion(self):
(num, header, value) = self.getHeader('X-Proofpoint-Virus-Version')
if num == -1: return []
result = '- Proofpoint Email Protection Anti-Virus version\n'
self.securityAppliances.add('Proofpoint Email Protection')
return self._parseProofpoint(result, '', num, header, value)
def testXTMVersion(self): def testXTMVersion(self):
(num, header, value) = self.getHeader('X-TMASE-Version') (num, header, value) = self.getHeader('X-TMASE-Version')
if num == -1: return [] if num == -1: return []
@@ -1385,6 +1466,105 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
'analysis' : result, 'analysis' : result,
'description' : '', 'description' : '',
} }
def _parseThresholdsBasedScore(self, value, thresholds):
score = 0
try:
score = float(value.strip())
except:
return ''
for step in thresholds:
if score >= step[0] and score <= step[1]:
return step[2]
return ''
def testXBarracudaSpamScore(self):
(num, header, value) = self.getHeader('X-Barracuda-Spam-Score')
if num == -1: return []
result = '- Barracuda Email Security Spam Score\n'
self.securityAppliances.add('Barracuda Email Security')
thresholds = SMTPHeadersAnalysis.Barracuda_Score_Thresholds
aggressive = False
if aggressive:
thresholds = SMTPHeadersAnalysis.Barracuda_Aggressive_Score_Thresholds
score = self._parseThresholdsBasedScore(value, thresholds)
result += f'\t- Score: {value.strip()}'
if score != '':
result += f' - {score}'
return {
'header': header,
'value' : value,
'analysis' : result + '\n',
'description' : '',
}
def testXBarracudaSpamStatus(self):
(num, header, value) = self.getHeader('X-Barracuda-Spam-Status')
if num == -1: return []
result = '- Barracuda Email Security Spam Status (based on SpamAssassin)\n\n'
self.securityAppliances.add('Barracuda Email Security')
thresholds = SMTPHeadersAnalysis.Barracuda_Score_Thresholds
aggressive = False
if aggressive:
thresholds = SMTPHeadersAnalysis.Barracuda_Aggressive_Score_Thresholds
return self._parseSpamAssassinStatus(result, '', num, header, value, thresholds)
def testXBarracudaSpamReport(self):
(num, header, value) = self.getHeader('X-Barracuda-Spam-Report')
if num == -1: return []
result = f'- Barracuda Email Security Spam Report:\n\t- {value.strip()}\n'
self.securityAppliances.add('Barracuda Email Security')
return {
'header': header,
'value' : value,
'analysis' : result,
'description' : '',
}
def testXBarracudaBayes(self):
(num, header, value) = self.getHeader('X-Barracuda-Bayes')
if num == -1: return []
result = f'- Barracuda Email Security Spam Bayesian analysis:\n\t- {value.strip()}\n'
self.securityAppliances.add('Barracuda Email Security')
return {
'header': header,
'value' : value,
'analysis' : result,
'description' : '',
}
def testXBarracudaStartTime(self):
(num, header, value) = self.getHeader('X-Barracuda-Start-Time')
if num == -1: return []
ts = int(value.strip())
val = datetime.utcfromtimestamp(ts).strftime('%Y-%m-%d %H:%M:%S')
result = f'- Barracuda Email Security Start Time: {self.logger.colored(val, "green")} ({ts})\n'
self.securityAppliances.add('Barracuda Email Security')
return {
'header': header,
'value' : value,
'analysis' : result,
'description' : '',
}
def testXTMProductVer(self): def testXTMProductVer(self):
(num, header, value) = self.getHeader('X-TM-AS-Product-Ver') (num, header, value) = self.getHeader('X-TM-AS-Product-Ver')
@@ -1712,6 +1892,21 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
'description' : '', 'description' : '',
} }
def testSPFCheck(self):
(num, header, value) = self.getHeader('SPFCheck')
if num == -1: return []
result = f'- SPF Check:\n'
for line in value.split(','):
result += f'\t- {line.strip()}\n'
return {
'header': header,
'value' : value,
'analysis' : result,
'description' : '',
}
def testXTMASSMTP(self): def testXTMASSMTP(self):
(num, header, value) = self.getHeader('X-TM-AS-SMTP') (num, header, value) = self.getHeader('X-TM-AS-SMTP')
if num == -1: return [] if num == -1: return []
@@ -1836,27 +2031,6 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
'description' : '', 'description' : '',
} }
def testXSenderIP(self):
(num, header, value) = self.getHeader('X-Sender-IP')
if num == -1: return []
result = f'- Connecting Client probably leaved its IP address: '
return self._originatingIPTest(result, '', num, header, value)
def testXRemoteIP(self):
(num, header, value) = self.getHeader('X-Remote-IP')
if num == -1: return []
result = f'- Connecting Client probably leaved its IP address: '
return self._originatingIPTest(result, '', num, header, value)
def testXOriginatingIP(self):
(num, header, value) = self.getHeader('x-originating-ip')
if num == -1: return []
result = f'- Connecting Client leaved its IP address: '
return self._originatingIPTest(result, '', num, header, value)
def testXIronPortRemoteIP(self): def testXIronPortRemoteIP(self):
(num, header, value) = self.getHeader('X-IronPort-RemoteIP') (num, header, value) = self.getHeader('X-IronPort-RemoteIP')
if num == -1: return [] if num == -1: return []
@@ -2534,17 +2708,22 @@ Src: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA
self.securityAppliances.add('SpamAssassin') self.securityAppliances.add('SpamAssassin')
result = '- SpamAssassin spam report\n\n' result = '- SpamAssassin spam report\n\n'
return self._parseSpamAssassinStatus(result, '', num, header, value)
def _parseSpamAssassinStatus(self, topic, description, num, header, value, thresholds):
parsed = {} parsed = {}
result = topic
col = 'green' col = 'green'
parsed['_result'] = value.strip().split(',')[0] _result = value.strip().split(',')[0]
parsed['_result'] = _result
if parsed['_result'].lower() == 'yes': if parsed['_result'].lower() == 'yes':
col = 'red' col = 'red'
parsed['_result'] = self.logger.colored(value.strip().split(',')[0], col) parsed['_result'] = self.logger.colored(value.strip().split(',')[0].upper(), col)
pos = len(parsed['_result'])+2 pos = len(_result)+2
extranum = 0
stop = False stop = False
while pos < len(value): while pos < len(value):
@@ -2552,6 +2731,15 @@ Src: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA
if pose == -1: break if pose == -1: break
k = value[pos:pose] k = value[pos:pose]
pos2 = len(k) - 1
while pos2 >= 0:
if k[pos2] == ' ':
parsed[f'extra{extranum}'] = k[:pos2]
k = k[pos2+1:]
extranum += 1
break
pos2 -= 1
l = len(k) - len(k.lstrip()) l = len(k) - len(k.lstrip())
if l > 0: if l > 0:
@@ -2580,27 +2768,43 @@ Src: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA
if stop: if stop:
break break
keys = [x.lower() for x in parsed.keys()]
if 'tag_level' in keys:
level = float(parsed[list(parsed.keys())[keys.index('tag_level')]])
thresholds[0][1] = level - 0.01
thresholds[1][0] = level
if 'quarantine_level' in keys:
level = float(parsed[list(parsed.keys())[keys.index('quarantine_level')]])
thresholds[1][1] = level - 0.01
thresholds[2][0] = level
if 'kill_level' in keys:
level = float(parsed[list(parsed.keys())[keys.index('kill_level')]])
thresholds[2][1] = level - 0.01
thresholds[3][0] = level
for k, v in parsed.items(): for k, v in parsed.items():
if k in SMTPHeadersAnalysis.SpamAssassin_Spam_Status[1].keys(): if k in SMTPHeadersAnalysis.SpamAssassin_Spam_Status[1].keys():
k0 = self.logger.colored(k, 'magenta') k0 = self.logger.colored(k, 'magenta')
result += f'\t- {k0}: ' + SMTPHeadersAnalysis.SpamAssassin_Spam_Status[1][k] + '\n' result += f'\t- {k0}: ' + SMTPHeadersAnalysis.SpamAssassin_Spam_Status[1][k] + '\n'
if type(v) == str:
result += f'\t\t- {v}\n'
else:
result += f'\t\t- elements {len(v)}:\n'
for a in v:
result += f'\t\t\t- {a}\n'
else: else:
k0 = self.logger.colored(k, 'magenta') k0 = self.logger.colored(k, 'magenta')
result += f'\t- {k0}: \n' result += f'\t- {k0}: \n'
if type(v) == str: if k.lower() == 'score':
result += f'\t\t- {v}\n' score = self._parseThresholdsBasedScore(v, thresholds)
else: if score != '':
result += f'\t\t- elements {len(v)}:\n' v += f' - {score}'
for a in v:
result += f'\t\t\t- {a}\n' if type(v) == str:
result += f'\t\t- {v}\n'
else:
result += f'\t\t- elements {len(v)}:\n'
for a in v:
result += f'\t\t\t- {a}\n'
result += '\n' result += '\n'
@@ -2608,7 +2812,7 @@ Src: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA
'header' : header, 'header' : header,
'value': value, 'value': value,
'analysis' : result, 'analysis' : result,
'description' : '', 'description' : description,
} }
def testDomainImpersonation(self): def testDomainImpersonation(self):