W23 SPR100 Lab 6 v3 (1)
School: Seneca College
Course: 100
Subject: Information Systems
Date: Dec 6, 2023
SPR100
Labs
Lab 6: A Happy Day Phishing (2%)
Overview:
In this lab assignment you’ll be learning about phishing attacks and email header spoofing. Specifically, you’ll be doing the following:
- Downloading and installing a mail client
- Connecting the mail client to the mail server
- Exchanging normal emails and emails with the display information changed
- Logging in to the mail server and sending bogus emails
- Testing yourself to see if you can identify a phishing attack
Note: All screen-shots must have your command-line title with name, date and time visible
Objective:
1. Demonstrate how SMTP commands can be used to forge email headers
2. Learn how to identify a phishing attack
Background: SMTP and Email Headers
Email spoofing is a technique, used by many web-based attacks, which creates a forged email header so that the message appears to have originated from someone or somewhere other than the actual source. Most spoofed e-mail falls into the "nuisance" category and requires little action other than deletion, but the more malicious varieties can cause serious problems and security risks. For example, phishing scams and spammers often spoof addresses in order to get recipients to open, and possibly even respond to, their solicitations.
A phishing scam will often send a spoofed e-mail which purports to be from someone in a position of authority, asking for sensitive data, such as passwords, credit card numbers, or other personal information. A spammer may send a spoofed email which appears to be from a personal friend, sending an attachment which, when clicked, redirects the user to a malicious web site which downloads and installs spyware, a key logger or a rootkit – a technique called “drive-by downloads”. The goal of spammers can be criminal, such as the theft of personal information, which they sell, or commercial, profiling the user in order to send him/her targeted advertisements. This lab explains how and why such attacks are successful.
E-mail forging is possible because the Simple Mail Transfer Protocol (SMTP), used by email servers to exchange emails, does not perform any verification or authentication. The fact that anyone can send anonymous or forged emails is exploited by unscrupulous people for personal gain. Your e-mail client uses SMTP to send a message to the mail server, and the mail server uses SMTP to relay that message to the correct receiving mail server.
To prevent abuse of an SMTP server, the server must be configured as follows:
1. To accept a message, either the sender’s or the recipient’s address must belong to the same domain as the server
2. To send a message, the sender must belong to the same domain as the mail server and the server will only forward the message to a server of that domain.
NB: Spoofing anyone other than yourself is illegal.
The Lab Activities
Part 1: Mail Client Setup (Security Lab)
1. Check that your VMM and Win10 VM have the correct configurations to access the Security Lab network
2. Start up the Windows 10 VM and log in
3. If the Thunderbird mail client is not already installed on your Win 10 VM do the following:
   - Download the mail client Thunderbird from the Security Lab server – Under SPR100
   - Install Thunderbird on to the VM
4. Configure Thunderbird based on the e-mail address you have been assigned by the instructor and using the details given in Figure 1 below
   Note: you will substitute your own name for “Your name” and your mail address is ‘mail<number>@securitylab.net’. The <number> can be found by running the ‘ipconfig /all’ command and looking at the Host Name. Use the middle number in the host name for <number>.
5. The password will be given in class.
   Figure 1: Thunderbird account configuration
6. Take a screen-shot of the set-up account screen above and save it as MSU_mail_config.jpg and insert it into your lab report under the heading: “Mail Configuration”
7. Click ‘Continue’; it should then find the configuration for ingoing and outgoing mail. You should then get a ‘Warning’ dialog. Check ‘I understand the risks’ and click ‘Done’
8. For ‘System Integration’, select ‘Skip Integration’
Part 2: Sending and Receiving Mail (Security Lab – Optional)
To demonstrate that the Thunderbird mail client and mail server are acting as you would expect, send a polite email to another member of the class using their Security Lab mail server email address and have them send you an email to your Security Lab mail server email address, i.e. the email address above.
Part 3: Sending and Receiving Mail – Changing Your “Display Information” (Security Lab)
The simplest level of spoofing attack is changing the display name on an email before it is sent. Figure 2 and Figure 3 show my default “display” details and my fake “display” name.
Figure 2: Default display name
Figure 3: Modified display name
Steps:
- Modify your display details to something interesting and take a screenshot showing the account setting (as above); name it “MSU_displaysettings.jpg” and insert it in your lab report under the heading “Display Spoofing”.
- Send yourself an email and take a screen-shot of your inbox – make sure the “From” column is present so the fake display details are visible – and save it as “MSU_fakeFrom.jpg”. Insert the screenshot under the previous image.
Part 4: Sending Yourself and the Instructor a Forged Email (Security Lab)
A more sophisticated and harder to detect method of forging an email is to send a forged email from the SMTP server itself. To illustrate how easy it is to send a forged email, you will send forged emails to:
1. Your Security Lab mail server account
2. Your instructor’s mail server account: “instructor1@securitylab.net”
To do this you’ll be using the SMTP server. The six SMTP commands to use are HELO, MAIL FROM, RCPT TO, DATA, SUBJECT and QUIT. What to type after each command is displayed in bold.
HELO: – identifies the host to the SMTP server – mail.ifslab.net
MAIL FROM: – this is your fake address – source email address
RCPT TO: – destination email address – mail<n>@securitylab.net
DATA: – identifies the beginning of the email message content
Subject: – identifies the subject line of the email message – enter your email subject here
. – a period on a line by itself ends the data stream
QUIT – terminates the session
Note: Press the Enter key wherever the (ENTER KEY) is shown. Back-spacing does not actually work even though it seems to allow you to backspace. You will need to re-enter the whole message again.
Steps:
1. Open a command window on the Security Lab workstation desktop
2. Type the following command on the command-line
   telnet smtp.securitylab.net 25 (ENTER KEY)
   Note: If the above does not work, do the following on your Windows 10 VM
   - Open Putty
   - Change the connection type to Telnet and specify port number to be 25
   - Enter the host address as: smtp.securitylab.net
   - Click on ‘Open’. A command prompt window should open and you should enter the command below.
3. Using the command-line type the following, substituting information where required to send a forged email to yourself e.g. for the MAIL FROM entry.
   HELO (ENTER KEY)
   HELO mail.securitylab.net (ENTER KEY)
   MAIL FROM: you@domain.com (ENTER KEY)
   RCPT TO: mail<n>@securitylab.net (ENTER KEY)
   DATA (ENTER KEY)
   SUBJECT: SPR100 <Your Name> (ENTER KEY)
   Type your message here!
   (Type the . to end the message being sent)
   .
   QUIT
Figure 4 gives you an example of what the commands look like.
Figure 4: Complete SMTP session
Take a screenshot of:
   o SMTP session, saving it as “MSU_smtp.jpg” and insert it into your lab report under the heading “SMTP Session”.
   o The received forged message and save it as “MSU_forgedmail.jpg” and insert it into your lab report under the heading “Forged Email”
4. Repeat the above sending a forged email to the instructor. Ensure you include your name in the subject line of the email. Not doing so means the instructor will not know who sent the message!
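Added example, not part of the original lab handout: a Python check a recipient could run over the raw headers of a received message to flag the display-name change from Part 3 and the forged sender from Part 4. The sample messages, the mailbox number in mail7, the host name mx.example and the Authentication-Results line are constructed assumptions; Return-Path is the header in which the delivering server records the SMTP MAIL FROM address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", re.I)

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def spoofing_indicators(raw):
    """Return indicator strings for one raw message (indicators, not proof)."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    # Return-Path is written at delivery from the SMTP MAIL FROM value.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    if not from_addr:
        # Subject is a header typed inside DATA; a session that types only
        # Subject there produces a message with no From header at all.
        findings.append("missing-from-header")
    shown = ADDR_RE.search(display)
    if shown and shown.group(0).lower() != from_addr.lower():
        findings.append("display-name-shows-other-address")
    if from_addr and envelope and _domain(from_addr) != _domain(envelope):
        findings.append("from-vs-envelope-domain-mismatch")
    for header in msg.get_all("Authentication-Results", []):
        findings += [f"{m.group(1)}={m.group(2)}".lower()
                     for m in AUTH_RE.finditer(header)]
    return findings

# Constructed sample messages (not captured from the lab mail server);
# "mx.example" and the Authentication-Results line are assumptions.
NORMAL = ("Return-Path: <mail7@securitylab.net>\n"
          "From: Student Seven <mail7@securitylab.net>\n"
          "Subject: hello\n\nHi\n")
DISPLAY_CHANGED = ("Return-Path: <mail7@securitylab.net>\n"
                   'From: "instructor1@securitylab.net" <mail7@securitylab.net>\n'
                   "Subject: hello\n\nHi\n")
TYPED_SESSION = ("Return-Path: <you@domain.com>\n"
                 "Authentication-Results: mx.example; spf=fail\n"
                 "Subject: SPR100 Your Name\n\nType your message here!\n")
FORGED_FROM = ("Return-Path: <you@domain.com>\n"
               "From: instructor1@securitylab.net\n"
               "Subject: hello\n\nHi\n")

if __name__ == "__main__":
    for name in ("NORMAL", "DISPLAY_CHANGED", "TYPED_SESSION", "FORGED_FROM"):
        print(name, spoofing_indicators(globals()[name]))
```

A From/Return-Path domain mismatch also occurs in legitimate mailing-list and bulk mail, so treat each finding as a reason to inspect the full headers rather than as a verdict.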
Part 5: Phishing (Internet)
Phishing is a specialized form of social engineering and "injection" technique which “spoofs” an entire web site and tricks a user into giving confidential information to the attacker. The best line of defense is to recognize emails and web messages that could be phishing attacks:
1. Navigate to https://www.opendns.com/phishing-quiz/
   This web site presents you with a quiz of real phishing scams and educates users on how to spot them. The quiz consists of 14 fake and genuine email messages.
2. Do the quiz and take a screen shot of the page that has your final scores and save the file as “MSU_test.jpg”. Insert the screenshot into your lab report under the heading “Phishing Quiz”.
Report Submission
Now that you have filled out the lab report, you need to submit it along with your elog book. This is done through the submission link given with the lab on Blackboard.