Analyzing E-MAIL HEADERS

Sometimes you might receive emails that seem suspicious, and sometimes you might get the actual .eml file from someone else. Either way, there are ways to check the email by analyzing its headers. I honestly just grab the .eml file and rename it to a .txt extension, which gives me a lot of information and details about the email itself. I am not telling you to do what I do; what I am telling you is to do what works for you and explore different ways to check those email headers.

Nowadays I would think email is the worst nightmare for all IT professionals who are in charge of guarding the network. You might say, why is that? Well, the fact that an attacker can use any computer to pivot inside the network is very scary. In fact, a well-skilled attacker will take over the whole organization if there are no safeguards in place.

Some websites that I found that are really cool to play with while analyzing email headers are:

https://md5file.com/calculator

Why that site: you want to make sure you do not mess with the file, and at the same time the hash allows you to kind of verify that trust. Me, I just think outside the box and I like disposable emails; somehow in the analysis process I always end up using one. Here is the link:

https://www.guerrillamail.com

Now into the more technical part: you can grab the headers of the email and paste them into this site.

https://mxtoolbox.com/EmailHeaders.aspx

The site gives you some good information about the email; sometimes you might even get an IP. Another website that I discovered that is very good for analyzing email headers is:

https://mailheader.org/

You might even be able to get a map with the IP location using the advanced features. If you want to play games and try to find more info about the email, you can use the tool GRABIFY IP LOGGER 😉 I was told about this tool by my boss; my boss is the best I have ever seen at doing this kind of stuff. The website itself has instructions on how to use it. Here is the link:

https://grabify.link/

As some of you know, my favorite language is PHP. With that being said, know that there is a lot of crazy stuff that you can do with PHP, including sending emails via a script. Here is a working example of the PHP mail function 🙂

https://www.w3schools.com/php/func_mail_mail.asp

Want to get some payback on the person who keeps sending you emails? You can always use a PHP email injection example from here:

https://resources.infosecinstitute.com/topic/email-injection/

If you want to know or learn more about mail injections, there is this YouTube video:

https://www.youtube.com/watch?v=123TBnzk02A&ab_channel=MotasemHamdan

Keep in mind that you might need a proxy, but that’s just a piece of cake. After I started learning all this stuff and knowing how you can set variables in the browser, I finally understand how this can be abused. As a developer I understood the GET and POST methods but never really understood how they can be abused. In theory, the fact that you can probably add a piece of code there to tell you if the email got opened or not is crazy. Keep in mind that PHP is a server-side language. But what else can you use with PHP? JavaScript. Here is how you can get a shell with JavaScript:

https://kalilinuxtutorials.com/jsshell/

To keep the investigation and the analysis going, you might need to find more info on the IP associated with the email. For that, you can use the terminal or the whois lookup website:

https://whois.domaintools.com/

Another way to confirm the IP is using the Hurricane Electric IS website. Here:

https://bgp.he.net/
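
To get the IP to feed into those lookups without pasting the headers into a website, the .eml file can be read locally. The following is an added example, not code from the original post: it hashes the file before touching it (SHA-256 here instead of the MD5 calculator linked above), walks the Received chain, and compares the From and Return-Path domains. The sample message, its hostnames and the `INTERNAL` network list are constructed assumptions.

```python
import hashlib
import ipaddress
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample message (not a real email); IPs are documentation ranges.
SAMPLE_EML = (
    b"Return-Path: <bounce@mailer.example.net>\r\n"
    b"Received: from mx.corp.example (mx.corp.example [10.0.0.5])\r\n"
    b"\tby mbox.corp.example with ESMTP; Mon, 01 Jan 2024 10:00:05 +0000\r\n"
    b"Received: from relay.example.net (relay.example.net [198.51.100.23])\r\n"
    b"\tby mx.corp.example with ESMTP; Mon, 01 Jan 2024 10:00:03 +0000\r\n"
    b"Received: from [203.0.113.77] (helo=laptop)\r\n"
    b"\tby relay.example.net with ESMTPA; Mon, 01 Jan 2024 10:00:01 +0000\r\n"
    b"Authentication-Results: mx.corp.example; spf=fail\r\n"
    b"\tsmtp.mailfrom=mailer.example.net; dkim=none\r\n"
    b'From: "IT Support" <support@corp.example>\r\n'
    b"\r\n"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Assumption: these ranges are "our own" hops and are skipped in the report.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def sha256_of(raw: bytes) -> str:
    """Fingerprint the untouched file so later copies can be verified."""
    return hashlib.sha256(raw).hexdigest()

def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def analyze(raw: bytes) -> dict:
    msg = message_from_bytes(raw)
    ips = []
    # Newest hop is listed first; reverse for path order. Untrusted hops can be forged.
    for value in reversed(msg.get_all("Received", [])):
        from_clause = re.split(r"\sby\s", value, maxsplit=1)[0]
        for text in IP_RE.findall(from_clause):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. [999.1.1.1]
                continue
            if not any(ip in net for net in INTERNAL):
                ips.append(str(ip))
    auth = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""))
    from_dom, rp_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    return {"sha256": sha256_of(raw), "external_ips": ips, "auth": dict(auth),
            "from_domain": from_dom, "return_path_domain": rp_dom,
            "domain_mismatch": from_dom != rp_dom}
```

For a real file, pass `open(path, "rb").read()` to `analyze`; reading in binary mode keeps the hash identical to the file on disk.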

If you want to have more fun and learn how to create a payload that you can encrypt and make undetected, you can look around on Google or here:

https://linuxhint.com/create-payload-with-metasploit/

You can also check if the person that sent you the email has passwords on the dark web, or you can always use a tool such as H8mail. Here is more info: Exploit Recycled Credentials with H8mail to Break into User Accounts

https://null-byte.wonderhowto.com/how-to/exploit-recycled-credentials-with-h8mail-break-into-user-accounts-0188600/

All this could be automated with PHP.

I know I have not been writing in a while, but now it is a must-do. I am back in the Cyber Game, and I guess as a developer the more efficiently you work, the less you have to worry about stuff. I will compile all these links in my GitHub in a .html file or a .PHP file.

Come check out https://www.cyberdefenseservices.net/

This is all for now; I will keep blogging more often. I know I am not a pro when it comes to this shit, but it is what it is. Can’t really win the marathon if you don’t run. Life is a marathon and life is about learning.

I want to say thanks to my Boss Zachary M for the opportunity given to me.

Thank you.

Very Respectfully,

Santi