HHS Lesson 9: Hacking Email - Hacker Highschool

LESSON 9: HACKING

EMAIL

Lesson 9: Hacking Email

WARNING

The Hacker Highschool Project is a learning tool and as with any learning tool there are dangers. Some lessons if abused may result in physical injury. Some additional dangers may also exist where there is not enough research on possible effects of emanations from particular technologies. Students using these lessons should be supervised yet encouraged to learn, try, and do. However ISECOM cannot accept responsibility for how any information herein is abused. The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool Project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the HHS web page at . The HHS Project is an open community effort and if you find value in this project we ask that you support us through the purchase of a license, a donation, or sponsorship.

2

Lesson 9: Hacking Email

Table of Contents

WARNING....................................................................................................................................................2 Contributors................................................................................................................................................4 Introduction................................................................................................................................................5 Overall: How Email Works.........................................................................................................................6 Feed Your Head: Email Headers.............................................................................................................9 Dig Me.......................................................................................................................................................12 Game On: The Bug Trap.........................................................................................................................14 The Risky Business of Email Composition..............................................................................................17 Receiving Email........................................................................................................................................18 Responding to Email...............................................................................................................................19 Cryptography Protecting Contents From Disclosure.........................................................................20

PGP and GPG......................................................................................................................................21 MIME Your Manners............................................................................................................................21 Key Trust................................................................................................................................................22 Sending An Encrypted Email Using GPG.........................................................................................22 Receiving An Encrypted Email Using GPG......................................................................................22 GPG Implications................................................................................................................................22 Email Server-Side Vulnerabilities and Threats......................................................................................24 Bandwidth Eating................................................................................................................................24 Email Server Vulnerabilities.................................................................................................................25 Email Server Threats............................................................................................................................25 Email for Fun and Profit...........................................................................................................................25 The Key to Success..............................................................................................................................26 Email Client-Side Vulnerabilities and Threats..................................................................................27 Turn On The Lights................................................................................................................................27 Malware, Trojans, And Rootkits, Oh My...........................................................................................28 This Email Looks Legitimate, Let's Open It Up..................................................................................28 Exciting Tricks With Email Systems (Hacking the Postman)................................................................29 SEAK And Ye Shall Find.......................................................................................................................29 Spoofing Versus Malware...................................................................................................................30 Stupid Email Tricks................................................................................................................................31 Outsmarting The Email Bots (Email Obfuscation) ..........................................................................31 Conclusion................................................................................................................................................33 The Ultimate Disclaimer..........................................................................................................................34

3

Lesson 9: Hacking Email

Contributors

Pete Herzog, ISECOM Bob Monroe, ISECOM Greg Playle, ISECOM Marco Ivaldi, ISECOM Simone Onofri, ISECOM Peter Houppermans Andrea Zwirner

4

Lesson 9: Hacking Email

Introduction

Email has been around for a long time; like longer than those socks stuffed under your bed. It predates the Internet (not your dirty socks), and is one of the first forms of electronic information exchange. Before email, we had smoke signals, half-naked guys running as messengers, bricks with notes attached, Morse code, large rocks slung over castle walls with curse words written on them, and a variety of other analog communication methods like the telephone and paper "snail mail" (not really delivered by snails). Many of these original message transmission required special tools, training, or lots of rocks. Luckily, enterprising authors created text that could be written on stone tablets or bound in books and thrown at people or read by them. One of the first books was Smoke Signals for Dummies. Email is based on simple store and forward principles. It can be relatively easy to use (unless you are in a huge hurry), very robust and so cheap that it is often abused for commercial and criminal purposes. Its asynchronous design allows communication to take place without the need for sender and receiver to both be online at the same time. Kind of like when your mother is talking to you and you're not paying attention until she asks you a question. You are not there for the transmission but you better be a quick deceiver. Um, receiver. A quick receiver. In this lesson, we will focus on modern Internet email and hacking or security issues you can use for fun and profit.

5

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download