• Oxford: +44 (0)1865 877830 
  • Manchester: +44 (0)161 713 0176 
  • Edinburgh: +44 (0)131 541 0118 
  • New York: +1 646-781-7580 
  • Bucharest: +40 316 301 707 
  • Tokyo: +81 (3) 4588 8181 

Phemail.py: another social engineering tool

You are here



Phemail.py: another social engineering tool

Phemail.py which stands for Phishing Email is another social engineering tool that proves who clicked on the email and gets as much information as possible. Social Engineering is defined as the process of inducing people into giving away access or confidential information. From a security consultant point of view this topic is not new and there are many tools which can be used against the target. Probably the most popular social engineering tool is SET (http://www.social-engineer.org/framework/…), the Social Engineering Toolkit. SET is a Python script which attempts to automate all the processes required during a typical client-side test. What you can do with SET is send a phishing email with a malicious URL. The malicious URL will redirect the user to a webserver managed by Metasploit which will launch several exploits in order to exploit the victim’s web browser, to gain a Meterpreter shell. The problem of this approach is that most of the time Meterpreter will be detected by antivirus software running on the victim’s machine, so a successful exploitation is not going to be completed. Moreover so far SET doesn’t have any option to prove who clicked on the phishing email without using Meterpreter. So for this reason I started to develop phemail.py - Phishing EMAIL. The main purpose of this tool is to prove who clicked on the phishing email without attempting to exploit the web browser but collecting as much information as possible. For this reason it will be 100% undetectable by any antivirus and it will obtain sufficient data to have an initial proof of concept for the client. Microsoft phishing email

The first step is to find corporate email addresses. Phemail has an option for harvesting corporate email addresses on search engines and save these into a file as shown in the example below: # phemail.py -g1@example.com Gathering emails from domain: example.com 100% Completed! test@example.com test2@example.com […] emails.txt updated Once you have corporate email addresses the next step is to create a phishing email template. The template needs to have string

“{0}” in each URL as the script will replace this string with the correct URL automatically. A real example used during a client side testing is shown below:


Then you need to install php on the web server and copy the php file “index.php” - that you will find inside the package at the bottom of this article - in the web root directory. This file contains Javascript code which attempts to collect web browser information and save it in a log file in /tmp directory. After this you are ready to run the script specifying with the option” –w” the webserver where the php file “index.php” is uploaded as shown in the following example: # phemail.py -e test-emails.txt -f "Fast Holiday " -r "Fast Holiday " -s "Last Minute Holiday" -b body.txt -w http://YOUR-WEBSITE.com SMTP server: mail.example.com Sent to test@example.com Error: sending to notExist-email@example.com Phishing URLs point to http://YOUR-WEBSITE.com Phemail.py log file saved: phemail-log-12-07-2012_15-42.txt Then you need to wait and hopefully if someone clicks on the phishing email you will gain some web browser information from the victim as below: Email: test@example.com Date: Thu 12/07/2012 11:00:13 IP: User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 appCodeName: Mozilla appName: Netscape appVersion: 5.0 (Windows) appMinorVersion: undefined product: Gecko cookieEnabled: true cpuClass: undefined onLine: true opsProfile: undefined userProfile: undefined language: en-US platform: Win32 systemLanguage: undefined userLanguage: undefined flash: Enabled Plugins: Google Update Shockwave Flash 11.3 r300 Google Talk Plugin Video Accelerator version: Version 5.1.10411.0 Adobe PDF Plug-In For Firefox and Netscape 10.1.3 NPRuntime Script Plug-in Library for Java™ Deploy Vmware Remote Console and Client Integration Plug-in BlackBerry WebSL Browser Plug-In Bing Bar The plug-in allows you to open and edit files using Microsoft Office applications Office Authorization plug-in for NPAPI browsers The code is available for download as phemail.zip.

Posted by Mike

Leave a comment