Mass email senders are not a new topic for the ethical hacking community. We certainly need to send mass emails during penetration tests, or phishing tests to be more specific. During phishing tests, penetration testers often need to send bulk emails to the employees of the organisation they are conducting the penetration test for.
Though there are many bulk mail sending tools available, there is nothing as good as the bulk sending tool that is already present in our favourite penetration testing OS: Kali Linux.
Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills. We only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to them.
In this post I will be sending mass emails using Kali Linux and SET (Social Engineering Toolkit).
To begin with the mass email attack, we first need an email list that we have either harvested or that has been supplied to us by the organisation we are conducting the penetration test for.
Now I will open the Social Engineering Toolkit, SET.
Simply open a terminal and type:
se-toolkit
And SET opens up.
Select Social Engineering, i.e. Option 1.
Now, as we need to do a mass email attack, select Option 5 (Mass Mailer Attack).
Option 5 : Mass Mailer Attack
Then select Option 2 for the email mass mailer, as in this tutorial we deal with the email mass sender and not a single email address. Option 1 might be useful for spear-phish attacks.
Now you need to define the path to the email list. This is email_list in our case; just add the file name with the path.
Now select Option 1, as we will be using a Gmail account for sending the mass emails because we don't have our own SMTP server. In case you have your own email/SMTP server (as professional spammers do), feel free to explore the other options.
Option 1 : Use a Gmail account for email attack
Enter the Gmail address. The email address must be correct, and you must also have the password for it to successfully send the emails.
Now enter the name that you want the email recipients to see in the inbox. This is the name that will flash first in front of your victim. Pay attention to this field specifically, as this is where the actual social engineering takes place.
This could be “Admin” in case of a spear-phish attack.
Now SET will ask you to enter the password for the email account.
Enter the gmail password
Now you have an option to specify whether or not you want to flag this message as high priority. Sometimes this may work, and sometimes it might make the victim suspicious. So I suggest using this option as per your suitability.
Now SET will ask you to enter the subject of the email.
Enter the subject of the email
Now SET will ask you whether you want the body of the message to be HTML or plain text.
P for plain text or H for HTML
Enter the body text
Enter the body of the email here. If you chose an HTML message, then add the HTML tags as well.
Enter Control+C to send the email.
Enter to go back to the main menu
This is how hackers perform a mass email attack.
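On the receiving side, the choices made in the steps above (a Gmail sender, a display name such as “Admin”, the high-priority flag, one message to a whole list) show up in the message headers. The following is an added example, not part of the original post or of SET, that checks raw messages for those traces. The free-mail and role-word lists, the example.com addresses, the threshold and the use of the X-Priority/Importance headers as the priority flag are assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "googlemail.com", "outlook.com", "yahoo.com"}      # assumed list
ROLE_WORDS = {"admin", "administrator", "helpdesk", "support", "security"}  # assumed list

def indicators(raw):
    """Return header-based indicators for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    # Display name claims an internal role, but the mailbox is free webmail.
    words = set(re.findall(r"[a-z]+", name.lower()))
    if ROLE_WORDS & words and domain in FREEMAIL:
        hits.append("role-name-from-freemail")
    # Priority flag, assumed to be carried as X-Priority 1/2 or Importance: high.
    if (msg.get("X-Priority", "").strip()[:1] in ("1", "2")
            or msg.get("Importance", "").strip().lower() == "high"):
        hits.append("high-priority")
    return hits

def bulk_senders(raws, threshold=3):
    """Map (sender, subject) to recipients when one sender reaches many mailboxes."""
    seen = defaultdict(set)
    for raw in raws:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        rcpt = parseaddr(msg.get("To", ""))[1].lower()
        seen[(sender, msg.get("Subject", ""))].add(rcpt)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

def _mail(frm, to, subj, extra=""):
    # Builds a constructed sample message: headers, blank line, body.
    return f"From: {frm}\nTo: {to}\nSubject: {subj}\n{extra}\nbody\n"

# Constructed samples: three copies of one campaign plus one ordinary internal mail.
SAMPLES = [
    _mail("Admin <sender@gmail.com>", f"user{i}@example.com",
          "Password reset", "X-Priority: 1\n")
    for i in range(3)
] + [_mail("Christina Roe <croe@example.com>", "user1@example.com", "Lunch")]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(indicators(raw))
    print(bulk_senders(SAMPLES))
```

In a phishing test, comparing these results with what the mail gateway actually flagged shows whether the exercise was noticed by technical controls or only by the recipients.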