Introducing SETmail

by {"login"=>"averagesecurityguy", "email"=>"stephen@averagesecurityguy.info", "display_name"=>"averagesecurityguy", "first_name"=>"", "last_name"=>""}

I have wanted to use the Social Engineering Toolkit for quite a while but didn't want to setup Sendmail. I know you can use a gmail account but I wanted to spoof an address and Sendmail was the only option until now. I built a ruby script to implement an open relay that can be used with SET. I used code from here and here to get started.

To use SETmail you need to configure SET to use Sendmail. After that, run the SETmail script, which will start an SMTP server on port 25 on the localhost.

Next, go through the SET menu until you get to

[-] Sendmail is a Linux based SMTP Server, this can be used to spoof email addresses.
[-] Sendmail can take up to three minutes to start FYI.
[*] Sendmail is set to ON
set:phishing> Start Sendmail? [yes|no]:

Do not start Sendmail. Answer a few more questions and you will get here.

set:phishing> Send email to:stephen@averagesecurityguy.info

  1. Use a gmail Account for your email attack.
  2. Use your own server or open relay

set:phishing>2
set:phishing> From address (ex: moo@example.com):stephen@averagesecurityguy.net
set:phishing> Username for open-relay [blank]:  
Password for open-relay [blank]: 
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com):127.0.0.1
set:phishing> Port number for the SMTP server [25]:
set:phishing> Flag this message/s as high priority? [yes|no]:no

After that your email will be sent.

If you want to bypass spam filters with your custom domain name, you will need to setup an MX and SPF record for your custom domain.

You can get SETmail here.