goCabrito : Super Organized And Flexible Script For Sending Phishing Campaigns

goCabrito is a super organized and flexible script for sending phishing campaigns.

Features

• Sends to a single email
• Sends to lists of emails (text)
• Sends to lists emails with first, last name (csv)
• Supports attachments
• Splits emails in groups
• Delays sending emails between each group
• Support Tags to be placed and replaced in the message’s body
  • Add {{name}} tag into the HTML message to be replaced with name (used with –to CSV).
  • Add {{track-click}} tag to URL in the HTML message.
  • Add {{track-open}} tag into the HTML message.
  • Add {{num}} tag to be replaced with a random phone number.
• Supports individual profiles for different campaigns to avoid mistakes and confusion.
• Supports creating database for sent emails, each email with its unique hash (useful with getCabrito)
• Supports dry test, to run the script against your profile without sending the email to test your campaign before the launch.

Prerequisites

Install gems’ dependencies

sudo apt-get install build-essential libsqlite3-dev

Install gems

gem install mail sqlite3

Usage

goCabrito.rb — A simple yet flexible email sender.
Help menu:
-s, –server HOST:PORT SMTP server and its port.
e.g. smtp.office365.com:587
-u, –user USER Username to authenticate.
e.g. user@domain.com
-p, –pass PASS Password to authenticate
-f, –from EMAIL Sender’s email (mostly the same as sender email)
e.g. user@domain.com
-t, –to EMAIL|LIST|CSV The receiver’s email or a file list of receivers.
e.g. user@domain.com or targets.lst or targets.csv
The csv expected to be in fname,lname,email format without header.
-c, –copy EMAIL|LIST|CSV The CC’ed receiver’s email or a file list of receivers.
-b, –bcopy EMAIL|LIST|CSV The BCC’ed receiver’s email or a file list of receivers.
-B, –body MSG|FILE The mail’s body string or a file contains the body (not attachements.)
For click and message opening and other trackings:
Add {{track-click}} tag to URL in the HTML message.
eg: http://phisher.com/file.exe/{{track-click}}
Add {{track-open}} tag into the HTML message.
eg:Hi{{track-open}}
Add {{name}} tag into the HTML message to be replaced with name (used with –to CSV).
eg:Dear {{name}},
Add {{num}} tag to be replaced with a random phone number.
-a, –attachments FILE1,FILE2 One or more files to be attached seperated by comma.
-S, –subject TITLE The mail subject/title.
–no-ssl Do NOT use SSL connect when connect to the server (default: false).
-g, –groups NUM Number of receivers to send mail to at once. (default all in one group)
-d, –delay NUM The delay, in seconds, to wait after sending each group.
-P, –profile FILE A json file contains all the the above settings in a file
-D, –db FILE Create a sqlite database file (contains emails & its tracking hashes) to be imported by ‘getCabrito’ server.
–dry Dry test, no actual email sending.
-h, –help Show this message.
Usage:
goCabrito.rb
Examples:
$goCabrito.rb -s smtp.office365.com:587 -u user1@domain.com -p P@ssword1 \
-f user1@domain.com -t targets1.csv -c targets2.lst -b targets3.lst \
-B msg.html -S “This’s title” -a file1.docx,file2.xlsx -g 3 -d 10
$goCabrito.rb –profile prf.json

How you really use it?

• I create directory for each customer
• Under the customer’s directory, I create a directory for each campaign. This sub directory contains

• The profile
• The To, CC & BCC lists in CSV format
• The message body in HTML format

• I configure the profile and prepare my HTML
• Execute the campaign profile in dry mode first (check the profile file dry value)

ruby goCabrito.rb -P CUSTOMER/3/camp3.json –dry

• I remove the --dry switch and make sure the dry value is false in the config file
• Send to a test email
• Send to the real lists