<!--
######################################################
_____ _____ _ _ ____ __
|__ /__ _ __ _ __ _ _ __ | ____|_ __ ___ __ _(_) | / ___| _ __ ___ ___ / _| ___ _ __
/ // _` |/ _` |/ _` | '__| | _| | '_ ` _ \ / _` | | | \___ \| '_ \ / _ \ / _ \| |_ / _ \ '__|
/ /| (_| | (_| | (_| | | | |___| | | | | | (_| | | | ___) | |_) | (_) | (_) | _| __/ |
/____\__,_|\__, |\__,_|_| |_____|_| |_| |_|\__,_|_|_| |____/| .__/ \___/ \___/|_| \___|_|
|_| |_|
Zaqar: The Email Spoofer v1.3
Created by: Tobin Shields
Other contributors: [None as of now]
Github: https://github.com/TobinShields/Zaqar_EmailSpoofer
Resources Used:
Bootstrap 4
(Front-end Framework)
https://getbootstrap.com/
Simditor
(Rich Text Editor)
http://simditor.tower.im/
PHPMailer
(The classic email sending library for PHP)
https://github.com/PHPMailer/PHPMailer
Subtle Patterns
(Background image)
https://www.toptal.com/designers/subtlepatterns/
######################################################
-->
<!DOCTYPE html>
<html lang="en">
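<head>
  <!-- Required meta tags. The charset declaration comes first so the parser knows the encoding before it reads the title. -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <title>Zaqar | Spoof all the emails!</title>
  <!-- Simditor rich text editor CSS -->
  <link rel="stylesheet" href="simditor/css/simditor.css">
  <!-- Bootstrap CSS -->
  <!-- To use the CDN instead of the local file, uncomment the line below and remove the local link. Keep the integrity and crossorigin attributes: with them the browser refuses a CDN file whose hash does not match. -->
  <!-- <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"> -->
  <link rel="stylesheet" href="bootstrap-4.0.0/css/bootstrap.min.css">
  <!-- App styles -->
  <link rel="stylesheet" href="zaqar.css">
  <!-- Favicon -->
  <link rel="icon" href="favicon.ico">
</head>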
<!-- Background image set here -->
<body style="background-image: url('img/bg.png');">
<!-- Sticky banner linking to the project's GitHub repository -->
<div class="github-sticky">
  <p>
    Zaqar v1.3 - Support this project on
    <a href="https://github.com/TobinShields/Zaqar_EmailSpoofer">Github</a>
  </p>
</div>
<!-- Main container. It is thinner so it's using a col-6 with an offset -->
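<div class="col-md-6 offset-md-3">
  <!-- Zaqar icon. This is a generic icon; a custom one would be a nice future update. -->
  <img src="img/zaqar-icon.png" alt="Zaqar Icon" class="img-fluid mt-4 mb-4" id="email-icon">

  <!--
    Send form. Every field below is posted to mailer.php, which is not part of this file.
    The required, maxlength and type attributes, the terms checkbox and the disabled
    submit button are browser-side checks only; a request sent straight to mailer.php
    skips all of them. mailer.php therefore has to validate each field itself (for
    example refuse CR/LF in fromName, fromEmail, subjectLine, cc and bcc, and cap the
    attachment size). This page carries no login and no anti-CSRF token, so host it
    only where the authorised testers can reach it.
  -->
  <form class="form" autocomplete="off" action="mailer.php" method="post" enctype="multipart/form-data">
    <fieldset>
      <!-- Card -->
      <div class="card card-outline-secondary">
        <!-- Card header -->
        <div class="card-header text-center">
          <h1 class="mb-0">Zaqar: The Email Spoofer</h1>
          <h4><span class="lead">Spoof all the emails!</span></h4>
        </div>

        <!-- Card body -->
        <div class="card-body">
          <!-- Zaqar quote -->
          <blockquote cite="https://en.wikipedia.org/wiki/Zaqar">
            <p class="mb-0">In Mesopotamian mythology, Zaqar is the messenger of the god Sin. He relays these messages to mortals through his power over their dreams and nightmares.</p>
          </blockquote>

          <!-- Application description -->
          <p>Zaqar is designed to aid penetration testers in creating spoofed emails to conduct social engineering attacks. This sleek, simple tool allows testers to send an email looking as if it came from any email address with options of using a rich text editor or raw text. </p>

          <!-- FROM NAME. Each input carries an id matching its label's "for" so the label is actually bound to the control. -->
          <label for="fromName">From Name</label>
          <div class="row mb-1">
            <div class="col-lg-12">
              <input type="text" id="fromName" name="fromName" class="form-control" data-toggle="tooltip" data-placement="left" title="This is the name that will appear in the FROM field of the spoofed email" required>
            </div>
          </div>

          <!-- FROM EMAIL. Per the terms of usage below, only the identity shown in the mail client is changed. Whether the message is accepted depends on the receiving domain's SPF/DKIM/DMARC checks, so a delivered test message is itself a finding about that policy. -->
          <label for="fromEmail">From Email Address</label>
          <div class="row mb-1">
            <div class="col-lg-12">
              <input type="email" id="fromEmail" name="fromEmail" class="form-control" data-toggle="tooltip" data-placement="left" title="The spoofed email will look as if it appeared from this email address" required>
            </div>
          </div>

          <!-- TO EMAIL. "multiple" lets the browser accept the comma-separated list the tip below describes; without it type="email" rejects any value containing a comma. -->
          <label for="toEmail">To Email Address(s)</label>
          <div class="row mb-1">
            <div class="col-lg-12">
              <input type="email" id="toEmail" name="toEmail" class="form-control" data-toggle="tooltip" data-placement="left" title="This is the email address that you want to send the spoofed email to" multiple required>
              <p><strong>Pro Tip: </strong> You can send to multiple addresses at once if you separate each address with a comma</p>

              <!-- More options (Cc / Bcc), collapsed by default -->
              <button type="button" class="btn-sm btn-primary mb-3" data-toggle="collapse" data-target="#more-options" id="more-options-btn"><span id="show-more">Show</span> More Sending Options</button>
              <div class="collapse alert alert-secondary" id="more-options">
                <p class="m-0"><strong>Note: </strong> You still want to add at least one "to" address, as many anti-spam filters will discard messages with no "to" field in the header. It does not have to be a real address.</p>
                <div class="row">
                  <div class="col">
                    <label for="cc">Cc: Email Address(s)</label>
                    <input type="text" id="cc" name="cc" class="form-control">
                  </div>
                  <div class="col">
                    <label for="bcc">Bcc: Email Address(s)</label>
                    <input type="text" id="bcc" name="bcc" class="form-control">
                  </div>
                </div>
              </div>
            </div>
          </div>

          <!-- SUBJECT LINE. maxlength is enforced by the browser only. -->
          <label for="subjectLine">Subject Line</label>
          <div class="row mb-1">
            <div class="col-lg-12">
              <input type="text" id="subjectLine" name="subjectLine" class="form-control" data-toggle="tooltip" data-placement="left" title="Whatever you type here will appear in the subject line of the spoofed email" maxlength="50" required>
            </div>
          </div>

          <!-- About the message body -->
          <label>Message Body</label>
          <p>When crafting your email you have two options: you can either build it using the rich text editor (which will convert the message to HTML) or you can send the message as raw text. While rich text allows more flexibility in how a message can be presented, not all mail clients render HTML correctly or at all. You need to research your target in order to know if the rich text editor is appropriate--when in doubt, use the raw editor.</p>

          <!-- Message body input -->
          <div class="row mb-1">
            <div class="col-lg-12">
              <!-- Bootstrap tab navigation -->
              <ul class="nav nav-tabs" role="tablist">
                <li class="nav-item">
                  <a class="nav-link active" data-toggle="tab" href="#rich-text" role="tab">Rich Text</a>
                </li>
                <li class="nav-item">
                  <a class="nav-link" data-toggle="tab" href="#raw-text" role="tab">Raw Text</a>
                </li>
              </ul>

              <!-- Bootstrap tab content. Both textareas are always submitted, whichever tab is showing. -->
              <div class="tab-content">
                <!-- Rich text tab. The page script attaches the Simditor editor to this textarea through id="editor". -->
                <div class="tab-pane active" id="rich-text" role="tabpanel">
                  <textarea id="editor" name="richMessageText" rows="6" cols="40" class="form-control"></textarea>
                </div>
                <!-- Raw text tab -->
                <div class="tab-pane" id="raw-text" role="tabpanel">
                  <textarea name="rawMessageText" rows="12" cols="40" class="form-control"></textarea>
                </div>
              </div>
            </div>
          </div> <!-- / message input -->

          <!-- File attachment. The onchange handler calls fileNameChange() from the page script to show the chosen file name. -->
          <div class="row mb-3 mt-3">
            <div class="col-12">
              <strong>File Attachment</strong>
              <p>You have the option to send an attachment with your email. Make sure that your webserver php.ini file allows for file uploads, and that the max upload size is set to at least the size of your attachment. This may be the case by default, and an error will be presented if it does not work.</p>
              <div class="custom-file">
                <input type="file" class="custom-file-input" id="customFile" name="attachment" onchange="fileNameChange()">
                <label class="custom-file-label" for="customFile"><span style="font-weight: normal; font-style: italic;" id="customFileText">Choose file</span></label>
              </div>
            </div>
          </div>

          <!-- Terms checkbox. It enables the submit button in the browser and nothing more: it has no name, so it is not sent with the form and the server cannot rely on it. -->
          <div class="mt-5">
            <input type="checkbox" id="agreeTerms" aria-labelledby="agreeTermsText" onchange="document.getElementById('submitBtn').disabled = !this.checked;" required>
            <span id="agreeTermsText">By checking this box you agree to the <a href="#" data-toggle="modal" data-target="#termsOfUsage">basic terms of usage</a> for this application</span>
          </div>

          <!-- Terms of usage modal. The title id matches aria-labelledby so the dialog has an accessible name. -->
          <div class="modal fade" id="termsOfUsage" tabindex="-1" role="dialog" aria-labelledby="termsOfUsageTitle" aria-hidden="true">
            <div class="modal-dialog modal-dialog-centered" role="document">
              <div class="modal-content">
                <div class="modal-header">
                  <h5 class="modal-title" id="termsOfUsageTitle">Terms of Usage</h5>
                  <button type="button" class="close" data-dismiss="modal" aria-label="Close">
                    <span aria-hidden="true">×</span>
                  </button>
                </div>
                <div class="modal-body">
                  <p>Okay, so I am not a lawyer but this is me trying to cover my ass the best that I can. By checking this box you are agreeing to <strong>only</strong> send a spoofed email if either of the two situations is true:</p>
                  <ol>
                    <li>
                      You are conducting a formal and legal penetration test in which you have the explicit permission of the organization that represents the target, and such a targeted attack is outlined in your planned attack scope.
                    </li>
                    <li>
                      You are a student or learning about mail systems and want to learn more about mail security. If this is the case, you should only be spoofing accounts that you have legal access to, or have otherwise gotten permission to use. Spoofed emails sent for the sake of learning should not attempt to steal credentials or other sensitive information, even as a ‘joke’ or ‘prank.’
                    </li>
                  </ol>
                  <p>Using this application for any other reason falls outside of its intended use and is not endorsed, encouraged, or approved by the application’s creator or its contributors. This is especially true if this application is being used to send spam messages or commit fraud. This mailer does little to protect the identity of where it was truly sent and the message can be easily tracked back to the originator. It only masks the identity on a surface level inside of a mail client. </p>
                </div>
                <div class="modal-footer">
                  <button type="button" class="btn btn-secondary" data-dismiss="modal">Okay, Got It</button>
                </div>
              </div>
            </div>
          </div>
        </div> <!-- /card body -->
      </div> <!-- /card -->

      <!-- SUBMIT. Starts disabled; the terms checkbox above enables it. -->
      <div class="form-group">
        <button type="submit" class="btn btn-primary btn-lg mt-3" style="display: block; margin:auto; width:100%;" id="submitBtn" name="submit" disabled>Send Spoofed Email</button>
      </div>
    </fieldset>
  </form>
  <!-- /form user info -->
</div>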
<!--/col-->
<!-- JavaScript libraries. The page script further down uses $ and Simditor, so these tags have to load before it. -->
<!-- To use the CDN instead of the local jQuery and Bootstrap files, uncomment the CDN script tags and remove the local script tags. The CDN tags carry Subresource Integrity hashes; keep the integrity and crossorigin attributes with them. NOTE(review): jQuery 3.2.1 and Bootstrap 4.0.0 are old releases and later releases of both include XSS fixes; plan to update the local copies, the CDN URLs and the hashes together. -->
<!-- JQUERY -->
<!-- <script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>-->
<script src="bootstrap-4.0.0/js/jquery-3.2.1.slim.min.js"></script>
<!-- BOOTSTRAP (the local file is the bundle build; the CDN alternative loads Popper and Bootstrap as two files) -->
<!-- <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script> -->
<script src="bootstrap-4.0.0/js/bootstrap.bundle.min.js"></script>
<!-- Simditor rich text editor JS (local copies; simditor.js is loaded last, after its helper modules) -->
<script src="simditor/js/module.js"></script>
<script src="simditor/js/hotkeys.js"></script>
<script src="simditor/js/uploader.js"></script>
<script src="simditor/js/simditor.js"></script>
<!-- Custom Scripts -->
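<script>
  // Attach the Simditor rich text editor to the textarea with id="editor".
  var editor = new Simditor({
    textarea: $('#editor')
    // optional Simditor options go here
  });

  // Initialise Bootstrap tooltips on every element that opts in with data-toggle="tooltip".
  $(function () {
    $('[data-toggle="tooltip"]').tooltip();
  });

  // Keep the "Show / Hide More Sending Options" button text in step with the collapse panel.
  // The text follows Bootstrap's own collapse events instead of counting clicks: Bootstrap
  // ignores a click made while the panel is still animating, so a click counter drifts out
  // of sync with what is actually shown.
  $('#more-options')
    .on('show.bs.collapse', function () {
      // Panel is opening: the button now offers to hide it.
      $('#show-more').replaceWith("<span id='show-less'>Hide</span>");
    })
    .on('hide.bs.collapse', function () {
      // Panel is closing: the button now offers to show it.
      $('#show-less').replaceWith("<span id='show-more'>Show</span>");
    });

  // Show the chosen attachment's name in the custom file label.
  // Called from the file input's onchange attribute, so it must stay a global function.
  function fileNameChange() {
    var fileInput = document.getElementById("customFile");
    var labelText = document.getElementById("customFileText");
    var chosen = fileInput.files && fileInput.files[0];

    // The change event also fires when the selection is cleared; restore the placeholder
    // instead of reading .name from undefined.
    if (!chosen) {
      labelText.textContent = "Choose file";
      return;
    }

    console.log("User uploaded " + chosen.name);
    // textContent, not innerHTML: a file name is arbitrary text and may contain "<" or "&",
    // so it is displayed as text and never parsed as markup.
    labelText.textContent = chosen.name;
  }
</script>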
</body>
</html>