A simple Phishing Framework Library with a CLI tool. The project was born out of necessity on projects. Even though there are many projects out there, we were not able to find a suitable solution that gave us both easy of use and customizability.
Cartero is a modular project divided into commands that perform independent tasks (i.e. Mailer, Cloner, Listener, AdminConsole, etc...). In addition each sub-command has options.
For example, if we wanted to clone gmail.com, we simply have to perform the following commands.
❯❯❯ ./cartero Cloner --url https://gmail.com --path /tmp --webserver gmail_com
❯❯❯ ./cartero Listener --webserver /tmp/gmail_com -p 80
Launching mongodb
Puma starting in single mode...
* Version 2.8.2 (ruby 2.1.1-p76), codename: Sir Edmund Percival Hillary
* Min threads: 4, max threads: 16
* Environment: production
* Listening on tcp://0.0.0.0:80
Use Ctrl-C to stopOnce we have a site up and running we can simply use the Mailer command to send templated emails to our testing victims:
❯❯❯ ./cartero Mailer --data victims.json --server gmail2 --subject "Internal Memo" --htmlbody email_html.html --attachment payload.pdf --from "John Doe <[email protected]>"
Sending [email protected]
Sending [email protected]
Sending [email protected]
❯❯❯ \curl -sSL https://get.rvm.io | bash -s stable --rubyOn OSX:
❯❯❯ brew install mongodbOn Ubuntu / Kali / Debian
❯❯❯ apt-get install mongodbOn Arch Linux
❯❯❯ pacman -Syu mongodb
❯❯❯ git clone github.com/section9labs/Cartero
❯❯❯ cd Cartero
❯❯❯ gem install bundle
❯❯❯ bundle install
❯❯❯ cd binCartero is a very simple to use CLI.
❯❯❯ ./cartero
Usage: cartero [options]
List of Commands:
AdminConsole, AdminWeb, Mailer, Cloner, Listener, Servers, Templates
Global options:
--proxy [HOST:PORT] Sets TCPSocket Proxy server
-c, --config [CONFIG_FILE] Provide a different cartero config file
-v, --[no-]verbose Run verbosely
-p [PORT_1,PORT_2,..,PORT_N], Global Flag fo Mailer and Webserver ports
--ports
-m, --mongodb [HOST:PORT] Global Flag fo Mailer and Webserver ports
-d, --debug Sets debug flag on/off
--editor [EDITOR] Edit Server
Common options:
-h, --help [COMMAND] Show this message
--list-commands Prints list of commands for bash completion
--version Shows cartero CLI versionThis is a simple Wrapper for MongoDB that allows us to start stop the database with the corresponding commands and on the correct ~/.cartero path.
❯❯❯ ./cartero Mongo
Usage: Cartero Mongo [options]
-s, --start Start MongoDB
-k, --stop Stop MongoDB
-r, --restart Restart MongoDB
-b, --bind [HOST:PORT] Set MongoDB bind_ip and port
Common options:
-h, --help Show this message
--list-options Show list of available optionsA simple WebSite Cloner. It allows us to download and convert a website into a Cartero WebServer application. In this way we can easily customize the website to Harvest Credentials, Server Payloads, or create a fully customized website.
❯❯❯ ./cartero Cloner
Usage: Cartero Cloner [options]
-U, --url [URL_PATH] Full Path of site to clone
-W, --webserver [SERVER_NAME] Sets WebServer name to use
-p, --path [PATH] Sets path to save webserver
-P, --payload [PAYLOAD_PATH] Sets payload path
--useragent [UA_STRING] Sets user agent for cloning
--wget Use wget to clone url
--apache Generate Apache Proxy conf
Common options:
-h, --help Show this message
--list-options Show list of available optionsBy default the command users our own internal system to download and convert links to render, but we also support a --wget option that will use wget system command.
The listener is the system responsible of running the WebServer created through Cloner or manually. By default we also have a very simple WebServer if none is provided.
❯❯❯ ./cartero Listener
Usage: Cartero Listener [options]
-i, --ip [1.1.1.1] Sets IP interface, default is 0.0.0.0
-p [PORT_1,PORT_2,..,PORT_N], Sets Email Payload Ports to scan
--ports
-s, --ssl Run over SSL. [this also requires --sslcert and --sslkey]
-C, --sslcert [CERT_PATH] Sets Email Payload Ports to scan
-K, --sslkey [KEY_PATH] Sets SSL key to use for Listener.
-V, --views [VIEWS_FOLDER] Sets SSL Certificate to use for Listener.
-P, --public [PUBLIC_FOLDER] Sets a Sinatra public_folder
-W [WEBSERVER_FOLDER], Sets the sinatra full path from cloner.
--webserver
--payload [PAYLOAD] Sets a payload download to serve on /download
--customapp [CUSTOM_SINATRA] Sets a custom Sinatra::Base WebApp. Important, WebApp name should be camelized of filename
Common options:
-h, --help Show this message
--list-options Show list of available options
The WebServers support ssl keys, different public and view paths. Additionally the servers can also be hosted on multiple ports at the same time and they can be bind to a specific IP address as well.
In order to send emails campaigns we need to setup servers. This is a command that would help Cartero to create, store and list servers. All data is stored on .cartero configuration directory.
./cartero Servers
Usage: Cartero Servers [options]
-a, --add [NAME] Add Server
-e, --edit [NAME] Edit Server
-d, --delete [NAME] Edit Server
-l, --list List servers
Configuration options:
-T, --type [TYPE] Set the type
-U, --url [DOMAIN] Set the Mail or WebMail url/address
-M, --method [METHOD] Sets the WebMail Request Method to use [GET|POST]
--api-access [API_KEY] Sets the Linkedin API Access Key
--api-secret [API_SECRET] Sets the Linkedin API Secret Key
--oauth-token [OAUTH_TOKEN] Sets the Linkedin OAuth Token Key
--oauth-secret [OAUTH_SECRET]
Sets the Linkedin OAuth Secret Key
Common options:
-h, --help Show this message
--list-options Show list of available optionsJust like Servers, email campaigns also need to send a body or html body. This will allow you to keep track, create, list and edit templates being used for each email. It is worth noting that this are not necessary to use and the Mailer command takes direct path to emails templates as well.
❯❯❯ ./cartero Templates
Usage: Cartero Templates [options]
-a, --add [NAME] Add Template
-e, --edit [NAME] Edit Template
-d, --delete [NAME] Edit Template
-l, --list List Templates
-h, --help Show this messageThis is the main command and component in our Framework. Mailer allows Cartero users to send custom templated emails to one or more email addresses. Each email can be customized using the powerful erb Template engine, allowing users to create complex programming within the templates and send massive, but yet very targeted emails. For more information on how to build custom templates, please refer to our Examples.
❯❯❯ ./cartero Mailer
Usage: Cartero Mailer [options]
-D, --data [DATA_FILE] File containing template data sets
-S, --server [SERVER_NAME] Sets Email server to use
-s, --subject [EMAIL_SUBJECT] Sets Email subject
-f, --from [EMAIL_FROM] Sets Email from
-r, --reply-to [EMAIL_REPLY_TO] Sets Email from
-b, --body [FILE_PATH] Sets Email Text Body
-B, --htmlbody [FILE_PATH] Sets Email HTML Body
-c, --charset [CHARSET] Sets Email charset
-C [CONTENT_TYPE], Sets Email content type
--content-type
-a [FILE_1,FILE_2,..,FILE_N], Sets Email Attachments
--attachment
-p [PORT_1,PORT_2,..,PORT_N], Sets Email Payload Ports to scan
--ports
Common options:
-h, --help Show this message
--list-options Show list of available optionsThis new command is an add on to support yet another known method to send messages using known vulnerabilities or anonymous sending services on the web via web requests.
❯❯❯ ./cartero WebMailer
Usage: Cartero WebMailer [options]
-R, --raw [RAW_REQUEST_FILE] Sets WebMail Raw Request
-S, --server [SERVER_NAME] Sets WebMail server to use
-U, --url [URL:PORT] Sets WebMail server url to use
-H [HEADER:VAL\nHEADER:VAL], Sets WebMail Headers to use
--headers
-C, --cookies [COOKIES] Sets WebMail Cookies to use
-D, --data [DATA_FILE] File containing template data sets
-s, --subject [EMAIL_SUBJECT] Sets Email subject
-f, --from [EMAIL_FROM] Sets Email from
-r, --reply-to [EMAIL_REPLY_TO] Sets Email reply-to
-b, --body [REQUEST_FILE_PATH] Sets Email Text request query Body
-p [PORT_1,PORT_2,..,PORT_N], Sets Email Payload Ports to scan
--ports
Common options:
-h, --help Show this message
--list-options Show list of available options
The Command can be used in two main ways. One using a raw command such as the one we get from Intercepting traffic with a web proxy (i.e. Burp Proxy) and or using the servers command available on Cartero.
#####Example of webmail server for send-mail.org
{
"name": "send-email",
"type": "webmail",
"options": {
"url": "http://send-email.org/send",
"method": "POST",
"cookies": "",
"headers": {
"Host": "send-email.org",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest",
"Referer": "http://send-email.org/",
"Content-Length": "126",
"Connection": "keep-alive",
"Pragma": "no-cache"
}
},
"confirmation" : "Your message was sent!"
}Using this pre-configured request, we can easily send message using the same datasets for Mailer and using the same type of templates. As it is shown on /templates/mail/sample.web
#####Sample Command:
❯❯❯ ./cartero WebMailer -S webmail -D ~/sample.json -b ../templates/mail/sample.web -r [email protected]The LinkedIn command is the first Social Network addition to the Cartero Framework. Allowing attackers to use the message platform to send messages and attack users from LinkedIn.
❯❯❯ ./cartero LinkedIn
Usage: Cartero LinkedIn [options]
-D, --data [DATA_FILE] File containing template data sets
-S, --server [SERVER_NAME] Sets Email server to use
-s, --subject [MESSAGE_SUBJECT] Sets LinkedIn Message subject
-b, --body [FILE_PATH] Sets LinkedIn Message Body
-l, --list [CONNECTIONS|GROUPS] List json of (connections or groups)
--send [MESSAGE|GROUP_UPDATE]
Send one or more (message/s or group/s updates)
-o, --save [FILE_PATH] Sets LinkedIn Message Body
Common options:
-h, --help Show this message
--list-options Show list of available optionsThe command requires a developer API and oauth key on the attackers profile. This can be easily obtained in https://www.linkedin.com/secure/developer. and a new server template can be created with the Servers command.
After reading some news on how Chinese spammers are abusing the fact that iMessage messages will be displayed on all devices linked to the account/s, a quick command was developer to allow Cartero users to also have this feature available to the Framework. Important: This will only work on OSX, for now
❯❯❯ ./cartero IMessage
Usage: Cartero IMessage [options]
IMPORTANT: This command only works on OSX
-D, --data [DATA_FILE] File containing template data sets
-A, --attachment [ATTACHMENT] Sets iMessage file path to send
-b, --body [BODY_FILE] Sets iMessage message
-m, --message [MESSAGE] Sets iMessage message
Common options:
-h, --help Show this message
--list-options Show list of available optionsMessages do not allow to send a single message containing both text and attachments, but we both are provided we will split the message and send it as two individual ones. #####Sample command
❯❯❯ ./cartero IMessage --data /Users/cartero/Desktop/test.json -b ../templates/mail/sample.imsg -a /Users/cartero/Downloads/jon.jpgIf you have a GoogleVoice account and want to automatically send SMS this might be a nice way to do it. It follows the same infrastructure as all other commands.
❯❯❯ ./cartero GoogleVoice
Usage: Cartero GoogleVoice [options]
-D, --data [DATA_FILE] File containing template data sets
-S, --server [SERVER_NAME] Sets SMS server to use
-b, --body [FILE_PATH] Sets SMS Text Body
-m, --message [MESSAGE] Sets SMS message
-u, --username [USER] Sets Google Voice Username
-p, --password [PWD] Sets Google Voice password
Common options:
-h, --help Show this message
--list-options Show list of available options
If you have a Twilio account and want to automatically send SMS this might yet another way to send SMS. It is worth noting this is a paid service and it requires a valid access token (sid) and secret (secret_token). For more information please refer to Twilio's website at https://www.twilio.com/sms/api
❯❯❯ ./cartero Twilio
Usage: Cartero Twilio [options]
-D, --data [DATA_FILE] File containing template data sets
-S, --server [SERVER_NAME] Sets SMS server to use
-f, --from [NUMBER] Sets SMS from number to use
-b, --body [FILE_PATH] Sets SMS Text Body
-m, --message [MESSAGE] Sets SMS message
-u, --sid [SID] Sets Twilio Username
-p, --token [TOKEN] Sets Twilio password
-A, --attachment [PATH_1||PATH_2||PATH_3] Sets Twilio MMS URL image paths to send
Common options:
-h, --help Show this message
--list-options Show list of available options
The Admin Web is a simple Web-Application that allows to list information about each Campaign.
❯❯❯ ./cartero AdminConsole
Usage: Cartero AdminConsole [options]
-i, --ip [1.1.1.1] Sets IP interface, default is 0.0.0.0
-p [PORT_1,PORT_2,..,PORT_N], Sets Email Payload Ports to scan
--ports
-s, --ssl Run over SSL. [this also requires --sslcert and --sslkey]
-C, --sslcert [CERT_PATH] Sets Email Payload Ports to scan
-K, --sslkey [KEY_PATH] Sets Email Payload Ports to scan
Common options:
-h, --help Show this message
--list-options Show list of available optionsThe Admin Console is CLI tool that allows to list information about Persons, Campaigns, Hits and Credentials gathered.
❯❯❯ ./cartero AdminConsole
Usage: Cartero AdminConsole [options]
-p, --persons [LATEST_N] Display the list of persons that responded
-i, --hits [LATEST_N] Display the list of hits
-c, --creds [LATEST_N] Display the list of Credentials
-a, --all Sets Email Payload Ports to scan
-f, --filter flag to search by parameters
--email [EMAIL] Display the list of hits
--campaign [CAMPAIGN] Display the list of hits
--ip [IP_ADDRESS] Display the list of hits
Common options:
-h, --help Show this message
--list-options Show list of available options
Commands have a fairly easy infrastructure. Default Framework commands are stored on Cartero/lib/cartero/commands/*.rb and ~/.cartero/commands/*.rb.
module Cartero
module Commands
class CommandName < Cartero::Command
def initialize
super do |opts|
#OptionsParser options available here.
opts.on("-x", "--xoption [DATA_FILE]", String,
"Description of command option") do |data|
@options.xoption = data
end
opts.on("-y", "--yoption [DATA_FILE]", String,
"Description of command option") do |data|
@options.xoption = data
end
# help() option already provided.
# --list-options for auto-complete automatic.
end
end
def setup
# This will be hooked and run before run().
# It is meant as a method so the commands can run everything before that.
end
def run
# Everything that will run.
end
def after
# This is the place to run clean-up code.
end
end
end
endEmails are simple txt files or limited HTML files, depending on the type of format being used. Cartero allows to build and tempaltes both formats. In order to allow complex templating we use erb ruby gem, also used in many projects like Sinatra, Rails, etc.
Files can be extremely customized given erb allows for programatically edits on run time. Additionally we add an encrypted self[:payload] to each email template that allows Cartero to indentify each specific entity regardless. Last, but not least, this payload is encrypted using a key that is randomly generated and only exists on the Cartero config directory, allowing attackers to keep data secure and away from detection.
SAMPLE DATA FILE
[{
"email": "[email protected]",
"name": "John Doe"
}, {
"email": "[email protected]",
"name": "Gas Hill"
}, {
"email": "[email protected]",
"name": "John Doe 2"
}, {
"email": "[email protected]",
"name": "Jane Doe - Hotmail",
"subject": "Hotmail Test 123"
}]HTML SAMPLE TEMPLATE
<html>
<body>
<h3> Hello Spear Phishing World <%= self[:name] %>,</h3>
<p> This is an automated email to your email <%= self[:email] %>.<p>
<% if self[:ports] %>
<% self[:ports].each do |port| %>
<img alt="" width="1" height="1" border="0" style="height:1px !important;width:1px !important;border-width:0 !important;margin-top:0 !important;margin-bottom:0 !important;margin-right:0 !important;margin-left:0 !important;padding-top:0 !important;padding-bottom:0 !important;padding-right:0 !important;padding-left:0 !important;" src="http://localhost:<%= port %>/image?key=<%= self[:payload] %>">
<% end %>
<% end %>
</body>
</html>TEXT SAMPLE TEMPLATE
Hola <%= self[:name] %>,
This email needs to be displayed as HTML.
This is an automated email to your email<%= self[:email] %>.
In addition, this email can also be displayed securely
on http://192.168.1.216:8080/click?key=<%= self[:payload] %>
cheers,
<%= self[:from_name] %>
Servers can be managed using the Cartero Servers command, which allows to add, edit and delete servers. Additionally, anyone can easily create them manually and store them in ~/.cartero/servers/*.json
####smtp
{
"name": "gmail",
"type": "smtp",
"options": {
"address": "smtp.yourserver.com",
"port": 25,
"user_name": "user",
"password": "password",
"authentication": "plain",
"domain": "localhost.localdomain"
}
}{
"name": "linkedin",
"type": "linkedin",
"options": {
"api_access": "api_access",
"api_secret": "api_secret",
"oauth_token": "oauth_token",
"oauth_secret": "oauth_secret"
}
}####webmail
{
"name": "webmail-sample",
"type": "webmail",
"options": {
"url": "http://www.send-email.com/data/send/email",
"method": "POST",
"cookies": "sdajsda09s7das923i3j2l131;21381903810",
"headers": {
"x-forward": "asdadadasad"
}
},
"confirmation" : null
}.
#####Coding:
- msfvenon user-agent based dynamic shell payloads to Cloner
- Evaluate/Add tracking methods available to people.
- Research the concept of handling project/s.
- Interactive shell ?
- Add payload Cloner add-on and payload directory loading.
#####Documentation:
- Add Samples to each Command Section
- More Screenshots
- Upload Videos