# How does email spoofing work?

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988407158/7f2c5a2d-c918-45f5-9ba9-2edfdd95a31c.jpeg)

Email spoofing has always been something I've found interesting since day 1! But I never really tried or knew how to do it. I recently found out how it's done and I thought I’d write about it for other people who are as curious as me! Disclaimer: This is strictly for educational purposes only. Enough of me blabbering! Let's get into it :)

* * *

> __Step 1 — Installing The Social-Engineer Toolkit (SET)__

We will be using the SET framework to help us perform the “Attack”. So let's go ahead and install it!

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988408983/3ce57e3a-f1d4-4a77-9a5c-0385c58e70bb.png)

    apt-get install set

To verify that the framework installed successfully, run `setoolkit` and check that it starts.

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988411053/e195ba87-a6a1-4b0c-aeff-ccba989ec487.png)

If you see this, you have successfully installed the framework!

* * *

> __Step 2 — Setting up an SMTP mail server__

For this, we will be using Mailgun, as it offers a free service for beginners with limited bandwidth. Head to the site and create a free trial account.

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988412838/eeefd8e6-2117-413e-bc7d-dba63f767047.png)

The first step will be to set up your SMTP user account for verification like so.

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988415003/e9fe6289-1895-409c-bcf9-36fc6a7ec828.png)

If you followed the steps correctly, you will see your SMTP user added in the user settings. There will also be some connection information at the bottom. Heads up: if you missed your password the first time it showed up, just hit reset password and a new one will be shown to you. Remember to copy it and keep it safe!!

* * *

> __Step 3 — Initiating the attack (demo)__

Since this is a simulated attack, I will be spoofing an email to my own personal inbox. **(THIS IS STRICTLY FOR EDUCATIONAL PURPOSES ONLY!!)**

Now, let's try and spoof this email right here.

First, open the setoolkit with the command `setoolkit`.

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988416981/2fca019d-ab65-48c2-a299-47e02da8b3af.png)

Next up, select option 1 as we are going to conduct a type of social engineering attack.

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988418915/8529f584-2d5f-44be-b7be-e65244f90b83.png)

In this menu, we are going to select option 5 which will allow us to send spoofed emails.

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988420858/ca53c593-f022-4ad7-a872-78553484d6e7.png)

In this menu, we are going to select option 1 for our use case. After choosing option 1, we will be able to enter all the details the program needs to send the spoofed email.

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988422799/e82e019b-cc5c-4087-825b-41eabc91af85.png)

    Send email to: recipient's address
    
    THEN SELECT `USE YOUR OWN SERVER OR OPEN RELAY`
    
    From address: The address you want the recipient to see
    From name: The "from" name you want the recipient to see
    
    Username for open-relay: can be found on mailgun's dashboard
    
    Password for open-relay: can be found on mailgun's dashboard
    
    SMTP email server address: smtp.mailgun.org
    
    Flag this message/s as high priority? YES/NO (up to u)
    
    Do u want to attach a file - Y/N: (up to u)
    
    Do u want to attach an inline file - Y/N: (up to u)
    
    Email subject: (up to u)
    
    Send the message as html or plain - h/p: (up to u)
    
    Enter body: (up to u); Remember to type `END` after u are done

The block above is a brief walkthrough of what you need to enter in the various fields.

If you followed the steps correctly, you should see the following.

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988424158/0f5887ae-27d4-4c68-a033-fbbf6a5ad950.png)

Now head to your inbox and check if the email has been sent.

![How does email spoofing work?](https://cdn.hashnode.com/res/hashnode/image/upload/v1680988426196/7d9b739f-8111-49c8-acf9-c19ecff6f2f4.png)

* * *

BOOM! There we go :) That's how you spoof an email address and successfully get it into your target’s mailbox. Side note: you can get rid of the “via” line by paying for a proper personal SMTP server.
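Mail clients show a “via” line when the domain in `From:` differs from the domain that actually sent or signed the message. The following is an added example, not part of the original post: a receiver-side check that flags this mismatch by comparing the `From:` domain with the `Return-Path` and DKIM `d=` domains. The sample message and the domains `example.com` and `relay.example.net` are constructed, and the alignment rule is a simplification of what DMARC evaluates.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From: domain (example.com) differs from the
# domain of the relay that sent and signed the message (relay.example.net).
SAMPLE = """\
Return-Path: <bounce+abc123@relay.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example.net; s=k1;
 h=from:to:subject; bh=constructed; b=constructed
From: "Alice Example" <alice@example.com>
To: bob@example.org
Subject: Quarterly report

Hello Bob
"""

def domain_of(addr_header):
    """Lower-cased domain of an address header, or '' if missing/invalid."""
    addr = parseaddr(addr_header or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def aligned(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    Real DMARC compares organizational domains via the Public Suffix List."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_alignment(raw):
    """Compare the From: domain with the envelope and DKIM signing domains.
    This checks alignment only; it does not verify SPF or DKIM signatures."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    dkim_doms = [d.lower() for h in msg.get_all("DKIM-Signature", [])
                 for d in re.findall(r"(?:^|;)\s*d=([^;\s]+)", h)]
    return {
        "from": from_dom, "return_path": env_dom, "dkim": dkim_doms,
        "envelope_aligned": aligned(from_dom, env_dom),
        "dkim_aligned": any(aligned(from_dom, d) for d in dkim_doms),
    }

if __name__ == "__main__":
    result = check_alignment(SAMPLE)
    print(result)
    if not (result["envelope_aligned"] or result["dkim_aligned"]):
        print("WARNING: From: domain not aligned with any sending domain")
```

A domain owner who publishes a DMARC policy of `quarantine` or `reject` tells receivers to act on exactly this kind of mismatch instead of just displaying “via”.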

I hope this has helped my fellow curious tech heads out there :) JUST A REMINDER! Please do not misuse this! This was strictly for educational purposes only!! Cheers!

~Nee

* * *
