ebug – get IP address and system info from hidden image in emailPenetration Testing

Begin Learning Cyber Security for FREE Now!

Already a Member Login Here

Home Forums Penetration Testing ebug – get IP address and system info from hidden image in email

This topic contains 5 replies, has 3 voices, and was last updated by  Anonymous 1 year, 9 months ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
  • #109904


    Updated scripts, added http basic auth logger, improved installer (V3)

    So I assume some of you are aware of this Email Web Beacon it’s been around for a while and still not used to it’s full potential but today for *reasons* I needed to get some WAN IP addresses of some computers which where very tricky get get hold of. I went down the route of an Email Beacon to do this, as, well…there are tools out there but most aren’t effective, or they get the IP address of the SMTP server at best. So when you want something done sometimes you have to do it yourself.

    Long story short, essentially all you do is:

    >Send the target en email
    [they don’t even need to respond, they just need to read it]
    >once they open the email, I have put a hidden 1×1 pixel image within it which will load with the email
    >the image points to a php script on my server and runs to do…whatever I want, in this case steal system info/IP addresses
    >It then creates a log file with the IP address (WAN/Internet accessible), there operating system and browser

    Spoiler alert: It worked like a charm.

    I simply setup XAMPP (with apache/php on it) configured the port (and port forwarded on my router), enabled apache mod rewrite so it will legitimately be an image which is converted to php when executed and created my php script to steal the info and log it. This may sound a little fiddly and it was, but within ~1 hour or so it was up and running smoothly to do the job. In my testing phase I took some screen shots as reference, see below:

    Inserting the HTML image [NOTICE the email@target.com this is because anything after ? in the URL is ignored, however this way I can track who I sent the email to
    email preview
    target receiving the email
    target opening the email
    the log file it puts on my server 🙂

    As you can see, this is very effective! what’s more is there are a lot more things you can do. One of which I recently experimented with is to send a HTTP BASIC AUTH request, whereby the target would receive a login pop-up when they open the email asking them to re-login, amongst many other things. Moreover, this isn’t restricted to email either, it’s essentially anything that loads images – websites, forums and so on.

    Obviously some email clients will countermeasure this, but surprisingly most of them don’t, and if you’re crafty enough (encode url’s etc) you can bypass a lot of AV filters too.

    This of course, is all in the name of research and development purposes.

    Anyway, rather than you guys have to re-create the whole thing I saved the scripts and even created an installer because I am kind like that 🙂 so you can have the same thing up ‘n running in minutes. If you wanna make a donation then please do so here and thanks in advance.

    DOWNLOAD the scripts/installer here, very easy to setup

    Note: That is for Linux, I’ll make a Windows version soon.

    For anyone curious about the scripts I made without wanting to download, here:

    Setup bash script:

    PHP Script


    Also as a demo, I made a thread which will pop up a HTTP BASIC AUTH dialogue box – you can see how sweet it is 🙂 here

    • This topic was modified 1 year, 9 months ago by  . Reason: linked to pastebin
    • This topic was modified 1 year, 9 months ago by  . Reason: updated links
    • This topic was modified 1 year, 9 months ago by  . Reason: updated various things
    • This topic was modified 1 year, 9 months ago by  .
    • This topic was modified 1 year, 9 months ago by  .


    Pretty good info and write up! If you haven’t already, Id recommend throwing that on the OP3N section to hopefully get more visibility. I always enjoy it when internal info is able to be gleaned from your targets. Its unrelated to your attack, but while fuzzing some common directories, I noticed some 301 redirects that gave up the internal server. Fun times.




    Yeah I just submitted it. Also I just created another thread which, as a demo, will pop up a HTTP BASIC AUTH dialogue box – you can see how sweet it is 🙂 here






    I think this is fantastic. Thank you for sharing!



    Glad you enjoyed dude, also check out my login demo on the other thread here https://www.cybrary.it/forums/topic/warning-this-thread-will-pop-up-a-login-dialogue/

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?