goCabrito – Super Flexible Script for Sending Phishing Campaigns

goCabrito - Super Flexible Script for Sending Phishing Campaigns xploitlab


Super organized and flexible script for sending phishing campaigns.


  • Sends to a single email
  • Sends to lists of emails (text)
  • Sends to lists emails with first, last name (csv)
  • Supports attachments
  • Splits emails in groups
  • Delays sending emails between each group
  • Support Tags to be placed and replaced in the message’s body
    • Add {{name}} tag into the HTML message to be replaced with name (used with –to CSV).
    • Add {{track-click}} tag to URL in the HTML message.
    • Add {{track-open}} tag into the HTML message.
    • Add {{num}} tag to be replaced with a random phone number.
  • Supports individual profiles for different campaigns to avoid mistakes and confusion.
  • Supports creating database for sent emails, each email with its unique hash (useful with getCabrito)
  • Supports dry test, to run the script against your profile without sending the email to test your campaign before the launch.

Why not use goPhish?

goPhish is a gerat choice too. But I prefer flexibility and simplicity at the same time. I used goPhish various times but at somepoint, I’m either find it overwhelming or inflexible.

Most of the time, I don’t need all these statistics, I just need a flixable way to prepare my phishing campaigns and send them. Each time I use goPhish I’ve to go and check the documentations about how to add a website, forward specific requests, etc. So I created goCabrito and getCabrito.

getCabrito optionally generates unique URL for email tracking.

  • Email Opening tracking: Tracking Pixel
  • Email Clicking tracking

by generate a hash for each email and append it to the end of the URL or image URL and store these information along with other things that are useful for getCabrito to import and servering. This feature is the only thing connects goCabrito with getCabrito script, so no panic!.


Install gems’ dependencies

sudo apt-get install build-essential libsqlite3-dev

Install gems

gem install mail sqlite3

How you really use it?

  1. I create directory for each customer
  2. Under the customer’s directory, I create a directory for each campaign. This sub directory contains
  • The profile
  • The To, CC & BCC lists in CSV format
  • The message body in HTML format
  1. I configure the profile and prepare my HTML
  2. Execute the campaign profile in dry mode first (check the profile file dry value)
ruby goCabrito.rb -P CUSTOMER/3/camp3.json –dry

  1. I remove the --dry switch and make sure the dry value is false in the config file
  2. Send to a test email
  3. Send to the real lists


SMTP authentication issues

Nowadays, many cloud-based email vendors block SMTP authentication by default (e.g. Office365, GSuite). This of course will cause an error. To solve this, here are some steps to help you enabling AMTP authentication on different vendors.

Enable SMTP Auth Office 365

To globally enabling SMTP Auth, use powershell.

Click here to see the details instructions

Then follow the following steps

  1. Go to Asure portal (https://aad.portal.azure.com/) from admin panel (https://admin.microsoft.com/)
  2. Select All Services
  3. Select Tenant Properties
  4. Click Manage Security defaults
  5. Select No Under Enable Security defaults

Google GSuite

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

4 + 17 =