// EPS · Documentation

Email Pentest Sidekick

v1.0.0 · Linux x86-64 · GUI + CLI · Live
Authorised use only. EPS is designed for contracted penetration tests, red team exercises, and security audits on domains you own or are explicitly authorised to test. Always obtain written permission before testing any infrastructure you do not own.
Installation

EPS ships as a single static binary — no runtime dependencies, no Python environment, no Docker. Download from the customer portal and run it directly.

  1. Download from the portal
     Log in to portal.nohathacker.com, go to the Download section, and click Download EPS. You will receive eps-latest-linux-x86_64.tar.gz.

  2. Extract the archive
     tar -xzf eps-latest-linux-x86_64.tar.gz
     cd eps-1.0.0-linux-x86_64/

  3. Place your license key
     mkdir -p ~/.config/nohathacker/eps
     cp your-license.key ~/.config/nohathacker/eps/license.key
     Your license key is shown in the portal under My License → License Key. Click to copy it.

  4. Launch the GUI
     chmod +x eps-gui eps
     ./eps-gui
     The GUI requires a display server (X11 or Wayland). For headless environments, use the CLI binary instead.

License & Login

Every time EPS launches it reads ~/.config/nohathacker/eps/license.key and validates it against the license server. On first run you will be prompted for a 3FA login:

  1. Email address — the address registered in the portal
  2. Email OTP — 8-character code sent to that address
  3. TOTP code — 6-digit code from your authenticator app

After a successful login, a session is cached locally for 1 hour. You will not be prompted again until the session expires.

Demo vs Commercial

| Capability | Demo (7 days) | Commercial |
|---|---|---|
| Intel / SPF Walk / Permutations / Headers | Full access | Full access |
| Relay Hunter — scan & discover | Full access | Full access |
| Dark Web — search & view results | Full access | Full access |
| Templates — view built-ins | Full access | Full access |
| Start SMTP server | Disabled | Enabled |
| Send / Campaign — deliver emails | Disabled | Enabled |
| Password Spray — execute | Disabled | Enabled |
| Relay Hunter — save discovered relays | Disabled | Enabled |
| Logs | Disabled | Full history |
| Report — generate & export | Disabled | Enabled |

Demo mode lets you fully explore the reconnaissance and analysis features so you can evaluate EPS before purchasing. The send/spray/report actions require a commercial licence.
Intel

The Intel tab is a built-in reference panel for the consultant. It is not an active tool — it is a lookup reference that keeps essential frameworks in front of you during an engagement without needing a browser.

Intel — Reference Panel
Offline attack surface and compliance reference
  • OWASP Top 10 (A02/A05/A06/A07/A09) — relevant email-related categories with descriptions
  • MITRE ATT&CK — technique IDs for phishing, credential access, and execution via email
  • CVE database excerpts — notable email infrastructure CVEs
Use this to reference technique IDs when writing assessment notes or mapping findings to a compliance framework.
Server

The Server tab controls EPS's built-in SMTP server. This is used as a local relay — it receives email from the GUI and forwards it directly to the target MX, or via an open relay you have discovered.

Server — Local SMTP
Start/stop the internal SMTP relay
  • Start / Stop — toggle the local SMTP listener (default port 2525, configurable)
  • Bind address — set to 0.0.0.0 for remote access or 127.0.0.1 for localhost only
  • Server log — live SMTP session transcript (EHLO, MAIL FROM, DATA) for debugging
You need the server running if you plan to use Direct MX relay mode in the Send tab. For ESP relay modes (SendGrid, M365 etc.) the local server is not required.
Send

The primary attack delivery surface. Compose and send individual phishing or spear-phishing emails with full control over every header, relay, and evasion option. The right-side domain intelligence panel auto-populates SPF/DMARC/MX data for the From and To domains as you type.

Send — Email Delivery
Compose, configure, and deliver test emails
Basic fields
  • Scenario — select from 21 built-in phishing templates or switch to Custom to write your own
  • From / To / Subject / Body — standard email fields; From can differ from the SMTP envelope sender
  • Envelope-From override — sets the SMTP MAIL FROM independently of the visible From header; SPF checks the envelope, not the header From
Relay mode

| Mode | SPF | DKIM | DMARC | When to use |
|---|---|---|---|---|
| Direct MX | Fails if -all | No | Fails | Target has no DMARC policy |
| Open relay | Variable | No | Variable | Relay found via Relay Hunter |
| ESP relay (API key) | PASS | Maybe | Maybe | Stolen/found ESP credential |
| M365 / Gmail account | PASS | PASS | PASS | Gold credential from Dark Web |

Evasion options

| Option | Effect |
|---|---|
| Fake Received headers | Simulates a legitimate relay chain — hides origin in email clients that show basic headers |
| Thread hijacking | Adds In-Reply-To / References — email appears as a reply to an existing conversation |
| Business-hours timestamp | Snaps the Date: header to 09:00–17:00 on a weekday — passes time-anomaly filters |
| Corporate HTML template | Wraps body in a professional header/footer with unsubscribe link — reduces spam score |
| Base64 body encoding | Defeats keyword-based content scanners that read plain text |
| Tracking pixel | Embeds a 1×1 image beacon — logs email opens via your callback URL |
| Lure attachments | Invoice PDF, Contract DOCX, Payroll XLSM, ZIP, HTML — one-click attach |

MUA / MTA Impersonation

MUA impersonation sets the X-Mailer / User-Agent header and Message-ID format to match a specific mail client (Outlook, Apple Mail, Gmail app, Thunderbird, Yahoo Mail). MTA impersonation spoofs the EHLO hostname so the Received: header at the target looks like it came from a legitimate relay node (SendGrid, Mailgun, SES, Google Workspace, Exchange Online).

DKIM Signing

Click Generate to create a 2048-bit RSA keypair. EPS signs with RFC 6376 relaxed/relaxed canonicalization. Note: the signing domain (d=) is attacker-controlled, not the target domain — this only helps when DMARC is absent or set to p=none.

Campaign

Campaign mode sends the same payload to a list of targets with configurable pacing and automatic credential rotation through the vault.

Campaign — Bulk Delivery
Send to multiple targets with credential rotation
  • Target list — paste one email per line
  • Delay (ms) — milliseconds between sends; increase to avoid triggering rate limits
  • Credential rotation — cycles through all LIVE vault credentials round-robin per target, distributing send volume across multiple accounts
  • Live log — per-target delivery status updated in real time
  • Stop on first hit (optional) — halts after the first confirmed delivery to a target's inbox (useful for relay verification)
Templates

EPS ships with 21 built-in phishing scenarios covering the most common BEC and social engineering pretexts. You can also create, edit, and save custom templates.

Templates — Scenario Library
21 built-in BEC/phishing templates + custom editor
Built-in scenarios (sample)
  • CEO Fraud — Urgent Wire Transfer
  • CFO Invoice Approval
  • DocuSign — NDA Urgent Signature
  • IT Helpdesk — Password Reset
  • MFA Enrollment Required
  • VPN Credentials Expired
  • PayPal Security Alert
  • Bank Security Alert
  • Supply Chain — Purchase Order Confirmation
  • AWS Account — Unusual API Activity
  • … and 11 more
Custom templates

Click + New to create a template with Name, Category, Severity, From email/name, Subject, and Body. Templates are stored locally in ~/.config/nohathacker/eps/config.json. Click Reset to original to revert to the built-in defaults.

Relay Hunter

Relay Hunter is a 3-panel OSINT tool for discovering open or misconfigured SMTP relays. It combines internet-wide search APIs (FOFA, ZoomEye, Censys, Shodan) with a direct CIDR port-25 scanner, and verifies discovered relays by attempting to route a test email through them.

Relay Hunter — Three-Panel Layout
Config | Live probes | Hits & verification
Left panel — Configuration
  • FOFA, ZoomEye, Censys, Shodan — enter your API credentials and query strings (e.g., port=25 && country=BR)
  • CIDR Scan — directly probe a list of CIDR ranges for port 25 with a MAIL FROM/RCPT TO relay test; tabs for Africa / LATAM / Asia-Pac / Mid-East / All
  • Concurrency — number of parallel probes
  • Search / Stop — trigger the scan
Centre panel — Live probes

Shows all IPs currently being probed with the running probe/total count. Updates in real time.

Right panel — Port-25 hits
  • Lists all IPs where port 25 is open
  • Relay verification — send a test email to a controlled inbox to confirm end-to-end delivery
  • Use button — pre-fills the Send tab relay config with this IP and switches tabs
Creds

The Credential Vault stores SMTP/ESP credentials collected during reconnaissance. It tests them live and classifies results so you always know which credentials are usable and which match the target domain's SPF policy.

Creds — Credential Vault
Store, test, and classify SMTP/ESP credentials
  • Add credential — Provider (SendGrid, Mailgun, Amazon SES, Mandrill, SparkPost, Postmark, Brevo, MailerSend, Mailjet, Microsoft 365, Custom), host, port, username, password/API key
  • Bulk import — paste breach dump lines in host:port:user:pass format; EPS imports and queues all for testing
  • Test all untested — runs SMTP AUTH against every untested credential; handles STARTTLS automatically
  • Status: Live / Dead / Untested / Error
  • SPF match banner — if the target domain's SPF includes the ESP, a green banner highlights matching credentials and offers a Use as relay one-click shortcut
Credentials are stored in ~/.config/nohathacker/eps/creds.json. All credential data stays local — nothing is transmitted to Adamantware servers.
SPF Walk

SPF Walk recursively follows a domain's SPF record — resolving every include: and redirect= — to produce a complete map of which IP ranges are authorised to send email as that domain, and which ESPs those ranges belong to.

SPF Walk — Chain Walker
Recursive SPF tree with ESP fingerprinting
  • Enter a domain and click Walk SPF tree
  • Output shows an indented tree: each node is an include or redirect, with the resolved IPv4/IPv6 ranges indented beneath it
  • ESP detection — any IP range matched to a known ESP is highlighted with a ★ star and the relay hostname (e.g., smtp-relay.gmail.com:587)
  • Summary line — total nodes, IPv4 ranges, and ESP matches

Why this matters: A target may include spf.protection.outlook.com two levels deep, meaning any stolen Microsoft 365 credential delivers with SPF PASS as the target domain.
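
The same walk is worth running against your own domain as an audit. The sketch below is an added example, not EPS code: it walks include: and redirect= terms over constructed TXT records (the .test names, the SHARED_POOLS list and the function names are assumptions), counts DNS lookups against the RFC 7208 limit of 10, and reports any shared sender pool your record authorises and at what depth.

```python
import re

# Constructed TXT records standing in for DNS answers (reserved .test names).
SAMPLE_TXT = {
    "corp.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.test ~all",
    "_spf.mailvendor.test": "v=spf1 include:shared.bigesp.test ip4:198.51.100.0/25 -all",
    "shared.bigesp.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}
SHARED_POOLS = {"shared.bigesp.test"}  # assumed list of multi-tenant sender pools
LOOKUP_LIMIT = 10                      # RFC 7208 section 4.6.4
TERM = re.compile(
    r"^(?:redirect=(\S+)|([+\-~?]?)(all|ip4|ip6|include|a|mx|ptr|exists)(?:[:/](\S+))?)$",
    re.I)

def walk_spf(domain, txt, depth=0, audit=None, top=True):
    """Walk include:/redirect= from `domain`; `txt` maps name -> TXT string."""
    if audit is None:
        audit = {"ranges": [], "lookups": 0, "shared": [], "errors": [],
                 "policy": None, "seen": set()}
    if domain in audit["seen"]:
        audit["errors"].append(f"revisited {domain} (loop or duplicate include)")
        return audit
    audit["seen"].add(domain)
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        audit["errors"].append(f"no SPF record at {domain}")
        return audit
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            audit["errors"].append(f"unparsed term {term!r} at {domain}")
            continue
        redirect, qualifier, mech, arg = m.groups()
        mech = (mech or "redirect").lower()
        if mech in ("ip4", "ip6"):
            audit["ranges"].append((depth, domain, arg))
        elif mech == "all":
            if top:  # only the queried domain's (or its redirect's) "all" is the policy
                audit["policy"] = (qualifier or "+") + "all"
        else:
            audit["lookups"] += 1  # include, redirect, a, mx, ptr, exists each cost a query
            target = redirect or arg
            if mech in ("include", "redirect"):
                if target in SHARED_POOLS:
                    audit["shared"].append((depth + 1, target))
                walk_spf(target, txt, depth + 1, audit, top and mech == "redirect")
    return audit

def findings(audit):
    """Turn the raw audit into the points a domain owner should review."""
    out = [f"shared sender pool authorised at depth {d}: {name}"
           for d, name in audit["shared"]]
    if audit["policy"] != "-all":
        out.append(f"top-level policy is {audit['policy']}, not -all")
    if audit["lookups"] > LOOKUP_LIMIT:
        out.append(f"{audit['lookups']} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return out + audit["errors"]
```

To run it against live DNS, replace the dictionary with a resolver lookup that returns the TXT string for each name.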

Permutations

Domain Permutations generates hundreds of lookalike domains from a single target domain name, then optionally checks DNS to see which are already registered — identifying pre-existing typosquatting infrastructure or available domains for the assessment.

Permutations — Domain Lookalikes
Typosquatting & homoglyph generation with DNS check

| Technique | Example (google.com) |
|---|---|
| ASCII homoglyphs | g00gle.com, g0ogle.com |
| Transpositions | gooogle.com, ogoogle.com |
| Missing character | gogle.com, googe.com |
| Double character | googgle.com, goooogle.com |
| Adjacent QWERTY key | foogle.com, hoogle.com |
| Combosquatting prefix/suffix | secure-google.com, google-verify.com |
| TLD swaps | google.net, google.io, google.app |
| Subdomain spoofing | mail.google.com, accounts.google.com |

Click Check DNS registrations to run async batch DNS lookups. Results are colour-coded: ★ REG+MX (can receive email), registered (no MX), free.

Filter the list by technique type using the filter bar above the results.

Dark Web

Dark Web Credential Search routes all queries through Tor and searches multiple breach databases and paste sites for credentials associated with the target domain. Results are tiered by their attack value — gold credentials (M365/Gmail accounts) can achieve full DMARC-pass delivery.

Dark Web — Breach Credential Search
Tor-routed multi-source credential hunting
Search sources

| Source | Cost | Best for |
|---|---|---|
| ProxyNova COMB | Free | 3.2B entry SMTP hostname + API key prefix search |
| Scylla.sh | Free | Structured breach DB — email, password, hash, source |
| Onion paste sites | Free + Tor | Direct Tor-indexed dump search |
| LeakCheck.io | API key | Email/domain breach with attribution |
| DeHashed | API key | Comprehensive @domain search |
| IntelX | API key | Paste + .onion indexed content |
| Snusbase | API key | Structured records with full field parsing |

HIBP enrichment
  • Breach + stealer log lookup (API key) — lists all breaches for an email, and whether a stealer captured live credentials
  • Pwned Passwords (free, no key) — checks every found plaintext against 847M+ hashes using k-anonymity (password never sent in full)
Confidence tiers

| Tier | What it means | DMARC result |
|---|---|---|
| ★★★ GOLD | M365 / Gmail / Google Workspace account | PASS |
| ★★ SILVER | ESP API key (SendGrid / Mailgun / SES / Postmark / Brevo) | Pass if domain uses ESP |
| ★ BRONZE | Other SMTP relay credential | Variable |
| 🔑 Password | Plaintext — test against known SMTP hosts | |
| # Hash | Needs cracking first | |

EPS auto-generates 13 queries from the target domain — email breach lookups plus ESP SMTP hostname prefixes (SG., smtp.sendgrid.net, smtp.office365.com, etc.) — so you don't have to build these manually.
Tor must be running (tor service or the Tor browser bundle) before the Dark Web tab can connect. Check Tor status with the Check Tor button and configure the SOCKS proxy if using a non-default port.
Headers

The Header Analyser scores email headers for suspiciousness and reveals authentication results, relay chain anomalies, and forensic indicators. It has two modes: analyse received headers or preview what your own outgoing email headers will look like.

Headers — Forensic Analyser
Suspicion scoring + authentication breakdown
Modes
  • Analyse — paste raw headers from any email (Gmail: More → Show Original; Outlook: File → Properties)
  • Preview my outgoing email — builds the MIME with your current Send settings and scores it before you send
What it checks
  • SPF / DKIM / DMARC / ARC authentication results
  • DKIM-Signature tag analysis (a=, c=, d=, h=, l= body-length tag warning)
  • Received hop routing anomalies and timestamp deltas
  • Return-Path / From mismatch, Reply-To hijack detection
  • Message-ID domain mismatch, X-Mailer fingerprinting
  • Duplicate From headers

Verdict: a 0–100 suspicion score with verdict label: Clean / Suspicious / Likely Spoofed / Definitely Spoofed. Individual findings are listed below the score with severity labels.
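
Several of the checks listed above can be applied to inbound mail with the Python standard library. This is an added detection sketch, not EPS's analyser and not its scoring: the sample headers are constructed, the finding labels and the trusted_authserv parameter are assumptions, and organisational domains are approximated by the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers for illustration (reserved .test names, not a real message).
SAMPLE = """\
Return-Path: <bounce@mailer.bulk-sender.test>
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=mailer.bulk-sender.test;
 dkim=pass header.d=bulk-sender.test; dmarc=none header.from=corp.test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bulk-sender.test; s=sel1;
 l=120; h=from:to:subject; bh=AAAA; b=BBBB
From: "Finance" <cfo@corp.test>
Reply-To: cfo@corp-payments.test
Message-ID: <abc123@mailer.bulk-sender.test>
Subject: Invoice

body
"""

def org_domain(value):
    """Last two labels of the host part (assumption: production code uses the Public Suffix List)."""
    host = value.rsplit("@", 1)[-1].strip("<> \t\r\n").lower()
    return ".".join(host.split(".")[-2:])

def check_headers(raw, trusted_authserv="mx.corp.test"):
    """Return a list of finding labels for one message's raw headers."""
    msg = message_from_string(raw)
    found = []
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        found.append("duplicate-from" if froms else "missing-from")
    if not froms:
        return found
    from_dom = org_domain(parseaddr(froms[0])[1])
    # Identifiers that should normally share the visible From domain.
    for header, label in (("Return-Path", "return-path-mismatch"),
                          ("Reply-To", "reply-to-mismatch"),
                          ("Message-ID", "message-id-mismatch")):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr and org_domain(addr) != from_dom:
            found.append(label)
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {k.strip(): v.strip()
                for k, v in (t.split("=", 1) for t in sig.split(";") if "=" in t)}
        if org_domain(tags.get("d", "")) != from_dom:
            found.append("dkim-d-unaligned")   # valid signature, but for another domain
        if "l" in tags:
            found.append("dkim-l-tag")         # body beyond l= bytes is unsigned
    for ar in msg.get_all("Authentication-Results", []):
        if ar.split(";", 1)[0].strip() != trusted_authserv:
            continue  # ignore results not stamped by our own boundary MTA
        m = re.search(r"\bdmarc=(\w+)", ar)
        if m and m.group(1).lower() != "pass":
            found.append("dmarc-" + m.group(1).lower())
    return found
```

The sample passes SPF and DKIM yet is flagged on alignment, which is the case a pass/fail view of authentication results alone would miss.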

Spray

Password Spray performs SMTP AUTH attempts across multiple target accounts using a common password wordlist. Stealth mode ensures only one password is tested per account per session to stay under lockout thresholds.

Spray — SMTP AUTH Password Spray
Low-and-slow credential testing with lockout avoidance
  • Single target / Multi target — toggle mode; multi target accepts one email per line
  • Stealth mode — one password tested per account per session, rotating across accounts rather than exhausting one (avoids 5-bad-attempts lockout)
  • SMTP host / Port — target mail server (typically smtp.office365.com:587 or smtp.gmail.com:587)
  • Delay (ms) — pause between attempts; increase for conservative pacing
  • Stop on first hit — halts the spray the moment a live credential is found
  • Wordlists — bundled Ignis series: ignis-1K (1k), ignis-10K (10k), ignis-100K (810k), ignis-1M (8.4MB), plus language-specific lists (Cantonese, Croatian, Danish, Estonian, Finnish, French, and more)
Hits are automatically imported into the Credential Vault with status Live and can be used immediately as relay credentials in the Send tab.
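
Because stealth mode keeps each account under its lockout threshold, per-account failure counters will not fire; the pattern only shows up when failures are grouped by source. The following is an added detection sketch, not part of EPS: the log line format, thresholds and function name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a hypothetical "smtp-auth" format.
SAMPLE_LOG = """\
2025-03-03T09:00:05Z smtp-auth result=fail user=alice@corp.test src=203.0.113.7
2025-03-03T09:02:11Z smtp-auth result=fail user=bob@corp.test src=203.0.113.7
2025-03-03T09:03:40Z smtp-auth result=fail user=bob@corp.test src=198.51.100.20
2025-03-03T09:03:52Z smtp-auth result=fail user=bob@corp.test src=198.51.100.20
2025-03-03T09:04:10Z smtp-auth result=ok user=bob@corp.test src=198.51.100.20
2025-03-03T09:04:30Z smtp-auth result=fail user=carol@corp.test src=203.0.113.7
2025-03-03T09:06:45Z smtp-auth result=fail user=dave@corp.test src=203.0.113.7
2025-03-03T09:09:02Z smtp-auth result=ok user=erin@corp.test src=203.0.113.7
2025-03-03T09:11:20Z smtp-auth result=fail user=frank@corp.test src=203.0.113.7
""".splitlines()

LINE = re.compile(r"^(\S+) smtp-auth result=(ok|fail) user=(\S+) src=(\S+)$")

def detect_spray(lines, window_s=3600, min_users=4, max_per_user=2):
    """Flag sources that fail against many accounts with few tries per account."""
    fails = defaultdict(lambda: defaultdict(int))   # (src, window) -> user -> failures
    oks = defaultdict(set)                          # (src, window) -> users that logged in
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        key = (src, int(epoch // window_s))         # fixed time buckets, not sliding
        if result == "fail":
            fails[key][user] += 1
        else:
            oks[key].add(user)
    alerts = []
    for key, per_user in sorted(fails.items()):
        # Wide (many accounts) and shallow (few tries each) is the spray shape;
        # a user mistyping a password is narrow and deep.
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({
                "src": key[0],
                "accounts": len(per_user),
                "max_fails_per_account": max(per_user.values()),
                # Successful logins from the same source need a credential reset.
                "review": sorted(oks[key]),
            })
    return alerts
```

Grouping by source alone misses a spray spread across many addresses, so in production the same counting is usually repeated per ASN or per time window across all sources.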
Logs

The Logs tab shows a timestamped record of every test email sent during the session. Use it to track what was delivered, to which target, and with what result.

Logs — Test History
Time / Type / From / Target / Result per send
  • Columns: Time, Type (scenario name), From address, Target address, Result (Delivered / Blocked / Error)
  • Refresh — reload from the log file
  • Clear — wipe the current session log

Logs are persisted to ~/.config/nohathacker/eps/est_tests.log and are included in the Report output.

Report

One click generates a client-ready HTML pentest report summarising the entire assessment — findings, credential tiers, domain analysis, test history, and colour-coded recommendations.

Report — Assessment Report
Professional HTML output with risk ratings
  • Generate & Open in Browser — creates and immediately opens the report in your default browser
  • Save HTML — saves to ~/.config/nohathacker/eps/reports/eps_report_YYYYMMDD_HHMM.html
  • Print to PDF — use the browser's Print → Save as PDF for client deliverables
Report sections
  1. Overall risk level banner (CRITICAL / HIGH / MEDIUM / LOW) with score
  2. Executive summary — sent / delivered / blocked / delivery rate / gold creds found / SMTP creds found
  3. Domain security analysis — SPF / DMARC policy / MX provider / ESPs for each tested domain
  4. Credentials found — tier badges / email / relay host / HIBP count / breach source
  5. Full test send history
  6. Recommendations — CRITICAL to LOW, colour-coded with remediation steps
CLI Reference

The eps binary provides a headless CLI for all core send operations — useful for scripted tests and CI pipelines.

eps list                                    # List all 21 built-in scenarios

eps test -s 1 -t victim@company.com \
  --smtp-host smtp.example.com \
  --smtp-port 587

eps custom \
  --from-email ceo@company.com \
  --from-name "CEO Name" \
  --subject "Wire transfer request" \
  --body "Please process..." \
  -t victim@company.com \
  --smtp-host localhost --smtp-port 2525

eps server --host 0.0.0.0 --port 2525      # Start local SMTP relay
eps logs --lines 50                         # Show last 50 log entries
eps report --output report.html            # Generate report to file
Attack Chain Walkthrough

This walkthrough shows how the modules connect in a real engagement against company.com.

TARGET: company.com

1. RECONNAISSANCE
   SPF Walk tab  →  find include:sendgrid.net at depth 2
   SPF Walk tab  →  DMARC check: p=none (monitoring only — no enforcement)
   Permutations  →  company-secure.com is free to register

2. CREDENTIAL HUNTING  (Dark Web tab, all traffic through Tor)
   ProxyNova     →  smtp.sendgrid.net:587:apikey:SG.xxx → SILVER
   HIBP stealer  →  ceo@company.com: outlook.com in stealer domains → GOLD candidate
   DeHashed      →  ceo@company.com:P@ssword123 → test O365

3. VAULT + TEST  (Creds tab)
   Import SG. key  → Test → LIVE (SendGrid)
   ceo@company.com:P@ssword123 on smtp.office365.com → LIVE (GOLD)

4. SEND  (Send tab)
   From:       boss@company.com
   Relay:      smtp.office365.com (stolen CEO account)
   MUA:        Microsoft Outlook (Windows)
   MTA spoof:  Exchange Online EHLO
   Evasion:    thread hijack + business hours date + corporate HTML template
   Attachment: Invoice_2024.pdf
   Result:     SPF PASS + DKIM PASS (Microsoft signs) + DMARC PASS → Inbox

5. REPORT  (Report tab)
   Generate → Professional HTML → Print to PDF → deliver to client
Configuration & Files

All state is stored under ~/.config/nohathacker/eps/.


| File | Contents |
|---|---|
| license.key | Your Adamantware license key — read on every launch |
| config.json | Scenarios, API keys, preferences |
| creds.json | Credential vault |
| relays.json | Discovered open relays |
| est_tests.log | Test result history |
| reports/ | Generated HTML pentest reports |
| session.json | Cached 1-hour login session |

None of these files are synced to Adamantware servers. License validation is the only network call made to our infrastructure during normal operation.