I’ve been experimenting with the SET toolkit that comes with Kali, trying to send an email with an infected PDF to my test VM using a Gmail address, but Gmail catches and kills it every time. I’ve played with the encoders, but can’t seem to get any of the built-in ones to do the trick. How do you get these payloads out the door undetected?
Of course, Gmail has good security, but even if you do something to make Gmail allow this file, the victim computer’s antivirus might detect it; there is no guarantee of making a payload totally undetectable. I recommend you learn C++ and create your own Trojan, which is much harder to detect and even more secure; you can also use some methods for your Trojan to reduce the chance of detection. After all, client side attacks are not so technical; it’s better to spend your time with server side attacks.
Just send the mail directly yourself. Exim4 is a breeze to set up: dpkg-reconfigure exim4-config
You’ll likely need a business account with your ISP or have something like a VPS that allows outbound SMTP. If you’re testing this locally, you’ll need to set up a POP/IMAP/web mail server that the client will access as well.
As noted above, default attacks in common tools are almost always caught, and you will want to use something custom in practice. However, the defaults are fine to play around with while you’re learning.