Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
Phishing engagements can uncover how susceptible a company's employees are to this type of attack. Because almost anybody can set up a phishing scam very quickly in order to obtain valid credentials and other sensitive information, it is important for companies to test the security awareness of their users and to include phishing exercises in their security testing program. Most of the time this type of attack succeeds because it exploits the user's trust in conjunction with the user's lack of security awareness.
However, even though as a community we have built frameworks and tools over the years for almost every type of assessment, we never had a tool that could implement and manage a phishing engagement quickly and simply, with the stats that we need for our clients. Phishing Frenzy is here to close this gap and to assist the penetration testers who conduct phishing engagements.
Phishing Frenzy is a tool created by @zeknox, a security consultant and researcher from Accuvant Labs. One of its main advantages over similar tools is that you can manage your phishing tests more efficiently, because you can include the scope of your engagement when you create a new phishing campaign.
Installation of Phishing Frenzy
Clone the Phishing Frenzy repository to your system
#git clone https://github.com/pentestgeek/phishing-frenzy.git /var/www/phishing-frenzy
We are going to use RVM to install Ruby and Ruby on Rails. For additional details on how to install RVM please see: https://rvm.io/rvm/install
Install RVM and Ruby
#curl -L https://get.rvm.io | bash -s stable --ruby
Pay attention to the install notes here: you may be required to run a command similar to the following in order to get rvm working properly. You may also be asked to log out and log back in, or to open a new shell, before rvm functions properly.
Load .bashrc to make rvm useable
Install Ruby on Rails. We can use rvm to get the job done.
#rvm all do gem --no-rdoc --no-ri install rails
Install mod_passenger for Apache
#rvm all do gem --no-rdoc --no-ri install passenger
If you do not have the required software to install passenger, the script will let you know which additional software needs to be installed.
#apt-get install libcurl4-openssl-dev apache2-threaded-dev libapr1-dev libaprutil1-dev
You will need to invoke the passenger-install-apache2-module to continue
Also you will need to add the following line which is used to manage the virtual hosts.
This addition to include pf.conf tells Apache to look at this file within the Apache directory (/etc/apache2/pf.conf) and serve up whatever website is configured.
Now that Apache is configured to process the pf.conf configuration file every time it reloads or restarts, we need to create the file and add the following content to pf.conf. ‘ServerName’ should be changed to whichever domain name Phishing Frenzy is running under. This tells Apache which website to serve up when a request for phishingfrenzy.com is made.
# !!! Be sure to point DocumentRoot to 'public'!
# This relaxes Apache security settings.
# MultiViews must be turned off.
LoadModule passenger_module /usr/local/rvm/gems/ruby-2.0.0-p247/gems/passenger-4.0.20/buildout/apache2/mod_passenger.so
Ensure PF can write to the httpd.conf file
Change ownership of the Apache config to allow Phishing Frenzy to manage virtual hosts. If you currently have entries within the httpd.conf file, back up the file now, because Phishing Frenzy will delete all entries in this file when managing virtual hosts for phishing campaigns.
#chown www-data:www-data /etc/apache2/httpd.conf
#service mysql start
Create Rails Database for Phishing Frenzy:
#mysql -u root -p
#mysql> create database pf_dev;
#mysql> grant all privileges on pf_dev.* to 'pf_dev'@'localhost' identified by 'bhuvi';
Ruby on Rails Configuration
Make sure the app/config/database.yml file is properly configured or the rake tasks will fail. The database.yml file tells your Rails application how to authenticate to the database server and access the database. If either of the rake tasks fails, it will render Phishing Frenzy worthless, so ensure the rake tasks complete successfully before continuing.
Ensure that you are in the root of the Rails application before running any rake commands. Otherwise the rake commands will almost certainly fail, because they need the Rakefile located in the application root (approot/Rakefile).
Before you chmod these files, you may be required to create the log directory or even the development.log file if the rails application has never been started.
#chmod 0666 /var/www/phishing-frenzy/log/development.log
#chmod 0666 /var/www/phishing-frenzy/db/schema.rb
Create Database schema using Rails Migrations:
Populate database with content using Rails Seeds helper:
If you would like to install the 2 default templates (efax and intel password checker) you can do so by simply running the following rake task.
Phishing Frenzy uses Sidekiq to send emails in the background. Sidekiq depends on Redis to manage the job queue. At this time, Phishing Frenzy does not use asynchronous processing by default, so you do not need to install Redis and Sidekiq unless you want it. The feature can be enabled from the Global Settings view in the Admin section.
In order to allow for Sidekiq process monitoring, you must start Sidekiq with a configuration that places the Sidekiq pid in /tmp/pids/sidekiq.pid
#tar xzf redis-stable.tar.gz
If you would like to bind Redis to the loopback interface, check out the Redis documentation for more details.
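Redis takes its listening addresses from the bind directive in redis.conf. The following check is an added example, not part of the original guide or of Phishing Frenzy: it reports whether a given configuration file restricts Redis to loopback. The function name redis_bind_check and the sample configuration are assumptions made for illustration.

```shell
# Added example: check whether a redis.conf limits Redis to loopback.
# Exit status: 0 = every bind address is loopback,
#              1 = at least one non-loopback address,
#              2 = no active bind directive found.
redis_bind_check() {
    awk '
        # Only active lines count; "# bind ..." has "#" as its first field.
        tolower($1) == "bind" {
            seen = 1
            for (i = 2; i <= NF; i++) {
                a = $i
                sub(/^-/, "", a)   # a leading "-" marks an optional address
                if (a !~ /^127\./ && a != "::1") {
                    print "non-loopback bind address: " a
                    bad = 1
                }
            }
        }
        END {
            if (!seen) {
                print "no bind directive: Redis may listen on all interfaces"
                exit 2
            }
            if (bad) exit 1
            print "loopback only"
        }
    ' "$1"
}

# Constructed sample configuration so the block runs on its own.
sample=$(mktemp)
printf '# constructed sample\nbind 127.0.0.1 -::1\nport 6379\n' > "$sample"
redis_bind_check "$sample"
rm -f "$sample"
```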
Start the sidekiq server to interact with redis
#chown www-data:www-data -R /var/www/phishing-frenzy
#bundle exec sidekiq -C config/sidekiq.yml
Change ownership and permissions of the web application to the same account Apache is running as. In most cases this will be the ‘www-data’ account.
#chown -R www-data:www-data phishing-frenzy/
#chmod a+rw /var/www/phishing-frenzy/public/templates/
#chmod o+rw phishing-frenzy/public/uploads/
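The chmod steps in this guide (0666 on development.log and schema.rb, a+rw on public/templates, o+rw on public/uploads) make those paths writable by every local account. The following audit is an added example, not part of the original guide: it lists world-writable paths under the install root and flags any that are not on an expected list. The function names, the allow-list file and the sample tree (including the stray config/database.yml) are constructed for illustration.

```shell
# List paths (relative to the root) that any local account can modify.
world_writable() {
    # -perm -0002 selects entries with the "other" write bit set; symlinks
    # are skipped because their own mode bits are not enforced.
    (cd "$1" && find . ! -type l -perm -0002 -print | sed 's|^\./||' | sort)
}

# Print world-writable paths that are not on the allow list (one relative
# path per line). Prints nothing when only the expected paths are writable.
unexpected_writable() {
    world_writable "$1" | grep -vxF -f "$2" || true
}

# Build a constructed tree that mirrors the chmod steps from the guide,
# plus one stray world-writable file (config/database.yml) to detect.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/log" "$t/db" "$t/config" "$t/public/templates" "$t/public/uploads"
    touch "$t/log/development.log" "$t/db/schema.rb" "$t/config/database.yml"
    chmod -R go-w "$t"
    chmod 0666 "$t/log/development.log" "$t/db/schema.rb" "$t/config/database.yml"
    chmod a+rw "$t/public/templates"
    chmod o+rw "$t/public/uploads"
    echo "$t"
}

tree=$(build_sample_tree)
allow="$tree.allow"
printf '%s\n' log/development.log db/schema.rb public/templates public/uploads > "$allow"
unexpected_writable "$tree" "$allow"
rm -rf "$tree" "$allow"
```

On a real install, pass /var/www/phishing-frenzy as the root and review anything the second function prints.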
Edit /etc/sudoers to allow Phishing Frenzy to restart apache and manage the virtual hosts. This way Phishing Frenzy can run multiple phishing websites on one webserver.
www-data ALL=(ALL) NOPASSWD: /etc/init.d/apache2 reload
Configure the SITE_URL within config/application.rb to the appropriate FQDN of the PF interface. This is most likely the same FQDN defined in pf.conf:
SITE_URL = "http://www.arthar.com"
Start Apache web server
# apachectl start
Enjoy Phishing Frenzy!!!!!
Phishing Frenzy is configured with a default login of: