king-phisher Beta Testing released : a phishing-focused social engineering campaign.

king-phisher Beta Testing released : a phishing-focused social engineering campaign.

change log latest version ;
+ Add a request jinja var for server pages
+ Add a jinja function to create CSRF pages.
+ Add a unittest to check the releases name schema.
+ Use the logo svg as the default window icon
King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. It features an easy to use, yet flexible architecture allowing full control over both emails and server content.
King Phisher is only to be used for legal applications when the explicit permission of the targeted organization has been obtained.
The King Phisher server hosts HTML content from the directory configured as the web_root. It tracks users and associates them with campaigns by monitoring request parameters and using cookies.
Easy Setup:
King Phisher uses a SQLite database making it easier and faster to setup with no dependencies on other services. Additionally King Phisher uses the packaged web server that comes standard with Python making configuring a separate instance unnecessary.king-phisher-logo

Dynamic content is supported through the powerful Jinja2 template engine. For more information on writing dynamic HTML pages for use with King Phisher, see the Templates wiki page.
Configuring Landing Pages
Landing pages are HTML pages which are presented to users when they are enticed to click a link from a message. The content of these pages can be anything from informing the user of the phishing attempt and educating them to presenting the user with a fake login page in an attempt to harvest credentials.
King Phisher includes a template education landing page which is available in the data directory.
When creating a new landing page, the King Phisher javascript resource /kp.js should be included in the html head tags. This resource is used to facilitate injecting dynamic javascript (such as BeEF hooks) into pages that are served to victims. This resource can be included with a simple script tag such as <script src=”/kp.js” type=”text/javascript”></script>.

Pages For Harvesting Credentials
King Phisher can be used to harvest credentials as part of a social engineering attack when a user visits the page. The login page needs to be written in such a way that a “username” and a “password” parameter are sent to any resource on the King Phisher server via either a GET or POST request. The server will then record the values of these parameters in the campaign database.

Pages For Exploitation
Server pages can also host any javascript including BeEF hooks which can facilitate launching browser based exploits. While javascript can be placed directly in any HTML content in the web root, a BeEF hook URL can be set through the client’s GUI configuration dialog. By setting the BeEF hook through the King Phisher configuration, clients will load the hook on all pages which load the King Phisher javascript resource.

Configuring The Web Root
The King Phisher server setting require_id can be configured to true to only serve pages when a resource is requested with a uid that can be associated with a campaign. This helps to prevent undesired attention to the landing pages.
Additionally the server setting vhost_directories can be enabled to divide the web root into sub-directories based on the requested VHOST. This is useful when multiple DNS entries are pointing to the same server. For example if a request is received with a VHOST of “” and the web_root setting is configured to “/var/www” then “/var/www/” will be used as the web root for the request.

Client Configuration :
The client configuration file is encoded in JSON and most options are configurable through the GUI interface.
The following options will be honored but are not configurable through the GUI:
+ server_remote_port (Default: 80)
+ mailer.max_messages_per_connection (Default: 5)
+ ssh_preferred_key (Default: N/A)

Download version :
Stable PDF 
Stable HTMLzip 
Latest HTMLzip
or clone git
source :