– Moved templates to a dedicated separate repository
– Added a custom theme for the client
– Added support for two-factor authentication with TOTP
– Support for specifying an img style attribute for inline images in messages
King Phisher is a tool for testing and promoting user awareness by simulating real-world phishing attacks. It features an easy-to-use, yet flexible architecture allowing full control over both emails and server content.
King Phisher is only to be used for legal applications when the explicit permission of the targeted organization has been obtained.
The King Phisher server hosts HTML content from the directory configured as the web_root. It tracks users and associates them with campaigns by monitoring request parameters and using cookies.
King Phisher uses a SQLite database, making it easier and faster to set up with no dependencies on other services. Additionally, King Phisher uses the web server that ships with the Python standard library, making it unnecessary to configure a separate instance.
Dynamic content is supported through the powerful Jinja2 template engine. For more information on writing dynamic HTML pages for use with King Phisher, see the Templates wiki page.
Configuring Landing Pages
Landing pages are HTML pages which are presented to users when they are enticed to click a link from a message. The content of these pages can be anything from informing the user of the phishing attempt and educating them to presenting the user with a fake login page in an attempt to harvest credentials.
King Phisher includes a template education landing page which is available in the data directory.
Pages For Harvesting Credentials
King Phisher can be used to harvest credentials as part of a social engineering attack when a user visits the page. The login page needs to be written in such a way that a “username” and a “password” parameter are sent to any resource on the King Phisher server via either a GET or POST request. The server will then record the values of these parameters in the campaign database.
Pages For Exploitation
Configuring The Web Root
The King Phisher server setting require_id can be configured to true to only serve pages when a resource is requested with a uid that can be associated with a campaign. This helps to prevent undesired attention to the landing pages.
Additionally, the server setting vhost_directories can be enabled to divide the web root into sub-directories based on the requested VHOST. This is useful when multiple DNS entries point to the same server. For example, if a request is received with a VHOST of “example.com” and the web_root setting is configured to “/var/www”, then “/var/www/example.com” will be used as the web root for that request.
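The following Python snippet illustrates how the two server settings described above (require_id and vhost_directories) constrain what the server will answer. It is an added example, not King Phisher's own code: the setting names and the “/var/www” plus “example.com” mapping come from the text, while the function names (resolve_web_root, should_serve), the use of an "id" query parameter to carry the uid, and the sample configuration and campaign ids are assumptions constructed for the example. It also shows a check the text implies but does not spell out: because the VHOST comes from the client-controlled Host header, it must be reduced to a single directory name that stays inside web_root before it is used as a path.

```python
"""Illustration of the require_id and vhost_directories server settings.

Added example, not King Phisher's own implementation. Function names,
the "id" query parameter and all sample data below are assumptions.
"""
import posixpath
from urllib.parse import parse_qs, urlparse

# Constructed sample server configuration (values are from the documentation).
SERVER_CONFIG = {
    "web_root": "/var/www",
    "require_id": True,
    "vhost_directories": True,
}

# Constructed sample uids that the campaign database would know about.
KNOWN_CAMPAIGN_IDS = {"a1b2c3", "d4e5f6"}


def resolve_web_root(config, host_header):
    """Return the directory to serve this request from, or None to refuse it.

    With vhost_directories enabled the requested VHOST selects a sub-directory
    of web_root, e.g. Host: example.com -> /var/www/example.com.  The Host value
    is attacker-controlled input, so it is normalised (port stripped, lower
    cased) and rejected unless the result is a direct child of web_root.
    """
    web_root = posixpath.normpath(config["web_root"])
    if not config.get("vhost_directories"):
        return web_root
    host = host_header.split(":", 1)[0].strip().lower()
    if not host:
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, host))
    # Anything containing "..", "/" or resolving outside web_root is refused.
    if posixpath.dirname(candidate) != web_root:
        return None
    return candidate


def should_serve(config, request_target, campaign_ids):
    """Decide whether a request may be answered under require_id.

    When require_id is true only requests whose "id" parameter (assumed name)
    maps to a known campaign are served; all others should receive a 404 so the
    landing pages draw no undesired attention from casual visitors or scanners.
    """
    if not config.get("require_id"):
        return True
    query = parse_qs(urlparse(request_target).query)
    uid = query.get("id", [None])[0]
    return uid in campaign_ids


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("example.com", "/index.html?id=a1b2c3"),   # served from /var/www/example.com
        ("example.com", "/index.html"),             # refused: no campaign uid
        ("../etc", "/index.html?id=a1b2c3"),        # refused: VHOST escapes web_root
    ]
    for host, target in samples:
        root = resolve_web_root(SERVER_CONFIG, host)
        ok = root is not None and should_serve(SERVER_CONFIG, target, KNOWN_CAMPAIGN_IDS)
        print("%-12s %-28s -> %s" % (host, target, root if ok else "404"))
```

Running the block prints one line per constructed request; only the first is served, the other two fall through to a 404 either because the uid is missing or because the Host header does not name a valid sub-directory of web_root.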
Client Configuration
The client configuration file is encoded in JSON and most options are configurable through the GUI.
The following options will be honored but are not configurable through the GUI:
+ server_remote_port (Default: 80)
+ mailer.max_messages_per_connection (Default: 5)
+ ssh_preferred_key (Default: N/A)