{"id":19065728,"url":"https://github.com/4lph4shell/pishing-api-master","last_synced_at":"2026-03-19T08:00:39.072Z","repository":{"id":258781113,"uuid":"875692636","full_name":"4lph4shell/pishing-api-master","owner":"4lph4shell","description":"4lph4 pishing api master","archived":false,"fork":false,"pushed_at":"2024-10-20T16:44:03.000Z","size":8009,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-02-28T11:25:40.567Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Hack","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/4lph4shell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-20T16:13:40.000Z","updated_at":"2024-10-23T14:03:36.000Z","dependencies_parsed_at":"2024-10-20T19:28:17.975Z","dependency_job_id":null,"html_url":"https://github.com/4lph4shell/pishing-api-master","commit_stats":null,"previous_names":["4lph4shell/pishing-api-master"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/4lph4shell/pishing-api-master","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4lph4shell%2Fpishing-api-master","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4lph4shell%2Fpishing-api-master/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4lph4shell%2Fpishing-api-master/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4lph4shell%2Fpishing-api-master/manifests","owner_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/owners/4lph4shell","download_url":"https://codeload.github.com/4lph4shell/pishing-api-master/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4lph4shell%2Fpishing-api-master/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30700607,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-19T05:29:31.190Z","status":"ssl_error","status_checked_at":"2026-03-19T05:28:25.821Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T00:52:20.019Z","updated_at":"2026-03-19T08:00:39.027Z","avatar_url":"https://github.com/4lph4shell.png","language":"Hack","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pishing-api-master\r\n\r\n4lph4 pishing api master\r\n\r\nThis API has three main features. One allows you to easily deploy cloned landing pages for credential stealing, another is weaponized Word doc creation, and the third is saved email campaign templates. Both attack methods are integrated into Slack for real-time alerting. 
\u003cb\u003eUnfortunately, I'm no longer running this code as a free service @ https://phishapi.com due to cost, sorry!\u003c/b\u003e\r\n\r\n## Update\r\n\r\nThis latest version no longer redirects users of the landing pages to the API directly by default, but instead sends an AJAX request to the API server prior to posting the form data to the legitimate target site. This provides for a more seamless experience for the \"victim\" and will actually log them into the target site when they submit their credentials, instead of performing what appears to be a refresh on the login page. CSRF protection is bypassed by the API grabbing the token beforehand! However, I haven't yet gotten around to updating all of the cloned portal pages to use this new method so many will still perform the redirect. FYI!\r\n\r\n\u003cimg src=\"https://github.com/sobhan-azimzadeh/pishing-api-master/blob/master/asset/screencapture-localhost-Phishing-API-master-2024-10-20-19_35_26.png\" \u003e\r\n\r\n\u003cimg src=\"https://github.com/sobhan-azimzadeh/pishing-api-master/blob/master/asset/Screenshot%202024-10-20%20193608.png\" \u003e\r\n\u003cimg src=\"https://github.com/sobhan-azimzadeh/pishing-api-master/blob/master/asset/screencapture-localhost-Phishing-API-master-templates-templatecreation-php-2024-10-20-19_36_25.png\" \u003e\r\n\u003cimg src=\"https://github.com/sobhan-azimzadeh/pishing-api-master/blob/master/asset/screencapture-localhost-Phishing-API-master-templates-templatecreation-php-2024-10-20-19_36_41.png\" \u003e\r\n\r\n# To Setup :\r\n\r\n1. Import the DB SQL Dump Schema to a new MySQL Instance `mysql -u root -h localhost \u003c DatabaseSQLDump.sql;`. You may have to create a new user that's not \"root\" and grant all privileges to all databases for your config if you have issues.\r\n\r\n2. Host the PHP (PHP7 is supported!) from a web service (Tested with Apache)\r\n\r\n3. Configure `/var/www/html/config.php` with your variables\r\n\r\n4. Install `apt-get install zip`\r\n\r\n5. 
Chmod 777 all `/var/www/html/phishingdocs` and `/var/www/html/templates/` subdirectories (or Docs and Templates will not work!)\r\n\r\n6. Limit Access to the \"Results\" Directories `/var/www/html/results` and `/var/www/html/phishingdocs/results` (Apache's Basic Auth is Recommended)\r\n\r\n7. Use HTTPS (Let's Encrypt!) and a Domain for the Hosted API\r\n\r\n8. Optionally run Responder and BeEF in a screen session and import the crontab file\r\n\r\n9. Enable browscap in your php.ini config and point to it in your web directory `/var/www/html/browscap.ini` (included in this repo)\r\n\r\n10. Enjoy! :) Message me if you have any issues. This does not work on Windows!\r\n\r\n# 2) To Use the API for Generating Word Doc Payloads :\r\n\r\n1. Create `/var/www/uploads` Path and `sudo chmod 777 /var/www/uploads -R` the path\r\n\r\n2. Browse out to your hosted API (YOUR_URL.com) and select \"Weaponized Documents\" to generate your DOCX\r\n\r\n3. Optionally set up [Responder](https://github.com/SpiderLabs/Responder \"Responder\") in a background process and run `phishinghashes.sh` every minute or so with cron\r\n\r\n4. Set up your php.ini to allow uploads of at least 15MB and enable browscap.ini for parsing UserAgent strings, otherwise some functionality may be limited.\r\n\r\n5. Email your doc and wait for the Slack alerts!\r\n\r\n\u003cp align=\"center\"\u003e\u003cb\u003eBonus points if you use your docs as honeypot bait! 
:)\u003c/b\u003e\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/LW4BUjN.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 1: Web Based Payload Generation - Create New Doc or Upload Existing w/ Payload Options\u003c/b\u003e\r\n\u003c/p\u003e\r\n                  \r\n            \r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/onsPyFp.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 2: Opening Document Generated (New) by Service\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/sw8JWQE.png\" width=\"40%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 3: If \"Auth Prompt\" is Selected in Payload Options, Display Basic Auth Prompt to User for Credential Capturing (like Phishery)\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/HlY3T4G.png\" width=\"80%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 4: HTTP Beacon is Selected by Default and Alerts When the Target Opens the Document\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/ku6UTNI.png\" width=\"75%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 5: If Credentials are Entered from Figure 3 Above, Notify via Slack When Captured\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/OO0sjDR.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 6: Clicking on the Slack Alert Displays Captured Details (Hashes, Credentials, Client Details)\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg 
src=\"https://i.imgur.com/qZFGmXA.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 7: Slack Alert when UNC/SMB Hashes are Received from Word Document\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\n\u003cbr /\u003e\u003cbr/\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n\t\u003cb\u003eCurrently, I'm running \u003ca href=\"https://github.com/SpiderLabs/Responder\"\u003eResponder\u003c/a\u003e in a Screen session with \u003ci\u003ephishinghashes.sh\u003c/i\u003e scheduled via Cron to run every minute to pick up hashes, correlate phished users, and alert via Slack.  You can also relay those hashes with another tool if you'd like to take things even further.  Enjoy! :)\u003c/b\u003e\u003c/p\u003e\r\n\r\n# 3) To Use the API to Store and Generate Email Campaign Templates :\r\n\r\nLeverage a template by creating or choosing an existing template from the local repository, or, you can compose a blank email and embed the invisible HTML beacon to be notified when the recipient opens their email.\r\n\r\n\u003cbr /\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/AmwZbbF.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 1: Existing, New, or No Campaign Choices\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\nIf a new campaign is chosen, you can create variables for dynamic re-use in the future and store them as HTML templates in a database. The WYSIWYG editor makes things simple, but you can also copy and paste from a text editor or another source if you'd like!\r\n\r\n\u003cbr /\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/COHaq6q.png\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 2: New Campaign w/ Variables \u0026 Images\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\nNext time, choosing the existing template will dynamically provide input fields for the stored variables. They can be applied in real time using JavaScript to update the email body. 
Checking the \"Embed Notification for Opened Email\" box will automatically append invisible code to your template that will alert you when your recipient opens their email. (Images must be allowed to render for this to work)\r\n\r\n\u003cbr /\u003e\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://i.imgur.com/SsBAqKv.png\" width=\"75%\"\u003e\u003cbr /\u003e\r\n\u003cb\u003eFigure 3: Existing Campaign\u003c/b\u003e\r\n\u003c/p\u003e\r\n\r\nSit back and watch as your target opens their email and cross your fingers you later receive another alert for BeEF, Maldocs, or your captured credentials!\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F4lph4shell%2Fpishing-api-master","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F4lph4shell%2Fpishing-api-master","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F4lph4shell%2Fpishing-api-master/lists"}