https://github.com/4lph4shell/pishing-api-master
4lph4 pishing api master
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/4lph4shell/pishing-api-master
- Owner: 4lph4shell
- License: apache-2.0
- Created: 2024-10-20T16:13:40.000Z (8 months ago)
- Default Branch: master
- Last Pushed: 2024-10-20T16:44:03.000Z (8 months ago)
- Last Synced: 2025-01-02T14:21:58.859Z (6 months ago)
- Language: Hack
- Size: 7.64 MB
- Stars: 1
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# pishing-api-master
4lph4 pishing api master
This API has three main features. One allows you to easily deploy cloned landing pages for credential stealing, another is weaponized Word doc creation, and the third is saved email campaign templates. Both attack methods are integrated into Slack for real-time alerting. Unfortunately, I'm no longer running this code as a free service @ https://phishapi.com due to cost, sorry!
## Update
This latest version no longer redirects users of the landing pages to the API directly by default, but instead sends an AJAX request to the API server prior to posting the form data to the legitimate target site. This provides for a more seamless experience for the "victim" and will actually log them into the target site when they submit their credentials, instead of performing what appears to be a refresh on the login page. CSRF protection is bypassed by the API grabbing the token beforehand! However, I haven't yet gotten around to updating all of the cloned portal pages to use this new method so many will still perform the redirect. FYI!
# To Setup :
1. Import the DB SQL Dump Schema to a new MySQL Instance `mysql -u root -h localhost < DatabaseSQLDump.sql;`. You may have to create a new user that's not "root" and grant all privileges to all databases for your config if you have issues.
2. Host the PHP (PHP7 is supported!) from a web service (Tested with Apache)
3. Configure `/var/www/html/config.php` with your variables
4. Install `apt-get install zip`
5. Chmod 777 all `/var/www/html/phishingdocs` and `/var/www/html/templates/` subdirectories (or Docs and Templates will not work!)
6. Limit Access to the "Results" Directories `/var/www/html/results` and `/var/www/html/phishingdocs/results` (Apache's Basic Auth is Recommended)
7. Use HTTPS (Let's Encrypt!) and a Domain for the Hosted API
8. Optionally run Responder and BeEF in a screen session and import the crontab file
9. Enable browscap in your php.ini config and point to it in your web directory `/var/www/html/browscap.ini` (included in this repo)
10. Enjoy! :) Message me if you have any issues. This does not work on Windows!
# 2) To Use the API for Generating Word Doc Payloads :
1. Create `/var/www/uploads` Path and `sudo chmod 777 /var/www/uploads -R` the path
2. Browse out to your hosted API (YOUR_URL.com) and select "Weaponized Documents" to generate your DOCX
3. Optionally set up [Responder](https://github.com/SpiderLabs/Responder "Responder") in a background process and run `phishinghashes.sh` every minute or so with cron
4. Set up your php.ini to allow uploads of at least 15MB and enable browscap.ini for parsing UserAgent strings, otherwise some functionality may be limited.
5. Email your doc and wait for the Slack alerts!
Bonus points if you use your docs as honeypot bait! :)
Figure 1: Web Based Payload Generation - Create New Doc or Upload Existing w/ Payload Options
Figure 2: Opening Document Generated (New) by Service
Figure 3: If "Auth Prompt" is Selected in Payload Options, Display Basic Auth Prompt to User for Credential Capturing (like Phishery)
Figure 4: HTTP Beacon is Selected by Default and Alerts When the Target Opens the Document
Figure 5: If Credentials are Entered from Figure 3 Above, Notify via Slack When Captured
Figure 6: Clicking on the Slack Alert Displays Captured Details (Hashes, Credentials, Client Details)
Figure 7: Slack Alert when UNC/SMB Hashes are Received from Word Document
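For triage of a received DOCX, the callbacks shown in Figures 4 and 7 can be looked for by listing every relationship that points outside the package. This is an added example, not code from this repository; it assumes the HTTP beacon and UNC references are stored as OOXML external relationships (the README does not state the mechanism), and the sample package and host names are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for hostile input, defusedxml is the safer parser

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def classify(target):
    """Label where an external relationship target points."""
    t = target.strip().lower()
    if t.startswith("\\\\") or t.startswith("file://"):
        return "unc"    # SMB path: opening it can trigger NTLM authentication
    if re.match(r"https?://", t):
        return "http"   # web callback, remote template or ordinary hyperlink
    return "other"

def external_targets(docx_bytes):
    """Return sorted (part, kind, target) for every external relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    target = rel.get("Target", "")
                    hits.append((name, classify(target), target))
    return sorted(hits)

def constructed_sample():
    """Constructed fixture: a zip holding only a .rels part, not a usable document."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="urn:example:styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="urn:example:image" TargetMode="External" '
        'Target="\\\\files.example.invalid\\share\\a.png"/>'
        '<Relationship Id="rId3" Type="urn:example:template" TargetMode="External" '
        'Target="https://collector.example.invalid/t.dotx"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in external_targets(constructed_sample()):
        print(f"{kind:5} {part}: {target}")
```

Ordinary hyperlinks are also stored as external `http` relationships, so those hits need review by relationship type and host; `unc` hits are rare in legitimate documents and worth blocking at the mail gateway.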
Currently, I'm running Responder in a Screen session with phishinghashes.sh scheduled via Cron to run every minute to pick up hashes, correlate phished users, and alert via Slack. You can also relay those hashes with another tool if you'd like to take things even further. Enjoy! :)
# 3) To Use the API to Store and Generate Email Campaign Templates :
Leverage a template by creating or choosing an existing template from the local repository, or you can compose a blank email and embed the invisible HTML beacon to be notified when the recipient opens their email.
Figure 1: Existing, New, or No Campaign Choices
If a new campaign is chosen, you can create variables for dynamic re-use in the future and store them as HTML templates in a database. The WYSIWYG editor makes things simple, but you can also copy and paste from a text editor or another source if you'd like!
Figure 2: New Campaign w/ Variables & Images
Next time, choosing the existing template will dynamically provide input fields for the stored variables. They can be applied in real time using JavaScript to update the email body. Checking the "Embed Notification for Opened Email" box will automatically append invisible code to your template that will alert you when your recipient opens their email. (Images must be allowed to render for this to work)
Figure 3: Existing Campaign
Sit back and watch as your target opens their email and cross your fingers you later receive another alert for BeEF, Maldocs, or your captured credentials!
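Because the open notification depends on images rendering, a mail filter can flag it by looking for remote images that are too small or hidden to be seen. This is an added example, not code from this repository; the heuristics (0 or 1 pixel dimensions, `display:none`, `visibility:hidden`) and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

class BeaconFinder(HTMLParser):
    """Collect remote <img> tags that are too small or hidden to be visible."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not re.match(r"(?i)https?://", src):
            return  # cid: and data: images cause no network request
        style = a.get("style", "").lower().replace(" ", "")
        reasons = []
        for dim in ("width", "height"):
            m = re.search(dim + r":(\d+)px", style)
            value = (a.get(dim, "") or (m.group(1) if m else "")).strip()
            if value in ("0", "1"):
                reasons.append(f"{dim}={value}")
        for hidden in ("display:none", "visibility:hidden"):
            if hidden in style:
                reasons.append(hidden)
        if reasons:
            self.hits.append((src, reasons))

def find_beacons(html_body):
    """Return [(src, [reasons])] for each suspected open-tracking image."""
    finder = BeaconFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits

# Constructed sample message body; all hosts are placeholders.
SAMPLE = """<html><body><p>Hello</p>
<img src="https://cdn.example.invalid/logo.png" width="200" height="60">
<img src="https://collector.example.invalid/o.gif?id=abc" width="1" height="1">
<img src="https://collector.example.invalid/p.gif" style="display: none">
<img src="cid:inline1" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_beacons(SAMPLE):
        print(src, ", ".join(reasons))
```

Blocking remote image loading by default in the mail client, or fetching images through a gateway proxy, defeats this kind of notification regardless of how the image is styled.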