Last post i explained about installing phishing frenzy in kali linux, for today i want to go over some of the features that Phishing Frenzy has to offer, including campaign creation, customization, and execution.



Creating New Phishing Campaigns


After Login , go to the Campaign menu and click create new campaign.


Screenshot from 2014-06-29 09:55:00


Enter the name with description of your new Campaign, then mark active and enter the target email ids to phishing.


Screenshot from 2014-07-04 07:32:31


In the Template section select the template available for you, or you can create your own template. but for this post i going to use default template Intel password checker


Screenshot from 2014-07-04 07:32:50


If you don’t have default templates, you can do so by simply running the following rake task.

#rake templates:load


In SMTP section set the details of your smtp  server, here i use my Gmail account.


Screenshot from 2014-07-04 07:33:03


In email setting section set the subject and from address of your phishing email and set the Phishing URL to redirecting.


Screenshot from 2014-07-04 07:49:56


In phishing option some advance options are available to use like intergrating with Beef to do XSS, Scheduling and iptables Restrictions.


Screenshot from 2014-07-04 07:34:39


Once you’ve setup a phishing scenario that works with Phishing Frenzy you can reuse them for all future campaigns. Phishing Frenzy also offers the ability to backup and restore templates.


Screenshot from 2014-07-04 07:36:26


Then test and lanch your campaign, it will send mails with redirecting link to your targets.


Screenshot from 2014-07-04 07:47:31


I typically make the email look like it came from someone within the company who is an authoritative figure. The email  states that everyone should test their passwords to ensure they are in compliance with the company policies.

Open Report menu it will show that which user clicks on the phishing URL, they are directed to our fake Intel Password Checker website. The idea is that any passwords entered into the box will be harvested by us. You may notice that we are not asking for the users name or username in this scenario, and that is because we already have it.


Screenshot from 2014-07-04 07:54:54


Screenshot from 2014-07-04 07:49:18



Screenshot from 2014-07-04 18:19:32




Using a little PHP magic we can use the $_GET function to pull the base64 encoded email address from id parameter within the url. This way we know the email address and the password entered into the website.


Screenshot from 2014-07-04 07:55:34