Introduction
King Phisher is a tool for testing and promoting user awareness by simulating real-world phishing attacks. Its flexible architecture gives you full control over both emails and server content.
King Phisher: Phishing Campaign Toolkit
King Phisher is a fully featured and very flexible open source phishing tool. It allows you to easily run multiple separate campaigns with different goals (phishing attacks/credential harvesting, education, etc.) and with a huge number of targets (up to 10k+). According to the official documentation, it also supports sending messages with embedded images and determining when emails are opened with a tracking image.
It’s written in Python, and since it’s fully open source, you can modify the source code to suit your needs. In addition, there is no web interface, which makes a King Phisher server hard to identify if it’s being used for social engineering.
Features:
- Fully open source means there are no limits on use
- Run multiple phishing campaigns simultaneously
- View detailed graphs regarding the campaign results
- Send email with embedded images for a more legitimate appearance
- Optional Two-Factor authentication
- Highly flexible to accommodate different phishing goals
- Powerful template system using the Jinja2 engine
- Ability to capture credentials
- SMS alerts regarding campaign status
- Web page cloning capabilities
- Integrated Sender Policy Framework (SPF) checks
- Easy installation without setting up an additional web server
- Geo location of phishing visitors
- Send email with calendar invitations
- Plugin support for extending both the client and the server
Plugins & Templates:
Supported OSs:
- Windows
- Linux [Tested on: BackBox, CentOS, Debian, Ubuntu 16.04, Fedora, Red Hat, Kali Linux]
Install
Linux (Client/Server)
It is recommended to install King Phisher into /opt/king-phisher.
Clone the repo:
$ cd /opt/ # or your desired installation directory
$ git clone https://github.com/securestate/king-phisher.git
Then run the install.sh script (located in the tools directory), which will install all required packages and set up a default server configuration:
$ cd king-phisher
$ cd tools
$ sudo ./install.sh
To see the install script's options, use --help:
$ tools/install.sh --help
Usage: install.sh [-h] [-n/-y]
King Phisher Install Script
optional arguments
-h, --help show this help message and exit
-n, --no answer no to all questions
-y, --yes answer yes to all questions
--skip-client skip installing client components
--skip-server skip installing server components
To install only the client, run the following:
$ sudo ./install.sh --skip-server
Alternatively, to fetch the install script on its own and run it:
$ wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && \
  sudo bash ./install.sh
Windows (Client only):
Click the “download” button at the bottom to download the latest build.
Basic Usage
In order to connect and start using the client, you’ll need to start the King Phisher server first:
$ sudo ./KingPhisherServer
But you may encounter the following error:
KingPhisherServer: error: the following arguments are required: config_file
So, pass the server configuration file as an argument:
$ ./KingPhisherServer server_config.yml
To start the client, run:
$ python3 KingPhisher
Now, you’ll be prompted to enter the credentials (same as for SSH).
After you connect, you’ll need to confirm the server’s host key and SSH key passphrase. If the client successfully connects to the server, you’ll see the campaign page. Before you continue, configure your SMTP settings.