raikia / fiercephish

FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more.

Home Page: https://github.com/Raikia/FiercePhish/wiki

License: GNU General Public License v3.0

PHP 48.05% JavaScript 0.69% Shell 11.35% Blade 39.91%
phishing security netsec hacking email

fiercephish's Issues

DataTables error when viewing/adding targets after uri prefix is set

After a new installation on Ubuntu 16.04.1 LTS, when the FiercePhish prefix has been changed via the web interface, listing targets causes this pop-up to appear:

DataTables warning: table id=DataTables_Table_0 - Ajax error. For more information about this error, please see http://datatables.net/tn/7

Corresponding apache log:

<snip> - - [12/Jan/2017:16:14:00 +0000] "POST /a/b/c/ajax/targetuser/list HTTP/1.1" 500 5084 "http://<snip>/a/b/c/targets" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"

This error does not occur after a new installation if the FiercePhish prefix has not been changed.

Add Test Cases

All good applications should have test cases. Right now, there are ZERO test cases.....this should be fixed...

Add file hoster

Add a file hosting module with:

  • Notifications for views (email and text message)
  • Choose route to file for hosting
  • Connect it to a campaign to track the UUID of each user who accesses it
  • Log all access to the file, including IP, geolocation, etc.

Allow editing of raw HTML templates

If you paste raw HTML source into the template editor's source view, much of the CSS, font size, color, and other formatting information is thrown away by the editor when the template is saved. Please allow raw HTML editing of email templates.

Logon issue on Ubuntu on Microsoft Azure

When running an Ubuntu Azure VM, the installation of FiercePhish doesn't give any issues. When logging on to the web interface with the admin user, an error shows up: "Whoops, looks like something went wrong.". Installing in verbose mode doesn't show any issues. Tried installing the Azure-provided Ubuntu VMs:

Ubuntu Server 16.04 LTS
Ubuntu Server 14.04 LTS
Ubuntu Server 16.10

They all give the 'Whoops, looks like something went wrong.' error after logging in to the web interface.

I can share SSH / TeamViewer access to the specific Azure VM so you don't have to look into Azure or deploy anything on it.

Update Laravel version

Current version is Laravel 5.2. It needs to be updated to Laravel 5.3 (or whatever latest is as of time of fixing)

UUID of target_users do not match the [uid] values embedded via the email template

Is the [uid] value that gets placed into each email from the email template stored anywhere in the backend database? It doesn't appear to match the UUID value of the corresponding target_user.

It would be useful for tracking link clicks to be able to access this value externally from FiercePhish. I don't mind implementing this behavior myself, I just wanted to be sure that I'm not missing something.

Error pages should be cloaked

Right now, error pages (404, 500, etc.) all show Laravel error messages, which can hint that Laravel is running somewhere. Error pages should be updated to use Apache error messages.

More statistics

Add statistics page with more graphs and more information about the activity generated from the application. As new functionality is added (file hoster, site spoofer, etc), add more graphs and stats about that activity as well.

User miscount when target created from Simple Send

Users created by Simple Send are not appropriately counted in the UI if they are then later added to a campaign.

Repro steps:

  • Use Simple Send to send a message to a test email address
  • All Lists > Add a list
  • [During list creation, the user from the earlier test should be visible. Add them to the list.]
  • Add another user to the list.
  • Create a campaign.
  • Send test message to the two-user list.
  • Observe that the Dashboard shows a user count of 1 despite 2 emails going outbound.

ActivityLog export

Add the ability to export the activitylog to CSV for easy saving and reference.

Unable to navigate

Possibly a dumb question, but I just installed FiercePhish locally on a freshly installed Ubuntu 16, and when clicking something in the left menu, nothing happens. In other words, I'm unable to navigate through the site without manually filling in the URLs.

Feature Request: Envelope-From Spoofing

Allow the sender to specify if they want to put a different sender name and email address in the Envelope-From header (The "From:" header which goes inside the DATA block of the email.), separate from the SMTP "MAIL FROM:" header. This can allow you to send your legitimately SPF/DKIM-validated message from the domain you own, while presenting the target's actual email domain within their mail client. (Not all mail clients are susceptible to this, and some spam filters may treat this negatively, but in some cases, it's a good social engineering technique.)
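
A receiving-side view of the mismatch this request describes, added here as an example (it is not part of the issue or of FiercePhish): the check flags mail whose SPF/DKIM pass for one domain while the visible From: header shows another, which is the identifier alignment that DMARC evaluates. The sample messages, hostnames and the two-label `org_domain` shortcut are assumptions; a production check would use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def authenticated_domains(msg) -> dict:
    """Domains that passed SPF/DKIM, read from Authentication-Results."""
    passed = {}
    pattern = r"\b(spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)"
    for header in msg.get_all("Authentication-Results", []):
        for mech, value in re.findall(pattern, header, flags=re.I):
            passed[mech.lower()] = value.rpartition("@")[2].lower()
    return passed

def check_alignment(raw: str) -> dict:
    """Compare the visible From: domain with the domains that authenticated."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passed = authenticated_domains(msg)
    aligned = [m for m, d in passed.items() if org_domain(d) == org_domain(from_dom)]
    return {
        "header_from": from_dom,
        "authenticated": passed,
        "aligned": sorted(aligned),
        # Authentication passed, but only for a domain the reader never sees.
        "flag": bool(passed) and not aligned,
    }

# Constructed sample messages (all hosts and addresses are made up).
MISMATCH = """\
Return-Path: <bounce@sender.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce@sender.example;
 dkim=pass header.d=sender.example
From: "IT Helpdesk" <helpdesk@corp.example>
To: user@corp.example
Subject: constructed sample

body
"""
ALIGNED = MISMATCH.replace("helpdesk@corp.example", "news@mail.sender.example")

if __name__ == "__main__":
    for name, raw in (("mismatch", MISMATCH), ("aligned", ALIGNED)):
        print(name, check_alignment(raw))
```

Only Authentication-Results headers stamped by your own receiving MTA should be trusted as input; any other copy in the message is sender-controlled.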

Installer MySQL root password fails sometimes

Reported via Twitter:

The installer appears to sometimes fail at setting a root password for mysql. Unknown reasons why, but the installer should check to see if the root password is correct and prompt if it is not.

Better timezone functionality

Right now if the timezone is changed after emails have been sent, the timestamps of previously sent emails will be wrong (because they are stored as the current timezone setting). Instead, all times should be stored as UTC and should convert on-the-fly so no errors occur when timezone setting is changed.

Challenge to overcome: Laravel jobs and future scheduled email sending.

Issue with the progress bar

There is a JavaScript issue that happens when uploading a CSV file for targets: the progress bar freezes the navigation and everything else. Same issue with DateJS. Any solutions?

Problem running ./update.sh

Hi @Raikia,
related to this issue:

Now it's OK with Mailgun and Gmail SMTP.
There is a problem with ./update.sh.
Please edit install.sh on line 352.

Other questions:
1 - I want to purchase a domain to add to this great tool.
If you have tested a good one, please give me the name or the link to purchase it.

2 - Can you make a version for Kali Linux rolling?

Thx, friend.

Create Installer

Create an installer that detects the version of Linux and runs the proper installation commands, including the SMTP server.

Site spoofer

Add the ability to host mini websites with a specific route. These websites can be hooked in as a credential stealer or file download prompter. They should be modular and easy to add/remove/edit.

Adding attachments to campaigns?

I can't see the ability to include attachments in the emails as a campaign. Is that available? If not, we should support that to deliver "malicious" payloads in a campaign in addition to ad-hoc single emails.

SMTP Gmail

Hello! I'm using Gmail's SMTP, port 587, TLS config on FiercePhish (or at least I'm trying).

I'm not able to send single emails or to send by starting a campaign... basically I'm getting this:

Error: Address in mailbox given [] does not comply with RFC 2822, 3.6.2.

I think that's the problem... not because of using Google's SMTP (since I can use it in a Python script... no 2FA on the account I'm configuring to send the emails from).

It seems that some variables are not getting the "TO:" email because it looks "blank"...

Any help? Fresh Ubuntu 16.04 Installation, FiercePhish Remote Installation the only thing running...

Thank you!

Enhance layout on small screens

Right now, FiercePhish kinda requires a full monitor to function properly. Should update it to work on smaller screens.

This is a simple HTML change on each view.....slated for v1.3.0

Add inbox

Add functionality to receive email (by connecting to an IMAP server), and reply to the emails.

{SendEmail} Cancelling email due to failed sending attempt. Check the log for the errors!

Thanks for this good job.
I've installed FiercePhish on Ubuntu 16.04 with no errors.
I've added the Mailgun domain and API key to Email Settings.
I tried to use the send option, but no message was sent.
I have this error:

{SendEmail} Cancelling email due to failed sending attempt. Check the log for the errors!
Last 200 lines of /var/log/mail.log=Empty log file
I've just started apache2, mysql, postfix and mailservice.
Are there any other services to start along with apache2, mysql and mailservice?
I have this in the Email log: status=sent, but I receive no message.
Just for information: Mailgun works fine with curl and PHP.
Please make a wiki page to explain how to start using FiercePhish.
Thanks for replying.
@+

Custom SMTP server via ADSL does not work

Custom SMTP server via ADSL does not work:

FirePhish Follow Up Items:
1. Go to http://ADSL_IP/ to use FirePhish! (or http://127.0.0.1/ if you used a domain name)

DNS Changes:
1. A record for '@' point to 'ADSL_IP'
2. A record for 'www' point to 'ADSL_IP'
3. TXT record for 'mail._domainkey' with text: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVRHFPG0uRBWhDPVzFj548neBdTSr5LILFy1LTE2A7Shc2eSFz0zFAKyLzQheP2e9p22TVBgbOqRqPG+44FPWLtokJrGtaBlMDh/w9g+3RbziJmjZilPXkdTJrXh1T+jznzWowoZ5LtKomnGOB9R95ix2S9HQ/94DFHeJJ0v0GLwIDAQAB
4. A record for 'mail' point to 'ADSL_IP'
5. MX record point to 'mail' subdomain (or MXE record pointing to ADSL_IP)
6. TXT record for '@' with text: v=spf1 a mx a:mail.localhost a:localhost ip4:ADSL_IP ~all
7. TXT record for '_dmarc' with text: v=DMARC1; p=none

Add service status check in installer

Sometimes the installer randomly decides to not start some services (like supervisor). Add in a status check at the end of the installer to make sure all services are running.

Feature request: Fake logon portal

Feature request: Fake logon portal to seduce users to enter credentials.
Customizable logo would be great. Cloning existing webmail / remote access portals would be even greater!

HTTPS behind reverse proxy

We've deployed FirePhish with a load balancer in front of it. Due to the way Laravel generates asset URLs, requests to https://firephish.example.com would attempt to load assets from http://firephish.example.com. To fix this issue, I updated the app/Http/routes.php file to have the following at the top:

$proxy_url    = getenv('PROXY_URL');
$proxy_schema = getenv('PROXY_SCHEMA');

if (!empty($proxy_url)) {
   URL::forceRootUrl($proxy_url);
}

if (!empty($proxy_schema)) {
   URL::forceSchema($proxy_schema);
}

And added the following to the .env file:

PROXY_URL = http://firephish.example.com/
PROXY_SCHEMA = https

I'm not familiar enough with Laravel to submit a PR to patch this in a more permanent way, but I figured I'd document it for others who use this configuration.
