• Stars
    star
    1,324
  • Rank 35,502 (Top 0.7 %)
  • Language
    PHP
  • License
    GNU General Publi...
  • Created almost 8 years ago
  • Updated 11 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more.

FiercePhish

FiercePhish

FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more. The features will continue to be expanded and will include website spoofing, click tracking, and extensive notification options.

Note: As of 1/6/2017, FirePhish has been renamed FiercePhish. Screenshots may still show FirePhish logo

All Information is on the Wiki Pages

ChangeLog

Click here to go to the Wiki Pages

Disclaimer

This project is my own and is not a representation of my employer's views. It is my own side project and released by me alone.

Screenshot

Screenshot

More screenshots are available in the "Features" wiki pages

Quick Automated Install

For more information (like a manual installation method), see the wiki pages

This is the preferred method of installing FiercePhish + SMTP + IMAP services.

Supported Operating Systems

  • Ubuntu 16.04
  • Ubuntu 16.10
  • Ubuntu 18.04
  • Ubuntu 20.04

(Fresh installs are expected, but the installer should work on a used OS with no problems)

(Ubuntu 14.04 support has been removed. To install FiercePhish on 14.04, read these instructions)

If you would like a different OS distribution supported, create a Github issue

Recommended Prerequisites

  • Purchase a domain name to send emails from

This isn't required, but it is heavily suggested. Phishing campaigns where you spoof an active domain you don't own are extremely susceptible to being spam filtered (unless the domain's SPF record is improperly configured). The best way to perform a phishing campaign is by buying a generic domain that can fool someone ("yourfilehost.com") or a domain that is very similar to a real domain ("microsoft-secure.com").

Installation Method #1 (remote curl download)

This method is probably the easiest way to install/configure everything. It is a fully unattended installation (aside from the beginning).

  1. You must run the installer as root:

sudo su

  1. Generate the configuration file:

curl https://raw.githubusercontent.com/Raikia/FiercePhish/master/install.sh | bash

  1. This will create a configuration file located at "~/fiercephish.config". You must edit this file before moving on!

Click here for a detailed description of the configuration variables

  1. Once "CONFIGURED=true" is set in the configuration file, re-run the install script:

curl https://raw.githubusercontent.com/Raikia/FiercePhish/master/install.sh | bash

  1. Sit and wait. The installation could take anywhere from 5-15 minutes depending on your server's download speed.

  2. Once the installation completes, follow the instructions it prints out. It will tell you what DNS entries to set.

Installation Method #2 (local installation run)

This method is just as easy as method #1, but the install will prompt you as it runs for the information it requires (as opposed to using a configuration file like method #1).

  1. You must run the installer as root:

sudo su

  1. Download the configuration file:

wget https://raw.githubusercontent.com/Raikia/FiercePhish/master/install.sh

  1. Set the installer as executable:

chmod +x install.sh

  1. Run the installer:

./install.sh

The installer will prompt you for the same information as is described in the configuration file for method #1. See that wiki page for information on what to provide.

  1. Sit and wait. The installation could take anywhere from 5-15 minutes depending on your server's download speed.

  2. Once the installation completes, follow the instructions it prints out. It will tell you what DNS entries to set.

Updating

As of FiercePhish v1.2.0, an update script is included. Versions prior to 1.2.0 are not compatible with 1.2.0 and later, so you'll have to do a fresh install (or read the wiki).

To update FiercePhish, simply run:

 sudo ./update.sh

Troubleshooting

If you have errors with the installation script, you can safely rerun the script without messing anything up (even if you provide it different information). If you continue to have problems, set "VERBOSE=true" (for method #1) or run ./install.sh -v (for method #2) to see the full log of everything running. If you still have problems, submit a bug report.

More Repositories

1

UhOh365

A script that can see if an email address is valid in Office365 (user/email enumeration). This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't.
Python
590
star
2

CredNinja

A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter
C#
442
star
3

Kali-Setup

Script for Kali that adds a bunch of tools and customizes it to be much better
Python
171
star
4

SMBCrunch

3 tools that work together to simplify reconaissance of Windows File Shares
Perl
162
star
5

Recon-NG-API-Key-Creation

One of the biggest annoyances of using Recon-ng is getting everything set up to use it. So here I’ll outline the different API keys it can use and where to get them yourself.
162
star
6

SharpStat

C# utility that uses WMI to run "cmd.exe /c netstat -n", save the output to a file, then use SMB to read and delete the file remotely
C#
39
star
7

Get-ReconInfo

A powershell script that prints a lot of IP and connection info to the screen
PowerShell
30
star
8

Nmap-scripts

A collection of nmap scripts I've written
Lua
23
star
9

CredSwissArmy

DEPRECATED! LOOK AT CREDNINJA! A tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB
Perl
15
star
10

Misc-scripts

Honestly, these are just scripts for my own use and consumption. If someone wants to use them too, cool.
Shell
5
star
11

IPCheckScope

A simple script to help check if a list of IPs are within the provided network scopes
Python
3
star
12

dotfiles

Some simple dotfiles of mine.
Prolog
1
star