Installing Phishing Frenzy on Kali Linux

Clone Repo

Clone the Phishing Frenzy repository using git

# git clone https://github.com/pentestgeek/phishing-frenzy.git /var/www/phishing-frenzy

Install RVM, Ruby and Packages

$ \curl -sSL https://get.rvm.io | bash

At the end of the installation listen to any post install instructions for RVM

Install Ruby 2.1 with RVM

$ rvm install 2.1.5

Install rails

# rvm all do gem install --no-rdoc --no-ri rails

Install mod_passenger for Apache

# rvm all do gem install --no-rdoc --no-ri passenger

Install Passenger

Invoke the passenger installation script

# passenger-install-apache2-module

Installer stated that I was missing a few apache dependencies

# apt-get install apache2-threaded-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev

Invoke passenger installation script again now that dependencies are installed. Once the Passenger install has completed, ensure you pay attention to the notes and the end. You will need to add 3 lines of text to your /etc/apache2/apache.conf file.

# passenger-install-apache2-module

Install packages we need for MySQL to bundle properly

# apt-get install libmysqlclient-dev

Apache VHOST Configuration

Add Include Statement to apache2.conf and create the file /etc/apache2/pf.conf

Include pf.conf

Add content to pf.conf file

  <IfModule mod_passenger.c>
    PassengerRoot %ROOT
    PassengerRuby %RUBY
  </IfModule>

  <VirtualHost *:80>
    ServerName phishing-frenzy.com
    # !!! Be sure to point DocumentRoot to 'public'!
    DocumentRoot /var/www/phishing-frenzy/public
    RailsEnv development
    <Directory /var/www/phishing-frenzy/public>
      # This relaxes Apache security settings.
      AllowOverride all
      # MultiViews must be turned off.
      Options -MultiViews
    </Directory>
  </VirtualHost>

Uncomment out the line # NameVirtualHost *:443 inside of /etc/apache2/ports.conf to allow SSL Phishing sites to render properly

MySQL

Ensure mysql is running

# service mysql start

Login and create tables and permissions for phishing frenzy development mode

# mysql -u root -p
mysql> create database pf_dev;
mysql> grant all privileges on pf_dev.* to 'pf_dev'@'localhost' identified by 'password';

Install Required Gems

# cd /var/www/phishing-frenzy/
# bundle install

If your web application fails to run because it states your missing a gem, you may need to run

# bundle install --deployment
# rake db:migrate
# rake db:seed

Install Redis

# wget http://download.redis.io/releases/redis-stable.tar.gz
# tar xzf redis-stable.tar.gz
# cd redis-x.x.x/
# make
# make install
# cd utils/
# ./install_server.sh

If you would like to bind redis to the loopback interface checkout redis documentation for more details

Sidekiq Configuration

Create a tmp directory for sidekiq pid

# mkdir -p /var/www/phishing-frenzy/tmp/pids

Start the sidekiq server to interact with redis

# bundle exec sidekiq -C config/sidekiq.yml

If you would like to Daemonize your sidekiq process take a look at this great article here which gives an example init script so you can start the sidekiq service on reboot and interact with it like any other typical nix service

Example of how you may interact with service when configured with init script.

# service sidekiq start
# service sidekiq status
# service sidekiq stop

System Configuration

Edit the sudoers file to ensure the www-data account can reload apache

www-data ALL=(ALL) NOPASSWD: /etc/init.d/apache2 reload

Load the Efax and Intel default templates for PF using the rake helper

# rake templates:load

Change ownership of phishing-frenzy directory so apache has proper access

# chown -R www-data:www-data /var/www/phishing-frenzy/

Change permissions on the upload directory

# chmod -R 755 /var/www/phishing-frenzy/public/uploads/

Change ownership of sites-enabled directory to allow Phishing Frenzy to manage virtual hosts with Apache

# chown -R www-data:www-data /etc/apache2/sites-enabled/
# chmod -R 755 /etc/apache2/sites-enabled/

Start Apache web server

# apachectl start

One of the first things you'll want to do within the application is navigate to Admin -> Global Settings to configure the Application Site URL. This is a critical piece that needs to be accurate to properly track user clicks.

Default Credentials

Phishing Frenzy is configured with a default login of:

username: admin
password: Funt1me!

Configure HTTPS / SSL

If you would like to run your Phishing Frenzy web UI over HTTPS you can do that with a few additional changes.

Run a few commands to enable the SSL module in apache and create a directory to store the cert and key.

$ sudo a2enmod ssl
$ sudo service apache2 restart
$ sudo mkdir /etc/apache2/ssl 

Create our self signed cert using openssl

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/pf.key -out /etc/apache2/ssl/pf.crt
  <IfModule mod_passenger.c>
    PassengerRoot %ROOT
    PassengerRuby %RUBY
  </IfModule>

  <VirtualHost *:443>
    ServerName phishing-frenzy.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/pf.crt
    SSLCertificateKeyFile /etc/apache2/ssl/pf.key

    # !!! Be sure to point DocumentRoot to 'public'!
    DocumentRoot /var/www/phishing-frenzy/public
    RailsEnv development
    <Directory /var/www/phishing-frenzy/public>
      # This relaxes Apache security settings.
      AllowOverride all
      # MultiViews must be turned off.
      Options -MultiViews
    </Directory>
  </VirtualHost>

Update the Application Site URL within Global Settings menu to the appropriate FQDN with the HTTPS address with SSL enabled.

Browse to your FQDN and Enjoy Phishing Frenzy. Checkout the guide on how convert your application to rails' production mode