Installing Phishing Frenzy on Ubuntu Linux

Updated: 03/13/17

This guide was built for Ubuntu Server 16.04.2 LTS, 64-bit (x64) edition.

Install Packages

Ensure your repository list is fully updated

$ sudo apt-get update

Install required packages for Ubuntu OS

$ sudo apt-get install apache2 php mysql-server libmysqlclient-dev git curl

During the install, assign and document the root MySQL password when prompted. You will need this root password to log into the database later in this install guide.

Clone Repo

Clone the github repository

$ sudo git clone https://github.com/pentestgeek/phishing-frenzy.git /var/www/phishing-frenzy

Install RVM and Ruby

$ \curl -sSL https://get.rvm.io | bash

At the end of the installation, follow any post-install instructions that RVM prints.

Install Ruby 2.3.0 with RVM. This is the ruby version that is defined within .ruby-version file.

$ rvm install 2.3.0

After the install of ruby through RVM you should be able to run commands like rvm list and rvm default 2.3.0 to list the installed rubies and assign a version as the default.

In some situations RVM may report that it is not fully operational and requires a new shell (log out and back in) or requires you to run /bin/bash --login.

Install rails gem now that you've installed ruby through RVM

$ rvm all do gem install --no-rdoc --no-ri rails

Install mod_passenger gem for Apache

$ rvm all do gem install --no-rdoc --no-ri passenger

Install Passenger

Invoke the passenger installation script. If you receive an error that the OS is unable to find passenger-install-apache2-module this could be an indication that your RVM is not properly using your ruby version with the passenger gem you just installed above.

$ passenger-install-apache2-module

Installer stated that I was missing a few apache dependencies as listed below

$ sudo apt-get install build-essential libcurl4-openssl-dev apache2-dev libapr1-dev libaprutil1-dev

Invoke the Passenger installation script again now that the dependencies are installed. Once the Passenger install has completed, pay attention to the notes at the end. You will need to add 3 lines of text to your /etc/apache2/apache2.conf file.

$ passenger-install-apache2-module

Make sure that you pay attention to the lines at the end of the install that need to be placed inside your Apache configuration file (likely located at /etc/apache2/apache2.conf).

Apache VHOST Configuration

By default Apache will load any configuration file which is located in the proper directory of /etc/apache2/sites-enabled/*.conf. With this said we are going to create the configuration file pf.conf inside this directory which will enable Apache's Virtual Host to render this site when the appropriate FQDN is hit in the browser.

Add the content below to pf.conf file. If you know that your FQDN is going to be something different than phishing-frenzy.com you can change that now on the ServerName line to update what makes sense for your environment.

The ServerName value is the human-readable address (FQDN) that the Apache Virtual Host will answer on for the PF admin interface.

  <VirtualHost *:80>
    ServerName phishing-frenzy.com
    # !!! Be sure to point DocumentRoot to 'public'!
    DocumentRoot /var/www/phishing-frenzy/public
    RailsEnv development
    <Directory /var/www/phishing-frenzy/public>
      # This relaxes Apache security settings.
      AllowOverride all
      # MultiViews must be turned off.
      Options -MultiViews
    </Directory>
  </VirtualHost>

MySQL

Ensure mysql is running

$ sudo service mysql start

Log in and create the database and permissions for Phishing Frenzy development mode, using the same root password you configured as part of the MySQL install performed above.

# mysql -u root -p
mysql> create database pf_dev;
mysql> grant all privileges on pf_dev.* to 'pf_dev'@'localhost' identified by 'password';

Type exit to exit the MySQL console

Install Redis

Download, build and install Redis from source

$ wget http://download.redis.io/releases/redis-stable.tar.gz
$ tar xzf redis-stable.tar.gz
$ cd redis-stable/
$ sudo make
$ sudo make install
$ cd utils/
$ sudo ./install_server.sh

If you would like to bind Redis to the loopback interface, check out the Redis documentation for more details.
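One way to check how the Redis instance installed above is listening, as an added example rather than part of the original guide. It assumes install_server.sh kept its default config path /etc/redis/6379.conf; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Assumption: install_server.sh kept its default config path /etc/redis/6379.conf.

# Print "unbound" (no bind directive), "exposed" (any non-loopback address)
# or "loopback". Every bind line is inspected, which is deliberately conservative.
redis_bind_status() {
  awk 'tolower($1) == "bind" {
         seen = 1
         for (i = 2; i <= NF; i++) {
           a = $i; sub(/^-/, "", a)      # Redis 6.2+ allows a leading "-"
           if (a !~ /^127\./ && a != "::1") exposed = 1
         }
       }
       END { print (!seen ? "unbound" : (exposed ? "exposed" : "loopback")) }' "$1"
}

# Print the last value given for a directive ($2), or the default ($3).
redis_directive() {
  awk -v key="$2" -v def="$3" 'tolower($1) == key { v = $2; gsub(/"/, "", v) }
       END { print (v == "" ? def : v) }' "$1"
}

# One-line verdict. Older Redis releases apply protected mode only when no
# bind line exists, so an explicit non-loopback bind without a password fails.
redis_audit() {
  bind=$(redis_bind_status "$1")
  pm=$(redis_directive "$1" protected-mode yes)
  pw=$(redis_directive "$1" requirepass "")
  if [ "$bind" = loopback ]; then
    echo "OK: bound to loopback only"
  elif [ -n "$pw" ]; then
    echo "WARN: $bind, reachable off-host but requirepass is set"
  elif [ "$bind" = unbound ] && [ "$pm" = yes ]; then
    echo "WARN: no bind line, protected-mode is the only guard"
  else
    echo "FAIL: $bind, no requirepass"
  fi
}

# Audit the live config when it is readable; pass another path as $1.
conf=${1:-/etc/redis/6379.conf}
if [ -r "$conf" ]; then redis_audit "$conf"; fi
```

Confirm the result on the running host with `ss -ltn` and look for the Redis port listening on anything other than 127.0.0.1 or ::1.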

Install Required Gems

$ cd /var/www/phishing-frenzy/
$ bundle install
$ rvmsudo bundle exec rake db:migrate
$ rvmsudo bundle exec rake db:seed

You are OK to ignore any of the DEPRECATION WARNING messages as the migration and seed should have still worked properly.

Sidekiq Configuration

Create a tmp directory for sidekiq pid

$ mkdir -p /var/www/phishing-frenzy/tmp/pids

Start the sidekiq server to interact with redis. If you do not Daemonize the process you may want to start a screen and run sidekiq inside that screen session. Sidekiq is required to send emails in the background properly.

$ rvmsudo bundle exec sidekiq -C config/sidekiq.yml

If you would like to daemonize your sidekiq process, take a look at this great article here, which gives an example init script so you can start the sidekiq service on reboot and interact with it like any other typical *nix service.

Example of how you may interact with service when configured with init script.

# service sidekiq start
# service sidekiq status
# service sidekiq stop

System Configuration

Edit the sudoers file (likely located at /etc/sudoers) to ensure the www-data account can reload apache. Insert a line similar to that shown below.

www-data ALL=(ALL) NOPASSWD: /etc/init.d/apache2 reload

Load the Efax and Intel default templates for PF using the rake helper

$ rvmsudo bundle exec rake templates:load

Ownership Configurations

Change ownership of phishing-frenzy directory so that the Apache account (www-data) is able to run the application properly.

$ sudo chown -R www-data:www-data /var/www/phishing-frenzy/

Change permissions on the upload directory

$ sudo chmod -R 755 /var/www/phishing-frenzy/public/uploads/

Change ownership of sites-enabled directory to allow Phishing Frenzy to manage virtual hosts with Apache

$ sudo chown -R www-data:www-data /etc/apache2/sites-enabled/
$ sudo chmod 755 /etc/apache2/sites-enabled/

Restart Apache web server or start if not already started

$ sudo apachectl restart

One of the first things you'll want to do within the application is navigate to Admin -> Global Settings to configure the Application Site URL. This is a critical piece that needs to be accurate to properly track user clicks. The Site URL in most cases is the full URL including the FQDN that you have configured within the pf.conf configuration file above.

Default Credentials

Phishing Frenzy is configured with a default login of:

username: admin
password: Funt1me!

Configure HTTPS / SSL

If you would like to run your Phishing Frenzy web UI over HTTPS you can do that with a few additional changes.

Run a few commands to enable the SSL module in apache and create a directory to store the cert and key.

$ sudo a2enmod ssl
$ sudo service apache2 restart
$ sudo mkdir /etc/apache2/ssl

Create our self-signed cert using openssl

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/pf.key -out /etc/apache2/ssl/pf.crt

Now we will need to update the pf.conf Virtual Host configuration to take advantage of our newly generated self-signed certificates. If you have valid certificates issued by a registrar, you could configure those as well below.

  <VirtualHost *:443>
    ServerName phishing-frenzy.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/pf.crt
    SSLCertificateKeyFile /etc/apache2/ssl/pf.key

    # !!! Be sure to point DocumentRoot to 'public'!
    DocumentRoot /var/www/phishing-frenzy/public
    RailsEnv development
    <Directory /var/www/phishing-frenzy/public>
      # This relaxes Apache security settings.
      AllowOverride all
      # MultiViews must be turned off.
      Options -MultiViews
    </Directory>
  </VirtualHost>

You will also need to restart the Apache service again now that the configuration file has been updated.

$ sudo service apache2 restart

Update the Application Site URL within Global Settings menu to the appropriate FQDN with the HTTPS address when SSL is enabled and in use.

Browse to your FQDN and enjoy Phishing Frenzy. Check out our guide under resources on how to convert your application to Rails' production mode. This guide was for development mode and should not be considered production ready or placed on the public-facing internet.
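To see where a host built from this guide stands against that caveat, the following added example (not part of the original guide) summarises each VirtualHost block in pf.conf and flags development mode, plain HTTP and wildcard addresses. The function names are illustrative, and the path /etc/apache2/sites-enabled/pf.conf is assumed from the steps above.

```shell
#!/bin/sh
# Added example, not part of the original guide. Prints one line per
# <VirtualHost> block: "<ServerName> addr=<a> port=<p> env=<RailsEnv> tls=<on|off>"
vhost_summary() {
  awk '
    tolower($1) == "<virtualhost" {
      addr = $2; sub(/>.*/, "", addr)       # "*:80>" -> "*:80"
      port = addr; sub(/.*:/, "", port)     # -> "80"
      sub(/:[^:]*$/, "", addr)              # -> "*"
      name = "-"; env = "unset"; tls = "off"; invh = 1; next
    }
    invh && tolower($1) == "servername" { name = $2 }
    invh && tolower($1) == "railsenv"   { env = tolower($2) }
    invh && tolower($1) == "sslengine"  { tls = tolower($2) }
    invh && tolower($1) ~ /^<\/virtualhost/ {
      printf "%s addr=%s port=%s env=%s tls=%s\n", name, addr, port, env, tls
      invh = 0
    }' "$1"
}

# Turn the summary into findings; prints nothing when no rule matches.
vhost_findings() {
  vhost_summary "$1" | awk '
    { id = $1 ":" substr($3, 6) }           # "port=80" -> "80"
    $4 == "env=development" {
      print "WARN " id " runs Rails in development mode" }
    $5 == "tls=off" {
      print "WARN " id " serves the login page over plain HTTP" }
    $2 == "addr=*" && $4 == "env=development" {
      print "WARN " id " development-mode app answers on every listening address" }'
}

# Check the file created in this guide when it is readable; pass another path as $1.
f=${1:-/etc/apache2/sites-enabled/pf.conf}
if [ -r "$f" ]; then vhost_findings "$f"; fi
```

Because this guide makes /etc/apache2/sites-enabled/ writable by www-data, running the check over every file in that directory also shows any virtual host you did not create yourself.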