Installing Phishing Frenzy on Ubuntu Linux
This guide was built for Ubuntu Server 16.04.2 LTS x64 bit edition
Ensure your repository list is fully updated
$ sudo apt-get update
Install required packages for Ubuntu OS
$ sudo apt-get install apache2 php mysql-server libmysqlclient-dev git curl
During the install assign and document the root MySQL password when prompted. You will need to remember this root password to log into the db later on within this install guide
Clone the github repository
$ sudo git clone https://github.com/pentestgeek/phishing-frenzy.git /var/www/phishing-frenzy
Install RVM and Ruby
$ \curl -sSL https://get.rvm.io | bash
At the end of the installation listen to any post install instructions for RVM
Install Ruby 2.3.0 with RVM. This is the ruby version that is defined within
$ rvm install 2.3.0
After the install of ruby through RVM you should be able to run commands like
rvm list and
rvm default 2.3.0 to list the installed rubies and assign a version as the default.
In some situations RVM may give you some feedback where it's not operating 100% and requires a new shell (by logging out and back in) or requiring you to run
Install rails gem now that you've installed ruby through RVM
$ rvm all do gem install --no-rdoc --no-ri rails
Install mod_passenger gem for Apache
$ rvm all do gem install --no-rdoc --no-ri passenger
Invoke the passenger installation script. If you receive an error that the OS is unable to find
passenger-install-apache2-module this could be an indication that your RVM is not properly using your ruby version with the
passenger gem you just installed above.
Installer stated that I was missing a few apache dependencies as listed below
$ sudo apt-get install build-essential libcurl4-openssl-dev apache2-dev libapr1-dev libaprutil1-dev
Invoke passenger installation script again now that dependencies are installed. Once the Passenger install has completed, ensure you pay attention to the notes and the end. You will need to add 3 lines of text to your
Make sure that you pay attention the lines at the end of the install that need to be placed inside your apache configuration file (likely located at
Apache VHOST Configuration
By default Apache will load any configuration file which is located in the proper directory of
/etc/apache2/sites-enabled/*.conf. With this said we are going to create the configuration file
pf.conf inside this directory which will enable Apache's Virtual Host to render this site when the appropriate FQDN is hit in the browser.
Add the content below to pf.conf file. If you know that your FQDN is going to be something different than
phishing-frenzy.com you can change that now on the
ServerName line to update what makes sense for your environment.
This is the english address that Apache will configure the Virtual Host to listen on for the PF admin interface.
<VirtualHost *:80> ServerName phishing-frenzy.com # !!! Be sure to point DocumentRoot to 'public'! DocumentRoot /var/www/phishing-frenzy/public RailsEnv development <Directory /var/www/phishing-frenzy/public> # This relaxes Apache security settings. AllowOverride all # MultiViews must be turned off. Options -MultiViews </Directory> </VirtualHost>
Ensure mysql is running
$ sudo service mysql start
Login and create tables and permissions for phishing frenzy development mode using the same password you configured as part of the MySQL install performed above.
# mysql -u root -p mysql> create database pf_dev; mysql> grant all privileges on pf_dev.* to 'pf_dev'@'localhost' identified by 'password';
exit to exit the MySQL console
$ wget http://download.redis.io/releases/redis-stable.tar.gz
$ tar xzf redis-stable.tar.gz
$ cd redis-stable/
$ sudo make
$ sudo make install
$ cd utils/
$ sudo ./install_server.sh
If you would like to bind redis to the loopback interface checkout redis documentation for more details
Install Required Gems
$ cd /var/www/phishing-frenzy/
$ bundle install
$ rvmsudo bundle exec rake db:migrate
$ rvmsudo bundle exec rake db:seed
You are OK to ignore any of the
DEPRECATION WARNING messages as the migration and seed should have still worked properly.
Create a tmp directory for sidekiq pid
$ mkdir -p /var/www/phishing-frenzy/tmp/pids
Start the sidekiq server to interact with redis. If you do not Daemonize the process you may want to start a
screen and run sidekiq inside that screen session. Sidekiq is required to send emails in the background properly.
$ rvmsudo bundle exec sidekiq -C config/sidekiq.yml
If you would like to Daemonize your sidekiq process take a look at this great article here which gives an example init script so you can start the sidekiq service on reboot and interact with it like any other typical nix service
Example of how you may interact with service when configured with init script.
# service sidekiq start # service sidekiq status # service sidekiq stop
Edit the sudoers file (likely located at
/etc/sudoers) to ensure the www-data account can reload apache. Insert a line similar to that shown below.
www-data ALL=(ALL) NOPASSWD: /etc/init.d/apache2 reload
Load the Efax and Intel default templates for PF using the rake helper
$ rvmsudo bundle exec rake templates:load
Change ownership of phishing-frenzy directory so that the Apache account (www-data) is able to run the application properly.
$ sudo chown -R www-data:www-data /var/www/phishing-frenzy/
Change permissions on the upload directory
$ sudo chmod -R 755 /var/www/phishing-frenzy/public/uploads/
Change ownership of sites-enabled directory to allow Phishing Frenzy to manage virtual hosts with Apache
$ sudo chown -R www-data:www-data /etc/apache2/sites-enabled/ $ sudo chmod 755 /etc/apache2/sites-enabled/
Restart Apache web server or start if not already started
$ sudo apachectl restart
One of the first things you'll want to do within the application is navigate to
Global Settings to configure the Application Site URL. This is a critical piece that needs to be accurate to properly track user clicks. The Sire URL in most cases is the full url including the FQDN that you have configured within the
pf.conf configuration file above.
Phishing Frenzy is configured with a default login of:
username: admin password: Funt1me!
Configure HTTPS / SSL
If you would like to run your Phishing Frenzy web UI over HTTPS you can do that with a few additional changes.
Run a few commands to enable the SSL module in apache and create a directory to store the cert and key.
$ sudo a2enmod ssl
$ sudo service apache2 restart
$ sudo mkdir /etc/apache2/ssl
Create our self signed cert using openssl
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/pf.key -out /etc/apache2/ssl/pf.crt
Now we will need to update the
pf.conf Virtual Host configuration to take advantage of our newly generated self-signed certificates. If you have valid certificates issued by a registrar, you could configure those as well below.
<VirtualHost *:443> ServerName phishing-frenzy.com SSLEngine on SSLCertificateFile /etc/apache2/ssl/pf.crt SSLCertificateKeyFile /etc/apache2/ssl/pf.key # !!! Be sure to point DocumentRoot to 'public'! DocumentRoot /var/www/phishing-frenzy/public RailsEnv development <Directory /var/www/phishing-frenzy/public> # This relaxes Apache security settings. AllowOverride all # MultiViews must be turned off. Options -MultiViews </Directory> </VirtualHost>
You will also need to restart the Apache service again now that the configuration file has been updated.
$ sudo service apache2 restart
Application Site URL within
Global Settings menu to the appropriate FQDN with the HTTPS address when SSL is enabled and in use.
Browse to your FQDN and Enjoy Phishing Frenzy. Checkout our guide under resources on how convert your application to rails' production mode. This guide was for development mode and should not be considered production ready or placed on the public facing internet.