Today we’re proud to release the latest version of King Phisher, 1.7. Since the last release, we have added two major features and a couple of new plugins. For a complete list of changes, check out the change log.
The first new feature is something that has been requested for a little while now and that’s the ability to send messages using separate To, CC, and BCC fields. This can be used to great effect in pretexts where a user is CCed on an email that is sent to their boss complaining about them. The King Phisher client facilitates this by allowing the user to select the “Target Field” or the user that will receive the message, while the remaining fields can then be set independently.
The next feature added in this release is the ability to import campaigns that were previously exported using the XML file format. This can be used to allow campaigns to be run on multiple servers, exported, and then migrated to a central server. Users can now set up a temporary server, run their campaign and then migrate their data as necessary.
Finally, since the last release, two new client plugins have been released. King Phisher has supported extending functionality with plugins since version 1.3 and the number of available plugins has slowly grown since then. The two newest additions are an OTP Self Service plugin and a DMARC Check plugin.
The OTP Self Service plugin makes it possible for users to set up two-factor authentication on their account by themselves. Prior to this, to set up OTP, a user would have to log into the King Phisher server and run a command line script with access to interact with the database. This was a tedious process and often meant that a user would have to contact the server administrator to perform this action. With this new plugin, users can create and set a new TOTP configuration for themselves. The plugin will create the necessary QR code to scan into an application, such as Google Authenticator. Finally, if a user wants to remove their TOTP configuration from their account, the plugin can handle that as well. The plugin is intended to make it easier for users to take advantage of the OTP security feature that has been in King Phisher for some time now.
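To show what a TOTP self-enrolment flow like the one described above actually involves, here is an added, self-contained example (not code from King Phisher or its plugin): it generates a Base32 secret, builds the `otpauth://` URI that an authenticator app reads from the QR code, computes RFC 6238 codes with HMAC-SHA1, and verifies a submitted code with a small clock-skew window. The issuer name and account name are assumptions for illustration; the test vector secret is the one from RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

DIGITS = 6   # code length shown by the authenticator app
PERIOD = 30  # seconds per time step


def new_totp_secret(nbytes: int = 20) -> str:
    """Generate a random shared secret and return it Base32-encoded,
    which is the form authenticator apps expect in the otpauth URI."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def totp_at(secret_b32: str, timestamp: int, digits: int = DIGITS, period: int = PERIOD) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a Base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", timestamp // period)          # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otpauth_uri(issuer: str, account: str, secret_b32: str,
                digits: int = DIGITS, period: int = PERIOD) -> str:
    """Build the otpauth:// URI that gets encoded into the QR code the user scans.
    The issuer label is an assumption; any application name works."""
    label = quote(issuer) + ":" + quote(account)
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits={digits}&period={period}")


def verify_totp(secret_b32: str, code: str, timestamp=None, window: int = 1) -> bool:
    """Check a submitted code in constant time, accepting +/- `window` periods of clock skew."""
    now = int(time.time()) if timestamp is None else timestamp
    for step in range(-window, window + 1):
        expected = totp_at(secret_b32, now + step * PERIOD)
        if hmac.compare_digest(expected, code):
            return True
    return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), Base32-encoded.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    # Enrolment: mint a secret for a hypothetical account and print what the QR code would contain.
    secret = new_totp_secret()
    print(otpauth_uri("King Phisher", "alice@example.com", secret))
    print("current code:", totp_at(secret, int(time.time())))
    # Known-answer check against the RFC vector: time 59 -> 287082 (SHA1, 6 digits)
    print("RFC vector:", totp_at(RFC_SECRET, 59))
```

The verification window of one period on either side is the usual trade-off between tolerating phone clock drift and keeping the number of simultaneously valid codes small; a server should also remember the last accepted time step per user so a code cannot be replayed within its window.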
The new DMARC Check plugin expands on King Phisher’s ability to proactively guess what will happen to a message that is about to be sent. This is an important step before sending messages in a campaign to help ensure that no alarms are triggered due to a faulty configuration. King Phisher has had native integrations for checking Sender Policy Framework (SPF) records and guessing the outcome before sending messages. DMARC builds on SPF and DKIM: the domain owner publishes a record dictating what a receiving server should do with a message that fails the SPF or DKIM checks. Options include dropping the message, putting it in quarantine, and possibly sending a report to the domain’s owner informing them of the message. This new plugin can provide some useful information regarding the DMARC policy that is being published by the domain from which the user is sending.
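The information a check like this works from is the `_dmarc.<domain>` TXT record. As an added example, not the plugin's own code, the following parses such a record per RFC 7489 (tag list, required `v=DMARC1` first tag and `p=` policy, defaults for `sp`, `pct`, `adkim`, `aspf`) and summarises what a receiver honouring it does with a message that fails alignment, including where aggregate and failure reports go. It runs offline against a constructed sample record; a real check would first resolve the TXT record for `_dmarc.<domain>` with a DNS library and feed the string in.

```python
from typing import Dict, List

# Tag defaults from RFC 7489 section 6.3 (sp defaults to p and is handled separately).
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
POLICIES = ("none", "quarantine", "reject")

# Constructed sample record for a hypothetical domain; not a real published policy.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; pct=50; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com!10m; ruf=mailto:forensics@example.com")


def parse_dmarc_record(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; ...' body of a DMARC TXT record into a dict, filling defaults.
    Raises ValueError if the string is not a usable DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be present and must be the first tag; anything else (e.g. an SPF record) is rejected.
    if tags.get("v") != "DMARC1" or next(iter(tags)) != "v":
        raise ValueError("not a DMARC record (v=DMARC1 must be the first tag)")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to the domain policy
    return tags


def report_addresses(tags: Dict[str, str], key: str = "rua") -> List[str]:
    """Extract mailto: addresses from a rua= or ruf= tag (comma-separated URIs, optional !size suffix)."""
    addresses = []
    for uri in tags.get(key, "").split(","):
        uri = uri.strip()
        if uri.startswith("mailto:"):
            addresses.append(uri[len("mailto:"):].split("!")[0])
    return addresses


def expected_outcome(record: str, subdomain: bool = False) -> dict:
    """Summarise how a receiver applying this record treats a message that fails DMARC alignment."""
    tags = parse_dmarc_record(record)
    return {
        "policy": tags["sp"] if subdomain else tags["p"],
        "applied_to_percent": int(tags["pct"]),
        "spf_alignment": "strict" if tags["aspf"] == "s" else "relaxed",
        "dkim_alignment": "strict" if tags["adkim"] == "s" else "relaxed",
        "aggregate_reports_to": report_addresses(tags, "rua"),
        "failure_reports_to": report_addresses(tags, "ruf"),
    }


if __name__ == "__main__":
    for name, record in [("sample", SAMPLE_RECORD), ("monitor-only", "v=DMARC1; p=none")]:
        print(name, expected_outcome(record))
        print(name, "(subdomain)", expected_outcome(record, subdomain=True))
```

Note that `pct=50` means only half of failing messages get the stated treatment and the rest are handled under the next-weaker policy, and that a `p=none` record still generates aggregate reports to the `rua` addresses, so a failing message is visible to the domain owner even when it is delivered.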
As always, you can find the latest release of King Phisher on the releases page.