With the version 1.13 release, we have added several goodies. First is a long-requested feature: the ability to store MFA tokens submitted from a login page. Now you can grab the username, password, and MFA field. If you are using this feature as part of a penetration test, you will have to stay on top of the password submission field and use the data quickly, as the tokens often have a short lifespan. Alternatively, it can be used for awareness purposes to identify users who would submit them.
In addition to the new field, each credential set (username, password, mfa-token) can be validated using an optional regular expression configured on a per-campaign basis. This part comes in handy if you happen to know your target's password policy. The results of the regex will be available through the Credentials tab of the GUI. You can also use a Jinja variable in your landing page(s) for advanced features, such as only allowing credentials that pass the regex to be submitted or displaying invalid password verbiage. The fields and examples can be found on King Phisher’s Creating Server Content wiki page.
The next large feature is the ability to set up metadata files for your landing pages on the King Phisher server. The information from the metadata files is advertised by the server to the client. We have implemented two features on the client side that use this data. The first is in the campaign configuration. When creating a new campaign or updating an existing one, the user will now have the option to select an advertised landing page and view all the available information for it. This will help with identifying a suitable page to be used for the chosen pretext. Additionally, the Web Server URL entry box now has an autocomplete option that will suggest the advertised landing pages. More information on the metadata files is located on the King Phisher Wiki. The King Phisher Templates repository has been updated to include metadata for each of the site templates to use this feature. I recommend using SurveyHound’s metadata.yml template as an example for your metadata files.
Figure: Auto Complete for Web Server URL
Also of note: while creating a campaign, you can import a KPM file from the wizard. This will help streamline repeat usage of particular KPM files, for example while retesting a batch of users.
Continuing our trend of increasing support for client plugins, the plugin manager will now attempt to automatically install required dependencies for plugins when installing them. This makes it seamless for you to install and enable any plugin from within the plugin manager. No more dependency issues!
As always, Happy Phishing!