
War Room

Shells from above


Do that Phish: King Phisher Video Guides

March 2, 2016 By Erik

The Importance of Phishing

Over the last few years, a trend has emerged that clearly indicates social engineering, specifically phishing, is the most consistently reliable attack vector through which hackers gain access to target organizations. Given the non-technical, weak-link factor involved in responding to a well-crafted phishing attack, how can an organization best combat this particular vector? It unquestionably boils down to training the end user and security awareness!

In order to determine whether regular training is effective, organizations should be conducting internally driven phishing assessments to make sure the training content is effective and well understood by the end users. Driving the company’s culture toward a security mindset can be a difficult task. Live exercises offer the best overall results in assessing your organization’s phishing awareness.

To perform an effective phishing exercise, there are considerations that one must take into account. As users become more aware and transition to a security mindset, the phishing will need to become more sophisticated. Therefore, testers should build and develop pretenses which will increasingly tempt users to take action on behalf of the “attacker.”

When creating a pretense, it’s important to understand your targets and the parent company or organization, particularly if you are working as a third-party consultant. Which team members would most likely respond to the email in the intended manner (click a link, enter credentials, run a payload), and what is the end goal for the campaign? Once these factors have been decided, the next step is to build the email and the website template.

As specific pretenses are limited only by your imagination, flexible tools are required to execute these types of assessments. The tool needs to be able to track data points that improve the “attacker’s” phishing, as well as provide feedback to the organization on its current status and whether its security awareness training is effective.

King Phisher

This brings us to King Phisher. If you’re a regular reader of the War Room, you are probably familiar with King Phisher. It is an open source phishing tool developed at RSM with the goal of facilitating and executing dynamic phishing campaigns. Before jumping right into your first campaign, there are a few things you will need:

  1. A King Phisher Server
  2. The King Phisher Client
  3. Pretense
  4. CSV of targets

The King Phisher software and install guides can be obtained on GitHub, and it is also prepackaged in Kali Linux. Once you have completed the installation process, you will need to have a pretense in mind, or you can use a template from the King Phisher Template Repository.

Next, you will need to create a CSV file with the list of marks you would like to phish. This CSV file must be in the format firstname,lastname,email-address,department. The department column is optional but provides additional metrics for you to analyze, which helps focus the phishing campaign and training for the organization. Note that an xls or xlsx file will not work here. If you create your document in Excel rather than a text editor, be sure to save it as a CSV. Do not include column titles, as King Phisher will not parse them appropriately.

Example Targets File in Excel

You can also use your favorite text editor, such as Notepad, to create the CSV file. To do this, open Notepad, enter the list of your targets in the format specified above, and it should look like:

CSV File in Notepad
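Because a stray header row, a fifth column or a non-address in the third column will quietly spoil an import, it is worth checking the targets file before loading it. The following validator is an added example written for this post, not part of King Phisher itself; the sample rows are constructed (fictional people at example.com) and the `validate_targets` function is a hypothetical helper that checks the firstname,lastname,email-address,department layout described above.

```python
import csv
import io
import re

# Expected layout: firstname,lastname,email-address,department (department optional),
# no header row. Added example for checking a targets file; not King Phisher code.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HEADER_WORDS = {"firstname", "lastname", "email", "email-address", "department"}

def validate_targets(csv_text):
    """Return (valid_rows, problems) for a targets CSV supplied as text."""
    valid, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        row = [cell.strip() for cell in row]
        if not any(row):
            continue  # blank line, nothing to import
        if lineno == 1 and any(cell.lower() in HEADER_WORDS for cell in row):
            problems.append((lineno, "header row present; King Phisher will not parse column titles"))
            continue
        if len(row) not in (3, 4):
            problems.append((lineno, f"expected 3 or 4 columns, found {len(row)}"))
            continue
        first, last, email = row[:3]
        dept = row[3] if len(row) == 4 else ""  # department is optional
        if not EMAIL_RE.match(email):
            problems.append((lineno, f"third column is not an email address: {email!r}"))
            continue
        if email.lower() in seen:
            problems.append((lineno, f"duplicate target {email}"))
            continue
        seen.add(email.lower())
        valid.append({"firstname": first, "lastname": last, "email": email, "department": dept})
    return valid, problems

# Constructed sample (fictional people at example.com) exercising each check:
# a header row, a 3-column row, a 5-column row, a bad address and a duplicate.
SAMPLE = """firstname,lastname,email-address,department
Alice,Anderson,alice.anderson@example.com,Finance
Bob,Brown,bob.brown@example.com
Carol,Clark,carol.clark@example.com,IT,extra
Dan,Davis,not-an-address,HR
Alice,Anderson,ALICE.ANDERSON@example.com,Finance
"""

if __name__ == "__main__":
    rows, issues = validate_targets(SAMPLE)
    for n, msg in issues:
        print(f"line {n}: {msg}")
    print(f"{len(rows)} usable targets")
```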

Now all you need to do is launch King Phisher and set up your phish. For this I’ve made two simple videos to guide you through the process. This guide uses the training templates found in the King Phisher Template Repository mentioned above. These templates have been found to be very effective, so feel free to use them.

Happy phishing!

How To Run a Campaign with King Phisher

How to Read Campaign Data

