search

jenyraval / Phishing-Simulation

Phishing Simulation mainly aims to increase phishing awareness by providing an intuitive tutorial and customized assessment
GNU General Public License v3.0
136 stars 34 forks source link

Passwords Stored in Plaintext #1

Open nstr10 opened 5 years ago

nstr10 commented 5 years ago

Hi Jeny, If this is a security tool, why does it do such insecure things as storing passwords unencrypted?

No offense, but given the state of this project you should probably have a big red blinking warning in the readme letting people know not to use this in production, only in an isolated/protected lab environment.

I really like this idea, though - keep up the good work!

kiall commented 5 years ago

Not the author, just stumbled across this from the mailop posting.

Red team assessment was mentioned pretty early in the readme, a red team would typically want the actual passwords so they can use them to elevate their access and cover their tracks for later ops.. so, hashing the passwords would be counter intuitive.

Reversable encryption though, that would make sense. Ideally without keeping the private key on the server - operators can then choose to either keep the key and decrypt passwords offline, or discard it and know the passwords are irreversible.

nstr10 commented 5 years ago

I was actually looking at the login page for the admin panel when I wrote that. Haven't checked to see if phished credentials are stored, but assume they probably are.

jenyraval commented 5 years ago

Hello

Appreciate your time in reviewing!!

Though this is phishing simulation which does not store any credentials as such. Regarding the admin module password, Since the module is just meant for admin, I would try to implement some more security around it.

Thanks!

pendalazo commented 1 week ago

Hello

I am stuck on the generate domain variation step; it is not generating anything and after entering the info manually, I am not able to preview the phished page and I am getting the error bellow.

" Warning: preg_match(): Compilation failed: invalid range in character class at offset 119 in C:\xampp\htdocs\AdminPanel\includes\url_to_absolute.php on line 342

Fatal error: Uncaught ValueError: Path cannot be empty in C:\xampp\htdocs\AdminPanel\includes\htmlSaveComplete.php:487 Stack trace: #0 C:\xampp\htdocs\AdminPanel\includes\htmlSaveComplete.php(487): file_get_contents('') #1 C:\xampp\htdocs\AdminPanel\includes\htmlSaveComplete.php(543): htmlSaveComplete->getContents(false) #2 [internal function]: htmlSaveComplete->createDataUri(Array) #3 C:\xampp\htdocs\AdminPanel\includes\htmlSaveComplete.php(239): preg_replace_callback('#(url\(['\"]?)(...', Array, '<!DOCTYPE html>...') #4 C:\xampp\htdocs\AdminPanel\includes\htmlSaveComplete.php(139): htmlSaveComplete->toDataUri('<!DOCTYPE html>...') #5 C:\xampp\htdocs\AdminPanel\saveCompletePage.php(21): htmlSaveComplete->getCompletePage(false, false, false) #6 {main} thrown in C:\xampp\htdocs\AdminPanel\includes\htmlSaveComplete.php on line 487"

regards Penda