Closed MJTurney closed 7 years ago
zeknox
commented
7 years ago Oh yeah, most definitely. It supports uploading a ZIP archive as a website file and will extract that into the webroot when a campaign goes active. The main caveat here is any PHP pages where you want the clicks to be tracked must not be in this ZIP archive.
This is due to my poor code that only applies the Tracking PHP tags to files outside the ZIP archive, not inside.
MJTurney
commented
7 years ago So if I understand you correctly...a multi page credential harvesting template need only be coded in the first place, and then uploaded as a zip? With the exception of pages containing tracking PHP tags?
zeknox
commented
7 years ago Correct, your ZIP archive can contain folders deep of assets, css, or whatever you need to make a full blown comprehensive website. This is huge when you clone a website and have hundreds of files needed to support the website. Just ZIP up all the dependencies, place files like index.php or whatnot outside the ZIP archive as its own website file within a PF template. Sky is the limit!
I checked out the website and noticed this was not documented there, apologies.
MJTurney
commented
7 years ago No no, it's a rather atypical question. In most cases, single page credential harvesting pages are enough. I was just wondering what would it take for page 1 of the template to save creds, and then lead to a second page that also saves creds, and so on. I was surpised not to see any ready made examples of it!
zeknox
commented
7 years ago I have done exactly what you describe above. Unfortunately I dont have any examples readily available to share. The big part is to make sure you pass the UID to the 2nd page as well so those creds can also be tied to a specific UID / target.
I'll see if I can find more code examples of what the form looks like on the 1st page.
MJTurney
commented
7 years ago Awesome. Appreciate your time and response!
zeknox
commented
7 years ago Here is a good example for you: https://github.com/pentestgeek/phishing-frenzy-templates/blob/master/office365/www/index.php#L97
Take a look at how the Form is able to take the UID and pass it to the 2nd page which is login-submit.php. Now this 2nd page has the UID which is the only requirement to make it harvest credentials as well.
MJTurney
commented
7 years ago That's a perfect example of what I was looking for...very clear and simple. So in PF, it would show the harvested creds from every page that maintained the UID?
zeknox
commented
7 years ago Assuming the 2nd page had a form with the proper UsernameForm name, and PasswordForm name within the HTML.
MJTurney
commented
7 years ago Are those the only tags that can be used or is the HTML format for any kind of input? I.e. UsernameForm and instead of PasswordForm, EmployeenumberForm?
zeknox
commented
7 years ago Correct, as of today PF is limited to only the two examples I listed above. I know that the industry has been itching for more. Perhaps in the future.
MJTurney
commented
7 years ago Ahhhh yes, indeed!
I noticed all the templates available for single page entry only...is there a way to make a multiple page template that collects details from every page?