New
3.0.0 - Rephishment
- Feature: TLS certificates from LetsEncrypt will now get automatically renewed.
- Feature: Automated retrieval and renewal of LetsEncrypt TLS certificates is now managed by
certmagiclibrary. - Feature: Authentication tokens can now be captured not only from cookies, but also from response body and HTTP headers.
- Feature: Phishing pages can now be embedded inside of iframes.
- Feature: Changed redirection after successful session capture from
Locationheader redirection to injected Javascript redirection. - Feature: Changed config file from
config.yamltoconfig.json, permanently changing the configuration format to JSON. - Feature: Changed open-source license from GPL to BSD-3.
- Feature: Added
alwaysmodifier for capturing authentication cookies, forcing to capture a cookie even if it has no expiration time. - Feature: Added
phishlet <phishlet>command to show details of a specific phishlet. - Feature: Added phishlet templates, allowing to create child phishlets with custom parameters like pre-configured subdomain or domain. Parameters can be defined anywhere in the phishlet file as
{param_name}and every occurence will be replaced with pre-configured parameter values of the created child phishlet. - Feature: Added
phishlet createcommand to create child phishlets from template phishlets. - Feature: Renamed lure
templatesto lureredirectorsdue to name conflict with phishlet templates. - Feature: Added
{orig_hostname}and{orig_domain}support forsub_filtersphishlet setting. - Feature: Added
{basedomain}and{basedomain_regexp}support forsub_filtersphishlet setting. - Fixed: One target can now have multiple phishing sessions active for several different phishlets.
- Fixed: Cookie capture from HTTP packet response will not stop mid-term, ignoring missing
optcookies, when all authentication cookies are already captured. - Fixed:
trigger_pathsregexp will now match a full string instead of triggering true when just part of it is detected in URL path. - Fixed: Phishlet table rows are now sorted alphabetically.
- Fixed: Improved phishing session management to always create a new session when lure URL is hit if session cookie is not present, even when IP whitelist is set.
- Fixed: WebSocket connections are now properly proxied.