SniperPhish: An all-in-one open-source phishing toolkit
SniperPhish is an all-in-one open-source phishing toolkit that pentesters and other security professionals can use for setting up and executing email and web-based spear phishing campaigns.
“The idea to develop SniperPhish came to me in a period during which the company I previously worked with did many social engineering assessments. Most of the assessment included phishing campaigns, which means creating and hosting phishing websites and crafting email campaigns. The available tools had certain limitations and were not very effective at simultaneously tracking data from the phishing emails and websites,” security consultant Gem George, the tool’s creator, told Help Net Security.
“For example, the client didn’t want us to capture the users’ passwords that were submitted to the phishing website. For each project, we were required to code for tracking data from phishing websites. Additionally, the data captured from this website needed to be mapped to the mail campaign, which was a time-consuming and often resulted in errors.”
Based on these scenarios, he thought to developing his own tool to automate things and, within a few months, he already began testing it during the company’s engagements. He’s now actively working on it, along with several contributors, and adding new features.
SniperPhish can create and schedule phishing email campaigns, create web and email tracker code, create custom tracker images, combine phishing sites with email campaigns for central tracking, track replies to phishing message, generate reports, and more.
“The main advantage of SniperPhish is that a person can use this single toolkit to perform web and email phishing assessments,” Gem explained.
“Data can be centrally tracked from the results of phishing emails and websites. The tool reduces manual effort and avoids the necessity of coding language for capturing data from phishing websites. It also provides a variety of customization options for sending emails (such as mail delay, anti-flood control, etc.), which can be chosen as needed to bypass the targeted organization’s security controls. Reports can also be customized. Finally, SniperPhish provides multiple options for crafting modern spear phishing campaigns, such as QR codes and bar codes.”
At the moment, its main limitations are the absence of an API and a greater variety of modules supporting phishing payloads.
Gem is currently working on an enhancement option to recover and resume the campaign if it is crashed mid-run due to generic service or server failures, adding support for calendar invitations, and on the tool’s documentation and user guide.
SniperPhish currently supports Windows and Linux platforms.
For those interested to know more, Gem is scheduled to present and demo SniperPhish at Black Hat Asia 2021 Arsenal in early May.