Categories: Kali Linux

Mercure – Tool For Security Managers Who Want To Train Their Colleague To Phishing

Mercure is a tool for security managers who want to train their colleague to phishing.

What Mercure can do:

  • Create email templates
  • Create target lists
  • Create landing pages
  • Handle attachments
  • Let you keep track in the Campaign dashboard
  • Track email reads, landing page visits, and attachment execution.
  • Harvest credentials
  • Schedule campaigns
  • Minimize link in email templates

What Mercure will do:

  • Display more graphs (we like graphs!)
  • Provide a REST API
  • Allow for multi-message campaigns (aka scenarios)
  • Check browser plugins
  • User training

Also Read OWTF – Offensive Web Testing Framework Great Tools & Make Pen Testing More Efficient

Sample deployment

Edit docker compose configuration (docker-compose.yml)

version: '2'

services:
  front:
    image: atexio/mercure
    restart: always
    ports:
      - 8000:8000
    environment:
      SECRET_KEY: '<random value>'
      URL: 'https://preprod.mercure.io'
      EMAIL_HOST:  'mail.example.com'
      EMAIL_HOST_USER: 'phishing@example.com'
      EMAIL_HOST_PASSWORD: 'P@SSWORD'
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./data/database:/code/database
      - ./data/media:/code/media
      - ./data/migrations/phishing:/code/phishing/migrations

To generate the SECRET_KEY variable, you can use this command:

# generate random SECRET_KEY
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 200 | head -n 1

The SECRET_KEY is used as a salt for Django password hashing, don’t change it after using it with Mercure. After changing the secret key, you can run the container with this command:

docker-compose up -d

Next, you can create a superuser to log into the web interface:

# create super user
docker-compose exec front python manage.py createsuperuser

How to use Mercure

We can consider Mercure is divided into 5 steps :

  • Targets
  • Email Templates
  • Campaigns
  • Attachments
  • Landing page

Targets, Email Templates, and Campaign are the minimum required to run a basic phishing campaign.

  • First, add your targets

You need to fill Mercure name, the target email. Target first and the last name is optional but can be useful to the landing page

  • Then, fill in the email template.

You need to fill the Mercure name, the subject, the send and the email content. To improve the email quality, you have to fill the email content HTML and the text content. To get information about opened email, check “Add open email tracker” You can be helped with “Variables” category.

Attachments and landing page are optional, we will see it after.

  • Finally, launch the campaign

You need to fill the mercure name, select the email template and the target group. You can select the SMTP credentials, SSL using or URL minimizing

  • Optional, add a landing page

You need to fill the mercure name, the domain to use You can use “Import from URL” to copy an existing website.

You have to fill the page content with text and HTML content by clicking to “Source”

  • Optional, add Attachment

You need to fill the mercure name, the file name which appears in the email and the file You also have to check if the file is buildable or not if you need to compute a file for example.

To execute the build, you need to create a zip archive which contains a build script (named ‘generator.sh’ and a buildable file

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 weeks ago