Mercure is a tool for security managers who want to train their colleagues to recognize phishing.
Edit the Docker Compose configuration (docker-compose.yml):
version: '2'
services:
  front:
    image: atexio/mercure
    restart: always
    ports:
      - 8000:8000
    environment:
      SECRET_KEY: '<random value>'
      URL: 'https://preprod.mercure.io'
      EMAIL_HOST: 'mail.example.com'
      EMAIL_HOST_USER: 'phishing@example.com'
      EMAIL_HOST_PASSWORD: 'P@SSWORD'
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./data/database:/code/database
      - ./data/media:/code/media
      - ./data/migrations/phishing:/code/phishing/migrations
To generate the SECRET_KEY variable, you can use this command:
# generate random SECRET_KEY
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 200 | head -n 1
The SECRET_KEY is used as a salt for Django password hashing, so don’t change it once Mercure is in use. After setting the secret key, you can run the container with this command:
docker-compose up -d
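A pre-deployment check for the compose file above, as an added example that is not part of Mercure or of the original page: it flags the placeholder SECRET_KEY, the sample SMTP password, a non-HTTPS URL, and a world-readable file. The function names, the 50-character minimum and the HTTPS requirement are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-deployment check for the docker-compose.yml shown above.
# Function names and thresholds are this script's own, not part of Mercure.

# Print the value of KEY from a compose file that uses the one-per-line
# "KEY: 'value'" layout shown on this page.
compose_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
        sed "s/^['\"]//; s/['\"][[:space:]]*\$//"
}

# Return 0 when the file passes every check, 1 otherwise (findings on stderr).
check_compose() {
    file=$1
    status=0
    key=$(compose_value SECRET_KEY "$file")
    pass=$(compose_value EMAIL_HOST_PASSWORD "$file")
    url=$(compose_value URL "$file")

    # The generator above emits 200 characters; 50 is this script's minimum.
    if [ "${#key}" -lt 50 ]; then
        echo "SECRET_KEY: unset, placeholder, or under 50 characters" >&2
        status=1
    fi
    case $key in
        *[!a-zA-Z0-9]*)
            echo "SECRET_KEY: characters outside a-zA-Z0-9" >&2; status=1 ;;
    esac
    # 'P@SSWORD' is the sample value from the page, never a real credential.
    if [ "$pass" = 'P@SSWORD' ]; then
        echo "EMAIL_HOST_PASSWORD: still the sample value" >&2
        status=1
    fi
    # Policy assumed here: the public URL must be HTTPS.
    case $url in
        https://*) ;;
        *) echo "URL: not https://" >&2; status=1 ;;
    esac
    # The file holds the SMTP password, so it must not be world-readable.
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "$file: world-readable, run chmod 600" >&2
        status=1
    fi
    return "$status"
}

# Usage: sh check-compose.sh docker-compose.yml
if [ "$#" -gt 0 ]; then
    check_compose "$1"
fi
```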
Next, you can create a superuser to log into the web interface:
# create super user
docker-compose exec front python manage.py createsuperuser
Mercure's workflow can be divided into 5 steps:
Targets, Email Templates, and Campaign are the minimum required to run a basic phishing campaign.
For targets, you need to fill in the Mercure name and the target email. The target's first and last name are optional but can be useful on the landing page.
For an email template, you need to fill in the Mercure name, the subject, the sender and the email content. To improve the email quality, fill in both the HTML content and the text content. To get information about opened emails, check “Add open email tracker”. The “Variables” category can help you.
Attachments and landing pages are optional; we will cover them below.
For a campaign, you need to fill in the Mercure name and select the email template and the target group. You can also select the SMTP credentials, SSL use, and URL minimizing.
For a landing page, you need to fill in the Mercure name and the domain to use. You can use “Import from URL” to copy an existing website.
Fill in the page content with text and HTML by clicking “Source”.
For an attachment, you need to fill in the Mercure name, the file name that appears in the email, and the file. You also have to check whether the file is buildable, for example if a file needs to be computed.
To execute the build, you need to create a zip archive which contains a build script (named ‘generator.sh’) and a buildable file.