When you view the passwords report, there is no "back to stats" link like there is in the visitors report.

Allow the user to preview the email within the web interface before sending. Currently the preview functionality doesn't handle images properly due to base64 encoded strings within the html body.

Something to add the tags for the from/to/etc for all variables so the user does not need to do more work.

add the ability to clone websites

To configuration items such as smtp settings to give users an easier job figuring shit out.

When copying a template, if you have spaces in the "Copy To" field, when you launch a campaign the Document Root in httpd.conf uses those spaces and apache2 will not restart.
Example:
Copy To: Intel test 1

Hey guys,

Connected to production DB, create campaign successfully. When I attempt to save any changes to the campaign options the campaigns/update_settings/1 page comes up with the above error. Where should I be looking to troubleshoot this? Or did I not RTFM enough? Thx.

Currently the email address text field only supports up to 4000 characters, increase the size of this in the case where lots of email addresses are provided to a campaign

I am having a similar issue as discussed in #26 in that PF appears to be sending an initial SMTP AUTH request based upon the AUTH type specified in the drop down box even if no username and password is specified.

The campaign is configured as follows:
SMTP Authentication: login
SMTP Username: (blank)
SMTP Password: (blank)

The following is the error message displayed in PF:
503 5.5.1 Error: authentication not enabled

The following is the error message displayed in Postfix:
lost connection after AUTH from hostname.domainname.com

Possibly the code described in ff50361 has been superceded in some manner?

The zip file that is uploaded to approot/public/uploads/*.zip needs to be removed after a successful restore.

ensure that phishing templates that are restored through the web interface are given the proper permissions on the file system.

The template needs be restored with RW access for the owner of Apache to properly send emails and server up phishing websites.

"campaign_id" is a integer in all the database tables except for "victims", where it is a string. Is this intended?

campaign launched, following the phish URL yields 404 not found, apache2 error log shows the above error. httpd.conf is populated correctly with the virtual host for the phish site (testing intel), clearly not getting to the templates folder and phish site access log is 0 bytes.

Perhaps use a JavaScript library like the following: https://github.com/Valve/fingerprintjs

Testing using the Intel password template I get an error.

Unknown action

The action 'intel' could not be found for TemplatesController

And there is a password.txt file but it never gets populated. I checked the permissions.

Create a running list of every user that has logged into PF, and timestamp the login data and IP address (if possible).

trying to spoof domains that already have SPF configured properly is not a good idea

https://github.com/resque/resque-scheduler

https://github.com/resque/resque

Create a log / archive of all smtp conversations that occur within a campaign

Currently the rake db:seeds will most likely fail because it is attempting to populate protected attributes within the admin.rb model. Instead use an SQL statement that will populate the database without referencing the attributes.

Example:
http://stackoverflow.com/questions/4838716/how-to-avoid-the-validation-callbacks-and-attr-accessible-effects-during-the

I've followed your Kali installation guide and everything is installed correctly, but I can't get the default page to load. I'm running a local install, non-hosted. Local address is 127.0.0.1

I can get to the index, but the main page says:
The web server software is running but no content has been added, yet

Did I miss a step?

Also consider flushing the logs automatically when a campaign is launched for the very first time. This way the user is getting more accurate statistics for the phishing campaign.

Implement pagination for campaigns, templates, and reports to prevent web pages from getting to large.

http://railscasts.com/episodes/254-pagination-with-kaminari

Maybe I'm over thinking this.
I have Phishing frenzy set up and running on a server for example 192.168.1.50. That server is also running sendmail on port 25. I can send email to the address in question via telnet/nc. However, I am getting an error:
testemail is a substute address, for privacy.
[-] 501 5.0.0 Invalid domain name when sending to [email protected] using SSL through localhost:25
[-] 504 5.3.3 AUTH mechanism PLAIN not available when sending to [email protected] through localhost:25
[-] Unable to send [email protected]

I have tried to configure the smtp page in PF as localhost and 127.0.0.1 adding username/passwords,leaving them out, various other things

currently PF will default to index.php as the default landing page for a virtual host. Allow the user to specify whichever landing page they choose within the campaign options.

This creates a permission denied condition when attempting to edit the template files within the template.

dev@rails:/var/www/phishing-frenzy/log# ls -l ../public/templates/
total 24
drwxr-xr-x 4 www-data www-data 4096 Nov  3 18:09 efax
drwx------ 4 nobody   nogroup  4096 Nov  3 18:52 infosec_audit_report
drwxr-xr-x 4 www-data www-data 4096 Nov  3 18:09 intel
drwx------ 4 nobody   nogroup  4096 Nov  3 18:59 template_name
drwx------ 4 www-data www-data 4096 Nov  7 03:09 test

I'm trying to set up phishing-frenzy on a kali VM and www-data doesn't have the service command.

Changing CompaignsController#home:19 to

apache_output = `/etc/init.d/apache2 status`

seems to work.

State current campaign as editing in a banner or something.

Currently the login cookie never expires. Add expiration on the cookie so users are not logged in indefinitely.

http://www.tutorialspoint.com/ruby-on-rails/rails-session-cookies.htm

Using something like delayed_job, send the emails in the background. This way when a user is sending to a large amount of targets the console will not hang until all of the email addresses have been sent.

When a campaign is set to become active, ensure that a FQDN is properly populated so Apache can server up a proper website using ServerName with virtualhosts

Currently if you know the url to send emails it will send the emails by invoking the send script via the url. Only allow the button to call the action which performs sending the emails.

use a csv file , and autopopulate each name into the greeting of the phishing email to personalize

I run on a RHEL platform, so the global settings were a welcome change for the RHEL usage of the "httpd" command vs "apache". I was able to remove all my previous patches when global settings were added, but one, the apache command for listing the VHOSTS.

In campaigns_controller.rb, the default command for this is apache2ctl -S
For my RHEL instance I needed to update this to apachectl -S

If this command were configurable in global settings, then those of us forced to use Red Hat can still be otherwise happy :)

add a little statistic when listing out the reports to get an idea of how the campaign is performing

allow the user to download the raw apache logs

I get uninitialized constant PhishingFrenzy when trying to go to the login.

Also, there is no information on setting up the routes, which not being at all familiar with ruby is very cryptic.

I also noticed in the install it starts as showing in the path phishing-frenzy then changes to phishing-framework

allow the user to generate a final report full of stats and send an email with final report

Currently the reports => stats page refreshes the entire page every 20 seconds. Change this behavior to use ajax and only update the relevant content

Add another password field for the password change functionality to ensure the passwords match before the password is changed and updated.

Allow the user to preview the email before it is ever sent within the web interface.

The difficult part of this is displaying images because they are base64 encoded strings in most HTML emails. This makes it a little more difficult to render images within RoRs

Add functionality to add code to each website to forward the information to the manager to determine clicks and potentially add alerts via on screen/email.

Id like to request if possible, that the console can report if a user opens or views the email, using a 1pixel jpg or something.

Create a Global Settings database within the admin controller that will allow customizations of where apache is located, syntax to restart apache, location to httpd.conf and other customizable settings.

The Apache log files are owned by root when they are created for each VirtualHost. The web application runs as www-data so when attempting to clear the logs, a permission denied situation occurs.

Add event sourcing when sending emails to provide the user with feedback and real time updates