A Tool For Security Managers Who Want To Train Their Colleague To Phishing - Mercure

Mercure is a tool for security managers who want to teach their colleagues about phishing.

What Mercure can do:

• Create email templates
• Create target lists
• Create landing pages
• Handle attachments
• Let you keep track in the Campaign dashboard
• Track email reads, landing page visits and attachment execution.
• Harvest credentials

What Mercure will do:

• Display more graphs (we like graphs!)
• Provide a REST API
• Allow for multi-message campaigns (aka scenarios)
• Check browser plugins
• User training

Docker Quickstart

Requirements

• docker

Available configuration

Environment variable name	Status	Description	Value example
SECRET_KEY	Required	Django secret key	Random string
URL	Required	Mercure URL	https://mercure.example.com
EMAIL_HOST	Required	SMTP server	mail.example.com
EMAIL_PORT	Optional	SMTP port	587
EMAIL_HOST_USER	Optional	SMTP user	phishing@example.com
EMAIL_HOST_PASSWORD	Optional	SMTP password	P@SSWORD
DEBUG	Optional	Run on debug mode	True
SENTRY_DSN	Optional	Send debug info to sentry.io	https://23xxx:38xxx@sentry.io/1234
AXES_LOCK_OUT_AT_FAILURE	Optional	Ban on forcebrute login	True
AXES_COOLOFF_TIME	Optional	Ban duration on forcebrute login (in hours)	0.8333
DONT_SERVES_STATIC_FILE	Optional	Don't serve static files with django	True

Sample deployment

# create container
docker run \
    -d \
    --name=mercure \
    -e SECRET_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 200 | head -n 1) \
    -e URL=https://mercure.example.com \
    -e EMAIL_HOST=mail.example.com \
    -e EMAIL_PORT=587 \
    -e EMAIL_HOST_USER=phishing@example.com \
    -e EMAIL_HOST_PASSWORD=P@SSWORD \
    synhackfr/mercure

# create super user
docker exec -it mercure python manage.py createsuperuser

Git Quickstart

Requirements

• python3
• pip

Deployment

git clone git@bitbucket.org:synhack/mercure.git && cd mercure
pip install -r requirements.txt
./manage.py makemigrations
./manage.py migrate
./manage.py collectstatic
./manage.py createsuperuser
./manage.py runserver

How to use mercure
We can consider mercure is divide between 4 categories :

• Targets
• Email Templates
• Attachments and landing page
• Campaigns

Targets, Email Templates and Campaign are the minimum required to run a basic phishing campaign.

1. First, add your targets
   
   
   You need to fill mercure name, the target email.Target first and last name are optional, but can be usefull to the landing page
   
2. Then, fill the email template.
   
   
   You need to fill the mercure name, the subject, the send and the email content. To improve the email quality, you have to fill the email content HTML and the text content. To get information about opened email, check "Add open email tracker" You can be helped with "Variables" category.
   Attachments and landing page are optionnal, we will see it after.
   
3. Finally, launch the campaign
   
   
   You need to fill the mercure name, select the email template and the target group. You can select the SMTP credentials, SSL using or URL minimazing
   
4. Optional, add landing page
   
   
   You need to fill the mercure name, the domain to use You can use "Import from URL" to copy an existing website.
   You have to fill the page content with text and HTML content by clicking to "Source"
   
5. Optional, add Attachment
   
   
   You need to fill the mercure name, the file name which appears in the email and the file You also have to check if the the file is buildable or not, if you need to compute a file for example.
   To execute the build , you need to create a zip archive which contain a build script (named 'generator.sh' and a buildable file

Download Mercure