Password Reset Phishing (PRP)

Password Reset Man in the Middle Framework

About the tool

Social engineering is a powerful approach for gaining system access. The amount of phishing attacks (and successful ones at that) continue to increase, so it is vital for employees to be tested and trained to recognize these types of attacks. The Password Reset Phishing (PRP) framework helps perform and audit phishing vulnerabilities to password reset attacks. If a victim provides the low risk and seemingly innocent information PRP requires, their accounts may be compromised for most websites (including that of major companies, e.g. Facebook, Amazon, Google). All the victim needs to do is fill out a “survey” or “registration form” that PRP generates, which may then lead to a multitude of new attack vectors.

PRP campaign overview

How it works

PRP utilizes the password rest man in the middle attack. The victim registers for an attacker owned website, but the registration information is used to reset the victim's account. A tester decides which accounts to compromise from a victim. They then manually reset their own account on the respective websites while PRP records it. PRP is then configured to replicate the attack using the recording. The tester decides what questions to ask the victims and match their answers to the reset process. PRP then services a website that will perform the password reset - appearing only as a sort of registration form. As the user answers questions, PRP is using their information to reset their password. Any challenge questions asked by the account reset process will be forwarded to the user to “answer,” though they think it is for registration.

PRP victim details


Attack Demo


Please login to purchase


You may need permission to perform this attack on users as it may compromise their account for third party services (their personal accounts). We are not liable as to what data is compromised or attacks are performed with this tool. PRP utilized automated web browsers usage (bots) to perform this attack, which may be against the terms of use of many websites. We are not liable for the violation of any terms of use. PRP stores reseted passwords but does not encrypt any local files. Be cautious while using PRP's services as they may be attacked.