Legal Notice: These tools are intended for authorized security testing only. Using phishing tools without explicit written permission is illegal and unethical. Always obtain proper authorization before conducting any phishing simulations or tests.

Overview

Phishing attack tools are designed for security professionals to simulate real-world phishing attacks in controlled environments. These tools help organizations:
  • Test employee awareness and security training effectiveness
  • Identify vulnerabilities in email filtering and security controls
  • Conduct authorized penetration testing and red team exercises
  • Assess social engineering attack surfaces

Social Engineer Toolkit

Industry-standard penetration testing framework for social engineering

Evilginx2

Advanced MITM phishing framework that bypasses 2FA

PyPhisher

Easy-to-use tool with 77 pre-built website templates

HiddenEye

Modern phishing tool with multiple tunneling services

Available Phishing Tools

Automated Phishing Frameworks

Description: Automated phishing toolkit for rapid deployment
Installation:
git clone https://github.com/CodingRanjith/autophisher.git
cd autophisher
Usage:
cd autophisher
sudo bash autophisher.sh
GitHub: CodingRanjith/autophisher
Description: Easy to use phishing tool with 77 website templates
Installation:
git clone https://github.com/KasRoudra/PyPhisher
cd PyPhisher/files
pip3 install -r requirements.txt
Usage:
cd PyPhisher
sudo python3 pyphisher.py
Features:
  • 77 pre-built templates for popular services
  • Multiple tunneling options (Ngrok, Cloudflared)
  • Clean and user-friendly interface
GitHub: KasRoudra/PyPhisher
Description: Advanced phishing tool with OTP phishing capabilities
Installation:
git clone https://github.com/Ignitetch/AdvPhishing.git
cd AdvPhishing
chmod 777 *
bash Linux-Setup.sh
Usage:
cd AdvPhishing
sudo bash AdvPhishing.sh
GitHub: Ignitetch/AdvPhishing

Social Engineering Frameworks

Description: The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering attacks
Installation:
git clone https://github.com/trustedsec/social-engineer-toolkit/
cd social-engineer-toolkit
sudo python3 setup.py
Usage:
sudo setoolkit
Features:
  • Spear-phishing attack vectors
  • Website attack vectors
  • Infectious media generator
  • Mass mailer attack
  • Credential harvester
GitHub: trustedsec/social-engineer-toolkit
Description: Automated phishing tool and information collector
Default credentials - Username: root, Password: pass
Installation:
git clone https://github.com/UndeadSec/SocialFish.git
sudo apt-get install python3 python3-pip python3-dev -y
cd SocialFish
sudo python3 -m pip install -r requirements.txt
Usage:
cd SocialFish
sudo python3 SocialFish.py root pass
GitHub: UndeadSec/SocialFish

Advanced MITM Phishing

Description: Man-in-the-middle attack framework for phishing login credentials and session cookies, bypassing 2-factor authentication
Requirements:
  • Go version 1.14.0 or higher
  • Proper PATH configuration for Go
Installation:
# Install Go first (version >= 1.14.0)
sudo apt-get install git make
go get -u github.com/kgretzky/evilginx2
cd $GOPATH/src/github.com/kgretzky/evilginx2
make
sudo make install
Environment Setup: Add to your ~/.profile:
export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
Then load it:
source ~/.profile
Usage:
sudo evilginx
Features:
  • Bypass 2FA by capturing session cookies
  • Custom phishlets for various services
  • DNS and certificate handling
GitHub: kgretzky/evilginx2

Location & Media Phishing

Description: Tool to find exact location of victim through social engineering or phishing engagement
Installation:
git clone https://github.com/Viralmaniar/I-See-You.git
cd I-See-You
sudo chmod u+x ISeeYou.sh
Usage:
cd I-See-You
sudo bash ISeeYou.sh
Features:
  • Expose local servers to Internet
  • Decode location coordinates from log files
  • Social engineering engagement tracking
GitHub: Viralmaniar/I-See-You
Description: Capture webcam shots from target by sending a malicious link
Installation:
git clone https://github.com/hangetzzu/saycheese
Usage:
cd saycheese
sudo bash saycheese.sh
GitHub: hangetzzu/saycheese

QR Code Phishing

Description: QR Code Jacking for various websites
Installation:
git clone https://github.com/cryptedwolf/ohmyqr.git
sudo apt -y install scrot
Usage:
cd ohmyqr
sudo bash ohmyqr.sh
GitHub: cryptedwolf/ohmyqr
Description: OWASP QRLJacking framework for exploiting QR code authentication
Installation:
git clone https://github.com/OWASP/QRLJacking.git
cd QRLJacking
git clone https://github.com/mozilla/geckodriver.git
chmod +x geckodriver
sudo mv -f geckodriver /usr/local/share/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver
cd QRLJacker
pip3 install -r requirements.txt
Usage:
cd QRLJacking/QRLJacker
python3 QrlJacker.py
GitHub: OWASP/QRLJacking

Specialized Phishing Tools

Description: The Rogue Access Point Framework
Installation:
git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
Usage:
cd wifiphisher
sudo python setup.py
GitHub: wifiphisher/wifiphisher
Description: The ultimate phishing tool with 38 websites available
Installation:
git clone https://github.com/thelinuxchoice/blackeye
cd blackeye
Usage:
cd blackeye
sudo bash blackeye.sh
GitHub: An0nUD4Y/blackeye
Description: Phishing tool for 18 social media platforms
Installation:
git clone https://github.com/An0nUD4Y/shellphish.git
Usage:
cd shellphish
sudo bash shellphish.sh
GitHub: An0nUD4Y/shellphish
Description: Browser to browser phishing toolkit
Installation:
git clone https://github.com/TridevReddy/Thanos.git
cd Thanos
sudo chmod -R 777 Thanos.sh
Usage:
cd Thanos
sudo bash Thanos.sh
GitHub: TridevReddy/Thanos
Description: Hide phishing URLs under normal-looking URLs (google.com or facebook.com)
Installation:
git clone https://github.com/jaykali/maskphish.git
cd maskphish
Usage:
cd maskphish
sudo bash maskphish.sh
GitHub: jaykali/maskphish
Description: Advanced phishing tool with update and management features
Installation:
git clone https://github.com/iinc0gnit0/BlackPhish.git
cd BlackPhish
sudo bash install.sh
Usage:
cd BlackPhish
sudo python3 blackphish.py
Update:
cd BlackPhish
sudo bash update.sh
GitHub: iinc0gnit0/BlackPhish
Description: Domain name permutation engine for detecting typo squatting, phishing, and corporate espionage
Installation:
git clone https://github.com/elceef/dnstwist.git
cd dnstwist
Usage:
cd dnstwist
sudo python3 dnstwist.py
GitHub: elceef/dnstwist

Best Practices

Security Testing Guidelines:
  1. Authorization: Always obtain written permission before conducting phishing tests
  2. Scope: Clearly define the scope of testing with all stakeholders
  3. Communication: Establish clear communication channels for incident reporting
  4. Data Handling: Properly secure and dispose of any collected credentials
  5. Documentation: Document all activities for audit trails
  6. Debriefing: Provide educational debriefing sessions after tests
Important Legal Information:
  • Unauthorized phishing attacks are illegal under computer fraud and abuse laws in most countries
  • Written authorization from system owners is required
  • Be aware of data protection regulations (GDPR, CCPA, etc.)
  • Understand the difference between authorized testing and malicious activity
  • Consider insurance and liability implications
  • Follow responsible disclosure practices

Use Cases

Security Awareness Training

Simulate real-world phishing attacks to train employees on recognizing and reporting suspicious emails.

Red Team Assessments

Test an organization’s detection and response capabilities against sophisticated phishing attacks.

Email Security Testing

Evaluate the effectiveness of email filtering, anti-phishing tools, and security controls.

Incident Response Drills

Practice incident response procedures in controlled phishing scenarios.
