EvilPhish is a tool designed for phishing and vishing assessments to test the security awareness of individuals and organizations. It provides a framework for serving a phishing domain and harvesting user credentials. The webpage is designed to persuade users to log in with their network credentials, following a simulated patch verification scan.
Note: Before performing the assessment, you will need to purchase a phishing domain and generate the appropriate DNS records pointing to the server running EvilPhish.
Repository contents:

- `EvilPhish.py`: The main Python script that serves the credential harvesting webpage.
- `LICENSE`: The license file for EvilPhish (MIT License).
- `README.md`: This file, which provides instructions and information about the tool.
- `Requirements.txt`: A list of required Python packages.
- `templates/`: A directory containing templates for the phishing campaign.
  - `index.html`: The HTML template for the phishing page.
- `static/`: A directory containing static assets for the phishing page.
  - `css/`: A directory containing CSS stylesheets.
    - `styles.css`: The CSS file for styling the phishing page.
  - `images/`: A directory containing images used in the phishing page.
    - `EvilPhish_Logo.png`: The logo image for EvilPhish.
Setup and usage:

- Clone or download the EvilPhish repository.
- Install the required Python packages using `pip install -r Requirements.txt`.
- Update the `index.html` file in the `templates/` directory with your organization's branding.
- Place any additional images or assets in the appropriate directories under `static/`.
- Generate SSL/TLS certificate and private key files:
  - Open a terminal and navigate to the EvilPhish directory.
  - Install certbot and run the following commands to generate the SSL/TLS certificate and private key files for your domain:

    ```shell
    sudo apt install certbot
    sudo certbot certonly --standalone -d <domainname>
    ```

  - Save the generated `private_key.key` and `ssl_certificate.crt` files in a secure location.
- Edit the paths to the private key file and certificate file in the `EvilPhish.py` script:
  - Open `EvilPhish.py` in a text editor.
  - Locate the lines that specify the `key_file` and `cert_file` variables.
  - Update the file paths to reflect the locations where you saved each file.
- Customize the email domain and password policy in the `EvilPhish.py` script:
  - Open `EvilPhish.py` in a text editor.
  - Find the following line of code:

    ```python
    if email.endswith('@evilphishinc.com') and len(password) >= 8:
    ```

  - Modify the domain name to match your organization.
- Start EvilPhish:
  - Open a terminal and navigate to the EvilPhish directory.
  - Run `sudo python3 EvilPhish.py` to start the phishing simulation.
- Monitor captured credentials:
  - Open a separate terminal window and navigate to the EvilPhish directory.
  - Run `tail -f credentials.txt` to follow the `credentials.txt` file and monitor captured credentials.
  - You will see the captured credentials in real time as the targets interact with the phishing page.
Please note that EvilPhish should only be used for authorized and legal security testing purposes. The misuse of this tool can violate privacy laws and may have serious legal consequences. The developer of this tool is not responsible for any illegal or unethical activities performed using this tool.
Contributions to EvilPhish are welcome! If you find any issues or have suggestions for improvements, please feel free to submit a pull request or open an issue on GitHub.
EvilPhish is released under the MIT License.