ZPhisher is an advanced phishing tool-kit it is an upgraded version of Shellphish. It has the main source code from Shellphish but ZPhisher has some upgrade and has removed some unnecessary codes from Shellphish. It is developed by HTR-Tech . ZPhisher can be run from Kali Linux and also can be run from Android devices using Termux. It is the all-in-one phishing framework in 2020.
- Facebook Normal Login Page
- Fake Security Login Method (DarkSecDevelopers)
- Facebook Voting Poll Method (DarkSecDevelopers)
- Messenger Login Page (New)
- Normal Login Page
- Instagram Auto Follower Phishing Page (the Linux choice)
- Instagram Badge Verify Method (DarkSecDevelopers)
- Google Old Login Page
- Google New Login Page
- Google Voting Poll Method (DarkSecDevelopers)
4) Adobe Login Page
5) Badoo Login Page
6) CryptoCoinSniper Login Page
7) Deviantart Login Page
8) Dropbox Login Page
9) eBay Login Page
10) Github Login Page
11) Linkedin Login Page
12) Microsoft Login Page
13) Netflix Login Page
14) Origin Login Page
15) Paypal Login Page
16) Pinterest Login Page
17) Playstation Login Page
18) Protonmail Login Page
19) Reddit Login Page
20) Snapchat Login Page
21) Spotify Login Page
22) Stackoverflow Login Page
23) Steam Login Page
24) Twitch Login Page
25) Twitter Login Page
26) Vk Login Page
27) Vk Poll Method (Hiddeneye)
28) WordPress Login Page
29) Yahoo Login Page
30) Yandex Login Page
Zphisher also has 4 port forwarding options
- localhost (For local network/LAN)
- Ngrok (For World-Wide WAN)
- Serveo.Net (For WAN)
- Localhost.run (For WAN)
Installing on Kali Linux
First, we need to clone ZPhisher from it’s GitHub repository by using the following command:
git clone https://github.com/htr-tech/zphisher
The screenshot of the preceding command if following:
Then we need to go inside the zphisher directory using cd command:
Here we need to give executable permission to the bash script by using the following command:
sudo chmod +x zphisher.sh
The screenshot is following.
Now we are ready to run it. We can run it by using the following command:
Then this bash script leads us to the main menu of the ZPhisher tool as shown in the following screenshot:
Here everything is very clear. For example we choose 1 for Facebook and press enter.
Here we can choose whatever we think easy to trick our victim. For example we choose 3 for a “Fake Security Login Page”.
Now we can choose our port forwarding option. Here If we choose 1 then it will be for our local network (same WiFi or LAN) only, but we can choose the other options like ngrok server or localhost.run. (These are all free port forwarding services so sometimes some services may be down for overloading. In that case, we need to choose other.)
Here we choose 2 for ngrok.io. Then we wait for some seconds until our link generated.
In the above screenshot, we can see our link created on ngrok. Now we can send this link to our victim by SMS or mail or by any other way With some catchy social engineering technique.
If our victim opens it then he/she will see something like the following screenshots:
If our victim inputs the username and password then,
We got the credentials of our victim. Now it can be used to log in the victim’s Facebook account.
Installing on Android (Termux)
We also can use it on Android through Termux application. First, we need to install Termux from Google Play Store. Then we can open it and run a single command to update download and run the ZPhisher. The single command is the following:
apt update && apt install git php curl openssh -y && git clone https://github.com/htr-tech/zphisher && cd zphisher && chmod +x zphisher.sh && bash zphisher.sh
How to be safe from this Attack
- We should not click on any link through sms/email/website/chatroom or text messages etc.
- we need to check the link is driving to original Facebook, mean to say check the links is https://www.facebook.com/ or not. If not and the page is looking like Facebook, then this might be a phishing page.
- Windows user should use anti-virus and web security software, like Norton or McAfee. Linux user should take care before clicking unknown links.
This tutorial is for educational purpose only. Phishing is a crime. If anyone does any illegal activity then we are not responsible for that.