Shellphish is an easy and automated phishing toolkit or phishing page creator written in bash language. This tool is made by thelinuxchoice. Original GitHub repository of shellphish was deleted then we recreated this repository.

Screenshot from 2019-04-24 20-01-11.png

Shellphish can perform phishing in WAN (Wide Area Network). Shellphish can create phishing page of most popular social networking sites like,
Shellphish also have an option that we can create custom phishing page. This tool is very easy to setup and use.

To install shellphish we need to open our terminal window and apply the following command :
git clone https://github.com/jaykali/shellphish

This command will clone this tool from Github repository. After cloning is complete, we need to go in the folder/directory of shellphish by using cd command and check the files using ls command as following:
cd shellphish && ls

The screenshot is following:

Screenshot from 2019-04-24 19-58-24.png

Now we need to give access permission to the main bash script called shellphish.sh . We are going to use the following command to do this :
chmod +x shellphish.sh

Then we can run shellphish by using following command:

The main menu will appear after running this tool. Screenshot of the command is following:

Screenshot from 2019-04-24 20-01-36.png

Here we need to choose a website for phishing by using number, we choose number 2 that is Facebook.
The screenshot is following:

Screenshot from 2019-04-24 20-07-40.png

Then we need to choose the port forwarding option. This tool recommend to choose option 1 the SSH tunneling method by Servo.net. We gonna use Servo, so we choose 1.
The screenshot is following:

Screenshot from 2019-04-24 20-11-19.png

Then we need to choose the port by default it's 3333, we are going to use the default configuration so we gonna leave this field blank and type enter.
The screenshot is following:

Screenshot from 2019-04-24 20-14-34.png

Shellphish will do the rest, it will start the server and make a SSH tunnel. At last shellphish give us the phishing link.
One url will be direct and long url and other will be short url. We recommend to use the direct link because sometimes url shortener banned shorted phishing urls.

Okey now we can send this to victims using some social engineering.
The social engineering part is very crucial for phishing. we need little bit information about about victim. For an example if we know that victim is PUBG lover then we can send this link as a message
Claim your free 80000 UC in PUBG by login your Facebook from this link https://www.bit.ly/3rcG6

This is is just an example of easy social engineering, and we need to wait for the credentials without closing the terminal.
The advantage of this tool that is this is very very easy to setup.

Now the question comes how to be safe from this kind of attacks ?
First we should not click urls from 3rd party, and we need to active two factor authentication. This tool can't bypass 2FA.
But some advanced phishing tool really can bypass two factor authentication.