Penetration Testing

Shellphish: A Phishing Tool

Shellphish is an interesting tool that we came across that illustrates just how easy and powerful phishing tools have become today. The tool leverages some of the templates generated by another tool called SocialFish. The tool offers phishing templates for 18 popular sites, the majority are focused on social media and email providers. There is also an option to use a custom template if so desired.

Declarations: This article is posted only for educational purpose to spread awareness among people from being trapped in Phishing attack. 

Table of Content

Phishing and Social Engineering


Exploring Templates

  • Instagram
  • Netflix
  • Twitter


Phishing Attack

Phishing and Social Engineering

Phishing is probably one of the biggest issues for most organizations today, with network and endpoint defensive technology getting better and better, the bad guys aren’t trying to go after the though route and instead of going for the low hanging fruit. Phishing is one of those issues where training the employees is your best defence – try your best to make sure they can spot a malicious email and make sure that they can report it easily so that appropriate action can be taken as quickly as possible. The train of thought behind saying this is that – it’s beneficial to depend on multiple nodes of human intelligence to spot a potential threat, because even if one person spots and reports a phishing mail, it’s possible to run mass searches and find who all were targeted by a campaign.

Social engineering is a very interesting subject to think about, in this context, it is basically using the victim’s familiarity and habits against them. Human beings are creatures of habit, we are so used to certain things in our life that when faced with them, we don’t think twice before acting on them.

As an example; we are aware that there are a lot of attempts to by hackers to compromise social media accounts, so if one receives an email from your preferred social media site that there was an attempt to break into your account or an email to review your accounts security settings, most people will click on the link and log into their account to check what’s going on. A hacker will use this against a victim, all they need to do is swap a real link with a malicious one. Shellphish is probably one of the easiest ways to generate that malicious link. Let’s have a look.    


Shellphish is fairly straight forward to install. It can be done on your Linux of choice, we will be using Kali. We fire up our Kali Linux and use the terminal to navigate to the desktop.

cd Desktop

We need to clone the ShellPhish from GitHub, the download link is provided below.

git clone

This makes a folder named “shellphish” on our desktop. Let’s check the folder and its contents.

cd shellphish/

The next step is to change the permissions of the file so that we as the admin can use it. We don’t want everyone to have open access to it.

chmod 744

And that’s it, now we can launch our phishing tool


Exploring Templates

ShellPhish offers us 18 prebuilt templates, we will look through 3 of them to get an idea of what someone on the receiving end looks at when they get a link generated by this tool.

Get the Instagram page. The platform needs no introduction. We can see what the malicious link leads to, the page it shows is very convincing and might easily fool someone who isn’t paying attention.

Similarly, you can generate another duplicate page i.e NETFLIX as shown below.

Weaponization for Twitter

Now we will see what the process of weaponizing a phishing link looks like.

Once again, let’s start ShellPhish.


ShellPhish gives us a multitude of templates to choose from, all we need to do is follow the prompts the tool gives us.

We will choose the “Twitter template” for this demonstration.


We will be choosing option 2 here and using the Ngrok service to host our phishing link, this is what gives us the HTTPS on our phishing pages. Just by choosing this option, the tool starts a php and Ngrok server and we have our phishing link presented to us.


Now that we have our link, what do we do? What would a malicious actor do?

We won’t put in too much work into what is about to happen next, it’s more so to demonstrate a process that is commonly used. The first thing we need is an email sent by Twitter to a user to make them aware of a suspicious attempt to log in to their account and that they should secure their account by resetting their password. The catch here is that the user will first have to log into their account to reset their password.

Here is our email that conveys good intentions. Notice the “Reset Password” button.

We delete the “Reset Password” button, highlight where it says “password” in the “Secure your account by resetting your password now.”.

Click on the “Insert Hyperlink” function given in the formatting bar. We copy the link given to us by ShellPhish in the Kali terminal. See the section in the terminal that says, “Send this link to the victim:”. This link is pasted in the section that says, “Web address (URL)” and we click OK.

That’s it, we now have our weaponized email, ready to be sent to our victim

Phishing Attack

The victim has received the weaponized email, The moment the “password” link is clicked, the ShellPhish tool starts showing signs of activity. We can see that the tool gives us certain details like the IP of the victim, the browser they are using, the country and the city they reside in, etc.

Once the link is clicked, the victim is presented with a twitter page where they can enter their credentials to access their account so that they may change their password. We have volunteered to be the victim in this demonstration and are entering our account email “” and password “12345wetrtt”

The moment we click on the “Log in” button, we are redirected to the actual Twitter site. Seems harmless right?

Now for the scary part, the credentials the victim entered have been ferried away to the malicious actor in plain text. Lo and behold! The tool proudly announces, “Credentials Found!”.

You can see the account name and password in plain text. The thing that really stood out was the line that tells us the currency used in the country the victim resides in, we’ll leave it to you to figure out why that is.

Declarations: This article is posted only for educational purpose to spread awareness among people from being trapped in Phishing attack. 

This tool shows us how easy phishing attacks have become to execute and depending on how determined a malicious actor is, there is a lot of creativity that they can put into making the email look as legitimate as possible. Just to give you an idea of how serious the issue of phishing is, according to a recent report – 3.4 billion fake emails are sent out daily!

Email firewalls mostly depend on threat intel or on the strength of their filters which dictate how much scrutiny they exercise on each email that hits a domain and how quick they can be to deem an email malicious.

The problem is that, if you don’t set the strength of these filters to a balanced setting, they will flag and block more emails than you would want, making the email firewall admins phone blow up. Not to mention the amount of business that will be hindered.

So, that’s why internal human intelligence is a big tool at our disposal when it comes to spotting malicious emails. There are many free resources to educate your employees and peers on how to spot a malicious email, this is one of those resources and probably one of the best ones around –      

As always, we at Hacking Articles hope you enjoyed this article and share it with your collogues.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here