Top 20 phishing tools to use in 2024

Phishing remains one of the most common and effective techniques in the world of cybersecurity attacks and awareness. Whether you’re a penetration tester, a cybersecurity enthusiast, or someone responsible for building organizational defenses, understanding how phishing tools operate is crucial. This guide dives into the Top 20 Phishing Tools of 2024, covering tools like Setoolkit, Evilginx2, HiddenEye, and more. Each tool offers unique features, from email and SMS phishing to Wi-Fi and QR code manipulation, designed to simulate real-world attacks.

With detailed descriptions, usage instructions, and feature highlights for each tool, this article provides everything you need to know to use these tools effectively and responsibly. Learn which tools to use for specific scenarios, from social engineering to credential harvesting, and understand how these tools contribute to creating better cybersecurity defenses. Read on to discover how each of these tools can enhance your security assessments and phishing simulations!

Disclaimer: This information is for educational and ethical testing purposes only. Unauthorized use of these tools is illegal and strictly discouraged.

1. SEToolkit (Social Engineering Toolkit)

SEToolkit is a powerful and versatile social engineering framework used by penetration testers to simulate real-world phishing attacks.

Key Features:

• Spear-phishing Attack Vector: Craft customized emails to target specific individuals.

• Website Attack Vector: Clone legitimate websites to capture credentials.

• Credential Harvester: Capture login credentials from targets visiting cloned sites.

How to Use:

1. Download and install SEToolkit from its GitHub page.

2. Run SEToolkit and choose the social engineering vector, such as website or email phishing.

3. Clone the target website and initiate the attack, awaiting the results in your terminal.

2. Evilginx2

Evilginx2 is an advanced phishing tool focused on bypassing two-factor authentication by capturing session cookies.

Key Features:

• Proxy Phishing: Acts as a man-in-the-middle (MITM) proxy, capturing both credentials and session cookies.

• Modular Phishing Scenarios: Easily customize for various sites like Facebook or Google.

How to Use:

1. Install Evilginx2 from GitHub.

2. Configure the domain and set up SSL for realistic HTTPS phishing sites.

3. Choose a template for the site to be cloned, then share the phishing link with the target.

4. Once accessed, Evilginx2 captures login details and session cookies.

3. HiddenEye

Known for cloning multiple platforms, HiddenEye captures login details and delivers them to the attacker.

Key Features:

• Customizable Login Pages: Includes pre-configured templates for social media and email providers.

• Multiple Phishing Methods: Supports phishing via email, SMS, and social media.

How to Use:

1. Clone HiddenEye from GitHub.

2. Choose a website template and create a phishing link.

3. Send the link to the target, and the credentials are recorded on the local machine.

4. SocialFish

SocialFish is an easy-to-use tool for phishing social media credentials.

Key Features:

• Social Media Templates: Includes built-in phishing templates for platforms like Facebook and Instagram.

• Compatibility: Works with both Windows and Linux systems.

How to Use:

1. Install SocialFish from GitHub.

2. Select the social media platform template and generate the phishing link.

3. Share the link, and SocialFish captures credentials in real-time.

5. SeeYou (Get Location using Phishing)

SeeYou exploits the target’s device by obtaining GPS location data through a phishing link.

Key Features:

• Real-time Location Capture: Gets accurate GPS coordinates.

• Target Device Identification: Recognizes the type of device used by the victim.

How to Use:

1. Download SeeYou from GitHub.

2. Generate a phishing link, which prompts the target to share location data.

3. Once the target clicks, the tool records and displays their GPS location.

6. SayCheese (Webcam Snapshots)

This tool accesses the target’s webcam to take snapshots through a phishing link.

Key Features:

• Webcam Activation: Captures snapshots through a crafted phishing page.

• Lightweight and Efficient: Minimal setup needed for quick deployment.

How to Use:

1. Clone SayCheese from GitHub.

2. Generate the phishing link and share it with the target.

3. When the link is accessed, SayCheese activates the webcam and saves the images.

7. QR Code Jacking

QR Code Jacking manipulates QR codes to redirect victims to phishing sites.

Key Features:

• Customizable QR Codes: Creates QR codes for social media and other sites.

• Anonymous Tracking: QR codes hide phishing links, making them harder to detect.

How to Use:

1. Get QR Code Jacking from GitHub.

2. Enter the phishing URL, and generate a QR code.

3. Share the QR code, and await login credentials from targets scanning it.

8. ShellPhish

A highly flexible phishing tool, ShellPhish supports multiple social media and email providers.

Key Features:

• Multi-platform Phishing Templates: Supports many popular websites.

• Command-line Interface: Easy setup with a few command prompts.

How to Use:

1. Install ShellPhish from GitHub.

2. Select a template and send the link to the target.

3. Credentials are captured and displayed directly in the terminal.

9. BlackPhish

BlackPhish is ideal for generating fake login pages and capturing credentials.

Key Features:

• Automatic IP Logging: Tracks target’s IP addresses.

• Responsive Phishing Pages: Ensures compatibility across devices.

How to Use:

1. Download BlackPhish from GitHub.

2. Choose a phishing page template, generate the link, and wait for the login details.

10. Zphisher

This is a modified version of ShellPhish, offering more templates and advanced features.

Key Features:

• Enhanced Template Variety: Contains many additional templates for social media.

• Automatic Login Capture: Credentials are automatically saved.

How to Use:

1. Clone Zphisher from GitHub.

2. Select the desired template, share the link, and await captured credentials.

11. PhishX

PhishX provides realistic phishing pages for various platforms.

Key Features:

• Anti-bot Verification: Ensures only genuine visitors access the page.

• Multiple Phishing Vectors: Supports email, SMS, and social media phishing.

How to Use:

1. Download PhishX from GitHub.

2. Select a platform, generate a link, and await credentials from the target.

12. Gophish

Gophish is an open-source phishing framework often used for large-scale campaigns.

Key Features:

• Campaign Management: Manages and tracks multiple campaigns.

• User-friendly Dashboard: Provides a GUI for configuration and tracking.

How to Use:

1. Install Gophish from GitHub.

2. Set up email campaigns with custom links and track responses.

13. Wifiphisher

Wifiphisher is aimed at creating fake Wi-Fi access points to capture credentials.

Key Features:

• Wi-Fi Network Phishing: Users connect to the fake network and enter credentials.

• Automatic Network Setup: Simulates legitimate network behavior.

How to Use:

1. Install Wifiphisher from GitHub.

2. Configure the access point and wait for users to connect.

14. Phishing Frenzy

Phishing Frenzy is a Ruby-based framework built for large-scale phishing campaigns, offering detailed tracking and analytics.

Key Features:

• Email Tracking and Analytics: Monitors opened emails, clicked links, and credentials entered.

• Template Library: Includes a variety of pre-built email and webpage templates.

How to Use:

1. Install Phishing Frenzy from GitHub.

2. Configure email server settings and choose a template.

3. Deploy a campaign, track metrics, and collect results from the built-in dashboard.

15. Ghost Phisher

Ghost Phisher emulates Wi-Fi access points and web servers to capture login credentials through fake captive portals.

Key Features:

• Fake Captive Portals: Redirects users to a login page when they connect to Wi-Fi.

• ARP Spoofing: Redirects legitimate traffic to malicious pages.

How to Use:

1. Download Ghost Phisher from GitHub.

2. Set up a Wi-Fi access point, configure the captive portal, and monitor for connected devices.

16. BlackEye

BlackEye provides ready-to-use phishing templates for popular sites and is highly customizable.

Key Features:

• Pre-configured Templates: Covers social media, email, and e-commerce platforms.

• CLI-based: Simple command-line interface for rapid deployment.

How to Use:

1. Install BlackEye from GitHub.

2. Select a template, generate a link, and capture credentials from victims.

17. King-Phisher

King-Phisher is a flexible tool that combines phishing with social engineering tactics for more sophisticated attacks.

Key Features:

• Campaign Management: Manages and tracks multiple campaigns.

• Email Spoofing: Sends realistic-looking emails for phishing.

How to Use:

1. Clone King-Phisher from GitHub.

2. Create a phishing campaign and send emails with customized templates.

3. Track the target’s interaction and gather metrics.

18. SpookPhish

SpookPhish is designed to be lightweight and effective for simple phishing scenarios.

Key Features:

• Customizable Phishing Pages: Easily modified to simulate various platforms.

• Compact and Fast: Minimal setup required.

How to Use:

1. Download SpookPhish from GitHub.

2. Select a template and generate a link, then capture any credentials entered by the target.

19. PyPhisher

PyPhisher is a Python-based tool that offers an easy setup for phishing and is suitable for beginners.

Key Features:

• Python-based CLI: Straightforward command-line interface.

• Diverse Templates: Pre-configured templates for major sites.

How to Use:

1. Clone PyPhisher from GitHub.

2. Choose a site to clone, generate a link, and wait for the target to engage.

20. HiddenPhish

HiddenPhish is built for undetectable phishing links, making it harder for targets to recognize phishing attempts.

Key Features:

• Masked URLs: Creates phishing links that look legitimate.

• Multiple Service Support: Includes templates for major platforms.

How to Use:

1. Download HiddenPhish from GitHub.

2. Configure the phishing page and share the link with your target.

Each tool on this list provides unique features suited to different scenarios in phishing simulations and security awareness. Here’s a quick summary of when to use each:

• For beginners: Try PyPhisher or Zphisher, as they offer simple CLI-based setups.

• For Wi-Fi phishing: Wifiphisher and Ghost Phisher are top choices, designed for network-based phishing.

• For advanced needs: King-Phisher and Phishing Frenzy are highly customizable for complex campaigns.

These tools are incredibly powerful when used responsibly for testing and improving security. Unauthorized use, however, is illegal and unethical.