Phishing Using Shellphish

July 29, 2019 | Views: 5097


What is a Phishing Attack?

A phishing attack is a fraudulent attempt to obtain sensitive information such as usernames, passwords, credit card information, bank account numbers, etc. Phishing is an example of a social engineering technique used to deceive users.
The way phishing works is that an attacker clones a trusted website or spoofs an email from a sender the target knows, which leads the person to believe that they are visiting a trusted website such as a social media or streaming site, e.g., Facebook, SnapChat, Instagram, Google, Netflix, and so on. The target then enters their username and password on the malicious (cloned) website, the username and password are sent to the attacker instead of the real website, and the target is redirected to the real website. Let's do a demo of phishing using Shellphish.

Things Needed:

1. Kali Linux or any other Linux Operating system.
2. Internet Connection.
3. Shellphish, which we will be using for this practical.
4. Firefox or any other browser.

1. Open Firefox in your Kali Linux.


2. Type ( in the URL.


3. In the search box type (shell phish).


4. Select the first repository.

5. Click on the (Clone or Download) button and copy the URL.


6. Open your Terminal

7. Type (git clone URL) and paste the URL you have copied and press enter.

8. It will start downloading the shellphish file.


9. When the download is complete.

10. Change your directory to shellphish by typing (cd shellphish).


11. In the Shellphish directory, type the command (ls -l); it will show all files and their permissions.


12. Now what we will need to change is the permissions of (

13. As you can see, its permissions are (-rw-r--r--): (r) means read permission and (w) means write permission.

14. There is no execute permission, i.e., x. To add an execute permission, we need to give command (chmod +x it will provide it with new permission that is (x).


15. Now we can execute it by typing (./

16. Shellphish has started. Choose any option from above just by typing their number, e.g. if I want to make an Instagram phishing page, I will type (1) as insta is written on number one.


17. Then choose a port forwarding service that will give you the phishing URL. I will go with ngrok, so I typed 2.


18. If you are using it for the first time, it will start downloading ngrok; wait for it.

19. When the download is complete, it will give you a URL, which is the URL we will use to phish our target.


20. Now you can send this link via email, WhatsApp, Messenger or any other media.

21. When the target clicks on this link, you will get their location and IP address.

22. After that, the page will open, and when the target types his/her username and password, it will be sent to the attacker. And the target will be redirected to their Instagram.


Because I was using TOR, the location is unknown, but it will show the exact location of the target otherwise.
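
Seen from the defending side, steps 17 to 22 leave a recognizable trace in web proxy logs: a form POST to a tunnel hostname that is answered with a redirect to the real brand site. The Python below is an added example, not part of the original article or of Shellphish; the tunnel suffixes, brand list, record layout and sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: tunnel-service suffixes to watch; the article names only ngrok.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")
# Assumption: brands to protect and the domains they legitimately use.
BRAND_DOMAINS = {
    "instagram": ("instagram.com",),
    "facebook": ("facebook.com",),
    "netflix": ("netflix.com",),
}

def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def brand_of(host):
    """Brand whose legitimate domains contain host (exact or subdomain), else None."""
    for brand, domains in BRAND_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return brand
    return None

def findings(records):
    """Flag POSTs in (client, method, url, status, location) proxy records."""
    out = []
    for client, method, url, status, location in records:
        host = host_of(url)
        if method != "POST" or brand_of(host):
            continue  # only form posts to hosts that are not a known brand
        reasons = []
        if host.endswith(TUNNEL_SUFFIXES):
            reasons.append("post-to-tunnel-host")
        target = brand_of(host_of(location)) if 300 <= status < 400 else None
        if target:
            reasons.append("redirect-to-" + target)
        if reasons:
            out.append((client, host, reasons))
    return out

# Constructed sample proxy records (not real traffic).
SAMPLE = [
    ("10.0.0.7", "GET", "https://a1b2c3d4.ngrok.io/", 200, ""),
    ("10.0.0.7", "POST", "https://a1b2c3d4.ngrok.io/submit", 302, "https://www.instagram.com/"),
    ("10.0.0.9", "POST", "https://www.instagram.com/login", 200, ""),
    ("10.0.0.4", "POST", "https://intranet.example.org/form", 302, "https://intranet.example.org/ok"),
]

if __name__ == "__main__":
    print(findings(SAMPLE))
```

A client that appears in the output has probably submitted a form to a cloned page, so its credentials for the named brand should be reset.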

Notice: This article is for ethical hacking and educational purpose only.
