How to Install and Use Zphisher for Phishing Attacks

Zphisher is a powerful tool used for conducting phishing simulations and awareness testing. In this short guide, I’ll walk you through the process of setting up and using Zphisher to create phishing pages and launch simulated attacks but be aware this is only for educational purposes.

Video version of the below steps:

New video:

Newer guide video with minimal reductions to make it neutral for all

Step 1: Installation

First, you’ll need to install Zphisher by following these commands in your terminal:

git clone https://github.com/htr-tech/zphisher.git

cd zphisher

bash zphisher.sh

The installation script will handle setting up the necessary dependencies for Zphisher.

Step 2: Launching Zphisher

Once installed, launch Zphisher by running the following command in the terminal:

./zphisher.sh

This will start the Zphisher tool and present you with a menu of options.

Step 3: Selecting a Target Template

Zphisher provides a variety of phishing page templates. Choose a template by entering its corresponding number from the menu e.g ‘01’.

Step 4: Setting Up the Phishing Page

Follow the on-screen instructions to customize the phishing page:

• After choosing the template, now it’s time to customize it with the provided choices depending on the template you chose.

• Next option is to pick Cloudflared on the onscreen options for port forwarding services:

• For custom port say “N” for no or “y” if you want to provide a custom one.

• Optionally, provide a URL to mask your phishing template.

Step 5: Sending Phishing Links

Zphisher will generate a phishing link based on the selected template and customization. Share this link with your targets through email, messaging apps, or other communication channels and wait for logins to appear on your screen. Utilize a bit of social engineering if you want to get more credentials.

Step 6: Collecting Credentials

Monitor the Zphisher console for captured credentials and other relevant data in real-time as targets interact with the phishing link.

Step 7: Monitoring and Analyzing Results

Keep an eye on the Zphisher console to track the success of your phishing campaign and analyze the gathered information. You’ll find all the credentials captured stored in a file named “auth/usernames.dat” within Zphisher folder.

Step 8: Cleaning Up

After completing the phishing simulation, stop the Zphisher server and ensure that no unauthorized access or data breaches occur.

Final Step: Raising awareness

After simulating the phishing attempt, you’ve now seen how simple victims can fall for this type of cybersecurity attack. Document the different ways the attack is spread, what ways one can quickly identify and report the attack, and share that knowledge(awareness) with your friends to make sure they never fall victim of such attempts.