A lightweight, customizable phishing simulation tool built with Python, Flask, and Selenium, designed for ethical hackers, red team operators, and cybersecurity educators.
This tool is strictly for educational and authorized security testing purposes only.
The author bears no responsibility for any misuse, damage, or illegal activity resulting from use of this software.
You must only use RickPhis on systems you own or have explicit written permission to test.
Unauthorized use against third-party systems is a criminal offense in most jurisdictions.
RickPhis is a modular phishing simulation framework that spins up a local Flask web server, exposes it to the internet via Ngrok tunneling, and leverages Selenium for browser automation, all in one lightweight Python package.
It allows security professionals to:
- Rapidly deploy convincing credential-harvesting pages for awareness training
- Simulate real-world phishing attack vectors in controlled environments
- Conduct red team exercises against organizational security posture
- Educate users about social engineering threats through hands-on demonstrations
- Flask-powered web server: lightweight, fast, and fully customizable
- Ngrok tunneling: instantly expose local pages via HTTPS public URLs
- Selenium integration: real browser automation that attempts live logins
- 2FA interception: captures two-factor authentication codes mid-session
- Web Admin Panel: view all captured credentials directly in your browser
- Admin REST API: programmatically retrieve captured data via JSON endpoint
- Persistent logging: all captures saved to `captured_credentials.json`
- Custom HTML/CSS templates: realistic Instagram login page clone
- Gunicorn support: production-grade WSGI server for stable deployments
- webdriver-manager: automatic ChromeDriver management, no manual setup
- Animated ASCII art banner: color terminal startup animation via `colorama`
| Layer | Technology | Version | Role |
|---|---|---|---|
| Language | Python | 3.8+ | Core runtime |
| Web Framework | Flask | 3.1.3 | HTTP server, routing & session management |
| Browser Automation | Selenium | 4.15.2 | Live Instagram login attempts |
| Production Server | Gunicorn | 22.0.0 | WSGI deployment |
| Driver Management | webdriver-manager | 4.0.1 | Auto ChromeDriver setup |
| Tunneling | Ngrok | latest | HTTPS public URL exposure |
| Terminal Colors | colorama | latest | Startup ASCII art animation |
| Frontend | HTML5 + CSS3 | - | Phishing page & admin panel templates |
```
RickPhis/
│
├── app.py                      # Main Flask app: routes, Selenium logic, admin panel
├── requirements.txt            # Python dependencies
├── captured_credentials.json   # Auto-generated: stores all captured data
│
├── templates/
│   ├── login.html              # Fake Instagram login page
│   ├── 2fa.html                # Fake 2FA verification page
│   ├── admin.html              # Admin login page
│   └── admin_panel.html        # Admin dashboard (credential viewer)
│
├── static/                     # CSS, JS, and static assets
│   └── ...
│
├── RİckPhis.png                # Project logo
├── Screenshot.png              # Application screenshot
└── README.md                   # You are here
```
Before you begin, ensure you have the following installed:
- Python 3.8+
- Google Chrome or Chromium
- Ngrok (with a free account)
- pip package manager
Clone the repository:

```bash
git clone https://github.com/Rickidevs/RickPhis.git
cd RickPhis
```

Create and activate a virtual environment:

```bash
python -m venv venv
# Linux / macOS
source venv/bin/activate
# Windows (PowerShell)
venv\Scripts\Activate.ps1
# Windows (CMD)
venv\Scripts\activate.bat
```

Install the dependencies:

```bash
pip install -r requirements.txt
```

Sign up at ngrok.com and authenticate:

```bash
# macOS
brew install ngrok/ngrok/ngrok
# Linux (snap)
sudo snap install ngrok
# Add your auth token
ngrok config add-authtoken <YOUR_AUTHTOKEN>
```

Start the server:

```bash
python app.py
```

The animated ASCII banner will appear on startup, then the server launches at http://localhost:5000.
Open a new terminal window:

```bash
ngrok http 5000
```

You will receive a public HTTPS URL:

```
Forwarding https://abcd-1234-5678.ngrok-free.app -> http://localhost:5000
```

Share this URL as the phishing link in your simulation.
For stable deployments, run the app under Gunicorn:

```bash
gunicorn --workers 4 --bind 0.0.0.0:5000 app:app
```

| Flag | Description |
|---|---|
| `--workers 4` | Number of worker processes |
| `--bind 0.0.0.0:5000` | Bind to all interfaces on port 5000 |

Note that `--bind 0.0.0.0:5000` also exposes the admin panel on every network interface of the host; if only the Ngrok tunnel (which forwards to localhost) needs to reach it, bind to `127.0.0.1:5000` instead.
RickPhis includes a built-in web admin panel that lets you view all captured credentials directly in your browser, no terminal required.
Navigate to:

```
http://localhost:5000/adminpage
```

Or via your Ngrok URL:

```
https://xxxx.ngrok-free.app/adminpage
```

Because the admin panel is reachable through the same public tunnel as the phishing page, anyone who guesses the default credentials can read everything that has been captured.

Default credentials (⚠️ change these before any real deployment, see Configuration):

| Field | Default Value |
|---|---|
| Username | admin |
| Password | admin |

Admin routes:

| Route | Method | Description |
|---|---|---|
| `/adminpage` | GET | Admin login page |
| `/admin/auth` | POST | Authenticate as admin |
| `/admin/panel` | GET | Dashboard: view all captured credentials |
| `/admin/api/data` | GET | JSON API: returns all captures programmatically |
| `/admin/logout` | GET | End admin session |
Once authenticated, you can fetch all captured data as JSON (the request must carry the admin session cookie set by `/admin/auth`):

```bash
curl http://localhost:5000/admin/api/data
```

Response format:

```json
[
  {
    "timestamp": "2025-01-15T14:32:11.123456",
    "username": "target_user",
    "password": "captured_pass",
    "session_id": "IGsessioncookievalue",
    "two_fa_code": "123456",
    "status": "success",
    "ip_address": "192.168.1.10",
    "user_agent": "Mozilla/5.0 ..."
  }
]
```

Status values:

| Status | Meaning |
|---|---|
| `captured` | Form submitted, awaiting login attempt |
| `success` | Login successful, session cookie captured |
| `failed_login` | Wrong username or password |
| `2fa_required` | Credentials valid, 2FA was triggered |
| `2fa_success` | 2FA code captured, session cookie obtained |
| `2fa_failed` | Wrong 2FA code entered |
```
┌─────────────────────────────────────────┐
│             TARGET BROWSER              │
└───────────────────┬─────────────────────┘
                    │ HTTPS Request
┌───────────────────┴─────────────────────┐
│              NGROK TUNNEL               │
│       https://xxxx.ngrok-free.app       │
└───────────────────┬─────────────────────┘
                    │
┌───────────────────┴─────────────────────┐
│         FLASK WEB SERVER :5000          │
│                                         │
│  GET  /             → login.html        │
│  POST /login        → Selenium login    │
│  GET  /2fa          → 2fa.html          │
│  POST /verify       → Selenium 2FA verify│
│  GET  /adminpage    → admin login       │
│  GET  /admin/panel  → credential viewer │
└───────────┬───────────────┬─────────────┘
            │               │
┌───────────┴───────┐ ┌─────┴─────────────┐
│ SELENIUM CHROME   │ │ captured_         │
│ Real Instagram    │ │ credentials.json  │
│ login attempt     │ │ (persistent log)  │
└───────────────────┘ └───────────────────┘
```
Flow:
- Target visits the Ngrok URL and sees a realistic Instagram login page
- Credentials are submitted, and Flask triggers a real Selenium browser session against Instagram
- If 2FA is required, the target is shown the fake 2FA page; the code is captured and submitted via Selenium
- All data (credentials, session cookies, IP, user agent) is saved to `captured_credentials.json`
- Operator reviews everything at `/admin/panel` in the browser
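From the defender's side, the chain above leaves a recognisable trace in outbound web-proxy logs: a host under ngrok-free.app receiving a POST to /login and then /verify from the same client. The detector below is an added example written for this README, not part of RickPhis; the log format and log lines are constructed, and `parse_line` and `find_tunnel_phish` are names I chose.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic): time client method url status
SAMPLE_LOG = """\
2025-01-15T14:31:58Z 192.168.1.10 GET https://abcd-1234-5678.ngrok-free.app/ 200
2025-01-15T14:32:11Z 192.168.1.10 POST https://abcd-1234-5678.ngrok-free.app/login 302
2025-01-15T14:32:40Z 192.168.1.10 POST https://abcd-1234-5678.ngrok-free.app/verify 302
2025-01-15T14:33:02Z 192.168.1.22 GET https://example.com/login 200
2025-01-15T14:35:10Z 192.168.1.31 GET https://demo-9999.ngrok-free.app/docs 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) https?://([^/\s]+)(/\S*) (\d{3})$")
TUNNEL_SUFFIX = ".ngrok-free.app"  # host shape of the URL RickPhis hands out
CREDENTIAL_PATHS = {"/login": "credentials", "/verify": "2fa_code"}  # RickPhis POST routes

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, status = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "path": path, "status": int(status)}

def find_tunnel_phish(log_text):
    """Return one alert per (client, tunnel host) that POSTed to a RickPhis credential route."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["host"].endswith(TUNNEL_SUFFIX):
            continue
        kind = CREDENTIAL_PATHS.get(rec["path"])
        if rec["method"] == "POST" and kind:
            hits[(rec["client"], rec["host"])].append((rec["ts"], kind))
    alerts = []
    for (client, host), events in hits.items():
        kinds = {k for _, k in events}
        alerts.append({
            "client": client, "host": host,
            "first_seen": min(ts for ts, _ in events),
            "submitted": sorted(kinds),
            # credentials followed by a 2FA code: a live session may already be captured
            "severity": "critical" if "2fa_code" in kinds else "high",
        })
    return sorted(alerts, key=lambda a: a["first_seen"])

if __name__ == "__main__":
    for alert in find_tunnel_phish(SAMPLE_LOG):
        print(alert)
```

A GET to a tunnel host alone (the last sample line) is not enough to alert on; only a POST to one of the credential routes is.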
All sensitive defaults can be overridden using environment variables, no code changes needed.

```bash
# Linux / macOS
export ADMIN_USER=your_custom_username
export ADMIN_PASS=your_strong_password
```

```powershell
# Windows (PowerShell)
$env:ADMIN_USER="your_custom_username"
$env:ADMIN_PASS="your_strong_password"
```

Then start the server normally:

```bash
python app.py
```

If you prefer to hardcode values, locate these lines in app.py:

```python
# Line ~15 in app.py
ADMIN_USERNAME = os.getenv('ADMIN_USER', 'admin')  # ← change 'admin'
ADMIN_PASSWORD = os.getenv('ADMIN_PASS', 'admin')  # ← change 'admin'
```

Replace 'admin' with your preferred credentials:

```python
ADMIN_USERNAME = os.getenv('ADMIN_USER', 'mySecureUser')
ADMIN_PASSWORD = os.getenv('ADMIN_PASS', 'myStr0ngP@ss!')
```

💡 Best practice: Always use environment variables over hardcoded secrets, especially in shared or production environments.
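To make "change the defaults" enforceable rather than a reminder, here is an added example (not RickPhis code) of a startup guard that reads ADMIN_USER/ADMIN_PASS the same way app.py does, refuses to start on admin/admin or a short password, and compares login attempts in constant time. `WeakAdminCredentials`, `load_admin_credentials`, `credentials_acceptable`, `check_admin_login` and `suggest_password` are names I chose, and the assumed integration point is the two `os.getenv` lines in app.py shown above.

```python
import hmac
import os
import secrets

# The pair RickPhis ships with in app.py; starting with it is refused outright.
DEFAULT_ADMIN_CREDENTIALS = {("admin", "admin")}
MIN_PASSWORD_LENGTH = 12

class WeakAdminCredentials(ValueError):
    """Raised when the admin panel would start with default or weak credentials."""

def load_admin_credentials(env=None):
    """Read ADMIN_USER/ADMIN_PASS the way app.py does, but refuse weak values.

    `env` is any mapping (injectable for tests); it defaults to os.environ.
    """
    env = os.environ if env is None else env
    user = env.get("ADMIN_USER", "admin")
    password = env.get("ADMIN_PASS", "admin")
    if (user, password) in DEFAULT_ADMIN_CREDENTIALS:
        raise WeakAdminCredentials("ADMIN_USER/ADMIN_PASS are still the shipped admin/admin")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise WeakAdminCredentials(f"ADMIN_PASS must be at least {MIN_PASSWORD_LENGTH} characters")
    if password == user:
        raise WeakAdminCredentials("ADMIN_PASS must differ from ADMIN_USER")
    return user, password

def credentials_acceptable(env):
    """True if load_admin_credentials() would accept this environment mapping."""
    try:
        load_admin_credentials(env)
        return True
    except WeakAdminCredentials:
        return False

def check_admin_login(submitted_user, submitted_pass, expected):
    """Compare a login form against the loaded pair; both fields are always compared."""
    user_ok = hmac.compare_digest(submitted_user.encode(), expected[0].encode())
    pass_ok = hmac.compare_digest(submitted_pass.encode(), expected[1].encode())
    return user_ok and pass_ok

def suggest_password():
    """Random 32-hex-character value suitable for `export ADMIN_PASS=...`."""
    return secrets.token_hex(16)
```

Calling `load_admin_credentials()` once at import time makes `python app.py` exit with a clear error instead of silently serving the panel behind admin/admin.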
| Variable | Default | Description |
|---|---|---|
| `CAPTURE_FILE` | `captured_credentials.json` | Output file for captured data |
| `MAX_INPUT_LENGTH` | `150` | Max allowed length for form fields |
| `PERMANENT_SESSION_LIFETIME` | 30 minutes | Flask session expiry time |
| `host` | `0.0.0.0` | Server bind address |
| `port` | `5000` | Server port |

| ✅ DO | ❌ DON'T |
|---|---|
| Test only on systems you own | Use against unauthorized third parties |
| Obtain written consent before red team ops | Harvest real user credentials |
| Disclose findings responsibly | Share or sell captured data |
| Use for awareness training | Deploy without legal clearance |
| Change default admin credentials | Leave admin/admin in production |
| Follow your organization's security policies | Violate local cybercrime laws |
Dependencies (requirements.txt):

```
Flask==3.1.3
selenium==4.15.2
gunicorn==22.0.0
webdriver-manager==4.0.1
```

Install them with:

```bash
pip install -r requirements.txt
```

Contributions are welcome:

```bash
# 1. Fork the repository on GitHub
# 2. Create your feature branch
git checkout -b feature/your-feature-name
# 3. Commit your changes
git commit -m "feat: add your feature description"
# 4. Push to your fork
git push origin feature/your-feature-name
# 5. Open a Pull Request on GitHub
```

This project is provided for educational and research purposes only.
Commercial use, malicious deployment, or distribution of harvested data is strictly prohibited.
Built by Rickidevs
If this project helped you, consider giving it a ⭐, it means a lot!