Tooling

Phishing & Social Engineering — GoPhish, Evilginx

Phishing simulation, MITM phish-proxies, and the awareness-platform alternatives.

Phishing remains the #1 initial-access technique. Red-team phishing splits into "awareness simulation" (GoPhish style) and "real adversary emulation" (Evilginx-class MITM proxies that defeat MFA). For email infrastructure see Email. For exploitation post-click see Exploitation Frameworks. For defender-side reporting see Bot Protection (login defences) and SIEM.

Phishing simulation / awareness

  • GoPhish — open-source phishing campaign manager; web UI; tracks opens / clicks / submissions; templated landing pages; reporting. Free OSS — the reference for awareness simulations.
  • King-Phisher (sunset) — older open-source competitor; archive only.
  • Lucy Security — paid SaaS; comprehensive awareness platform.
  • KnowBe4 — paid; market leader for corporate awareness training.
  • Hoxhunt — paid; gamified.
  • Cofense PhishMe — paid; large enterprise.
  • Proofpoint Security Awareness — paid.
  • Curricula / Mimecast / Infosec IQ — paid SaaS competitors.

MFA-defeating MITM proxies (real-adversary territory)

  • Evilginx 3 (Kuba Gretzky) — modern reverse-proxy phishing framework; cookie-grab + session-hijack across Microsoft 365 / Google / Okta / others; defeats most TOTP / push MFA. Free OSS — the reference modern adversary tool.
  • Modlishka (Piotr Duszynski) — alternative reverse-proxy MITM; Polish researcher; free.
  • EvilProxy / Storm-1101 — commercial criminal services (illegal); listed for awareness only.
  • Muraena — Italian open-source reverse-proxy phishing; pairs with NecroBrowser for session takeover.
  • CredSniper — older; Google-focused.

These tools defeat TOTP and push MFA; WebAuthn / FIDO2 / Passkeys are the practical defence — see Auth.

Site cloners / payload pages

  • Zphisher — quick CLI phishing-page generator; many templates; free.
  • SocialFish — web UI; templates.
  • HiddenEye — multi-template phisher.
  • AdvPhishing — phishing kit.
  • ShellPhish — phishing kit.
  • SET (Social-Engineer Toolkit) by TrustedSec — classic; broad; menu-driven.

Domain / sender infrastructure

  • dnstwist — typosquat domain generation.
  • CheckMarx URLPunycodeChecker / IDN checks — homoglyph IDN domains.
  • DomainHunter / DomainTools / Spamhaus — pick "aged" domains so SpamGuard / Proofpoint don't categorise as new.
  • MailSPF / DKIM / DMARC tooling — see Email; proper auth lifts deliverability.
  • GoPhish + sendgrid / mailgun / amazonses test domain — typical lab setup.
  • Postal / Mail-in-a-Box — self-host SMTP; see Self-Host Email Servers.

Voice / SMS / vishing

  • VICIdial / SignalWire / Twilio for testing — vishing infra.
  • Asterisk / FreePBX — self-host PBX for caller-ID-spoof scenarios.
  • SocialEngineer Toolkit has voice modules.
  • fakecaller / Spoofcard — paid.
  • Smishing — typically Twilio in test scenarios.

Payload-bearing variants

  • MalDoc / Office macros (Office macros mostly blocked from internet docs since 2022 — still useful via OneNote, ISO, LNK, polyglot).
  • HTA / SVG smuggling / browser exploit — niche.
  • OneNote / ISO / IMG / VHDX / LNK — common 2023–26 vectors.
  • MOTW (Mark Of The Web) bypasses — research-track; many CVEs.
  • See Malware Analysis for analyzing payloads (and constructing them safely in lab).

Templates / OSINT for pretexting

  • See OSINT & Recon — Hunter.io for company email patterns, LinkedIn enumeration, theHarvester.
  • Phishing kits leak repos — TheLeakedKitsRepo etc.; for blue-team study.

Defensive (the other side)

  • DMARC enforcement (p=reject) + DKIM + SPF — table stakes.
  • Microsoft Defender for Office 365 / Proofpoint / Mimecast / Abnormal — paid email security.
  • PhishTank / OpenPhish — IOC feeds.
  • knockpy / urlscan.io — link analysis.
  • WebAuthn / Passkeys for high-value accounts — see Auth.
  • Trained users + a "Report Phishing" button — biggest cheap win.

Pick this if…

  • Default awareness-simulation platform, free: GoPhish.
  • Default real-adversary MITM phishing for engagements: Evilginx 3.
  • Quick test page / demo: Zphisher or SET.
  • Enterprise awareness program: KnowBe4 or Hoxhunt (paid).
  • Defence: DMARC reject + WebAuthn / Passkeys for crown-jewel accounts.

On this page