Test whether employees will grant camera permissions to a deceptive link during an authorized phishing simulation
Demonstrate social engineering risks in a security awareness training session using a controlled fake page
Verify location-based access controls by capturing GPS data during an authorized penetration test
| techchipnet/camphish | atlemo/subtlepatterns | adongwanai/agentguide | |
|---|---|---|---|
| Stars | 4,736 | 4,737 | 4,740 |
| Language | HTML | HTML | HTML |
| Setup difficulty | moderate | easy | moderate |
| Complexity | 2/5 | 1/5 | 3/5 |
| Audience | ops devops | designer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires PHP and either ngrok or a Cloudflare account, only legal to use with explicit written authorization from the target.
CamPhish is a tool that creates fake web pages designed to request camera and GPS location permissions from anyone who opens the generated link. When the person who receives the link grants those browser permissions, the tool captures photos from their device camera and records their GPS coordinates, sending them back to whoever ran the tool. The setup works by running a local PHP web server hosting one of several deceptive page templates: a festival greeting card, a fake live YouTube stream, or a fake online meeting page. The tool then uses either ngrok or a Cloudflare Tunnel to make that local server reachable over the internet as a shareable link. The fake page uses standard browser permission dialogs to ask for camera access, if the visitor clicks Allow, photos are taken silently. The README states the tool is intended for penetration testing (security audits where an organization gives you explicit written permission to test its defenses). Outside of that context, using it against someone who has not given prior written consent is unauthorized surveillance and illegal in most jurisdictions. The tool runs on Kali Linux, Termux (Android terminal), macOS, Ubuntu, Parrot OS, and Windows via WSL. Setup requires PHP and wget. Version 2.0 added GPS location capture with Google Maps integration. Version 1.8 switched from Serveo to Cloudflare Tunnel. A cleanup script is included to delete captured files and logs from the local machine. The project is credited to the TechChip YouTube channel and draws from an earlier open-source phishing toolkit. The repository prohibits unauthorized reuploading.
A penetration testing tool that creates fake web pages to silently capture photos and GPS coordinates from visitors who grant browser camera permissions, legal only with explicit written authorization.
Mainly HTML. The stack also includes PHP, HTML, Bash.
No standard open-source license, the repository prohibits unauthorized redistribution and is legal to use only with explicit written permission from the target organization.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.