SocialFish v3.0 brings powerful new features for cloning modern login pages, capturing cookies, and intercepting 2FA codes with a live operator panel.
- Playwright Browser Automation: clone modern JS-heavy login pages
- Full Cookie Capture & Analysis: detailed metadata, security attributes, auth tokens
- Template System: save and reuse clones across multiple victims
- Live OTP Interception Panel: real-time 2FA code capture and injection
- MITM Reverse Proxy: ngrok/cloudflared tunneling with auto-installation
- 6 Clone Modes: login-only, cookies-only, or full capture
- Multi-step Login Detection: automatic heuristics for complex flows (Office365, etc.)
- Webhook Notifications: real-time alerts to Slack, Discord, custom APIs
- Session Management: full session tracking with export to JSON/CSV
- Network Interception: log all HTTP requests/responses
- Victim Tracking: track clicks, IP addresses, geolocation, device type
- FEATURES_v3.md: complete feature guide with workflows
- IMPLEMENTATION_SUMMARY.md: technical implementation details
- Wiki: original setup and advanced guides
```bash
python setup.py
```

This will:
- Install all dependencies
- Setup Playwright browsers
- Initialize database
- Configure tunneling (optional)
- Display quick-start guide
```bash
pip install -r requirements.txt
playwright install chromium
python SocialFish.py admin password
```

The two arguments are the admin-panel username and password; `admin password` is only a placeholder, so pick a strong password before starting the app, particularly if the Flask app is reachable from outside localhost. Then access: http://localhost:5000/neptune
1. Create Template: `/templates` → New Template → enter the target URL
2. Setup Tunnel (optional, for remote testing): click "Tunnel" → choose ngrok/cloudflared → authorize
3. Generate Lure URL: click "Lure" → copy the unguessable URL
4. Send to Victims: distribute the lure URL in emails, messages, etc.
5. Monitor in Real-Time: `/sessions` to view captured credentials, cookies and OTP codes; `/admin/otp_panel.html` to intercept and inject 2FA codes
- Save clone configurations
- Reuse across multiple users
- Clone modes: `both` (credentials + cookies), `login` (credentials only), `cookies` (session only)
- Browser engines: Playwright (default), Selenium (optional)
- Full cookie jar (domain, path, secure, httponly, samesite, expiry)
- JavaScript cookie interception
- Auth token detection
- Security attribute analysis
- Export to JSON/CSV
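As an added illustration of the cookie-jar analysis listed above (example code written for this page, not SocialFish's `core/cookie_inspector.py`), the following classifies each captured cookie by its security attributes and flags likely session/auth tokens. The cookie dict shape follows what Playwright's `context.cookies()` returns; the name patterns, risk labels and the sample jar are assumptions constructed for the example.

```python
"""Added example, not SocialFish's core/cookie_inspector.py: report the
security attributes of a captured cookie jar and flag likely auth tokens.
Cookie dicts use the Playwright context.cookies() shape:
name, value, domain, path, expires (-1 = session), httpOnly, secure, sameSite."""
import re
from typing import Dict, List

# Name fragments that usually mark session/auth cookies (assumed heuristic).
AUTH_NAME_RE = re.compile(r"(sess|sid|token|auth|jwt|login|remember)", re.IGNORECASE)
# Three base64url segments: the shape of a JWT stored in a cookie value.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
DAY = 86400.0


def analyse_cookie(cookie: Dict, now: float) -> Dict:
    """Return a report for one cookie. `now` is a Unix timestamp passed in
    explicitly so that lifetimes are reproducible."""
    name = cookie.get("name", "")
    findings: List[str] = []
    if not cookie.get("secure", False):
        findings.append("no Secure flag: also sent over plain HTTP")
    if not cookie.get("httpOnly", False):
        findings.append("no HttpOnly flag: readable by page JavaScript")
    if cookie.get("sameSite", "None") not in ("Lax", "Strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")

    expires = float(cookie.get("expires", -1))
    if expires == -1:
        lifetime = "session"
    elif expires <= now:
        lifetime = "expired"
    else:
        lifetime = f"{(expires - now) / DAY:.1f}d"

    auth_candidate = bool(AUTH_NAME_RE.search(name)) or bool(JWT_RE.match(cookie.get("value", "")))
    # An auth token that is missing hardening attributes is the interesting case.
    if auth_candidate and findings:
        risk = "high"
    elif auth_candidate:
        risk = "medium"
    else:
        risk = "low"
    return {
        "name": name,
        "domain": cookie.get("domain", ""),
        "path": cookie.get("path", "/"),
        "lifetime": lifetime,
        "auth_candidate": auth_candidate,
        "findings": findings,
        "risk": risk,
    }


def analyse_jar(cookies: List[Dict], now: float) -> List[Dict]:
    return [analyse_cookie(c, now) for c in cookies]


def auth_cookie_names(cookies: List[Dict], now: float) -> List[str]:
    return sorted(r["name"] for r in analyse_jar(cookies, now) if r["auth_candidate"])


# Constructed sample jar for this example; not captured from any real site.
NOW = 1_700_000_000.0
SAMPLE_JAR = [
    {"name": "SID", "value": "s3cr3tsession", "domain": ".example.test", "path": "/",
     "expires": NOW + 30 * DAY, "httpOnly": True, "secure": True, "sameSite": "Lax"},
    {"name": "app", "value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln",
     "domain": "app.example.test", "path": "/", "expires": -1,
     "httpOnly": False, "secure": True, "sameSite": "None"},
    {"name": "visitor_pref", "value": "theme=dark", "domain": ".example.test", "path": "/",
     "expires": NOW - DAY, "httpOnly": False, "secure": False, "sameSite": "None"},
]

if __name__ == "__main__":
    for report in analyse_jar(SAMPLE_JAR, NOW):
        print(report)
```

The `risk` label is deliberately about the cookie, not the site: a session cookie with every hardening flag set is still a replayable credential once captured, which is why the export of such jars needs the retention policy mentioned further down.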
- WebSocket-based real-time communication
- Display victim session details
- Wait for OTP codes (manual or automatic)
- Inject OTP back to victim's browser
- Network activity monitoring
- Auto-setup ngrok or cloudflared tunnels
- Reverse proxy all victim traffic
- Automatic cookie + credential capture
- No setup overhead
- Slack, Discord, custom APIs
- Triggerable on credential submit, OTP received, session created
- JSON, form-encoded, or XML payloads
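Added example (not the project's own webhook code) of how a trigger event can be serialised in the three body formats listed above and posted to Slack, Discord or a custom endpoint. The trigger names, field names and the redaction list are assumptions for this example. The caveat it encodes: a chat channel is a second copy of whatever you forward, so send session identifiers and redact passwords, OTPs and cookies rather than relaying them verbatim.

```python
"""Added example, not SocialFish's webhook implementation: build and send a
notification for a trigger event as JSON, form-encoded or XML, with secret
fields redacted first. Trigger and field names are assumed for the example."""
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

TRIGGERS = ("credential_submit", "otp_received", "session_created")
# Field names whose values must never leave the box through a notification.
SENSITIVE = ("password", "otp", "cookie", "token")
REDACTED = "[redacted]"


def redact(data: Dict) -> Dict:
    """Replace the value of any field whose name contains a sensitive fragment."""
    return {k: (REDACTED if any(s in k.lower() for s in SENSITIVE) else v) for k, v in data.items()}


def build_payload(event: str, data: Dict, fmt: str = "json") -> Tuple[str, bytes]:
    """Return (Content-Type, body) for the requested format."""
    if event not in TRIGGERS:
        raise ValueError(f"unknown trigger: {event}")
    payload = {"event": event, **redact(data)}
    if fmt == "json":
        return "application/json", json.dumps(payload, sort_keys=True).encode()
    if fmt == "form":
        return "application/x-www-form-urlencoded", urllib.parse.urlencode(payload).encode()
    if fmt == "xml":
        root = ET.Element("notification")
        for key, value in payload.items():
            ET.SubElement(root, key).text = str(value)
        return "application/xml", ET.tostring(root, encoding="unicode").encode()
    raise ValueError(f"unknown format: {fmt}")


def slack_text(event: str, data: Dict) -> Dict:
    """Slack and Discord incoming webhooks accept a JSON object with a text field."""
    details = ", ".join(f"{k}={v}" for k, v in redact(data).items())
    return {"text": f"[SocialFish] {event}: {details}"}


def send(url: str, event: str, data: Dict, fmt: str = "json", timeout: float = 5.0) -> int:
    """POST the payload and return the HTTP status (performs a real request)."""
    content_type, body = build_payload(event, data, fmt)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed event; nothing is sent here.
    for fmt in ("json", "form", "xml"):
        print(build_payload("otp_received", {"session_id": 7, "otp": "123456"}, fmt))
    print(slack_text("credential_submit", {"username": "alice", "password": "hunter2"}))
```

`send()` is the only function that touches the network; `build_payload()` and `slack_text()` are pure so the payload can be inspected (and the redaction verified) before a webhook URL is ever configured.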
- Automatic heuristics for complex flows
- OTP endpoint detection
- Manual breakpoints for user interaction
- 2FA indicators in analytics
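Added example (not SocialFish's own heuristics) showing how a fetched login page can be classified as an identifier-first, password or OTP step from its form markup and prompt text. The field-name patterns and the sample pages are constructed for this example. Heuristics like these are brittle across sites, which is exactly why the manual breakpoints listed above exist.

```python
"""Added example, not SocialFish's own code: classify a login page as an
identifier-first, password or OTP step from its inputs and visible text.
All patterns below are assumed heuristics, not the project's."""
import re
from html.parser import HTMLParser
from typing import Dict, List

# Field name/id fragments that typically mark a second-factor input.
OTP_FIELD_RE = re.compile(r"(otp|one.?time|totp|mfa|2fa|verif|passcode|security.?code)", re.I)
# Prompt text that typically accompanies a second-factor input.
OTP_TEXT_RE = re.compile(r"(verification code|one-time code|authenticator app|enter the code)", re.I)
# Field name/id fragments that mark the account identifier input.
USER_FIELD_RE = re.compile(r"(user|email|login|mail|account)", re.I)


class _FormScanner(HTMLParser):
    """Collect <input> attributes and visible text from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: List[Dict[str, str]] = []
        self.text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k.lower(): (v or "") for k, v in attrs})

    def handle_data(self, data):
        self.text.append(data)


def detect_login_step(html: str) -> Dict:
    scanner = _FormScanner()
    scanner.feed(html)
    inputs = scanner.inputs
    text = " ".join(scanner.text)

    has_password = any(i.get("type", "").lower() == "password" for i in inputs)
    has_identifier = any(
        i.get("type", "").lower() in ("text", "email", "tel")
        and USER_FIELD_RE.search(i.get("name", "") + " " + i.get("id", ""))
        for i in inputs)

    indicators: List[str] = []
    for i in inputs:
        label = i.get("name") or i.get("id") or "?"
        if i.get("autocomplete", "").lower() == "one-time-code":
            indicators.append(f'autocomplete="one-time-code" on input {label}')
        elif OTP_FIELD_RE.search(i.get("name", "") + " " + i.get("id", "")):
            indicators.append(f"field name suggests a code: {label}")
        elif i.get("inputmode", "").lower() == "numeric" and i.get("maxlength", "") in ("4", "6", "8"):
            indicators.append(f"short numeric field: {label}")
    if OTP_TEXT_RE.search(text):
        indicators.append("prompt text asks for a code")

    # A password field wins over code hints: OTP pages normally have no password input.
    if indicators and not has_password:
        step = "otp"
    elif has_password:
        step = "password"
    elif has_identifier:
        step = "identifier"
    else:
        step = "unknown"
    # Identifier-first and OTP pages both mean the flow spans several pages.
    return {"step": step, "multi_step": step in ("identifier", "otp"), "indicators": indicators}


# Constructed sample pages for this example (not copied from any real site).
IDENT_PAGE = '<form action="/login"><input type="email" name="email" id="email"><button>Next</button></form>'
PASS_PAGE = '<form><input type="hidden" name="email" value="a@b.test"><input type="password" name="passwd"></form>'
OTP_PAGE = ('<p>Enter the verification code from your authenticator app.</p>'
            '<form><input type="text" name="code" inputmode="numeric" maxlength="6" '
            'autocomplete="one-time-code"></form>')

if __name__ == "__main__":
    for page in (IDENT_PAGE, PASS_PAGE, OTP_PAGE):
        print(detect_login_step(page))
```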
Works with any login page that uses:
- ✅ HTML forms
- ✅ JavaScript form submission
- ✅ XHR/fetch-based authentication
- ✅ SPA logins (React, Vue, Angular)
- ✅ 2FA/OTP flows
- ✅ Multi-step authentication (Office365, Gmail, GitHub, etc.)
```bash
# List templates
curl http://localhost:5000/templates

# Generate lure URL
curl -X POST http://localhost:5000/lure/generate \
  -d "template_id=1"

# View session
curl http://localhost:5000/session/1
```

```bash
# Setup
python setup.py                                   # Interactive setup

# Tunneling
python core/tunnel_manager.py setup
python core/tunnel_manager.py start --type ngrok

# Database
python core/db_migration.py
```

```
SocialFish/
├── SocialFish.py               # Main Flask app
├── setup.py                    # Interactive setup wizard
├── FEATURES_v3.md              # Feature documentation
├── IMPLEMENTATION_SUMMARY.md   # Technical details
├── core/
│   ├── recorder_playwright.py  # Browser automation
│   ├── cookie_inspector.py     # Cookie analysis
│   ├── tunnel_manager.py       # Tunneling support
│   ├── db_migration.py         # Database schema
│   └── ... (other modules)
└── templates/
    └── admin/
        ├── templates.html      # Templates library UI
        ├── otp_panel.html      # OTP interception UI
        ├── sessions.html       # Session management UI
        └── ... (other templates)
```
- ✅ Consent Required: only test systems you own or have explicit written permission for
- ✅ Audit Logging: all operations logged with user attribution
- ✅ Data Protection: implement proper data retention policies
- ✅ GDPR Compliance: comply with local privacy regulations
- ✅ Disclosure: report vulnerabilities responsibly
See CODE_OF_CONDUCT.md and LICENSE for details.
Looking for the mobile controller? Check SocialFishMobile
TO BE USED FOR EDUCATIONAL PURPOSES ONLY
Use of SocialFish is the COMPLETE RESPONSIBILITY of the END USER. The developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.
"DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
Taken from LICENSE.
Run with Docker:

```bash
docker compose up
```

Status: Production-ready for authorized security testing and red team exercises
We encourage you to contribute to SocialFish! Please check out the Contributing to SocialFish guide for guidelines about how to proceed. Join us!
@carinamary2448 - https://github.com/carinamary2448
