AdvPhushing tool is the latest phishing technique in which you can easily access social media accounts of users . there are many type of tools like this but in this tool you can access social media accounts of user even if if two-factor authentication is activated. with the help of this tool not only you can access social media accounts, but you can access many more important accounts like :

Popular Payments Sites :

  • Paytm
  • Paypal
  • PhonePay

    Popular Food Webpages :

  • Zomato
  • Uber-Eats

Declarations : This article is posted only for educational purpose to spread awareness among people from being trapped in Phishing attack. 

Soical Engineering

social engineering is one of basic attack in which we can execute our plan with minimum efforts. social engineering as one of the simplest methods to gather information about a target through the process of exploiting human weakness that is inherit to every organization. with the help of social engineering you can collect sensitive information.

For example, most of the people are active on social media accounts these days, there is a lot of attentions in which fake emails are sent to take access to your accounts, some of them open those fake emails and follow their instructions. So that their accounts get compromised

Features :

  • User can use AdvPhishing to obtain the target’s IP address.
  • Easy for user to use.
  • 32 different types of templates are available.
  • Available on both Andorid ( Termux ) and Linux.

Testing on Following :

  • Kali Linux – 2020.1a (version)
  • Parrot OS – Rolling Edition (version)
  • Ubuntu – 18.04 (version)
  • Arch Linux
  • Termux App

Requirement :

  • sudo – [ MUST ]
  • php
  • apache2
  • ngrok Token


As you know that the Advphishing tool available on both Android and Linux . but we will use kali linux for testing Advphishing Tool. First lets open kali linux and use the terminal to navigate to the desktop.

We need to login as root

We need to clone the AdvPhishing from GitHub, the download link is provided below.

This makes a folder named “AdvPhishing” on our desktop. Let’s check the folder and its contents.

The next step is to change the permissions of the setup.sh file so that we as the admin can use it.

After that we have to run the configuration file of the tool.

This tool helps ngrok token so we have to signup on ngrok webpage

Copy the ngrok token from there and enter it Ex : ./ngrok authtoken effefef

And that’s it, now we can launch our phishing tool by pressing ‘Y’

Exploring Templates

Advphishing tool has provided 32 templates, we will press 12 and wait for the results

When we open this link we can see what the malicious link leads to, the page it shows is very convincing and might easily fool someone who isn’t paying attention.

Similarly, you can generate another duplicate page i.e Netflix or Google as shown below.

Once again, let’s start AdvPhishing
We will choose the “Linkedin Template ” for this demonstration.

As soon as Victim will open the link and enter their username and password, we will have information of him

We have his username and password, now we have to go to the real linkedin webpage and enter this information to send the OTP to vicitm

After receiving victim would enter the otp and then we will have to enter the otp on phishing page.

As you can see that we has successfully logged in victim account

Declarations:  This article is posted only for educational purpose to spread awareness among people from being trapped in Phishing attack. 

Installtion of Termux

About the Author
Shubham Goyal Certified Ethical Hacker, information security analyst, penetration tester and researcher.

20 thoughts on “AdvPhishing : OTP Bypass Phishing Tool”

  1. Once it asks “Enter The Ngrok Token [Ex. ./ngrok authtoken 1Y7IU ] ”
    I enter the ./ngrok authtoken 1dlJEd………………………
    Press enter then I’ve got this just after:
    └──╼ $

    Then nothing happens, unlike you are saying with tape Y to launch ..
    Any idea why?

  2. How to change the phone number for receiving otp from +91******** to whatever number we choose?

  3. for enample, i have a paypal login an password, i tried to login with the phishing page but it showed a phone number that they would send the otp to which is not my number nor the client number. i just want to know if i can change the number to mine . and how does the receiving otp works?

    1. If you have the victim user and passwords after that you need to enter the credentials on paypal and then the otp will successfully comes to the vicitm.

  4. After selecting any template this error is occurring

    ./An-AdvPhishing.sh: line 752: syntax error near unexpected token `;;’
    ./An-AdvPhishing.sh: line 752:
    How to fix?


Leave a Reply