explaingit

techchipnet/camphish

4,736HTMLAudience · ops devopsComplexity · 2/5LicenseSetup · moderate

TLDR

A penetration testing tool that creates fake web pages to silently capture photos and GPS coordinates from visitors who grant browser camera permissions, legal only with explicit written authorization.

Mindmap

mindmap
  root((CamPhish))
    What it does
      Fake page templates
      Camera capture
      GPS location capture
    Page templates
      Festival greeting card
      Fake YouTube stream
      Fake meeting page
    Tunnel options
      ngrok
      Cloudflare Tunnel
    Platforms
      Kali Linux
      Termux Android
      macOS and Ubuntu
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Things people build with this

USE CASE 1

Test whether employees will grant camera permissions to a deceptive link during an authorized phishing simulation

USE CASE 2

Demonstrate social engineering risks in a security awareness training session using a controlled fake page

USE CASE 3

Verify location-based access controls by capturing GPS data during an authorized penetration test

Tech stack

PHPHTMLBash

Getting it running

Difficulty · moderate Time to first run · 30min

Requires PHP and either ngrok or a Cloudflare account, only legal to use with explicit written authorization from the target.

No standard open-source license, the repository prohibits unauthorized redistribution and is legal to use only with explicit written permission from the target organization.

In plain English

CamPhish is a tool that creates fake web pages designed to request camera and GPS location permissions from anyone who opens the generated link. When the person who receives the link grants those browser permissions, the tool captures photos from their device camera and records their GPS coordinates, sending them back to whoever ran the tool. The setup works by running a local PHP web server hosting one of several deceptive page templates: a festival greeting card, a fake live YouTube stream, or a fake online meeting page. The tool then uses either ngrok or a Cloudflare Tunnel to make that local server reachable over the internet as a shareable link. The fake page uses standard browser permission dialogs to ask for camera access, if the visitor clicks Allow, photos are taken silently. The README states the tool is intended for penetration testing (security audits where an organization gives you explicit written permission to test its defenses). Outside of that context, using it against someone who has not given prior written consent is unauthorized surveillance and illegal in most jurisdictions. The tool runs on Kali Linux, Termux (Android terminal), macOS, Ubuntu, Parrot OS, and Windows via WSL. Setup requires PHP and wget. Version 2.0 added GPS location capture with Google Maps integration. Version 1.8 switched from Serveo to Cloudflare Tunnel. A cleanup script is included to delete captured files and logs from the local machine. The project is credited to the TechChip YouTube channel and draws from an earlier open-source phishing toolkit. The repository prohibits unauthorized reuploading.

Copy-paste prompts

Prompt 1
Set up CamPhish on Kali Linux for an authorized phishing simulation and walk me through selecting the fake YouTube live page template
Prompt 2
Configure CamPhish to use Cloudflare Tunnel instead of ngrok so the phishing link looks less suspicious during a pen test
Prompt 3
Help me write a security report section explaining the camera-permission social engineering risk demonstrated with CamPhish during our authorized audit
Open on GitHub → Explain another repo

← techchipnet on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.