A high-performance Rust phishing tool designed for authorized security testing and penetration testing. Phitto clones target websites, captures credentials, and provides a complete phishing simulation framework built with modern Rust async technology.
This Rust phishing tool is intended for authorized security testing only. Unauthorized phishing, credential harvesting, or access to computer systems/networks is illegal and strictly prohibited. The maintainers are not responsible for any misuse of this tool.
Use responsibly. Get written authorization before testing any system you do not own.
Phitto is a Rust-based phishing simulation tool that security professionals use for:
- Phishing campaign testing - Clone login pages to test organizational vulnerability
- Credential harvesting simulation - Capture form submissions safely
- Security awareness training - Test employee responses to sophisticated phishing
- Penetration testing - Assess the effectiveness of security controls
- Red team operations - Validate phishing resistance capabilities
This Rust phishing framework scrapes target URLs, modifies form actions, localizes all resources, and serves a fully functional clone for security testing.
| Feature | Description |
|---|---|
| 🚀 Rust Performance | Built with Tokio async runtime for concurrent operations |
| 🎣 Credential Capture | Captures form submissions at /handle_submit/{site_id} |
| 📦 Resource Localization | Downloads and localizes images, CSS, JavaScript |
| 🔒 Bot Evasion | Uses browser-like headers to avoid detection |
| 🌐 Full Page Clone | Preserves original site appearance and functionality |
| ⚡ High Performance | Async HTTP client with connection pooling |
| 🔧 CLI Interface | Simple command-line interface with clap |
```bash
# Clone the repository
git clone https://github.com/rafainsights/phitto-phishing.git
cd phitto-phishing

# Build the Rust phishing tool
cargo build --release

# Run the binary
cd main
cargo run --release -- \
  --url "https://target-site.com/login" \
  --target_dir "../cloned_site" \
  --site_id "test1"
```
| Flag | Description | Required | Default |
|---|---|---|---|
| `--url` | Target URL to clone for phishing test | Yes | - |
| `--target_dir` | Output directory for cloned phishing site | Yes | - |
| `--site_id` | Unique identifier for this phishing campaign | No | `site1` |
The Rust phishing scraper sends HTTP requests with browser-like headers to clone the target:
```rust
use reqwest::header::{HeaderMap, HeaderValue, ACCEPT, ACCEPT_LANGUAGE, USER_AGENT};

// Bot evasion headers for realistic phishing
// (HeaderMap::insert takes a HeaderValue, so the string literals are wrapped with from_static)
let mut headers = HeaderMap::new();
headers.insert(USER_AGENT, HeaderValue::from_static("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36..."));
headers.insert(ACCEPT, HeaderValue::from_static("text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"));
headers.insert(ACCEPT_LANGUAGE, HeaderValue::from_static("en-US,en;q=0.9"));
```
All HTML forms are modified to redirect submissions to the local server:
- Form `action` set to `/handle_submit/{site_id}`
- Form `method` changed to `POST`
- Input field names prefixed for tracking
Download all static assets for a fully functional clone:
- Images (`<img>`)
- Stylesheets (`<link rel="stylesheet">`)
- JavaScript files (`<script>`)
- Fonts and other resources
```text
phitto-phishing/                      # Rust phishing security tool
├── Cargo.toml                        # Workspace configuration
├── main/                             # CLI application entry point
│   ├── Cargo.toml
│   └── src/
│       └── main.rs                   # CLI args, server setup, form capture
└── lib/                              # Core phishing library
    ├── Cargo.toml
    └── src/
        ├── lib.rs                    # Library exports
        ├── errors.rs                 # Custom error types
        ├── scraping/
        │   └── scraping.rs           # Website scraping logic
        ├── forms/
        │   └── add_phishing_form.rs  # Form modification
        └── resources/
            └── copy_resources.rs     # Asset downloading
```
| Crate | Version | Purpose |
|---|---|---|
| `tokio` | 1.49 | Async runtime for concurrent phishing operations |
| `reqwest` | 0.13 | HTTP client for web scraping |
| `axum` | 0.8 | Web framework for serving cloned phishing sites |
| `clap` | 4.5 | CLI argument parsing |
| `kuchiki` | 0.8 | HTML parsing and manipulation |
| `url` | 2.5 | URL resolution for resource localization |
```bash
# Install testing tools
cargo install cargo-nextest cargo-watch
```

```bash
cd main
cargo run --release -- \
  --url "https://example.com/login" \
  --target_dir "../phishing_test" \
  --site_id "campaign_001"
```
```bash
# First campaign
cd main && cargo run --release -- \
  --url "https://bank.com/login" \
  --target_dir "../bank_phishing" \
  --site_id "bank_001"

# Second campaign
cargo run --release -- \
  --url "https://social.com/login" \
  --target_dir "../social_phishing" \
  --site_id "social_001"
```
```bash
cd main
cargo watch -x run -- \
  --url "https://test-site.com" \
  --target_dir "../test"
```
| Method | Path | Description |
|---|---|---|
| GET | `/` | Serves cloned phishing page |
| POST | `/handle_submit/{site_id}` | Captures submitted credentials |
| All | `*` | Serves static assets |
Form submissions are logged with:
- Original field names (prefixed)
- Site identifier
- Submission timestamp
```bash
# Run all Rust tests
cargo test

# Run with nextest (faster)
cargo nextest run

# Run clippy linter
cargo clippy
```
- Playwright integration for JavaScript-heavy phishing pages
- Form submission logging to file/database
- Redirect after credential capture
- Cookie handling for authenticated session testing
- Template system for custom phishing pages
- Multi-threaded concurrent scraping
- SOCKS proxy support
- SSL/TLS certificate generation
When using this Rust phishing tool for security testing:
- Get Authorization - Always obtain written permission before testing
- Scope Limits - Stay within agreed-upon boundaries
- Data Handling - Protect captured credentials securely
- Incident Response - Have a plan for handling real credentials
- Reporting - Document findings thoroughly
- Cleanup - Remove all phishing infrastructure after testing
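The "Form submissions are logged with" section and the "Data Handling" practice above meet in the capture handler: a simulation needs to record that a submission happened, for which site, when, and by whom, but it never needs the password itself. The following is an added example, not Phitto's own code. It assumes a plain-std Rust function that is handed the raw `application/x-www-form-urlencoded` body the `/handle_submit/{site_id}` route receives, plus an assumed list of secret-looking field-name fragments; the sample body is constructed and contains no real credentials.

```rust
use std::collections::BTreeMap;
use std::time::{SystemTime, UNIX_EPOCH};

/// Field-name fragments whose values must never reach the log (assumed list;
/// extend it to match the forms in your own campaign).
const SECRET_FRAGMENTS: &[&str] = &["password", "passwd", "pwd", "otp", "token", "secret"];

/// What the simulation persists per submission: who, where, when, which fields.
#[derive(Debug, PartialEq)]
pub struct CaptureRecord {
    pub site_id: String,
    pub timestamp_unix: u64,
    pub fields: BTreeMap<String, String>,
}

/// Decode one application/x-www-form-urlencoded token: `+` -> space, `%XX` -> byte.
/// Malformed escapes are kept literally rather than rejected.
fn percent_decode(token: &str) -> String {
    let bytes = token.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'+' => { out.push(b' '); i += 1; }
            b'%' if i + 2 < bytes.len() => {
                let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok()
                    .and_then(|h| u8::from_str_radix(h, 16).ok());
                match hex {
                    Some(b) => { out.push(b); i += 3; }
                    None => { out.push(b'%'); i += 1; }
                }
            }
            b => { out.push(b); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Phitto prefixes input names per site, so match on a substring rather than the whole name.
fn is_secret_field(name: &str) -> bool {
    let lower = name.to_ascii_lowercase();
    SECRET_FRAGMENTS.iter().any(|frag| lower.contains(*frag))
}

/// Parse a raw POST body and build the record, replacing secret values with a
/// length-only marker so the log proves a credential was typed without storing it.
pub fn redact_submission(site_id: &str, body: &str, timestamp_unix: u64) -> CaptureRecord {
    let mut fields = BTreeMap::new();
    for pair in body.split('&').filter(|p| !p.is_empty()) {
        let (raw_name, raw_value) = pair.split_once('=').unwrap_or((pair, ""));
        let name = percent_decode(raw_name);
        let value = percent_decode(raw_value);
        let stored = if is_secret_field(&name) {
            format!("[REDACTED len={}]", value.chars().count())
        } else {
            value
        };
        fields.insert(name, stored);
    }
    CaptureRecord { site_id: site_id.to_string(), timestamp_unix, fields }
}

/// Submission timestamp as seconds since the Unix epoch.
pub fn now_unix() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
}

/// One line per submission, suitable for an append-only campaign log.
pub fn to_log_line(rec: &CaptureRecord) -> String {
    let fields: Vec<String> = rec.fields.iter().map(|(k, v)| format!("{k}={v:?}")).collect();
    format!("site_id={} ts={} {}", rec.site_id, rec.timestamp_unix, fields.join(" "))
}

fn main() {
    // Constructed sample body, shaped like a browser POST to /handle_submit/test1 (not real credentials).
    let body = "test1_username=alice%40example.com&test1_password=hunter2%21&remember=on";
    let rec = redact_submission("test1", body, now_unix());
    println!("{}", to_log_line(&rec));
}
```

Keeping the username while dropping the password is deliberate: awareness training needs to know who submitted, and the length marker is enough to show that a real-looking credential was entered. If a campaign later needs the log written to a file or database (see the roadmap), the record above is what should be persisted, not the raw body.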
This project demonstrates Rust's advantages for security tools:
- Memory Safety - No buffer overflows or use-after-free
- Zero-Cost Abstractions - High performance for concurrent operations
- Fearless Concurrency - Safe parallelism for web scraping
- Type System - Compile-time error catching
- Cargo Ecosystem - Easy dependency management
See CONTRIBUTING.md for guidelines.
This Rust phishing tool is for educational and authorized security testing purposes only.
Phitto - Professional Rust Phishing Security Testing Tool