gitmyhub

CamPhish

HTML ★ 4.9k updated 1y ago

Grab cam shots & GPS location from target's phone front camera or PC webcam just sending a link.

A penetration testing tool that creates fake web pages to silently capture photos and GPS coordinates from visitors who grant browser camera permissions, legal only with explicit written authorization.

PHPHTMLBashsetup: moderatecomplexity 2/5

CamPhish is a tool that creates fake web pages designed to request camera and GPS location permissions from anyone who opens the generated link. When the person who receives the link grants those browser permissions, the tool captures photos from their device camera and records their GPS coordinates, sending them back to whoever ran the tool.

The setup works by running a local PHP web server hosting one of several deceptive page templates: a festival greeting card, a fake live YouTube stream, or a fake online meeting page. The tool then uses either ngrok or a Cloudflare Tunnel to make that local server reachable over the internet as a shareable link. The fake page uses standard browser permission dialogs to ask for camera access; if the visitor clicks Allow, photos are taken silently.

The README states the tool is intended for penetration testing (security audits where an organization gives you explicit written permission to test its defenses). Outside of that context, using it against someone who has not given prior written consent is unauthorized surveillance and illegal in most jurisdictions.

The tool runs on Kali Linux, Termux (Android terminal), macOS, Ubuntu, Parrot OS, and Windows via WSL. Setup requires PHP and wget. Version 2.0 added GPS location capture with Google Maps integration. Version 1.8 switched from Serveo to Cloudflare Tunnel. A cleanup script is included to delete captured files and logs from the local machine.

The project is credited to the TechChip YouTube channel and draws from an earlier open-source phishing toolkit. The repository prohibits unauthorized reuploading.

Where it fits