Phishing Club
The self-hosted phishing framework for security awareness training and penetration testing.
Overview
Phishing Club is a phishing simulation framework designed for security professionals, red teams, and organizations looking to test and improve their security awareness. This platform provides tools for creating, deploying, and managing phishing campaigns in a controlled environment.
License
Phishing Club is available under a dual licensing model:
Open Source License (AGPL-3.0)
This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). This means:
- ✅ You can use, modify, and distribute the software freely
- ✅ Perfect for educational, research, and non-commercial use
- ✅ You can run your own instance for internal security testing
- ⚠️ Important: If you provide the software as a network service (SaaS), you must make your source code available under AGPL-3.0
Commercial License
For organizations that want to:
- Use Phishing Club in commercial products without AGPL restrictions
- Offer Phishing Club as a service without source code disclosure
- Integrate with proprietary software
- Get dedicated support and maintenance
Contact us for commercial licensing: license@phishing.club
See the LICENSE file for the full AGPL-3.0 terms.
Getting Started
Production Installation
For production use, download the latest release and follow our installation guide:
- Download the latest version from GitHub Releases
- Follow the installation guide at https://phishing.club/guide/management/#install
- Complete the setup by following the step-by-step instructions in our documentation
For detailed setup instructions, troubleshooting, and best practices, visit the Phishing Club Guide.
Development Setup
This repository contains the core Phishing Club platform.
Prerequisites
- Docker and Docker Compose
- Git
- Make (optional, for convenience commands)
Quick Start
1. Clone the repository:
   git clone https://github.com/phishingclub/phishingclub.git
   cd phishingclub
2. Start the services:
   make up
   # or manually:
   docker compose up -d
3. Access the platform:
   - Administration: http://localhost:8003
   - HTTP Phishing Server: http://localhost:80
   - HTTPS Phishing Server: https://localhost:443
4. Get admin credentials:
   The username and password are output in the terminal when you start the services. If you restart the backend service before completing setup by logging in, the username and password will change.
   make backend-password
5. Set up and start phishing:
   Open https://localhost:8003 and set up the admin account using the credentials from step 4.
Visit the Phishing Club Guide for more information.
Services and Ports
| Port | Service | Description |
|---|---|---|
| 80 | HTTP Phishing Server | HTTP phishing server for campaigns |
| 443 | HTTPS Phishing Server | HTTPS phishing server with SSL |
| 8002 | Backend API | Backend API server |
| 8003 | Frontend | Development frontend with Vite |
| 8101 | Database Viewer | DBGate database administration |
| 8102 | Mail Server | Mailpit SMTP server for testing |
| 8103 | Container Logs | Dozzle log viewer |
| 8104 | Container Stats | Docker container statistics |
| 8201 | ACME Server | Pebble ACME server for certificates |
| 8202 | ACME Management | Pebble management interface |
Development Commands
# Start all services
make up
# Stop all services
make down
# View logs
make logs
# Restart specific service
make backend-restart
make frontend-restart
# Access service containers
make backend-attach
make frontend-attach
# Reset backend database
make backend-db-reset
# Get backend admin password
make backend-password
Development Domains
All domains ending with .test are automatically handled by the development setup. To use custom domains during development:
Option 1: DNSMasq (Recommended)
# Add to your DNSMasq configuration
address=/.test/127.0.0.1
Option 2: Hosts File
Add to /etc/hosts:
127.0.0.1 microsoft.test
127.0.0.1 google.test
127.0.0.1 vikings.test
127.0.0.1 dark-water.test
Configuration
Environment Variables
Copy the example environment file and customize:
cp backend/.env.example backend/.env.development
Key configuration options:
- Database settings
- SMTP configuration
- Domain settings
- Security keys
SSL Certificates
The development environment uses the Pebble ACME server for automatic SSL certificate generation. In production, configure your preferred ACME provider or upload custom certificates.
Contributing
We welcome contributions from the community! Please follow our contribution guidelines:
Before Contributing
- Check existing issues - Search for existing feature requests or bug reports
- Create a feature request - If your idea doesn't exist, create a detailed feature request issue. We have criteria for which features we want to add, and we do not want to waste anyone's time on feature requests we never wanted.
- Wait for approval - Allow us to review and approve your proposal
- Discuss implementation - We may suggest changes or alternative approaches
Development Workflow
- Fork the repository and clone your fork
- Create a feature branch from main: git checkout -b feat/your-feature-name
- Follow naming conventions:
  - Features: feat/feature-name
  - Bug fixes: fix/bug-description
  - Documentation: docs/update-description
  - Refactoring: refactor/component-name
- Follow conventions:
  - Follow existing code style and patterns
  - Update documentation as needed
- Prepare for submission:
  - Rebase your commits to a single, clean commit before creating the pull request
  - Sign your commit using the -s flag: git commit -s -m "Your commit message"
  - Ensure your commit message is clear and descriptive
- Submit a pull request:
  - Reference the related issue number
  - Provide a clear description of changes
  - Include screenshots/videos for UI changes
Code Standards
- Formatting: Use project configurations
- Documentation: Update relevant docs with your changes
- Security: Follow secure coding practices
License Agreement
Important: All contributors must agree to our Contributor License Agreement (CLA).
By contributing to Phishing Club, you agree that your contributions will be licensed under the same dual license terms (AGPL-3.0 and commercial). You confirm that:
- You have the right to contribute the code
- Your contributions are your original work or properly attributed
- You grant Phishing Club the right to license your contributions under both AGPL-3.0 and commercial licenses
Required:
- All commits must be signed off using the -s flag: git commit -s -m "Your commit message"
- Before submitting a pull request, rebase your branch to a single commit
- Use descriptive commit messages that explain what and why
# Example workflow:
git rebase -i main # Interactive rebase against main branch to squash commits
git commit --amend -s # Add sign-off to the final commit if needed
This adds a "Signed-off-by" line indicating you agree to our CLA and the Developer Certificate of Origin.
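A local pre-submission check for the two requirements above (one commit on top of main, carrying a sign-off), as an added example that is not part of the Phishing Club repository. The function name check_pr_ready is hypothetical, and requiring the sign-off to match the commit's author or committer identity is an assumption that goes beyond the README's wording.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with Phishing Club).
# check_pr_ready [base] [head]
#   base: branch the feature branch was created from (default: main)
#   head: commit to be submitted (default: HEAD)
# Returns 0 when head is exactly one commit ahead of base and that commit
# has a "Signed-off-by:" line for its author or committer; 1 otherwise.
check_pr_ready() {
    base=${1:-main}
    head=${2:-HEAD}

    # Number of commits reachable from head but not from base.
    count=$(git rev-list --count "$base..$head") || return 1
    if [ "$count" -ne 1 ]; then
        echo "expected 1 commit on top of $base, found $count (squash first)" >&2
        return 1
    fi

    # Full commit message; a squash can leave the sign-off on any line.
    msg=$(git log -1 --format=%B "$head")

    # Assumption: the sign-off must name the author or the committer.
    # "git commit -s" writes the committer identity.
    for fmt in '%an <%ae>' '%cn <%ce>'; do
        ident=$(git log -1 --format="$fmt" "$head")
        if printf '%s\n' "$msg" | grep -Fxq "Signed-off-by: $ident"; then
            return 0
        fi
    done

    echo "commit has no matching Signed-off-by line (git commit --amend -s)" >&2
    return 1
}
```

Source the file and run check_pr_ready from the feature branch before opening the pull request; a non-zero exit status means the branch still needs squashing or a sign-off.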
For detailed terms, see:
Support and Security
Need help? Join the Phishing Club Discord.
- Security Issues: Report privately via security@phishing.club
- Commercial Licensing: Contact license@phishing.club
- General Support: Join our Discord community or open a GitHub issue
Only for ethical use
This platform is designed for authorized security testing only. Users are responsible for:
- Obtaining proper authorization before conducting phishing simulations
- Complying with all applicable laws and regulations
- Using the platform ethically and responsibly
- Protecting any data collected during testing
This tool is for authorized security testing only. Misuse of this software may violate applicable laws. Users are solely responsible for ensuring their use complies with all applicable laws and regulations.