A comprehensive web application for conducting phishing awareness training and simulations, similar to Gophish. Built with React, Vite, and Supabase.
- Real-time campaign metrics and statistics
- Interactive charts (timeline, bar, pie charts)
- Campaign activity visualization
- Success rate tracking
- SMTP server configuration
- Multiple profile management
- Test email functionality
- Secure credential storage
- Rich email template editor
- Personalization variables ({{.FirstName}}, {{.LastName}}, {{.Email}}, {{.URL}})
- HTML and plain text support
- Template preview
- Fake credential capture pages
- HTML editor with preview
- Pre-built templates (Office 365, Gmail, etc.)
- Redirect URL configuration
- Target user management
- CSV import functionality
- Group organization
- Bulk operations
- Campaign creation wizard
- Real-time tracking
- Email open/click tracking
- Credential submission monitoring
- Comprehensive results analysis
- Frontend: React 18 + Vite
- Backend: Supabase (PostgreSQL)
- Styling: Vanilla CSS with modern design system
- Charts: Recharts
- Routing: React Router DOM
- Node.js 16+ and npm
- Supabase account (free tier available at https://supabase.com)
- Create a new project at https://supabase.com
- Copy your project URL and anon key from Settings > API
- Go to SQL Editor and run the schema from `supabase/schema.sql`
- Copy `.env.example` to `.env.local`:

  ```bash
  cp .env.example .env.local
  ```

- Update `.env.local` with your Supabase credentials:

  ```
  VITE_SUPABASE_URL=your_supabase_project_url
  VITE_SUPABASE_ANON_KEY=your_supabase_anon_key
  ```

```bash
npm install
```

```bash
npm run dev
```

The application will be available at http://localhost:5173

```bash
npm run build
```

The application uses the following main tables:
- campaigns - Campaign information and status
- email_templates - Email template content
- landing_pages - Fake credential capture pages
- sending_profiles - SMTP configuration
- target_groups - User group organization
- targets - Individual target users
- campaign_targets - Campaign-target junction with tracking
- campaign_events - Detailed event logging
- captured_credentials - Submitted credentials (encrypted)
- Total campaigns, active campaigns, total targets
- Click rate percentage
- Campaign activity timeline (last 7 days)
- Event distribution charts
- Campaign status distribution
- Recent campaigns list
- Automatic data synchronization using Supabase real-time subscriptions
- Live campaign metrics
- Instant event tracking
- Email Sending: For actual email sending, configure SMTP credentials in Sending Profiles
- Credential Storage: In production, ensure passwords are encrypted
- Access Control: Configure Supabase Row Level Security (RLS) policies
- Rate Limiting: Implement rate limiting for email sending
- Compliance: Ensure compliance with your organization's security policies
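
One way to apply the Access Control note above, as an added example that is not part of the project's `supabase/schema.sql`: it enables RLS on the tables this README lists and shuts out the `anon` role, whose key is embedded in the frontend bundle. It assumes the tables live in the `public` schema and that operators sign in through Supabase Auth; the policy names are made up for illustration.

```sql
-- Added example. Table names come from the README; the schema's columns are
-- not shown there, so the policies reference no columns.
-- Assumptions: tables are in schema "public"; policy names are hypothetical.
do $$
declare
  t text;
begin
  foreach t in array array[
    'campaigns', 'email_templates', 'landing_pages', 'sending_profiles',
    'target_groups', 'targets', 'campaign_targets', 'campaign_events',
    'captured_credentials'
  ]
  loop
    -- With RLS on and no matching policy, non-owner roles see no rows.
    execute format('alter table public.%I enable row level security', t);
    -- The anon key is public by design, so the anon role gets no privileges.
    execute format('revoke all on table public.%I from anon', t);
    -- Signed-in operators only. Narrow using (...) to an owner or role check
    -- once the schema has a column that supports it.
    execute format(
      'create policy %I on public.%I for all to authenticated '
      'using (true) with check (true)',
      t || '_operators_only', t);
  end loop;
end
$$;

-- Check: each listed table should report rls_enabled = true and one policy.
select c.relname        as table_name,
       c.relrowsecurity as rls_enabled,
       count(p.polname) as policies
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind = 'r'
group by c.relname, c.relrowsecurity
order by c.relname;
```

Any table that shows `rls_enabled = false` in the check is readable by whoever holds the anon key, subject only to its table grants.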
The schema includes sample data:
- 1 email template (Office 365 Password Reset)
- 1 landing page (Fake Office 365 Login)
- 2 target groups (IT Department, Marketing Team)
- 3 sample targets
- 1 sending profile (Gmail SMTP - needs configuration)
src/
├── lib/
│ └── supabase.js # Supabase client
├── hooks/
│ └── useCampaigns.js # Campaign data hook
├── components/
│ └── Sidebar.jsx # Navigation sidebar
├── pages/
│ ├── Dashboard.jsx # Main dashboard
│ ├── SendingProfiles.jsx # SMTP configuration
│ ├── EmailTemplates.jsx # Email templates
│ ├── LandingPages.jsx # Landing pages
│ ├── UsersGroups.jsx # Target management
│ └── Campaigns.jsx # Campaign management
└── index.css # Design system
The application uses a modern dark theme with:
- Glassmorphism effects
- Vibrant gradient accents
- Smooth animations
- Responsive grid system
- Accessible color palette
- Full CRUD operations for all modules
- Campaign wizard with step-by-step creation
- Email template editor with WYSIWYG
- Landing page HTML editor
- CSV import for targets
- Email tracking implementation
- Credential capture webhook
- Advanced analytics and reporting
- Export campaign results
- User authentication
- Role-based access control
MIT
This tool is designed for authorized security awareness training only. Unauthorized use of this tool for malicious purposes is illegal and unethical. Always obtain proper authorization before conducting phishing simulations.