A lightweight, self-hosted simulation tool for "ClickFix" type social engineering attacks.
This tool is for AUTHORIZED SECURITY AWARENESS TRAINING ONLY. Unauthorized use of this tool to target systems or users without explicit permission is illegal and unethical. The authors are not responsible for any misuse of this software.
ClickFix (also known as "ClearFake" or "Fake Update") is a social engineering technique where attackers trick users into manually executing malicious commands (usually via the Windows Run dialog) to "fix" a fake error. Because the user initiates the execution, this technique often bypasses traditional security controls.
The ClickFix Training Tool allows security teams to simulate these attacks safely to train employees.
Key Features:
- Safe Simulation: Uses harmless payloads (MessageBox + Redirect) instead of malware.
- Realistic Lures: Includes templates for Teams, SharePoint, Cloudflare, and more.
- Site Cloner: Built-in tool to clone legitimate sites and inject the trap.
- Tracking: Logs page views, clicks, and payload executions.
- Privacy-First: Self-hosted, no external data exfiltration.
Quick start with Docker:

- Clone the repository:

  ```bash
  git clone https://github.com/boredchilada/clickfix-simulator-2025.git
  cd clickfix-simulator-2025
  ```

- Start the container:

  ```bash
  docker-compose up -d
  ```

- Access the tool:
  - Admin Dashboard: https://localhost/admin (User: admin, Pass: changeme_please)
  - Test Lure: https://localhost/s/teams_error?uid=test_user
Manual installation:

- Prerequisites: Python 3.8+, pip, openssl (for certs).
- Install dependencies:

  ```bash
  python -m venv venv
  source venv/bin/activate   # or venv\Scripts\activate on Windows
  pip install -r requirements.txt
  ```

- Initialize the database:

  ```bash
  flask init-db
  ```

- Generate certificates (required for the Clipboard API):

  ```bash
  mkdir certs
  openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/key.pem -out certs/cert.pem -days 365 -subj "/CN=localhost"
  ```

- Run the server:

  ```bash
  python run.py
  ```
The tool is built with Flask (Python) and uses SQLite for data storage.
- run.py: Main application logic, routes, and payload generation.
- cloner.py: Utility to clone websites and inject traps.
- templates/:
  - lures/: Full-page attack templates.
  - traps/: HTML fragments (popups/overlays) injected into cloned sites.
- scenarios/: Storage for cloned sites.
- static/: CSS, JS, and images.
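The tracking data is what a security awareness team actually acts on, so the following added example (not code from the clickfix-simulator project) turns a log of page views, clicks and payload executions into a per-lure funnel report. The `events` table layout, the sample rows and the `view`/`click`/`execute` event names are constructed for this example; the project's real training_log.db schema is not documented on this page.

```python
import sqlite3
from collections import defaultdict

# Constructed sample events (ts, uid, campaign, event); the table layout is an
# assumption for this example, not the project's actual schema.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:01", "alice", "teams_error", "view"),
    ("2025-01-10T09:00:15", "alice", "teams_error", "click"),
    ("2025-01-10T09:00:40", "alice", "teams_error", "execute"),
    ("2025-01-10T09:05:00", "bob",   "teams_error", "view"),
    ("2025-01-10T09:05:30", "bob",   "teams_error", "click"),
    ("2025-01-10T10:00:00", "carol", "teams_error", "view"),
    ("2025-01-10T11:00:00", "dave",  "sharepoint",  "view"),
    # No click was logged for dave (e.g. the page script was blocked), but the
    # execution still reported back, so the report must not assume a strict order.
    ("2025-01-10T11:00:20", "dave",  "sharepoint",  "execute"),
]

STAGES = ("view", "click", "execute")


def load_events(events):
    """Build an in-memory SQLite database with the constructed events table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, uid TEXT, campaign TEXT, event TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    conn.commit()
    return conn


def funnel(conn):
    """Per campaign: how many distinct users reached each stage, the share of
    viewers who executed the payload, and who should get follow-up training."""
    reached = defaultdict(lambda: {stage: set() for stage in STAGES})
    for campaign, uid, event in conn.execute("SELECT campaign, uid, event FROM events"):
        if event in STAGES:              # ignore unknown event kinds rather than fail
            reached[campaign][event].add(uid)

    report = {}
    for campaign, stages in reached.items():
        viewed = len(stages["view"])
        executed = len(stages["execute"])
        report[campaign] = {
            "viewed": viewed,
            "clicked": len(stages["click"]),
            "executed": executed,
            "execute_rate": round(executed / viewed, 3) if viewed else 0.0,
            "needs_training": sorted(stages["execute"]),
        }
    return report


if __name__ == "__main__":
    for campaign, row in funnel(load_events(SAMPLE_EVENTS)).items():
        print(campaign, row)
```

Counting distinct users per stage (rather than raw events) keeps a user who reloads the lure five times from inflating the numbers, and the `needs_training` list is the output most teams feed back into their awareness programme.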
To receive real-time alerts when a user clicks the fix button or executes the payload, set the WEBHOOK_URL environment variable.
Supported formats: Slack, Discord, Microsoft Teams (Incoming Webhook).
```yaml
environment:
  - WEBHOOK_URL=https://hooks.slack.com/services/T000/B000/XXXX
```

You can override the default trap for any campaign by appending ?t=<trap_name> to the URL.
Example: https://training.local/s/teams_error?uid=john&t=cloudflare
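The three supported webhook services expect slightly different JSON bodies, which is the detail the paragraph above leaves implicit. The added example below (not code from the clickfix-simulator project) picks the format from the `WEBHOOK_URL` hostname and builds the matching body; the `event` dictionary keys (`uid`, `campaign`, `trap`, `kind`) and the `send_alert` helper are assumptions made for this example. The hostnames are the real ones used by Slack, Discord and Teams incoming webhooks.

```python
import json
import os
import urllib.request
from urllib.parse import urlparse


def detect_format(webhook_url):
    """Choose the payload format from the webhook hostname. Unknown hosts fall
    back to the Slack-style {"text": ...} body, which Teams also accepts."""
    host = urlparse(webhook_url).hostname or ""
    if host.endswith("hooks.slack.com"):
        return "slack"
    if host.endswith("discord.com") or host.endswith("discordapp.com"):
        return "discord"
    if host.endswith("webhook.office.com"):
        return "teams"
    return "slack"


def build_alert(fmt, event):
    """Return the JSON body for one training event.

    event is a dict with uid, campaign, trap and kind ('click' or 'execute');
    these field names are an assumption for this example.
    """
    action = "EXECUTED the payload" if event["kind"] == "execute" else "clicked the fix button"
    text = (f"ClickFix training: user {event['uid']} {action} "
            f"on lure {event['campaign']} (trap {event['trap']})")
    if fmt == "discord":
        return {"content": text}
    if fmt == "teams":
        # Legacy MessageCard format understood by Teams incoming webhooks
        return {"@type": "MessageCard", "@context": "https://schema.org/extensions",
                "summary": "ClickFix training alert", "text": text}
    return {"text": text}


def send_alert(event, webhook_url=None):
    """POST the alert; returns the HTTP status, or None when alerts are disabled."""
    url = webhook_url if webhook_url is not None else os.environ.get("WEBHOOK_URL")
    if not url:
        return None
    body = json.dumps(build_alert(detect_format(url), event)).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    sample = {"uid": "john", "campaign": "teams_error", "trap": "cloudflare", "kind": "execute"}
    print(json.dumps(build_alert(detect_format("https://hooks.slack.com/services/T000/B000/XXXX"), sample)))
```

The 5-second timeout matters in practice: the alert is sent from the request path of the lure, and a hung webhook endpoint should not make the training page itself hang.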
By default, the tool uses SQLite (training_log.db). For high-volume campaigns or load-balanced deployments, you can switch to PostgreSQL or MySQL by setting SQLALCHEMY_DATABASE_URI.
```yaml
environment:
  - SQLALCHEMY_DATABASE_URI=postgresql://user:pass@db_host:5432/clickfix
```

Deployment notes:

- HTTPS is Mandatory: The navigator.clipboard.writeText() API requires a Secure Context (HTTPS or localhost). The tool will not work over plain HTTP on a network.
- Payload Safety: The default payload only opens a message box and redirects the browser. It does not execute any system changes.
- Access Control: The Admin Dashboard is protected by Basic Auth. Change the default credentials in docker-compose.yml or .env before deployment.
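The deployment notes above are the kind of thing that is easy to forget once the container is running, so the following added example (not code from the clickfix-simulator project) is a start-up check that a deployment could run before serving lures: it refuses the shipped `changeme_please` password, validates the `SQLALCHEMY_DATABASE_URI` scheme with an SQLite fallback, insists that `WEBHOOK_URL` is HTTPS (the alerts carry user identifiers), and confirms the certificates exist. The `ADMIN_PASSWORD` variable name, the `sqlite:///training_log.db` URI form and the 12-character minimum are assumptions for this example.

```python
import os
from urllib.parse import urlparse

DEFAULT_ADMIN_PASSWORD = "changeme_please"      # the default shown in the quick start
DEFAULT_DB_URI = "sqlite:///training_log.db"     # assumption: page names the file, not the URI
SUPPORTED_DB = ("sqlite", "postgresql", "mysql")  # the backends the page lists
MIN_PASSWORD_LEN = 12                             # assumption for this example


def database_uri(env):
    """Resolve the database URI, falling back to the local SQLite file."""
    return env.get("SQLALCHEMY_DATABASE_URI") or DEFAULT_DB_URI


def check_config(env, cert_dir="certs"):
    """Return a list of human-readable problems; an empty list means safe to start.

    env is a mapping such as os.environ; ADMIN_PASSWORD is a hypothetical
    variable name used here to stand in for the credentials in .env.
    """
    problems = []

    password = env.get("ADMIN_PASSWORD", DEFAULT_ADMIN_PASSWORD)
    if password == DEFAULT_ADMIN_PASSWORD:
        problems.append("admin password is still the shipped default")
    elif len(password) < MIN_PASSWORD_LEN:
        problems.append(f"admin password is shorter than {MIN_PASSWORD_LEN} characters")

    # SQLAlchemy URIs may carry a driver suffix, e.g. postgresql+psycopg2://...
    scheme = urlparse(database_uri(env)).scheme.split("+")[0]
    if scheme not in SUPPORTED_DB:
        problems.append(f"unsupported SQLALCHEMY_DATABASE_URI scheme: {scheme!r}")

    hook = env.get("WEBHOOK_URL")
    if hook and urlparse(hook).scheme != "https":
        problems.append("WEBHOOK_URL must use https: alerts contain user identifiers")

    for name in ("cert.pem", "key.pem"):
        if not os.path.isfile(os.path.join(cert_dir, name)):
            problems.append(f"missing {cert_dir}/{name}: the Clipboard API needs HTTPS")

    return problems


if __name__ == "__main__":
    issues = check_config(os.environ)
    for issue in issues:
        print("CONFIG:", issue)
    raise SystemExit(1 if issues else 0)
```

Wiring this into `run.py` before `app.run()` turns the README's advice into a hard stop: a deployment with the default password never reaches the network.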
Contributions are welcome! Please read CONTRIBUTING.md for guidelines.
- ✅ Core ClickFix simulation
- ✅ 3 trap templates (Cloudflare, Chrome, Windows Update)
- ✅ Full event tracking and admin dashboard
- ✅ Simple site cloner with trap injection
- Windows-Only Instructions: The execution triggers (Win+R) are Windows-specific. macOS/Linux support planned for v1.1.
- Single Payload Type: Only PowerShell IEX stager is supported. Additional payload types planned for v1.1.
- No Evasion Features: Bot detection and geofencing are not implemented. Planned for v2.0.
This project is licensed under the MIT License - see the LICENSE file for details.