Some of the common questions, following up from my previous article, was “How can I efficiently scale my simulated phishing operation up?” or “Is there an easier way? i.e. via a graphical user interface (GUI).” And the answer to both questions is: Yes! (with Gophish)
Instead of writing scripts to automate your phishing campaign, Gophish, allows users to manage their phishing campaigns from an intuitive web-based dashboard. After the initial setup, anyone with minimal training or security knowledge within your IT department can launch a phishing campaign.
With Gophish, users can:
Assemble a collection of phishing emails templates by importing from existing emails or customising their own;
Group and specify multiple targeted victims;
Replicate authentic sites and serve them as a landing page;
Collect information that users divulge;
Report on view and click responses; and
Schedule phishing email campaign.
You can refer to many guides on the web to install Gophish on your server or PC. All that is required is the Go language, and a C compiler (GCC) installed to get going. For example:
After installing Gophish, you are required to set up an SMTP server to send your phishing emails out. You can refer to this guide by DigitalOcean to quickly set up a send-only SMTP server on Ubuntu:
If you are hosting this on the cloud, you will need to edit the config.json file to set your listen_url to your public IP address.
{ "admin_server" :
{ "listen_url" : "<your public IP here>:<desired port number>",
"use_tls" : false,
"cert_path" : "example.crt",
"key_path" : "example.key" }Once completed, restart the service and run Gophish again using the following command (for Linux users):
sudo ./gophish Next, navigate to http://localhost:3333 or http://<public_ipaddress>:3333 and login with the default password.
user: admin
password: gophish
You see the following tabs on the left of the screen:
Users & Groups – People who you wish to target. You can classify your targets via a department, team, agency, etc.
Email Templates – Refers to your arsenal of phishing emails. You can import or customise your phishing email template here. Do remember to use the tracking image option to understand better whether users ignore or read your phishing emails.
Landing Pages – Basically refers to the page where unwitting victims land when they click on the “malicious” link in your phishing email. You can set these pages to include a form and capture user input.
Sending Profiles – You can specify the email address of the person which you are trying to impersonate here. You are to specify your SMTP here. If you are using postfix, you can add a user by using the command:
useradd <username>
passwd <username> Campaigns – Finally, under campaigns, you put together the profiles that you have created under email templates, users & groups, landing pages and, sending profiles. Under campaigns is where you launch your phishing emails. You can also schedule the date and time of your phishing email/s here.
Tip: If you are running this on a VM or cloud provider, be sure to check the system clock. The system clock might not be in sync with your actual timezone. You can compare the time of your system using the following command:
date +%H:%M:%S.%N As seen in the diagram below, the Dashboard, intuitively reports the results/responses of your phishing campaign. Launching and collecting results from a phishing campaign has never been this easy.
Final thoughts
I liked how Gophish has simplified the whole operation of sending phishing emails, collecting responses and reporting data. With such a tool, one can quickly deploy a preconfigured VM or docker container within their company network and begin their phishing campaign within the hour or two. I only wish that I had learned about this tool earlier. Kudos to Jordan Wright for developing this excellent tool.
Contributed by Andre Ng, First Mate of Div0.