
How to Set Up a Phishing Campaign with Gophish


What is Gophish?

Gophish is open-source phishing simulation software. In this article, I will explain how to set up and manually run a phishing simulation, including some pitfalls I ran into while setting it up.


Getting Started


Download the zip file that matches the OS you are running.


Once downloaded, extract the contents, then run:



cd downloads/gophish-v0.10.1-osx-64bit
chmod 777 gophish
./gophish

This takes you into the directory that the gophish binary is in. You will need to make the binary executable before it can be run.


When I first tried to run the binary it didn't work for me because I had not given it access.


The terminal kept outputting "permission denied". The command "chmod 777 gophish" gives it permission to be executed, and "./gophish" starts the binary. Once this is done the server is running and you can open https://127.0.0.1:3333, which takes you to the login page. The username is "admin" and the password is "gophish". I was then taken to the dashboard, where I could begin.




Creating the Phish

Sending Profile


Once logged in, I created a new sending profile. This determines whom the email appears to come from on the recipient's end.


Write the name of the profile.

Fill in the address the email will appear to come from.


The Host is the mail server you are sending through. I used Gmail, and the way I had to write it was "smtp.gmail.com".


The username and password fields are for the email account you are sending from.


Once finished, there is an option to send a test email to make sure everything is working correctly.

It was sent to my recipient email, so you should already have a recipient added in the Users & Groups section if you want to try this.


NOTE:


One problem I noticed is that Gophish could not access my email account.


When using Gmail you need to make sure that you allow third-party software to access your account.

This can be done by:

- going to your Google account
- going to Security
- scrolling to where it says "less secure app access"
- turning it on
- going back and sending the test email


Users & Groups


Head over to the Users & Groups section. This is where I manually entered the recipients' information: just the name, email, and position.


Gophish also allows you to import bulk lists of users via a CSV template.


Email Templates


Next comes the "Email Templates" section. Gophish gives you the option to import an email template or write your own. When you write your own, it is automatically converted to HTML when you save it. There is also an "Import Email" feature that lets you bring in an existing email and store it as the template in use. I just used the template given in Gophish's own tutorial.



{{.Email}} will be replaced with the email address of the recipient you are sending the phish to. You can create a hyperlink by highlighting a word and clicking on the chain icon.





There is also an "Import URL" feature that does the same thing. {{.URL}} will be replaced with the URL that the hyperlink takes the recipient to.


Landing Page

This is the page the recipient will be sent to upon clicking the link.

You can import the site that you wish to send them to or create one yourself.


I chose a site where you have to input a username and password. It can be any site that has some type of form page.


There is also a redirect link that the recipient will be sent to upon submitting the information.



Launching the Campaign


You are given the choice of which landing page, sending profile, group, and email template you wish to use, so select the ones you just created if this is your first time.

The URL is just the IP address that the Gophish server is running on, which is the same address you used to reach the site. Mine was 127.0.0.1.
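As an added example (not code from this post or from Gophish itself), the Go program below shows what the {{.Email}} and {{.URL}} placeholders and the campaign URL amount to: Gophish template bodies are Go text/template documents, and the link each recipient receives is the campaign URL with a per-recipient id appended. The recipient details, the id value and the exact query-parameter name are constructed or assumed for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"net/url"
	"text/template"
)

// Recipient carries the fields a template can reference; FirstName is assumed.
type Recipient struct {
	FirstName string
	Email     string
	URL       string
}

// buildURL forms the per-recipient link: the campaign URL (the Gophish server
// address) plus a rid parameter that ties a click or submission to one recipient.
func buildURL(campaignURL, rid string) (string, error) {
	u, err := url.Parse(campaignURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("rid", rid)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// render expands {{.Email}}, {{.URL}} and friends with text/template (the engine
// Gophish uses); a placeholder naming a missing field is an error, not literal text.
func render(body string, r Recipient) (string, error) {
	tmpl, err := template.New("email").Parse(body)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, r); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() { // constructed sample values, not a real campaign
	link, _ := buildURL("http://127.0.0.1", "abc123")
	msg, err := render("Hi {{.FirstName}}, review {{.Email}} at {{.URL}}",
		Recipient{FirstName: "Pat", Email: "pat@example.test", URL: link})
	fmt.Println(msg, err)
}
```

A misspelled placeholder such as {{.Emial}} makes render return an error rather than a half-filled message, which is the check worth running on a template before scheduling a campaign.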

Gophish offers scheduling, so I set mine to send two minutes after I created the campaign.


Once the campaign was sent, these were the results. In my scenario I clicked on the link and submitted information.



Before you can send a campaign you must understand what each of the sections above entails. The time it took to send out my first campaign was around 15 minutes.


HacWare AI Phishing Platform

HacWare can help you launch unique phishing campaigns at scale in 60 seconds. The platform does not require you to build templates to get started. When using HacWare, all you have to do is launch the product and white-list 2 domains and the platform will do the rest!

Try out HacWare for Free! Check out the trial!

Pierce Taylor, Software Engineer at HacWare. HacWare makes it stupid easy for software developers and security teams to launch hype custom phishing campaigns and training solutions to combat phishing attacks. Learn more about HacWare at hacware.com

