What is Gophish?

Gophish is an open-source phishing simulation framework. In this article I explain how to set it up and run a phishing simulation by hand, and I describe some pitfalls I hit while setting up my own simulation.

Getting Started

Download the zip file that matches the operating system you are running.

Once downloaded, extract the contents, change into the extracted directory, and run the binary:

cd downloads/gophish-v0.10.1-osx-64bit
chmod 777 gophish
./gophish

The cd takes you into the directory that holds the gophish binary. The binary has to be marked executable before it can be run.

When I first tried to run the binary it didn't work for me because I had not given it access.

The terminal kept outputting "permission denied".

The command "chmod 777 gophish" gives read, write and execute permission to everyone, which is why the binary runs afterwards. Only the execute bit is actually required, so "chmod u+x gophish" is the minimal and safer change: 777 also makes the file world-writable, and a world-writable binary that you then run as a server is an easy target for tampering by any other local user.

"./gophish" starts the binary.

Once this is done the server is running and you can open the admin interface at https://127.0.0.1:3333. Gophish generates a self-signed certificate for the admin server on first start, so the browser will warn about the certificate; for a local install that warning is expected.

This will navigate you to the login page.

For v0.10.1 the default username is "admin" and the default password is "gophish". Change the password from the Settings page as soon as you are in; anyone who can reach port 3333 can otherwise log in with the documented defaults. Newer Gophish releases instead print a randomly generated initial password to the terminal at startup and require you to change it on first login.

I was then taken to the dashboard, where I could now begin.

[screenshot: the Gophish dashboard]

Creating the Phish

Senders Profile

Once logged in I created a new Sending Profile. This determines whom the email appears to come from on the recipient's end.

Write the name of the profile.

Fill in the From address, which is what the recipient sees as the sender.

Host is the SMTP server, written as host:port (the Gophish documentation gives the form smtp.example.com:25). I used Gmail, and the way I had to write it was "smtp.gmail.com"; for Gmail, smtp.gmail.com:587 is the usual STARTTLS submission port.

The Username and Password fields are the SMTP credentials for the mailbox you are sending from.

Once finished, there is a "Send Test Email" option to confirm that everything is working.
It was sent to my recipient's email, so you should have a recipient already added in the Users & Groups section if you want to try this.

NOTE:

One problem I noticed is that Gophish could not access my email.

When using Gmail you need to allow third-party software to authenticate to your mailbox over SMTP. At the time this was written that meant:

  • going to your Google account

  • opening Security

  • scrolling to "Less secure app access"
    [screenshot: the Less secure app access setting]

  • turning it on

  • going back and sending the test email again

Google has since removed the "Less secure app access" setting (it was switched off for all accounts in 2022). On a current Gmail account the equivalent is to enable 2-Step Verification, create an App Password under Security, and use that App Password, not your normal account password, in the Sending Profile's Password field.

Users & Groups

Head over to the Users & Groups section. This is where I entered the recipient's details by hand: first name, last name, email, and position.

Gophish also lets you import a bulk list of users from a CSV file; the template it provides has the columns First Name, Last Name, Email, Position.
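As an added example (my code, not from the original article or the Gophish project), here is a small Python script that builds a CSV in the column layout of the Gophish import template, First Name, Last Name, Email, Position, from a constructed list of employees. It drops malformed addresses and duplicates, and it refuses any address outside the domains you are authorised to test, which is the check I would want to run before uploading a real target list. The sample people, the allowed domain and the function names are my assumptions.

```python
import csv
import io
import re

# Column headers of the CSV template that Gophish provides for bulk import.
GOPHISH_COLUMNS = ["First Name", "Last Name", "Email", "Position"]

# Deliberately simple syntax check: enough to catch the typos that bounce.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample input, as an HR export might look (not real people).
SAMPLE_PEOPLE = [
    {"first": "Alice", "last": "Smith", "email": "alice@example.com", "position": "Engineer"},
    {"first": "Alice", "last": "Smith", "email": "Alice@Example.com ", "position": "Engineer"},
    {"first": "Carol", "last": "Jones", "email": "carol@example", "position": "Finance"},
    {"first": "Dave", "last": "Brown", "email": "dave@other.org", "position": "Contractor"},
]


def build_gophish_csv(people, allowed_domains):
    """Return (csv_text, rejected).

    csv_text is ready to upload on the Users & Groups page; rejected is a list
    of (email, reason) pairs so the operator can see what was left out.
    """
    allowed = {d.lower() for d in allowed_domains}
    seen = set()
    rejected = []
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=GOPHISH_COLUMNS, lineterminator="\n")
    writer.writeheader()

    for person in people:
        # Normalise so that "Alice@Example.com " and "alice@example.com" collide.
        email = person.get("email", "").strip().lower()
        if not EMAIL_RE.match(email):
            rejected.append((email, "invalid address"))
            continue
        # A simulation must only ever target the organisation you are engaged by.
        if email.rsplit("@", 1)[1] not in allowed:
            rejected.append((email, "outside allowed domains"))
            continue
        if email in seen:
            rejected.append((email, "duplicate"))
            continue
        seen.add(email)
        writer.writerow({
            "First Name": person.get("first", "").strip(),
            "Last Name": person.get("last", "").strip(),
            "Email": email,
            "Position": person.get("position", "").strip(),
        })
    return buf.getvalue(), rejected


if __name__ == "__main__":
    text, skipped = build_gophish_csv(SAMPLE_PEOPLE, ["example.com"])
    print(text)
    for email, reason in skipped:
        print(f"skipped {email}: {reason}")
```

Run it, review the "skipped" lines, and upload the printed CSV through the Bulk Import Users button; the rejected list is the part worth reading, because an address outside your authorised domain is the mistake that turns a simulation into an actual phishing incident.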

Email Templates

Next comes the "Email Templates" section. Gophish gives you the option to import an existing email or write your own. The editor has an HTML view and a plain-text view, and what you write in the rich editor is stored as HTML when you save. The "Import Email" feature takes the raw source of a real email (headers and body, as exported from a mail client) and parses it into the template's subject, HTML and text, which is the quickest way to reproduce a message your users actually receive. I just used the template from the Gophish tutorial.

{{.Email}} is replaced with the recipient's email address when the campaign is sent; {{.FirstName}}, {{.LastName}} and {{.Position}} work the same way from the group data. You can create a hyperlink by highlighting a word and clicking the chain icon.

[screenshot: the email template editor]

There is also an "Import URL" feature that works the same way. {{.URL}} is the value to use as the hyperlink target: at send time Gophish replaces it with the campaign URL plus a per-recipient rid parameter, which is how clicks and submitted data are tied back to the individual recipient. Tick "Add Tracking Image" if you also want email opens recorded; it inserts a hidden image loaded from the phish server.
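To see what those variables turn into, here is an added Python example (mine, not Gophish's own code) that expands the Gophish template variables the way the tool does: it attaches the per-recipient rid parameter to the campaign URL for {{.URL}}, builds the /track URL used by {{.TrackingURL}} and {{.Tracker}}, and substitutes the recipient fields. The rid value, the sample recipient, the from address and the helper names are my assumptions; Gophish generates its own rid per target, and this renderer only handles the simple {{.Name}} form, not the full Go template language.

```python
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

# Matches Gophish template variables such as {{.URL}} or {{ .FirstName }}.
VAR_RE = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


def phishing_urls(campaign_url, rid):
    """Return (url, tracking_url) for one recipient.

    Gophish appends rid=<recipient id> to the campaign URL for {{.URL}} and
    points {{.TrackingURL}} at /track on the same server with the same rid.
    """
    parts = urlsplit(campaign_url)
    query = urlencode({"rid": rid})
    url = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
    track_path = parts.path.rstrip("/") + "/track"
    tracking_url = urlunsplit((parts.scheme, parts.netloc, track_path, query, ""))
    return url, tracking_url


def template_context(recipient, campaign_url, rid, from_address):
    """Build the variable set an email or landing-page template can use."""
    url, tracking_url = phishing_urls(campaign_url, rid)
    return {
        "FirstName": recipient["first_name"],
        "LastName": recipient["last_name"],
        "Email": recipient["email"],
        "Position": recipient["position"],
        "From": from_address,
        "RId": rid,
        "BaseURL": campaign_url,
        "URL": url,
        "TrackingURL": tracking_url,
        # The hidden image Gophish inserts when "Add Tracking Image" is ticked.
        "Tracker": f"<img alt='' style='display: none' src='{tracking_url}'/>",
    }


def render(template, context):
    """Substitute variables; an unknown name is an error, as a misspelled
    variable would be when Gophish executes the template."""
    def sub(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"unknown template variable {{{{.{name}}}}}")
        return context[name]
    return VAR_RE.sub(sub, template)


# Constructed sample recipient and rid (not real data).
SAMPLE_RECIPIENT = {"first_name": "Alice", "last_name": "Smith",
                    "email": "alice@example.com", "position": "Engineer"}
SAMPLE_TEMPLATE = ("Hi {{.FirstName}}, please confirm the account for {{.Email}} "
                   "at {{.URL}} {{.Tracker}}")

if __name__ == "__main__":
    ctx = template_context(SAMPLE_RECIPIENT, "http://127.0.0.1", "a1b2c3", "it@example.com")
    print(render(SAMPLE_TEMPLATE, ctx))
```

The point to take from the output is that every link and tracking pixel carries the same rid, so a recipient who forwards the email to a colleague who then clicks is still recorded against the original target; keep that in mind when reading the results.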

Landing Page

This is where the recipient lands after clicking the link.
You can import an existing site ("Import Site" fetches the HTML from a URL you give it) or write the page yourself.

I chose a page with a username and password form. It can be any page that has some kind of form.

Two checkboxes matter here. "Capture Submitted Data" tells Gophish to record whatever the form posts; without it you only see clicks. "Capture Passwords" additionally stores password fields, and Gophish keeps them in plaintext in its database, so leave it off unless you have a reason and a plan for protecting that database.

There is a "Redirect to" field: the URL the recipient is sent to after submitting the form, typically the real site, so the submission looks like an ordinary login.

Launching the Campaign

You choose which landing page, sending profile, group and email template the campaign uses, so pick the ones you just created if this is your first time.
The URL field is the base address of the Gophish phish server as the recipient will reach it, not the admin UI on port 3333. The phish server listens on port 80 by default, so the URL is http:// followed by the host or IP address the recipient can connect to. Mine was 127.0.0.1 because I clicked the link on the same machine; a recipient on another machine needs a hostname or IP that routes to the Gophish host.
Gophish offers a schedule, so I set mine to send two minutes after I created the campaign.
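Because the URL field is the setting most likely to produce a campaign nobody can click, here is an added Python check (my code, not part of Gophish) that flags a campaign URL pointing at a loopback or private address, or at the admin port 3333 instead of the phish server. The resolver argument exists so the check can be exercised offline with a constructed DNS answer; the function and constant names are mine, and the port-80 default is taken from Gophish's stock config.json.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ADMIN_PORT = 3333  # Gophish admin UI, the https://127.0.0.1:3333 address above
PHISH_PORT = 80    # default phish_server listen port in Gophish's config.json


def check_campaign_url(url, resolver=socket.gethostbyname):
    """Return a list of warnings about a campaign URL; empty means it looks reachable."""
    warnings = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        warnings.append(f"scheme {parts.scheme!r} is not http or https")
    host = parts.hostname
    if not host:
        warnings.append("no host in URL")
        return warnings
    if parts.port == ADMIN_PORT:
        warnings.append(f"port {ADMIN_PORT} is the admin UI, not the phish server")
    elif parts.port is not None and parts.port != PHISH_PORT:
        warnings.append(f"port {parts.port} is not the default phish port {PHISH_PORT}; "
                        "check phish_server.listen_url in config.json")
    # Literal IP first; otherwise resolve the hostname (injectable for tests).
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolver(host))
        except (OSError, ValueError):
            warnings.append(f"{host} does not resolve")
            return warnings
    if ip.is_loopback:
        warnings.append(f"{ip} is loopback: only the Gophish host itself can open the link")
    elif ip.is_private:
        warnings.append(f"{ip} is a private address: only reachable inside that network")
    return warnings


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1", "https://127.0.0.1:3333", "http://10.0.0.5"):
        print(candidate, "->", check_campaign_url(candidate) or "looks reachable")
```

A private address is not wrong for an internal campaign, which is why it is a warning rather than a failure; the loopback and admin-port cases are the ones that mean the link can only ever work from the machine you are sitting at.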

Once the campaign had been sent, these were the results. In my scenario I clicked the link and submitted information.

[screenshot: campaign results]

Before you can send a campaign you need all of the sections above in place: a sending profile, a group, an email template and a landing page. My first campaign took around 15 minutes from start to finish.


Pierce Taylor, Software Engineer Intern at HacWare. HacWare measures risky cybersecurity behaviors and automates security education to help lean IT teams combat phishing attacks.

Learn more about HacWare at hacware.com