Gophish Pentest Course
# Gophish Pentest Course – Section 5/5: Mastering Gophish
## Introduction to Gophish
Gophish is an open-source phishing framework designed for penetration testers and security professionals. It provides a robust platform for simulating phishing attacks to test the security awareness and response of users within an organization. In this final section, we will dive deep into the installation, configuration, and usage of Gophish, as well as explore real-world scenarios where it can be applied effectively.
—
## 1. Installation and Configuration on Kali Linux
### 1.1 Prerequisites
Before installing Gophish, ensure that your Kali Linux system is up to date. Open your terminal and run:
sudo apt update && sudo apt upgrade -y
Gophish requires Go (Golang) to be installed, as well as additional dependencies. You can install Go by following these steps:
### 1.2 Install Go
1. Download the latest version of Go from the [official Go website](https://golang.org/dl/).
Example command to download Go:
wget https://golang.org/dl/go1.19.5.linux-amd64.tar.gz
2. Extract the downloaded file:
sudo tar -C /usr/local -xzf go1.19.5.linux-amd64.tar.gz
3. Update your `.bashrc` to include Go's binary path:
echo "export PATH=$PATH:/usr/local/go/bin" >> ~/.bashrc
source ~/.bashrc
4. Verify the installation of Go:
### 1.3 Download and Install Gophish
1. Clone the Gophish repository from GitHub:
git clone https://github.com/gophish/gophish.git
2. Change into the Gophish directory:
3. Build Gophish:
4. You can now run Gophish with:
### 1.4 Configuring Gophish
Upon first launch, Gophish will create a configuration file named `config.json`. The default settings are meant for basic usage, but you may want to customize them for your needs.
1. Open the `config.json` file with your preferred text editor:
2. Edit the following fields:
– `listen_url`: The URL on which Gophish will listen. Change this if you need to use a specific interface or port.
– `migrations`: You might want to set this for automatic database migrations.
– `db`: This is where you can configure the database settings. Gophish uses SQLite by default.
Example configuration:
[/dm_code_snippet]json
{
"server": {
"listen_url": "0.0.0.0:3333",
"use_tls": false
},
"database": {
"type": "sqlite3",
"name": "gophish.db"
}
}
[/dm_code_snippet]
3. Save the file and restart Gophish to apply the changes.
### 1.5 Accessing the Gophish Dashboard
Open your web browser and navigate to `http://localhost:3333`. You should see the Gophish login screen.
– **Default Credentials**:
– **Email**: `
[email protected]`
– **Password**: `gophish`
Make sure to change these credentials immediately after logging in for the first time.
—
## 2. Step-by-Step Usage and Real-World Use Cases
### 2.1 Creating a New Campaign
1. **Log into Gophish.**
2. Navigate to the "Campaigns" section from the dashboard.
3. Click on the "New Campaign" button.
#### 2.1.1 Setting Up the Campaign
– **Name**: Give your campaign a descriptive name.
– **From Address**: Set a realistic email address that may likely belong to your organization.
– **Reply-To Address**: Optionally, set an address to capture replies.
– **Subject**: Craft an enticing subject that will encourage users to open the email.
#### 2.1.2 Configuring the Email Template
1. In the email section, select "Email Templates" and create a new template.
2. Use variables to personalize the emails (e.g., `{{.FirstName}}`).
3. You can use HTML for a more professional touch.
Example email template:
[/dm_code_snippet]html
Important Security Update
Dear {{.FirstName}},
We have noticed unusual activity on your account. Please verify your information by clicking the link below:
Verify Account
Thank you,
Your IT Team
[/dm_code_snippet]
#### 2.1.3 Setting Up Landing Pages
1. Navigate to the "Landing Pages" section.
2. Create a new landing page for users to land on after clicking the phishing link.
3. Design the page to look legitimate and encourage users to enter sensitive information.
Example landing page HTML:
[/dm_code_snippet]html
Account Verification
Account Verification Needed
[/dm_code_snippet]
### 2.2 Launching the Campaign
1. After setting up the email and landing page, navigate back to the campaign screen.
2. Schedule your campaign based on your testing requirements.
3. Launch the campaign and monitor the results.
### 2.3 Viewing and Analyzing Results
1. After your campaign has run for some time, return to the "Campaigns" section.
2. Click on the campaign to view statistics such as:
– Emails Sent
– Emails Opened
– Click-through Rate
– Submissions on Landing Page
Use this data to assess user awareness and identify areas for training.
—
## 3. Detailed Technical Explanations
### 3.1 Understanding Gophish Architecture
Gophish utilizes a client-server architecture where the server manages the backend and the client interface is accessible via a web browser. The integration of Go's concurrent programming capabilities allows Gophish to handle multiple campaigns and users efficiently.
### 3.2 Phishing Campaign Best Practices
– **Social Engineering**: Use real-world scenarios that employees might encounter.
– **User Education**: Follow up with training sessions for users who fall for the phishing attempt.
– **Reporting**: Encourage users to report suspicious emails and create a culture of security awareness.
### 3.3 Integrating with Other Tools
Gophish can be integrated with various tools to enhance its capabilities. For instance:
– **Integration with SIEM Systems**: Send alerts to SIEM systems like ELK stack or Splunk for monitoring phishing attempts.
– **Using Webhooks**: To trigger actions in other applications when a submission is made on the phishing form.
### 3.4 Security Considerations
When running Gophish, always consider the following security measures:
– Use TLS to encrypt traffic.
– Change default credentials after first use.
– Limit access to the Gophish dashboard to trusted IP addresses.
—
## 4. External Reference Links
– [Gophish Official Documentation](https://getgophish.com/docs/)
– [Phishing Simulation: Best Practices](https://www.csoonline.com/article/3257839/how-to-run-a-phishing-simulation.html)
– [OWASP Phishing and Social Engineering](https://owasp.org/www-community/Phishing)
—
With Gophish, you now have a powerful tool at your disposal for conducting phishing simulations and improving cybersecurity awareness within your organization. Remember to use this tool ethically and responsibly, ensuring that all tests are authorized and aimed at strengthening your defenses against potential phishing attacks.
—
Made by pablo rotem / פבלו רותם
