# Gophish Pentest Course – Section 1: Introduction & Installation
Phishing is one of the most prevalent and effective attack vectors used by cybercriminals. As a white-hat hacker or cybersecurity professional, understanding how phishing attacks work and how to simulate them ethically is crucial for developing comprehensive security strategies. Gophish, an open-source phishing simulation tool, is designed to simplify the process of creating, sending, and tracking phishing emails. This section will delve into the installation and configuration of Gophish on Kali Linux, step-by-step usage instructions, and real-world use cases to equip you with practical knowledge.
## 1. Installation of Gophish on Kali Linux
### Prerequisites
Before we begin the installation, ensure that you have the following prerequisites:
– A Kali Linux environment (version 2021.3 or later recommended).
– Basic familiarity with terminal commands in Linux.
– Root or superuser access to install and run services.
### Step 1: Update Your System
It’s always a good practice to update your system before installing new software. Open a terminal and run:
"`bash
sudo apt update && sudo apt upgrade -y
"`
### Step 2: Download Gophish
Navigate to the [Gophish GitHub releases page](https://github.com/gophish/gophish/releases) to find the latest version. You can use `wget` to download it directly:
"`bash
wget https://github.com/gophish/gophish/releases/download/v0.11.0/gophish-v0.11.0-linux-64bit.zip
"`
### Step 3: Install Dependencies
Gophish requires a few dependencies to function correctly. You may need to install `unzip` if it's not already installed:
"`bash
sudo apt install unzip
"`
### Step 4: Unzip Gophish
Once the download is complete, unzip the package:
"`bash
unzip gophish-v0.11.0-linux-64bit.zip
"`
### Step 5: Start Gophish
Navigate to the Gophish directory and start the application:
"`bash
cd gophish-v0.11.0-linux-64bit
./gophish
"`
This command will start the Gophish server. By default, it will listen on port 80 for HTTP and 443 for HTTPS. Make sure these ports are not blocked by your firewall settings.
### Step 6: Access the Gophish Interface
Open your browser and navigate to `http://localhost:3333`. You should see the Gophish login screen. Use the default credentials:
– **Username:** admin
– **Password:** gophish
## 2. Configuration of Gophish
### Step 1: Configure Sending Profiles
Once logged in, the first step is to configure your sending profiles. This is necessary as Gophish needs to know from which email address it will send phishing emails.
1. **Click on "Sending Profiles" in the left navigation menu.**
2. **Click on "New Sending Profile".**
3. Fill in details like the name, email address, SMTP server, and authentication credentials (if required).
### Example Sending Profile Configuration
"`json
{
"name": "Example SMTP",
"email": "[email protected]",
"host": "smtp.example.com",
"username": "your_smtp_username",
"password": "your_smtp_password",
"port": 587,
"use_tls": true
}
"`
### Step 2: Configure Landing Pages
Landing pages are critical for a successful phishing campaign. Gophish allows you to create and manage these pages easily.
1. **Click on "Landing Pages" in the left navigation menu.**
2. **Click on "New Landing Page".**
3. Use the HTML editor to create your phishing page. You can also upload a pre-built HTML file.
### Example Landing Page HTML
"`html
Please Sign In
"`
### Step 3: Configure Email Templates
To create a convincing phishing campaign, you can customize email templates.
1. **Click on "Email Templates" in the left navigation menu.**
2. **Click on "New Email Template".**
3. Fill in the subject line, choose your email body, and add dynamic variables as needed.
### Example Email Template
"`markdown
Subject: Important Update Required
Hi {{ .FirstName }},
We noticed unusual activity in your account. Please click the link below to verify your identity:
[Verify Your Account]({{ .URL }})
Thank you,
Support Team
"`
## 3. Step-by-Step Usage and Real-World Use Cases
Once you have configured Gophish, you can proceed to create a phishing campaign. Below we describe this process in detail.
### Step 1: Create a New Campaign
1. **Go to the "Campaigns" tab.**
2. **Click on "New Campaign".**
Fill in the campaign details, selecting your sender profile, email template, and landing page.
### Step 2: Define Targets
You can import email addresses from a CSV file or add them manually. Ensure you have permission to test the targets to comply with ethical standards.
### Example CSV File Format
"`csv
email,first_name,last_name
[email protected],John,Doe
[email protected],Jane,Smith
"`
### Step 3: Launch the Campaign
After setting up your campaign, click on "Launch Campaign". Gophish will start sending emails to your defined targets. You can track the status in real-time on the campaign dashboard.
### Real-World Use Case
#### Example: Company Training Phishing Simulation
Suppose you are conducting a phishing simulation for a corporate client. You can create an email that mimics a password reset request. By observing how employees respond, you can assess their preparedness and educate them further.
### Step 4: Analyze Results
After the campaign has run its course, Gophish provides detailed analytics. You can see how many emails were opened, how many users clicked on the links, and how many submitted their credentials.
1. **Go to the "Campaigns" tab.**
2. **Click on the campaign you wish to analyze.**
### Example Campaign Report
"`json
{
"opened": 75,
"clicked": 30,
"submitted": 15,
"not_clicked": 45
}
"`
## 4. Detailed Technical Explanations and Security Best Practices
Gophish provides extensive features for ethical phishing simulations, but it is essential to adhere to security best practices when conducting such tests.
### Security Considerations
– **Get Permission:** Always ensure you have explicit permission from the organization you are testing.
– **Inform Employees Post-Campaign:** After testing, inform employees about the campaign and share best practices for recognizing phishing attempts.
– **Secure Your Gophish Instance:** Change admin credentials, use HTTPS for secure communication, and limit access to the Gophish interface.
### External Reference Links
– [Gophish Official Documentation](https://gophish.com/docs/)
– [OWASP: Phishing](https://owasp.org/www-community/Phishing)
– [Cybint: Phishing Simulation](https://www.cybintsolutions.com/phishing-simulation/)
– [Kali Linux Official Documentation](https://www.kali.org/docs/)
## Conclusion
In this section, we have covered the installation, configuration, and usage of Gophish for phishing simulations. You should now have a foundational understanding of how to utilize this powerful tool ethically in a penetration testing context. Through practical exercises and real-world examples, you can improve your skills in phishing penetration testing and strengthen your cybersecurity posture.
In the following sections, we will explore advanced features of Gophish, including API usage for automation, integrations with reporting tools, and other practical scenarios.
—
Made by pablo rotem / פבלו רותם