Set up a GoPhish phishing server to run custom phishing campaigns and raise security awareness using the steps below.
This blog provides an introduction to GoPhish and does not cover the following configurations: mail server, DNS, SPF, DKIM, DMARC, HTTPS, or GoPhish IOCs.
Create a new directory
mkdir gophish && cd gophish
Download GoPhish
wget -O gophish.zip https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
Install unzip
sudo apt install -y unzip
Unzip GoPhish
unzip gophish.zip && rm gophish.zip
Change "listen_url" from "127.0.0.1" to "0.0.0.0"
sed -i -e "s/127\.0\.0\.1:3333/0\.0\.0\.0:3333/g" config.json
WARNING: The command above exposes the admin interface. Expose the admin interface to the Internet only if needed. Before exposing the admin server to the Internet, it's highly recommended to change the default password. It is also highly recommended to use a firewall to restrict source IP addresses. You can also use the "phish_server.trusted_origins" option to add IP addresses that you expect incoming connections to come from.
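The following check is an added example, not part of the original post or the GoPhish project: it reads a config.json and flags the admin-interface exposure the warning describes. It assumes the "admin_server.listen_url" and "admin_server.use_tls" keys of the stock config.json; the sample config and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: config.json as it looks after the sed edit above.
SAMPLE_CONFIG = """
{
  "admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": true},
  "phish_server": {"listen_url": "0.0.0.0:80", "use_tls": false}
}
"""


def split_listen_url(listen_url):
    """Split 'host:port' (or '[v6]:port') into (host, port)."""
    host, _, port = listen_url.rpartition(":")
    return host.strip("[]"), port


def bind_scope(host):
    """Classify a bind address as 'all', 'loopback' or 'specific'."""
    if host == "":
        return "all"            # ':3333' binds every interface
    if host == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "specific"       # a hostname: review by hand
    if addr.is_unspecified:     # 0.0.0.0 or ::
        return "all"
    return "loopback" if addr.is_loopback else "specific"


def audit_admin_server(config_text):
    """Return a list of findings for the admin_server section."""
    admin = json.loads(config_text).get("admin_server", {})
    host, port = split_listen_url(admin.get("listen_url", ""))
    findings = []
    scope = bind_scope(host)
    if scope == "all":
        findings.append(f"admin interface listens on all interfaces (port {port}); "
                        "restrict source IPs with a firewall")
    elif scope == "specific":
        findings.append(f"admin interface bound to {host}:{port}; "
                        "confirm it is not Internet-facing")
    if not admin.get("use_tls", False):
        findings.append("admin interface served without TLS")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_server(SAMPLE_CONFIG):
        print("[!]", finding)
```

Run it against the real file by passing the contents of config.json to audit_admin_server(); an empty list means the admin interface is loopback-only and uses TLS.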
Start the GoPhish Server
Start GoPhish
chmod +x gophish
./gophish
# Browse to https://localhost:3333
Set Up a Phishing Campaign
- Create a Target Group
- Create a Sending Profile
- Create a Landing Page
- Create an Email Template
- Create a Phishing Campaign
- Generate Reports
- Calculate Metrics
Hook Security Co. Phishing Resources
50+ Free Phishing Examples
https://www.hooksecurity.co/phishing-email-examples
Central InfoSec Phishing Resources
GoPhish - Server Setup & Custom Reporting
GoPhish Phishing Server Setup
https://www.centralinfosec.com/blog/gophish-setup
Create Custom Phishing Reports from GoPhish Results
https://www.centralinfosec.com/blog/gophish-report
Excel Workbook Idea to Automate the Management of Phishing Campaign Reporting and Historical Metrics
https://www.centralinfosec.com/blog/phishreport
Slack - Live Phishing Notifications
Slack Notifications for Phished Credentials in Real Time
https://www.centralinfosec.com/blog/gophish-slack-phishing-credential-harvester
Cobalt Strike - Phishing
Cobalt Strike Phishing Profiler Aggressor Script
https://www.centralinfosec.com/blog/cobalt-strike-aggressor-scripts-phishing-profiler
Cobalt Strike Phishing Reporting
https://www.centralinfosec.com/blog/phishreportcs
Keyloggers for Phishing
Setup a Keylogger to Capture Credentials and Bypass Two-Factor Authentication (2FA) for Phishing - v2
https://www.centralinfosec.com/blog/phishlog
Setup a Keylogger to Capture Credentials and Bypass Two-Factor Authentication (2FA) for Phishing - v1
https://www.centralinfosec.com/blog/phishing-keylogger-v1
Other Phishing Tools
Send & Track Phishing Emails
https://www.centralinfosec.com/blog/phishsend
Setup a Mail Server for Phishing
https://www.centralinfosec.com/blog/phishserv
Test for Open Mail Relays that can be Leveraged for Phishing
https://www.centralinfosec.com/blog/phishing-mailtest
Generate Email Addresses by Scraping LinkedIn
https://www.centralinfosec.com/blog/phishgen
Create a Let’s Encrypt SSL Certificate using Certbot for Phishing
https://www.centralinfosec.com/blog/phishcert