GoPhish – phishing campaign simulator – part 1

Some time ago in post Phishing – simulation attack Exchange I had show you simulation attack tool offered by MS. In my case license allows me only basic usage so I started to search something more advanced with possibility to customize mails and landing pages. I have found some tools but GoPhish looks OK for me and had a lot of good opinions. Also in plus here is that this tool is distributed as open source.

In that post will show you possibility of that tool and if you wish I will prepare part 2 with details about installation and configuration from the beggining.

Documentation and additional information about GoPhish is available under: https://getgophish.com/

GoPhish Interface is very simple, intuitive and transparent. Everey campaign has statistics which on my example looks like that.

As you see that campaign is not finished yet but you can now export results to csv file and you have live look via the web interface.

I have noticed that after user report phishing mail in outlook, the stats are not informing about that and in addition “email opened”status is almost the same like “email sent”. For now there are only 2 disadvantages. It could be that I am doing something wrong with that so if you have any ideas let me know:)

Now we will go step by step to creating phishing campaign. First we need to add email addresses of recipients. You can add it manually but is possible to make bulk import from csv file. Addresses could be groupped so for every campaign you can have different recipients. First name, last name, email and position we can use in content of mail in order to be more reliable.

Window where you can add addresses looks like that:

And groups lists looks like that:

The next thing is preparing content of mail. We can import it from the raw format of mail or project it in html by ourself. If you have already html code – just paste it. Below you can see example of mail which was copied.

User by clicking link will be redirected to domain which you will provide during campaing creation at the end of post. Every user will have unique ID which is added to link and by that user and his actions are identified.

Now lets create landing page – the page where user will be redirected after clicking mail link and where will be login form. Here you can also import site code but in case of more advanced forms it could be impossible. I think the better will be create own template or use something what is shared in the internet. In options you can let know GoPhish if you need to capture data typed in form like a login and password or no and website where user will be redirected after login.

The last thing is configuration of mail account for sending emails. Here, until you will configure it in GoPhish you need to set up sendmail on this machine. I used linux to host it. As a mail provider I used gmail.com. To have properly working gmail account you must configure application password in account setting in Google and type it in sendmail config. My config looks like that.

If test mail was sent properly, we can go to create new campaign. In option we put all elements we created eariler. As a URL put address where GoPhish is hosted. The useful options is possibility to send mail in some time frame. This can minimise risk of being member of black lists 🙂

Remember that tools like this you can test only on your own systems 🙂

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *