Table

of Contents
Introduction 1.1
License 1.2
What is Gophish? 1.3
Installation 1.4
Getting Started 1.5
Documentation 1.6
Changing User Settings 1.6.1
Groups 1.6.2
Templates 1.6.3
Landing Pages 1.6.4
Sending Profiles 1.6.5
Campaigns 1.6.6
Using the API 1.6.7
Reporting 1.6.8
Building Your First Campaign 1.7
Introducing the Morning Catch Corporation 1.7.1
Creating the Sending Profile 1.7.2
Importing Groups 1.7.3
Creating the Template 1.7.4
Creating the Landing Page 1.7.5
Launching the Campaign 1.7.6
Template Reference 1.8
Additional References 1.9

2
Introduction

Welcome to Gophish!
Current Version: 0.3-dev

Gophish is a powerful, easy-to-use, open-source phishing toolkit meant to help pentesters

and businesses conduct real-world phishing simulations.

This user guide introduces Gophish and shows how to use the software, building a complete
campaign from start to finish.

3
License

License
Gophish - Open-Source Phishing Framework

The MIT License (MIT)

Copyright (c) 2013 - 2016 Jordan Wright

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software ("Gophish Community Edition") and associated documentation files (the
"Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

4
What is Gophish?

What is Gophish?
What is Gophish?
Gophish is a phishing framework that makes the simulation of real-world phishing attacks
dead-simple. The idea behind gophish is simple – make industry-grade phishing training
available to everyone. “Available” in this case means two things –

Affordable – Gophish is open-source software that is completely free for anyone to

use.
Accessible – Gophish is written in the Go programming language. This has the benefit
that gophish releases are compiled binaries with no dependencies. In a nutshell, this
makes installation as simple as "download and run"!

5
Installation

Installation

Installing Gophish Using Pre-Built Binaries

Gophish is provided as a pre-built binary for most operating systems. With this being the
case, installation is as simple as downloading the ZIP file containing the binary that is built
for your OS and extracting the contents.

Installing Gophish from Source

One of the major benefits of having written gophish in the Go programming language is that
it is extremely simple to build from source. All you will need is the Go language and a C
compiler (such as gcc).

To install gophish, simply run go get github.com/gophish/gophish . This downloads gophish

into your $GOPATH .
Next, navigate to $GOPATH/src/github.com/gophish/gophish and run the command go build .
This builds a gophish binary in the current directory.

Understanding the config.json

There are some settings that are configurable via a file called config.json, located in the
gophish root directory. Here are some of the options that you can set to your preferences:

Key Value (Default) Description

admin_server.listen_url 127.0.0.1:3333 IP/Port of gophish admin server

admin_server.use_tls false Use TLS for admin server?

admin_server.cert_path example.crt Path to SSL Cert
admin_server.key_path example.key Path to SSL Private Key

Creating SSL Certificate and Private Keys

Note: As of 0.3-dev, Gophish will by default create a self-signed certificate for the admin
panel, so this steps would be optional.

6
Installation

It’s a good idea to have the admin server available over HTTPS. While automatic SSL
cert/key generation will be included in a later release, for now let’s take a look at how we can
leverage openssl to generate our cert and key for use with gophish (this assumes you
already have openssl installed!)

We can start the certificate and key generation process with the following command:

openssl req -newkey rsa:2048 -nodes -keyout gophish.key -x509 -days 365 -out gophish.c
rt

Then, all we have to do is answer the CSR process that asks for details such as country,
state, etc. Since this is a local self-signed cert, these won’t matter too much to us.

This creates two files, gophish.key and gophish.crt. After moving these files into the gophish
root directory (in the same folder as config.json), we can have the following in our config.json
file:

"admin_server" : {
"listen_url" : "127.0.0.1:3333",
"use_tls" : true,
"cert_path" : "gophish.crt",
"key_path" : "gophish.key"
}

Now when we launch gophish, you’ll connect to the admin server over HTTPS and accept
the self-signed certificate warning.

Using MySQL
The default database in Gophish is SQLite. This is perfectly functional, but some
environments may benefit from leveraging a more robust database such as MySQL.

Support for Mysql has been added as of 0.3-dev. To setup Gophish for Mysql, a couple extra
steps are needed.

Update config.json
First, change the entries in config.json to match your deployment:

Example:

7
Installation

"db_name" : "mysql",
"db_path" : "root:@(:3306)/gophish?charset=utf8&parseTime=True&loc=Local",

The format for the db_path entry is username:password@(host:port)/database?

charset=utf8&parseTime=True&loc=Local .

Create the Database

The last step you'll need to do to leverage Mysql is to create the gophish database. To do
this, log into mysql and run the command

CREATE DATABASE gophish; .

After that, you'll be good to go!

Running Gophish
Now that you have gophish installed, you’re ready to run the software. To launch gophish,
simply open a command shell and navigate to the directory the gophish binary is located.

Then, execute the gophish binary. You will see some informational output showing both the
admin and phishing web servers starting up, as well as the database being created. This
output will tell you the port numbers you can use to connect to the web interfaces.

gophish@gophish.dev:~/src/github.com/gophish/gophish$ ./gophish
2016/01/10 23:13:42 worker.go:34: Background Worker Started Successfully - Waiting fo
r Campaigns
2016/01/10 23:13:42 models.go:64: Database not found... creating db at gophish.db
2016/01/10 23:13:42 gophish.go:49: Admin server started at http://127.0.0.1:3333
2016/01/10 23:13:42 gophish.go:51: Phishing server started at http://0.0.0.0:80

8
Getting Started

Getting Started

Running Gophish
Now that you have gophish installed, you’re ready to run the software. To launch gophish,
simply open a command shell and navigate to the directory the gophish binary is located.

Then, execute the gophish binary. You will see some informational output showing both the
admin and phishing web servers starting up, as well as the database being created. This
output will tell you the port numbers you can use to connect to the web interfaces.

gophish@gophish.dev:~/src/github.com/gophish/gophish$ ./gophish
2016/01/10 23:13:42 worker.go:34: Background Worker Started Successfully - Waiting fo
r Campaigns
2016/01/10 23:13:42 models.go:64: Database not found... creating db at gophish.db
2016/01/10 23:13:42 gophish.go:49: Admin server started at http://127.0.0.1:3333
2016/01/10 23:13:42 gophish.go:51: Phishing server started at http://0.0.0.0:80

Logging In
After Gophish starts up, you can open a browser and navigate to 127.0.0.1:3333 to reach
the login page.

The default credentials are:

Username: admin

Password: gophish

9
Getting Started

10
Documentation

11
Changing User Settings

Changing User Settings

Registering a New User

By navigating to your_site/register you can register a new user:

Logging in
When you first launch gophish, you will be taken to the login page. The default credentials
are admin:gophish . Once logged in, it's encouraged to change your password.

Changing Your Password & Updating Settings

12
Changing User Settings

By clicking the "Settings" tab, you will navigate to the settings page. This page allows you to
change your password, as well as update your API key.

To change your password, simply submit your current password, as well as the new
password you would like to use, and click "Save". Any errors will be indicated on the page.

This page also provides the ability to reset your API key, which is strongly recommended
when logging in for the first time. To reset your API key, simply click the "Reset" button next
to the existing API key.

You might need to refresh the page before continuing to use gophish. This should be fixed
soon.

13
Groups

Groups
Gophish lets you manage groups of users targeted in campaigns.

Creating Groups
To create a group, first navigate to the "Users & Groups" page in the navigation menu and

click the button .

You will see the following dialog appear:

To add a group, you need to specify a unique group name, as well as at least one recipient.

Adding Users to the Group

You can add the users to the group in two ways:

14
Groups

Manually Adding Users

To add users manually, fill in the text boxes for "First Name", "Last Name", "Email", and
"Position" and click the "Add" button.

Bulk Uploading Users

Adding users manually can be a pain. To fix this, Gophish lets you upload users in bulk from
a CSV file.

The CSV format gophish expects has the following header values:

First Name
Last Name
Email
Position

To upload a CSV with user information, click the "Bulk Import Users" button and select the
CSV you want to upload. Users are then uploaded and displayed in the dialog.

To save the group, click "Save changes".

15
Templates

Templates
A "Template" is the content of the emails that are sent to targets. They can be imported from
an existing email, or created from scratch. They also support sending attachments.

Additionally, templates can contain tracking images so that gophish knows when the user
opens the email.

Creating Templates
To create a template, first navigate to the “Email Templates” page and click the “New
Template” button.

Using the HTML Editor

16
Templates

A powerful feature of Gophish is the HTML editor. To switch between the HTML source code
and the visual view, click the "Source" button.

This is helpful to ensure that the email received by the user is pixel-perfect.

Importing a Site
Gophish supports the ability to import an email from the raw content. To do this, click the
"Import Email" button and paste in the original email content. This content is usually found
through the "View Original" feature of many mail clients:

17
Templates

18
Landing Pages

Landing Pages
Landing pages are the actual HTML pages that are returned to the users when they click the
phishing links they receive.

Landing pages support templating, capturing credentials, and redirecting users to another
website after they submit their credentials.

To create a landing page, click on the "Landing Pages" entry in the sidebar and click the
"New Page" button.

The landing page modal supports the same HTML WYSIWYG editor shown in the Templates
section.

19
Landing Pages

Importing a Site From URL

A powerful feature of Gophish is the ability to import a site from a URL. To import a site, click
the "Import Site" button.

After entering the URL and clicking "Import", you should see the HTML of the URL populated
into the editor.

Capturing Credentials
Gophish makes it easy to capture credentials from the landing page. To capture credentials,
simply select the checkbox that says "Capture Submitted Data".

Note: Credentials are stored in plaintext. If you don't want to capture passwords, don't
select the "Capture Passwords" checkbox. Gophish will still capture other text fields,
such as usernames.

Redirecting Users
Red team assessments are all about preventing suspicion. To prevent users from becoming
suspicious after entering credentials, you may want to redirect them to the original URL.

Gophish makes it easy to redirect users after they submit credentials. To redirect users,
enter a URL in the "Redirect To:" text field that appears after the "Capture Submitted Data"
checkbox is selected.

Static Assets

20
Landing Pages

There may be times that you want to store assets such as HTML pages, CSS/JS resources
or other static files. To use these in Gophish, just move them under the static/endpoint
directory. You can then reference them using the URL
http[s]://phishing_server/static/filename . For more background, see this issue.

21
Sending Profiles

Sending Profiles
To send emails, Gophish requires you to configure SMTP relay details called "Sending
Profiles".

To setup a sending profile, click the "Sending Profiles" navigation entry in the sidebar and
click the "New Profile" button.

Note: If you're looking for a good testing SMTP server, I've had good luck with Mailhog.

It's important to make sure that your "From" address is a valid email address format.

Additionally, make sure you setup your "Host" in the full host:port format.

To test your SMTP configuration, you can click the "Send Test Email" button:

22
Sending Profiles

After entering the recipient details and clicking "Send", you should see a message indicating
if the email was sent successfully.

23
Campaigns

Campaigns
Gophish is centered around launching campaigns. This involves sending emails to one or
more groups and monitoring for opened emails, clicked links, or submitted credentials.

Launching a Campaign
To configure and launch a campaign, click the "Campaigns" entry in the navigation sidebar.

Most of the fields should be self-explanatory. Gophish has autocompletion setup for many of
the fields that are selecting from existing objects (such as landing pages, templates, etc.).

The URL field is what populates the {{.URL}} template value. This should be a URL or IP
address that points to the Gophish phishing server and is reachable by the recipient.

24
Campaigns

Since version 0.2, Gophish supports scheduling campaigns, making it easy to plan
campaigns in advance.

After you have the campaign configuration ready to go, click the "Launch Campaign" button,
click through the confirmation message, and you're good to go!

Viewing Campaign Results

When a campaign is launched, you are automatically redirected to the campaign results
screen:

On the results page, you will see overview information on the campaign status as well as
detailed results for each target.

25
Campaigns

Exporting Campaign Results

To export campaign results in CSV format, click the "Export CSV" format and select the type
of results you want to export:

Results - The current status for each target in the campaign.

Contains the following fields:

id, email, first_name, last_name, position, status, ip, latitude, longitude

Raw Events - Contains a stream of events as they occurred during the campaign.

Completing a Campaign
To complete a campaign, click the "Complete" button and confirm that you want to mark the
campaign as completed.

Deleting a Campaign
To delete a campaign, click the "Delete" button and confirm that you want to delete the
campaign.

Note: This cannot be undone, so be careful when deleting a campaign!

Viewing Result Details

Gophish makes it easy to view the campaign results in a timeline format.

To view the timeline for each recipient, expand the row with the recipient's name.

26
Campaigns

27
Using the API

Using the API

Gophish was designed to be API-first. This means that the UI is just a wrapper around a
powerful JSON RESTful API.

You can find our API documentation here.

Python API Client

The Gophish team maintains an official Python API client for easily interacting with the API.

28
Reporting

Reporting
Reporting is an important part of any Gophish campaign. To help facilitate generating
reports, there are a few options you could consider:

Using the Web UI

The Gophish dashboard gives a quick overview showing the results for a particular
campaign:

In addition to providing the results in the dashboard, you have the option to export the raw
logs from Gophish using the "Export CSV" button at the top of the page. You could then
parse these CSV files using other software such as Excel or Google Sheets.

Using GoReport
Gophish has an incredible community that has built tools around the API to help make
reporting easy. A great example of this is called GoReport.

29
Reporting

GoReport, created by Github user @chrismaddalena, provides a really simple, clean way to
generate reports for a given Gophish campaign. You can use this script to generate reports
for the campaign in either CSV or DOCX format.

Leveraging the API

If you are wanting to make custom reports, perhaps for one or more campaigns, we strongly
suggest you consider leveraging the extensive Gophish API.

We have a Python API client that can help facilitate getting the data you need from the API.
You can find the documentation for the Python API client here.

30
Introducing the Morning Catch Corporation

Introducing the Morning Catch

Corporation

For this documentation, we will step through the process of setting up users, templates, and
a full campaign from scratch for a fake company called Morning Catch. In this case, we are
assuming the role of a security administrator of Morning Catch and have been given the
authorization to perform this training.

As a note, this fake company is based on a great VM used specifically for testing phishing
frameworks that you can download here if you're interested.

The fake company will consist of 3 users: Richard Bourne, Boyd Jenius, and Haiti Moreo.

31
Creating the Sending Profile

Creating the Sending Profile

Creating a sending profile is easy for this campaign. Navigate to the "Sending Profiles" page
and click "New Profile".

For my campaign, I'll be sending emails from Boyd Jenius, the system administrator. I'll use
his name and email address in the "From" field.

I have my Morning Catch VM listening for inbound email on 192.168.56.101:25 so I will use
that for my "Host".

Remember: Always specify the port number when configuring a sending profile! Use
the host:port format when specifying the Host.

You should wind up with something that looks like this:

32
Creating the Sending Profile

If you want, you can send a test email to another recipient on the morningcatch.ph domain
to ensure emails are relayed correctly.

After the settings are specified, click "Save Profile".

33
Importing Groups

Importing Groups
The first thing we need to do before we can launch a campaign is to figure out who to target.
There are a ton of ways to gather/generate email addresses for potential targets. You can
either harvest email addresses from public information using OSINT if you are aiming to
simulate a realistic scenario.

Now that we have our list of users, let’s import them into gophish.

To add a group, navigate to the “Users & Groups” page and click “New Group”:

Since we are performing phishing simulation for Morning Catch, we can call our group
“Morning Catch Employees”.

Now we have to add the members. There are two ways to do this:

Add each member’s details one at a time using the form inputs
Bulk import the group from a CSV file

To save time (and typing!) let’s go with the CSV option.

34
Importing Groups

Importing from CSV

The CSV format gophish expects has the following header values:

First Name
Last Name
Email
Position

So, the CSV for Morning Catch would look like the following:

First Name,Last Name,Position,Email

Richard,Bourne,CEO,rbourne@morningcatch.ph
Boyd,Jenius,Systems Administrator,bjenius@morningcatch.ph
Haiti,Moreo,Sales & Marketing,hmoreo@morningcatch.ph

After uploading this CSV using the “Bulk Import Users” button, we see that our members
were added automatically:

After clicking “Save changes”, we see a confirmation message that our group was created.

Tip: If you don’t see the group show up right away, refresh the page and it should
appear in the table.

35
Importing Groups

36
Creating the Template

Creating the Template

To create the template we will use for our Morning Catch campaign, first navigate to the
"Email Templates" page and click the "New Template" button.

We notice that Morning Catch comes with a webmail portal. Let’s craft a simple template that
suggests the user needs to go reset their password. Obviously, this is a simple scenario, and
by using the "Import Email" feature, you can import existing emails directly into gophish for a
greater effect.

We'll use the following subject line:

Password Reset for {{.Email}}

37
Creating the Template

You'll notice we used the {{.Email}} template value. This will populate with the target's
email address when the emails are sent. This is Gophish's way to tailor emails to individuals
to increase the chance of success.

By clicking the "HTML" tab, we will see the editor we can use to create our HTML content:

Since our content is pretty simple, we can just click the "Source" button and be taken to the
more visual editor, which will be enough for our purposes:

Our template will be simple for the sake of demonstration. I'll start by adding the message:

{{.FirstName}},

The password for {{.Email}} has expired. Please reset your password here.

Thanks,
Morning Catch IT Team

38
Creating the Template

Speaking of links, now we need to add our phishing link. Highlight the word "here" and click
the chain icon in the menu, exposing the "Link" dialog. In this dialog, we'll set the link to
{{.URL}} , another template value, so that our link is automatically created and inserted into

the email.

Finally, make sure the "Add Tracking Image" checkbox is checked, and click "Save
Template".

39
Creating the Landing Page

Creating the Landing Page

The Morning Catch corporation has a webmail portal that we will clone for our landing page.

Start by navigating to the "Landing Pages" page and clicking the "New Page" button.

To import a site by URL, click the "Import Site" button. The webmail portal is located at
/mail/ , so I will use http://192.168.56.101/mail/ as my import URL.

After the import, you'll see the HTML populated into the editor. Clicking the "Source" button
shows a preview of the page.

40
Creating the Landing Page

Finally, we'll capture submitted data and passwords by checking both options, and we'll
redirect users to the webmail portal after they submit credentials.

Finally, click "Save Page" to save the landing page.

41
Launching the Campaign

Launching the Campaign

Now that we have all the pieces setup, we can launch the campaign!

To create a new campaign, navigate to the Campaigns page and click the "New Campaign"
button.

Most of the settings should be self-explanatory. The only thing to look out for is the URL
field. Since the IP address of our Gophish server is 192.168.1.1 , that's what we'll use:

Once all the settings filled, click "Launch Campaign" to start sending the emails!

Viewing the Results

42
Launching the Campaign

After launching the campaign, you will be automatically redirected to the campaign results
page. This will give you a realtime view as emails are sent, opened, and links are clicked.

Congrats on running your first campaign!

43
Template Reference

Template Reference
The following variables are available in templates and landing pages:

Tip: Remember - Templates are case sensitive!

Variable Description
{{.FirstName}} The target's first name

{{.LastName}} The target's last name

{{.Position}} The target's position
{{.Email}} The target's email address

{{.From}} The spoofed sender

{{.TrackingURL}} The URL to the tracking handler

{{.Tracker}} An alias for <img src=" {{.TrackingUrl}} "/>

{{.URL}} The phishing URL

44
Additional References

Simulated Phishing Educational Guide

Github user @LarryGrim published a comprehensive guide on using Gophish to perform
phishing awareness training.

The reference, "Simulated Phishing Educational Guide", takes a deep-dive into setting up a
production Gophish instance from scratch leveraging Amazon EC2.

You can find the full guide here: http://tinyurl.com/PhishCampaign

45
THE End!!!