Introduction
Email remains one of the most common initial access vectors for attackers, making security awareness training more crucial than ever. GoPhish, an open-source phishing simulator, serves as a vital tool for organizations seeking to strengthen their defenses against these pervasive threats. By simulating realistic phishing attacks, GoPhish enables companies to train employees to recognize and report malicious emails, potentially averting damaging security breaches.
This blog post will guide you through setting up GoPhish, from installation to launching your first phishing simulation. You’ll also learn how to use the simulator’s interface to monitor interactions with these test emails, providing insights into your organization’s security posture and training efficacy.
Installation
Create a directory for GoPhish and download the latest release archive for your operating system from the project's GitHub releases page (https://github.com/gophish/gophish/releases). Each release is a zip archive named after the version and platform, for example a Linux 64-bit build.
Extract the archive into that directory. It contains the gophish binary, config.json, and the static, templates and db directories that GoPhish needs at runtime; on Linux or macOS, mark the binary as executable before running it.
Run the gophish binary from that directory. By default config.json binds the admin server to https://127.0.0.1:3333, with a self-signed certificate that GoPhish generates on first start, and the phishing server to port 80 on all interfaces, so the process needs the privilege to bind port 80 (or a different phish_server listen_url). On first start the log prints the default username (admin) and a randomly generated password; use these to log into the web interface.
Web Interface and Sending Profiles Configuration
Logging In and Password Change
Once you log into the GoPhish web interface, you’ll first be prompted to change your password for security reasons. Follow the on-screen instructions to set a new, secure password.
Creating a New Sending Profile
- Access Sending Profiles: Click ‘Sending Profiles’ in the sidebar.
- Add Profile: Select ‘New Profile’ to create a profile.
- Configure SMTP Settings:
  - Name: Enter a descriptive name for the profile, such as “Test SMTP Profile”.
  - Interface Type: Choose ‘SMTP’ from the dropdown menu.
  - From Field: Specify the sender address, for instance admin.it@domain.edu, to simulate an email coming from your IT department. A display name can be included in the form IT Support <admin.it@domain.edu>.
  - SMTP Host: Enter the relay as host:port, for example smtp.gmail.com:587 for Gmail (port 587 uses STARTTLS) or your own organization's mail server.
  - Username and Password: Provide the credentials GoPhish will use to authenticate to that server, i.e. those of the mailbox the emails are sent from. A Gmail account needs an app password here rather than the account password.
- Internal Sender Addresses and SPF: Sending through your own organization's mail server with an internal From address (e.g., admin.it@domain.edu) lets the message pass SPF, DKIM and DMARC for your domain, so it reaches the inbox rather than the spam folder. This simulates an attacker who has compromised an internal mailbox or can otherwise send as an internal address. The reverse also holds: relaying a From address at your domain through an external server such as smtp.gmail.com will normally fail your domain's SPF and DMARC checks, because that server is not an authorized sender for the domain. Agree the scenario with your mail team in writing and have them allow-list the GoPhish sender or source IP in the mail gateway, so the test measures what users do rather than what the spam filter does.
- Send Test Email: Before launching a full campaign, use the ‘Send Test Email’ button to confirm that the configuration works and to see how your mail filters classify the message.
Users & Groups
This section configures who will receive your phishing simulation emails.
- Navigate to Users & Groups: Click the ‘Users & Groups’ tab in the GoPhish sidebar and select ‘New Group’.
- Add Recipients: Enter each participant's first name, last name, email address and position, or use ‘Bulk Import Users’ to load them from a CSV file with the columns First Name, Last Name, Email and Position. The name fields feed the {{.FirstName}} and {{.LastName}} template variables, so populate them if the emails are meant to look personalized. The group can cover all employees for a comprehensive test or a smaller set, such as the IT department or new hires, depending on your training focus.
Setting Up a New Template
- Navigate to the Email Templates Section: Open the ‘Email Templates’ tab from the sidebar and select ‘New Template’.
- Create a New Template:
  - Name Your Template: Give the template a name that reflects its purpose, such as “Password Reset”.
  - Envelope Sender: Set this to an address that appears legitimate, such as admin.it@domain.edu, which might be used by your organization's IT department. This is the SMTP envelope (MAIL FROM) address, which is separate from the From header shown to the recipient; leave it blank to use the sending profile's From address.
- Compose Your Email:
  - Subject Line: Use a subject that catches attention and seems urgent, such as “Password Reset for {{.Email}}”. The {{.Email}} tag is replaced with the recipient's email address when each message is generated, which makes the email feel personalized; {{.FirstName}} and {{.LastName}} work the same way.
  - Email Body: Write the content of your email in the HTML or Text tab. Any link the user is meant to click must use {{.URL}} as its target, since that is the per-recipient link GoPhish tracks; tick ‘Add Tracking Image’ to insert the {{.Tracker}} pixel that records opens.
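A quick way to check a template before launching is to render it locally for one recipient and confirm that every {{.Name}} tag is one GoPhish knows. The script below is an added example, not GoPhish's own code: it fills in the variables GoPhish documents (FirstName, LastName, Email, Position, From, RId, BaseURL, URL, TrackingURL, Tracker), builds the per-recipient link the way GoPhish does (base URL plus ?rid=<id>, tracking pixel at /track?rid=<id>), and rejects a template containing a tag GoPhish would not parse, such as a mistyped {{.Url}}. The sample target, sender name, base URL and template text are constructed for the example.

```python
"""Offline preview of a GoPhish-style email template (added example).

Substitutes the template variables GoPhish exposes and reports any other
{{.Name}} tag, so a typo is caught before a campaign is launched. The
URL layout mirrors what GoPhish generates; sample data is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import quote

# Matches {{.Name}} (inner whitespace allowed), the form used in GoPhish templates.
VAR_RE = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


@dataclass
class Target:
    first_name: str
    last_name: str
    email: str
    position: str = ""


def template_context(target: Target, rid: str, base_url: str, from_name: str) -> dict:
    """Build the variable set GoPhish exposes to a template for one recipient."""
    base = base_url.rstrip("/")
    rid_q = quote(rid, safe="")
    tracking_url = f"{base}/track?rid={rid_q}"
    return {
        "FirstName": target.first_name,
        "LastName": target.last_name,
        "Email": target.email,
        "Position": target.position,
        "From": from_name,             # display name of the sending profile's From
        "RId": rid,                    # per-recipient id GoPhish appends as ?rid=
        "BaseURL": base,
        "URL": f"{base}?rid={rid_q}",  # the link a tracked click must use
        "TrackingURL": tracking_url,
        "Tracker": f"<img alt='' style='display: none' src='{tracking_url}'/>",
    }


KNOWN_VARIABLES = frozenset(template_context(Target("", "", ""), "", "https://x", "").keys())


def unknown_variables(template: str) -> list:
    """Return the {{.Name}} tags that GoPhish would not recognise, sorted."""
    return sorted({m.group(1) for m in VAR_RE.finditer(template)} - KNOWN_VARIABLES)


def render(template: str, ctx: dict) -> str:
    """Substitute the variables; refuse templates GoPhish would fail to parse."""
    bad = unknown_variables(template)
    if bad:
        raise ValueError(f"unknown template variables: {bad}")
    return VAR_RE.sub(lambda m: ctx[m.group(1)], template)


def preview(subject: str, html: str, target: Target, rid: str,
            base_url: str, from_name: str) -> tuple:
    """Render subject and body for one target, as that recipient would see them."""
    ctx = template_context(target, rid, base_url, from_name)
    return render(subject, ctx), render(html, ctx)


# Constructed sample template for the "Password Reset" scenario above.
SAMPLE_SUBJECT = "Password Reset for {{.Email}}"
SAMPLE_HTML = (
    "<p>Hello {{.FirstName}},</p>"
    "<p>Your password expires today. Reset it at <a href=\"{{.URL}}\">{{.URL}}</a>.</p>"
    "<p>{{.From}}</p>"
    "{{.Tracker}}"
)

if __name__ == "__main__":
    target = Target("Ada", "Lovelace", "ada@domain.edu", "Engineer")
    subject, body = preview(SAMPLE_SUBJECT, SAMPLE_HTML, target,
                            "abc123", "http://attacker.org", "IT Support")
    print(subject)
    print(body)
```

Run it against each template before creating the campaign; a ValueError from render means GoPhish would also fail to send, since it parses the same tags with Go's template engine.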
Landing Page
Creating an effective landing page is crucial for assessing how users interact with a phishing email. Open ‘Landing Pages’, select ‘New Page’, and either write the HTML directly or use ‘Import Site’ to clone an existing login page by URL. For this tutorial, I used a simulated Office 365 login page. Tick ‘Capture Submitted Data’ so that form submissions are recorded, leave ‘Capture Passwords’ unticked (GoPhish stores captured passwords in plaintext in its database, and the simulation only needs to know that a submission happened), and set ‘Redirect to’ to the page users should land on afterwards, for example an internal security-awareness page.
Final result of landing page.
Launch Campaign
Launching the campaign is the final step: GoPhish sends the phishing email to the selected users and records their interactions with the email and the landing page.
Set Up the Campaign:
- Name Your Campaign: Choose a name that identifies the purpose of the campaign, such as “IT Staff Test”.
- Select Email Template: Choose the template you prepared earlier, such as “Password Reset”.
- Choose Landing Page: Select the landing page you designed, in this case the simulated “365 Login Page”.
Configure Campaign Details:
- URL: The base URL of the GoPhish phishing server, which must be reachable from the recipients' mailboxes and browsers (by default it listens on port 80, as set in config.json). GoPhish builds each recipient's link from it by appending ?rid= and a unique id, so this value is what {{.URL}} expands to (e.g., http://attacker.org as a placeholder in the training context). The hostname recipients see is part of the test: a domain you control that plausibly fits the scenario is more realistic than a bare IP address.
- Launch Date: Set the date and time when the emails should be sent; the optional ‘Send Emails By’ date spreads the sends over a window instead of sending them all at once.
- Sending Profile: Select the SMTP profile you configured to send out the emails.
Select Recipients:
- Groups: Assign the campaign to one or more groups, such as the “IT Support Team”, to target the training effectively.
Launch the Campaign:
- Once all settings are confirmed, click ‘Launch Campaign’ to start the simulation. Results update in real time as the campaign progresses.
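The same objects can be created and the campaign launched through GoPhish's REST API, which is useful for repeating a simulation on a schedule or for several groups. The script below is an added example, not GoPhish's own code or part of the original post: it posts to the documented /api/smtp/, /api/groups/, /api/templates/, /api/pages/ and /api/campaigns/ endpoints with an Authorization: Bearer header carrying the API key shown under Settings in the web UI. The admin URL, API key, SMTP host and password, addresses, HTML and target list are placeholders to replace; the payload builders are pure functions so the request bodies can be checked without a running server.

```python
"""Create and launch a GoPhish campaign through its REST API (added example).

Builds the sending profile, group, template, landing page and campaign
that the walk-through creates by hand. All hosts, keys and addresses are
placeholders; replace them before running against a real server.
"""
import json
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

ADMIN_URL = "https://127.0.0.1:3333"   # GoPhish admin server default
API_KEY = "REPLACE_WITH_API_KEY"        # shown under Settings in the web UI


def rfc3339_utc(dt):
    """Format a datetime the way the API expects launch_date."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sending_profile_payload(name, from_address, host, username, password):
    # host is "hostname:port"; on 587 GoPhish upgrades the session with STARTTLS.
    return {"name": name, "interface_type": "SMTP", "from_address": from_address,
            "host": host, "username": username, "password": password,
            "ignore_cert_errors": False,  # keep certificate checks on for the relay
            "headers": []}


def group_payload(name, targets):
    # targets: iterable of (first_name, last_name, email, position)
    return {"name": name,
            "targets": [{"first_name": f, "last_name": l, "email": e, "position": p}
                        for f, l, e, p in targets]}


def template_payload(name, subject, html, envelope_sender=""):
    return {"name": name, "envelope_sender": envelope_sender, "subject": subject,
            "text": "", "html": html, "attachments": []}


def page_payload(name, html, redirect_url):
    return {"name": name, "html": html,
            "capture_credentials": True,   # record that the form was submitted
            "capture_passwords": False,    # never store real passwords
            "redirect_url": redirect_url}


def campaign_payload(name, template_name, page_name, smtp_name, group_names, url, launch_date):
    # Related objects are referenced by name; GoPhish resolves them server-side.
    return {"name": name, "template": {"name": template_name}, "page": {"name": page_name},
            "smtp": {"name": smtp_name}, "url": url, "launch_date": launch_date,
            "groups": [{"name": g} for g in group_names]}


def build_campaign_objects(launch_date):
    """(path, payload) pairs for this tutorial's objects, in creation order."""
    return [
        ("/api/smtp/", sending_profile_payload(
            "Test SMTP Profile", "IT Support <admin.it@domain.edu>", "smtp.domain.edu:587",
            "admin.it@domain.edu", "REPLACE_WITH_SMTP_PASSWORD")),
        ("/api/groups/", group_payload(
            "IT Support Team", [("Ada", "Lovelace", "ada@domain.edu", "Engineer")])),
        ("/api/templates/", template_payload(
            "Password Reset", "Password Reset for {{.Email}}",
            '<p>Hello {{.FirstName}}, reset your password at '
            '<a href="{{.URL}}">{{.URL}}</a>.</p>{{.Tracker}}', "admin.it@domain.edu")),
        ("/api/pages/", page_payload(
            "365 Login Page",
            '<form method="post"><input name="username"><input name="password" type="password">'
            '<button>Sign in</button></form>', "https://intranet.domain.edu/security-awareness")),
        ("/api/campaigns/", campaign_payload(
            "IT Staff Test", "Password Reset", "365 Login Page", "Test SMTP Profile",
            ["IT Support Team"], "http://attacker.org", launch_date)),
    ]


def api_post(path, payload, admin_url=ADMIN_URL, api_key=API_KEY, cafile=None):
    """POST JSON to the admin API and return the decoded response."""
    # GoPhish writes a self-signed gophish_admin.crt on first start; trust that
    # file via cafile instead of turning certificate verification off.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(admin_url + path, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {api_key}"},
                                 method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    launch = rfc3339_utc(datetime.now(timezone.utc) + timedelta(minutes=5))
    for path, payload in build_campaign_objects(launch):
        created = api_post(path, payload, cafile="gophish_admin.crt")
        print(path, "->", created.get("id"))
```

The objects are created in dependency order because the campaign references the others by name. If hostname verification fails against the generated admin certificate, replace it with one issued for the admin hostname rather than disabling verification; the API key is equivalent to the admin password.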
Monitoring Results
After the campaign launches, open it from the Campaigns page to see the dashboard: how many emails were sent, opened (via the tracking image) and clicked, and how many recipients submitted data on the landing page. The results table shows the status of each recipient, so you can identify who needs follow-up training, and the timeline records each event with its timestamp, source IP address and, for submissions, the captured form fields. Keep in mind that mail gateways and link scanners that pre-fetch URLs can register opens and clicks that no user made, so clicks arriving within seconds of sending should be checked against the source IP before being attributed to a person. Results can also be exported as CSV from the campaign page.
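For reporting outside the dashboard, the per-recipient results can be pulled from the API and rolled up into the same funnel. The script below is an added example, not GoPhish's own code: it reads the JSON returned by GET /api/campaigns/<id>/results and counts the status values GoPhish stores ("Email Sent", "Email Opened", "Clicked Link", "Submitted Data", "Error"), applying the implication the dashboard uses when it totals them: a submission implies a click, a click implies an open, an open implies a send. The sample response is constructed, and the admin URL and API key are placeholders.

```python
"""Summarise GoPhish campaign results the way the dashboard does (added example).

Reads the per-recipient results from the API and computes the cumulative
sent/opened/clicked/submitted funnel plus the list of people who entered
data. Sample response below is constructed; server details are placeholders.
"""
import json
import ssl
import urllib.request
from collections import Counter

ADMIN_URL = "https://127.0.0.1:3333"   # GoPhish admin server default
API_KEY = "REPLACE_WITH_API_KEY"

# Status strings GoPhish stores per recipient.
SENT, OPENED, CLICKED, SUBMITTED, ERROR = (
    "Email Sent", "Email Opened", "Clicked Link", "Submitted Data", "Error")


def fetch_results(campaign_id, admin_url=ADMIN_URL, api_key=API_KEY, cafile=None):
    """GET /api/campaigns/<id>/results and return the decoded JSON."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"{admin_url}/api/campaigns/{campaign_id}/results",
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read())


def summarize(results):
    """Cumulative counts for the funnel plus the recipients who need follow-up."""
    by_status = Counter(r["status"] for r in results)
    # Each later stage implies the earlier ones, so the counts nest.
    submitted = by_status[SUBMITTED]
    clicked = by_status[CLICKED] + submitted
    opened = by_status[OPENED] + clicked
    sent = by_status[SENT] + opened
    total = len(results)
    return {
        "total": total,
        "sent": sent,
        "opened": opened,
        "clicked": clicked,
        "submitted_data": submitted,
        "reported": sum(1 for r in results if r.get("reported")),
        "error": by_status[ERROR],
        "click_rate": round(clicked / total, 3) if total else 0.0,
        "submitted_by": sorted(r["email"] for r in results if r["status"] == SUBMITTED),
    }


# Constructed sample of what the results endpoint returns, trimmed to the fields used.
SAMPLE_RESPONSE = json.loads("""
{"id": 1, "name": "IT Staff Test", "results": [
  {"email": "ada@domain.edu", "status": "Submitted Data", "reported": false},
  {"email": "bob@domain.edu", "status": "Clicked Link",   "reported": false},
  {"email": "cat@domain.edu", "status": "Email Opened",   "reported": true},
  {"email": "dan@domain.edu", "status": "Email Sent",     "reported": false},
  {"email": "eve@domain.edu", "status": "Error",          "reported": false}
]}
""")

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_results(1, cafile="gophish_admin.crt") for a live campaign.
    print(json.dumps(summarize(SAMPLE_RESPONSE["results"]), indent=2))
```

The "reported" flag is set when a recipient uses the reporting integration, and is the metric that should rise over successive campaigns; "submitted_by" gives the short list for targeted follow-up training without exposing any captured form contents.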