    Phishing Simulation with GoPhish

    It has been reported that 91% of data breaches were launched via a spear-phishing attack. For security professionals, it is widely known that email is the #1 attack vector used. But filtering and secure email gateways are oftentimes not enough to block a targeted spear-phishing attack.

    Phishing simulations teach your end-users to recognize phishing emails in their mailbox and to respond to them correctly. Simulations and training are among the most effective ways to deal with these dangerous attacks because they use real-world scenarios to replicate the sophisticated attacks that actually occur.

    There are many phishing simulation services available such as KnowBe4 or Microsoft Attack Simulation Training, but these can be costly or require a premium upgrade in the case of Microsoft.

    GoPhish

    Gophish is an open-source phishing simulation framework that allows pen testers or security organizations to generate realistic phishing campaigns easily. And because it’s an open-source framework, it’s a solution that’s available to everyone. Gophish is well documented on its website and on GitHub. I’ll walk through installing and using Gophish, as well as some basic integrations with your other security tools.

    The Gophish server binaries are available on GitHub for Linux, Windows, and macOS. You can also run Gophish via the official Docker container.

    Getting Started with GoPhish

    Setting up and using GoPhish for phishing simulation is pretty straightforward, especially for an open-source solution. I’ll walk through what’s needed in this article, but the steps involved are:

    • Set up a Linux VM. I’m going to use an Ubuntu VM in Azure, but Windows can be used, as well as other cloud providers.
    • Install GoPhish and other components.
    • Configure GoPhish.
    • Set up your phishing simulation.

    Set up a GoPhish Virtual Machine

    GoPhish has executables available for Windows, Linux, and Mac. GoPhish can also be deployed as a container. I set up a small Ubuntu VM in Azure for this exercise with 1 vCPU and 1 GB of RAM. You most likely will need to expose the phishing server to the Internet on ports 80/443, but you should keep SSH and the Admin Portal reachable only via the private IP of the VM.

    Once the VM is set up with a public IP address, configure a DNS record to point to the public IP address. I’ll use this later in the Phishing Campaign setup.

    Install GoPhish

    The GoPhish executables can be downloaded from GitHub. There are releases for the most popular operating systems.

    SSH into the VM console using the credentials you created in Azure. You need to install a few prerequisite components first and then GoPhish.

    Run the following command to install the zip and unzip utilities.

    apt-get install zip unzip

    Run the following command to install the Sendmail SMTP server.

    apt-get install sendmail

    Run this command to configure Sendmail. Accept all defaults by pressing enter at each prompt.

    sendmailconfig

    Download the GoPhish release archive and unzip it into a directory under /opt.

    wget https://github.com/gophish/gophish/releases/download/v0.11.0/gophish-v0.11.0-linux-64bit.zip

    mkdir /opt/gophish

    unzip /home/azureuser/gophish-v0.11.0-linux-64bit.zip -d /opt/gophish

    Navigate to the /opt/gophish directory and create two sets of SSL certificates and keys: one for the admin portal, and one for the phishing pages. The commands below produce self-signed certificates; for a more mature setup, use certificates from a valid Certificate Authority.

    openssl req -newkey rsa:2048 -nodes -keyout gophish-admin.key -x509 -days 365 -out gophish-admin.crt

    openssl req -newkey rsa:2048 -nodes -keyout gophish.key -x509 -days 365 -out gophish.crt

    Open the GoPhish configuration file (config.json) and update the certificate settings to point to the cert files you made. Also update the admin_server listen_url to match your VM’s private IP.

    {
        "admin_server": {
            "listen_url": "10.0.0.9:3333",
            "use_tls": true,
            "cert_path": "gophish-admin.crt",
            "key_path": "gophish-admin.key"
        },
        "phish_server": {
            "listen_url": "0.0.0.0:80",
            "use_tls": false,
            "cert_path": "gophish.crt",
            "key_path": "gophish.key"
        },
        "db_name": "sqlite3",
        "db_path": "gophish.db",
        "migrations_prefix": "db/db_",
        "contact_address": "",
        "logging": {
            "filename": "",
            "level": ""
        }
    }

    Run the following command to make the gophish binary executable.

    chmod +x gophish

    Now run this command to launch Gophish from your /opt/gophish directory.

    ./gophish

    You should now be able to browse to the Admin Portal using the private IP address you defined for the VM.
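    As an added example (not code from the article or from the GoPhish project), the following bash script generates the config.json shown above from the VM's private IP and refuses to bind the admin portal to anything other than an RFC 1918 address, which is the exposure the VM section warns about. It assumes the /opt/gophish layout used here, OpenSSL 1.1.1 or newer for the -addext flag, and the private IP 10.0.0.9 from the article as the default; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the article or the GoPhish project: build
# config.json from the private IP and keep the admin portal off public
# addresses. Paths mirror the article's /opt/gophish layout (assumption).
set -eu

# Return 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ip() {
  local ip="$1" second
  case "$ip" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second="${ip#172.}"; second="${second%%.*}"
      case "$second" in
        1[6-9]|2[0-9]|3[01]) return 0 ;;
      esac
      ;;
  esac
  return 1
}

# Write config.json. $1 = admin listen IP, $2 = output path.
# Admin portal uses TLS with the self-signed cert from the article;
# the phishing server listens on 0.0.0.0:80 as in the article.
write_gophish_config() {
  local admin_ip="$1" out="$2"
  if ! is_private_ip "$admin_ip"; then
    echo "refusing to bind admin portal to non-private address: $admin_ip" >&2
    return 1
  fi
  cat > "$out" <<EOF
{
  "admin_server": {
    "listen_url": "${admin_ip}:3333",
    "use_tls": true,
    "cert_path": "gophish-admin.crt",
    "key_path": "gophish-admin.key"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:80",
    "use_tls": false,
    "cert_path": "gophish.crt",
    "key_path": "gophish.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}
EOF
}

# Read the admin_server listen address back out of an existing config.json
# (no jq dependency: awk tracks the admin_server block).
admin_listen_url() {
  awk '
    /"admin_server"/ { in_admin = 1 }
    in_admin && /"listen_url"/ { gsub(/[",]/, ""); print $2; exit }
    in_admin && /}/ { in_admin = 0 }
  ' "$1"
}

# Non-interactive self-signed cert with a SAN, replacing the interactive
# openssl prompts (assumes OpenSSL >= 1.1.1 for -addext).
# $1 = file prefix (gophish-admin or gophish), $2 = hostname.
make_self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2"
}

# Typical use from /opt/gophish (run manually, not executed on load):
#   make_self_signed_cert gophish-admin gophish-admin.internal
#   make_self_signed_cert gophish phish.example.com
#   write_gophish_config 10.0.0.9 /opt/gophish/config.json
#   admin_listen_url /opt/gophish/config.json   # -> 10.0.0.9:3333
```

    The guard in write_gophish_config is the point of the script: a listen_url of 0.0.0.0:3333 would put the admin portal, and every captured credential, on the same public interface as the phishing pages.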

    Log into the Admin Portal using the credentials that are displayed in the console when you launch the executable.

    Setting up your Phishing Campaign

    GoPhish is pretty simple to set up, but allows for some complex customizations. There are a few basic steps needed before you can send your first email. In my scenario, I set up a phishing campaign to mimic a Heroku email-reset message with a cloned Heroku login page.

    Configure the Sending Profile

    The Sending Profile defines the SMTP connection details and the From address.

    Create a User Group

    User Groups contain the target email addresses for your phishing campaign. You can bulk import a CSV or directly enter the contact details.

    Create a Landing Page

    The landing page is where you’ll actually collect credentials. One of the great features of GoPhish is that you can point it at an existing URL and it will copy that page’s HTML into your landing page. This is not only easy, it also works extremely well. In my case I used the Heroku login page. You can also configure the landing page to capture submitted data.

    Create an Email Template

    The phishing emails you send out are defined in Email Templates. You can write the email yourself or use the Import Email function to paste in a raw email body. Again, the Import feature lets you duplicate realistic emails.

    Create the Campaign

    The GoPhish Campaign ties all the other components together and sends the phishing email to users. In the URL field, use the DNS name that points to the public IP address of the VM. This is the address used to host the landing page that users will be sent to.

    Results

    The email links will send the user to the landing page we created on the GoPhish VM.

    On the GoPhish dashboard, we can see results in real-time, and track the progress of our campaign.

    We can drill into the activity for a user and see the timeline and captured credentials.
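    To turn the dashboard's per-user events into the figures a training program actually tracks, here is an added bash example (not the article's or GoPhish's own code) that tallies a results export by status and lists the recipients who submitted credentials so they can be scheduled for follow-up training. The CSV sample inside is constructed with just two columns (email, status); a real GoPhish export carries more columns, so adjust the awk field numbers before feeding it one. The fetch_results_json helper assumes the GoPhish REST API's GET /api/campaigns/<id>/results endpoint with a Bearer API key, as the project documents it, and is not exercised here.

```shell
#!/usr/bin/env bash
# Added example, not from the article or the GoPhish project: summarize a
# campaign's per-recipient results. Column layout (email,status) is a
# constructed assumption; status names are GoPhish's per-result statuses.
set -eu

# Constructed sample: one row per recipient with the furthest status
# the campaign recorded for them.
SAMPLE_RESULTS='email,status
alice@example.com,Email Sent
bob@example.com,Email Opened
carol@example.com,Clicked Link
dave@example.com,Submitted Data
erin@example.com,Email Reported
frank@example.com,Clicked Link'

# Count recipients at or past a funnel stage. Stages are cumulative, as on
# the dashboard: someone who submitted data also opened and clicked.
# $1 = CSV text, $2 = sent|opened|clicked|submitted|reported
count_stage() {
  printf '%s\n' "$1" | awk -F, -v stage="$2" '
    NR == 1 { next }                        # skip header row
    { total++ }
    $2 == "Email Opened"   { opened++ }
    $2 == "Clicked Link"   { opened++; clicked++ }
    $2 == "Submitted Data" { opened++; clicked++; submitted++ }
    $2 == "Email Reported" { reported++ }
    END {
      if      (stage == "sent")      print total + 0
      else if (stage == "opened")    print opened + 0
      else if (stage == "clicked")   print clicked + 0
      else if (stage == "submitted") print submitted + 0
      else if (stage == "reported")  print reported + 0
      else { print "unknown stage: " stage; exit 1 }
    }'
}

# Percentage of recipients who reached a stage, one decimal place.
stage_rate() {  # $1 = CSV text, $2 = stage
  local hit total
  hit=$(count_stage "$1" "$2")
  total=$(count_stage "$1" sent)
  awk -v h="$hit" -v t="$total" 'BEGIN { printf "%.1f\n", (t ? 100 * h / t : 0) }'
}

# Recipients who typed credentials into the landing page, sorted.
users_to_retrain() {  # $1 = CSV text
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "Submitted Data" { print $1 }' | sort
}

# Live pull from a running admin portal (assumed endpoint and auth header
# per the GoPhish API docs; returns JSON, so it needs a different parser).
# $1 = admin URL, e.g. https://10.0.0.9:3333; $2 = campaign id; $3 = API key
fetch_results_json() {
  curl -sk -H "Authorization: Bearer $3" "$1/api/campaigns/$2/results"
}

# Report for the constructed sample (also runnable against your own CSV
# by replacing SAMPLE_RESULTS with "$(cat results.csv)").
for stage in opened clicked submitted reported; do
  printf '%-10s %s%%\n' "$stage" "$(stage_rate "$SAMPLE_RESULTS" "$stage")"
done
printf 'needs follow-up training: %s\n' "$(users_to_retrain "$SAMPLE_RESULTS" | tr '\n' ' ')"
```

    Counting the funnel cumulatively matters when comparing campaigns over time: a recipient recorded as Submitted Data must also be counted as a click, or the click rate will drop as users get further into the trap.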

    Summary

    GoPhish clearly provides a solid alternative to commercial phishing simulations for training or red team operations. The UI is very easy to navigate and is also a very capable tool for building phishing campaigns. GoPhish already has a number of integrations with commercial tools, plus community modifications.
