GoPhish: how to run a phishing simulation

No matter how much time an IT team spends securing your company's data center servers and/or desktops, your security is only as strong as the end users who work on that hardware.

With a single click, one of your employees could bring down your systems. That's why it is important to keep testing your systems, but you also need to educate your users.

With a simple phishing test, you can check the effectiveness of your antivirus solutions as well as the awareness of the people who work in your business. Can your end users spot a suspicious email, or are you one click away from a breach?

How do you test those end users? One way is with the GoPhish phishing toolkit. With GoPhish you can simulate phishing and train your employees.

GoPhish is an easy-to-use platform that runs on Linux, macOS and Windows desktops. With GoPhish you can create and track phishing campaigns, landing pages, sending profiles and more.

Below we will see how to install GoPhish and create a campaign.

I will demonstrate GoPhish on Debian. Installing GoPhish is quite simple regardless of platform, but there is an extra step you need to take on Linux (the system of my choice).

To use GoPhish the way I describe below, you need a Linux distribution and a user with root privileges.

You do not actually install GoPhish: you download a compressed archive, unpack it and run the binary.

The first thing to do is download the compressed GoPhish archive from the official download page. Once the download is complete, open a terminal in the folder that contains the download and create a new folder with the command:

mkdir gophish

Move the compressed file to this folder with the command:

mv gophish*.zip gophish

Go to the new directory with the command:

cd gophish

Then unzip the file with the command:

unzip gophish*.zip

When unzipping completes, you will find (among other things) the GoPhish binary. To run this file, you need to make it executable with the command:

chmod u+x gophish

How to run GoPhish

For GoPhish to work properly, the recipients of the phishing test campaign must be able to reach the phishing server. So the phishing server URL should not use the loopback address but the IP address of the server.

This, of course, means that your server must be reachable. To make sure GoPhish is accessible from your LAN, you need to make a small change to a configuration file. In the terminal you have open, run:

nano config.json

In this file, look for the line:

"listen_url": "",

and change it to:

"listen_url": "SERVER_IP:3333",

where SERVER_IP is the IP address of the machine that will host the campaign. Note that config.json contains a listen_url entry for both the admin_server (the control panel, port 3333) and the phish_server (the address recipients connect to, port 80 by default); it is the phish_server that recipients need to reach, so keep the control panel reachable only from hosts you trust.

Save and close the file with CTRL+X, then press Y and Enter. In our example we did not change the internal IP because we only ran it locally for testing.

You can now start GoPhish with the command:

sudo ./gophish

or, if you are already root:

./gophish

This starts the GoPhish embedded server. Once it is running, you will see a line in the terminal with the default credentials: the username is admin and the password is a random string. Copy that string, then open the admin address in a browser. When prompted, enter the default login credentials.

Sign in to GoPhish for the first time.

You will then be prompted to change the administrator password.

Once you have changed the administrator password, you will land in the GoPhish control panel.

Start a GoPhish campaign

Sending a campaign through GoPhish is quite simple if you know where to start. You can't just click New Campaign and get going, because you first have to create the pieces of the puzzle.

The sending profile holds the SMTP settings (without them GoPhish cannot send campaigns). Click Sending Profiles in the left sidebar, then click New Profile. In the window that opens, configure the SMTP server to be used for the campaign.

Then create an email template by clicking Email Templates in the left pane and then New Template. In the new template window, create the template to use for your campaign.

When creating a template, it is important to use variables. For example, in the subject line you would use something like:

Reset password for {{.Email}}

Then, in the body of the e-mail, you can use something like:

Hi {{.FirstName}},

The password for {{.Email}} has expired. Reset your password here.

Your IT team

Next, add a link: open the link dialog and use {{.URL}} as the URL.
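To show what GoPhish does with these variables, here is an added example in Go (GoPhish is written in Go and expands templates with Go's template syntax); it is not code from the original post or from the GoPhish project. Recipient is a hypothetical, reduced version of the fields GoPhish provides, and the campaign URL and recipient id are constructed values; the per-recipient ?rid= parameter is how a click is later tied to one user in the results.

```go
package main

import (
	"bytes"
	"fmt"
	"net/url"
	"text/template"
)

// Recipient is a reduced, hypothetical copy of the per-target fields GoPhish
// hands to a template (the real context has more, e.g. LastName, Tracker).
type Recipient struct {
	FirstName string
	Email     string
	URL       string
}

// Subject and body use the same {{.Field}} syntax as the GoPhish editor.
const subjectTmpl = "Reset password for {{.Email}}"
const bodyTmpl = "Hi {{.FirstName}},\n\nThe password for {{.Email}} has expired. Reset your password here: {{.URL}}\n\nYour IT team"

// campaignURL builds the per-recipient link: GoPhish appends ?rid=<id> to the
// campaign URL, which is how each click is attributed to one recipient.
func campaignURL(base, rid string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("rid", rid)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// render expands one template for one recipient. A variable that is not a
// field of Recipient (e.g. {{.Name}}) is an execution error, not blank text.
func render(tmpl string, r Recipient) (string, error) {
	var buf bytes.Buffer
	t, err := template.New("mail").Parse(tmpl)
	if err == nil {
		err = t.Execute(&buf, r)
	}
	return buf.String(), err
}

func main() { // constructed sample values
	link, _ := campaignURL("http://192.0.2.10", "abc123")
	body, _ := render(bodyTmpl, Recipient{FirstName: "Alice", Email: "alice@example.com", URL: link})
	fmt.Println(body)
}
```

A misspelled variable name makes the template fail rather than silently sending an email with a blank field, so test-send a template to yourself before launching a campaign.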

Then you need to create a landing page. This simulates the page on which users would try to log in to their service or change their password.

For this, use a real site that requires users to log in or change their password; it may be one of your own servers or a third party's. Click Landing Pages, then New Landing Page.

In the window that opens, give the page a name, click Import Site, type the URL of the login page to use and click Import. Tick Capture Submitted Data. Bear in mind that this stores whatever users type into the cloned form; GoPhish has a separate Capture Passwords option, and storing real passwords is a risk in itself, so only enable what the test actually needs.

Finally, you need to create a group. Click Users & Groups in the left sidebar, then New Group. In the window, name the group and add or import users: these are the email addresses you will send the phishing campaign to.

After creating all of the above, click Campaigns and then New Campaign. In the New Campaign window, select the pieces you have just created.

The only thing to watch out for is the URL. This is the value that populates {{.URL}}, and it must be reachable by the recipients: it must be the domain or IP address of the server hosting GoPhish.

Once everything is filled in, click Start Campaign, which starts sending emails to the recipient list you created in the Groups section.

Recipients will receive the email and may click the link. When they do, GoPhish records it. You can then see the results in the control panel: which users opened the email, which clicked the phishing link, and which entered data on the page they were taken to.


Written by giorgos
