Introduction to GoPhish and Phishing Simulations
Phishing remains the most effective vector for initial network compromise, with 80%+ of breaches beginning with a phishing email. GoPhish is an open-source phishing framework designed specifically for authorized security assessments and employee awareness training. Organizations use GoPhish-based phishing simulations to identify vulnerabilities in their workforce and validate the effectiveness of security training.
This tutorial demonstrates setting up a legitimate, authorized phishing simulation lab. Unauthorized phishing is illegal; this content is strictly for authorized security testing only.
Prerequisites and Legal Requirements
Essential Authorization
Before setting up any phishing simulation:
- Written organizational approval: Obtain explicit written permission from organizational leadership
- Legal compliance: Ensure compliance with laws like the CFAA, Computer Misuse Act, and GDPR
- Scope definition: Clearly define which employees/systems are targets
- Consent documentation: Maintain proof of authorization for all activities
- Insurance coverage: Verify cyber liability insurance covers phishing simulations
Technical Prerequisites
- Linux server (Ubuntu 20.04+ recommended)
- Domain name you own or control
- SSL certificate
- Basic networking knowledge
- Ability to configure mail DNS records
Installing and Configuring GoPhish
Step 1: Download and Extract GoPhish
# Download latest GoPhish release
cd /opt
sudo mkdir gophish
cd gophish
sudo wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
# Extract archive
sudo unzip gophish-v0.12.1-linux-64bit.zip
# Make executable
sudo chmod +x gophish
# Verify installation
sudo ./gophish --version
Step 2: Generate Self-Signed Certificate
For testing purposes, generate a self-signed certificate:
# Navigate to GoPhish directory
cd /opt/gophish
# Generate private key
sudo openssl genrsa -out gophish_key.pem 2048
# Generate certificate (valid for 365 days)
sudo openssl req -new -x509 -key gophish_key.pem -out gophish_cert.pem -days 365 \
-subj "/C=US/ST=State/L=City/O=Organization/CN=phishing-lab.local"
For production phishing simulations, use a valid SSL certificate from Let’s Encrypt or your certificate authority.
Edit the configuration file:
sudo nano config.json
Default configuration (the extracted archive ships a config.json; these are the keys GoPhish reads from it):
{
  "admin_server": {
    "listen_url": "0.0.0.0:3333",
    "use_tls": true,
    "cert_path": "gophish_cert.pem",
    "key_path": "gophish_key.pem"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:80",
    "use_tls": false,
    "cert_path": "example.crt",
    "key_path": "example.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}
Secure configuration for production (admin panel bound to loopback and reached over SSH or VPN, phishing server on 443 with a valid certificate, log written to a file):
{
  "admin_server": {
    "listen_url": "127.0.0.1:3333",
    "use_tls": true,
    "cert_path": "gophish_cert.pem",
    "key_path": "gophish_key.pem"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:443",
    "use_tls": true,
    "cert_path": "valid_cert.pem",
    "key_path": "valid_key.pem"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "gophish.log",
    "level": ""
  }
}
Running GoPhish
Starting the Service
# Navigate to GoPhish directory
cd /opt/gophish
# Start GoPhish (runs in foreground)
sudo ./gophish
# Or run as background service
sudo ./gophish &
# Output shows the admin URL and, on first start, the initial admin password:
# [*] Admin server listening on https://0.0.0.0:3333
# [*] Phishing server listening on http://0.0.0.0:80
# [*] Please open https://127.0.0.1:3333 in your browser
# [*] Please login with the username admin and the password <initial-password>
Initial Admin Access
Access the admin panel:
- Open browser to https://localhost:3333
- Accept security warning (self-signed certificate)
- Login with default credentials:
- Username: admin
- Password: gophish
Change default password immediately:
- Click your username in top-right
- Select “Change Password”
- Enter new strong password
Creating Phishing Campaigns
Step 1: Design the Email Template
Navigate to Email Templates:
- Click “New Template”
- Choose “Clone from Campaign” or start fresh
- Design email content to mimic legitimate organizational emails
Example template ({{.FirstName}} and {{.URL}} are filled in per recipient by GoPhish; {{.Tracker}} inserts the one-pixel image that records an open):
<!DOCTYPE html>
<html>
<head>
  <title>Security Alert</title>
</head>
<body>
  <h2>Security Alert - Action Required</h2>
  <p>Dear {{.FirstName}},</p>
  <p>We've detected unusual activity on your account.
  Please verify your credentials to secure your account:</p>
  <p><a href="{{.URL}}">Verify Account</a></p>
  <p>IT Security Team</p>
  <!-- open-tracking image; without it "Emails opened" is never recorded -->
  {{.Tracker}}
</body>
</html>
Important design elements:
- Use realistic company branding
- Include organizational email signatures
- Reference legitimate company policies
- Create urgency without appearing suspicious
- Include proper unsubscribe links
Step 2: Create Landing Page
Navigate to Landing Pages:
- Click “New Page”
- Use “Import Site” to mirror legitimate login pages
- Configure user input capture
Cloning a real page:
# From command line, mirror a website
wget --mirror -k -K https://legitimate-site.com/login
Upload the cloned HTML to GoPhish landing page section.
Step 3: Build the Campaign
Navigate to Campaigns:
- Click “New Campaign”
- Configure:
- Campaign Name: Descriptive name for tracking
- Email Template: Select previously created template
- Landing Page: Select landing page for credential harvesting
- Redirect URL: Where users go after clicking (legitimate company page)
Campaign configuration example:
Name: Q2 2026 Phishing Simulation
Email Template: Security Alert Template
Landing Page: Office365 Login Clone
Redirect URL: https://company.com
Step 4: Import User List
Create a CSV file with the target users. The column headers must match what the GoPhish importer looks for (First Name, Last Name, Email, Position), otherwise {{.FirstName}} in the template stays empty; Position may be left blank:
First Name,Last Name,Email,Position
John,Smith,john.smith@company.com,
Jane,Doe,jane.doe@company.com,
Bob,Wilson,bob.wilson@company.com,
Upload in the campaign creation interface.
Step 5: Launch Campaign
Configure launch settings:
- Launch Date/Time: Immediate or scheduled
- Sending Profile: SMTP configuration (see below)
- URL: GoPhish phishing URL
Configuring Email Delivery
Step 1: Set Up Sending Profile
Navigate to Sending Profiles:
- Click “New Profile”
- Configure SMTP:
- Name: Descriptive profile name
- From: Spoofed email address
- Host: SMTP server
- Port: 587 (STARTTLS) or 465 (implicit TLS)
- Username/Password: SMTP credentials
Example configuration:
Name: Company SMTP
From: noreply@company.com
Host: smtp.company.com
Port: 587
Auth: SMTP Authentication
Username: gophish_service
Password: xxxxxxxx
Step 2: DNS Configuration for Email Spoofing
Configure SPF, DKIM, and DMARC records on the sending domain to improve deliverability:
# SPF Record (add to DNS)
example.com TXT "v=spf1 include:_spf.google.com ~all"
# DMARC Record
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# DKIM Configuration
# Generated during SMTP configuration
Warning: Proper SPF/DMARC configuration helps emails reach inboxes but may reveal testing activity. Balance realism with operational security.
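A pre-flight check of records like the ones above against the sending profile, as an added example that is not part of GoPhish or of this tutorial. It parses SPF and DMARC TXT strings supplied inline (in practice, fetched with `dig TXT <domain>`) and flags the problems that get simulation mail rejected, such as records published on a domain other than the From address's domain; the sender term and addresses are constructed.

```python
# Added example (not GoPhish code): pre-flight check of the SPF/DMARC records
# a sending profile relies on. Records are passed in as TXT strings so the
# check runs offline; fetch them with `dig TXT <domain>` in practice.


def parse_spf(txt):
    """Split an SPF record into (qualifier, term) pairs, e.g. ('~', 'all')."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a dict of tags."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def preflight(from_addr, record_domain, spf_txt, dmarc_txt, sender_term):
    """Return findings to resolve before launch. sender_term is the SPF term
    that covers the SMTP host, e.g. 'ip4:203.0.113.10' (constructed)."""
    findings = []
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # DMARC alignment: the records must be on the From address's domain.
    if from_domain != record_domain.lower():
        findings.append(f"records on {record_domain}, From domain is {from_domain}")
    spf = parse_spf(spf_txt)
    if sender_term.lower() not in [term for _, term in spf]:
        findings.append(f"SPF does not list {sender_term}")
    qualifiers = [q for q, term in spf if term == "all"]
    if not qualifiers:
        findings.append("SPF has no terminating all mechanism")
    elif qualifiers[-1] == "+":
        findings.append("SPF ends with +all, which authorizes any sender")
    policy = parse_dmarc(dmarc_txt).get("p", "none")
    findings.append(f"note: DMARC policy is p={policy}")
    return findings
```

Run it with the From address from the sending profile and the domain the records are actually published on; the tutorial's own example (noreply@company.com sending with records on example.com) is exactly the mismatch it reports.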
Campaign Monitoring and Analysis
Tracking Campaign Results
Access the campaign dashboard:
- Results Overview:
  - Emails sent
  - Emails opened (when landing page accessed)
  - Links clicked
  - Credentials submitted
- Detailed Results:
  - Per-user click tracking
  - Submission data
  - Timestamp information
  - User IP addresses
Analyzing User Behavior
Campaign Results:
- John Smith: Opened email, submitted credentials (8:32 AM)
- Jane Doe: Clicked link, didn't submit (8:45 AM)
- Bob Wilson: No open, no click (Never interacted)
Use results to identify:
- High-risk employees requiring additional training
- Effective phishing templates
- Optimal send times
- Vulnerability patterns
Post-Campaign Actions
Step 1: Notify Participants
After campaign completion, immediately notify participants:
Subject: Security Awareness Training Follow-up
You recently received a phishing simulation email as part of our
security awareness program. This was an authorized test to measure
our organizational security posture.
If you clicked the link or submitted credentials, please:
1. Reset your password immediately
2. Enable multi-factor authentication
3. Complete security training [link]
Step 2: Conduct Training
Provide targeted training to users who fell for the phishing:
- Review red flags in phishing emails
- Explain proper credential verification
- Demonstrate verification procedures
- Provide resources and support
Step 3: Documentation
Maintain records for compliance:
Phishing Simulation Campaign Report
Campaign: Q2 2026 Phishing Simulation
Date Conducted: 2026-04-10
Authorization: Signed by CTO, CFO
Total Users: 250
Results:
- Emails Sent: 250
- Emails Opened: 145 (58%)
- Credentials Submitted: 38 (15%)
Users Requiring Training: 38
Follow-up Training Scheduled: 2026-04-17
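The per-user results from "Analyzing User Behavior" can be turned into the counts in this report without re-reading the dashboard. The script below is an added example, not GoPhish code: it consumes results shaped like the JSON that GoPhish returns from GET /api/campaigns/<id>/results (each entry's `status` is the furthest stage reached), with a constructed sample built from the three tutorial users.

```python
# Added example (not GoPhish code): turn a campaign's results, shaped like the
# JSON from GET /api/campaigns/<id>/results, into the numbers used in the
# campaign report. The sample is constructed from the three tutorial users.
import json
from collections import Counter

# Stages in the order GoPhish advances a target; `status` holds the furthest
# stage reached, so later stages imply the earlier ones when counting.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

SAMPLE_RESULTS = json.dumps({
    "name": "Q2 2026 Phishing Simulation",
    "results": [
        {"email": "john.smith@company.com", "status": "Submitted Data", "reported": False},
        {"email": "jane.doe@company.com", "status": "Clicked Link", "reported": False},
        {"email": "bob.wilson@company.com", "status": "Email Sent", "reported": True},
    ],
})


def campaign_stats(results_json):
    """Cumulative per-stage counts plus how many targets reported the email."""
    results = json.loads(results_json)["results"]
    reached = Counter(r["status"] for r in results)
    stats = {"total": len(results)}
    for i, stage in enumerate(STAGES):
        stats[stage] = sum(reached[s] for s in STAGES[i:])
    stats["Email Reported"] = sum(1 for r in results if r.get("reported"))
    return stats


def users_requiring_training(results_json, from_stage="Submitted Data"):
    """Targets who reached `from_stage` or later; the default matches the report's
    'Users Requiring Training' line, pass 'Clicked Link' to include clickers too."""
    results = json.loads(results_json)["results"]
    later = STAGES[STAGES.index(from_stage):]
    return sorted(r["email"] for r in results if r["status"] in later)


def report(results_json):
    """Render the summary block from the documentation step."""
    s = campaign_stats(results_json)
    lines = [f"Total Users: {s['total']}", "Results:"]
    for stage in STAGES + ["Email Reported"]:
        pct = round(100 * s[stage] / s["total"]) if s["total"] else 0
        lines.append(f"- {stage}: {s[stage]} ({pct}%)")
    lines.append(f"Users Requiring Training: {len(users_requiring_training(results_json))}")
    return "\n".join(lines)
```

Entries with status "Error" or "Scheduled" count toward the total but not toward any stage, so a campaign whose mailer failed shows a visibly low "Email Sent" figure.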
Security Considerations
Operational Security
- Restrict access: Limit admin panel access to security team
- Log all activity: Enable audit logging
- Use VPN: Access admin panel only through secure channels
- IP whitelisting: Restrict admin access by IP address
- Monitor infrastructure: Ensure phishing infrastructure isn’t detected
Legal and Ethical Protection
- Authorization documentation: Maintain written approval for all activities
- Scope limitations: Never test users outside authorized scope
- Data protection: Secure captured credentials; never store in plain text
- Incident response: Prepare procedures for unintended consequences
- Regular training: Ensure all testers understand legal/ethical boundaries
Advanced GoPhish Techniques
Custom Phishing Pages
Create advanced landing pages that capture additional fields beyond the username and password:
<!-- Capture additional data -->
<form method="POST">
<input type="email" name="email" placeholder="Email">
<input type="password" name="password" placeholder="Password">
<input type="text" name="employeeID" placeholder="Employee ID">
<input type="submit" value="Verify">
</form>
Multi-Stage Campaigns
Design phishing campaigns that:
- Send initial email
- Harvest credentials on first landing page
- Redirect to second page requesting additional information
- Track progressive disclosure of information
Conclusion
GoPhish enables authorized organizations to assess employee vulnerability to phishing attacks and measure the effectiveness of security awareness training. Properly configured phishing simulations identify high-risk users and demonstrate the importance of security training.
Always operate within explicit authorization, maintain detailed documentation, and treat captured data with appropriate security controls. Phishing simulations serve legitimate security purposes when conducted ethically and legally.