What is GoPhish?
GoPhish is a great platform for launching phishing campaigns on a budget. By simply installing it along with Postfix on a DigitalOcean droplet, we can launch phishing campaigns customized to our own needs from the cloud for only a few dollars a month. Compare this to other options like what Microsoft offers, and it suddenly becomes a very appealing platform. There is a lot of discussion across the internet, though, on the pros and cons of using GoPhish. Some teams dislike it because it adds a header to every email identifying itself as GoPhish, some dislike it because it doesn't have the robust default options you would get with a paid solution, and some dislike it because it can be seen as a hacky approach to the problem of how to phish your own users. Coming from better-known pre-configured platforms, I like it for the ability to customize campaigns to what different teams and users are facing from company to company. Sure, Microsoft can launch a campaign in five different languages, but rarely do their options represent what I see in the real world.
With all this said, let's begin setting up GoPhish!
First up is installing Postfix. Postfix is what we will use for sending the actual emails. It's a lightweight open-source mail server that pairs very easily with GoPhish. Setup is simple: just run apt-get install postfix. Once Postfix is installed, we want to ensure the mynetworks variable is set to our local home IP, since mynetworks decides which clients are allowed to relay mail through the server.
The next step, if you want to receive emails, is to set up an A record and an MX record. To do so, go to DigitalOcean, select the project this droplet resides under, and then select Networking. From there, go to Domains and add a new one. Once that is done, we can begin setting up the DNS records. We will need an A record that points to our VPS IP and an MX record that points to our domain name.
This step is optional though as a lot of phishing campaigns focus on emulating automated emails like password resets or billing invoice documents, so being able to receive emails is less important.
Now that Postfix is installed and set up, we can install GoPhish. As of writing this, 0.12 is the most up-to-date version. Download it with wget https://github.com/gophish/gophish/releases/download/v0.12.0/gophish-v0.12.0-linux-64bit.zip and then run unzip gophish-v0.12.0-linux-64bit.zip && chmod +x gophish. Now that GoPhish is installed and executable, start it with ./gophish
Since the admin panel listens on localhost:3333 by default, and I don't want to open this interface up to the internet, let's create an SSH tunnel with sudo ssh -i <cert> root@<ip> -L3333:localhost:3333 -N -f where <ip> is your DigitalOcean VPS IP and <cert> is the key file (identity) you're using for user authentication. Log in and start poking around! There's a lot we can do here, and launching custom phishing campaigns that fit our needs is fairly simple.
Starting your first campaign
I will provide a simple campaign to test whether users execute macros in documents; it can be expanded to do a lot more if you want. Below is the example macro, which reaches out to requestbin with the current username, showing who executed the document.
Setting up the campaign in GoPhish's dashboard is very quick. We first need to create a sender profile that we will use to send the document with.
What you want to call the profile goes into the name field. The "From:" field is where you make your fake sending persona. The "Host:" will be the IP of your Postfix server if it's not hosted locally. The Username/Password can be left blank unless you have authentication for your SMTP service turned on. And finally in the "Email Headers:" field, we can add custom data to help identify us to spam filters and allow test campaigns through.
Then, we need to set up an email template. This is where we will include the document we made above as an attachment along with a convincing message to tell users to open the document and enable the macro to run.
There's a nifty trick for creating templates: you can import a saved email that you want to emulate or that you often see users receive. Otherwise, fill in the subject and body with what you think will test your users well and attach the file. Something important to remember: do not make phishing campaigns too good. Emulating common services that your teams use can have the opposite effect from what was intended and leave them overly suspicious of legitimate day-to-day emails. Some things should be off limits too, like pretending to be the executive team and offering COVID bonuses to people who are struggling. Yes, you will probably get someone desperate enough to click and execute, and yes, the criminals are not above doing this. But you won't develop a good relationship with the rest of the company, and users will grow to resent the security team if that's how you go about testing.
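The sender profile and template from the two steps above can also be created through GoPhish's REST API (POST /api/smtp/ and POST /api/templates/) so a campaign is reproducible and the allow-list header is never mistyped. This is an added example, not code from the original post or from the GoPhish project; it assumes the admin panel is reached through the SSH tunnel at https://localhost:3333 and that the API key is copied from the GoPhish Settings page.

```python
import base64
import json
import ssl
import urllib.request

# Assumption: the admin API is reached through the SSH tunnel from the post,
# i.e. https://localhost:3333 behind GoPhish's self-signed admin certificate.
GOPHISH_URL = "https://localhost:3333"


def build_sending_profile(name, from_address, host, header_key, header_value):
    """Body for POST /api/smtp/. The custom header is what you hand to the
    mail-filter owners so test campaigns are allow-listed and later traceable."""
    return {
        "name": name,
        "interface_type": "SMTP",
        "from_address": from_address,  # sending persona, e.g. "IT <it@example.com>"
        "host": host,                  # "ip:port" of the Postfix relay
        "username": "",                # blank unless SMTP auth is enabled on Postfix
        "password": "",
        "ignore_cert_errors": True,
        "headers": [{"key": header_key, "value": header_value}],
    }


def build_template(name, subject, text, html, filename, mime_type, data):
    """Body for POST /api/templates/; GoPhish wants attachments base64-encoded."""
    return {
        "name": name,
        "subject": subject,
        "text": text,
        "html": html,
        "attachments": [{"name": filename, "type": mime_type,
                         "content": base64.b64encode(data).decode("ascii")}],
    }


def gophish_post(path, payload, api_key, base_url=GOPHISH_URL):
    """POST JSON with the bearer API key from the GoPhish Settings page."""
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": "Bearer " + api_key,
                 "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # self-signed cert on the localhost tunnel only
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```

Call gophish_post("/api/smtp/", profile, key) and then gophish_post("/api/templates/", template, key); each returns the created object with the id you will later reference from the campaign.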