Gophish Social Engineering Framework Cheat Sheet

Overview

Gophish is an open-source phishing framework designed for businesses and penetration testers to conduct real-world phishing simulations. It provides a web-based interface for creating and managing phishing campaigns, tracking results, and generating reports.

⚠️ Warning: This tool is intended for authorized security testing and awareness training only. Ensure you have proper authorization before conducting any phishing campaigns.

Installation

Pre-compiled Binaries

bash
# Download release v0.12.1 for Linux
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish

# Download for Windows
# Download gophish-v0.12.1-windows-64bit.zip from GitHub releases

# Download for macOS (the release asset is named "osx")
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-osx-64bit.zip
unzip gophish-v0.12.1-osx-64bit.zip
chmod +x gophish

Build from Source

bash
# Install Go (version 1.19+)
git clone https://github.com/gophish/gophish.git
cd gophish
go build

Docker Installation

bash
# Pull official Docker image
docker pull gophish/gophish

# Run Gophish in Docker
docker run -it -p 3333:3333 -p 8080:8080 gophish/gophish

# Run with persistent data
docker run -it -p 3333:3333 -p 8080:8080 -v /opt/gophish:/opt/gophish gophish/gophish

Basic Usage

Starting Gophish

bash
# Start Gophish server
./gophish

# Start with custom configuration
./gophish --config config.json

# Listen addresses are not command-line flags; set them in config.json:
#   admin_server.listen_url  (default 127.0.0.1:3333)
#   phish_server.listen_url  (default 0.0.0.0:80)

Initial Setup

bash
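# Default admin credentials (change immediately)
# Username: admin
# Password: randomly generated on first launch and printed in the startup log
#           (releases before v0.10.1 used the fixed password "gophish")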

# Access admin interface
# https://localhost:3333

# Access phishing server
# http://localhost:8080

Configuration

Basic Configuration (config.json)

json
{
  "admin_server": {
    "listen_url": "0.0.0.0:3333",
    "use_tls": true,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:8080",
    "use_tls": false,
    "cert_path": "example.crt",
    "key_path": "example.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}

SSL/TLS Configuration

bash
# Generate self-signed certificate for admin interface
openssl req -newkey rsa:4096 -nodes -keyout gophish_admin.key -x509 -days 365 -out gophish_admin.crt

# Generate certificate for phishing server
openssl req -newkey rsa:4096 -nodes -keyout phish.key -x509 -days 365 -out phish.crt

# Use Let's Encrypt certificate
certbot certonly --standalone -d yourdomain.com

Database Configuration

json
{
  "db_name": "mysql",
  "db_path": "user:password@tcp(localhost:3306)/gophish?charset=utf8&parseTime=True&loc=Local",
  "migrations_prefix": "db/db_"
}
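
The settings above decide how exposed a Gophish host is. The following added example (not part of the original cheat sheet or the Gophish project) audits a parsed config.json for an admin interface bound to every interface, disabled TLS, and a database password embedded in db_path. The function name and finding texts are assumptions made for illustration.

```python
import json

# Constructed sample: the server settings above combined with the MySQL db_path on this page
SAMPLE_CONFIG = """
{
  "admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": true},
  "phish_server": {"listen_url": "0.0.0.0:8080", "use_tls": false},
  "db_name": "mysql",
  "db_path": "user:password@tcp(localhost:3306)/gophish?charset=utf8&parseTime=True&loc=Local"
}
"""

ALL_INTERFACES = {"", "0.0.0.0", "::", "[::]"}


def audit_config(cfg):
    """Return (setting, finding) tuples for a parsed Gophish config.json."""
    findings = []
    admin = cfg.get("admin_server", {})
    phish = cfg.get("phish_server", {})

    # listen_url is host:port; an empty host also means "every interface"
    admin_host = admin.get("listen_url", "").rsplit(":", 1)[0]
    if admin_host in ALL_INTERFACES:
        findings.append(("admin_server.listen_url",
                         "admin UI reachable on all interfaces; bind to 127.0.0.1 "
                         "and reach it over SSH or a VPN"))
    if not admin.get("use_tls", False):
        findings.append(("admin_server.use_tls",
                         "admin logins and API keys cross the network unencrypted"))
    if not phish.get("use_tls", False):
        findings.append(("phish_server.use_tls",
                         "data submitted to landing pages is sent unencrypted"))

    # A MySQL DSN has the form user:password@tcp(host:port)/db
    db_path = cfg.get("db_path", "")
    if cfg.get("db_name") == "mysql" and "@" in db_path:
        _user, _, password = db_path.split("@", 1)[0].partition(":")
        if password:
            findings.append(("db_path",
                             "database password stored in config.json; restrict the "
                             "file to the service account"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_config(json.loads(SAMPLE_CONFIG)):
        print(f"{setting}: {finding}")
```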

Campaign Management

Creating Email Templates

html
<!-- Basic phishing template -->
<!DOCTYPE html>
<html>
<head>
    <title>Security Alert</title>
</head>
<body>
    <h2>Security Alert - Action Required</h2>
    <p>Dear {{.FirstName}} {{.LastName}},</p>
    <p>We have detected suspicious activity on your account.</p>
    <p>Please click <a href="{{.URL}}">here</a> to verify your account.</p>
    <p>Best regards,<br>IT Security Team</p>
    {{.Tracker}}
</body>
</html>

Landing Page Templates

html
<!-- Credential harvesting page -->
<!DOCTYPE html>
<html>
<head>
    <title>Account Verification</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 50px; }
        .form-container { max-width: 400px; margin: auto; }
        input { width: 100%; padding: 10px; margin: 10px 0; }
        button { background: #007cba; color: white; padding: 10px 20px; border: none; }
    </style>
</head>
<body>
    <div class="form-container">
        <h2>Account Verification</h2>
        <form method="post" action="">
            <input type="text" name="username" placeholder="Username" required>
            <input type="password" name="password" placeholder="Password" required>
            <button type="submit">Verify Account</button>
        </form>
    </div>
    {{.Tracker}}
</body>
</html>

Sending Profiles (SMTP)

json
{
  "name": "Gmail SMTP",
  "host": "smtp.gmail.com:587",
  "username": "your-email@gmail.com",
  "password": "app-password",
  "from_address": "security@company.com",
  "ignore_cert_errors": false
}

User Groups

csv
First Name,Last Name,Email,Position
John,Doe,john.doe@company.com,Manager
Jane,Smith,jane.smith@company.com,Developer
Bob,Johnson,bob.johnson@company.com,Analyst

Advanced Features

Template Variables

html
<!-- Available template variables -->
{{.FirstName}}     <!-- User's first name -->
{{.LastName}}      <!-- User's last name -->
{{.Email}}         <!-- User's email address -->
{{.Position}}      <!-- User's position -->
{{.URL}}           <!-- Tracking URL -->
{{.Tracker}}       <!-- Tracking pixel -->
{{.From}}          <!-- From address -->
{{.RId}}           <!-- Result ID -->

Custom Headers

json
{
  "headers": [
    {
      "key": "X-Mailer",
      "value": "Microsoft Outlook 16.0"
    },
    {
      "key": "X-Priority",
      "value": "1"
    }
  ]
}

Webhook Integration

bash
# Configure webhook for real-time notifications
# (the admin server uses TLS when use_tls is true, so the API is reached over https)
curl -X POST https://localhost:3333/api/webhooks/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "name": "Slack Webhook",
    "url": "https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK",
    "secret": "webhook-secret",
    "is_active": true
  }'
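
Gophish signs each webhook body with the configured secret and sends the result in the X-Gophish-Signature header as sha256= followed by the hex HMAC-SHA256. The following added example (not from the original cheat sheet or the Gophish project) shows the receiver-side check; the function names and the sample event body are constructed, and headers is assumed to be a plain dict keyed by the exact header name.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Gophish-Signature"  # set by Gophish on each webhook request


def expected_signature(secret, body):
    """HMAC-SHA256 of the raw request body, formatted as sha256=<hex>."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook(secret, headers, body):
    """True only if the signature header matches the body under the shared secret."""
    received = headers.get(SIGNATURE_HEADER, "")
    expected = expected_signature(secret, body)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII header values
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))


def handle_event(secret, headers, body):
    """Parse the event only after the signature has been checked."""
    if not verify_webhook(secret, headers, body):
        return None  # unsigned or tampered request: drop it
    return json.loads(body)


# Constructed sample event; field values are illustrative
SECRET = "webhook-secret"
BODY = json.dumps({"campaign_id": 1, "email": "john.doe@company.com",
                   "message": "Clicked Link"}).encode()
GOOD_HEADERS = {SIGNATURE_HEADER: expected_signature(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_event(SECRET, GOOD_HEADERS, BODY))
    # Body changed after signing: the check fails and nothing is parsed
    print(handle_event(SECRET, GOOD_HEADERS, BODY.replace(b"Clicked Link", b"Email Sent")))
```

Verify against the raw bytes received, before any JSON parsing or re-serialisation, since re-encoding changes the byte string that was signed.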

API Usage

Authentication

bash
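# Get the API key from the admin interface
# Account Settings > API Key (use Reset to rotate it)

# Use API key in requests (the admin server uses TLS when use_tls is true;
# for a self-signed certificate, pass it to curl with --cacert)
curl -H "Authorization: Bearer YOUR_API_KEY" https://localhost:3333/api/campaigns/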

Campaign Management via API

bash
# List campaigns
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://localhost:3333/api/campaigns/

# Get campaign details
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://localhost:3333/api/campaigns/1

# Create campaign
curl -X POST https://localhost:3333/api/campaigns/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "name": "Test Campaign",
    "template": {"name": "Test Template"},
    "page": {"name": "Test Landing Page"},
    "smtp": {"name": "Test SMTP"},
    "groups": [{"name": "Test Group"}],
    "launch_date": "2024-01-01T09:00:00Z"
  }'

Results via API

bash
# Get campaign results
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://localhost:3333/api/campaigns/1/results

# Get campaign summary
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://localhost:3333/api/campaigns/1/summary

Evasion Techniques

Email Evasion

html
<!-- Use legitimate-looking sender -->
From: IT Security <security@company.com>

<!-- Mimic legitimate services -->
Subject: [URGENT] Account Security Alert - Action Required

<!-- Use URL shorteners -->
<a href="https://bit.ly/3xyz123">Verify Account</a>

<!-- Hide tracking pixels -->
<img src="{{.Tracker}}" width="1" height="1" style="display:none;">

Domain Spoofing

bash
# Use similar domains
# Original: company.com
# Spoofed: comp4ny.com, company-security.com

# Use subdomains
# security.legitimate-domain.com

# Use URL shorteners
# bit.ly, tinyurl.com, goo.gl

Content Obfuscation

html
<!-- Use HTML entities -->
<a href="&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#101;&#118;&#105;&#108;&#46;&#99;&#111;&#109;">Click Here</a>

<!-- Use CSS to hide content -->
<span style="display:none;">PHISHING</span>Legitimate Content

<!-- Use zero-width characters -->
Legi‌timate‌ Content
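
From the mail-filtering side, each technique in this section leaves a marker that can be checked for. The following added example (not part of the original cheat sheet) inspects an HTML body for zero-width characters, CSS-hidden content, entity-encoded links, the shorteners named above, and lookalike hosts. PROTECTED_DOMAIN, the function names and the sample body are assumptions built from the snippets on this page.

```python
import html
import re
from urllib.parse import urlsplit

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}   # the shorteners named above
PROTECTED_DOMAIN = "company.com"                    # placeholder for your own domain
DIGIT_SWAPS = str.maketrans("0134", "olea")         # common digit-for-letter swaps

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']*)["\']', re.I)
HIDDEN_RE = re.compile(r'style\s*=\s*["\'][^"\']*display\s*:\s*none', re.I)
ENTITY_RE = re.compile(r"&#x?[0-9a-f]+;", re.I)


def is_lookalike(host, protected=PROTECTED_DOMAIN):
    """Brand label appears (after undoing digit swaps) in a host we do not own."""
    if host == protected or host.endswith("." + protected):
        return False
    brand = protected.split(".")[0]
    return brand in host.translate(DIGIT_SWAPS)


def inspect_email_html(body):
    """Return the set of obfuscation indicators found in an HTML email body."""
    findings = set()
    if any(ch in ZERO_WIDTH for ch in body):
        findings.add("zero-width-characters")
    if HIDDEN_RE.search(body):
        findings.add("css-hidden-content")
    for raw in HREF_RE.findall(body):
        if ENTITY_RE.search(raw):
            findings.add("entity-encoded-href")
        # Decode entities first so the check sees the URL the mail client will open
        host = (urlsplit(html.unescape(raw)).hostname or "").lower()
        if host in SHORTENERS:
            findings.add("url-shortener")
        if host and is_lookalike(host):
            findings.add("lookalike-domain")
    return findings


# Constructed sample built from the snippets in this section
SAMPLE = (
    '<a href="&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#101;&#118;&#105;&#108;'
    '&#46;&#99;&#111;&#109;">Click Here</a>'
    '<span style="display:none;">PHISHING</span>Legi\u200ctimate Content'
    '<a href="https://bit.ly/3xyz123">Verify Account</a>'
    '<a href="https://comp4ny.com/login">Portal</a>'
)
```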

Reporting and Analytics

Campaign Metrics

bash
# Key metrics tracked:
# - Emails sent
# - Emails opened
# - Links clicked
# - Data submitted
# - Email reported

# Timeline tracking:
# - When emails were opened
# - When links were clicked
# - Geographic data
# - User agent information

Export Results

bash
# Export campaign results (the API returns JSON; CSV export is done from the
# campaign results page in the admin UI)
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://localhost:3333/api/campaigns/1/results" \
  -o campaign_results.json

# Export campaign summary
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://localhost:3333/api/campaigns/1/summary" \
  -o campaign_summary.json

Custom Reports

python
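# Python script for custom reporting
import requests

api_key = "YOUR_API_KEY"
base_url = "https://localhost:3333/api"  # admin server uses TLS (use_tls: true)
ca_bundle = "gophish_admin.crt"          # trust the admin certificate rather than disabling verification

headers = {"Authorization": f"Bearer {api_key}"}

# A result's status holds only its latest event, so count cumulatively:
# a recipient who submitted data also clicked the link and opened the email
OPENED = {"Email Opened", "Clicked Link", "Submitted Data"}
CLICKED = {"Clicked Link", "Submitted Data"}

def get(path):
    resp = requests.get(f"{base_url}{path}", headers=headers, verify=ca_bundle, timeout=30)
    resp.raise_for_status()
    return resp.json()

# Get all campaigns
for campaign in get("/campaigns/"):
    # The results endpoint returns an object; per-recipient rows are under "results"
    results = get(f"/campaigns/{campaign['id']}/results")["results"]

    # Calculate metrics
    total_sent = len(results)
    opened = sum(r["status"] in OPENED for r in results)
    clicked = sum(r["status"] in CLICKED for r in results)
    submitted = sum(r["status"] == "Submitted Data" for r in results)

    print(f"Campaign: {campaign['name']}")
    print(f"Sent: {total_sent}, Opened: {opened}, Clicked: {clicked}, Submitted: {submitted}")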

Security Considerations

Operational Security

bash
# Use VPS or cloud infrastructure
# Implement proper access controls
# Use encrypted communications
# Regular security updates
# Monitor for detection

bash
# Obtain written authorization
# Define scope and limitations
# Implement opt-out mechanisms
# Protect collected data
# Follow data protection laws

Ethical Guidelines

bash
# Educational purpose only
# Minimize psychological impact
# Provide immediate feedback
# Offer security training
# Respect privacy rights

Troubleshooting

Email Delivery Issues

bash
# Check SMTP configuration
# Verify DNS records (SPF, DKIM, DMARC)
# Test with different email providers
# Monitor reputation scores
# Use authenticated SMTP

SSL/TLS Issues

bash
# Verify certificate validity
openssl x509 -in certificate.crt -text -noout

# Test SSL configuration
openssl s_client -connect domain.com:443

# Check certificate chain
curl -vI https://domain.com

Database Issues

bash
# Backup database
cp gophish.db gophish.db.backup

# Check database integrity
sqlite3 gophish.db "PRAGMA integrity_check;"

# Repair database if needed
sqlite3 gophish.db ".recover" | sqlite3 gophish_recovered.db

Performance Issues

bash
# Monitor resource usage
top -p $(pgrep gophish)

# Optimize database
sqlite3 gophish.db "VACUUM;"

# Increase system limits
ulimit -n 65536

Integration Examples

Slack Integration

python
# Webhook for Slack notifications
import requests

def send_slack_notification(webhook_url, message):
    payload = {
        "text": message,
        "username": "Gophish",
        "icon_emoji": ":fishing_pole_and_fish:"
    }

    # Timeout so a stalled request cannot hang the caller
    response = requests.post(webhook_url, json=payload, timeout=10)
    return response.status_code == 200

SIEM Integration

python
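# Send events to SIEM
import syslog

def log_phishing_event(event_type, user_email, campaign_name):
    # Strip CR/LF so a field value cannot inject extra log lines
    fields = [str(v).replace("\r", " ").replace("\n", " ")
              for v in (event_type, user_email, campaign_name)]
    message = "Phishing Event: {} - User: {} - Campaign: {}".format(*fields)
    syslog.syslog(syslog.LOG_WARNING, message)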

Active Directory Integration

python
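# Check user against Active Directory
import ldap3
from ldap3.utils.conv import escape_filter_chars

def check_user_in_ad(username, ad_server, ad_user, ad_password):
    # LDAPS, so the bind password is not sent in clear text
    server = ldap3.Server(ad_server, use_ssl=True)
    conn = ldap3.Connection(server, ad_user, ad_password)

    if conn.bind():
        try:
            # Escape the value so characters such as * ( ) \ cannot alter the filter
            search_filter = f"(sAMAccountName={escape_filter_chars(username)})"
            conn.search('dc=company,dc=com', search_filter)
            return len(conn.entries) > 0
        finally:
            conn.unbind()

    return False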

This cheat sheet provides a comprehensive reference for using Gophish. Always ensure you have proper authorization and follow ethical guidelines when conducting phishing simulations.