# Gophish Social Engineering Framework Cheat Sheet

## Overview

Gophish is an open-source phishing framework designed for businesses and penetration testers to run realistic phishing simulations. It provides a web interface for creating and managing phishing campaigns, tracking results and producing reports.

**Warning:** This tool is intended only for security testing and awareness training. Make sure you have proper authorization before running any phishing campaign.

## Installation

### Precompiled Binaries

```bash
# Download latest release for Linux
wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish

# Download for Windows
# Download gophish-v0.12.1-windows-64bit.zip from GitHub releases

# Download for macOS
wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-macos-64bit.zip
unzip gophish-v0.12.1-macos-64bit.zip
chmod +x gophish
```

### Building from Source

```bash
# Install Go (version 1.19+)
git clone https://github.com/gophish/gophish.git
cd gophish
go build
```

### Docker Installation

```bash
# Pull official Docker image
docker pull gophish/gophish

# Run Gophish in Docker
docker run -it -p 3333:3333 -p 8080:8080 gophish/gophish

# Run with persistent data
docker run -it -p 3333:3333 -p 8080:8080 -v /opt/gophish:/opt/gophish gophish/gophish
```

## Basic Usage

### Starting Gophish

```bash
# Start Gophish server
./gophish

# Start with custom configuration
./gophish -config config.json

# Start with custom admin interface
./gophish -admin-server 0.0.0.0:3333

# Start with custom phish server
./gophish -phish-server 0.0.0.0:8080
```

### Initial Configuration

```bash
# Default admin credentials (change immediately)
# Username: admin
# Password: gophish
# Recent releases instead print a randomly generated initial password in the startup log

# Access admin interface
# https://localhost:3333

# Access phishing server
# http://localhost:8080
```

## Configuration

### Basic Configuration (config.json)

```json
{
  "admin_server": {
    "listen_url": "0.0.0.0:3333",
    "use_tls": true,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:8080",
    "use_tls": false,
    "cert_path": "example.crt",
    "key_path": "example.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}
```
### SSL/TLS Configuration

```bash
# Generate self-signed certificate for admin interface
openssl req -newkey rsa:4096 -nodes -keyout gophish_admin.key -x509 -days 365 -out gophish_admin.crt

# Generate certificate for phishing server
openssl req -newkey rsa:4096 -nodes -keyout phish.key -x509 -days 365 -out phish.crt

# Use Let's Encrypt certificate
certbot certonly --standalone -d yourdomain.com
```

### Database Configuration

```json
{
  "db_name": "mysql",
  "db_path": "user:password@tcp(localhost:3306)/gophish?charset=utf8&parseTime=True&loc=Local",
  "migrations_prefix": "db/db_"
}
```
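The basic config.json and the database settings above are where a Gophish deployment is most often left exposed: an admin interface bound to every interface, a phishing server collecting form data over plain HTTP, or a database password sitting in a world-readable file. The following audit script is an added example, not part of the cheat sheet or the Gophish project; the checks and the sample configuration are ours.

```python
# Added example (not from the Gophish project): flag config.json settings that
# expose the admin interface, send captured data in cleartext, or leak secrets.
import json

def audit_config(cfg: dict) -> list:
    """Return a list of findings for a parsed Gophish config.json dict."""
    findings = []
    admin = cfg.get("admin_server", {})
    # listen_url is "host:port"; an empty or wildcard host means every interface
    host = admin.get("listen_url", "").rsplit(":", 1)[0]
    if host in ("", "0.0.0.0", "::", "[::]"):
        findings.append("admin_server listens on all interfaces; bind to 127.0.0.1 "
                        "and reach it over SSH or a VPN")
    if not admin.get("use_tls", False):
        findings.append("admin_server use_tls is false; admin passwords and API keys "
                        "travel in cleartext")
    phish = cfg.get("phish_server", {})
    if not phish.get("use_tls", False):
        findings.append("phish_server use_tls is false; credentials typed into the "
                        "landing page are sent unencrypted to the server")
    # A MySQL DSN of the form user:password@tcp(...) carries the DB password
    if cfg.get("db_name") == "mysql" and ":" in cfg.get("db_path", "").split("@")[0]:
        findings.append("db_path embeds the MySQL password; restrict file permissions "
                        "on config.json (chmod 600) and use a least-privilege DB user")
    if not cfg.get("logging", {}).get("filename"):
        findings.append("logging.filename is empty; there is no persistent audit trail "
                        "of admin-interface and API activity")
    return findings

def audit_file(path: str) -> list:
    """Load config.json from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_config(json.load(fh))

# Constructed sample mirroring the basic config.json shown above
SAMPLE_CONFIG = {
    "admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": True,
                     "cert_path": "gophish_admin.crt", "key_path": "gophish_admin.key"},
    "phish_server": {"listen_url": "0.0.0.0:8080", "use_tls": False,
                     "cert_path": "example.crt", "key_path": "example.key"},
    "db_name": "sqlite3", "db_path": "gophish.db",
    "migrations_prefix": "db/db_", "contact_address": "",
    "logging": {"filename": "", "level": ""},
}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a real deployment with `audit_file("config.json")`; the sample above yields three findings.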
## Campaign Management

### Creating Email Templates

```html
<!DOCTYPE html>
<html>
<head>
  <title>Security Alert</title>
</head>
<body>
  <h2>Security Alert - Action Required</h2>
  <p>Dear {{.FirstName}} {{.LastName}},</p>
  <p>We have detected suspicious activity on your account.</p>
  <p>Please click <a href="{{.URL}}">here</a> to verify your account.</p>
  <p>Best regards,<br>IT Security Team</p>
  {{.Tracker}}
</body>
</html>
```

### Landing Page Templates

```html
<!DOCTYPE html>
<html>
<head>
  <title>Account Verification</title>
  <style>
    body { font-family: Arial, sans-serif; margin: 50px; }
    .form-container { max-width: 400px; margin: auto; }
    input { width: 100%; padding: 10px; margin: 10px 0; }
    button { background: #007cba; color: white; padding: 10px 20px; border: none; }
  </style>
</head>
<body>
  <div class="form-container">
    <h2>Account Verification</h2>
    <form method="post" action="">
      <input type="text" name="username" placeholder="Username" required>
      <input type="password" name="password" placeholder="Password" required>
      <button type="submit">Verify Account</button>
    </form>
  </div>
  {{.Tracker}}
</body>
</html>
```

### Sending Profiles (SMTP)

```json
{
  "name": "Gmail SMTP",
  "host": "smtp.gmail.com:587",
  "username": "your-email@gmail.com",
  "password": "app-password",
  "from_address": "security@company.com",
  "ignore_cert_errors": false
}
```

### User Groups

```csv
First Name,Last Name,Email,Position
John,Doe,john.doe@company.com,Manager
Jane,Smith,jane.smith@company.com,Developer
Bob,Johnson,bob.johnson@company.com,Analyst
```
## Advanced Features

### Template Variables

- `{{.FirstName}}`: recipient's first name
- `{{.LastName}}`: recipient's last name
- `{{.Email}}`: recipient's email address
- `{{.Position}}`: recipient's position
- `{{.URL}}`: the per-recipient phishing URL
- `{{.Tracker}}`: the invisible tracking image that records email opens
- `{{.From}}`: the sender address from the sending profile
- `{{.RId}}`: the unique recipient identifier

### Custom Headers

```json
{
  "headers": [
    {
      "key": "X-Mailer",
      "value": "Microsoft Outlook 16.0"
    },
    {
      "key": "X-Priority",
      "value": "1"
    }
  ]
}
```

### Webhook Integration

```bash
# Configure webhook for real-time notifications
curl -X POST http://localhost:3333/api/webhooks \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "name": "Slack Webhook",
    "url": "https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK",
    "secret": "webhook-secret",
    "is_active": true
  }'
```

## API Usage

### Authentication

```bash
# Get API key from admin interface
# Settings > API Keys > Generate New Key

# Use API key in requests
curl -H "Authorization: Bearer YOUR_API_KEY" http://localhost:3333/api/campaigns/
```

### Campaign Management via API

```bash
# List campaigns
curl -H "Authorization: Bearer YOUR_API_KEY" \
  http://localhost:3333/api/campaigns/

# Get campaign details
curl -H "Authorization: Bearer YOUR_API_KEY" \
  http://localhost:3333/api/campaigns/1

# Create campaign
curl -X POST http://localhost:3333/api/campaigns/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "name": "Test Campaign",
    "template": {"name": "Test Template"},
    "page": {"name": "Test Landing Page"},
    "smtp": {"name": "Test SMTP"},
    "groups": [{"name": "Test Group"}],
    "launch_date": "2024-01-01T09:00:00Z"
  }'
```

### Results via API

```bash
# Get campaign results
curl -H "Authorization: Bearer YOUR_API_KEY" \
  http://localhost:3333/api/campaigns/1/results

# Get campaign summary
curl -H "Authorization: Bearer YOUR_API_KEY" \
  http://localhost:3333/api/campaigns/1/summary
```
## Evasion Techniques

### Email Evasion

```html
From: IT Security <security@company.com>
Subject: [URGENT] Account Security Alert - Action Required

<a href="https://bit.ly/3xyz123">Verify Account</a>
<img src="{{.Tracker}}" width="1" height="1" style="display:none;">
```

### Domain Spoofing

```bash
# Use similar domains
# Original: company.com
# Spoofed: comp4ny.com, company-security.com

# Use subdomains
# security.legitimate-domain.com

# Use URL shorteners
# bit.ly, tinyurl.com, goo.gl
```

### Content Obfuscation

```html
<a href="https://evil.com">Click Here</a>
<span style="display:none;">PHISHING</span>Legitimate Content
```
## Reporting and Analysis

### Campaign Statistics

Key metrics tracked:

- Emails sent
- Emails opened
- Links clicked
- Data submitted
- Emails reported

Timeline tracking:

- When emails were opened
- When links were clicked
- Geographic data
- User agent information

### Exporting Results

```bash
# Export campaign results to CSV
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "http://localhost:3333/api/campaigns/1/results?format=csv" \
  -o campaign_results.csv

# Export campaign summary
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "http://localhost:3333/api/campaigns/1/summary?format=json" \
  -o campaign_summary.json
```

### Custom Reports

```python
# Python script for custom reporting
import requests

api_key = "YOUR_API_KEY"
base_url = "http://localhost:3333/api"
headers = {"Authorization": f"Bearer {api_key}"}

# Get all campaigns
campaigns = requests.get(f"{base_url}/campaigns/", headers=headers).json()

# Each result carries only the recipient's latest status, so a later stage
# implies the earlier ones (someone who submitted data also opened and clicked);
# count cumulatively, as Gophish's own summary does.
STATUS_ORDER = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
RANK = {status: i for i, status in enumerate(STATUS_ORDER)}

for campaign in campaigns:
    # The results endpoint returns an object holding "results" and "timeline" arrays
    data = requests.get(f"{base_url}/campaigns/{campaign['id']}/results",
                        headers=headers).json()
    results = data["results"]
    # Calculate metrics
    total_sent = len(results)
    opened = sum(1 for r in results if RANK.get(r["status"], -1) >= RANK["Email Opened"])
    clicked = sum(1 for r in results if RANK.get(r["status"], -1) >= RANK["Clicked Link"])
    submitted = sum(1 for r in results if RANK.get(r["status"], -1) >= RANK["Submitted Data"])
    print(f"Campaign: {campaign['name']}")
    print(f"Sent: {total_sent}, Opened: {opened}, Clicked: {clicked}, Submitted: {submitted}")
```
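Beyond sent/opened/clicked totals, an awareness program usually wants the report rate, a per-position breakdown to target training, and how quickly the first click arrived after launch. The following is an added example, not part of the cheat sheet or the Gophish project; it works offline on a constructed results object shaped like the `results` and `timeline` arrays of the results endpoint (field names as we understand them: `email`, `position`, `status`, `reported`, `time`, `message`).

```python
# Added example (not from the Gophish project): awareness metrics computed
# offline from the JSON of GET /api/campaigns/<id>/results.
from datetime import datetime

# Per-recipient status values in order; a later stage implies the earlier ones
STATUS_ORDER = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
RANK = {status: i for i, status in enumerate(STATUS_ORDER)}

def reached(result: dict, stage: str) -> bool:
    return RANK.get(result["status"], -1) >= RANK[stage]

def cumulative_counts(results: list) -> dict:
    """Recipients who reached each stage, plus how many reported the email."""
    counts = {stage: sum(1 for r in results if reached(r, stage)) for stage in STATUS_ORDER}
    counts["Email Reported"] = sum(1 for r in results if r.get("reported"))
    return counts

def click_rate_by_position(results: list) -> dict:
    """Fraction of recipients per position who clicked, to target training."""
    totals, clicks = {}, {}
    for r in results:
        pos = r.get("position") or "(none)"
        totals[pos] = totals.get(pos, 0) + 1
        clicks[pos] = clicks.get(pos, 0) + reached(r, "Clicked Link")
    return {pos: round(clicks[pos] / totals[pos], 2) for pos in totals}

def _parse_time(value: str) -> datetime:
    # Drop fractional seconds (Gophish may emit nanoseconds) and map Z to UTC
    return datetime.fromisoformat(value.split(".")[0].rstrip("Z") + "+00:00")

def seconds_to_first_click(timeline: list):
    """Seconds from 'Campaign Created' to the first 'Clicked Link' event, or None."""
    start = min(_parse_time(e["time"]) for e in timeline if e["message"] == "Campaign Created")
    clicks = [_parse_time(e["time"]) for e in timeline if e["message"] == "Clicked Link"]
    return (min(clicks) - start).total_seconds() if clicks else None

# Constructed sample in the shape of the results endpoint (not a real capture)
SAMPLE = {
    "results": [
        {"email": "john.doe@company.com", "position": "Manager", "status": "Submitted Data", "reported": False},
        {"email": "jane.smith@company.com", "position": "Developer", "status": "Email Opened", "reported": True},
        {"email": "bob.johnson@company.com", "position": "Analyst", "status": "Email Sent", "reported": False},
        {"email": "amy.lee@company.com", "position": "Developer", "status": "Clicked Link", "reported": False},
    ],
    "timeline": [
        {"email": "", "time": "2024-01-01T09:00:00Z", "message": "Campaign Created"},
        {"email": "amy.lee@company.com", "time": "2024-01-01T09:05:00.123456789Z", "message": "Clicked Link"},
        {"email": "john.doe@company.com", "time": "2024-01-01T09:12:30Z", "message": "Clicked Link"},
    ],
}
```

On the sample, `cumulative_counts` gives 4 sent, 3 opened, 2 clicked, 1 submitted and 1 reported, and the first click lands 300 seconds after launch.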
## Security Considerations

### Operational Security

- Use VPS or cloud infrastructure
- Implement proper access controls
- Use encrypted communications
- Apply security updates regularly
- Monitor for detection

### Legal Considerations

- Obtain written authorization
- Define scope and limitations
- Implement opt-out mechanisms
- Protect collected data
- Follow data protection laws

### Ethical Guidelines

- Educational purpose only
- Minimize psychological impact
- Provide immediate feedback
- Offer security training
- Respect privacy rights

## Troubleshooting

### Email Delivery Issues

- Check SMTP configuration
- Verify DNS records (SPF, DKIM, DMARC)
- Test with different email providers
- Monitor reputation scores
- Use authenticated SMTP

### SSL/TLS Issues

```bash
# Verify certificate validity
openssl x509 -in certificate.crt -text -noout

# Test SSL configuration
openssl s_client -connect domain.com:443

# Check certificate chain
curl -vI https://domain.com
```

### Database Issues

```bash
# Backup database
cp gophish.db gophish.db.backup

# Check database integrity
sqlite3 gophish.db "PRAGMA integrity_check;"

# Repair database if needed
sqlite3 gophish.db ".recover" | sqlite3 gophish_recovered.db
```

### Performance Issues

```bash
# Monitor resource usage
top -p $(pgrep gophish)

# Optimize database
sqlite3 gophish.db "VACUUM;"

# Increase system limits
ulimit -n 65536
```
## Integration Examples

### Slack Integration

```python
# Webhook for Slack notifications
import requests

def send_slack_notification(webhook_url, message):
    payload = {
        "text": message,
        "username": "Gophish",
        "icon_emoji": ":fishing_pole_and_fish:"
    }
    # Time out rather than hang the caller if Slack is unreachable
    response = requests.post(webhook_url, json=payload, timeout=10)
    return response.status_code == 200
```

### SIEM Integration

```python
# Send events to SIEM via the local syslog daemon (Unix only)
import syslog

def log_phishing_event(event_type, user_email, campaign_name):
    message = f"Phishing Event: {event_type} - User: {user_email} - Campaign: {campaign_name}"
    syslog.syslog(syslog.LOG_WARNING, message)
```
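The webhook registered in the Webhook Integration section is the natural feed for the Slack and SIEM handlers above, and the receiving end should authenticate each delivery before forwarding or alerting on it. The code below is an added example, not part of the cheat sheet or the Gophish project; it assumes Gophish signs the raw POST body with HMAC-SHA256 keyed by the webhook `secret` and sends it as `X-Gophish-Signature: sha256=<hex>` (confirm against your Gophish version), and the sample payload is constructed.

```python
# Added example (not from the Gophish project): authenticate a Gophish webhook
# delivery with its HMAC signature, then normalize it into a SIEM event.
import hashlib
import hmac
import json

# Assumption: Gophish sends X-Gophish-Signature: sha256=<hex HMAC-SHA256 of body>
SIGNATURE_HEADER = "X-Gophish-Signature"
SEVERITY = {"Submitted Data": "high", "Clicked Link": "medium", "Email Reported": "info"}

def verify_signature(secret: str, body: bytes, header_value: str) -> bool:
    """Constant-time check of the delivery signature against the shared secret."""
    prefix = "sha256="
    if not header_value.startswith(prefix):
        return False
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value[len(prefix):])

def to_siem_event(body: bytes) -> dict:
    """Flatten the webhook payload into fields a SIEM can index."""
    p = json.loads(body)
    return {
        "source": "gophish",
        "campaign_id": p["campaign_id"],
        "user": p["email"],
        "event": p["message"],  # e.g. "Email Opened", "Clicked Link"
        "severity": SEVERITY.get(p["message"], "low"),
    }

def handle_delivery(secret: str, body: bytes, headers: dict):
    """Return the SIEM event for an authentic delivery, or None if it is rejected."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER, "")):
        return None  # unsigned or tampered: do not forward, do not alert
    return to_siem_event(body)

def format_syslog(event: dict) -> str:
    """Render the event as a key=value line for syslog/CEF-style ingestion."""
    return " ".join(f"{k}={v}" for k, v in event.items())

# Constructed sample delivery (not a real capture); the secret matches the
# "webhook-secret" used when registering the webhook via the API.
SECRET = "webhook-secret"
SAMPLE_BODY = json.dumps({"success": True, "campaign_id": 1, "email": "john.doe@company.com",
                          "message": "Clicked Link", "details": ""}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: "sha256=" + hmac.new(SECRET.encode(), SAMPLE_BODY,
                                                          hashlib.sha256).hexdigest()}

if __name__ == "__main__":
    event = handle_delivery(SECRET, SAMPLE_BODY, SAMPLE_HEADERS)
    print(format_syslog(event) if event else "rejected: bad signature")
```

In a real receiver, read the raw request body bytes before any JSON parsing, since re-serialized JSON will not match the signature.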
### Active Directory Integration

```python
# Check user against Active Directory
import ldap3
from ldap3.utils.conv import escape_filter_chars

def check_user_in_ad(username, ad_server, ad_user, ad_password, search_base="dc=company,dc=com"):
    # LDAPS so the bind credentials are not sent in cleartext
    server = ldap3.Server(ad_server, use_ssl=True)
    conn = ldap3.Connection(server, ad_user, ad_password)
    if not conn.bind():
        return False
    try:
        # Escape the username so user input cannot alter the LDAP filter
        search_filter = f"(sAMAccountName={escape_filter_chars(username)})"
        conn.search(search_base, search_filter, attributes=["sAMAccountName"])
        return len(conn.entries) > 0
    finally:
        conn.unbind()
```

## Resources

- [Gophish official website](LINK_5)
- [Gophish GitHub repository](LINK_5)
- [Gophish documentation](LINK_5)
- [Gophish user guide](LINK_5)
- [Phishing awareness training](LINK_5)

*This cheat sheet provides a comprehensive reference for using Gophish. Always ensure you have proper authorization and follow ethical guidelines when conducting phishing simulations.*