Cybersecurity awareness among end users is one of the key factors that decides the security posture of a company. Testing your employees' response to phishing mail tells your organization how vulnerable it is to a real attacker.
In today's article, we will discuss what a phishing assessment is and walk through a step-by-step guide to installing the phishing assessment tool 'Gophish'.
Phishing assessment is a proactive security measure that simulates real-world phishing attacks to evaluate an organization’s susceptibility to such attacks. It involves creating mock phishing emails, links, or messages that mimic the tactics employed by cybercriminals. These simulated attacks are sent to employees within the organization to assess their response and determine their level of awareness regarding phishing threats. This information enables organizations to take proactive measures to strengthen their security posture, such as implementing additional security controls, enhancing training programs, or updating policies and procedures.
Regular exposure to simulated phishing attacks trains employees to identify suspicious emails, links, or messages and empowers them to make informed decisions regarding cybersecurity threats.
A phishing assessment tool is a software application or platform designed to simulate phishing attacks and measure how susceptible individuals or an organization are to them. Security professionals mainly use these tools to measure the phishing awareness of an organization's employees.
Phishing assessment tools create simulated phishing campaigns that imitate real-world phishing attacks. They can send phishing emails or text messages to a targeted group of users within an organization. These simulated attacks are carefully crafted to mimic actual phishing attempts, but instead of capturing sensitive data, they measure user responses and behaviors.
Gophish is a widely recognized, open-source phishing assessment tool designed to help organizations evaluate their susceptibility to phishing attacks. Gophish is written in the Go programming language and is easy to install and set up.
Being open source, Gophish is easy to modify. We can change its source code and configuration, for example the default headers and URL parameters it adds to every message, to reduce the chance of being flagged by an email security gateway. Gophish is also simple to use and makes our life much easier by automating most of our tasks. For instance, we don't have to create a phishing page from scratch: we give Gophish the URL of the page we want to clone and it imports the HTML for us; we then make minor changes to the HTML and tune it to our needs. It also records the results of the assessment (emails sent, opened, links clicked, credentials submitted) and presents them as graphs.
A host that is reachable from the internet is required for a Gophish campaign, so that the phishing links in the emails resolve to your landing pages, and the usual choice is a Virtual Private Server (VPS). Before installing Gophish, find a suitable VPS. If you are not aware of what a VPS is, keep reading.
A Virtual Private Server (VPS) is a virtualized server environment created by partitioning a physical server into multiple virtual instances. Each virtual instance operates independently, functioning as a self-contained server with its own dedicated resources, operating system, and allocated storage space.
Unlike shared hosting, where multiple websites or applications share the same server resources, a VPS provides users with a private and isolated environment. While the physical server’s resources, such as CPU, RAM, and storage, are shared among the virtual instances, each VPS operates as an independent server, offering a higher level of performance, security, and customization options.
Installation of Gophish can be divided into two parts:
Set up a Virtual private server
Download and install Gophish
In this demo, we are going to set up a VPS on a well-known provider, Digital Ocean. You are free to choose your own VPS provider. We have chosen Digital Ocean because of its low pricing and because it is simple to use and set up. As of today, Digital Ocean bills by the hour, so it is easy on our pocket.
Once we have created the account, we will move forward to “Create a Droplet.”
For our purpose, we are not going to create a whole website, and hence the basic plan fits our needs.
Picture 1: Droplet Type from Digital Ocean
Go ahead and create your droplet. The SSH service will be exposed to the entire internet, so choose a very strong root password; better still, select the SSH key option that Digital Ocean offers at this step and disable password login once you are in, so that brute-force attempts against port 22 cannot succeed.
Picture 2: Digital Ocean Ubuntu Droplet
In less than a minute, your droplet will be created. Once done, you can log in as a root user using the password you created while creating the droplet.
Picture 3: SSH Login screen of the Ubuntu Droplet
You can download Gophish from its official site (https://getgophish.com/) or from the releases page of the official GitHub repository (https://github.com/gophish/gophish). Go to the download page and copy the link to the 64-bit Linux zip file.
Then SSH into the VPS and download the zip file with the "wget" command, as shown below.
# wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
Once it has downloaded successfully, unzip it.
# unzip gophish-v0.12.1-linux-64bit.zip
On many Linux distributions, unzip is not part of the default installation. If it is missing, install it with the "apt" utility and then unzip the file.
# apt install unzip
Once done, we no longer need the zip file, so it can be deleted. Also, to keep the gophish process running when we are not attached to the SSH session, I am going to use the tmux tool. With tmux we can run gophish in a session that survives our logout while we work on other tasks on the VPS (tmux appears to be installed by default on our machine).
Now, before starting the application, we have to make one important change. By default Gophish binds its admin server to localhost only (127.0.0.1:3333), so it cannot be reached from our workstation. To access the admin panel we edit config.json in the unzipped directory and change the "listen_url" of the admin_server from 127.0.0.1 to an address reachable from outside.
In the edited config.json, the admin_server and phish_server "listen_url" values are set to 0.0.0.0 (all interfaces), the admin port is changed to my desired value (43333 in this demo), and "use_tls" for the admin_server is left at true. You can also use your VPS public IP instead of 0.0.0.0. Note that binding the admin panel to 0.0.0.0 exposes it to the whole internet: either restrict the admin port to your own IP with the VPS firewall (for example ufw or the Digital Ocean cloud firewall), or keep the admin server on 127.0.0.1 and reach it through an SSH port forward. Only the phish_server port needs to be open to everyone.
Now all is set to run the Gophish server.
To start the Gophish application, first create a new tmux session with the command:
# tmux new -s gophish
(gophish is the name I have given to my tmux session)
Next, now that we are attached to the new session, give the gophish binary execute permission and then run it.
# chmod +x gophish
# ./gophish
On the first run, Gophish generates a random password for the admin account and prints it to the console; you will be required to change it as soon as you log in. We can now log in to the admin server, which in our case is running on port 43333.
That's it, our phishing environment is ready. Note that your browser will show a certificate warning when you open the admin panel. With "use_tls" set to true, Gophish creates a self-signed certificate (gophish_admin.crt) on first start, so the connection is encrypted, but the browser cannot verify the certificate because no trusted authority issued it. Installing a certificate from a trusted CA removes the warning. We don't have such a certificate yet, but in an upcoming post, "How to Conduct a Successful Phishing Assessment", we'll show you how to set up a free SSL certificate so the landing pages are served over HTTPS and look legitimate to the target.
To stop the application, press "ctrl+c". To leave the tmux session without stopping Gophish, press "ctrl+b" and then "d" to detach. To attach to the same session again, use this command.
# tmux a -t gophish
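The whole procedure above (download, unzip, edit config.json, firewall, start under tmux) as a single script. This is an added example written for this article, not code shipped by the Gophish project. It assumes a fresh Ubuntu droplet with ufw available, keeps the phishing listener on Gophish's default port 80, installs into /opt/gophish rather than the home directory used above, and uses a placeholder OPERATOR_IP (203.0.113.10, from the documentation address range) that you must replace with the address you administer from. The config.json it writes mirrors the fields of the default config in v0.12.1, with only the listen_url values and admin port changed.

```shell
#!/bin/sh
# Added example (not part of the article or the Gophish project): automates the
# Gophish install described above and restricts the admin panel to one operator IP.
# Assumptions: Ubuntu with ufw, install dir /opt/gophish, phish port 80, OPERATOR_IP
# is a placeholder you must replace.
set -eu

GOPHISH_VERSION="v0.12.1"                                  # release used in the article
GOPHISH_ZIP="gophish-${GOPHISH_VERSION}-linux-64bit.zip"
GOPHISH_URL="https://github.com/gophish/gophish/releases/download/${GOPHISH_VERSION}/${GOPHISH_ZIP}"
INSTALL_DIR="${INSTALL_DIR:-/opt/gophish}"                 # assumption: article unzips in $HOME
ADMIN_PORT="${ADMIN_PORT:-43333}"                          # admin port chosen in the article
PHISH_PORT="${PHISH_PORT:-80}"                             # assumption: Gophish default
OPERATOR_IP="${OPERATOR_IP:-203.0.113.10}"                 # placeholder, replace with your IP

# Step 1: download and unpack the release (needs network access; not run by the tests).
install_gophish() {
    apt-get update -qq && apt-get install -y -qq unzip tmux
    mkdir -p "$INSTALL_DIR"
    wget -q -O "/tmp/${GOPHISH_ZIP}" "$GOPHISH_URL"
    unzip -q -o "/tmp/${GOPHISH_ZIP}" -d "$INSTALL_DIR"
    rm -f "/tmp/${GOPHISH_ZIP}"                            # the zip is no longer needed
    chmod +x "${INSTALL_DIR}/gophish"
}

# Step 2: write config.json. Same fields as the default config shipped with v0.12.1;
# only the listen_url values (and therefore the admin port) differ from the defaults.
write_gophish_config() {
    dest="$1"
    cat > "$dest" <<EOF
{
  "admin_server": {
    "listen_url": "0.0.0.0:${ADMIN_PORT}",
    "use_tls": true,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key",
    "trusted_origins": []
  },
  "phish_server": {
    "listen_url": "0.0.0.0:${PHISH_PORT}",
    "use_tls": false,
    "cert_path": "example.crt",
    "key_path": "example.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": { "filename": "", "level": "" }
}
EOF
}

# Check: extract the admin listen_url from a config file so we can confirm the panel
# is no longer bound to 127.0.0.1 before starting the service.
admin_listen_url() {
    sed -n '/"admin_server"/,/}/s/.*"listen_url": *"\([^"]*\)".*/\1/p' "$1"
}

# Step 3: the admin panel now faces the internet. Allow SSH first (or you lock
# yourself out), open the phishing port to everyone, and the admin port only to
# the operator IP.
restrict_admin_port() {
    ufw allow OpenSSH
    ufw allow "${PHISH_PORT}/tcp"
    ufw allow from "$OPERATOR_IP" to any port "$ADMIN_PORT" proto tcp
    ufw --force enable
}

# Step 4: start Gophish in a detached tmux session named "gophish", as in the article.
# The generated admin password is printed inside that session (tmux a -t gophish).
start_gophish() {
    tmux new-session -d -s gophish "cd '${INSTALL_DIR}' && ./gophish"
}

# Run the full procedure only when invoked as: sh install-gophish.sh run
# Sourcing or running the file without "run" just defines the functions.
if [ "${1:-}" = "run" ]; then
    install_gophish
    write_gophish_config "${INSTALL_DIR}/config.json"
    echo "admin listen_url: $(admin_listen_url "${INSTALL_DIR}/config.json")"
    restrict_admin_port
    start_gophish
    echo "Gophish started; read the initial admin password with: tmux a -t gophish"
fi
```

Run it as root with "sh install-gophish.sh run" after setting OPERATOR_IP to your own address. If you would rather not expose the admin port at all, leave restrict_admin_port out, set the admin listen_url back to 127.0.0.1:43333 in write_gophish_config, and reach the panel with "ssh -L 43333:127.0.0.1:43333 root@VPS".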
In today's article, we went into detail on what a phishing assessment is and gave a step-by-step guide to installing the phishing assessment tool 'Gophish'. In the next article, we will dive into how to conduct an entire phishing exercise from scratch using Gophish.
Thanks for reading this post. Please share this post and help to secure the digital world. Visit our website thesecmaster.com and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.