How to simulate phishing emails for employee training — GoPhish

Introduction

Nowadays, the cyber-attacks has been increased significantly during the pandemic, and if you are a security lead for your company with limit budget you may want to do some miracles with the available open source tools in the market. In this article you will learn how to use GoPhish to simulate Mail phishing campaign to train and measure your employee awareness position.

Go Phish

Go Phish is an open source tool that enable us to simulate phishing campaigns in a controlled environment, it enables you to create real looking emails and track how many employees opened an email and shared their credentials to your own crafted fake website.

Installation

Download the tool according to your OS, in my case: Windows 64 bits. https://getgophish.com Find the executable, in my case it is gophish.exe

And it will be running in localhost:3333

Image #1. GoPhish login

default credentials are: admin /and the password can be found in the logs when you execute your application for the first time, in my case:

Then you will be prompted to change the password

Image #2. Changing Password

How does it work?

We need to first create some email templates depending on our goals, after doing this we can create a campaign to keep track of our phishing emails. The Template is basically our fake muck-up of our mail.

Click email templates > New Template

Image #3 Creating a template

In my case I’m going to clone an email that I received from Amazon, to achieve this you need to go to your inbox, locate an email (in my case Amazon recommendations) open it and then click on the 3 dots and click Show Original / Show Raw and copy the source code.

Image #5. Stealing an original html email

Once the source code is copied, go back to your email template, put a campaign name and click import email

Image #6. Importing the fake email
Image #7. Editing the imported fake email

and paste the raw code and click import, after doing this you will see that you have the exact same email in your preview section, now, here we can create a defacement or a phishing website that asks for credentials and start harvesting amazon accounts. You can click in source and start modifying the embedded links

Image #8. Changing the source code of the email

Now we can click save and we have our first email template created, now we need to create a landing page, where it can be a fake Amazon login page, you can create a fake one or try to copy it by importing it by submitting the URL since we are using Amazon, I went to the login page and pasted the URL, here is the result

Image #9. Creating the landing page

Be careful with the capture submitted data and capture passwords, this is done just for learning purposes, if you are auditing your employees it is better to skip this part of capture passwords since those go in plain text.

Setting up SMTP server

Now we need to create the sending profiles, this is the SMTP server with the fake email address to send the fake emails, this is the most technical part. I created mine in CentOS on a VM using mailhog, also remember to configure the SMTP json file depending of your targets. https://github.com/mailhog/MailHog. Here are good extra references that you may need to install go lang and do not forget to install Github. https://linuxize.com/post/how-to-install-go-on-centos-7/

If like me you are using windows for the go-phish tool and centOS for the mailHog, you may have to verify your bridge connection and firewall rules in the centOS VM. You may be able to reach out to the SMTP page in windows.

Image #10. Configuring the sending profiles (SMTP)

Creating groups and targets

Now let's create the group of targets, you can import it from CSV or manually introduce your target

Image #11. Creating the target groups

Now we are all set, let’s create our campaign, this is the final step in which we will sent in bulk format all the fake emails to track!

Image #12. Creating the campaign
Image #13. All set

Here you can track the progress of your campaign and reach out to each specific employee that opened and submitted data to the fake website and train them better.

Image #14. Monitoring our campaign

Here is how it looks in our SMTP server!

Image #15. Preview of the fake email

And here is how it looks in our inbox!!!

Image #16. Fake email in our inbox
Image #17. Opened fake email

The images are not loaded and that can be easily fixed, but this will be a good homework for your team! This post was made for learning purposes only, please use this only on a controlled environment and never use this for evil tasks.

I hope you enjoyed this article!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Josué Carvajal

Josué Carvajal

Sr. Security software engineer working in the DevSecOps area. CompTIA Sec+, C|EH