GoPhish : Open Source Phishing Toolkit
Everyone needs to conduct phishing attacks to see the organisation’s defence against Phishing during a penetration test . Here is an Open source Solution : GoPhish.
Gophish is an open source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily set-up and execute phishing engagements and security awareness training.
What is Gophish?
Gophish is a phishing framework that makes the simulation of real-world phishing attacks dead-simple. The idea behind gophish is simple – make industry-grade phishing training available to everyone.
“Available” in this case means two things –
- Affordable – Gophish is currently open-source software that is completely free for anyone to use.
- Accessible – Gophish is written in the Go programming language. This has the benefit that gophish releases are compiled binaries with no dependencies. In a nutshell, this makes installation as simple as “download and run”!
The idea of a phishing simulation platform isn’t new. Let’s take a look at some of the features that really set gophish apart and make it awesome.
There are many commercial offerings that provide phishing simulation/training. Unfortunately, these are SaaS solutions that require you to hand over your data to someone else.
Gophish, an Open Source Phishing Toolkit is different in that it is meant to be hosted in-house. This keeps you data where it belongs – with you.
Installing Gophish Using Pre-Built Binaries
Gophish is provided as a pre-built binary for most operating systems. With this being the case, installation is as simple as downloading the ZIP file containing the binary that is built for your OS and extracting the contents.
To install gophish, simply run
go get github.com/gophish/gophish
This downloads gophish into your
Next, navigate to
and run the command
This builds a gophish binary in the current directory.
Now that you have gophish installed, you’re ready to run the software. To launch gophish, simply open a command shell and navigate to the directory the gophish binary is located. Then, execute the gophish binary. You will see some informational output showing both the admin and phishing web servers starting up, as well as the database being created. This output will tell you the port numbers you can use to connect to the web interfaces.
$ ./gophish worker.go:34: Background Worker Started Successfully - Waitingfor Campaigns models.go:64: Database not found... creating db at gophish.db gophish.go:49: Admin server started at http://127.0.0.1:3333 gophish.go:51: Phishing server started at http://0.0.0.0:80
#To be used only for Authorized Penetration Testing .