Gophish Usage
Once configured, all interactions with the Mail Spoofer infrastructure are performed via the Gophish web interface. The design ensures all SMTP transactions only occur on the internal Docker network stack.
You log in by browsing to your domain on TCP port 3333, for example https://example.org:3333. The default Gophish credentials are admin / gophish. We recommend you change them immediately, as the web interface is directly exposed. Unfortunately, a later version of Gophish rectifies the default password problem but contains a really annoying bug when used with a reverse proxy.
This web interface is where you create and send your email campaigns.
The official documentation can be found at https://docs.getgophish.com/user-guide. The quick how-to guide is as follows.
- Configure a sending profile for a spoofable address. You can find information on targeting domains here.
- Fill in a Name — this is for internal Gophish use only.
- Fill in a From address. The display name in quotes ("RiskIQ" in the example) is optional, but it makes the email look more legitimate. Make sure to enter the address you'd like to spoof in angle brackets.
- Fill in the Host address — it will always be postfix:25. The domain name is resolved within the Docker infrastructure.
- Save the profile.
- Create a landing page. One must exist, but its content doesn't matter for this test. Call it "test" and move on.
- Create an email template. You can either fill one in or import one by copying a legitimate email message — this feature is fantastic, and you should have a play.
- Create a target group. I'll be using test accounts and my legitimate 6point6 address to receive the spoof emails.
- Select the correct template, landing page, profile and groups and launch the campaign!
The spoof email is listed above the legitimate message.
All of the emails have SPF, DKIM and ARC passes. In this instance RiskIQ has its DMARC policy set to none, which tells receivers to take no action on failures and so permits spoofed email. That means the DMARC check failed and the message was delivered anyway.
RiskIQ DMARC record on 24/05/2021:

```
# dig _dmarc.riskiq.net TXT +short
"v=DMARC1; p=none; rua=mailto:e8qlfzzo@ag.dmarcian.com,mailto:postmaster@riskiq.net;
ruf=mailto:e8qlfzzo@fr.dmarcian.com;"
```
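The p= tag in that record is what decides whether a receiver delivers a message that fails DMARC. The following added example (not part of the Mail Spoofer project) parses the output of the dig query above and reports what a failed DMARC check means for each policy value, so you can audit your own domains before someone else does. The riskiq.net record is the one quoted above; the other sample records are constructed.

```python
# Sample records embedded so the check runs offline. The riskiq.net entry is the
# record quoted above (as of 24/05/2021); the remaining entries are constructed.
SAMPLE_RECORDS = {
    "riskiq.net": ('"v=DMARC1; p=none; rua=mailto:e8qlfzzo@ag.dmarcian.com,'
                   'mailto:postmaster@riskiq.net; ruf=mailto:e8qlfzzo@fr.dmarcian.com;"'),
    "quarantine.example": '"v=DMARC1; p=quarantine; pct=50; sp=reject"',
    "strict.example": '"v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"',
    "nodmarc.example": None,  # no _dmarc TXT record published at all
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record (as printed by dig +short) into a dict of tags."""
    if txt is None:
        return {}
    # dig wraps the record in quotes and splits long records into several quoted
    # strings; drop the quotes and join the pieces back together.
    cleaned = "".join(part.strip() for part in txt.split('"'))
    tags = {}
    for item in cleaned.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spoof_exposure(txt):
    """Return (policy, verdict): what a receiver does with mail that fails DMARC."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return ("missing", "no usable DMARC policy: failures are not acted on")
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    if policy == "none":
        return (policy, "monitor only: spoofed mail that fails DMARC is still delivered")
    if policy == "quarantine":
        return (policy, f"{pct}% of failures quarantined, the rest delivered")
    if policy == "reject":
        return (policy, f"{pct}% of failures rejected, the rest quarantined")
    return (policy, "unrecognised policy value")


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        policy, verdict = spoof_exposure(record)
        print(f"{domain:22} p={policy:10} {verdict}")
```

Replace the embedded samples with the live output of `dig _dmarc.<your-domain> TXT +short` to check a real domain.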
If you'd like to track your phishing campaign, you must configure a landing page beyond our test example.
To use the tracking pixel feature in Gophish, the message body must be HTML rather than Text only. Here is an example of an HTML message body that records when a recipient opens the email:
```html
<html>
<head>
<title></title>
</head>
<body>
<p>A message with a tracking pixel.</p>
<p>{{.Tracker}}</p>
</body>
</html>
```
To help keep the message spam score low, we recommend adding a plain text version of the message body in addition to the HTML message. Ensure you also tick the "Add tracking image" checkbox and confirm that the track_domain in the settings.env file points to the current server IP address.