
Decided we needed a new way to run spam/phishing campaigns at work. To this end I decided to install a GoPhish server. There were a few gotchas along the way. I made this page so I remember how to do it.

I got the framework from https://getgophish.com/
I ran it on an existing Ubuntu 20.04 server I was already using to run another service.

 

Install

Installation is rather easy. Just download the zip, unzip it and go.

  • There is a config.json file you have to edit.
  • admin_server is the address you browse to in order to administer GoPhish. It does not need to be reachable from the whole LAN: if you can, bind it to 127.0.0.1:3333 and reach it over an SSH tunnel. Leave use_tls on; GoPhish generates the self-signed gophish_admin.crt and gophish_admin.key on first start if they are not already there.
  • phish_server is the listener your targets hit. Email opens, link clicks and landing-page submissions are tracked here, so it has to be reachable from wherever the targets are (see "Working from Outside the Network" below).
  • Edit these two sections to get the thing up and running:
{
	"admin_server": {
		"listen_url": "10.10.10.10:3333",
		"use_tls": true,
		"cert_path": "gophish_admin.crt",
		"key_path": "gophish_admin.key",
		"trusted_origins": []
	},
	"phish_server": {
		"listen_url": "10.10.10.10:80",
		"use_tls": false,
		"cert_path": "example.crt",
		"key_path": "example.key"
	},
	"db_name": "sqlite3",
	"db_path": "gophish.db",
	"migrations_prefix": "db/db_",
	"contact_address": "",
	"logging": {
		"filename": "",
		"level": ""
	}
}

Now change into the directory where you extracted the GoPhish zip.
You have to mark the binary executable. You can do that with the chmod command:

chmod +x gophish

Start it from that directory with ./gophish (the phish_server binds port 80, so run it as root or give the binary CAP_NET_BIND_SERVICE), then go to your GoPhish admin page. In my case it is https://10.10.10.10:3333. The temporary admin password is printed on the server terminal at first start, as in the first log line below (the second line shows the phishing listener coming up). Log in and set a new password right away.

 time="2020-06-30T08:04:33-05:00" level=info msg="Please login with the username admin and the password 1178f855283d03d3"
 time="2020-06-30T08:04:33-05:00" level=info msg="Starting phishing server at http://10.10.10.10:80"

Run as a service

Now we need to set up GoPhish so it runs all the time and not just while the terminal window is open. I'm sure there are cool or professional ways to do this, but I did it in Webmin. Do not judge me.

I pointed a scheduled cron job, set to run at boot (an @reboot entry), at a gophish.sh script. The contents of gophish.sh are:

#!/bin/bash
# Run GoPhish from its own directory: the paths in config.json
# (certificates, gophish.db, migrations) are relative to the working directory.
# Under cron there is no terminal, so anything GoPhish prints goes to cron's
# mail; set logging.filename in config.json if you want a log file instead.
cd /root/gophish || exit 1
exec ./gophish
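A service manager is the more robust way to keep it running, and it also lets you drop root. The following is an added example, not from the original post or the GoPhish project: a systemd unit that does the same job as the cron entry. It assumes GoPhish is unpacked in /opt/gophish and owned by an unprivileged account called gophish (both my own assumptions). Since the phish_server listens on port 80, the unit grants CAP_NET_BIND_SERVICE instead of running the process as root.

```shell
#!/bin/sh
# Added example: systemd unit for GoPhish (not from the original post).
# Assumptions: install directory /opt/gophish, service account "gophish".

# Print the unit file to stdout.  $1 = install directory, $2 = service account.
gophish_unit() {
  dir=$1
  user=$2
  cat <<EOF
[Unit]
Description=GoPhish phishing simulation server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=$user
Group=$user
# config.json uses relative paths, so the working directory matters.
WorkingDirectory=$dir
ExecStart=$dir/gophish
Restart=on-failure
RestartSec=5
# Let an unprivileged user bind port 80 for the phish_server.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
# Read-only filesystem except the GoPhish directory (gophish.db, generated certs).
ProtectSystem=strict
ReadWritePaths=$dir
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit to $1 for directory $2 and account $3, then confirm the two
# lines we depend on are present.  Returns 0 on success.
write_gophish_unit() {
  out=$1
  dir=$2
  user=$3
  gophish_unit "$dir" "$user" > "$out" || return 1
  grep -q "^User=${user}\$" "$out" && grep -q "^ExecStart=${dir}/gophish\$" "$out"
}

# Installation steps, to be run as root.  Defined only; not executed here.
install_gophish_service() {
  useradd --system --home /opt/gophish --shell /usr/sbin/nologin gophish
  chown -R gophish:gophish /opt/gophish
  chmod 750 /opt/gophish/gophish
  write_gophish_unit /etc/systemd/system/gophish.service /opt/gophish gophish || return 1
  systemctl daemon-reload
  systemctl enable --now gophish
  # The first-run admin password now lands in the journal instead of a terminal.
  journalctl -u gophish --no-pager | grep "Please login"
}
```

With the service in place, the initial random admin password is found with journalctl -u gophish rather than on a terminal, and the process never runs as root: it only holds the capability it needs to bind port 80.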

Sending eMail (and spoofing)

The first thing you need to do is set up a sending profile. This is found under Sending Profiles on the left menu.
This one was a little tricky. We are a Google domain, so the only way to send via Google SMTP is to authenticate. If I authenticate, then everyone will see the emails are coming from our domain, which is a dead giveaway that it is a phishing campaign.
So I had to set up my own SMTP server. But wait, you say, won't that just trigger spam warnings in the users' email? No, because I can set it in the Google Admin console to allow all emails from this SMTP server.

Building the SMTP Server

  • I also used Webmin for this. I set up a Postfix mail server.
  • I set it to deliver mail directly, not relay off a "real" SMTP host.
  • I then went into the mailbox of a user and sent an email to my work email. (Don't forget you will need to make the mailbox folder; in my case /var/mail/xxx.) This failed with "connection refused", because my DNS was set to resolve my work domain to the AD domain controller. So I set the DNS to external, which fixed it. I then got an email from user@servername.
  • Go in and set up SMTP relay. I have mine set so it will only relay after a login and only relay to my domain; without both of those you have built an open relay that anyone on the network can send through.

Make a Sending Profile

  • On the left menu in GoPhish choose Sending Profiles.
  • Name: give it any name.
  • SMTP From: make up a fake sender address; this is the From: the targets will see.
  • Host: the SMTP server and port you just built, e.g. 10.10.10.10:25.
  • Username: a user on the SMTP server.
  • Password: that user's password.
  • Click Send Test Email at the bottom.

Google Admin Console

Your email may or may not get through; Gmail may block it as spam. If it does get through, it won't for long. I went into the allow list and added the two emails I will be using for phishing. So now my email will get through from my phishing server without triggering Gmail's spam filter or getting blocked.

 

Email Templates and Landing Pages

Not too much surprising here; their documentation is good on this. Just remember:

  • The Email Template is the email the user will receive.
  • The Landing Page is the fake page they are sent to (to collect information) if they click any link in the email. This is NOT the page that tells them they were caught in a campaign; that page has to be made outside of GoPhish. You can put the URL of that page in the landing page's redirect setting, and they will be sent to it if they click login.
  • I would suggest NOT capturing passwords from your users. I don't want to be responsible for having their personal or banking info.

Users & Groups

  • Groups are required; that is how you assign campaigns to users.
  • Users can be hand-entered or bulk-imported into groups.
  • A simple CSV like this is used:
First Name,Last Name,Email,Position
Example,User,foobar@example.com,Systems Administrator
Example2,User2,foobar2@example.com,End User
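GoPhish imports whatever addresses are in the file, so it is worth checking the list before uploading it. The following is an added example, not from the original post or the GoPhish project: a small POSIX shell/awk check that the header is exactly what GoPhish expects, every row has four fields, every address is in the domain you are authorised to test, and nobody appears twice. The domain example.com and the rows in the sample file are made up for the demonstration.

```shell
#!/bin/sh
# Added example: pre-import sanity check for a GoPhish group CSV
# (not from the original post).  Quoted fields containing commas are not
# handled; the simple file format above does not use them.

# check_targets_csv FILE DOMAIN
# Prints one line per problem and returns 1 if any were found, 0 otherwise.
check_targets_csv() {
  awk -F, -v domain="$2" '
    { sub(/\r$/, "") }                       # tolerate CRLF files
    NR == 1 {
      if ($0 != "First Name,Last Name,Email,Position") {
        print "line 1: header must be First Name,Last Name,Email,Position"; bad++
      }
      next
    }
    /^[ \t]*$/ { next }                      # skip blank lines
    NF != 4 { printf "line %d: expected 4 fields, got %d\n", NR, NF; bad++; next }
    {
      email = tolower($3)
      sub(/^[ \t]+/, "", email); sub(/[ \t]+$/, "", email)
      if (email !~ /^[^@ \t]+@[^@ \t]+$/) {
        printf "line %d: %s is not an address\n", NR, $3; bad++; next
      }
      split(email, parts, "@")
      if (parts[2] != tolower(domain)) {
        printf "line %d: %s is outside %s\n", NR, email, domain; bad++; next
      }
      if (email in seen) { printf "line %d: duplicate %s\n", NR, email; bad++; next }
      seen[email] = NR
    }
    END { exit (bad > 0 ? 1 : 0) }
  ' "$1"
}

# Constructed sample with two problems: a contractor outside the domain and a
# duplicate of the first row (same address, different case).
sample_targets_csv() {
  cat <<'EOF'
First Name,Last Name,Email,Position
Example,User,foobar@example.com,Systems Administrator
Example2,User2,foobar2@example.com,End User
Outside,Contractor,someone@contractor.example.net,Vendor
Example,User,FooBar@Example.com,Systems Administrator
EOF
}

# Run the check over the sample and print how many rows were flagged.
count_sample_problems() {
  f="${TMPDIR:-/tmp}/targets.$$.csv"
  sample_targets_csv > "$f"
  n=$(check_targets_csv "$f" example.com | wc -l | tr -d ' ')
  rm -f "$f"
  echo "$n"
}
```

Run it as check_targets_csv targets.csv yourdomain.example before importing; an exit status of 1 means at least one row needs fixing, and the printed lines say which. Keeping out-of-scope addresses from ever reaching the group is the point: GoPhish will send to anything you import.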

Campaigns

  • Click New Campaign.
  • Choose an email template.
  • Choose a landing page.
  • URL: put in the URL of your GoPhish server. For now this only works inside the network, on the IP; we will address this later in this doc.
  • Set a launch date and time, or leave it blank to send immediately.
  • Choose a sending profile.
  • Choose a group.

Working from Outside the Network

It's all fine and dandy as long as your users never leave your network. Now we have to get it working the same inside and outside the network. This means no more 10.10.10.x addresses; we have to start using DNS names.

Get a new domain

I didn't want my emails or the landing pages to reference my work domain at all.

  • I went out and got a new freebie domain from noip.com. Simple registration process, and I now own a me.outsidename domain.
  • I then pointed that at an IP inside my network. Now me.outsidename was available outside my network.
  • I added me.outsidename to my local network DNS so that it resolved to the internal IP. That way machines were not going out my fiber and back in to get to the GoPhish server.

Campaign using new domain

Make a campaign just like above, but this time put me.outsidename:80 in the URL field. This makes it so that the user can be tracked both inside and outside your network.

Safe Browsing – Deceptive site ahead

Chrome throws up a big red flag stating that me.outsidename is a phishing site. This is because I force Safe Browsing out to all my users. If you don't force/use Safe Browsing, then users will go to the fake login page.
There is a setting in Google Admin to allow a site to be ignored by Safe Browsing, but this seemed to have no effect.
Not getting to the fake login page means I can't see who would actually have filled out their username and password (remember, do not collect passwords). I think not having that metric is not a big deal; it's more important to know who clicked on the link.
I changed the links in the email template to bypass the landing page, thus eliminating the Google warning and taking them right to the training video about spam. However, this did not register as a click. So I have two choices:
1) collect link clicks and send them to the red Google warning page
2) edit the links to send them to the training video, but not know who clicked.

That's it. You now have a GoPhish server. It's not ideal with Safe Browsing, but it's still a good tool for end-user training.
