How to simulate phishing emails for employee training — GoPhish
Introduction
Cyber-attacks have increased significantly during the pandemic, and if you are the security lead for your company with a limited budget, you may have to work miracles with the open source tools available on the market. In this article you will learn how to use GoPhish to simulate an email phishing campaign in order to train your employees and measure their awareness level.
Go Phish
GoPhish is an open source tool that lets us simulate phishing campaigns in a controlled environment. It lets you create realistic-looking emails and track how many employees opened an email and submitted their credentials to your own crafted fake website.
Installation
Download the tool for your OS from https://getgophish.com (in my case: Windows 64-bit). Then find the executable; in my case it is gophish.exe.
Once started, the admin interface will be running on localhost:3333.
The default username is admin, and the initial password can be found in the logs when you run the application for the first time. In my case:
You will then be prompted to change the password.
How does it work?
First we need to create some email templates, depending on our goals; after that we can create a campaign to keep track of our phishing emails. The template is basically the fake mock-up of our email.
Click Email Templates > New Template.
In my case I am going to clone an email that I received from Amazon. To do this, go to your inbox, locate an email (in my case Amazon recommendations), open it, click the three dots, choose Show Original / Show Raw and copy the source code.
Once the source code is copied, go back to your email template, give it a name and click Import Email.
Paste the raw code and click Import. After doing this you will see the exact same email in the preview section. At this point we could create a defacement or a phishing website that asks for credentials and start harvesting Amazon accounts; click Source and you can start modifying the embedded links.
Now click Save and our first email template is created. Next we need a landing page, which can be a fake Amazon login page: you can build one yourself or copy the real one by importing it from its URL. Since we are using Amazon, I went to the login page and pasted its URL; here is the result.
Be careful with the Capture Submitted Data and Capture Passwords options. This is done here just for learning purposes; if you are auditing your employees it is better to skip the Capture Passwords part, since those passwords are stored in plain text.
Setting up SMTP server
Now we need to create the sending profile. This is the SMTP server, with the fake sender address, that will send the fake emails, and it is the most technical part. I created mine on a CentOS VM using MailHog (https://github.com/mailhog/MailHog); also remember to configure the SMTP JSON file according to your targets. Here is a good extra reference you may need for installing Go, and do not forget to install Git as well: https://linuxize.com/post/how-to-install-go-on-centos-7/
If, like me, you are running GoPhish on Windows and MailHog on CentOS, you may have to check the bridged network connection and the firewall rules on the CentOS VM. Once that is done you should be able to reach the SMTP server's page from Windows.
Creating groups and targets
Now let's create the group of targets. You can import it from a CSV file or enter each target manually.
Now we are all set. Let's create our campaign; this is the final step, in which all the fake emails are sent in bulk so that we can track them!
Here you can track the progress of your campaign, reach out to each specific employee who opened the email or submitted data to the fake website, and give them further training.
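To turn the campaign page into awareness metrics and a follow-up list, the script below summarises exported campaign results. It is an added example, not part of the original post or of GoPhish itself; the JSON is a constructed sample in the shape I assume GoPhish's campaign results endpoint returns (per-recipient `status` and `reported` fields), and it deliberately never looks at any captured credentials.

```python
import json
from collections import Counter

# Constructed sample shaped like a GoPhish campaign results export
# (field names are an assumption about the API, not taken from the article).
SAMPLE_RESULTS = json.dumps({
    "id": 1,
    "name": "Amazon recommendations - awareness test",
    "results": [
        {"email": "alice@example.com", "position": "Finance",
         "status": "Email Sent", "reported": False},
        {"email": "bob@example.com", "position": "Sales",
         "status": "Email Opened", "reported": True},
        {"email": "carol@example.com", "position": "HR",
         "status": "Clicked Link", "reported": False},
        {"email": "dave@example.com", "position": "IT",
         "status": "Submitted Data", "reported": False},
        {"email": "erin@example.com", "position": "Sales",
         "status": "Submitted Data", "reported": True},
    ],
})

# Recipient outcomes, ordered from least to most concerning.
STATUS_RANK = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]


def summarize_campaign(results_json):
    """Compute cumulative rates and the list of people who need follow-up training."""
    data = json.loads(results_json)
    results = data["results"]
    total = len(results)
    counts = Counter(r["status"] for r in results)

    def at_least(stage):
        # A later stage implies the earlier ones (you must open to click),
        # so each rate counts that stage and everything beyond it.
        idx = STATUS_RANK.index(stage)
        return sum(counts[s] for s in STATUS_RANK[idx:])

    reported = sum(1 for r in results if r.get("reported"))
    # Anyone who clicked or submitted gets individual training; the
    # submitted payload itself is never read here, only the status.
    needs_training = sorted(r["email"] for r in results
                            if r["status"] in ("Clicked Link", "Submitted Data"))
    return {
        "campaign": data["name"],
        "recipients": total,
        "opened_rate": round(at_least("Email Opened") / total, 2),
        "click_rate": round(at_least("Clicked Link") / total, 2),
        "submit_rate": round(at_least("Submitted Data") / total, 2),
        "report_rate": round(reported / total, 2),
        "needs_training": needs_training,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_campaign(SAMPLE_RESULTS), indent=2))
```

The report rate is the number to celebrate: employees who reported the email, even after opening it, are the ones the training is working for.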
Here is how it looks in our SMTP server!
And here is how it looks in our inbox!!!
The images are not loaded, and that can be fixed easily, but this will be good homework for your team! This post was made for learning purposes only; please use this only in a controlled environment and never for evil tasks.
I hope you enjoyed this article!