Safeguards for the IT infrastructure often neglect email as an attack vector. Although most companies run a spam filter, they pay far too little attention to phishing, and many companies have already fallen victim to data theft, espionage, and sabotage. The industry association Bitkom estimates the annual damage to German institutions by these attacks, which are carried out in an increasingly professional manner, at more than EUR 200 billion (~$163 billion) [1].

Although most companies focus their security campaigns on hardening their own infrastructures, they overlook the fact that the real threats lurk elsewhere: 85 percent of cybersecurity breaches are due to human error, and 94 percent of all malware finds its way to its recipient by email. More than 80 percent of security-related events are phishing attacks. Attackers have long since stopped focusing on seemingly attractive corporations and large companies and are increasingly targeting small and medium-sized enterprises (SMEs), which are targeted by attackers precisely because they invest significantly less in their security architecture, whether by choice or because of budget restrictions.

The consequences of these findings is that companies need to invest more in their email security; in particular, protection against phishing attacks need significant improvement. This is where phishing penetration testing comes in: Gophish [2] provides an open source framework for precisely this task.

Gophish at a Glance

In view of the huge relevance of the phishing problem and the associated threat situation, surprisingly, most companies rely on extensions of established filter programs (e.g., SpamAssassin) that typically use plugins to combat phishing. However, it is not enough to filter out critical messages; instead, IT managers need to check their own infrastructures for vulnerabilities. Dynamic environments and temporarily logged-in clients such as field workers' notebooks, tablets, and smartphones pose a particular challenge.

The Gophish framework lets you simulate phishing attacks, enabling phishing training for any type of organization. Gophish is written in the Go programming language, and the central benefit is that the compiled binaries do not have any dependencies.

Getting Started

You can simply download and run the software – no installation required. In the case of a source code-based installation, you need to configure the interaction with a MySQL server, and you also need SSL certificates and private keys. Finally, you need to make various adjustments (e.g., to the IP address and port configuration) in the config.json file in the root directory of the Gophish installation. Compiled packages for Linux, macOS, and Windows are available for download [3]. To get started, simply unpack and start the Gophish server.

Penetration testers usually turn to Kali Linux for their work, although Gophish is not preinstalled in Kali. To install, download and unzip Gophish to a directory of your choice, and then assign the required permissions:

chmod +x gophish

Configuration is adjusted by editing the config.json file. In addition to the IP address, you need to specify the paths to the SSL keys and certificates. To start the application, type:

./gophish

The implementation of a phishing campaign comprises three steps: (1) generate the templates and determine the targets, (2) send the phishing email on its way – staggering the timing between messages, if necessary, (3) track the results, which Gophish visualizes in real time on its dashboard.

Preparing a Campaign

On Windows you launch the environment by running gophish.exe; on macOS and Linux, use the binaries for your choice of OS. By default, the web interface can be accessed on https://127.0.0.1:3333/ . The username is admin , and the password is output on the console. Before you can access the Administration Center, you need to define a new password, after which, the environment is at your disposal. During the initial installation, Gophish tells you that you don't have a campaign yet.

The first step is to create a sending profile by switching to the Sending Profiles menu and creating an initial configuration in New Profile . The description in Figure 1 uses a virtual machine (VM) on 192.168.178.100 and is the sender of the phishing email. Now assign the typical data for sending email to this sender, which will then wait for messages on the specified address. It is important that you use a valid send port. You can also use a custom header.

Figure 1: The phishing test starts by creating a sender profile.

If you are just starting out, it is a good idea to send a test email to check the functionality by clicking Send Test Email . A click on Save Profile lets you save the initial profile configuration.

Before launching a phishing campaign, you need to define the targets, for which you can use various tools. If you want to collect email addresses from public information to simulate as realistic a scenario as possible, you can turn to open source intelligence (OSINT), for example. To test the local infrastructure, you need the local email addresses. Regardless of the data source, you need to create an initial group in the Users & Groups menu by clicking on New Group . Assign a name and save the addresses of your target group. The easiest way to do this is to use the bulk import function with a CSV file. For the import to work, it needs First Name, Last Name, Email Address, and Position header values. You can also create some test receivers manually. Click Save changes to save the group.