Cybersecurity awareness among end users is one of the key factors that decide the security posture of a company. Testing your employees' response to a phishing mail tells your organization how vulnerable it is to potential attackers.
In today's article, we will discuss what a phishing assessment is and give a step-by-step guide on how to install the phishing assessment tool 'Gophish'.
What Is a Phishing Assessment?
Phishing assessment is a proactive security measure that simulates real-world phishing attacks to evaluate an organization’s susceptibility to such attacks. It involves creating mock phishing emails, links, or messages that mimic the tactics employed by cybercriminals. These simulated attacks are sent to employees within the organization to assess their response and determine their level of awareness regarding phishing threats. This information enables organizations to take proactive measures to strengthen their security posture, such as implementing additional security controls, enhancing training programs, or updating policies and procedures.
Regular exposure to simulated phishing attacks trains employees to identify suspicious emails, links, or messages and empowers them to make informed decisions regarding cybersecurity threats.
What Is a Phishing Assessment Tool?
A phishing assessment tool is a software application or platform designed to simulate phishing attacks and assess the susceptibility of individuals or organizations to them. Security professionals mainly use these tools to measure the phishing awareness of an organization's employees.
Phishing assessment tools create simulated phishing campaigns that imitate real-world phishing attacks. They can send phishing emails or text messages to a targeted group of users within an organization. These simulated attacks are carefully crafted to mimic actual phishing attempts, but instead of capturing sensitive data, they measure user responses and behaviors.
Why Is Gophish Preferred for Phishing Assessment?
Gophish is a widely recognized and open-source phishing assessment tool designed to help organizations evaluate their susceptibility to phishing attacks. Gophish is written in the Go programming language and is very easy to install and set up.
Being open source, Gophish is very flexible to changes and modifications. We can change its source code and configuration to avoid being detected by an email gateway. Gophish is also simple to use and makes our life much easier by automating most of our tasks. For instance, we don't have to create a phishing page from scratch: we give Gophish the URL of the original page we want to clone, and it imports the page for us. We then only need to make minor changes to its HTML and tune it to our needs. Gophish also helps analyze the results of the assessment and provides a clear graphical representation of how successful it was.
A Virtual Private Server (VPS) is mandatory for installing Gophish, so before proceeding we should find a suitable one. If you are not aware of what a VPS is, keep reading.
What Is a Virtual Private Server?
A Virtual Private Server (VPS) is a virtualized server environment created by partitioning a physical server into multiple virtual instances. Each virtual instance operates independently, functioning as a self-contained server with its own dedicated resources, operating system, and allocated storage space.
Unlike shared hosting, where multiple websites or applications share the same server resources, a VPS provides users with a private and isolated environment. While the physical server’s resources, such as CPU, RAM, and storage, are shared among the virtual instances, each VPS operates as an independent server, offering a higher level of performance, security, and customization options.
How to Install the Phishing Assessment Tool ‘Gophish’?
Installation of Gophish can be divided into two parts:
- Set up a Virtual private server
- Download and install Gophish
Set up a Virtual Private Server:
In this demo, we are going to set up a VPS with a well-known provider, Digital Ocean. You are free to choose your own VPS provider. We chose Digital Ocean because of its low pricing plans and because it is very simple to use and set up. As of today, Digital Ocean charges on an hourly basis, so it is easy on our pocket.
Once we have created the account, we move on to "Create a Droplet."
For our purpose, we are not going to host a whole website, so the basic plan fits our needs.
Picture 1: Droplet Type from Digital Ocean
Go ahead, set a very strong SSH password, since this server will be exposed to the internet, and create your droplet.
Picture 2: Digital Ocean Ubuntu Droplet
In less than a minute, your droplet will be created. Once done, you can log in as root using the password you set while creating the droplet.
Picture 3: SSH Login screen of the Ubuntu Droplet
Download and install Gophish
Time needed: 10 minutes.
- Download Gophish
You can download Gophish from its official GitHub repo, linked from https://getgophish.com/. Go to the Gophish download page and copy the link to the 64-bit Linux zip file.
Then SSH into the VPS and download the zip file with the wget command.
- Unzip the downloaded file
Once it has downloaded successfully, we have to unzip it.
# unzip gophish-v0.12.1-linux-64bit.zip
In most Linux distributions, unzip is not part of the default installation. If you don't have it, install it with the apt utility and then unzip the file.
# apt install unzip
Once done, we no longer need the zip file, so it can be deleted. Also, to run the Gophish application without interruption, I am going to use the tmux tool. With tmux we can keep Gophish running in a detached session while working on other tasks on the VPS (tmux appears to be installed by default on our machine).
- Configure hostname to access
Now, before starting the application, we have to make one important change. By default Gophish listens on localhost only. To reach the admin panel from outside, we have to change localhost to our VPS public IP in the config.json file.
As you can see, I have changed the admin_server and phish_server listen URLs to 0.0.0.0, changed the port numbers to my desired values, and set use_tls to true. You can also change the IP from 0.0.0.0 to your VPS public IP.
Now all is set to run the Gophish server.
- Start Gophish
To start the Gophish application, we first create a new tmux session with the command:
# tmux new -s gophish
(gophish is the name I have given to my tmux session)
Now that we are attached to the new session, we first give gophish execution permission and then run it.
# chmod +x gophish
# ./gophish
- Set admin password
On first run, Gophish generates an initial admin password, which we have to change as soon as we log in. We can now log in to the admin server, which in our case is running on port 43333.
That's it, our phishing environment is ready. Note that you may see a warning in your browser; this is because we have no SSL certificate yet, and the browser warns that the communication is not secure. Installing an SSL certificate removes the warning. In an upcoming post, "How to Conduct a Successful Phishing Assessment", we'll show you how to set up a free SSL certificate to make it look secure.
To stop the application, press ctrl+c. To leave the tmux session without stopping Gophish, press ctrl+b and then d to detach. To attach again to the same session, use this command:
# tmux a -t gophish
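The download, unzip, config.json and tmux steps above, gathered into one script as an added example; this is not code from the article or from the Gophish project. It assumes that config.json has the admin_server/phish_server layout shown in the constructed sample (modelled on a fresh Gophish config), that the zip URL is passed in from the download page rather than hard-coded, and that the helper names (write_sample_config, get_listen_url, set_listen_url, set_use_tls, admin_is_public, install_gophish, start_gophish) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article or the Gophish project).
# Helpers for the install steps: fetch and unpack the release, edit config.json,
# check what the admin panel will be exposed to, and start Gophish in tmux.
set -eu

# Constructed sample that mirrors the layout of a fresh Gophish config.json
# (only the keys the article edits matter here).
write_sample_config() {
  cat > "$1" <<'EOF'
{
  "admin_server": {
    "listen_url": "127.0.0.1:3333",
    "use_tls": true,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key",
    "trusted_origins": []
  },
  "phish_server": {
    "listen_url": "0.0.0.0:80",
    "use_tls": false,
    "cert_path": "example.crt",
    "key_path": "example.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db"
}
EOF
}

# get_listen_url CONFIG SECTION -> prints the listen_url of admin_server or phish_server.
# The sed range "/SECTION/,/}/" limits the match to the lines of that one section.
get_listen_url() {
  sed -n "/\"$2\"/,/}/ s/.*\"listen_url\": \"\([^\"]*\)\".*/\1/p" "$1"
}

# set_listen_url CONFIG SECTION HOST:PORT -> rewrites listen_url in that section only.
set_listen_url() {
  sed "/\"$2\"/,/}/ s|\"listen_url\": \"[^\"]*\"|\"listen_url\": \"$3\"|" "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

# get_use_tls / set_use_tls CONFIG SECTION [true|false]
get_use_tls() {
  sed -n "/\"$2\"/,/}/ s/.*\"use_tls\": \([a-z]*\).*/\1/p" "$1"
}
set_use_tls() {
  sed "/\"$2\"/,/}/ s/\"use_tls\": [a-z]*/\"use_tls\": $3/" "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

# admin_is_public CONFIG -> exit 0 when the admin panel is bound to a non-loopback
# address, i.e. its login page will be reachable from the internet.
admin_is_public() {
  case "$(get_listen_url "$1" admin_server)" in
    127.0.0.1:*|localhost:*) return 1 ;;
    *) return 0 ;;
  esac
}

# install_gophish URL -> download, unzip, delete the zip, make the binary executable.
# URL is the 64-bit Linux zip link copied from the download page (assumed input).
install_gophish() {
  zip=$(basename "$1")                         # e.g. gophish-v0.12.1-linux-64bit.zip
  command -v unzip >/dev/null || apt install -y unzip
  wget -q "$1"
  mkdir -p gophish && unzip -o "$zip" -d gophish
  rm -f "$zip"
  chmod +x gophish/gophish
}

# start_gophish ADMIN_PORT -> apply the article's config edits, then launch Gophish
# inside a detached tmux session named "gophish" (reattach with: tmux a -t gophish).
start_gophish() {
  cfg=gophish/config.json
  set_listen_url "$cfg" admin_server "0.0.0.0:$1"
  set_use_tls "$cfg" admin_server true
  if admin_is_public "$cfg"; then
    echo "note: admin panel on 0.0.0.0:$1 is internet-reachable; restrict it with a firewall" >&2
  fi
  tmux new -d -s gophish 'cd gophish && ./gophish'
}

# Usage on the VPS: sh gophish_setup.sh install <zip-url> 43333
if [ "${1:-}" = "install" ]; then
  install_gophish "$2"
  start_gophish "${3:-43333}"
fi
```

The admin_is_public check is the caveat worth keeping in mind: binding the admin server to 0.0.0.0 puts the Gophish login page on the public internet. A lower-exposure alternative is to leave listen_url at 127.0.0.1:3333 and reach the panel through an SSH port forward (ssh -L 3333:127.0.0.1:3333 root@<vps-ip>, then browse to https://localhost:3333), which keeps only SSH and the phishing landing port exposed.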
In today's article, we went into detail on what a phishing assessment is and gave a step-by-step guide on how to install the phishing assessment tool 'Gophish'. In the next article, we will dive into how to conduct an entire phishing exercise from scratch using Gophish.