Context: When a “Real Attack” Beats a Training Slide Deck
After a few years as a sysadmin, I came to a rather blunt realization: employees can sit through a two-hour security presentation and still click a phishing link two weeks later. Theoretical training isn’t enough — people need real experience to actually internalize the lesson.
That’s why I started using Gophish — an open-source tool for running internal phishing simulations in-house. Instead of paying thousands of dollars a year for an external service, you can deploy and run campaigns yourself on your company’s own VPS.
With Gophish, you can accomplish some genuinely practical things:
- Create controlled phishing emails
- Build landing pages cloned from real login pages
- Track who clicks, who submits forms, and who proactively reports suspicious emails
- Export reports to analyze vulnerability patterns by department
Disclaimer: For internal use only — written authorization from management is required. Using this beyond that scope is illegal.
Installing Gophish on Linux
System Requirements
- Ubuntu 20.04+ or Debian 11+ (any distro with systemd works)
- Minimum 1 CPU, 1GB RAM — but 2GB is more comfortable
- A dedicated domain or subdomain (recommended to make campaigns more convincing)
- Port 3333 (admin panel), 80/443 (phishing server)
Download and Install
Gophish is distributed as a single statically linked Go binary, so there is no runtime or package dependency to install. The release zip also contains config.json and the static/, templates/ and db/ directories the binary expects to find next to it, so keep the unpacked tree together:
# Create a dedicated system user to run Gophish (principle of least privilege)
sudo useradd -r -s /bin/false gophish
# Create the install directory
sudo mkdir -p /opt/gophish
# Download the release archive somewhere writable (check the latest version at github.com/gophish/gophish/releases)
cd /tmp
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
# Unpack into /opt/gophish (needs root because the directory is root-owned; install unzip first if missing)
sudo unzip gophish-v0.12.1-linux-64bit.zip -d /opt/gophish
rm gophish-v0.12.1-linux-64bit.zip
# Lock down ownership and permissions: only the gophish user needs to read config.json and the database
sudo chown -R gophish:gophish /opt/gophish
sudo chmod 750 /opt/gophish
sudo chmod +x /opt/gophish/gophish
Edit config.json Before Starting
Open config.json and confirm that the admin server is bound to loopback and the phishing server to all interfaces (the file shipped in the zip already carries these defaults):
{
"admin_server": {
"listen_url": "127.0.0.1:3333",
"use_tls": true,
"cert_path": "gophish_admin.crt",
"key_path": "gophish_admin.key"
},
"phish_server": {
"listen_url": "0.0.0.0:80",
"use_tls": false,
"cert_path": "example.crt",
"key_path": "example.key"
},
"db_name": "sqlite3",
"db_path": "gophish.db"
}
I bind the admin server to 127.0.0.1 so it is reachable only through an SSH tunnel. Never expose the admin panel to the public internet. From your local machine, open the tunnel and then browse to https://127.0.0.1:3333 (the admin certificate is self-signed and generated on first start, so expect a browser warning). If you serve the landing page over HTTPS, set phish_server.use_tls to true and point cert_path and key_path at a certificate for the phishing domain; a login page on plain HTTP is itself a red flag for attentive users.
ssh -L 3333:127.0.0.1:3333 user@your-server-ip
Create a systemd Service
sudo nano /etc/systemd/system/gophish.service
[Unit]
Description=Gophish Phishing Framework
After=network.target
[Service]
Type=simple
User=gophish
Group=gophish
WorkingDirectory=/opt/gophish
ExecStart=/opt/gophish/gophish
# The phishing server binds port 80 while the service runs unprivileged, so grant only
# the capability needed to bind a low port instead of running the whole process as root
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable gophish
sudo systemctl start gophish
# On first run, retrieve the temporary password from the logs
sudo journalctl -u gophish | grep -i "password"
After logging in for the first time, change the admin password immediately. I usually use the password generator at toolcraft.app to create strong passwords for servers — it runs entirely in the browser, so there’s no risk of your password being exposed over the network during generation.
Detailed Configuration: Building Your First Phishing Campaign
1. Sending Profile — SMTP Configuration
Misconfigured SMTP is the number one reason campaigns fail right out of the gate — emails never reach the inbox, or get filtered as spam before anyone sees them. Practical options:
- Mailgun/SendGrid: Easy to set up, free trial available, good deliverability
- Internal SMTP: If your company has its own mail server, emails look far more trustworthy. Keep in mind that relaying through your own server skips the inbound filtering a real attacker would have to get past, so the result measures the people, not the mail gateway
- VPS + Postfix: Full control, but requires careful SPF/DKIM configuration to avoid spam filters
In the admin panel: Sending Profiles → New Profile
Name: Mailgun (external relay)
Interface Type: SMTP
Host: smtp.mailgun.org:587
Username: [email protected]
Password: [SMTP password]
From: IT Security Team <[email protected]>
The From domain must be one you control and have verified with the provider, with SPF and DKIM records published for it; otherwise the recipients' mail gateway quarantines the campaign before a single click is recorded. Click Send Test Email to verify before creating a real campaign, and inspect the headers of the test message: Gophish stamps X-Mailer: gophish by default, which mail filters and alert blue teams recognise, so add a custom header in the profile to override it if the delivery path is supposed to resemble a real attack.
2. Landing Page — Fake Page
Gophish has a feature to import landing pages directly from real URLs, which is extremely convenient:
- Go to Landing Pages → New Page
- Enter the URL of the login page you want to spoof (e.g., an Office 365 login page or an internal system)
- Click Import Site
- Enable Capture Submitted Data. Enable Capture Passwords only if the written authorization explicitly covers it: Gophish stores captured passwords in cleartext in its SQLite database, and the goal is to learn who submitted, not what they typed
- Set the redirect URL after submission to point to the real login page so users don't immediately get suspicious
3. Email Templates
Templates should look convincing but still include a few telltale signs that careful users can spot:
<!-- Example: spoofed HR email notifying about salary confirmation.
     The subject goes in the template's separate Subject field, not in the HTML body. -->
Subject: [Important] Confirm Your June Salary Details Before 06/30
<p>Dear {{.FirstName}},</p>
<p>HR needs you to confirm your account information to process your
June payroll. Please log in and update before
<strong>06/30/2026</strong>.</p>
<p><a href="{{.URL}}">Confirm Here Now</a></p>
<!-- Open tracking only works if the tracking pixel is in the template; the editor's
     "Add Tracking Image" button inserts it, or add it by hand: -->
{{.Tracker}}
Gophish replaces {{.URL}} with a per-recipient tracking link (the rid parameter identifies who clicked), {{.FirstName}} with the name from your target list, and {{.Tracker}} with a one-pixel image that fires the Email Opened event. Keep the link as {{.URL}}: a hard-coded address breaks attribution, and a template without {{.Tracker}} never records opens.
4. Users & Groups — Target List
Import your employee list via CSV:
First Name,Last Name,Email,Position
Nguyen,Van A,[email protected],Developer
Tran,Thi B,[email protected],Accountant
Le,Van C,[email protected],Manager
Go to Users & Groups → New Group → Upload CSV.
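Both the template and the target list are worth linting offline before they go anywhere near the admin panel: a stray external address in the CSV is a scope violation, and a template without its placeholders produces a campaign that cannot attribute anything. The script below is an added example, not part of Gophish or of this post's original material. It assumes the CSV uses the Gophish import header shown above and that open tracking depends on the {{.Tracker}} placeholder; the sample CSV and template are constructed to contain the mistakes it looks for.

```python
import csv
import io
import re

# Header row Gophish expects on CSV import (matches the Users & Groups upload).
REQUIRED_COLUMNS = ["First Name", "Last Name", "Email", "Position"]
# Placeholders Gophish substitutes per recipient: {{.URL}} is the tracked link,
# {{.Tracker}} is the open-tracking pixel. Without them the dashboard cannot
# attribute clicks or opens to anyone.
REQUIRED_PLACEHOLDERS = ["{{.URL}}", "{{.Tracker}}"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def lint_targets(csv_text, allowed_domains):
    """Return a list of problems found in a Gophish target CSV.

    allowed_domains is the set of mail domains covered by the written
    authorisation; any other domain is flagged so a stray external address
    never receives a test email.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in fieldnames]
    if missing:
        return ["missing column(s): " + ", ".join(missing)]
    problems, seen = [], set()
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        email = (row.get("Email") or "").strip().lower()
        if not EMAIL_RE.match(email):
            problems.append(f"line {lineno}: malformed email {email!r}")
            continue
        domain = email.rsplit("@", 1)[1]
        if domain not in allowed_domains:
            problems.append(f"line {lineno}: {email} is outside the authorised scope")
        if email in seen:
            problems.append(f"line {lineno}: duplicate address {email}")
        seen.add(email)
        if not (row.get("First Name") or "").strip():
            problems.append(f"line {lineno}: empty First Name, the greeting will render blank")
    return problems


def lint_template(html):
    """Return a list of problems with a custom HTML email template."""
    problems = [f"template lacks {ph}" for ph in REQUIRED_PLACEHOLDERS if ph not in html]
    # A literal link bypasses per-recipient tracking, so nothing gets attributed.
    if re.search(r'href="https?://', html):
        problems.append("template contains a hard-coded link instead of {{.URL}}")
    return problems


# Constructed sample inputs (not real employee data): the CSV deliberately
# contains a case-variant duplicate, an out-of-scope partner address and a
# malformed row; the template deliberately omits the tracking pixel.
SAMPLE_CSV = """First Name,Last Name,Email,Position
Nguyen,Van A,van.a@example.com,Developer
Tran,Thi B,thi.b@example.com,Accountant
Tran,Thi B,THI.B@example.com,Accountant
Le,Van C,van.c@partner.example,Manager
,Van D,not-an-email,Engineer
"""

SAMPLE_TEMPLATE = """<p>Dear {{.FirstName}},</p>
<p>HR needs you to confirm your account information before 06/30.</p>
<p><a href="{{.URL}}">Confirm Here Now</a></p>
"""

if __name__ == "__main__":
    for problem in lint_targets(SAMPLE_CSV, {"example.com"}) + lint_template(SAMPLE_TEMPLATE):
        print(problem)
```

Run it against the real export from HR and the template you pasted into the editor; an empty list from both functions is the go signal for the upload.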
5. Launch the Campaign
- Go to Campaigns → New Campaign
- Fill in the name, select your Email Template, Landing Page, Sending Profile, and User Group
- Launch Date: Schedule it for Monday morning at the start of the week, when people are just getting back to work and their guard is down. Use Send Emails By to spread delivery over an hour or two so a burst of identical messages doesn't trip the mail gateway
- URL: enter your phishing server domain (e.g., http://phish.yourdomain.com). Gophish prefixes every tracking link with this value, so it must resolve to this server
- Click Launch Campaign
Checking & Monitoring Results
Real-time Dashboard
Opening the dashboard lets you see everything happening in real time, from the moment an email leaves the server to when someone enters their password on the fake page. There are five tracked events:
- Email Sent: Gophish handed the message to the SMTP server. This is not proof it reached an inbox; a message filed to the spam folder still counts as sent
- Email Opened: The user's mail client loaded the hidden tracking pixel. Clients that block remote images never trigger this, so opens are always undercounted
- Clicked Link: The user clicked the tracking link in the email
- Submitted Data: The user entered information on the landing page
- Email Reported: The user reported the email as suspicious through a report button or mail add-in that calls the campaign's report URL
A campaign I ran for a team of ~50 people produced some eye-opening results:
- ~70% opened the email
- ~35% clicked the link
- ~20% submitted the form (entered credentials on the fake page)
- Only 3 people proactively reported the suspicious email
These numbers aren’t unusual — according to various enterprise security surveys, click rates on first-time campaigns typically fall in the 20–40% range. That’s exactly why regular simulations are necessary, not a one-time exercise.
Pull Data via API for Deeper Analysis
# Gophish exposes a full REST API; the API key is under Settings in the admin panel
# -k skips verification of the self-signed admin certificate (the request travels over the SSH tunnel)
curl -k -H "Authorization: Bearer YOUR_API_KEY" \
https://127.0.0.1:3333/api/campaigns/1/results
With the returned JSON, you can write a Python script to analyze results by department, job title, or time of click — very valuable when reporting findings to management.
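As a concrete version of that analysis, here is an added Python example (not part of Gophish or of the original post). The JSON is a constructed sample shaped like the /api/campaigns/{id}/results response, using the status, position and reported fields of each results entry and the message and time fields of the timeline; the people and timestamps are invented.

```python
import json
from collections import defaultdict

# Gophish result statuses in funnel order. A recipient's "status" field holds
# the furthest stage they reached, so a "Submitted Data" row implies the
# earlier stages too; "Error" means the SMTP hand-off failed.
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]


def funnel_by_position(results_json):
    """Count recipients per position at every funnel stage up to the one they
    reached, plus separate "reported", "error" and "total" counts."""
    data = json.loads(results_json)
    blank = lambda: {**{s: 0 for s in FUNNEL}, "reported": 0, "error": 0, "total": 0}
    table = defaultdict(blank)
    for r in data["results"]:
        row = table[r.get("position") or "Unknown"]
        row["total"] += 1
        if r["status"] in FUNNEL:
            for stage in FUNNEL[: FUNNEL.index(r["status"]) + 1]:
                row[stage] += 1
        else:
            row["error"] += 1
        if r.get("reported"):
            row["reported"] += 1
    return dict(table)


def rates(row):
    """Percentage of successfully sent emails that reached each later stage."""
    sent = row["Email Sent"] or 1  # avoid division by zero for all-error groups
    return {stage: round(100.0 * row[stage] / sent, 1) for stage in FUNNEL[1:]}


def click_hours(results_json):
    """Histogram of 'Clicked Link' events by UTC hour from the campaign timeline,
    handy for showing management when people are most exposed."""
    hours = defaultdict(int)
    for event in json.loads(results_json).get("timeline", []):
        if event["message"] == "Clicked Link":
            hours[int(event["time"][11:13])] += 1  # RFC 3339 "YYYY-MM-DDTHH:MM:SS..."
    return dict(hours)


def report(results_json):
    """One summary line per position, worst submit rate first."""
    rows = funnel_by_position(results_json)
    lines = []
    for position, row in sorted(rows.items(), key=lambda kv: -rates(kv[1])["Submitted Data"]):
        pct = rates(row)
        lines.append(f"{position:<12} sent={row['Email Sent']:<3} opened={pct['Email Opened']}% "
                     f"clicked={pct['Clicked Link']}% submitted={pct['Submitted Data']}% "
                     f"reported={row['reported']} errors={row['error']}")
    return lines


# Constructed sample modelled on the /api/campaigns/{id}/results response
# (field names follow the Gophish API; people and times are invented).
SAMPLE_RESULTS = json.dumps({
    "id": 1,
    "name": "Payroll confirmation (test)",
    "results": [
        {"email": "a@example.com", "position": "Developer", "status": "Clicked Link", "reported": False},
        {"email": "b@example.com", "position": "Developer", "status": "Email Opened", "reported": True},
        {"email": "c@example.com", "position": "Accountant", "status": "Submitted Data", "reported": False},
        {"email": "d@example.com", "position": "Accountant", "status": "Submitted Data", "reported": False},
        {"email": "e@example.com", "position": "Manager", "status": "Email Sent", "reported": False},
        {"email": "f@example.com", "position": "Manager", "status": "Error", "reported": False},
    ],
    "timeline": [
        {"email": "", "time": "2026-06-15T08:00:00Z", "message": "Campaign Created", "details": ""},
        {"email": "a@example.com", "time": "2026-06-15T08:12:33Z", "message": "Clicked Link", "details": ""},
        {"email": "c@example.com", "time": "2026-06-15T08:40:01Z", "message": "Clicked Link", "details": ""},
        {"email": "d@example.com", "time": "2026-06-15T13:05:10Z", "message": "Clicked Link", "details": ""},
    ],
})

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RESULTS)))
    print("clicks by UTC hour:", click_hours(SAMPLE_RESULTS))
```

Rates are computed against Email Sent rather than the group size, so SMTP failures don't masquerade as people who resisted the lure; the reported count stays separate because a user can click first and report afterwards.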
After the Campaign: The Most Important Step
A simulation is only valuable if it’s followed up properly. Once the campaign ends:
- Send a notification email to all employees: this was a security test. Share the overall numbers with everyone and tell each person individually whether they fell for it, but don't name those who did in front of their colleagues
- Train the group that was caught immediately: point to the specific red flags in that particular email, not vague generic advice
- Recognize those who reported correctly: build a culture that rewards good security behavior — it’s just as important as disciplinary action
- Schedule the next campaign: ideally once per quarter, rotating templates so employees don’t recognize the pattern
Practical tip: don’t try to make your templates too sophisticated right away. Your first campaign should use an easy-to-spot template to establish a baseline — then gradually increase the difficulty over time.
Securing the Gophish Server Itself
Don’t let the campaign server become a security liability itself:
# Firewall: default deny inbound, then open only what the campaign needs
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# The admin panel is already bound to 127.0.0.1; this rule is a second layer in case the config ever changes
sudo ufw deny 3333/tcp
# Restrict SSH to the office IP only (add this rule before enabling, or you lock yourself out)
sudo ufw allow from YOUR_OFFICE_IP to any port 22 proto tcp
sudo ufw enable
Once the campaign ends, shut down the phishing server or redirect the landing page to a notice reading “This is an internal security testing system” to avoid confusion for late visitors.

