🛡️

Understanding Phishing Attacks with GoPhish

Jun 4, 2025

Lecture on Phishing Attacks with GoPhish Framework

Course Overview

  • Focus on practical aspects of phishing attacks
  • Manage phishing campaigns for corporate penetration tests
  • Use of GoPhish, an advanced phishing framework

Penetration Testing

  • Includes social engineering as a key component
  • Reference to NIST special publication 800-115 for detailed guidelines
    • Social engineering attempts to trick individuals into revealing information
    • Important in reconnaissance and gaining access phases

Social Engineering

  • Phishing as a form of digital social engineering
    • Often the first line of attack
    • Requires management tools like GoPhish
  • Target high-value individuals using methods like whaling and spear phishing
  • Importance of using professional tools like GoPhish over small-scale tools

GoPhish Framework

  • Open-source and highly effective for penetration tests
  • Set up on a live server with SSL for realism
  • Framework features include email spoofing and campaign management

Installation and Setup

  • Download and install GoPhish framework from getgophish.com
  • Discussed multiple operating systems and installation options
  • Configuration of the framework involves setting up listening ports and server parameters
  • Emphasis on running GoPhish on a VPS for reliability and accessibility

Domain Name and SSL

  • Process of obtaining a free domain from Freenom.com
  • Use of DigitalOcean for setting up a VPS
  • Importance of adding SSL certificate for security and authenticity
    • Use of ZeroSSL to get let's encrypt free SSL certificates

Launching Phishing Campaigns

  • Steps to launch a campaign using GoPhish
  • Importance of setting up a realistic landing page and email template
  • Use of user groups to manage targets
  • Real-time dashboard to track email delivery, open rates, and data submission

Email Spoofing

  • SMTP providers like SMTP2GO for sending emails
  • Importance of choosing providers that allow email spoofing
  • Use of test emails to ensure setup works correctly

Challenges and Considerations

  • Managing domain names and DNS settings
  • Handling SSL certificate renewals every 90 days
  • Ethical considerations and legality of phishing tests
  • Use of controlled environments to test phishing strategies

Final Thoughts

  • GoPhish provides a robust platform for learning and executing phishing in a controlled, ethical manner
  • Importance of understanding legal implications and ensuring ethical use in penetration testing scenarios
  • Encouragement to explore setting up personal SMTP servers for broader control over phishing tests

Full transcript