Setting up ‘GoPhish’ on AWS (Updated for v0.4 / Ubuntu Xenial)

These are my notes on how to install and configure GoPhish, a popular open-source social engineering (phishing simulation) platform.

Please remember — Social Engineering should only be performed on organizations that you have permission to!


Setting up AWS instance

I configured a t2.micro instance with Ubuntu 16.04 and a security group as shown below:

╔═════════╦══════╦═════════════╗
║ Service ║ Port ║ Restriction ║
╠═════════╬══════╬═════════════╣
║ SSH     ║ 22   ║ My IP       ║
║ HTTPS   ║ 443  ║ Global      ║
║ HTTP    ║ 80   ║ Global      ║
║ Admin   ║ 3333 ║ My IP       ║
╚═════════╩══════╩═════════════╝
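The same four rules, applied with the AWS CLI instead of the console. This is an added example, not part of the original post; it assumes the AWS CLI is installed and configured with credentials, that the caller supplies the security group id, and that the "My IP" rows should become a /32 rule for whatever public address the admin is currently using.

```shell
#!/bin/sh
# Added example (not from the original post): build the security group from the
# table above with the AWS CLI. Assumes a configured AWS CLI and a group id
# from `aws ec2 create-security-group` (see the usage comment at the bottom).
set -eu

# Look up our current public IP so the "My IP" rows become a /32 rule.
my_ip_cidr() {
    printf '%s/32\n' "$(curl -s https://checkip.amazonaws.com)"
}

# Build the authorize-security-group-ingress command for one rule.
# With DRY_RUN=1 the command is printed rather than executed, so the whole
# rule set can be reviewed before anything touches the account.
sg_allow() {
    sg_id=$1; port=$2; cidr=$3
    set -- aws ec2 authorize-security-group-ingress \
        --group-id "$sg_id" --protocol tcp --port "$port" --cidr "$cidr"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Apply the four rows of the table: SSH and the admin console are locked to
# the admin's address, only the phishing listeners (80/443) are world-reachable.
configure_gophish_sg() {
    sg_id=$1; admin_cidr=$2
    sg_allow "$sg_id" 22   "$admin_cidr"   # SSH, my IP only
    sg_allow "$sg_id" 3333 "$admin_cidr"   # GoPhish admin console, my IP only
    sg_allow "$sg_id" 80   0.0.0.0/0       # phishing landing pages, global
    sg_allow "$sg_id" 443  0.0.0.0/0       # phishing landing pages over TLS, global
}

# Usage on a workstation with AWS credentials (VPC_ID is assumed to be set):
#   SG_ID=$(aws ec2 create-security-group --group-name gophish \
#             --description "GoPhish" --vpc-id "$VPC_ID" \
#             --query GroupId --output text)
#   DRY_RUN=1 configure_gophish_sg "$SG_ID" "$(my_ip_cidr)"   # review first
#   configure_gophish_sg "$SG_ID" "$(my_ip_cidr)"             # then apply
```

Run it once with DRY_RUN=1 and check that port 3333 never appears with 0.0.0.0/0 before applying; the admin console is the one listener that must not be globally reachable.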

I also created a DNS alias (A record) on our domain, then connected and became root:

$ ssh ubuntu@gophish01.domain.com
$ sudo -s

To keep things tidy, I always set the hostname on a new instance:

# hostname gophish01.domain.com
# echo "gophish01.domain.com" > /etc/hostname
# echo "127.0.1.1 gophish01.domain.com" >> /etc/hosts

Installing GoPhish

I then downloaded and extracted GoPhish. At the time of writing the latest is v0.3; you can check for a later release on GitHub.

# wget https://github.com/gophish/gophish/releases/download/v0.4.0/gophish-v0.4-linux-64bit.zip
# apt install unzip
# unzip gophish-v0.4-linux-64bit.zip -d /opt
# ln -s /opt/gophish-v0.4-linux-64bit/ /opt/gophish
# chmod +x /opt/gophish/gophish

You'll need to change the listen address to allow remote access to the admin console. You can edit /opt/gophish/config.json manually, or just run this sed (note that it switches both the admin and the phishing listener from loopback to all interfaces, so keep port 3333 restricted to your own IP in the security group as shown above):

# sed -i 's!127.0.0.1!0.0.0.0!g' /opt/gophish/config.json

Configuring SSL (recommended)

Although HTTPS is not required, it is strongly recommended. For the admin console it prevents your admin credentials from being captured, and, of equal importance, if you are capturing credentials from customers then HTTPS protects those credentials in transit. GoPhish does not currently support encrypting captured credentials at rest, but TLS will at least stop them being picked up by corporate network monitoring (unless that monitoring intercepts TLS).

Luckily for us, Let's Encrypt and its certbot tool make this remarkably easy.

# apt install letsencrypt
# letsencrypt certonly --manual -d <yourdomain>

Let's Encrypt will walk you through the steps: entering your email address, accepting the terms, and confirming that you are OK with your IP being logged. If this works, you should see a message containing the location of your new certificates:

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/gophish01.yourdomain.com/fullchain.pem

While it may be tempting to move these certificates somewhere more convenient, leave them where they are so they can be renewed automatically. Instead, we'll link them into the gophish directory to keep the configuration simple and portable. One caveat: cert.pem holds only the leaf certificate, whereas the fullchain.pem named in the success message above also carries the intermediate certificate, and some clients will not trust the server without it, so you may prefer to link fullchain.pem in place of cert.pem.

# ln -s /etc/letsencrypt/live/gophish01.yourdomain.com/cert.pem /opt/gophish/cert.pem
# ln -s /etc/letsencrypt/live/gophish01.yourdomain.com/privkey.pem /opt/gophish/privkey.pem

To configure GoPhish with your new certificate, edit /opt/gophish/config.json and update the listen_url, use_tls, cert_path, and key_path options:

{
    "admin_server" : {
        "listen_url" : "0.0.0.0:3333",
        "use_tls" : true,
        "cert_path" : "cert.pem",
        "key_path" : "privkey.pem"
    },
    "phish_server" : {
        "listen_url" : "0.0.0.0:443",
        "use_tls" : true,
        "cert_path" : "cert.pem",
        "key_path" : "privkey.pem"
    },
    "db_name" : "sqlite3",
    "db_path" : "gophish.db",
    "migrations_path" : "db/migrations/"
}

One last piece of housekeeping: the Let's Encrypt certificate will expire in 90 days. The recommended way to prevent this is to add a daily cron job that runs the renewal. Two caveats: a certificate issued with the --manual plugin needs an interactive challenge, so run a renewal by hand to confirm it works unattended before relying on the cron job; and GoPhish reads the certificate only at startup, so it must be restarted after a renewal before the new certificate is served.

# printf '#!/bin/sh\n/usr/bin/letsencrypt renew > /dev/null\n' > /etc/cron.daily/renewcerts
# chmod +x /etc/cron.daily/renewcerts
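A slightly smarter version of that cron.daily script, as an added example that is not from the original post: it runs the renewal, then restarts GoPhish only if the certificate file actually changed, since GoPhish will keep serving the old certificate until it restarts. It assumes the systemd unit is called gophish and that /opt/gophish/cert.pem is the link created above; the renewal and restart commands are variables so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original post): renew with Let's Encrypt and
# restart GoPhish only when the certificate on disk changed. Assumes the
# systemd unit name "gophish" and the cert.pem link from the post.
set -eu

CERT=${CERT:-/opt/gophish/cert.pem}
RENEW_CMD=${RENEW_CMD:-"/usr/bin/letsencrypt renew"}
RESTART_CMD=${RESTART_CMD:-"systemctl restart gophish"}

# Content hash of the certificate file (sha256sum follows the symlink).
cert_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Run the renewal and restart the service if the certificate changed.
# Returns 0 when a restart happened, 1 when the certificate was unchanged.
renew_and_restart() {
    before=$(cert_fingerprint "$CERT")
    $RENEW_CMD >/dev/null
    after=$(cert_fingerprint "$CERT")
    if [ "$before" != "$after" ]; then
        $RESTART_CMD
        return 0
    fi
    return 1
}

# Entry point when installed as /etc/cron.daily/renewcerts: an unchanged
# certificate is the normal case and must not be reported as a failure.
if [ "${0##*/}" = "renewcerts" ]; then
    renew_and_restart || true
fi
```

Install it as /etc/cron.daily/renewcerts (mode +x) in place of the one-liner; errors from the renewal itself still reach cron's mail because only stdout is discarded.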

Productionizing GoPhish (optional)

First things first: GoPhish does not need to run as root, and doing so puts your system (and customer data) at risk. Create a user to run the service as:

# adduser gophish --shell /usr/sbin/nologin --disabled-login --disabled-password --gecos ""

If using SSL as described above, this user will need read access to the certificates, which are normally readable only by root. The safest way to allow this is to create a new group that is granted access to the certs directory tree:

# addgroup --system certs
# adduser gophish certs
# chgrp -R certs /etc/letsencrypt/
# chmod -R g+rX /etc/letsencrypt/

We also need to allow our new user to bind the service to a privileged port, whether that is 80 or 443; this prevents 'ugly' port numbers appearing in your URL and potentially scaring your targets. The command to allow this is very catchy (and must be re-run whenever the binary is replaced, since the capability is stored on the file):

# setcap 'cap_net_bind_service=+ep' /opt/gophish/gophish

Finally, change the owner of the 'gophish' folder to allow GoPhish to modify its own data (but nothing else). The trailing slash matters: /opt/gophish is a symlink, and chown -R without it changes only the link itself rather than the extracted directory. If you want it tighter still, hand the binary back to root afterwards (chown root /opt/gophish/gophish), since GoPhish only needs to write its database.

# chown -R gophish /opt/gophish/
# wget https://gist.githubusercontent.com/immure/4ac4800189fd3e61f516838d0c35a519/raw/b95694856572b9e11263864711f0ba6eaf204625/gophish.service -O /etc/systemd/system/gophish.service
# systemctl daemon-reload
# systemctl enable gophish
# systemctl start gophish
# systemctl status gophish
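For readers who would rather write the unit file themselves than fetch the gist, here is an added example (not the post's gist and not GoPhish's own code) of a systemd unit that matches the non-root setup above. It assumes the gophish user and the /opt/gophish paths from this post and a systemd new enough for AmbientCapabilities (Xenial's 229 is), which makes the setcap step optional because the capability is granted to the service rather than stamped on the binary.

```shell
#!/bin/sh
# Added example (not from the original post): write a hardened systemd unit for
# the non-root GoPhish service. Assumes the gophish user/group and /opt/gophish
# layout from the post; directive names are those supported by systemd 229.
set -eu

# Write the unit to the given path (default: where systemd looks for it) and
# print the path written.
write_gophish_unit() {
    unit=${1:-/etc/systemd/system/gophish.service}
    cat > "$unit" <<'EOF'
[Unit]
Description=GoPhish phishing simulation server
After=network.target

[Service]
User=gophish
Group=gophish
# config.json uses relative cert/key paths, so run from the install directory
WorkingDirectory=/opt/gophish
ExecStart=/opt/gophish/gophish
Restart=on-failure
# Bind 80/443 as an unprivileged user without setcap on the binary
AmbientCapabilities=CAP_NET_BIND_SERVICE
# No privilege escalation, private /tmp, no home directories,
# and /usr, /boot and /etc read-only for the service
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full

[Install]
WantedBy=multi-user.target
EOF
    printf '%s\n' "$unit"
}

# Sanity check a unit file for the two properties the hardening steps in the
# post rely on: it runs as the gophish user, not root, and it still receives
# the capability needed for privileged ports.
unit_runs_unprivileged() {
    grep -qx 'User=gophish' "$1" &&
    grep -qx 'AmbientCapabilities=CAP_NET_BIND_SERVICE' "$1" &&
    ! grep -q '^User=root' "$1"
}

# Usage on the instance, as root, in place of the wget of the gist:
#   write_gophish_unit
#   unit_runs_unprivileged /etc/systemd/system/gophish.service && \
#       systemctl daemon-reload && systemctl enable gophish && systemctl start gophish
```

After starting the service, `systemctl status gophish` should show the process running as gophish; if it fails to bind port 443, check that the certs group permissions from the previous step were applied.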

TODO: MySQL Setup

Install Postfix (optional)

Unless you want to use an existing SMTP server, you'll need a locally installed SMTP server on your instance. Luckily, Ubuntu makes this pretty easy.

# apt install postfix

For options, select “Internet Site”, ensure the domain name is correct, and otherwise keep the defaults.

Launching GoPhish

You should now be ready to run GoPhish.

If you productionized GoPhish as above, run

# systemctl start gophish

otherwise, run

# cd /opt/gophish
# ./gophish

You should immediately navigate to the admin console (on port 3333), log in with the default credentials admin/gophish, and change them using the web interface.


Using GoPhish

For a guide on how to use GoPhish, I recommend running through the example in the official documentation:

When setting up your SMTP server, use localhost:25. That's it! Enjoy your new AWS-hosted phishing engine :)
