Setting up ‘GoPhish’ on AWS (Updated for v0.4 / Ubuntu Xenial)

These are my notes on how to install and configure GoPhish, a popular open-source social engineering platform.

Please remember — social engineering should only be performed against organizations that you have permission to test!

Setting up AWS instance

I configured a t2.micro instance with Ubuntu 16.04 and a security group as shown below:

I also created a DNS alias (A record) on our domain, then connected and became root:

To keep things tidy, I always set the hostname on a new instance.

Installing GoPhish

I then downloaded and extracted GoPhish. At the time of writing the latest release is v0.3; you can check for a later release on GitHub.

You’ll need to configure the listen address to allow remote access to the admin console. You can edit /opt/gophish/gophish.conf manually, or just run this sed:

Configuring SSL (recommended)

Although HTTPS is not required, it is strongly recommended. For the admin console, it prevents your admin credentials from being captured, and (of equal importance), if you are capturing credentials from customers then HTTPS will protect their credentials while in transit. Unfortunately GoPhish does not currently support encryption for captured credentials at rest, but this will stop them being picked up by corporate network monitoring (unless it performs MitM).

Luckily for us, Let's Encrypt and its certbot tool make this impossibly easy.

Let's Encrypt's certbot will walk you through the steps: entering your email address, accepting the terms, and confirming that you are OK with your IP being logged. If this works, you should see a message containing the location of your new certificates:

While it may be tempting to move these certificates somewhere more convenient, leave them there so they can be automatically renewed. Instead, we’ll link them into the gophish directory to keep configuration simple and portable:

To configure GoPhish with your new certificate, edit /opt/gophish/config.json and update the listen_url, use_tls, cert_path, and key_path options:

One last piece of housekeeping — the Let's Encrypt certificate will expire in 90 days. The recommended way to prevent this is to add the following to the crontab:

Productionizing GoPhish (optional)

First things first: GoPhish does not need to run as root, and doing so puts your system (and customer data) at risk. Create a user to run the service as:

If using SSL as described above, this user will require access to the SSL certs (which are normally only available to root). The safest way to allow this is to create a new group which will be granted permission to the certs directory:

We also need to allow our new user to bind this service to a privileged port, whether that is 80 (HTTP) or 443 (HTTPS); this prevents ‘ugly’ port numbers appearing in your URL and potentially scaring your targets. The command to allow this is very catchy:

Finally, change the owner of the ‘gophish’ folder to allow GoPhish to modify its own data (but nothing else):
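The SSL steps (linking the certs, editing config.json) and the productionizing steps above, collected into one script. This is an added example, not code from the post or from the GoPhish project: it assumes GoPhish lives in /opt/gophish, certbot wrote its files under /etc/letsencrypt/live/<domain>, and config.json carries the listen_url, use_tls, cert_path and key_path keys; the user name gophish, the group name certs and the link names gophish.crt/gophish.key are choices made here.

```shell
#!/bin/sh
# Added helper for the steps above (not from the original post or the GoPhish
# project). Assumes GoPhish in /opt/gophish, certbot files under
# /etc/letsencrypt/live/<domain>, and the config.json keys named on the page.
set -eu

# Symlink the live certbot files into the gophish directory: renewals update
# /etc/letsencrypt in place, so the links keep pointing at a valid cert.
# $1 domain  $2 gophish dir  $3 letsencrypt live root (default /etc/letsencrypt/live)
link_certs() {
  live=${3:-/etc/letsencrypt/live}/$1
  ln -sf "$live/fullchain.pem" "$2/gophish.crt"
  ln -sf "$live/privkey.pem" "$2/gophish.key"
}

# Rewrite only the admin_server block of config.json. The phish_server block
# has identical key names, so a sed address range scopes the substitutions.
# $1 config.json  $2 listen address  $3 cert path  $4 key path
configure_admin_tls() {
  cfg=$1; listen=$2; cert=$3; key=$4
  sed -e "/\"admin_server\"/,/}/ {
    s|\"listen_url\" *: *\"[^\"]*\"|\"listen_url\" : \"$listen\"|
    s|\"use_tls\" *: *[a-z]*|\"use_tls\" : true|
    s|\"cert_path\" *: *\"[^\"]*\"|\"cert_path\" : \"$cert\"|
    s|\"key_path\" *: *\"[^\"]*\"|\"key_path\" : \"$key\"|
  }" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Drop root: dedicated service account, a group that may read the certs, the
# bind capability instead of root for ports 80/443, and ownership of nothing
# but /opt/gophish. Needs root, so it only runs when invoked with --apply.
harden_service() {
  dir=$1
  id -u gophish >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin -d "$dir" gophish
  getent group certs >/dev/null || groupadd certs
  usermod -aG certs gophish
  chgrp -R certs /etc/letsencrypt/live /etc/letsencrypt/archive
  chmod -R g+rX /etc/letsencrypt/live /etc/letsencrypt/archive
  setcap 'cap_net_bind_service=+ep' "$dir/gophish"
  chown -R gophish:gophish "$dir"
}

if [ "${1:-}" = "--apply" ]; then
  domain=$2   # e.g. phish.example.com (placeholder)
  link_certs "$domain" /opt/gophish
  configure_admin_tls /opt/gophish/config.json 0.0.0.0:3333 gophish.crt gophish.key
  harden_service /opt/gophish
fi
```

Renewal writes a fresh privkey into /etc/letsencrypt/archive, so unless your certbot version preserves the previous file's group and mode, re-run the chgrp/chmod step from a certbot --deploy-hook.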


Install Postfix (optional)

Unless you want to use an existing SMTP server, you’ll need a locally installed SMTP server on your server. Luckily, Ubuntu makes this pretty easy.

For options, select “Internet Site”, ensure the domain name is correct, and otherwise keep the defaults.

Launching GoPhish

You should now be ready to run GoPhish.

If you productionized GoPhish then run

otherwise, run

You should immediately navigate to the application page (on port 3333), log in with the credentials admin/gophish, and change them using the web interface.

Using GoPhish

For a guide on how to use GoPhish, I recommend running through the example in the official documentation:

When setting up your SMTP server, use localhost:25. That’s it! Enjoy your new AWS-hosted phishing engine :)

AppSec Engineer at InVision (writing as myself)
