Performing Phishing Simulation with GoPhish

Overview

GoPhish is an open-source phishing simulation framework used by security teams to conduct authorized phishing awareness campaigns. It provides campaign management, email template creation, landing page cloning, and comprehensive reporting. This guide covers deploying GoPhish, creating realistic phishing scenarios, and analyzing campaign results to measure and improve organizational resilience.

Prerequisites

• GoPhish binary or Docker image (https://github.com/gophish/gophish)
• SMTP server or relay for sending test emails
• Written authorization from management for phishing simulation
• Target email list (HR-approved)
• SSL/TLS certificate for landing pages
• Python 3.8+ for automation scripts

Key Concepts

GoPhish Architecture

• Admin Panel: Web UI for campaign management (default port 3333)
• Phishing Server: Serves landing pages and tracks clicks (default port 80/443)
• SMTP Configuration: Outbound email sending profile
• Campaign Engine: Orchestrates email delivery, tracking, and reporting

Campaign Components

1. Sending Profile: SMTP server configuration for outbound email
2. Email Template: The phishing email content with tracking
3. Landing Page: The fake page users are directed to
4. User Group: Target recipients for the campaign
5. Campaign: Combines all components with scheduling

Implementation Steps

Step 1: Deploy GoPhish

# Docker deployment
docker pull gophish/gophish
docker run -d --name gophish -p 3333:3333 -p 8080:80 gophish/gophish

# Or binary deployment
wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish
./gophish

Step 2: Configure Sending Profile

• Name: "Internal Mail Server"
• SMTP From: awareness-test@yourdomain.com
• Host: smtp.yourdomain.com:587
• Username/Password: Service account credentials
• Enable TLS

Step 3: Create Email Template

• Use realistic scenarios: password reset, IT notification, HR update
• Include GoPhish tracking pixel: {{.Tracker}}
• Include phishing link: {{.URL}}
• Personalize with {{.FirstName}}, {{.LastName}}, {{.Position}}

Step 4: Create Landing Page

• Clone legitimate login page using GoPhish's import feature
• Enable credential capture (for authorized testing only)
• Configure redirect to training page after submission
• Add SSL certificate for HTTPS

Step 5: Import Users and Launch Campaign

• Import CSV with: First Name, Last Name, Email, Position
• Set campaign schedule (stagger sends to avoid detection)
• Launch and monitor in real-time

Step 6: Analyze Results with process.py

Use the automation script to pull campaign data via GoPhish API and generate detailed analytics reports.

Tools & Resources

• GoPhish: https://getgophish.com/
• GoPhish API Docs: https://docs.getgophish.com/api-documentation/
• GoPhish GitHub: https://github.com/gophish/gophish
• Evilginx2 (for advanced AiTM testing): https://github.com/kgretzky/evilginx2
• King Phisher: https://github.com/rsmusllp/king-phisher

Validation

• Successfully deploy GoPhish and access admin panel
• Create and send a test phishing email to a test mailbox
• Capture simulated credentials on landing page
• Generate campaign report with open/click/submit rates
• Redirect users to awareness training after interaction

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

• SOC 2: CC6.1 (Logical Access), CC7.2 (Anomaly Detection)
• ISO 27001: A.7.2 (Information Security Awareness), A.13.2 (Information Transfer)
• NIST 800-53: AT-2 (Awareness Training), SI-8 (Spam Protection), SC-7 (Boundary Protection)
• NIST CSF: PR.AT (Awareness & Training), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add performing-phishing-simulation-with-gophish

# Or load dynamically via MCP
grc.load_skill("performing-phishing-simulation-with-gophish")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

• SHA-256 chain hashing ensures no step can be modified after execution
• Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
• Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.