performing-phishing-simulation-with-gophish
GoPhish is an open-source phishing simulation framework used by security teams to conduct authorized phishing awareness campaigns. It provides campaign management, email template creation, landing pag
What this skill does
# Performing Phishing Simulation with GoPhish ## Overview GoPhish is an open-source phishing simulation framework used by security teams to conduct authorized phishing awareness campaigns. It provides campaign management, email template creation, landing page cloning, and comprehensive reporting. This skill covers deploying GoPhish, creating realistic phishing scenarios, and analyzing campaign results to measure and improve organizational resilience. ## When to Use - When conducting security assessments that involve performing phishing simulation with gophish - When following incident response procedures for related security events - When performing scheduled security testing or auditing activities - When validating security controls through hands-on testing ## Prerequisites - GoPhish binary or Docker image (https://github.com/gophish/gophish) - SMTP server or relay for sending test emails - Written authorization from management for phishing simulation - Target email list (HR-approved) - SSL/TLS certificate for landing pages - Python 3.8+ for automation scripts ## Key Concepts ### GoPhish Architecture - **Admin Panel**: Web UI for campaign management (default port 3333) - **Phishing Server**: Serves landing pages and tracks clicks (default port 80/443) - **SMTP Configuration**: Outbound email sending profile - **Campaign Engine**: Orchestrates email delivery, tracking, and reporting ### Campaign Components 1. **Sending Profile**: SMTP server configuration for outbound email 2. **Email Template**: The phishing email content with tracking 3. **Landing Page**: The fake page users are directed to 4. **User Group**: Target recipients for the campaign 5. **Campaign**: Combines all components with scheduling ## Workflow ### Step 1: Deploy GoPhish ```bash # Docker deployment docker pull gophish/gophish docker run -d --name gophish -p 3333:3333 -p 8080:80 gophish/gophish # Or binary deployment wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-linux-64bit.zip unzip gophish-v0.12.1-linux-64bit.zip chmod +x gophish ./gophish ``` ### Step 2: Configure Sending Profile - Name: "Internal Mail Server" - SMTP From: [email protected] - Host: smtp.yourdomain.com:587 - Username/Password: Service account credentials - Enable TLS ### Step 3: Create Email Template - Use realistic scenarios: password reset, IT notification, HR update - Include GoPhish tracking pixel: `{{.Tracker}}` - Include phishing link: `{{.URL}}` - Personalize with `{{.FirstName}}`, `{{.LastName}}`, `{{.Position}}` ### Step 4: Create Landing Page - Clone legitimate login page using GoPhish's import feature - Enable credential capture (for authorized testing only) - Configure redirect to training page after submission - Add SSL certificate for HTTPS ### Step 5: Import Users and Launch Campaign - Import CSV with: First Name, Last Name, Email, Position - Set campaign schedule (stagger sends to avoid detection) - Launch and monitor in real-time ### Step 6: Analyze Results with process.py Use the automation script to pull campaign data via GoPhish API and generate detailed analytics reports. ## Tools & Resources - **GoPhish**: https://getgophish.com/ - **GoPhish API Docs**: https://docs.getgophish.com/api-documentation/ - **GoPhish GitHub**: https://github.com/gophish/gophish - **Evilginx2** (for advanced AiTM testing): https://github.com/kgretzky/evilginx2 - **King Phisher**: https://github.com/rsmusllp/king-phisher ## Validation - Successfully deploy GoPhish and access admin panel - Create and send a test phishing email to a test mailbox - Capture simulated credentials on landing page - Generate campaign report with open/click/submit rates - Redirect users to awareness training after interaction
Related in Ads & Marketing
ads
IncludedMulti-platform paid advertising audit and optimization skill. Analyzes Google, Meta, YouTube, LinkedIn, TikTok, Microsoft, and Apple Ads. 250+ checks with scoring, parallel agents, industry templates, and AI creative generation.
banana
IncludedAI image generation Creative Director powered by Google Gemini Nano Banana models. Use this skill for ANY request involving image creation, editing, visual asset production, or creative direction. Triggers on: generate an image, create a photo, edit this picture, design a logo, make a banner, visual for my anything, and all /banana commands. Handles text-to-image, image editing, multi-turn creative sessions, batch workflows, and brand presets.
rpg-migration-analyzer
IncludedAnalyzes legacy RPG (Report Program Generator) programs from AS/400 and IBM i systems for migration to modern Java applications. Extracts business logic from RPG III/IV/ILE source code, identifies data structures (D-specs), file operations (F-specs), program dependencies (CALLB/CALLP), and converts RPG constructs to Java equivalents. Generates migration reports, complexity estimates, and Java implementation strategies with POJO classes, JPA entities, and service methods. Use when modernizing AS/400 or IBM i legacy systems, analyzing RPG source files (.rpg, .rpgle, .RPGLE), converting RPG to Java, mapping data specifications to Java classes, planning legacy system migration, or when user mentions RPG analysis, Report Program Generator, RPG III/IV/ILE, AS/400 modernization, IBM i migration, packed decimal conversion, or mainframe application rewrite.
brand-library-architect
IncludedBuild a complete brand library for a product — visual asset render pipeline, brand documentation set (BRAND, COPY, MANIFESTO, BIOS, FAQ, GLOSSARY, TONE, PRICING), open-source convention files (README, CONTRIBUTING, SECURITY, CODE_OF_CONDUCT), and a self-contained press kit. This skill should be used when the user asks to "build a brand library / brand kit / press kit / brand assets" for a product, "set up a brand library workflow," "create a positioning manifesto plus visual identity," or any combination of brand documentation + visual asset pipeline. Apply phase-by-phase or run end-to-end. Templates are product-agnostic and use {{TOKEN}} placeholders the skill prompts the user to fill.
writing-tech-post
IncludedAuthors engineering blog posts end-to-end: launch deep-dives, incident postmortems, architecture migrations, performance case studies, tutorials, AI/agent system writeups, security disclosures, and research-to-product translations. Picks the correct archetype, plans the abstraction ladder, enforces an evidence cadence (diagrams, benchmarks, profiles, traces, code, ablations), tunes voice against publisher house styles (Datadog, Vercel, GitHub, AWS, Meta, Cloudflare, Jane Street), and runs a pre-publish gate for narrative momentum and disclosure ethics. Use when drafting a new engineering post, restructuring a draft that feels flat, deciding which evidence form belongs where, validating that depth and product context are balanced, or preparing a postmortem, migration, or performance narrative for external publication. Do not use for API reference documentation, README authoring, marketing copy, release notes, generic SEO content, ghost-written executive thought leadership, or non-engineering long-form essays.
blog-google
IncludedGoogle API integration for blog performance: PageSpeed Insights, CrUX Core Web Vitals with 25-week history, Search Console performance, URL Inspection, Indexing API, GA4 organic traffic, NLP entity analysis for E-E-A-T, YouTube video search for embedding, and Google Ads Keyword Planner. Progressive feature availability based on credential tier (API key, OAuth/service account, GA4, Ads). Shares config with claude-seo at ~/.config/claude-seo/google-api.json. Use when user says "google data", "page speed", "core web vitals", "search console", "indexation", "GA4", "keyword research", "nlp entities", "blog performance", "youtube search", "google api setup".