Building Gophish Healthcheck: Part One

One of the questions I see most often from Gophish users is “how do I get past my spam filter?” Generally, my answer to this is something along the lines of “just whitelist the IP address,” since it’s my opinion that phishing simulations should be a test of the people and processes, not the email infrastructure.

But what if we do want to test the email infrastructure?

This post is the first in a two-part series about how I’m creating the email healthcheck service for Gophish. This post talks about how I handle DNS programmatically, and the next post will describe the actual architecture being used.

Read More

Automating Gophish Releases With Ansible and Docker

It’s been a while! While I haven’t posted as much here, I have been writing quite a bit over on Duo’s blog about the really cool research I’ve gotten to do this past year with the incredible Duo Labs team.

Any spare time I’ve had has been spent working on Gophish. This past year I’ve released a new hand-crafted, artisinal website, responded to nearly 400 support requests, and made too many improvements to count!

Now, most people who use Gophish use a pre-built binary*, which means that it’s important to make new releases as soon as possible after improvements are made. Otherwise, I’m left answering support requests with the advice of “build from source”, which is not ideal.

The previous release process was manual, making it a huge pain. This led to inconsistency and large amounts of time spent packaging every release, which results in very infrequent releases.

This post documents the previous process as well as how I recently improved it using Ansible, Docker, DigitalOcean API’s, and more.

Read More

Gophish Update - Importing Sites and Emails


I’m excited to announce that the gophish “alpha” release is almost complete! I’m just cleaning up a few bugs, touching some things up, etc. In the meantime, I wanted to write a quick post to show off some really slick features that I was able to add earlier than planned.

Creating pixel-perfect email templates and landing pages are crucial to delivering the best possible phishing training. Gophish has always had the ability to create these, but it was quite frankly a pain to use as you needed the raw HTML or text for both the email and site content. In this post, let’s take a look at how we can now import sites and emails directly into gophish.

Read More

Author image Jordan Wright on #gophish,

Gophish Update: Getting Closer to Alpha!


It’s been a busy couple of months!

I thought it would be worth providing a long-overdue update into the development status of gophish. Overall, the project is getting closer to beta status every day, and I’m hoping to see a 0.1 release at the end of March.

Without further ado, let’s dive in and see where we’re at.

Read More

Building GoPhish - How to Send Email with Go


I’ve been playing around with Go for about a month now, and I’ve really grown to like it. After getting used to the syntax and remembering what a pointer is for (thanks, Python), Go has become a favorite language to develop with. I’m even using it for the Matasano Crypto Challenges (which are awesome).

While the standard library in Go is definitely robust, being a young language, there are a few niceties that aren’t yet included. Sending email is one of them. Don’t get me wrong, Go has a wonderful SMTP package, MIME package, and even a Mail package (which only parses existing email messages). However, there is no library to actually create emails in a meaningful way. Since Gophish relies heavily on sending emails, I’ve sought to change this. And, after reading more RFC’s than I normally prefer, I believe I’ve created a package that provides intuitive, robust, and flexible email creation and sending called email.

Let’s see how to use it.

Read More

Building Gophish - Day 1


Since the Simple Phishing Toolkit (SPT) was discontinued, I’ve wanted to create a simple, effective, and open-source phishing toolkit. In recent years, we’ve seen a rise in spear-phishing attacks targeting large organizations, most of which are largely successful. The goal of this toolkit will be to provide businesses and penetration testers with the ability to quickly and easily perform in-house or contracted phishing engagements, and track the responses to see where improvements can be made. This toolkit will be called gophish.

In addition to this, I’ve been casually poking around at go for a while now, and have decided it would be good to finally put it to use in a larger project. I’m a fan of seeing the steady development and updates of projects as they are created. I believe it can help keep the developer motivated and the users informed and involved, so this is what I’m going to do. Hopefully, these posts will allow others to learn alongside me, as well as spur improvements from experienced go developers so that gophish can be the best product possible.

With that being said - let’s get started!

Read More