# Gophish — Open Source Phishing Simulation Platform

> A self-hosted phishing simulation framework designed for security teams to test organizational awareness through realistic phishing campaigns with tracking and reporting.

## Quick Use

```bash
# Download the latest release binary for your OS from GitHub Releases
wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-linux-64bit.zip
# The archive has no top-level directory, so extract it into its own folder
unzip gophish-v0.12.1-linux-64bit.zip -d gophish && cd gophish
chmod +x gophish && ./gophish
# Admin panel: https://localhost:3333 (default credentials printed on first run)
```

## Introduction

Gophish is an open-source phishing simulation toolkit built for security professionals and IT teams. It enables authorized security testing by letting organizations run realistic phishing campaigns against their own employees, tracking who opens emails, clicks links, and submits credentials — all through a clean web dashboard.

## What Gophish Does

- Creates and sends phishing simulation emails using customizable templates
- Tracks campaign metrics: email opens, link clicks, and credential submissions
- Provides a web-based dashboard for managing campaigns, groups, and results
- Supports importing target lists via CSV for batch campaign targeting
- Generates detailed reports for security awareness training programs

## Architecture Overview

Gophish is a single Go binary with an embedded SQLite database (with optional MySQL/PostgreSQL support). The admin server runs on one port (3333) for campaign management, while a separate phishing server (port 80/443) hosts landing pages and tracks user interactions. Email delivery uses a configurable SMTP relay. The stateless binary design makes deployment and backup straightforward.

## Self-Hosting & Configuration

- Download a pre-built binary or build from source with Go
- Edit `config.json` to set admin and phishing server listen addresses and ports
- Configure SMTP sending profiles in the dashboard (supports TLS and authentication)
- Use a dedicated domain and SSL certificate for the phishing server to increase realism
- Back up the `gophish.db` SQLite file or configure an external database for production use

## Key Features

- Email template editor with HTML support and tracking pixel injection
- Landing page cloner that replicates real login pages for simulation
- Real-time campaign timeline showing each target's interaction events
- User group management with CSV import and tagging
- REST API for automating campaign creation and result extraction

## Comparison with Similar Tools

- **King Phisher** — similar feature set but less actively maintained; Gophish has broader community support
- **Lucy Security** — commercial phishing platform; Gophish is free and open source
- **Social Engineering Toolkit (SET)** — broader attack toolkit; Gophish specializes in phishing simulation with better reporting
- **PhishMe/Cofense** — enterprise SaaS platform; Gophish is self-hosted with no licensing costs

## FAQ

**Q: Is Gophish legal to use?**
A: Gophish is designed for authorized security testing only. Always obtain written permission before running campaigns against any organization.

**Q: Can I customize the landing pages?**
A: Yes. Use the built-in page editor, import HTML manually, or clone an existing website URL directly from the dashboard.

**Q: Does Gophish support email attachments?**
A: Yes. Templates can include file attachments for simulating attachment-based phishing scenarios.

**Q: How do I generate reports from campaign results?**
A: The dashboard provides summary and detailed views. The REST API exposes all campaign data in JSON for custom reporting and integration with SIEM tools.

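
As an added example (not code from the original page or from the Gophish project), the script below reduces a campaign's JSON results to aggregate awareness metrics suitable for a report or a SIEM event. The sample document is constructed, and the field names `results`, `status` and `reported` are assumptions to verify against your Gophish version; because each result records only the furthest stage a target reached, the counts are made cumulative.

```python
import json
from collections import Counter

# Constructed sample shaped like a campaign results document (assumed field names).
SAMPLE = json.loads("""
{"id": 1, "name": "Q3 awareness baseline (constructed)", "results": [
 {"email": "a@example.com", "status": "Email Sent",     "reported": false},
 {"email": "b@example.com", "status": "Email Opened",   "reported": true},
 {"email": "c@example.com", "status": "Clicked Link",   "reported": false},
 {"email": "d@example.com", "status": "Submitted Data", "reported": true},
 {"email": "e@example.com", "status": "Error",          "reported": false}
]}
""")

# Ordered stages: a target at a later stage also passed every earlier one.
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]


def summarize(campaign):
    """Return cumulative funnel counts and rates without per-user details."""
    reached = Counter()
    not_delivered = Counter()
    reported = 0
    for result in campaign.get("results", []):
        status = result.get("status", "")
        if status not in FUNNEL:
            # States such as "Error" never reached the mailbox; keep them
            # out of the denominator so rates are per delivered email.
            not_delivered[status] += 1
            continue
        for stage in FUNNEL[: FUNNEL.index(status) + 1]:
            reached[stage] += 1
        if result.get("reported"):
            reported += 1
    sent = reached["Email Sent"]

    def rate(count):
        return round(count / sent, 3) if sent else 0.0

    return {
        "campaign": campaign.get("name"),
        "counts": {stage: reached[stage] for stage in FUNNEL},
        "reported": reported,
        "click_rate": rate(reached["Clicked Link"]),
        "submit_rate": rate(reached["Submitted Data"]),
        "report_rate": rate(reported),
        "not_delivered": dict(not_delivered),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

The summary deliberately omits e-mail addresses, so it can be forwarded to reporting or SIEM pipelines without carrying per-employee results.
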
## Sources

- https://github.com/gophish/gophish
- https://docs.getgophish.com/

---

Source: https://tokrepo.com/en/workflows/3f002e33-431d-11f1-9bc6-00163e2b0d79
Author: AI Open Source