Open-source phishing toolkit — campaign management, email templates, landing pages, and reporting for awareness training.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Linux (binary)
wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-linux-64bit.zip; unzip; ./gophish
Docker
docker run -d -p 3333:3333 gophish/gophish
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Default admin login
https://localhost:3333 → admin / (random password printed on first launch)
API token
Settings → API Token
Send via API
curl -X POST -H "Authorization: Bearer TOKEN" https://localhost:3333/api/campaigns/ -d @campaign.json
Sending profile (SMTP)
Configure in Sending Profiles → relay credentials
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- For real campaigns, change default port (3333) and bind to localhost only — Gophish admin panel is exposed by default.
- Use a dedicated mail server with proper SPF/DKIM/DMARC for the phishing domain — otherwise Gmail/O365 blocks instantly.
conf.json: bumpcontact_addressto a real mailbox so users can report.- Multi-campaign: import targets via CSV (Targets → Import) rather than manual entry.
- Tracking pixels and link-clicks aggregate in real-time — useful dashboard for executive reporting.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Default cert is self-signed — recipients see SSL errors when clicking landing pages. Use Let’s Encrypt cert.
- Sending domain reputation: warm up the domain over weeks before a real campaign or 90% of mails land in spam.
- Authorisation is critical: phishing without explicit written consent (corporate authorisation) is illegal under Indian IT Act Section 66.
- Default admin port (3333) often left exposed online. Always firewall.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- King Phisher (abandoned).
- Evilginx2 — for reverse-proxy phishing (MFA bypass).
- Modlishka — similar reverse-proxy approach.
India context and engagement notes
For Indian DPDP compliance training: Gophish quarterly campaigns are increasingly expected. Use Indian-context lures (UPI fraud, KYC verification, IT department password reset) — much higher click-through than generic “your package is delayed” Western templates. ALWAYS get HR sign-off in writing before campaigns.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.