Gophish — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Open-source phishing toolkit — campaign management, email templates, landing pages, and reporting for awareness training.

Use case: Social EngineeringDifficulty: IntermediateHomepage: https://getgophish.com

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (binary)

wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-linux-64bit.zip; unzip; ./gophish

Docker

docker run -d -p 3333:3333 gophish/gophish

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Default admin login

https://localhost:3333 → admin / (random password printed on first launch)

API token

Settings → API Token

Send via API

curl -X POST -H "Authorization: Bearer TOKEN" https://localhost:3333/api/campaigns/ -d @campaign.json

Sending profile (SMTP)

Configure in Sending Profiles → relay credentials

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • For real campaigns, change default port (3333) and bind to localhost only — Gophish admin panel is exposed by default.
  • Use a dedicated mail server with proper SPF/DKIM/DMARC for the phishing domain — otherwise Gmail/O365 blocks instantly.
  • conf.json: bump contact_address to a real mailbox so users can report.
  • Multi-campaign: import targets via CSV (Targets → Import) rather than manual entry.
  • Tracking pixels and link-clicks aggregate in real-time — useful dashboard for executive reporting.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Default cert is self-signed — recipients see SSL errors when clicking landing pages. Use Let’s Encrypt cert.
  • Sending domain reputation: warm up the domain over weeks before a real campaign or 90% of mails land in spam.
  • Authorisation is critical: phishing without explicit written consent (corporate authorisation) is illegal under Indian IT Act Section 66.
  • Default admin port (3333) often left exposed online. Always firewall.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • King Phisher (abandoned).
  • Evilginx2 — for reverse-proxy phishing (MFA bypass).
  • Modlishka — similar reverse-proxy approach.

India context and engagement notes

For Indian DPDP compliance training: Gophish quarterly campaigns are increasingly expected. Use Indian-context lures (UPI fraud, KYC verification, IT department password reset) — much higher click-through than generic “your package is delayed” Western templates. ALWAYS get HR sign-off in writing before campaigns.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants