Phishing Email Testing with Gophish: A Beginner's Guide

Gophish Phishing Test Setup Guide

Environment:

Server (ECS): 1 unit

Specific Configuration:

Jiaohua | 2 Core 2G | System Disk 40GiB | Traffic Package 400GB | Peak Bandwidth 3Mbit/s | CentOS 7.8 64bit

Docker Quick Deployment Method:

Ubuntu is the recommended platform for Gophish. To avoid problems caused by the runtime environment, I deploy it quickly with Docker.

1. Start the Gophish Service

docker pull gophish/gophish

# --rm deletes the container, including the Gophish data stored inside it, when it stops
docker run -it -d --rm --name gophish -p 3333:3333 -p 8003:80 gophish/gophish

#docker run -it -d --rm --name gophish

# Management panel on port 3333; phishing website on container port 80, published on host port 8003

docker ps

2. Access the Management Panel

In version 11 and above, Gophish no longer uses admin/gophish as the default username and password. It generates a random password instead, which is printed in the container log:

docker logs gophish

Open the Gophish login page and sign in to the management panel. Note that the management panel uses HTTPS, while the phishing website uses HTTP.
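The docker run command in step 1 publishes the management port 3333 on every interface of the server. The script below is an added example, not part of the original post: it reads the output of `docker port gophish` and flags a management port bound to a non-loopback address. The function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how the Gophish container's ports are published.
# On the server: docker port gophish | audit_port_bindings

ADMIN_PORT=3333   # management panel port from the docker run command in step 1

# Reads `docker port` output on stdin, prints one finding per mapping and
# returns 1 if the management port is published on a non-loopback address.
audit_port_bindings() {
    exposed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        cport=${line%%/*}      # container port, e.g. 3333
        host=${line##*-> }     # host side, e.g. 0.0.0.0:3333
        addr=${host%:*}        # host address without the trailing :port
        case "$addr" in
            127.*|::1|"[::1]") scope=loopback ;;
            *)                 scope=non-loopback ;;
        esac
        if [ "$cport" = "$ADMIN_PORT" ] && [ "$scope" = non-loopback ]; then
            echo "EXPOSED admin port $cport published on $host"
            exposed=1
        else
            echo "ok      port $cport published on $host ($scope)"
        fi
    done
    return "$exposed"
}

# Constructed sample: what the step 1 command produces (-p 3333:3333 -p 8003:80).
SAMPLE_PUBLIC='3333/tcp -> 0.0.0.0:3333
80/tcp -> 0.0.0.0:8003'

# Constructed sample: management port bound to loopback only, for example with
#   docker run ... -p 127.0.0.1:3333:3333 -p 8003:80 gophish/gophish
# and reached through an SSH tunnel (ssh -L 3333:127.0.0.1:3333 user@server).
SAMPLE_LOCAL='3333/tcp -> 127.0.0.1:3333
80/tcp -> 0.0.0.0:8003'

printf '%s\n' "$SAMPLE_PUBLIC" | audit_port_bindings || true
printf '%s\n' "$SAMPLE_LOCAL"  | audit_port_bindings || true
```

The landing page port is reported as ok even on a non-loopback address, because recipients have to reach it; only the management panel is treated as a finding.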

3. Access the Phishing Website Landing Page

Access http://{IP}:8003. A 404 page means the setup succeeded: no phishing landing page has been configured yet, so Gophish returns 404. Note the HTTP protocol.

4. Configure Email Sending Options

Because the server's specification is too low, I did not set up an email server or a domain. Use a QQ or 163 mailbox for the sending configuration instead.

To enable the QQ email SMTP service, go to Settings, then SMTP service, and follow the prompts to obtain an authorization code.

Configure as shown in the image below.

5. Configure the Phishing Website

Configure as shown in the image below. The name and redirect options can be set arbitrarily. A simple form demo for collecting data is provided below.

Note: The input must be a form, and the submit button cannot be named btn; it must be submit. Otherwise the data cannot be captured.

<html>
    <head>
        <title></title>
    </head>
    <body>
        <h3>
            Please enter your student ID &amp; password, the system will automatically redirect to the password change page after verification
        </h3>
        <form action="" method="post" name="input" id="input">
            Student ID: <input name="user" type="text"/><br/>
            Password: <input name="password" type="password"/><br/>
            <input type="submit" value="Submit"/>
        </form>
    </body>
</html>

Enable Capture Submitted Data and Capture Passwords to capture data.

6. Configure Phishing Email Template

Configure as shown in the image below. A simple phishing email demo:

<h5><a href="{{.URL}}"><b>Click Here</b></a></h5>

7. Configure Victim List

Import the list from the template file or add the entries one by one, filling in the fields as usual.

8. Create Phishing Project

That's it! See what it looks like from the victim's perspective?

Here is the final demo I created for this test:

Test results with seven university classmates:

Phishing Email:

Phishing Website:

Redirected Original Website:

Easter Egg:

Q: Why did some classmates fall for such suspicious emails and websites, even without domain spoofing?

A: Cybersecurity is called father.


Posted on Fri, 08 May 2026 14:06:56 +0000 by samudasu