Open-Source Phishing Toolkit
We're excited to announce the release of Gophish v0.12.1. This is a minor release that includes a couple of bug fixes and one great new feature.
We've added the ability to set trusted_origins
in the config.json
file. This allows you to add addresses that you expect incoming connections to come from, which is helpful in cases where TLS termination is handled by a load balancer upstream, rather than the application itself. This has been a long discussed and requested feature so it's great to have! Thanks to @mcab and everyone else in this thread.
Our Continuous Integration workflow has been updated and is succeeding again. We've also updated the Release workflow, mitigating some security concerns and adapting it be able to build Windows releases again. These are (hopefully!) at the bottom of this post.
Some JavaScript files hadn't been minified properly, causing problems with adding customer headers. A small bug was fixed where copying a campaign would not show [Deleted] in an edge case - see https://github.com/gophish/gophish/pull/2482. Thanks @29vivek.
You can find the full changelog for this release here.
To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new Gophish binary and you'll be good to go!
Now, one more thing:
Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.
SHA256 Hash | Filename |
---|---|
9ed2f88d6582b798a3448fb51080ff782b40cec8fb4855895720e9f782f68511 | gophish-v0.12.1-linux-32bit.zip |
44f598c1eeb72c3b08fa73d57049022d96cea2872283b87a73d21af78a2c6d47 | gophish-v0.12.1-linux-64bit.zip |
f80786dcb2c4037d7f9d6c9e8e8655c5eeaa8e46ef4032bda704b9ce18e23491 | gophish-v0.12.1-osx-64bit.zip |
e6936b8a472c730dcb0da64024d82341806869af666fad10f8639e7f85b1b7e6 | gophish-v0.12.1-windows-64bit.zip |
We're excited to announce the release of Gophish v0.12.0. This release includes important security fixes, adds some features, and fixes some bugs.
This has been a long time requested feature, and we're super excited to release it! We've added the ability to add gophish variables to a number of file types which can be attached to emails. As a trivial example it is possible to include Hello {{.FirstName}}, please click here: {{.URL}}
to a Word document, or with a little more effort add tracking pixels to documents. This will allow notification of when users have opened attached files, or enabled macros in Office documents. We currently support the following file extensions: docx, docm, pptx, xlsx, xlsm, txt, html, ics. Please see the documentation for more guidance and examples.
Images in emails are now marked as embedded
rather than attached
, so email clients don't show them as attachments. This is a great addition to improve the quality of campaigns. Thanks @dzsibi
We've added the ability to specify an envelope sender in templates. If left empty, it will fallback to the SMTP-From in the Sender-settings. This can be used to pass SPF-checks but still send a spoofing email. Thanks @ChessSpider and @ptitdoc
Added minor functionality to display last login time for each user in the User Management page and the ability to lock user accounts.
Fixed a minor Open Redirect issue. Thanks @Kirill89
You can find the full changelog for this release here.
To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new Gophish binary and you'll be good to go!
Now, one more thing:
Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.
SHA256 Hash | Filename |
---|---|
42f228158e91e2fce182fbd60a6669fcbed21f76186563f264a941efbc9c1159 | gophish-v0.12.0-linux-64bit.zip |
d06945497f0f3467748c50e518aa4e526e8c71cd7fa58c23541cb65477539306 | gophish-v0.12.0-osx-64bit.zip |
c0fdc4a980914893a9d19544bb6233586db8d81a139657e9773ca8e03c387a02 | gophish-v0.12.0-windows-64bit.zip |
We're excited to announce the release of Gophish v0.11.0. This release includes important security fixes, adds some minor features, and fixes some bugs.
This release addresses multiple security issues that were identified and reported by the community. As always, we encourage sending in security reports via our security policy, and are appreciative of all the work that went in to finding and reporting these vulnerabilities.
The following vulnerabilities were fixed in this latest release:
Reported by: Marcus Nilsson of usd AG Reported by: @dunderhay in #1908
An authenticated user could use certain features of Gophish to make inbound connections to the local network. The most critical of these is via the Landing Page import feature, which could be used to make arbitrary upstream web requests.
Since importing local webpages, or otherwise making local network connections (e.g. for SMTP/IMAP servers, webhook URLs, etc.) is an expected use case for Gophish we've decided to implement an opt-in allowlist. By default, we block access only to known IP addresses commonly associated with cloud metadata services, but it is now possible to explicitly set the allowed_internal_hosts
configuration variable in the admin_server
section of config.json to a list of allowed internal addresses.
More information can be found here.
Reported By: Marcus Nilsson of usd AG Reported By: @dunderhay in #1901
Various cross-site scripting issues were identified and fixed. All issues required authenticated access and only affected either the user that created the objects, or an administrator using our "Impersonate" issue to impersonate the user that created the objects.
More information can be found in 4e9b94b and 19ef924d89f6e2459387d5645233f16fd07e01b3.
Reported By: Marcus Nilsson of usd AG
Malicious data could be submitted during a campaign that, when exported as a CSV and opened in a spreadsheet viewer, is interpreted as a formula leading to command execution.
More information on CSV Injection can be found here. More information about the fix can be found in b25f5ac5e468f6730e377f43c7995e18f8fccc2b.
Reported By: Marcus Nilsson of usd AG
An attacker could create an iframe which tricks an authenticated administrator into unexpectedly clicking the "Reset" button in the settings page, causing their API key to be reset, potentially causing a denial of service condition.
More information about the fix can be found in 6df62e85fd60f0931d3c8bfdb13b436a961bc9b6.
This release adds a basic password policy for administrators, and removes the default password "gophish". Instead, an initial password is randomly generated and printed in the terminal when Gophish is launched for the first time.
It is possible to override the initial password and API key with environment variables if needed.
This release adds the ability to mark emails as reported that were sent as an attachment. Additionally, it changes the underlying IMAP library to be more robust, eliminating some possible bugs.
Credit to @glennzw for the changes!
You can find the full changelog for this release here.
To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new Gophish binary and you'll be good to go!
Now, one more thing:
Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.
SHA256 Hash | Filename |
---|---|
beb32e243e888f21849d3ee09a979a33cd1da7a7cd79438c8f56fce1a2d9d44c | gophish-v0.11.0-linux-32bit.zip |
f33ac7695850132c04d190f83ef54732421a8d4578be1475d3a819fe6173c462 | gophish-v0.11.0-linux-64bit.zip |
f1af96033c946ed2fe757b9b3a7aefc63ec3548f0ab21f01c44d70a58410ffbe | gophish-v0.11.0-osx-64bit.zip |
f5083bc084715319a4e671bc58dc28f66828fec78a43bd41456373fcc024703c | gophish-v0.11.0-windows-64bit.zip |
We're excited to announce v0.10.1. This release significantly improves the performance of sending emails, adds some features and fixes bugs.
Here's just a couple of the exciting changes.
Thanks to the detailed report from @edermi in #1726, we were able to dramatically increase the speed at which we send emails- especially for large campaigns.
Administrators often have a need to help troubleshoot issues other users are seeing with Gophish. To make this easier, @glennzw added an impersonation feature in #1812 that allows system administrators to login to a user's account. This is available from the User Management page.
We've also changed our release process to use GitHub Actions. The bad news is that this means we won't be supporting 32-bit Mac or Windows releases at this time (we do support 64-bit releases!). The good news is that this will enable us to do much more frequent Gophish releases, getting awesome features and bugfixes out to the community even quicker.
With this in mind, please do let us know if you run into any issues with the releases below!
You can find the full changelog for this release here.
To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!
Now, one more thing:
Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.
SHA256 Hash | Filename |
---|---|
e236fea0628623c9158e01d189cf20766b2ebbb7cc1e6e53c1d4f49e039c98f7 | gophish-v0.10.1-linux-32bit.zip |
d075245dd146494ee1d25d2c6201ef84a5a2cdb6d38adc152df3b71ab8e91845 | gophish-v0.10.1-linux-64bit.zip |
1c8e4cbd8da090b9f6f38eb5605d7b1753b3f60ccf705e943befe98ff4969ab4 | gophish-v0.10.1-osx-64bit.zip |
7c01df6bbeeca6a9a6dd0fc28e12eb329414c3d15c8f0dec237bf6535e4d268a | gophish-v0.10.1-windows-64bit.zip |
SHA256 Hash | Filename |
---|---|
e9b754682d6476d0ff07e9d0bb4d7634e0e4d0ebba570c3a0f27574358636415 | gophish-v0.10.0-linux-32bit.zip |
7a6186d90eb4d75f773a09baf035b877f952136e7e73d2e8f680c83bb1524082 | gophish-v0.10.0-linux-64bit.zip |
4abbb083be9f5b9f11a92cbe024449be3825e60b67140356bc236fe82f244723 | gophish-v0.10.0-osx-64bit.zip |
087edf7e1b64aa66912b4780a5914d4cfbfd78b8e1fd8046da7c6b08c79388cd | gophish-v0.10.0-windows-64bit.zip |
We're excited to announce v0.9.0. This release adds big features, improves performance, and fixes bugs.
Here's just a couple of the exciting changes.
Ever since Gophish was launched, we've had the ability to fetch campaign results via the API. But sometimes, you may want to have campaign updates pushed directly to you as they happen.
To solve this problem, we've added support for webhooks.
When you configure a webhook, Gophish will make (optionally signed) HTTP requests to an endpoint you control. These requests include the JSON body of the event that just happened- the exact same JSON that you would normally receive via the API. This gives you real-time updates to your campaign as they happen.
You can find more information about using webhooks in our documentation.
Webhook support was sponsored by Al Lowenstein and implemented by @GildedHonour in #1642. Thank you both for all your help making this happen!
I always encourage folks using Gophish to focus not only on minimizing the click through rates, but even more so on increasing the reporting rate. To that end, many companies have an email address they encourage employees to send any potential phishing emails.
I've often got feedback that it'd be great if Gophish emails sent to that email address would automatically show as "reported" in the campaign results. Now that's possible!
Thanks to the great work from @glennzw, you can now configure IMAP details which Gophish will use to fetch any campaign emails, marking them as reported. Thank you for all your amazing work @glennzw!
You can find more information about configuring reporting via IMAP in our documentation.
While there are amazing performance improvements and bug fixes included in this release, you'll notice something about the two big features listed above- neither were built by me (@jordan-wright).
This is incredibly exciting. I've long held that the community around Gophish is my favorite thing about the entire project. We have a group of folks contributing to issues, offering advice and feature requests and, with this release, contributing core features that make Gophish even better.
Thank you all for everything you do. We have big things planned for Gophish, and I'm excited to build them alongside you all.
To upgrade, download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!
Now, one more thing:
Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.
SHA256 Hash | Filename |
---|---|
f12ad070007b4d764e7e7816db8dae1f8002483c9aff81e2437319e9c6521465 | gophish-v0.9.0-linux-32bit.zip |
ffcdf7a1a8590b6de70660754c88ef2be3c3b69e1dd5ae18c472dbd26d5ff534 | gophish-v0.9.0-linux-64bit.zip |
6780ea4124eeaefa1cd0a5c2a825f4457dfda807b43be741bbbd22ab8e870099 | gophish-v0.9.0-osx-32bit.zip |
ab283c49625af335bf6fee1b65f386bd69cece68d2ed9bd051b4de9b43b3dd5e | gophish-v0.9.0-osx-64bit.zip |
d63ae01b2152f1964ffb9dc1d4d36fe3e8b8abcaffa74e1750770e6b8b321c3f | gophish-v0.9.0-windows-32bit.zip |
7f1593d5fafe3590acaed4157c47d5c00ba9a30df86382d3f6c531369f8d9123 | gophish-v0.9.0-windows-64bit.zip |
tl;dr - New version of Gophish. Lots of improvements. Binaries can be found above. 😄
We're excited to announce v0.8.0. This release fixes a bunch of bugs, adds a few features, and lays the groundwork for really cool features to come.
This release includes initial support for Role-Based Access Control (RBAC). Specifically, it introduces global roles that separates admins from non-admins. You can find more information here.
Users with the admin role have access to the user management API. This API allows you to create and manage users programmatically. You can find documentation for this API here.
We've added a Dockerfile
so that you can build Gophish in a container. We'll be uploading an official Docker image at gophish/gophish
shortly.
While this isn't a user-facing change, it's a big one. We've refactored a bunch of the code to be cleaner and more structured. This will help new developers coming into Gophish to get up and running more quickly.
Those are the big changes, but that's certainly not everything! You can find a full changelog here.
To upgrade, simply download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!
I want to also take a quick moment to say thank you to everyone. The community is what makes Gophish great. I'm so thankful to everyone who leaves questions, suggests features, and goes the extra mile to help others out.
Thank you all for everything you do!
Now, one more thing:
Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.
Note: The
VERSION
file for these releases still says 0.7.1. This was an oversight during the release process. After upgrading, even if you see 0.7.1, you're certainly running the 0.8.0 codebase. I apologize for the inconvenience!
SHA256 Hash | Filename |
---|---|
80cb2c13b9f34dd2a5454c15065af81c15d09fbf30298cce276ba1fa7318462b | gophish-v0.8.0-linux-32bit.zip |
8a64368f31a10d7e0bbedfce8827fcd9fbbfa8d0fc5b5d6a3c467569a7818d26 | gophish-v0.8.0-linux-64bit.zip |
9209ccab7087e432e0fbd1ecf8772ac5d1cb92839b89907cdbe02ff3b392dd6b | gophish-v0.8.0-osx-32bit.zip |
95a1adcd9c1e56c2cc6525140fb65e4dda7f89e91497ed5498d09c4319e9c2f7 | gophish-v0.8.0-osx-64bit.zip |
68de55454a4fca68a61b3bd3359986b26423484350ff947e59a31e0b174ff4cc | gophish-v0.8.0-windows-32bit.zip |
8bd15a7484e363e0573d0afad31b56e3bbf634dcce377bb4b1ef24a7146823d0 | gophish-v0.8.0-windows-64bit.zip |
In the previous version, we introduced the {{.BaseURL}}
template variable that points to the root URL. This helps make things like pointing to static files easier. See #1189 for more details.
Turns out, this didn't work for email template validation, since we weren't checking for all possible template tags. I'm sorry for the inconvenience!
The good news is that this is fixed now, and should have only been an issue if you were trying to use the new {{.BaseURL}}
tag. Since this was something I promised and it didn't work, I wanted to roll out a hotfix.
For all the full details in the latest release, check out the 0.7.0 release notes.
SHA1 Hash | Filename |
---|---|
9bf4cf0905b1d171092a726cae6eafc6c837d926 | gophish-v0.7.1-linux-32bit.zip |
77d8cf20e8b9591b3e8b8123653156d77a4ff0cb | gophish-v0.7.1-linux-64bit.zip |
0b88b6d42a7907cfbd1f18574c230158c280d766 | gophish-v0.7.1-osx-32bit.zip |
1a628ff9aa9a3f398d060e1644bc52a68aa102d4 | gophish-v0.7.1-osx-64bit.zip |
798486c3bdb6c261625bd2b0605b1311b3ab3c7d | gophish-v0.7.1-windows-32bit.zip |
1651769aa4f66401107efc04c035d96c8ef4e463 | gophish-v0.7.1-windows-64bit.zip |
tl;dr - New version of Gophish. Lots of improvements. Binaries can be found above. 😄
We're excited to announce v0.7.0. This release is packed with improvements that make Gophish more powerful than ever.
When setting up a campaign, you want to know what the email and landing page looks like. Previously, to do this you would have to set up a separate campaign just for yourself, since there was no way of testing the full flow.
This isn't good.
In this Gophish release, we've fixed this! Now, when sending a test email from the campaign builder, clicking on the links will load up the landing page, showing you exactly what your recipients would see.
Before this release, emails for a Gophish campaign were all sent at the same time. This is great in some cases, but sometimes you want to spread out the emails over a period of minutes, hours, or even days.
Now you can!
In this release, we've added a new field called "Send Emails By". If you set this field, then Gophish will spread out the emails evenly between the campaign launch and this date.
No one likes looking through raw logs to see what kinds of devices are clicking on links. Now you don't have to!
In this release, we parse the user-agents for devices that click links or submit credentials, and we show that information in the campaign details:
As mentioned in #1057, we can do a better job of running friendly phishing simulations. The only approved use of Gophish is to run authorized phishing simulations, so we've added some features to make these campaigns more transparent.
Specifically, we've added:
contact_address
field to the config.json
. This field is inserted as an X-Gophish-Contact
header in outgoing emailsX-Mailer
header is set to gophish
for outgoing emailsrid
. This returns a JSON response containing the contact address and indicates that the email was generated by GophishThose are the big features, but that's certainly not everything! You can find a full changelog here.
To upgrade, simply download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!
I want to also take a quick moment to say thank you to everyone. The community is what makes Gophish great. I'm so thankful to everyone who leaves questions, suggests features, and goes the extra mile to help others out.
Thank you all for everything you do!
Now, one more thing:
Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.
SHA1 Hash | Filename |
---|---|
63149165688d3ca989974e32b5716be7e87ed6b4 | gophish-v0.7.0-linux-32bit.zip |
f113435940626c3f13448ce8e12aafb3e347c504 | gophish-v0.7.0-linux-64bit.zip |
45736f416e475541ac214611f41c40fb967167dd | gophish-v0.7.0-osx-32bit.zip |
d9b3ac3a2cf11f53bd33196d0310167ffb43cd8a | gophish-v0.7.0-osx-64bit.zip |
98ad9756fa95d43af99b12f8d08423f71dc7fc14 | gophish-v0.7.0-windows-32bit.zip |
f069cc4f4c9c50e422923f205c34eb226a2ea550 | gophish-v0.7.0-windows-64bit.zip |
Old hashes (only valid if you downloaded the release immediately after it was published before I got a chance to bump the VERSION
file):
SHA1 Hash | Filename |
---|---|
dfddc8a8038fa612022bb22e823e2a51b343e261 | gophish-v0.7.0-linux-32bit.zip |
261efd81c727021dfa039fe081ff7941cd86f9ee | gophish-v0.7.0-linux-64bit.zip |
5ca9e90bc8c6ed0494ddb29deb907548859c5ab0 | gophish-v0.7.0-osx-32bit.zip |
c0ffcc5f06799c807b79c3b41cefa6785c853dd8 | gophish-v0.7.0-osx-64bit.zip |
fd12ebc44c964e8577f688405f6c01d470335d9f | gophish-v0.7.0-windows-32bit.zip |
8000eec9d77a3d6987aa57b7d61736717238c471 | gophish-v0.7.0-windows-64bit.zip |
tl;dr - New version of Gophish. Lots of improvements. Binaries can be found above. 😄
We're excited to announce v0.6.0 of Gophish! This fix has a bunch of bug fixes (including a couple of low-severity security fixes) and a couple of new features.
The biggest new feature in this release is the ability for users to report phishing emails to Gophish and to have those reports displayed in the dashboard. We don't have email clients ready for this quite yet, so everything is just implemented on the server-side for now.
Huge thanks to @S0larflare for making this happen!
Here are just a few of the bugs fixed in this release:
And more!
To upgrade, simply download the release for your platform, extract into a folder, and copy (remember to copy, not move so that you have a backup) your existing gophish.db file into the new directory. Then, run the new gophish binary and you'll be good to go!
I want to also take a quick moment to say thank you to everyone. The community is what makes Gophish great. I'm so thankful to everyone who leaves questions, suggests features, and goes the extra mile to help others out.
Thank you all for everything you do!
Now, one more thing:
Have questions, comments, or feature ideas about Gophish? Let us know by filing an issue.
SHA1 Hash | Filename |
---|---|
301620234118f7d33a22beaebeb772f3211b1592 | gophish-v0.6.0-linux-32bit.zip |
6e6c621cab279f136f8d7b29b60b291b441e4bba | gophish-v0.6.0-linux-64bit.zip |
a87e2eeebc8d62b6905a9d7eb59c7b7b4d2291e9 | gophish-v0.6.0-osx-32bit.zip |
426def461471012f274dbeca01c37471934b723e | gophish-v0.6.0-windows-32bit.zip |
ed5ed65b9e0d1a98fb1034fd080d76e7da8f0273 | gophish-v0.6.0-windows-64bit.zip |