This comprehensive lab guide demonstrates how to simulate a real-world phishing attack in a safe and isolated environment. The objective is to understand phishing tactics, learn how malicious actors operate, and develop skills for detecting and preventing such attacks using Gophish and Poste.io.
Special thanks to @Sandra (With.Sandra's YouTube Channel) for the inspiration and guidance that helped shape this project.
Additional gratitude to hailbytes.com for their advanced tutorials, which enabled the transition from an introductory lab to a live email testing environment.
- Design and execute realistic phishing campaigns
- Explore phishing infrastructure capabilities (Gophish + Mail server)
- Simulate user interactions with phishing emails and landing pages
- Improve incident response and detection skills
- Analyse campaign results and extract key insights from captured credentials and user interactions
- Linux System Administration: Ubuntu server setup and hardening
- Virtualisation Management: Proxmox VE setup and VM provisioning
- Cloud Infrastructure: Configuration and deployment using Kamatera
- Containerization: Docker setup and container management
- Email Server Administration: Installing and configuring Poste.io with SMTP
- Network Security: Firewall configuration and secure port management
- Phishing Campaign Design: Crafting convincing emails and attack scenarios
- Security Awareness Testing: Designing tests and defining evaluation metrics
- Threat Simulation: Recreating real-world phishing attacks for training purposes
- Red Team Operations: Understanding attack methodologies and execution
- Gophish – Open-source phishing simulation framework
- Poste.io – All-in-one email server with web-based interface
- Proxmox VE – Virtualization platform for lab environment
- Kamatera – Cloud provider for hosting simulation infrastructure
- Ubuntu Server 24.04 LTS – Base operating system for mail and phishing servers
- UFW (Uncomplicated Firewall) – Host-based firewall management
- Docker – Container platform for Poste.io deployment
- SQLite – Lightweight database for Gophish campaign data
- Lubuntu Desktop – Lightweight Linux desktop for testing client interactions
- TempMail – A disposable email service for receiving phishing emails safely
Before implementation, you'll need to create a comprehensive diagram to visualise the project architecture and understand data flow between components.
Architecture Components:
- Virtual Machines: Lubuntu clients hosted in Proxmox home lab
- Cloud Services: Kamatera-hosted Ubuntu server running Gophish and Poste.io
- Network Infrastructure: Routing, firewall rules, and port forwarding
Figure 1: Lab Architecture Overview
The following diagram outlines the end-to-end workflow for executing a phishing campaign using Gophish and Poste.io, including configuration steps and execution lifecycle.
- Initiation: Manager launches the phishing simulation via the Gophish dashboard (port 3333)
- Configuration: Email templates, landing pages (port 8081), and recipient lists are created; sending profile configured using Poste.io as SMTP server (port 465)
- Execution: Campaign launches, Gophish sends phishing emails through Poste.io to TempMail inboxes
- User Interaction: Targets receive emails and interact with landing pages; Gophish records clicks and form submissions
- Analysis: Campaign results monitored in the Gophish dashboard to evaluate engagement and identify improvement areas
Kamatera offers a generous $100 free trial credit, making it ideal for this project.
- Sign up at Kamatera.com
- The free trial provides sufficient credit for complete deployment
- Navigate to My Cloud and click Create New Server
- Configure the following settings:
- Zone: Select the closest to your region
- Image: Ubuntu 24.04 LTS
- Server Type: General Purpose
Figure 3: Kamatera Server Deployment
- Set recommended specifications:
- CPU: 2 vCPUs
- RAM: 4 GB
- Storage: 50 GB SSD
- Networking: Public and private networking enabled
Figure 4: Server Configuration Options
- Set server credentials:
- Create a strong root password
- Name the instance:
MyLab-PhishLab
- Estimated cost: ~$20/month
Figure 5: Server Credentials Configuration
- Navigate to Server List and locate your new instance
Figure 6: Server Status Dashboard
- Test connectivity from your local terminal:
ping <SERVER_PUBLIC_IP>
- Navigate to Firewall under server settings
- Enable the firewall and add custom rules:
- Allow TCP/UDP traffic from your local IP address
- Use an IP lookup tool (e.g., whatismyip.com) to identify your public IP
Figure 9: Firewall Configuration
Figure 10: UDP Rule Configuration
Figure 11: TCP Rule Configuration
Connect to your Ubuntu server from your local machine:
ssh root@<SERVER_PUBLIC_IP>
Figure 14: SSH Session Established
- Update the system:
apt update && apt upgrade -y
Figure 15: System Update Command
- Install required packages:
sudo apt install unzip -y
Figure 18: Installation Complete
Important Note:
This mail server setup is designed for testing and learning purposes only in a disposable email environment. It does not include MX records, real domains, TLS certificates, SPF, DKIM, or DMARC configuration. Consequently, it will not deliver to trusted email providers (Gmail, Outlook, etc.). Do not use this setup for malicious purposes.
- Download the Docker installation script:
curl -fsSL https://get.docker.com -o get-docker.sh
Figure 19: Download Docker Script
Figure 20: Script File Created
Figure 21: Script Content Preview
- Execute the installation script:
sudo sh get-docker.sh
Figure 22: Docker Installation
- Verify Docker installation:
sudo docker run hello-world
This command should display a "Hello from Docker" message.
Execute the following Docker command with your specific configuration:
docker run \
--net=host \
-e TZ=Europe/Prague \
-v /your-data-dir/data:/data \
--name "mailserver" \
-h "campaign.com.au" \
-t analogic/poste.io
Command Parameters Explained:
- --net=host: Uses host networking for simplified access
- -e TZ=Europe/Prague: Sets the timezone (adjust as needed)
- -v /your-data-dir/data:/data: Mounts the data directory for persistence
- --name "mailserver": Names the Docker container
- -h "mail.example.com": Sets the mailserver hostname (the command above uses campaign.com.au; replace with your domain)
- -t analogic/poste.io: Specifies the Poste.io Docker image (-t attaches a pseudo-terminal to the container)
Figure 23: Poste.io Container Running
Figure 25: Poste.io Port Configuration
For advanced configuration options, refer to the official documentation: https://poste.io/doc/getting-started
- Access the webmail interface by clicking the mail icon in the top-right corner
- Obtain a disposable email address from TempMail
- Send a test email to the disposable address
- Verify email delivery in the TempMail inbox
Figure 31: Email with Spoofed Domain
This confirms that the mail server is operational and can deliver emails with the configured domain.
- Access the web interface at:
https://<SERVER_PUBLIC_IP>
- If the default page doesn't load, navigate directly to:
https://<SERVER_PUBLIC_IP>/admin/install/server
- Complete the setup wizard with the following information:
- Mailserver hostname: campaign.com.au
- Administrator email: admin@campaign.com.au
- Password: Create a strong administrator password
Figure 32: Poste.io Setup Form
- Visit https://getgophish.com and locate version 0.12.1
- Copy the download link for Linux 64-bit:
https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
- Download using wget:
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
- Create installation directory:
sudo mkdir /opt/gophish
- Extract the archive:
unzip gophish-v0.12.1-linux-64bit.zip -d /opt/gophish
- Set executable permissions:
cd /opt/gophish
sudo chmod +x gophish
Figure 41: Navigate to Directory
- Edit the configuration file:
sudo nano config.json
- Modify the listen URL:
- Change:
"listen_url": "127.0.0.1:3333"
- To:
"listen_url": "0.0.0.0:3333"
- Start the Gophish service:
sudo ./gophish
- Note the initial credentials displayed in the terminal
Figure 47: Initial Credentials
- Open a browser and navigate to:
https://<SERVER_PUBLIC_IP>:3333
Figure 48: Gophish Web Interface
- Log in using the temporary credentials from the terminal
- Change the default password when prompted
Deploy four lightweight Linux VMs to simulate client targets. This guide uses Lubuntu for its minimal resource requirements.
Note: The VM deployment process using Proxmox, VirtualBox, or VMware is not detailed here as it's assumed you have virtualisation experience.
- In the Poste.io admin interface, navigate to Virtual Domains
- Click Create a new virtual domain
- Create a domain using:
mailer.last.fm
(matching your email template)
- Create a new email address for the campaign domain
- Configure the email account details
Figure 57: Email Configuration
Figure 58: Email Account Created
- Access the webmail portal
- Log in with the campaign email credentials
- Send a test email to verify functionality
- Confirm delivery to a disposable email
- Navigate to Email Templates and click New Template
- Configure template details and import the original email
Figure 65: Template Configuration
- Obtain email source code (in Gmail: three dots → Show Original)
- Import email and configure settings
- Save the template
- Boot your Lubuntu VMs and obtain disposable email addresses for each
- Navigate to Users & Groups and click New Group
- Download the CSV template for easier bulk import
- Fill in the CSV with target information (emails from VMs, names, positions)
- Use Bulk Import Users to upload the CSV
- Navigate to Landing Pages and click New Page
- Configure landing page name and import target site (Last.fm login page)
Figure 80: Landing Page Configuration
- Configure data capture settings and redirect URL
Figure 82: Landing Page Settings
- Navigate to Sending Profiles and click New Profile
- Configure SMTP settings using Poste.io virtual domain
- Host: Server public IP with port 465
- Username/Password: Virtual domain email credentials
- Test email delivery before saving
- Navigate to Campaigns and click New Campaign
- Configure campaign settings:
- URL: Server public IP with port 8081 (Gophish listener)
- Select previously created templates, groups, and sending profiles
- Launch the campaign
Figure 88: Campaign Configuration
Monitor campaign progress in the Gophish dashboard:
Figure 89: Campaign Monitoring
- Monitor individual user responses
Figure 91: Individual Response
- Simulate credential entry on the landing page
- Verify credential capture in Gophish
Figure 93: Credentials Captured
After simulating all user interactions:
Figure 96: Captured Credentials 1
Figure 97: Captured Credentials 2
Figure 98: Captured Credentials 3
Figure 99: Campaign Completion
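The analysis step above is easier to repeat if the Gophish results export is processed by script. The following is an added example (not part of the original guide or of Gophish) that builds the engagement funnel, the click/submit/report rates and the follow-up training list from a constructed CSV in the shape of a Gophish "Export Results" file; the column layout of that export is an assumption, and only status, reported, email and position are read.

```python
import csv
import io
from collections import Counter

# Constructed sample shaped like a Gophish "Export Results" CSV (the column
# layout is an assumption about that export; only status, reported, email and
# position are read). One row per target VM from the lab's user group.
SAMPLE_RESULTS_CSV = """\
id,status,ip,latitude,longitude,send_date,reported,modified_date,email,first_name,last_name,position
r1,Email Sent,,0,0,2024-06-03T10:00:00Z,true,2024-06-03T10:01:00Z,vm1@tempmail.invalid,Ana,One,Finance
r2,Email Opened,203.0.113.21,0,0,2024-06-03T10:00:00Z,false,2024-06-03T10:02:00Z,vm2@tempmail.invalid,Ben,Two,Finance
r3,Clicked Link,203.0.113.22,0,0,2024-06-03T10:00:00Z,false,2024-06-03T10:05:00Z,vm3@tempmail.invalid,Cy,Three,IT
r4,Submitted Data,203.0.113.23,0,0,2024-06-03T10:00:00Z,false,2024-06-03T10:07:00Z,vm4@tempmail.invalid,Di,Four,Sales
"""

# Gophish records the furthest stage each target reached, so a "Submitted Data"
# row also counts as opened and clicked when the funnel is built.
STAGE_RANK = {"Email Sent": 1, "Email Reported": 1, "Email Opened": 2,
              "Clicked Link": 3, "Submitted Data": 4}

def stage(row):
    """Funnel depth of one result row; 0 means never delivered (Scheduled/Error)."""
    return STAGE_RANK.get(row["status"], 0)

def summarise_results(csv_text):
    """Engagement funnel, rates and follow-up list from an exported results CSV."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    sent = [r for r in rows if stage(r) >= 1]
    opened = [r for r in rows if stage(r) >= 2]
    clicked = [r for r in rows if stage(r) >= 3]
    submitted = [r for r in rows if stage(r) >= 4]
    reported = [r for r in rows
                if r["reported"].lower() == "true" or r["status"] == "Email Reported"]

    def pct(group):
        return round(100.0 * len(group) / len(sent), 1) if sent else 0.0

    return {
        "sent": len(sent), "opened": len(opened), "clicked": len(clicked),
        "submitted": len(submitted), "reported": len(reported),
        "click_rate": pct(clicked), "submit_rate": pct(submitted), "report_rate": pct(reported),
        # Targets who clicked or entered credentials: the awareness-training follow-up list
        "needs_training": sorted(r["email"] for r in clicked),
        # Clicks per position, to see which teams need targeted training first
        "clicks_by_position": dict(Counter(r["position"] for r in clicked)),
    }

if __name__ == "__main__":
    for key, value in summarise_results(SAMPLE_RESULTS_CSV).items():
        print(f"{key}: {value}")
```

Point the script at the CSV downloaded from the campaign's results page to get the same summary for a real run.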
This comprehensive phishing simulation lab successfully demonstrates the complete lifecycle of a phishing attack in a controlled environment. By integrating Gophish with Poste.io and deploying virtual client machines, we've replicated the core phases of real-world phishing campaigns:
- Infrastructure Setup: Successfully deployed cloud-based phishing infrastructure using Kamatera, Docker, and Ubuntu Server
- Email Spoofing: Configured Poste.io to send convincing phishing emails with spoofed domains
- Campaign Execution: Created realistic phishing templates, landing pages, and user groups
- Data Capture: Demonstrated credential harvesting and user interaction tracking
- Security Awareness: Highlighted vulnerabilities in human behaviour and email security
This lab provides hands-on experience with:
- Attack Methodologies: Understanding how threat actors design and execute phishing campaigns
- Infrastructure Components: Learning the technical requirements for phishing operations
- Detection Opportunities: Identifying points where security controls could intervene
- User Behaviour: Observing how users interact with malicious content
- Defensive Strategies: Developing awareness of protection mechanisms and training needs
The skills and knowledge gained from this lab apply to:
- Security Awareness Training: Designing effective user education programs
- Red Team Operations: Conducting authorized penetration testing
- Blue Team Defense: Improving detection and response capabilities
- Risk Assessment: Evaluating organisational vulnerability to social engineering
- Incident Response: Understanding attack vectors and evidence collection
Critical Warning:
This guide is intended exclusively for educational and authorised testing purposes within controlled environments. The techniques demonstrated must only be used with explicit written permission from system owners and within the scope of legitimate security testing or training programs.
- Authorisation: Always obtain proper written authorisation before conducting any phishing simulations
- Scope Limitation: Only target systems and users explicitly included in the authorised testing scope
- Data Protection: Ensure all captured data is handled according to applicable privacy laws and regulations
- Documentation: Maintain detailed records of all testing activities for audit purposes
The following activities are strictly forbidden:
- Conducting unauthorised phishing attacks against any individual or organisation
- Using these techniques for financial gain, identity theft, or other criminal purposes
- Deploying phishing infrastructure without proper authorisation and oversight
- Sharing captured credentials or personal information outside the authorised testing team
- Using spoofed domains that could damage legitimate organisations' reputations
Issue: Emails not reaching target inboxes
- Cause: Missing DNS records, blacklisted IP, or blocked ports
- Solution: Use disposable email services for testing; verify Poste.io configuration
- Note: This setup intentionally lacks proper email authentication for educational purposes
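The missing authentication noted above is exactly what a receiving gateway keys on. As an added example (not part of the original guide), the script below parses a constructed raw message shaped like one from this lab, where the From domain is the mailer.last.fm virtual domain but the relaying host is the Poste.io server at campaign.com.au and no Authentication-Results header is present, and reports the signals a defender would check; the contrast message and all hostnames and IPs are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample of a lab message on arrival: the campaign sends as the
# mailer.last.fm virtual domain, but the relaying host is the Poste.io server
# (campaign.com.au) and there is no Authentication-Results header because the
# lab has no SPF, DKIM or DMARC records.
LAB_MESSAGE = b"""\
Received: from campaign.com.au (campaign.com.au [203.0.113.10])
        by mx.tempmail.invalid with ESMTP id q1; Mon, 03 Jun 2024 10:00:00 +0000
From: Last.fm <noreply@mailer.last.fm>
To: vm1@tempmail.invalid
Subject: Please confirm your account

Please confirm your account using the link below.
"""

# Constructed contrast: the same message as an authenticated sender would present it.
AUTHENTICATED_MESSAGE = (
    b"Authentication-Results: mx.tempmail.invalid; spf=pass; dkim=pass; dmarc=pass\n"
    + LAB_MESSAGE.replace(b"campaign.com.au (campaign.com.au", b"mailer.last.fm (mailer.last.fm")
)

def domain_of(header_value):
    """Domain part of an address header such as From, lower-cased."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def audit_headers(raw):
    """Apply the checks a receiving gateway would make to one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    # Hostname announced by the last relay, taken from the topmost Received header
    hop = re.search(r"from\s+(\S+)", str(msg["Received"] or ""))
    sending_host = hop.group(1).lower() if hop else ""
    auth = " ".join(str(v) for v in (msg.get_all("Authentication-Results") or [])).lower()
    result = {
        "from_domain": from_domain,
        "sending_host": sending_host,
        # Relay host outside the From domain is the spoofing signal of this lab
        "host_from_mismatch": not (sending_host == from_domain
                                   or sending_host.endswith("." + from_domain)),
        "spf_pass": "spf=pass" in auth,
        "dkim_pass": "dkim=pass" in auth,
        "dmarc_pass": "dmarc=pass" in auth,
    }
    # Unauthenticated, or relayed by an unrelated host: flag it for review
    result["suspicious"] = result["host_from_mismatch"] or not (result["spf_pass"] and result["dkim_pass"])
    return result
```

Run it over a message saved from the TempMail inbox ("Show Original" style raw source) to see the same checks against a real lab delivery.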
Issue: Cannot access Gophish web interface
- Cause: Firewall blocking port 3333 or incorrect listen configuration
- Solution:
- Verify firewall rules allow traffic on port 3333
- Confirm config.json uses "listen_url": "0.0.0.0:3333"
- Check server security groups in the cloud provider console
Issue: Poste.io container fails to start
- Cause: Port conflicts or insufficient permissions
- Solution:
- Stop conflicting services using ports 25, 80, 443, 465, 993, 995
- Remove existing container:
docker rm -f mailserver
- Restart with proper permissions and unique ports
Issue: Landing page doesn't render correctly
- Cause: Missing CSS/JavaScript resources or HTTPS/HTTP conflicts
- Solution:
- Use simple HTML templates without complex JavaScript
- Ensure all resources are properly imported
- Test with basic forms before adding complexity
- Gophish Documentation: https://docs.getgophish.com
- Poste.io Setup Guide: https://poste.io/doc
- Docker Best Practices: https://docs.docker.com/develop/best-practices
- NIST Cybersecurity Framework: Guidelines for security assessment and improvement
- OWASP Testing Guide: Web application security testing methodologies
- SANS Security Awareness: Resources for security training program development
- Gophish Community: GitHub issues and discussions for technical support
- Security Forums: Professional communities for sharing best practices
- Training Programs: Certified ethical hacking and penetration testing courses
This guide represents a comprehensive approach to understanding phishing attack methodologies through safe, controlled simulation. You can use this knowledge responsibly to improve cybersecurity awareness and defensive capabilities.