Gophish
Open-source phishing framework. Admin UI on 3333; the SQLite DB stores the admin bcrypt hash and API key, and the API can read sent campaigns and harvested credentials.
Ports
| Port | Proto | Notes |
|---|---|---|
3333 | tcp | Gophish admin UI (HTTPS) |
8080 | tcp | Phishing landing-page server |
Fingerprint
- 'Gophish' login at :3333, self-signed cert
- /api/ endpoints return JSON with an API key
Key files
| Path | Holds | Sensitive |
|---|---|---|
gophish.db | SQLite: admin bcrypt hash, api_key, campaign results | sensitive |
Default / weak creds
admin / gophish on very old versions (later builds print a random password at first boot)
Exploitation primitives
- Pull gophish.db for the admin hash + API key
- With the API key, read results — harvested credentials from completed phishing campaigns
- Stored campaign templates/landing pages may contain internal hostnames and creds
Overview
Gophish runs phishing campaigns; the admin panel is on 3333. On a box, its database is the prize — it holds the admin hash, the API key, and any credentials victims already submitted.
Loot the database
sqlite3 gophish.db "select username,hash,api_key from users;"Read harvested creds via the API
curl -sk "https://<TARGET>:3333/api/campaigns/?api_key=<API_KEY>" | jq '.[].results'Hardening
Change the first-boot admin password, restrict :3333 to the operator, and protect gophish.db.