<h2 class="post-title"><a href="/blog/post/2019-01-11-creating-the-gophish-demo-part-two/">Creating the Gophish Demo: Part Two</a></h2>
</header>
<section class="post-excerpt">
<p>In the previous post, I showed how I created a script to generate a realistic but fake campaign within Gophish. This is a great start to a demo, but still put the burden on the user to download and install Gophish first. In the second part of this two-part series, we'll see how I managed to get the entire demo working in a single command. <a class="read-more" href="/blog/post/2019-01-11-creating-the-gophish-demo-part-two/">»</a></p>
<title>Creating the Gophish Demo: Part Two · Gophish - Blog</title>
<p>In the <a href="https://getgophish.com/blog/post/2019-01-04-creating-the-gophish-demo-part-one/">previous post</a>, I showed how I created a script to generate a realistic but fake campaign within Gophish. This is a great start to a demo, but still put the burden on the user to download and install Gophish first. Then, they’d have to delete everything manually if they wanted to remove the fake campaign.</p>
<p>My goal for the demo was to have everything self-contained. I wanted Gophish itself to be downloaded and run automatically. I wanted the script to execute, adding a fake campaign without any work from the user. I wanted everything to be cleaned up when the user was done with the demo.</p>
<p>Oh, and I wanted it all to happen in a single command.</p>
<p>This post talks about how I managed to get everything working seamlessly in a single <code>docker run</code> command that could fit in a tweet:</p>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Want to play with Gophish? Now you can create a demo instance with a fake campaign already set up - all with just a single command 🔥:<br><br>docker run -ti -p 3333:3333 --rm gophish/demo<br><br>Enjoy! <a href="https://t.co/1OMzrEcSSe">pic.twitter.com/1OMzrEcSSe</a></p>— Jordan Wright (@jw_sec) <a href="https://twitter.com/jw_sec/status/1079928489812414464?ref_src=twsrc%5Etfw">January 1, 2019</a></blockquote>
<h3 id="building-the-container">Building the Container</h3>
<p>I opted to use Docker for the demo, largely because it lets me abstract away all the hard work of setting up the demo into a container image.</p>
<p>Since I wanted everything to fit in a single command, I couldn’t use something like <code>docker-compose</code>. Instead, I needed to get everything working together in a single container, which posed a few challenges.</p>
<p>Here are the high-level steps I needed to do to make the demo work:</p>
<ul>
<li>Download and launch Gophish</li>
<li>Get the API key that’s generated when the database is created</li>
<li>Launch the <code>create_demo.py</code> script with the retrieved API key</li>
</ul>
<p>Here’s a flow chart showing what this process looks like:</p>
<p>This made things a bit more difficult, since Docker encourages you to keep containers limited to a single process or application. This is gently enforced by only exposing a single entrypoint in an image.</p>
<p>To make this work, I first wrapped the demo script in a separate bash script to help set things up. I then used <code>supervisord</code> to launch Gophish and the demo script as services so that they could both run in the same container.</p>
<p>Both of these had their own challenges, so it’s worth covering each in a bit more detail.</p>
<h3 id="wrapping-the-demo-script">Wrapping the Demo Script</h3>
<p>The <code>create_demo.py</code> script assumes Gophish is already running, and requires a valid API key to interact with the Gophish API. This presented a challenge, since I knew there wasn’t a guarantee that Gophish would be ready by the time <code>create_demo.py</code> was launched.</p>
<p>To solve this, I wrapped the script in a bash script that first waited for the <code>gophish.db</code> file to exist, indicating that Gophish was running:</p>
<div class="highlight"><pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">&gt;&amp;2 echo "Waiting for database"</code></pre></div>
<p>Once the database was created, I used the same technique to wait for the API key to be generated and added. I could then grab the API key using a simple SQL command:</p>
<div class="highlight"><pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"># Get the API key
export API_KEY=$(sqlite3 "$DATABASE" 'select api_key from users limit 1');</code></pre></div>
<p>Finally, I can run the demo!</p>
<div class="highlight"><pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"># Launch the demo</code></pre></div>
<p>With the details of how I wanted to execute <code>create_demo.py</code> out of the way, I needed to actually launch the script and Gophish. This is where Supervisord comes in.</p>
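<p>A version of the wrapper steps above with a bounded wait, as an added example that is not the project's script: <code>DATABASE</code> and the SQL query come from the post, while <code>MAX_TRIES</code>, <code>POLL_INTERVAL</code> and the function names are assumptions. It gives up if Gophish never creates the database or the key, and it keeps the key out of the log output.</p>

```bash
#!/bin/sh
# Added example, not the project's script. DATABASE is the variable used on
# the page; MAX_TRIES, POLL_INTERVAL and the function names are hypothetical.
set -eu

DATABASE="${DATABASE:-gophish.db}"
MAX_TRIES="${MAX_TRIES:-60}"
POLL_INTERVAL="${POLL_INTERVAL:-1}"

# Run "$@" up to $1 times until it exits 0 with non-empty output.
# Prints that output; returns 1 when the tries run out, so callers fail
# instead of waiting forever on a Gophish that never started.
wait_for_output() {
    _tries=$1; shift
    while [ "$_tries" -gt 0 ]; do
        if _out=$("$@" 2>/dev/null) && [ -n "$_out" ]; then
            printf '%s\n' "$_out"
            return 0
        fi
        _tries=$((_tries - 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

db_exists() { [ -f "$DATABASE" ] && echo ready; }

# The file can exist before the users table is populated: a failed or empty
# query means "not yet", which wait_for_output treats as a retry.
read_api_key() { sqlite3 "$DATABASE" 'select api_key from users limit 1'; }

main() {
    >&2 echo "Waiting for database"
    wait_for_output "$MAX_TRIES" db_exists >/dev/null ||
        { >&2 echo "database never appeared"; return 1; }
    >&2 echo "Waiting for API key"
    API_KEY=$(wait_for_output "$MAX_TRIES" read_api_key) ||
        { >&2 echo "API key never appeared"; return 1; }
    export API_KEY
    # This output ends up in the `docker run` terminal, so log the length only.
    >&2 echo "Got API key (${#API_KEY} characters)"
    # Hand over to the command given after "run", e.g. the demo script.
    exec "$@"
}

# Usage: ./wait_for_gophish.sh run <command...>
# Without "run" the file only defines the functions.
if [ "${1:-}" = "run" ]; then shift; main "$@"; fi
```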
<h3 id="setting-up-supervisord">Setting up Supervisord</h3>
<p><a href="http://supervisord.org/">Supervisord</a> makes it easy to manage processes as if they were services. For example, it handles launching applications and restarting them if they crash.</p>
<p>Supervisord is set up using a <a href="http://supervisord.org/configuration.html">configuration file</a> called <code>supervisord.conf</code>. The configuration is divided into sections, with a section for global configuration, as well as sections for each program you want to launch.</p>
<p>In our case, I had two programs I wanted to launch: Gophish itself, and the demo script. For Gophish, I configured Supervisord to start the process automatically, and restart it if it were to crash for whatever reason:</p>
<p>The demo script is similar, except I only wanted to run it once so I set the <code>autorestart</code> parameter to <code>false</code>. I also set up logging to <code>stdout</code> so that the logs could be viewed when <code>docker run</code> is executed:</p>
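<p>The two program sections described above, as an added example rather than the project's own <code>supervisord.conf</code>: the <code>/opt/gophish</code> paths and the <code>run_demo.sh</code> name are assumptions, while the option names are standard Supervisord settings.</p>

```ini
[supervisord]
; Stay in the foreground so supervisord is the container's main process.
nodaemon=true

[program:gophish]
; Assumed install path, not taken from the post.
directory=/opt/gophish
command=/opt/gophish/gophish
autostart=true
; Relaunch Gophish whenever it exits.
autorestart=true

[program:demo]
; Assumed name for the bash wrapper around create_demo.py.
directory=/opt/gophish
command=/opt/gophish/run_demo.sh
autostart=true
; One-shot job: do not relaunch it when it exits.
autorestart=false
; An exit before startsecs counts as a failed start and is retried
; regardless of autorestart, so treat the script as started immediately.
startsecs=0
; /dev/stdout cannot be rotated, so rotation has to be disabled.
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
redirect_stderr=true
```

<p>Everything the <code>demo</code> program prints reaches the terminal that ran <code>docker run</code>, so the wrapper script should not echo the API key.</p>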
<p>All that was left was to build the image using <code>docker build -t gophish/demo:latest .</code> and push it to Docker Hub!</p>
<p>While there were some hurdles to overcome, I’m really happy with how this demo turned out. I’m excited that more people will get to play around with all the powerful features Gophish has to offer, all with a single command.</p>