Hiding GoPhish from the boys in blue! See my blog article linked below for details on all the changes made during compilation of GoPhish before using!


GoPhish by default tips your hand to defenders and security solutions. The container here strips those indicators and makes other changes to hopefully evade detection during operations.


Getting the container up and running is very simple.

Run the following one-liner to clone the repository and build the container:

git clone && \
  cd sneaky_gophish && \
  docker build -t sneaky_gophish .

To actually run the container headlessly, run the following command:

docker run -itd --name sneaky_gophish -p 3333:3333 -p 8080:8080 sneaky_gophish

Thank god that GoPhish doesn’t use a universal default password anymore. To get the admin credentials for the image after running it, issue the following command:

docker logs sneaky_gophish | grep password

You should now be able to navigate to the GoPhish administrator interface at the URL listed below if you are running this on your workstation:


  • This container exposes port 8080 for the phishing page sent to users. This means we aren’t using SSL out of the box. We reccomend using a reverse proxy and robust redirect rules to protect your GoPhish instance and thwart defenders.
  • The changes to this repository aren’t the end all for detection capabilities. There is more here that should be done before using it in a real world engagement.