github.com/topsteplocal/gophish@v0.6.0/templates/gophish.apib (about) 1 FORMAT: 1A 2 HOST: http://localhost:3333/api 3 4 # Gophish API 5 Gophish was built from the ground-up with a JSON API that makes it easy for developers and sysadmins to automate simulated phishing campaigns. 6 7 These docs describe how to use the [gophish](https://github.com/gophish/gophish) API. 8 9 ::: note 10 ## Authorization 11 All API requests require the use of a generated API key. You can find your API key, or generate a new one, by navigating to the /settings endpoint, or clicking the "Settings" sidebar item. 12 13 When making requests, simply append the ```api_key=[API_KEY]``` as a GET parameter to authorize yourself to the API. 14 15 ```http 16 GET /api/campaigns/?api_key=12345678901234567890123456789012 17 ``` 18 19 If no API key is provided, you'll receive the following response when attempting to make requests to API endpoints: 20 21 ```json 22 { 23 "message": "API Key not set", 24 "success": false, 25 "data": null 26 } 27 ``` 28 ::: 29 30 # Group Campaigns 31 ## Campaigns [/campaigns/] 32 33 ### Get Campaigns [GET] 34 Get a list of campaigns. 35 36 Campaigns object contain the resources needed for gophish to launch and track a simulated phishing campaign. 37 38 Campaigns have the following attributes: 39 40 + ```id``` : 1 (number, required) - Unique identifier 41 + ```name``` : Example Campaign (string, required) - Title of Campaign 42 + ```created_date``` : 2015-1-1T01:02:03.000000Z (datetime) - Date the Campaign was created 43 + ```completed_date``` : 2015-1-1T01:02:03.000000Z (datetime) - Date the Campaign was completed 44 + ```template``` : [Template](#templates) 45 + ```page``` : [Page](#pages) (required) - Landing page for users who click the phishing link 46 + ```status``` : Emails Sent (string) - The current status of the campaign 47 + ```results``` : array[Result] - List of Results for the campaign 48 + ```timeline``` : array[Event] - List of Events for the campaign 49 + ```smtp``` : [SendingProfile](#sending-profiles) 50 + ```url``` : http://foo.bar (required, string) - The URL used in the Template sent to us 51 ers 52 53 The results of the campaign are stored in the ```results``` field. Each result has the following attributes: 54 55 + ```id``` : 1 (number, required) - Unique identifier 56 + ```email``` : foo@example.com - Email address of the target 57 + ```first_name``` : John - First name of the target 58 + ```last_name``` : Doe - Last name of the target 59 + ```status``` : Email Sent - The status of the result 60 + ```ip``` : 1.2.3.4 - The IP address that created the event (if any) 61 + ```latitude``` : 0.0000- The latitude of the IP address 62 + ```longitude``` : 0.0000 - The longitude of the IP address 63 64 Each campaign also keeps a timeline of events that occur, such as clicking a link, opening an email, etc. These events each have the following attributes: 65 66 + ```email``` : foo@example.com - Email address of the target 67 + ```time``` : 2015-1-1T01:02:03.000000Z (datetime) - The timestamp the event was created 68 + ```message``` : Campaign Created (string) - The event message 69 70 + Response 200 (application/json) 71 72 + Attributes (array[Campaign]) 73 74 + Response 404 (application/json) 75 76 + Body 77 78 [] 79 80 ### Create New Campaign [POST] 81 Create a new campaign. 82 83 + Attributes (Campaign) 84 85 + Request (application/json) 86 87 + Response 201 (application/json) 88 89 + Attributes (Campaign) 90 91 + Response 400 (application/json) 92 93 + Attributes (BadRequestResponse) 94 95 ## Campaign [/campaigns/{id}] 96 ### Get Campaign [GET] 97 Get a campaign by its ID. 98 99 + Parameters 100 101 + id: `1` (number, required) - The Campaign ID 102 103 + Response 200 (application/json) 104 105 + Attributes (Campaign) 106 107 + Response 404 (application/json) 108 109 + Body 110 111 { 112 "message": "Campaign not found", 113 "success": false, 114 "data": null 115 } 116 117 ### Delete a Campaign [DELETE] 118 Delete a campaign by its ID. 119 120 + Parameters 121 122 + id: `1` (number, required) - The Campaign ID 123 124 + Response 200 (application/json) 125 126 + Body 127 128 { 129 "message": "Campaign deleted successfully!", 130 "success": true, 131 "data": null 132 } 133 134 + Response 404 (application/json) 135 136 + Body 137 138 { 139 "message": "Campaign not found", 140 "success": false, 141 "data": null 142 } 143 144 # Group Templates 145 ## Templates [/templates/] 146 ### Get Templates [GET] 147 Get a list of templates. 148 149 Templates define what email content is sent to targets during campaigns. It contains the subject of the email as well as the HTML and text content of the email. 150 151 + ```id```: 1 (number, required) - Unique identifier 152 + ```name```: Example Template (string, required) - Name of template 153 + ```subject```: Example email template subject (string) - Subject of email sent to users 154 + ```text```: `This is a test message!` (string) - Raw text of email sent to users 155 + ```html```: `<html><head></head><body>This is a test message!</body></html>` (string) - HTML of email sent to users 156 + ```attachments```: array[Attachment] - The attachments sent with the email template 157 + ```modified_date```: `2015-01-01T01:02:03.000000Z` (string) - Date the Template was last modified 158 159 You can also attach files or payloads to the emails that you send. These are attached as a list of Attachment objects. 160 161 Attachments have the following attributes: 162 163 + ```id```: 1 (required, number) - Unique identifier 164 + ```name```: Example Attachment (required) - Filename of Attachment 165 + ```content```: Base64 encoded attachment content 166 + ```type```: `text/plain` - MIME type of the Attachment 167 168 + Response 200 (application/json) 169 170 + Attributes (array[Template]) 171 172 + Response 404 (application/json) 173 174 + Body 175 176 [] 177 178 ### Create New Template [POST] 179 Create a new template 180 181 ::: note 182 **Importing an Existing Email** 183 184 What better way to make pixel-perfect emails than by importing an existing email you already have sitting in your inbox? 185 186 Using the [Import Email](#import-email) endpoint, you can take a raw email and import it as a template into gophish. 187 ::: 188 189 + Request (application/json) 190 191 + Attributes (Template) 192 193 + Response 201 (application/json) 194 195 + Attributes (Template) 196 197 + Response 400 (application/json) 198 199 + Attributes (BadRequestResponse) 200 201 ## Template [/templates/{id}] 202 ### Get Template [GET] 203 Get a template by its ID. 204 205 + Parameters 206 207 + id: `1` (number, required) - The Template ID 208 209 + Response 200 (application/json) 210 211 + Attributes (Template) 212 213 + Response 404 (application/json) 214 215 + Body 216 217 { 218 "message": "Template not found", 219 "success": false, 220 "data": null 221 } 222 223 ### Delete a Template [DELETE] 224 Delete a template by its ID. 225 226 + Parameters 227 228 + id: `1` (number, required) - The Template ID 229 230 + Response 200 (application/json) 231 232 + Body 233 234 { 235 "message": "Template deleted successfully!", 236 "success": true, 237 "data": null 238 } 239 240 + Response 404 (application/json) 241 242 + Body 243 244 { 245 "message": "Template not found", 246 "success": false, 247 "data": null 248 } 249 250 # Group Groups 251 ## Groups [/groups/] 252 253 ### Get Groups [GET] 254 Get a list of groups. 255 256 Groups contain the details for one or more users targeted in the simulated phishing campaign. Groups contain the following attributes: 257 258 + ```id```: 1 (required, number) - Unique identifier 259 + ```name```: Example Group (required) - Name of the Group 260 + ```modified_date```: `2015-01-01T01:02:03.000000Z` (string) - Date the Group was last modified 261 + ```targets```: Attributes (array[Target]) (required) - The targets in the group 262 263 Each target contains the following attributes: 264 265 + ```id```: 1 (required, number) - Unique identifier 266 + ```first_name```: John - First name of Target 267 + ```last_name```: Doe - Last name of Target 268 + ```email```: john.doe@example.com - Email address of Target 269 + ```position```: System Administrator - Company position of the Target 270 271 ::: note 272 **Have A Lot of Users to Import?** 273 274 If you have all your targets in a CSV file, you can bulk import them into a group using the [Import CSV](#import-group) endpoint. 275 276 In the future, we plan to add other importation methods to make setting up groups a breeze. 277 ::: 278 279 + Response 200 (application/json) 280 281 + Attributes (array[Group]) 282 283 + Response 404 (application/json) 284 285 + Body 286 287 [] 288 289 ### Create New Group [POST] 290 Create a new group 291 292 + Request (application/json) 293 294 + Attributes (Group) 295 296 + Response 201 (application/json) 297 298 + Attributes (Group) 299 300 + Response 400 (application/json) 301 302 + Attributes (BadRequestResponse) 303 304 ## Group [/groups/{id}] 305 ### Get Group [GET] 306 Get a group by its ID. 307 308 + Parameters 309 310 + id: `1` (number, required) - The Group ID 311 312 + Response 200 (application/json) 313 314 + Attributes (Group) 315 316 + Response 404 (application/json) 317 318 + Body 319 320 { 321 "message": "Group not found", 322 "success": false, 323 "data": null 324 } 325 326 ### Delete a Group [DELETE] 327 Delete a Group by its ID. 328 329 + Parameters 330 331 + id: `1` (number, required) - The Template ID 332 333 + Response 200 (application/json) 334 335 + Body 336 337 { 338 "message": "Group deleted successfully!", 339 "success": true, 340 "data": null 341 } 342 343 + Response 404 (application/json) 344 345 + Body 346 347 { 348 "message": "Group not found", 349 "success": false, 350 "data": null 351 } 352 353 # Group Sending Profiles 354 ## Sending Profiles [/smtp/] 355 356 ### Get Sending Profiles [GET] 357 Get a list of sending profiles. 358 359 Sending profiles contain the details for SMTP or other settings used to control how emails are sent in campaigns. Sending profiles contain the following attributes: 360 361 + ```id```: 1 (required, number) - Unique identifier 362 + ```name```: Example Profile (string, required) - Name of the Sending Profile 363 + ```interface```: SMTP (string) - Interface type of the sending profile. By default, this is "SMTP" 364 + ```host```: 1.1.1.1:25 (string, required) - The hostname:port for the SMTP configuration 365 + ```username```: foo (string) - The username to authenticate to the SMTP server (optional) 366 + ```password```: bar (string) - The password to authenticate to the SMTP server (optional) 367 + ```from_address```: Foo Bar <foo.bar@example.com> (string) - The email address to use in the "From" header. This is typically used to spoof email addresses 368 + ```ignore_cert_errors```: false (boolean) - Whether or not to disable certificate validation when connecting to the SMTP server via TLS 369 + ```modified_date```: `2015-01-01T01:02:03.000000Z` (string) - Date the Group was last modified 370 371 ::: note 372 **Receiving Certificate Errors?** 373 374 It's common to have an SMTP server that is configured using a self-signed or otherwise untrusted SSL certficate. To avoid errors when connecting to the server, set ```ignore_cert_errors``` to "true". 375 ::: 376 377 + Response 200 (application/json) 378 379 + Attributes (array[SendingProfile]) 380 381 + Response 404 (application/json) 382 383 + Body 384 385 [] 386 387 ### Create New Sending Profile [POST] 388 Create a new sending profile 389 390 + Request (application/json) 391 392 + Attributes (SendingProfile) 393 394 + Response 201 (application/json) 395 396 + Attributes (SendingProfile) 397 398 + Response 400 (application/json) 399 400 + Attributes (BadRequestResponse) 401 402 ## Sending Profile [/smtp/{id}] 403 ### Get Sending Profile [GET] 404 Get a sending profile by its ID. 405 406 + Parameters 407 408 + id: `1` (number, required) - The sending profile ID 409 410 + Response 200 (application/json) 411 412 + Attributes (SendingProfile) 413 414 + Response 404 (application/json) 415 416 + Body 417 418 { 419 "message": "SMTP not found", 420 "success": false, 421 "data": null 422 } 423 424 ### Delete a Sending Profile [DELETE] 425 Delete a Sending Profile by its ID. 426 427 + Parameters 428 429 + id: `1` (number, required) - The Sending Profile ID 430 431 + Response 200 (application/json) 432 433 + Body 434 435 { 436 "message": "SMTP deleted successfully!", 437 "success": true, 438 "data": null 439 } 440 441 + Response 404 (application/json) 442 443 + Body 444 445 { 446 "message": "SMTP not found", 447 "success": false, 448 "data": null 449 } 450 451 # Group Pages 452 ## Pages [/pages/] 453 ### Get Pages [GET] 454 Get a list of pages. 455 Pages are the HTML page that a user lands on after clicking on a phishing link. 456 457 + ```id```: 1 (required, number) - Unique identifier 458 + ```name```: Example Page (required, string) - Name of Page 459 + ```html```: `<html><head></head><body>This is a test message!</body></html>` (required, string) - HTML of the landing page users hit when clicking links in the email template 460 + ```modified_date```: `2015-01-01T01:02:03.000000Z` (string) - Date the Page was last modified 461 462 ::: note 463 **Importing a Site** 464 465 Let gophish do the hard work for you in importing a site. By using the [Import Site](#import-site) endpoint, you can simply give gophish a URL and have the site imported for you. 466 ::: 467 468 + Response 200 (application/json) 469 470 + Attributes (array[Page]) 471 472 + Response 404 (application/json) 473 474 + Body 475 476 [] 477 478 ### Create New Page [POST] 479 Create a new page 480 481 + Request (application/json) 482 483 + Attributes (Page) 484 485 + Response 201 (application/json) 486 487 + Attributes (Page) 488 489 + Response 400 (application/json) 490 491 + Attributes (BadRequestResponse) 492 493 ## Page [/pages/{id}] 494 ### Get Page [GET] 495 Get a page by its ID. 496 497 + Parameters 498 499 + id: `1` (number, required) - The Page ID 500 501 + Response 200 (application/json) 502 503 + Attributes (Page) 504 505 + Response 404 (application/json) 506 507 + Body 508 509 { 510 "message": "Page not found", 511 "success": false, 512 "data": null 513 } 514 515 ### Put Page [PUT] 516 Modify a page by its ID. 517 518 + Request 519 520 + Attributes (Page) 521 522 + Response 200 (application/json) 523 524 + Attributes (Page) 525 526 + Response 404 (application/json) 527 528 + Body 529 530 { 531 "message": "Page not found", 532 "success": false, 533 "data": null 534 } 535 536 + Response 400 (application/json) 537 538 + Attributes (BadRequestResponse) 539 540 ### Delete a Page [DELETE] 541 Delete a page by its ID. 542 543 + Parameters 544 545 + id: `1` (number, required) - The Page ID 546 547 + Response 200 (application/json) 548 549 + Body 550 551 { 552 "message": "Page deleted successfully!", 553 "success": true, 554 "data": null 555 } 556 557 + Response 404 (application/json) 558 559 + Body 560 561 { 562 "message": "Page not found", 563 "success": false, 564 "data": null 565 } 566 567 # Group Import 568 Import functions facilitate the ability to import emails, groups and more using simple interfaces. 569 570 ## Group [/import/group] 571 572 ### Import a Group [POST] 573 This endpoint allows you to import a group from a CSV. 574 575 The fields expected in the CSV are as follows: 576 577 + First Name 578 + Last Name 579 + Position 580 + Email 581 + Company 582 583 + Request (multipart/form-data; boundary=----BOUNDARY) 584 585 + Body 586 587 ------BOUNDARY 588 Content-Disposition: form-data; name="files[]"; filename="filename.csv" 589 Content-Type: application/vnd.ms-excel 590 591 [File Content] 592 ------BOUNDARY 593 594 + Response 201 (application/json) 595 596 + Attributes (array[Target]) 597 598 + Response 400 (application/json) 599 600 + Attributes (BadRequestResponse) 601 602 ## Email [/import/email] 603 604 ### Import an Email [POST] 605 This endpoint allows you to parse and import an email in RFC 5322 format. 606 607 You can use this endpoint to easily import an email that you have received legitimately to re-use it for simulated phishing. 608 609 + Request (text/plain) 610 611 + Body 612 613 MIME-Version: 1.0 614 Date: Fri, 25 Dec 2015 21:22:28 -0600 615 Subject: Foo Bar 616 From: John Doe <john.doe@example.com> 617 To: Jane Doe <jane.doe@example.com> 618 Content-Type: multipart/alternative; boundary=14dae9473639dc6b2a0527c4945f 619 620 --14dae9473639dc6b2a0527c4945f 621 Content-Type: text/plain; charset=UTF-8 622 623 Foo bar 624 625 --14dae9473639dc6b2a0527c4945f 626 Content-Type: text/html; charset=UTF-8 627 628 <div dir="ltr">Foo bar</div> 629 630 --14dae9473639dc6b2a0527c4945f-- 631 632 + Response 201 (application/json) 633 634 + Attributes (ImportEmailResponse) 635 636 + Response 400 (application/json) 637 638 + Attributes (BadRequestResponse) 639 640 ## Site [/import/site] 641 642 ### Import a Site [POST] 643 Imports a site via the URL. This causes gophish to reach out to the site and pull down the HTML of the URL given. 644 645 To keep styles, images, and Javascript setup and working, gophish adds a ```base``` tag to the returned HTML pointing to the original site. 646 647 + Request (application/json) 648 649 + Attributes (ImportSiteRequest) 650 651 + Response 201 (application/json) 652 653 + Attributes (ImportSiteResponse) 654 655 + Response 400 (application/json) 656 657 + Attributes (BadRequestResponse) 658 659 # Data Structures 660 661 ## Target (object) 662 + id: 1 (number, required) - Unique identifier 663 + first_name: John - First name of Target 664 + last_name: Doe - Last name of Target 665 + email: john.doe@example.com - Email address of Target 666 + position: System Administrator - Company position of the Target 667 668 ## Group (object) 669 + id: 1 (number, required) - Unique identifier 670 + name: Example Group (required) - Name of the Group 671 + modified_date: `2015-01-01T01:02:03.000000Z` (string) - Date the Group was last modified 672 + targets: array[Target] (required) - The targets in the group 673 674 ## Attachment (object) 675 + id: 1 (number, required) - Unique identifier 676 + name: Example Attachment (string, required) - Filename of Attachment 677 + content: (string, required) - Base64 encoded attachment content 678 + type: `text/plain` (string, required) - MIME type of the Attachment 679 680 ## Template (object) 681 + id: 1 (number, required) - Unique identifier 682 + name: Example Template (string, required) - Name of template 683 + subject: Example email template subject (string) - Subject of email sent to users 684 + text: `This is a test message!` (string) - Raw text of email sent to users 685 + html: `<html><head></head><body>This is a test message!</body></html>`(string) - HTML of email sent to users 686 + attachments: (array[Attachment]) - The attachments sent with the email template 687 + modified_date: `2015-01-01T01:02:03.000000Z` (string) - Date the Template was last modified 688 689 ## Page (object) 690 + id: 1 (number, required) - Unique identifier 691 + name: Example Page (string, required) - Name of Page 692 + html: `<html><head></head><body>This is a test message!</body></html>` (required, string) - HTML of the landing page users hit when clicking links in the email template 693 + modified_date: `2015-01-01T01:02:03.000000Z` (string) - Date the Page was last modified 694 695 ## Result (object) 696 + id: 1 (number, required) - Unique identifier 697 + email: foo@example.com - The email address of the target 698 + first_name: John - First name of the target 699 + last_name: Doe - Last name of the target 700 + status: Email Sent - The status of the result 701 + ip: 1.2.3.4 - The IP address that created the event (if any) 702 + latitude: 0.00000 (number) - The latitude of the IP address 703 + longitude: 0.00000 (number) - The longitude of the IP address 704 705 ## Event (object) 706 + id: 1 (number, required) - Unique identifier 707 + email: foo@example.com (required) - The email address of the target 708 + time: `2015-01-01T01:02:03.000000Z` (string) - Date the event was generated 709 + message: Campaign Created (string) - The description of the event 710 711 ## SendingProfile (object) 712 + id: 1 (number, required) - Unique identifier 713 + host: smtp.example.com:25 (required) - The hostname and port for the SMTP server 714 + username: foo (string, required) - The username used for SMTP authentication 715 + password: bar (string, required) - The password used for SMTP authentication 716 + from_address: John Doe <foo@example.com> (string, required) - The "From" address to spoof 717 + ignore_cert_errors: false (boolean) - Whether or not to ignore certificate errors 718 719 ## Campaign (object) 720 + id: 1 (number, required) - Unique identifier 721 + name: Example Campaign (required) - Title of Campaign 722 + created_date: `2015-01-01T01:02:03.000000Z` (string) - Date the Campaign was created 723 + completed_date: `2015-01-01T01:02:03.000000Z` (string) - Date the Campaign was completed 724 + template: (Template) (required) - Email template to use in Campaign 725 + page: (Page) (required) - Landing page for users who click the phishing link 726 + status: Emails Sent (required, string) - The current status of the campaign 727 + results: (array[Result]) - The results of the campaign 728 + timeline: (array[Event]) - The event timeline 729 + smtp: (SendingProfile) - The Sending Profile settings used in the campaign 730 + url: http://foo.bar (string, required) - The URL used in the Template sent to users 731 732 ## ImportSiteRequest (object) 733 + url: http://foo.bar (string, required) - The URL to be retrieved 734 735 ## ImportSiteResponse (object) 736 + html: `<html><head></head><body>This is a test message!</body></html>` (string, required) - HTML of the requested URL. 737 738 ## ImportEmailResponse (object) 739 + text: Foo bar (string) - The email text part 740 + html: "\u003cdiv\u003eFoo bar\u003c/div\u003e" (string) - The email HTML part 741 + subject: Foo Bar (string) - The email subject 742 743 ## BadRequestResponse (object) 744 + message: Error message (string) - The detailed error message 745 + success: false (boolean) - The success status of the request 746 + data: Any associated data 747