Goblin is a phishing simulation tool designed for red and blue team exercises that uses reverse proxy techniques to stealthily capture user information and manipulate web content.
A simulated phishing system for red team versus blue team exercises
Goblin is primarily used by red and blue teams to conduct phishing drills and security awareness exercises by simulating realistic phishing scenarios without disrupting user operations. It enables security professionals to capture user interactions and modify web content dynamically, helping organizations test and improve their phishing detection and response capabilities.
When deploying on a server, update the server_ip or domain in the configuration to avoid connectivity issues. Using Goblin behind a CDN or proxy (e.g., Cloudflare) helps conceal the actual Goblin host IP for stealth. Properly configure plugins and JS injection modules to tailor phishing scenarios. Review log levels carefully to balance detailed capture against performance. Joining the project’s user group (via QR code) may provide additional support and updates.
Pull the Docker image with: docker pull becivells/goblin
Create and switch to a working directory for Goblin
Run Goblin container with volume mount and port mapping: docker run -it --rm -v $(pwd):/goblin/ -p 8084:8084 becivells/goblin
Alternatively, download the appropriate binary from the GitHub releases page: https://github.com/xiecat/goblin/releases
Modify the configuration file parameters as needed according to the documentation
Refer to the official usage documentation for detailed config file instructions
docker run -it --rm -v $(pwd):/goblin/ -p 8084:8084 becivells/goblin
Run Goblin container with local directory mounted and port 8084 exposed for proxy usage
docker run -it --rm -p 8083:8083 -p 8084:8084 -p 8085:8085 -p 8086:8086 becivells/goblin-demo-flash
Run the Goblin Flash demo for quick phishing simulation experience
goblin -config goblin.yaml
Start Goblin using the specified configuration file
goblin -log goblin.log -log-level 2
Start Goblin with logging enabled to record POST requests
goblin -gen-plugin <plugin_name>
Generate a plugin rule file for customizing Goblin behavior
goblin -print-config
Print the current configuration file contents
goblin -test-notice
Send a test message alarm to verify notification setup
goblin -v
Show the Goblin version