My name is Jordan, I've been developing Gophish [0] for a few years now. The goal of the project is to let companies of all sizes perform high-quality phishing simulation regardless of their security budget.
Thanks! I have used your framework a couple of times with clients and am always sure to show off how easy my phishing campaigns were to pull off using it. Really well done!
Feedback: I have no clue what this is or what I'm looking at even after starting to dig into docs. I have not yet Googled "phishing toolkit," but I would expect a blurb on the readme about what this does or a link to get me started on what the concept of a phishing toolkit is. All the comments are glowing, so I'm really missing something here.
To me, phishing is email (or phone calls, links, websites, or other comms) that attempt to get someone to give something away that is a secret. I don't see the relationship between that and your tool yet.
[Edit / Update]
Ok. After going 14 pages deep into the project, down through a user guide, it is clear what this project does. But 14 pages!? I recommend updating the readme to have, near the top, a section on selling/introducing the tool. "Gofish allows you to easily create a fake landing page that mimics your real landing page and send phishing email to get people in your organization to come to the phishing site. A UI shows stats collected on emails opened, links clicked, and data submitted to the phishing site. Set up multiple campaigns and much more. See our list of features." Add some relevant pics like the dashboard and your readme will really be helpful to folks like me.
I think I can still do a better job of pointing people who hit the repo first back to the website for more information. Right now, it’s linked, but it could be more clear.
I’ll take that as an opportunity for improvement. Thanks so much for taking the time to type out that feedback!
When I first launched Gophish a few years ago, I sent an email to a reporter I'm a fan of basically saying "Hey, I made this thing, I think your readers would benefit from it".
Their response was lightheartedly asking me if I really just sent them an email about a phishing simulation toolkit and expected them to click the links in the email :D
I wrote a tool in Perl, ages ago, that would generate random (but real-looking) information for phishing site forms and submit it as fast as the server would take them. You would tag fields with a type like "firstname" or "creditcardnumber", "ssn", etc., and it would do the rest. The credit cards even passed the CRC check.
The idea was that you would flood their valid data with bullshit data making it worth less to them. It was quite effective. Most skript kiddiez didn't know enough to stop me.
I have used GoPhish (and still currently do) to great effect. I really love the ease of use, templated and personalized aspect, and of course pretty graphical reports for management. I had no idea it was mainly a one man band type of product. Tools like SET are more powerful, but geared towards pen testing/red teaming, not phishing focused.
Thank you very much for a quality open source toolkit.
So, how does this "educational tool to secure organisations against phishing" differ from a tool to make phishing easier?
Don't get me wrong: I'm all for people having the tools to protect themselves, and the ability to write/publish/use whatever software you want.
So this question isn't provocation, but a real interest if there are any decisions that may make such software's use easier for white hats vs. black.
Because as a first approximation, it strikes me as plausible that being free-as-in-beer is unfortunately more useful to the perpetrators of phishing (usually small groups or individuals) than the victims (large organisations, usually with significant resources or they wouldn't be interesting). It's a really interesting dynamic actually, one where the weapon and the protection just happen to be the same.
I haven't used this particular tool, but in general there is a large number of free/open source "hacking" tools available and many can be used for good or ill.
Kali Linux is a prime example. It is a Linux distro prepackaged with some of the best hacking tools available.
While I'm sure some people use it maliciously it is in heavy use by security teams to discover vulnerabilities so they can be fixed.
That is exactly the point. A thing itself is never good or bad. Its what we do with it. And even that is relative again.
But lets not get too deep into philosophics here
Kinda like a lot of Java projects have a "J" in their name (e.g. Jetty, Jersey, Jackson) and most JavaScript frameworks' names end with ".js". Naming conventions are catchy.
I view Gophish as a way to volunteer and give back to the larger security community. I love engaging with the Gophish community and seeing people use the software to measure their own exposure to phishing.
That said, there aren't any plans to monetize Gophish. It will always stay free and open-source so that anyone can use it. :)
As far as support, I try and respond to every issue as fast as possible. It's a best effort, but I managed to pass 1k closed issues recently, which I was pretty proud of! And I'm fortunate that there are so many amazing people in the Gophish community who are willing to jump into issues, help out, and bounce great ideas around.
What a refreshing response. Even though I can appreciate the value that monetizing a product has for the users of that product (updates and continued support), it’s nice to be reminded that we don’t have to monetize every project we engage with. Believe it or not, sometimes people just want to give back. Thanks for your efforts. That being said, when a project becomes popular enough that people are all but throwing money at you, don’t be afraid to do them a favor and provide paid support if you are so inclined.
This is a great project and really easy to use if you're even slightly technical. If you're looking for something that someone else manages at the cost of giving away sensitive organizational data, Duo Insight is free from a well respected vendor (Cisco acquisition notwithstanding) - https://duo.com/resources/duo-insight
You're absolutely right, and I highly recommend Duo Insight! While I developed Gophish, I also work at Duo so I'm happy to discuss the differences between the two. :)
While my experience with Gophish was one of the things that brought me to Duo, Insight is not based on Gophish at all. I had the privilege of working with the team of engineers who built Insight and they are amazingly talented. It's a really high-quality product from an incredible team.
You hit the nail on the head as to why someone may prefer Insight to Gophish. Gophish, while being easy to set up, still requires _some_ setup and hosting. With Insight, everything is managed for you. This has significant time savings and infrastructure savings.
The downside to this is flexibility, which is what Gophish offers. Insight offers a good few pre-built templates while Gophish lets you create your own. You control everything and have the ability to tailor phishing campaigns exactly how you want them. Gophish was also built from the ground-up to be driven by an API, and has other features that may useful in more red-team scenarios (such as credential capture).
The other benefit to Gophish that you mentioned is that, since you control the infrastructure, you control all of the data end-to-end.
So while they're in a similar space, they're pretty different products with different strengths and weaknesses. If you're just starting to look into running a phishing simulation, I'd lean towards giving Insight a shot since it's super quick and easy to get a campaign out the door. Once you need more flexibility and power, Gophish is an easy transition. :)
they've been growing like crazy; aggressive sales, and nearly giving it away for free. Most of their value comes from the educational content they provide though, and not the actual testing infrastructure which Gophish is focused on.
Does this toolkit actually send emails out, or connect to a mail server? If it connects to a mail server, does it handle any stats with regard to if the email was successfully sent?
What a happy surprise to see my project on HN :)
My name is Jordan, I've been developing Gophish [0] for a few years now. The goal of the project is to let companies of all sizes perform high-quality phishing simulation regardless of their security budget.
Happy to answer any and all questions!
[0] https://getgophish.com/