Hi everyone!<p>What a happy surprise to see my project on HN :)<p>My name is Jordan, I've been developing Gophish [0] for a few years now. The goal of the project is to let companies of all sizes perform high-quality phishing simulation regardless of their security budget.<p>Happy to answer any and all questions!<p>[0] <a href="https://getgophish.com/" rel="nofollow">https://getgophish.com/</a>
Feedback: I have no clue what this is or what I'm looking at even after starting to dig into docs. I have not yet Googled "phishing toolkit," but I would expect a blurb on the readme about what this does or a link to get me started on what the concept of a phishing toolkit is. All the comments are glowing, so I'm really missing something here.<p>To me, phishing is email (or phone calls, links, websites, or other comms) that attempt to get someone to give something away that is a secret. I don't see the relationship between that and your tool yet.<p>[Edit / Update]
Ok. After going 14 pages deep into the project, down through a user guide, it is clear what this project does. But 14 pages!? I recommend updating the readme to have, near the top, a section on selling/introducing the tool. "Gofish allows you to easily create a fake landing page that mimics your real landing page and send phishing email to get people in your organization to come to the phishing site. A UI shows stats collected on emails opened, links clicked, and data submitted to the phishing site. Set up multiple campaigns and much more. See our list of features." Add some relevant pics like the dashboard and your readme will really be helpful to folks like me.
>just download and extract the zip containing the release for your system, and run the binary<p>This is meta right? You're phishing us with a meta toolkit.
I wrote a tool in Perl, ages ago, that would generate random (but real-looking) information for phishing site forms and submit it as fast as the server would take them. You would tag fields with a type like "firstname" or "creditcardnumber", "ssn", etc., and it would do the rest. The credit cards even passed the CRC check.<p>The idea was that you would flood their valid data with bullshit data making it worth less to them. It was quite effective. Most skript kiddiez didn't know enough to stop me.
I have used GoPhish (and still currently do) to great effect. I really love the ease of use, templated and personalized aspect, and of course pretty graphical reports for management. I had no idea it was mainly a one man band type of product. Tools like SET are more powerful, but geared towards pen testing/red teaming, not phishing focused.<p>Thank you very much for a quality open source toolkit.
So, how does this "educational tool to secure organisations against phishing" differ from a tool to make phishing easier?<p>Don't get me wrong: I'm all for people having the tools to protect themselves, and the ability to write/publish/use whatever software you want.<p>So this question isn't provocation, but a real interest if there are any decisions that may make such software's use easier for white hats vs. black.<p>Because as a first approximation, it strikes me as plausible that being free-as-in-beer is unfortunately more useful to the perpetrators of phishing (usually small groups or individuals) than the victims (large organisations, usually with significant resources or they wouldn't be interesting). It's a really interesting dynamic actually, one where the weapon and the protection just happen to be the same.
This is a great project and really easy to use if you're even slightly technical. If you're looking for something that someone else manages at the cost of giving away sensitive organizational data, Duo Insight is free from a well respected vendor (Cisco acquisition notwithstanding) - <a href="https://duo.com/resources/duo-insight" rel="nofollow">https://duo.com/resources/duo-insight</a>
similar software to the testing part of this startup's saas offering. <a href="https://www.knowbe4.com/" rel="nofollow">https://www.knowbe4.com/</a><p>they've been growing like crazy; aggressive sales, and nearly giving it away for free. Most of their value comes from the educational content they provide though, and not the actual testing infrastructure which Gophish is focused on.
Does this toolkit actually send emails out, or connect to a mail server? If it connects to a mail server, does it handle any stats with regard to if the email was successfully sent?