
Gophish: An open source phishing toolkit - braxxox
https://github.com/gophish/gophish
======
jwcrux
Hi everyone!

What a happy surprise to see my project on HN :)

My name is Jordan, I've been developing Gophish [0] for a few years now. The
goal of the project is to let companies of all sizes perform high-quality
phishing simulation regardless of their security budget.

Happy to answer any and all questions!

[0] [https://getgophish.com/](https://getgophish.com/)

~~~
apexalpha
No question but we use it often to test our own company's awareness, great
tool!

------
sethammons
Feedback: I have no clue what this is or what I'm looking at even after
starting to dig into docs. I have not yet Googled "phishing toolkit," but I
would expect a blurb on the readme about what this does or a link to get me
started on what the concept of a phishing toolkit is. All the comments are
glowing, so I'm really missing something here.

To me, phishing is email (or phone calls, links, websites, or other comms)
that attempt to get someone to give something away that is a secret. I don't
see the relationship between that and your tool yet.

[Edit / Update] Ok. After going 14 pages deep into the project, down through a
user guide, it is clear what this project does. But 14 pages!? I recommend
updating the readme to have, near the top, a section on selling/introducing
the tool. "Gophish allows you to easily create a fake landing page that mimics
your real landing page and send phishing email to get people in your
organization to come to the phishing site. A UI shows stats collected on
emails opened, links clicked, and data submitted to the phishing site. Set up
multiple campaigns and much more. See our list of features." Add some relevant
pics like the dashboard and your readme will really be helpful to folks like
me.

~~~
jwcrux
Thank you for the feedback! It’s really appreciated.

Just out of curiosity, does the copy on the main website [0] give a better
indication or does that still not make for a clear description?

I ask because, while the repo was linked in this case, the main website is
where most people land.

[0] [https://getgophish.com](https://getgophish.com)

~~~
sethammons
Ah, yes, that is much better :) Fantastic tool. Looks really well done.

~~~
jwcrux
I think I can still do a better job of pointing people who hit the repo first
back to the website for more information. Right now, it’s linked, but it could
be more clear.

I’ll take that as an opportunity for improvement. Thanks so much for taking
the time to type out that feedback!

~~~
sethammons
Maybe instead not a passive link; doll it up a bit. "What is Gophish? Learn
more here!" or similar. Thanks for the response!

------
daenz
>just download and extract the zip containing the release for your system, and
run the binary

This is meta right? You're phishing us with a meta toolkit.

~~~
jwcrux
When I first launched Gophish a few years ago, I sent an email to a reporter
I'm a fan of basically saying "Hey, I made this thing, I think your readers
would benefit from it".

Their response was lightheartedly asking me if I really just sent them an
email about a phishing simulation toolkit and expected them to click the links
in the email :D

------
chrissnell
I wrote a tool in Perl, ages ago, that would generate random (but real-
looking) information for phishing site forms and submit it as fast as the
server would take them. You would tag fields with a type like "firstname" or
"creditcardnumber", "ssn", etc., and it would do the rest. The credit cards
even passed the CRC check.

The idea was that you would flood their valid data with bullshit data making
it worth less to them. It was quite effective. Most skript kiddiez didn't know
enough to stop me.
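
The "CRC check" mentioned above is the Luhn checksum that payment card numbers carry. The following Python is an added example, not chrissnell's Perl tool and not part of Gophish: it validates Luhn checksums, derives the check digit, and builds synthetic records from a tagged form schema (field name to tag such as "firstname" or "creditcardnumber"). The schema and the name lists are constructed for the example; the same validator is what a DLP or log-scanning rule uses to tell a real-looking card number from random digits, so the generator is also handy for exercising such rules with known-good test data.

```python
"""Synthetic decoy form data with Luhn-valid card numbers (added example)."""
import random
import string


def luhn_checksum(digits: str) -> int:
    """Return the Luhn checksum of a digit string (0 means the string is valid)."""
    total = 0
    # Walk right-to-left; every second digit is doubled and folded below 10.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the number (spaces/dashes allowed) passes the Luhn check."""
    clean = number.replace(" ", "").replace("-", "")
    return clean.isdigit() and len(clean) >= 2 and luhn_checksum(clean) == 0


def luhn_check_digit(partial: str) -> str:
    """Compute the digit that makes partial + digit Luhn-valid."""
    # Appending "0" puts the remaining digits in their final parity positions.
    return str((10 - luhn_checksum(partial + "0")) % 10)


def fake_card_number(rng: random.Random, prefix: str = "4", length: int = 16) -> str:
    """Random digits behind a prefix, finished with a valid Luhn check digit."""
    body = prefix + "".join(rng.choice(string.digits) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


# Constructed tag -> generator table; tags mirror the ones named in the comment.
FIELD_GENERATORS = {
    "firstname": lambda rng: rng.choice(["Alice", "Bob", "Carol", "Dave"]),
    "lastname": lambda rng: rng.choice(["Nguyen", "Okafor", "Schmidt", "Rivera"]),
    "creditcardnumber": fake_card_number,
    # Format-only placeholder: three groups of digits, no real-number semantics.
    "ssn": lambda rng: f"{rng.randint(100, 899):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}",
}


def fake_record(schema: dict, rng: random.Random) -> dict:
    """Build one record; schema maps a form field name to a tag in FIELD_GENERATORS."""
    return {field: FIELD_GENERATORS[tag](rng) for field, tag in schema.items()}


if __name__ == "__main__":
    # Constructed example schema, as a tagged form would be described.
    schema = {"fname": "firstname", "lname": "lastname", "card": "creditcardnumber"}
    rng = random.Random(2024)
    for _ in range(3):
        rec = fake_record(schema, rng)
        print(rec, "luhn ok:", luhn_valid(rec["card"]))
```

Seeding the `random.Random` instance keeps the output reproducible, which matters when the records are used as fixtures for a detection rule test.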

~~~
jwcrux
Nice! While Gophish is a personal project, as part of $dayjob I do security
research.

Recently, I did some analysis on phishing kits at a pretty large scale that
sounds like it’d be of interest to you [0]

[0] [https://duo.com/assets/ebooks/phish-in-a-barrel.pdf](https://duo.com/assets/ebooks/phish-in-a-barrel.pdf)

~~~
chrissnell
I haven't looked at a phishing form in ages but I would bet that JavaScript
has made the anti-phishing crusader's job more difficult.

------
PenguinCoder
I have used GoPhish (and still currently do) to great effect. I really love
the ease of use, templated and personalized aspect, and of course pretty
graphical reports for management. I had no idea it was mainly a one man band
type of product. Tools like SET are more powerful, but geared towards pen
testing/red teaming, not phishing focused.

Thank you very much for a quality open source toolkit.

------
matt4077
So, how does this "educational tool to secure organisations against phishing"
differ from a tool to make phishing easier?

Don't get me wrong: I'm all for people having the tools to protect themselves,
and the ability to write/publish/use whatever software you want.

So this question isn't provocation, but a real interest if there are any
decisions that may make such software's use easier for white hats vs. black.

Because as a first approximation, it strikes me as plausible that being free-
as-in-beer is unfortunately more useful to the perpetrators of phishing
(usually small groups or individuals) than the victims (large organisations,
usually with significant resources or they wouldn't be interesting). It's a
really interesting dynamic actually, one where the weapon and the protection
just happen to be the same.

~~~
alpenbazi
Like a knife is used for good or bad reasons..

~~~
vectorEQ
good and bad is an opinion.

~~~
alpenbazi
That is exactly the point. A thing itself is never good or bad. It's what we do
with it. And even that is relative again. But let's not get too deep into
philosophy here.

------
vijaybritto
Why does every project written in golang have go in its name?! This is
present even in some rust libraries.

~~~
jwcrux
Guilty as charged :) in this case, I thought it made for a nice name, giving a
nod to the old card game “Go Fish”.

~~~
vijaybritto
It's cool. I just realised that during the pre-npm era almost all JS libraries had
js in their names. So it's pretty common, I see.

------
bdibs
Very interesting, and your site looks great!

I'm interested in how you plan on monetizing, enterprise support?

~~~
jwcrux
Thank you so much!

I view Gophish as a way to volunteer and give back to the larger security
community. I love engaging with the Gophish community and seeing people use
the software to measure their own exposure to phishing.

That said, there aren't any plans to monetize Gophish. It will always stay
free and open-source so that anyone can use it. :)

As far as support, I try and respond to every issue as fast as possible. It's
a best effort, but I managed to pass 1k closed issues recently, which I was
pretty proud of! And I'm fortunate that there are so many amazing people in
the Gophish community who are willing to jump into issues, help out, and
bounce great ideas around.

~~~
thx4allthestuff
What a refreshing response. Even though I can appreciate the value that
monetizing a product has for the users of that product (updates and continued
support), it’s nice to be reminded that we don’t have to monetize every
project we engage with. Believe it or not, sometimes people just want to give
back. Thanks for your efforts. That being said, when a project becomes popular
enough that people are all but throwing money at you, don’t be afraid to do
them a favor and provide paid support if you are so inclined.

------
casca
This is a great project and really easy to use if you're even slightly
technical. If you're looking for something that someone else manages at the
cost of giving away sensitive organizational data, Duo Insight is free from a
well respected vendor (Cisco acquisition notwithstanding) -
[https://duo.com/resources/duo-insight](https://duo.com/resources/duo-insight)

~~~
jwcrux
You're absolutely right, and I highly recommend Duo Insight! While I developed
Gophish, I also work at Duo so I'm happy to discuss the differences between
the two. :)

While my experience with Gophish was one of the things that brought me to Duo,
Insight is not based on Gophish at all. I had the privilege of working with
the team of engineers who built Insight and they are _amazingly talented_.
It's a really high-quality product from an incredible team.

You hit the nail on the head as to why someone may prefer Insight to Gophish.
Gophish, while being easy to set up, still requires _some_ setup and hosting.
With Insight, everything is managed for you. This has significant time savings
and infrastructure savings.

The downside to this is flexibility, which is what Gophish offers. Insight
offers a good few pre-built templates while Gophish lets you create your own.
You control everything and have the ability to tailor phishing campaigns
exactly how you want them. Gophish was also built from the ground-up to be
driven by an API, and has other features that may be useful in more red-team
scenarios (such as credential capture).

The other benefit to Gophish that you mentioned is that, since you control the
infrastructure, you control all of the data end-to-end.

So while they're in a similar space, they're pretty different products with
different strengths and weaknesses. If you're just starting to look into
running a phishing simulation, I'd lean towards giving Insight a shot since
it's super quick and easy to get a campaign out the door. Once you need more
flexibility and power, Gophish is an easy transition. :)

------
sunsetMurk
Similar software to the testing part of this startup's SaaS offering.
[https://www.knowbe4.com/](https://www.knowbe4.com/)

They've been growing like crazy; aggressive sales, and nearly giving it away
for free. Most of their value comes from the educational content they provide
though, and not the actual testing infrastructure which Gophish is focused on.

------
nabeards
Does this toolkit actually send emails out, or connect to a mail server? If it
connects to a mail server, does it handle any stats with regard to if the
email was successfully sent?

------
KiDD
Cool!

