CactusCon


Effective Phishing with GoPhish

Social engineering is one of the most common attack vectors out there. Your users are frequently targeted by convincing campaigns, urging them to enter creds, open files, or otherwise perform an action that can ruin their day. One of the most effective defenses we have is user awareness training - but how do you start a phishing program with little or no budget? In this talk, we'll solve this problem with GoPhish, a popular phishing framework available for free. For blue teamers, we will discuss building and monitoring an effective internal phishing campaign. For red teamers, we'll talk about how to use GoPhish to get creds, send payloads, and pwn your targets. This talk is intended for beginners, but a solid technical background will be helpful.

Jayme Hancock

Jayme is a Senior Network Penetration Tester with BSI AppSec, with a heavy background in systems administration. His interests and experience include black box penetration testing, social engineering, physical security, open source intelligence gathering, and security control evasion. Jayme entered the security field by building out and implementing a security program in the healthcare space, including user awareness training, internal security control auditing and compliance, and vulnerability management. He has spoken at B-Sides DC, HackWest, and Cascadia IT Conference, and teaches the 4-day course "Full Scope Social Engineering and Physical Security Testing" at BlackHat. He holds the GXPN, OSCP, CISSP, and other certifications. Originally from Southern California, Jayme resides in Washington, DC and enjoys astronomy, astrophotography, and good coffee. Twitter: @highmeh