The Social-Engineer Toolkit
Putting It All Together with a Multipronged Attack
The multi-attack web vector allows you to chain multiple web attack methods
together to perform a single attack. The multi-attack vector allows you to
turn on and off different vectors and combine the attacks into one web page.
When the user clicks the link, he will be targeted by each of the attack vectors
you specify. A multipronged attack is particularly useful because, in some
cases, the Java applet might fail, while a client-side Internet Explorer exploit
would succeed. Or, the Java applet and the Internet Explorer exploits might
fail, but the credential harvester succeeds.
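A defensive triage sketch for the point above, added here and not taken from the book or from SET: because a chained page can succeed through whichever vector is left unblocked, a scanner should report every vector class a page carries rather than stop at the first. The markers it checks, the `triage` function, and the sample page are illustrative assumptions, not SET's actual output.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class VectorTriage(HTMLParser):
    """Record every delivery-vector class found in one HTML page."""
    def __init__(self, page_url, brand_hosts):
        super().__init__()
        self.page_url, self.brand_hosts = page_url, set(brand_hosts)
        self.form_action = None  # resolved action of the form being parsed
        self.found = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "applet" or (tag in ("object", "embed")
                               and "java" in a.get("type", "").lower()):
            self.found.add("java_applet")
        elif tag == "iframe":  # invisible frames are a common exploit carrier
            style = a.get("style", "").replace(" ", "").lower()
            if "0" in (a.get("width"), a.get("height")) or "display:none" in style:
                self.found.add("hidden_iframe")
        elif tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action", ""))
        elif (tag == "input" and a.get("type", "").lower() == "password"
              and self.form_action is not None):
            host = urlparse(self.form_action).hostname or ""
            if host not in self.brand_hosts:  # exact match only, for brevity
                self.found.add("off_brand_credential_form")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def triage(html, page_url, brand_hosts):
    """Return the sorted list of vector classes present on the page."""
    parser = VectorTriage(page_url, brand_hosts)
    parser.feed(html)
    return sorted(parser.found)

# Constructed sample: a look-alike login page served from a documentation address.
SAMPLE = """<html><body>
<applet code="Example.class" archive="example.jar" width="1" height="1"></applet>
<iframe src="http://192.0.2.10:8080/" width="0" height="0"></iframe>
<form method="post" action="/index.html">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE, "http://192.0.2.10/", ["gmail.com"]))
```

Removing any one marker from the sample still leaves the others reported, which is why a control that blocks only one vector (for example, disabling Java) does not clear the page.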
In the following example, we’ll use the Java applet attack, the Metasploit
client-side exploit, and the web jacking attack. When the target browses the
affected site, he will be enticed to click the link and will then be bombarded
with a credential harvester, Metasploit exploits, and the Java applet attack.
Here we’ll select an Internet Explorer 7 exploit and browse from the target’s
machine using Internet Explorer 6, just to demonstrate that if one method
fails, others can be used.
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu
Enter your choice (press enter for default):
7
[!] Website Attack Vectors [!]
2. Site Cloner
Enter number (1-4):
2
Enter the url to clone:
https://gmail.com
Select which attacks you want to use:
1. The Java Applet Attack Method (OFF)
2. The Metasploit Browser Exploit Method (OFF)
3. Credential Harvester Attack Method (OFF)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)
6. Web Jacking Attack Method (OFF)
7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want to proceed with the attack.
9. Return to main menu.
Enter your choice one at a time (hit 8 or enter to launch):
1