background image

The Social-Engineer Toolkit


Putting It All Together with a Multipronged Attack

The multi-attack web vector allows you to chain multiple web attack methods 
together to perform a single attack. The multi-attack vector allows you to 
turn on and off different vectors and combine the attacks into one web page. 
When the user clicks the link, he will be targeted by each of the attack vectors 
you specify. A multipronged attack is particularly useful because, in some 
cases, the Java applet might fail, while a client-side Internet Explorer exploit 
would succeed. Or, the Java applet and the Internet Explorer exploits might 
fail, but the credential harvester succeeds.

In the following example, we’ll use the Java applet attack, the Metasploit 

client-side exploit, and the web jacking attack. When the target browses the 
affected site, he will be enticed to click the link and will then be bombarded 
with a credential harvester, Metasploit exploits, and the Java applet attack. 
Here we’ll select an Internet Explorer 7 exploit and browse the target’s 
machine using Internet Explorer 6 just to demonstrate how if one method 
fails, others can be used.

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method

 7. Multi-Attack Web Method

8. Return to the previous menu

Enter your choice (press enter for default): 


[!] Website Attack Vectors [!]

 2. Site Cloner

Enter number (1-4): 


 Enter the url to c



Select which attacks you want to use:

 1. The Java Applet Attack Method (OFF)
 2. The Metasploit Browser Exploit Method (OFF)

3. Credential Harvester Attack Method (OFF)
4. Tabnabbing Attack Method (OFF)
5. Man Left in the Middle Attack Method (OFF)

 6. Web Jacking Attack Method (OFF)

7. Use them all - A.K.A. 'Tactical Nuke'
8. I'm finished and want to proceed with the attack.
9. Return to main menu.

Enter your choice one at a time (hit 8 or enter to launch):