Metasploit Master : Setoolkit

Now, I hope you remember how to navigate SEToolkit, as it is very simple. Let’s start by opening the attacks menu.

Step 1Open the Attacks Menu

Open SEToolkit by opening a terminal and typing setoolkit.

Open up the Website Attack Vectors menu by pressing 2:

Step 2Choose Your Attack

For this tutorial, we will be using the Metasploit Browser Exploit Method. Once you open that menu, you will be prompted to choose a template for your malicious website. For this purpose, I’m going to choose the Web Templates by pressing 1.

You will then be prompted to choose a browser exploit. I find the Metasploit Browser Autopwn to be the most successful. This auxiliary module loads many exploits and payload handlers at once to to grab a wildcard target. This is the best method of attack if you are phishing. However, this can red flag many security systems, so just be careful! Type 43 to choose this option.

Next, SEToolkit will ask you for the payload to use. I find that using your own custom payload will work the best. I will use my own custom executable in this tutorial.

Step 3Fill in the Blanks

You will then be prompted to insert the port and IP address. I’m going to hide mine in this picture, sorry. (I recommend port 443.) The rest is pretty self explanatory.

If you are using the custom payload, you must upload it to your Apache server, and give SEToolkit the download link. For example, when you put the payload into the root directory of your Apache server, your URL should look similar tohttp:// . Just make sure you use your own IP address!

Step 4Integrate with Metasploit

Now that we have told SEToolkit where our payload lies, it should give you this screen, and then load Metasploit to listen.

Once Metasploit has started, it will automatically start loading its Autopwn auxiliary tool, and listen for incoming connections on port 443. Do not stop Metasploit from loading! It may take a minute. The first thing you should see is something similar to this:

Once Metasploit has finished loading the modules, it should display the amount of modules loaded, and one URL to send to a victim. In this case, Metasploit found 20 exploit modules that would work.

Make sure you port forward if you’re doing this over the Internet!

Step 5Get a Victim

Send this link out on social media, or by email to a friend. While they check out your fake website, Metasploit will try to automatically exploit them. Just make sure you set up persistence before it’s too late!


SEToolkit and Metasploit combined are just unstoppable! The exploits of Metasploit and the phishing methods of Social Engineering Toolkit are the way to get the job done.

Trả lời

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập: Logo

Bạn đang bình luận bằng tài khoản Đăng xuất /  Thay đổi )

Google photo

Bạn đang bình luận bằng tài khoản Google Đăng xuất /  Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất /  Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất /  Thay đổi )

Connecting to %s