Ethical Hacking and Penetration Testing Guide
Client Side Exploitation
3. Once the webserver is set up and the PDF exploits are loaded onto it, the URL is sent to the victim via social engineering.
4. Once the victim clicks on the URL, the PDF exploit is injected and does the rest of the work for you.
Scenario from Real World
The purpose of the book is not only to teach you to work with the tools but to familiarize you with a proper penetration testing methodology. Tools keep changing, but the methodology remains the same.
So imagine a real-world scenario where you are pentesting against a company ABC. By using some information-gathering techniques you learned in the previous chapter, you find out that the e-mail address of the CEO is steven@abc.com.
By using a fake mailer, you e-mail the following message to Steven from the e-mail address of the company’s IT department head, say, Rolph.
Hi Steven,
We would like to inform you about a critical update for all Windows users. We recommend you read the attached PDF document and follow the step-by-step instructions mentioned in the document to update your system.
Warm regards,
Rolph | ABC.com
ABC IT DEPT
The CEO will think that the e-mail is legitimate and is really from the IT department, so he will open the PDF document without hesitation, thereby enabling the attacker to take full control of his computer.
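The scenario works only if mail that claims to come from abc.com is delivered without sender authentication. The following is an added example, not code from the book, of a gateway-side triage check for that case; the address rolph@abc.com, the authserv-id mx.abc.com and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "abc.com"      # company domain from the scenario
TRUSTED_AUTHSERV = "mx.abc.com"  # assumption: authserv-id of our own inbound gateway
# Constructed sample of the spoofed message as stamped by the receiving gateway.
SPOOFED = """\
Authentication-Results: mx.abc.com; spf=fail smtp.mailfrom=abc.com; dkim=none; dmarc=fail header.from=abc.com
From: Rolph <rolph@abc.com>
To: steven@abc.com
Subject: Critical update for all Windows users
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Steven, please read the attached PDF document.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="update.pdf"

(constructed placeholder, not a real PDF)
--b1--
"""

def auth_results(msg):
    """Map method -> result, reading only headers stamped by our own gateway."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # may have been inserted by the sender; do not trust it
        for clause in rest.split(";"):
            method, sep, value = clause.strip().partition("=")
            if sep and value.split():
                results[method.lower()] = value.split()[0].lower()
    return results

def triage(raw):
    """Return reasons to quarantine a message that claims an internal sender."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN or auth_results(msg).get("dmarc") == "pass":
        return []
    reasons = ["From claims %s but DMARC did not pass" % INTERNAL_DOMAIN]
    pdfs = [p.get_filename() or "unnamed" for p in msg.walk()
            if p.get_content_type() == "application/pdf"]
    reasons += ["PDF attachment: " + name for name in pdfs]
    return reasons
```

An Authentication-Results header is trusted only when its authserv-id matches the organization's own gateway, because a sender can insert a header of the same name claiming a pass.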