Hi to everyone,
It has been a long time since HD Moore invented this stuff, and everyone is scared about their server security. YouTube is full of thousands of videos showing people making exploits run on computers, then the shell pops out and hope I have access to the system, but do you know that Metasploit is the last thing to think about to make a real remote exploit?
Metasploit and SET, the "Social Engineer Toolkit", are useless; below are the reasons:
First of all, the goal of a real and smart attack is not to destroy a system but instead to get users' credentials from the server. Just ask yourself this question: what are you going to win if you just destroy e.g. Google's servers? Instead it is better to leave the server working fine and steal the credentials of some users for later use, no?
All successful Metasploit and SET attacks that steal credentials, e.g. sniffing SSL traffic and decrypting it, are almost local!!! But who sniffs, attacks or catches creds on his own network? Those attacks are just STUPID. Maybe they will be useful for an agent who is managing a corporate server and wants to steal the creds of this corporation for later use, but this is very far from being useful to 99.999% of the rest of the world.
Lately, people are talking about browser web attacks and a revolution in exploitation. I just want to know what those people are talking about??? If you succeed in cloning any website in the world ~~YAY I am a Hero~~ into something like 192.168.1.7:8081, who cares about your link? ~~Shut up you are a complete idiot not a hero at all~~ Because if you want this attack to succeed, then you should give this link to the victim to click on it. And I am just talking about myself: I have never got such links from anyone, nor clicked on one.
All that to say that there is no single exploit that can create a shell on the victim's machine if the victim browses directly to the website (I mean here without clicking any abnormal link) we want to steal credentials from. Of course this exploit doesn't exist yet, not because Google is strong, but because it can't be done for almost any website online. It is not a server security issue but rather a network topology issue that makes it impossible for those tools, even against normally configured servers.
So do you still believe that Metasploit & Social Engineer Toolkit can do something really useful for you?