As SE is more and more popular, I'm trying to practice some spear phishing, but in more sophisticated way. Well, I wanted to inject some content to webpage, locally in victim's brawser. Of course I can redirect to my site, hosted on my machine or hack webserver, but... in real life pentests, nobody swap real webpage content like gmail or stuff like that because it's illegal. Let's assume that I've managed to inject beef iframe into brawser. What's next? I was trying to play around with iframes, but.. well nothing. I even thought about driveby usb hack, but well nothing comes to my mind (without creating malware - it could leak and then inspire someone to write better code and do some harm to people).
Thanks for your ideas guys!