
Tabnabbing Attack Method Penetration Testing Lab

http://pentestlab.wordpress.com/2012/03/20/tabnabbing-attack-method/


Tabnabbing Attack Method


20 Mar

Another method that you can use when you conduct a social engineering attack is the Tabnabbing attack. The only thing that it requires from the user is to switch tabs in his browser in order to load the fake website, and then if he inserts his credentials it harvests them. There are not many things to explain here, so we will have a look at the attack itself. The first thing we have to do, of course, is to open the Social Engineering Toolkit and to choose the Website Attack Vectors option.


[Image: Website Attack Vector (http://pentestlab.files.wordpress.com/2012/03/14.png)]

Next we will see the available attacks that we can use. Of course our choice here is option number 4, the Tabnabbing Attack Method.

[Image: Selecting the Tabnabbing Attack (http://pentestlab.files.wordpress.com/2012/03/23.png)]

In the next menu we will choose option number 2 in order to clone the website of our preference. Remember that the Tabnabbing attack only works with websites that have fields for username and password, so choose this kind of website for cloning.


[Image: Selecting the Site Cloner (http://pentestlab.files.wordpress.com/2012/03/33.png)]

Now it is time to choose the website that SET will clone. In this scenario our choice will be Gmail.

[Image: Enter the Fake Website for Cloning (http://pentestlab.files.wordpress.com/2012/03/42.png)]

If we send a link with our IP address to our victim and he opens it, he will notice that a new tab opens and a message appears saying the following:

[Image: Opening the webpage (http://pentestlab.files.wordpress.com/2012/03/53.png)]

This message will stay there until the user switches tabs in his browser. Then the fake website will load, and we just have to wait for him to enter his credentials in order to capture them.
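The behaviour just described (a neutral "loading" page that only turns into a login form after the tab has lost focus) is also what gives a defender something to detect. The following is an added example, not code from the post or from the Social Engineering Toolkit: a browser-side watch that snapshots a tab when it is hidden, snapshots it again when it becomes visible, and reports if a password form or a different origin appeared in between. The snapshot fields, the findings wording, and the sample host, title and form path are this example's own assumptions.

```javascript
// Added example (not from the pentestlab post or from SET): a defender-side
// heuristic against the tab-switch swap. Snapshot the page when the user
// leaves the tab, snapshot it again when the user returns, and flag changes
// the user could not have seen happen. Field names and messages are assumed.

function snapshotFromDocument(doc) {
  // Reduce a live DOM to the facts a user trusts without rechecking them:
  // where the page lives, what it calls itself, and where its forms post to.
  const forms = Array.from(doc.forms || []);
  return {
    host: doc.location.hostname,
    path: doc.location.pathname,
    title: doc.title,
    formActions: forms.map(f => f.action).sort(),
    hasPasswordField: forms.some(f =>
      Array.from(f.elements).some(e => e.type === 'password')),
  };
}

function compareSnapshots(before, after) {
  // "before" was taken when the tab became hidden, "after" when it became
  // visible again. Returns a list of suspicious differences; empty means
  // nothing changed behind the user's back.
  const findings = [];
  if (before.host !== after.host) {
    findings.push(`origin changed while hidden: ${before.host} -> ${after.host}`);
  }
  if (!before.hasPasswordField && after.hasPasswordField) {
    findings.push('a password form appeared while the tab was hidden');
  }
  const offOrigin = after.formActions.filter(a => {
    try { return new URL(a).hostname !== after.host; } catch { return false; }
  });
  if (offOrigin.length > 0) {
    findings.push(`form(s) submit to another host: ${offOrigin.join(', ')}`);
  }
  if (before.title !== after.title && after.hasPasswordField) {
    findings.push(`title changed to "${after.title}" together with a login form`);
  }
  return findings;
}

function installTabnabbingWatch(doc, onFinding) {
  // Browser wiring: snapshot on hide, compare on show, report via callback.
  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      hiddenSnapshot = snapshotFromDocument(doc);
    } else if (hiddenSnapshot) {
      const findings = compareSnapshots(hiddenSnapshot, snapshotFromDocument(doc));
      if (findings.length > 0) onFinding(findings);
      hiddenSnapshot = null;
    }
  });
}

// Constructed sample snapshots mirroring the post's scenario: a bare "please
// wait" page served from an IP address that turns into a Gmail-looking login
// form on the same IP after the tab switch. The IP (a documentation range),
// the title and the form path are made up for this example.
const SAMPLE_BEFORE = {
  host: '192.0.2.10', path: '/', title: 'Please wait...',
  formActions: [], hasPasswordField: false,
};
const SAMPLE_AFTER = {
  host: '192.0.2.10', path: '/', title: 'Gmail: Email from Google',
  formActions: ['http://192.0.2.10/post.php'], hasPasswordField: true,
};

if (typeof document !== 'undefined') {
  // In a browser (or an extension content script), arm the watch.
  installTabnabbingWatch(document, f => console.warn('tabnabbing watch:', f));
} else {
  // Offline run: show what the comparison reports for the constructed sample.
  console.log(compareSnapshots(SAMPLE_BEFORE, SAMPLE_AFTER));
}
```

Run under Node it only exercises compareSnapshots on the constructed snapshots; loaded in a page it arms the visibilitychange watch. The heuristic does not try to judge whether a login form is genuine, only whether one appeared while the user was not looking, which is exactly the property the Tabnabbing method relies on and which a user-awareness training can point at.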


[Image: Fake Gmail Page (http://pentestlab.files.wordpress.com/2012/03/63.png)]

The next image shows what we will see in SET when the victim inserts his credentials into the username and password fields.

[Image: Capturing the Credentials (http://pentestlab.files.wordpress.com/2012/03/82.png)]

Conclusion

As with most social engineering attacks, this type of attack requires covering our IP address with a domain that will look legitimate. This technique is similar to the Credential Harvester method, with the only difference that the user needs to switch tabs, thinking that the page is taking too long to load.


This attack is very easy for anybody to implement, and many inexperienced users will probably become victims, so these types of users need extra awareness.

About netbiosX
Penetration Tester, Metasploit Framework addicted and a Social Engineer guy.

Posted by netbiosX on March 20, 2012 in Social Engineering

Tags: SET, social engineering, Tabnabbing

6 Responses to Tabnabbing Attack Method


1. hanish, March 20, 2012 at 1:34 pm
   How to send the link to a victim?

2. netbiosX, March 20, 2012 at 4:57 pm
   You can spoof your email address to something that looks real, like admin@gmail.com, in order to convince the target to open the link.

3. cybersynch, March 22, 2012 at 4:07 pm
   Thank you, netbiosX, for this very informative demonstration.

4. Fane, August 4, 2012 at 12:27 pm
   Here is the problem: this works on the same network, I mean a local network. How can we use it on a victim on another network?

5. netbiosX, August 4, 2012 at 8:22 pm
   Fane, the Social Engineering Toolkit can be used on different networks as well. The only thing that you have to do is to set the AUTO_DETECT option to OFF in the configuration file of SET.

6. anashlali, August 10, 2012 at 11:47 pm
   Hi netbios, the AUTO-DETECT is off but it seems the link doesn't work from another network. I used goo.gl to generate the link. Help pls. Best, Anashlali
