Type : Tutorial
Level : Medium, Advanced
Platform Testing : Windows XP SP3
Browser : Mozilla Firefox 184.108.40.206
Again in this tutorial we will learn something related to Social Engineering Attack using Social Engineering Toolkit. This tutorial was talked about Social Engineering Tabnabbing Attack combining with Ettercap DNS Poisoning. This method actually comes out from common people when open a website page and then it need time to load, the user usually don’t want to waste time so they open another tab to open another website.
When the victim switches tabs because victim is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in.
1. Attacker will use Social Engineering Toolkit Tabnabbing Attack combined with Ettercap.
2. Attacker infected local network using Ettercap and redirected all http://mail.yahoo.com traffic to attacker computer.
1. Social Engineering Toolkit (this package already included in Backtrack Linux)
3. Operating System (Linux or Windows; In this tutorial I’m using Backtrack 5)
1. Open Social Engineering Toolkit Console (Click here to view tutorial how to open SET step 1 and 2)
2. Choose number 2 “Website Attack Vectors” and then choose 4 “Tabnabbing Attack Method“.
3. For the next step, you need to specify number 2 “Site Cloner“, because when using Site template it won’t work and it’s better to clone the website first with the newest one.
When “Enter the url to clone” appear, input your desired website to clone(e.g facebook.com, mail.google.com, hotmail.com, etc). When it finished cloning the website, we need to force victim opened our fake Yahoo Mail server by using Ettercap Local DNS Poisoning.
4. Before run Ettercap to do ARP poisoning, we need to configure the destination address when Ettercap receive requests address where it should go.
mail.yahoo.com A 192.168.8.92 --> every request for mail.yahoo.com redirected to attacker IP address 192.168.8.92 *.yahoo.com A 192.168.8.92 --> Using * as wildcard, every requests for mail.yahoo.com, messenger.yahoo.com, news.yahoo.com, etc will redirected to attacker IP address 192.168.8.92
5. The next step, open new terminal/console (CTRL+ALT+T) and type :
To run Ettercap in GUI mode
6. Configure your Ettercap to do ARP poisoning and start it (View the tutorial here step no.7 to 12)
7. When victim open in their browser http://mail.yahoo.com it should be a message that the page is still loading.
8. Of course the victim won’t wasting time to wait that page load, so he/she start to open another tab google.com. As soon as victim open new tab, our fake website start working.
9. When victim input their credentials there, our Social Engineering Toolkit console start capturing the data.
We’ve got their Username and Password.
1. Always update your browser
2. Look to URL address bar carefully when you open a website, is there something wrong or not.
3. If something went wrong(error page, loading page, etc) when you open a website, stop your step there and close your browser and try to ping the URL (see here how to ping the URL on step 6).
Hope you enjoyed