Type : Tutorial
Level : Medium, Advanced
Platform Testing : Windows XP SP3
Browser : Mozilla Firefox 3.6.1.6
In this tutorial we will again look at a social engineering attack using the Social Engineering Toolkit. This tutorial covers the Social Engineering Tabnabbing Attack combined with Ettercap DNS poisoning. The method grew out of a common habit: when a website page takes time to load, users usually don’t want to waste time, so they open another tab to open another website.
When the victim switches tabs because they are multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time, thinks they were signed out of their email program or their business application, and types the credentials in.
1. The attacker will use the Social Engineering Toolkit Tabnabbing Attack combined with Ettercap.
2. The attacker poisons the local network using Ettercap and redirects all http://mail.yahoo.com traffic to the attacker's computer.
1. Social Engineering Toolkit (this package is already included in Backtrack Linux)
3. Operating System (Linux or Windows; in this tutorial I’m using Backtrack 5)
1. Open the Social Engineering Toolkit console (click here to view the tutorial on how to open SET, steps 1 and 2)
2. Choose number 2 “Website Attack Vectors” and then choose 4 “Tabnabbing Attack Method”.

3. For the next step, choose number 2 “Site Cloner”, because the site template won’t work here and it’s better to clone the newest version of the website first.

When “Enter the url to clone” appears, enter the website you want to clone (e.g. facebook.com, mail.google.com, hotmail.com, etc.). When it has finished cloning the website, we need to force the victim to open our fake Yahoo Mail server by using Ettercap local DNS poisoning.
4. Before running Ettercap to do ARP poisoning, we need to configure the destination address Ettercap should answer with when it receives requests.
pico /usr/share/ettercap/etter.dns

mail.yahoo.com A 192.168.8.92 --> every request for mail.yahoo.com is redirected to the attacker IP address 192.168.8.92
*.yahoo.com A 192.168.8.92 --> using * as a wildcard, every request for mail.yahoo.com, messenger.yahoo.com, news.yahoo.com, etc. will be redirected to the attacker IP address 192.168.8.92
5. Next, open a new terminal/console (CTRL+ALT+T) and type:
ettercap -G
This runs Ettercap in GUI mode.
6. Configure Ettercap to do ARP poisoning and start it (view the tutorial here, steps 7 to 12)
7. When the victim opens http://mail.yahoo.com in their browser, a message should appear saying that the page is still loading.

8. Of course the victim won’t waste time waiting for that page to load, so he/she opens another tab, google.com. As soon as the victim opens the new tab, our fake website starts working.

9. When the victim enters their credentials there, our Social Engineering Toolkit console starts capturing the data.

We’ve got their username and password.
1. Always keep your browser updated.
2. Look carefully at the URL in the address bar when you open a website and check whether anything is wrong.
3. If something goes wrong (error page, loading page, etc.) when you open a website, stop there, close your browser and try to ping the URL (see here how to ping the URL on step 6).
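The address check from countermeasure 3 can be automated. The script below is an added example, not part of the original tutorial: it flags public hostnames whose DNS answer points into LAN address space (as the etter.dns entry above does) and MAC addresses claimed by more than one IP in the ARP table. The gateway address 192.168.8.1, the MAC addresses and the ARP table are constructed sample data.

```python
import ipaddress
import socket
from collections import defaultdict

# Address ranges that a public site such as mail.yahoo.com should never resolve to.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample in Linux /proc/net/arp layout: the gateway (192.168.8.1, assumed)
# and the host 192.168.8.92 share one MAC, the signature of ARP poisoning.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.8.1      0x1         0x2         00:0c:29:aa:bb:cc     *        eth0
192.168.8.92     0x1         0x2         00:0c:29:aa:bb:cc     *        eth0
192.168.8.50     0x1         0x2         00:1e:68:11:22:33     *        eth0
"""

def resolve_a(hostname):
    """Ask the system resolver for the IPv4 addresses of hostname (needs network)."""
    return sorted(set(socket.gethostbyname_ex(hostname)[2]))

def spoofed_answers(answers):
    """Return {hostname: [addrs]} where a public name was answered with a LAN address."""
    flagged = {}
    for host, addrs in answers.items():
        bad = [a for a in addrs
               if any(ipaddress.ip_address(a) in net for net in LAN_NETS)]
        if bad:
            flagged[host] = bad
    return flagged

def shared_macs(arp_text):
    """Return {mac: [ips]} for every MAC address claimed by more than one IP."""
    by_mac = defaultdict(set)
    for line in arp_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] != "00:00:00:00:00:00":
            by_mac[fields[3].lower()].add(fields[0])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    # Constructed answers: the first mirrors the etter.dns entry in this tutorial,
    # the second uses a documentation address standing in for a genuine public IP.
    answers = {"mail.yahoo.com": ["192.168.8.92"], "example.org": ["203.0.113.10"]}
    print("DNS answers pointing into the LAN:", spoofed_answers(answers))
    print("MACs claimed by several IPs:", shared_macs(SAMPLE_ARP))
```

On a live Linux host, pass `{name: resolve_a(name)}` to `spoofed_answers` and the contents of `/proc/net/arp` to `shared_macs`.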
Hope you enjoyed
can i execute all these tutorial by using VMware that will make the connection LAN right ?? it's a brilliant work .
You can use bridge connection in virtual machine and select adapter to make it work in whole network of Lan.
is this will work with firefox 5 ???
#jouj
Yep you’re right in LAN.
about FF5 I haven’t try it…maybe you can try and tell me how it works
after the step 3 what i should do because nothing happen it just display on the screen
(social – engineer toolkit credential harvester attack
credential harvester is running on port 80
Information will be displayed to you as it arrives below)
and nothing happen
#jouj
What you already do is right…now you need to open the IP address from another computer/virtual machine and you will see the page you already clone
u mean open the webpage that we all ready clone it ?? or the ip adresse like 192…….. ??
#jouj
if you didn’t use Ettercap, use only the ip address…if you follow until ettercap, open the web address
Hello, is it only works in LAN?
#Kave
According to what do you want..
If you don’t want from LAN, then you should doing DNS server poisoning(not local DNS)…
This attack also you can do from WAN…
hey i need help I'm still getting this annoying message when i want to clone a website
[*] Error. Unable to clone this specific site. Email us to fix.
how can i fix that i don't even know where to mail them WTF
#Zer00cOOll
Sorry about it, I can’t answer your question..in my opinion maybe it’s because of your Social Engineering Toolkit missing some file…my advice you can try to update your social engineering toolkit first
./set-update
from set folder..
Can use the same for accounts via the internet connection without using LAN? if so how can it be?
#Jayeshbai
Read more here : http://www.hacking-tutorial.com/computer/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/
I’ve worked out how to use the credential harvester site cloner method. But when i send a friend my ip (even if i shorten into a url) they are denied access, only on my browser or wi-fi do i have access
how do i fix this problem ? thanks
#Chris
you’re inside a public router, you need to allow specific port on your router;
read more : http://www.hacking-tutorial.com/hacking-tutorial/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/
Thanks a lot v4L appreciated the reply. That certainly explains a lot now that i understand the concept, however even after reading the tutorial you posted i was a bit lost. I’m very good when it comes to Business within work or sports, but the whole IT thing is smack bang completely new to me, the most complicated thing i do on a computer normally is trade shares. I will get a friend to sit me down and help me do your tutorial and get back to you, hopefully successful.
Thanks for the forum!!!
I was looking for it. love ur work man….vishnu u gav a rocking tutorial.
however i was
unable to download the SET .could u provide a link?even tried opening via TRustedESc website but was unable to download….
and one more thing….will it work only on Linux??
#Ambuj
it’s multi platform you can download it from here : svn co http://svn.trustedsec.com/social_engineering_toolkit set/
just make sure you can run python on your OS
On my backtrack 5r3, it is requesting for one IP address for post back before I put the site I want to clone. If I put any IP, it displays error. Which IP am I to use?
Please Valentino. I use BT5r3 and it requests for one IP address before the site to be cloned in the SET. What is this IP. It was not like that with my BT5r2
#Joerex
it’s your IP address, for connect back when victim. If you have public IP, you can put your public IP there otherwise just use your local LAN IP e.g:192.168.1.1.