Social Engineering Tabnabbing Attack + Ettercap Local DNS Poisoning

Social Engineering Tabnabbing Attack + Ettercap Local DNS Poisoning


Type : Tutorial

Level : Medium, Advanced

Platform Testing : Windows XP SP3

Browser : Mozilla Firefox

Again in this tutorial we will learn something related to Social Engineering Attack using Social Engineering Toolkit. This tutorial was talked about Social Engineering Tabnabbing Attack combining with Ettercap DNS Poisoning. This method actually comes out from common people when open a website page and then it need time to load, the user usually don't want to waste time so they open another tab to open another website.

When the victim switches tabs because victim is multi-tasking, the website detects that a different tab is present and rewrites the webpage to a website you specify. The victim clicks back on the tab after a period of time and thinks they were signed out of their email program or their business application and types the credentials in.

Scenario :

1. Attacker will use Social Engineering Toolkit Tabnabbing Attack combined with Ettercap.

2. Attacker infected local network using Ettercap and redirected all traffic to attacker computer.

Requirement :

1. Social Engineering Toolkit (this package already included in Backtrack Linux)

2. Metasploit Framework

3. Operating System (Linux or Windows; In this tutorial I'm using Backtrack 5)

Step By Step Social Engineering Tabnabbing Attack + Ettercap Local DNS Poisoning:

1. Open Social Engineering Toolkit Console (Click here to view tutorial how to open SET step 1 and 2)

2. Choose number 2 "Website Attack Vectors" and then choose 4 "Tabnabbing Attack Method".

Social Engineering Attack + Ettercap Local DNS Poisoning

3. For the next step, you need to specify number 2 "Site Cloner", because when using Site template it won't work and it's better to clone the website first with the newest one.

Social Engineering Attack + Ettercap Local DNS Poisoning

When "Enter the url to clone" appear, input your desired website to clone(e.g,,, etc). When it finished cloning the website, we need to force victim opened our fake Yahoo Mail server by using Ettercap Local DNS Poisoning.

4. Before run Ettercap to do ARP poisoning, we need to configure the destination address when Ettercap receive requests address where it should go.

pico /usr/share/ettercap/etter.dns

Social Engineering Attack + Ettercap Local DNS Poisoning       A  --> every request for
redirected to attacker IP address

*             A  --> Using * as wildcard, every requests for,,, etc will redirected to attacker IP address

5. The next step, open new terminal/console (CTRL+ALT+T) and type :

ettercap -G

To run Ettercap in GUI mode

6. Configure your Ettercap to do ARP poisoning and start it (View the tutorial here step no.7 to 12)

7. When victim open in their browser it should be a message that the page is still loading.

Social Engineering Attack + Ettercap Local DNS Poisoning

8. Of course the victim won't wasting time to wait that page load, so he/she start to open another tab As soon as victim open new tab, our fake website start working.

Social Engineering Attack + Ettercap Local DNS Poisoning

9. When victim input their credentials there, our Social Engineering Toolkit console start capturing the data.

Social Engineering Attack + Ettercap Local DNS Poisoning

We've got their Username and Password.

Countermeasures :

1. Always update your browser

2. Look to URL address bar carefully when you open a website, is there something wrong or not.

3. If something went wrong(error page, loading page, etc) when you open a website, stop your step there and close your browser and try to ping the URL (see here how to ping the URL on step 6).

Hope you enjoyed πŸ™‚

(Visited 2,348 times, 2 visits today)

Share this article if you found this post was useful:

Blogger at Love PHP, offensive security and web.
Contact him at me[-at-]

See all posts by || Visit Website :

  • jouj

    can i execute all hese tutorial by using VMware  that will make the  connection LAN right ?? it's a brilliant work .

    • You can use bridge connection in virtual machine and select adapter to make it work in whole network of Lan.

  • jouj

    is this will work with firefox 5 ???

    • v4L

      Yep you’re right in LAN.
      about FF5 I haven’t try it…maybe you can try and tell me how it works πŸ™‚

  • jouj

    after the step 3 what i should do because nothing happen it just display on the screen
    (social – engineer toolkit crednetial harvester attack
    credential harvester is running on prot 80
    Information will be displayed to you as it arrives below)        
    and nothing happen

    • v4L

      What you already do is right…now you need to open the IP address from another computer/virtual machine and you will see the page you already clone

  • jouj

    u mean open the webpage that we all ready  clone it ?? or the ip adresse like 192…….. ??

    • v4L

      if you didn’t use Ettercap, use only the ip address…if you follow until ettercap, open the web address

  • Kave

    Hello, is it only works in LAN?

    • v4L

      According to what do you want..
      If you don’t want from LAN, then you should doing DNS server poisoning(not local DNS)…
      This attack also you can do from WAN…

  • Zer00cOOll

    hey i need help I'm steal getting this annoying message when i want to clone a website
    [*] Error. Unable to clone this specific site. Email us to fix.
    how can i fix that i don't even know where to mail them WTF

    • v4L

      Sorry about it, I can’t answer your my opinion maybe it’s because of your Social Engineering Toolkit missing some file…my advice you can try to update your social engineering toolkit first ./set-update from set folder..

  • Jayeshbai

    Can use the same for accounts via the internet connection without using LAN? if so how can it be?

  • Pingback: 3 Simple Methods Hackers Use to Compromise Your Facebook Account : Virtual Threat()

  • Chris

    I’ve worked out how to use the credential harvester site cloner method.But when i send a friend my ip (even if i shorten into a url) they are denied access, only on my browser or wi-fi do i have access πŸ™‚ how doo i fix this problem ? thanks

    • v4L

      you’re inside a public router, you need to allow specific port on your router;
      read more : http://www./hacking-tutorial/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/

      • Chris

        Thanks a lot v4L appreciated the reply. That certainly explains a lot now that i understand the concept, however even after reading the tutorial you posted i was a bit lost. I’m very good when it comes to Business within work or sports, but the whole IT thing is smack bang completely new to me, the most complicated thing i do on a computer normally is trade shares. I will get a friend to sit me down and help me do your tutorial and get back to you, hopefully successful. πŸ™‚ Thanks for the forum!!!

  • Ambuj

    I was looking for it. love ur work man….vishnu u gav a rocking tutorial.
    however i was
    unable to download the SET .could u provide a link?even tried opening via TRustedESc website but was unable to download….
    and one more thing….will it work only on Linux??

    • v4L

      it’s multi platform you can download it from here : svn co set/
      just make sure you can run python on your OS

  • On my backtrack 5r3, it is requesting for one IP address for post back before I put the site I want to clone. If I put any IP, it displays error. Which IP am I to use?

  • Please Valentino. I use BT5r3 and it requests for one IP address before the site to be cloned in the SET. What is this IP. It was not like that with my BT5r2

    • v4L

      it’s your IP address, for connect back when victim. If you have public IP, you can put your public IP there otherwise just use your local LAN IP e.g:

      • MBELL

        in backtrack set method. i finish the site cloning and then i send the ip link to my friend but he says that link is not working. but in my pc its working good.. im using a wifi modem in my windows 7 pc. and im using bridged adapter network in vm… any one help me plz…

  • Dave

    Thanks for the tutorial.

    I am having an issue. My fake page never loads it just says “Please wait while the site loads… ” even after I open a new tab and browse somewhere else.

    Any idea what could be the issue?


    • v4L


      yes it will be like that, you need to change to another tab to make the exploit work

      • Dave

        But even when I change to another tab it doesn’t seem to work. My exploit page never loads for the user to input their username and password.

        • v4L


          Maybe its outdated, but if you still want to give a try, you can download the older version of firefox here

  • exxraided

    I am having problems getting the site cloner tool to open on a mobile browser… I have it configured properly, my ports are forwarded and this is working excellent on a PC.
    However, when i try to open the IP, or link on both my Android and Ipad the site will not load.
    I also even tried to set up the mobile yahoo login page as the site to clone and that didnt work either.
    Let me know if this is possible to use on a mobile phone, or if you have any suggestions on where i might be able to develop a phishing page to be comparable with an Iphone.

    • v4L


      you can build the code by yourself, you can use the tools like httrack and re-code manually. Maybe if have time I will write some tutorial about it.

  • kunal

    hello sir

    i have done evrything you have mentioned but still when i try to open yahoo on the target computer it does not load the fake site.

    please help me. i am connected to a wifi network


    in backtrack set method. i finish the site cloning and then i send the ip link to my friend but he says that link is not working. but in my pc its working good.. im using a wifi modem in my windows 7 pc. and im using bridged adapter network in vm… any one help me plz…

  • anon

    why didnt you need to input the ip??