Tabnabbing Attack Method Penetration Testing Lab
http://pentestlab.wordpress.com/2012/03/20/tabnabbing-attack-method/
Figure: Website Attack Vector (http://pentestlab.files.wordpress.com/2012/03/14.png)

Next we will see the available attacks that we can use. Of course, our choice here is option number 4, the Tabnabbing Attack Method.

Figure: Selecting the Tabnabbing Attack (http://pentestlab.files.wordpress.com/2012/03/23.png)

In the next menu we will choose option number 2 in order to clone the website of our preference. Remember that the Tabnabbing attack only works with websites that have fields for a username and password, so choose this kind of website for cloning.

Figure: Selecting the Site Cloner (http://pentestlab.files.wordpress.com/2012/03/33.png)

Now it is time to choose the website that SET will clone. In this scenario our choice will be Gmail.

Figure: Enter the Fake Website for Cloning (http://pentestlab.files.wordpress.com/2012/03/42.png)

If we send a link with our IP address to our victim and he opens it, he will notice that a new tab opens and a message appears saying the following:

Figure: Opening the webpage (http://pentestlab.files.wordpress.com/2012/03/53.png)

This message will stay there until the user switches tabs in his browser. Then the fake website will load, and we just have to wait for him to enter his credentials in order to capture them.

Figure: Fake Gmail Page (http://pentestlab.files.wordpress.com/2012/03/63.png)

The next image shows what we will see in SET when the victim enters his credentials into the username and password fields.

Figure: Capturing the Credentials (http://pentestlab.files.wordpress.com/2012/03/82.png)

Conclusion

As with most social engineering attacks, this type of attack requires covering our IP address with a domain that looks legitimate. This technique is similar to the Credential Harvester method, with the only difference being that the user needs to switch tabs, thinking that the page will take too long to load.
This attack is very easy for anybody to implement, and many inexperienced users will probably become victims, so these types of users need to have extra awareness.
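
From the defender's side, the behaviour described above (a placeholder message that is replaced by a login page once the user switches tabs, served from a bare IP address) can be turned into a detection heuristic. The following is an added example, not code from the original post or from SET; the snapshot format, the `detectTabnabbing` name and the sample data are assumptions constructed for illustration.

```javascript
// Added example: flag tabs whose login form appeared while the tab was hidden.
// Snapshot shape {tabId, visible, url, title, hasPasswordField} is an assumed
// format, e.g. what a browser extension could record on each visibility change.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

function detectTabnabbing(snapshots, trustedLoginHosts) {
  const findings = [];
  const lastVisible = new Map(); // tabId -> last snapshot seen while visible
  const wasHidden = new Set();   // tabs hidden since that snapshot
  for (const s of snapshots) {
    if (!s.visible) { wasHidden.add(s.tabId); continue; }
    const before = lastVisible.get(s.tabId);
    const host = new URL(s.url).hostname;
    // Core signal: no password field before hiding, one present on return,
    // and the host is not somewhere the user is expected to log in.
    if (before && wasHidden.has(s.tabId) && s.hasPasswordField &&
        !before.hasPasswordField && !trustedLoginHosts.includes(host)) {
      const reasons = ['password field appeared while tab was hidden'];
      if (s.title !== before.title) reasons.push('title changed while hidden');
      if (isIpLiteral(host)) reasons.push('host is a raw IP address');
      if (new URL(s.url).protocol !== 'https:') reasons.push('not served over HTTPS');
      findings.push({ tabId: s.tabId, url: s.url, reasons });
    }
    lastVisible.set(s.tabId, s);
    wasHidden.delete(s.tabId);
  }
  return findings;
}

// Constructed sample data (192.0.2.10 is a documentation address).
const SAMPLE = [
  { tabId: 1, visible: true,  url: 'http://192.0.2.10/', title: 'Loading', hasPasswordField: false },
  { tabId: 2, visible: true,  url: 'https://mail.example.com/inbox', title: 'Inbox', hasPasswordField: false },
  { tabId: 1, visible: false, url: 'http://192.0.2.10/', title: 'Loading', hasPasswordField: false },
  { tabId: 2, visible: false, url: 'https://mail.example.com/inbox', title: 'Inbox', hasPasswordField: false },
  // User returns: tab 1 now shows a login form, tab 2 timed out to its own login page.
  { tabId: 1, visible: true,  url: 'http://192.0.2.10/', title: 'Sign in', hasPasswordField: true },
  { tabId: 2, visible: true,  url: 'https://mail.example.com/login', title: 'Sign in', hasPasswordField: true },
];

console.log(detectTabnabbing(SAMPLE, ['mail.example.com']));
```

The trusted-host list keeps a legitimate session timeout (tab 2) from being flagged, so only the tab that turned into a login form on an unknown host is reported.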
About netbiosX
Penetration Tester, Metasploit Framework addicted and a Social Engineer guy.

Posted by netbiosX on March 20, 2012 in Social Engineering

6 Comments

August 4, 2012 at 12:27 pm
Here is the problem, this works on the same network, I mean, it is the local network, how can we use the victim on another network?

netbiosX, August 4, 2012 at 8:22 pm
Fane, the Social Engineering Toolkit can be used on different networks as well. The only thing that you have to do is to set the AUTO_DETECT option to Off from the configuration file of SET.

anashlali, August 10, 2012 at 11:47 pm
Hi netbios, the AUTO-DETECT is off but it seems the link doesn't work from another network. I used goo.gl to generate the link. Help pls. Best, Anashlali