BT5,Tabnabbing

Tabnabbing,即“标签钓鱼”。关于Tabnabbing的详细信息可见。 在BT5中玩了玩Tabnabbing。主要用了pentest工具箱。 启动一个终端,命令:

root@bt:~# cd /pentest/exploits/set/
root@bt:/pentest/exploits/set# ./set

选择第二个选项:

Select from the menu:
1.  Spear-Phishing Attack Vectors
2.  Website Attack Vectors
3.  Infectious Media Generator
4.  Create a Payload and Listener
5.  Mass Mailer Attack
6.  Teensy USB HID Attack Vector
7.  SMS Spoofing Attack Vector
8.  Wireless Access Point Attack Vector
9.  Third Party Modules
10. Update the Metasploit Framework
11. Update the Social-Engineer Toolkit
12. Help, Credits, and About
13. Exit the Social-Engineer Toolkit
Enter your choice: 2

然后选择第四个选项:

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu
Enter your choice (press enter for default): 4

选择第二个,克隆一个网站作为钓鱼页面:

1. Web Templates
2. Site Cloner
3. Custom Import
4.Return to main menu
Enter number (1-4):2

用百度登陆为例,出现Press {return} to continue就回车,接着用IE访问虚拟机的IP。

1.jpg

客户端IE访问:

2.jpg

新建一个选项卡,Ctrl+T:

3.jpg

然后就是一个虚假的登录界面,输入账号密码后,在终端里就可以看到截获的数据了:

4.jpg