Description: In this video I'll continue talking about the Website Attack methods and I'll show how to phish a website and obtain the credentials of any victim/user using a new method named Tabnabbing Attack.
Please leave your comments
Tags: SET
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Thank you for the clear explanation and demonstration. I can't play around with this for a little while so I have a question:
When the victim has, inadvertently, browsed to the fake site, does he see anything on his system? Does it redirect to the real site or does it simply "hang"? If the latter, I suppose he will think "Great .... it's crashed" and maybe close the browser in order to start again. If so, I suppose the attacker must stop the attack quickly, otherwise the same will happen to the victim and he might get suspicious.
I suppose that the ideal would be for the victim to be redirected to the real site (via the fake site) after the credentials have been captured.
Hi @Ignatius, thanks for the comments and good point.
You are right, in my case I use the tabnabbing with a DNS spoof attack and of course when the victim logs in he will not be redirected to the real page because of the DNS spoof... but with the tabnabbing by itself, after the victim is logged in to the faked site he will be redirected to the real site immediately... In my case it just returns to the login page, but as I said there are different ways to perform this attack.
Thanks for awesome videos MR Zerocool keep up the work :)
Yes, I understand that the dns spoof attack will direct the victim to the fake site, but I just wondered if there was something within SET that might redirect him automatically to the legitimate site after the credentials had been harvested. I realise that this would mean that the attacker's machine would have to remain up and running whilst the victim is accessing, for instance, twitter. If not, he would be disconnected suddenly and have to start again, but log in normally, without going through the attacker's machine.
@zerocool394 waiting for sms spoofing tutorial.
please post it soon.
@zerocool394: I wrote on my blog how to use S.E.T web attack vector on a port other than port 80. This helps when using it over the internet if the ISP blocks port 80.
:) Thanks for your tutorials!
Hi @j0k3rr, please paste the direct link here, it can be very useful for many
thanks for the comments and your contribution
@zerocool394: here is the link to the post on my blog
http://blog.thawildcard.com/archives/154
:)