BT5,Tabnabbing

Tabnabbing,即“标签钓鱼”。关于 Tabnabbing 的详细信息可见。在 BT5 中玩了玩 Tabnabbing。主要用了 pentest 工具箱。

启动一个终端,命令:

root@bt:~# cd /pentest/exploits/set/
root@bt:/pentest/exploits/set# ./set

选择第二个选项:

Select from the menu:
1.  Spear-Phishing Attack Vectors
2.  Website Attack Vectors
3.  Infectious Media Generator
4.  Create a Payload and Listener
5.  Mass Mailer Attack
6.  Teensy USB HID Attack Vector
7.  SMS Spoofing Attack Vector
8.  Wireless Access Point Attack Vector
9.  Third Party Modules
10. Update the Metasploit Framework
11. Update the Social-Engineer Toolkit
12. Help, Credits, and About
13. Exit the Social-Engineer Toolkit
Enter your choice: 2

然后选择第四个选项:

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu
Enter your choice (press enter for default): 4

选择第二个,克隆一个网站作为钓鱼页面:

1. Web Templates
2. Site Cloner
3. Custom Import
4.Return to main menu
Enter number (1-4):2

用百度登陆为例,出现 Press {return} to continue 就回车,接着用 IE 访问虚拟机的 IP。

1.jpg

客户端 IE 访问:

2.jpg

新建一个选项卡,Ctrl+T:

3.jpg

然后就是一个虚假的登录界面,输入账号密码后,在终端里就可以看到截获的数据了:

4.jpg