BT5,Tabnabbing
Tabnabbing,即“标签钓鱼”。关于 Tabnabbing 的详细信息可见。在 BT5 中玩了玩 Tabnabbing。主要用了 pentest 工具箱。
启动一个终端,命令:
root@bt:~# cd /pentest/exploits/set/ root@bt:/pentest/exploits/set# ./set
选择第二个选项:
Select from the menu: 1. Spear-Phishing Attack Vectors 2. Website Attack Vectors 3. Infectious Media Generator 4. Create a Payload and Listener 5. Mass Mailer Attack 6. Teensy USB HID Attack Vector 7. SMS Spoofing Attack Vector 8. Wireless Access Point Attack Vector 9. Third Party Modules 10. Update the Metasploit Framework 11. Update the Social-Engineer Toolkit 12. Help, Credits, and About 13. Exit the Social-Engineer Toolkit Enter your choice: 2
然后选择第四个选项:
1. The Java Applet Attack Method 2. The Metasploit Browser Exploit Method 3. Credential Harvester Attack Method 4. Tabnabbing Attack Method 5. Man Left in the Middle Attack Method 6. Web Jacking Attack Method 7. Multi-Attack Web Method 8. Return to the previous menu Enter your choice (press enter for default): 4
选择第二个,克隆一个网站作为钓鱼页面:
1. Web Templates 2. Site Cloner 3. Custom Import 4.Return to main menu Enter number (1-4):2
用百度登录为例,出现 Press {return} to continue 就回车,接着用 IE 访问虚拟机的 IP。
客户端 IE 访问:
新建一个选项卡,Ctrl+T:
然后就是一个虚假的登录界面,输入帐号密码后,在终端里就可以看到截获的数据了: