Ethical Hacking and Penetration Testing Guide
Step 3—Now, let’s see the attack on the victim’s website. As soon as the victim loads the site, he will see the following screen:

As soon as he switches the tab, the website will be redirected to the fake Gmail log-in page.

As soon as our victim enters the credentials, his credentials will be saved.
Other Attack Vectors
We have other advanced attack vectors in the SET related to phishing. One of them is “Man Left in the Middle,” where the attacker requires an XSS vulnerability to trigger an attack. Since we haven’t learned about XSS vulnerability yet, we won’t discuss it now. We will learn all about it in the “Web Hacking” chapter (Chapter 12). Another great attack vector is the “Web Jacking” attack vector, where the victim would be presented a link stating “Website has been moved.” When the victim hovers his mouse over the link, it would point to the real URL, not the attacker’s URL.

Here is what the victim would be presented with:

Whenever the victim clicks on it, gmail.com will open; however, it will be replaced with our malicious webserver after a few seconds.
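Both of the tricks above leave tell-tale markup behind: the tabnabbing page from Step 3 hooks the tab losing focus and then navigates away, and the web jacking link carries an honest-looking href whose click handler sends the browser somewhere else. The following heuristic scanner is an added example, not code from the book or from SET; it uses regular expressions on raw HTML (no full JavaScript parsing) and runs against a constructed sample page with a placeholder host in the 192.0.2.0/24 documentation range.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not from the book): a "Website has been moved" link whose
# onclick overrides the real-looking href, plus a script that redirects when the
# tab is hidden. 192.0.2.10 is a documentation-range placeholder, not a real host.
SAMPLE_HTML = """
<html><body>
<p>Website has been moved.</p>
<a href="https://gmail.com/" onclick="window.location='http://192.0.2.10/login';return false;">https://gmail.com/</a>
<a href="https://example.org/help">Help</a>
<script>
document.addEventListener('visibilitychange', function () {
  if (document.hidden) { window.location.replace('http://192.0.2.10/login'); }
});
</script>
</body></html>
"""

# Any assignment to or call on location (window.location = ..., location.replace(...), ...)
NAV_RE = re.compile(r"(?:window\.|document\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]", re.I)
# Events a tabnabbing page typically waits for before swapping its content
TAB_EVENT_RE = re.compile(r"(visibilitychange|['\"]blur['\"]|onblur)", re.I)
ANCHOR_RE = re.compile(r"<a\b([^>]*)>(.*?)</a>", re.I | re.S)
# Attribute values may be double- or single-quoted; the other quote may appear inside
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')
URL_RE = re.compile(r"https?://[^\s'\"]+")


def host(url):
    return (urlparse(url).hostname or "").lower()


def find_tabnabbing(html):
    """True if any inline script both listens for tab blur/visibility and navigates."""
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S)
    return any(TAB_EVENT_RE.search(s) and NAV_RE.search(s) for s in scripts)


def find_webjacking_links(html):
    """Anchors whose onclick navigates to a host different from the href's host.

    Returns a list of (href, link text, [handler URLs]) tuples."""
    findings = []
    for attrs, text in ANCHOR_RE.findall(html):
        a = {k.lower(): (v1 or v2) for k, v1, v2 in ATTR_RE.findall(attrs)}
        handler = a.get("onclick", "")
        if not NAV_RE.search(handler):
            continue
        targets = URL_RE.findall(handler)
        if any(host(t) != host(a.get("href", "")) for t in targets):
            findings.append((a.get("href", ""), text.strip(), targets))
    return findings
```

A page that fails either check is worth a closer look, but both heuristics can be evaded by obfuscated JavaScript and will flag some legitimate analytics or single-page-app code, so treat a hit as a triage signal rather than proof.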
Tip: A better attack strategy is to register a domain similar to the real domain; for example, in the case of facebook.com, you can register faceboook.com and host your attack there.