Tabnabbing Attack Method

20 Mar

Another method that you can use when you conduct a social engineering attack is the Tabnabbing attack. The only thing that it requires from the user is to switch tabs in his browser in order to load the fake website; if he then enters his credentials, it harvests them.

There are not many things to explain here so we will have a look at the attack itself.

The first thing we have to do, of course, is to open the Social Engineering Toolkit and to choose the Website Attack Vectors option.

Website Attack Vector

Next we will see the available attacks that we can use. Of course our choice here is option number 4, the Tabnabbing Attack Method.

Selecting the Tabnabbing Attack

In the next menu we will choose option number 2 in order to clone the website of our preference. Remember that the Tabnabbing attack only works with websites that have fields for username and password, so choose this kind of website for cloning.

Selecting the Site Cloner

Now it is time to choose the website that SET will clone. In this scenario our choice will be Gmail.

Enter the Fake Website for Cloning

If we send a link with our IP address to our victim and he opens it, he will notice that a new tab opens and a message appears saying the following:

Opening the webpage

This message will stay there until the user switches tabs in his browser. Then the fake website will load and we just have to wait for him to enter his credentials in order to capture them.

Fake Gmail Page

The next image shows what we will see in SET when the victim enters his credentials into the username and password fields.

Capturing the Credentials


As with most social engineering attacks, this type of attack requires covering our IP address with a domain that looks legitimate. This technique is similar to the Credential Harvester method, with the only difference being that the user needs to switch tabs, thinking that the page is taking too long to load.

This attack is very easy for anybody to implement, and many inexperienced users will probably become victims, so these types of users need to have extra awareness.
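As an added defender-side illustration (not code from the original post or from SET), the swap described above, a placeholder page that turns into a login form only after the tab loses focus, leaves a signature a browser extension can look for. The snippet below is a hypothetical content script: `takeSnapshot` reads the live DOM, while `looksLikeTabnab` is pure logic over two snapshots so it can be checked without a browser; the IP-literal check reflects the post's note that the attacker link carries a raw IP unless covered by a domain.

```javascript
// Added example (hypothetical content script, not part of SET or the post).
// The page is observed when the tab is hidden and again when it becomes
// visible; a credential form that appears in between is the tabnabbing tell.

// Read the observable state of a page from a live DOM document.
function takeSnapshot(doc) {
  return {
    title: doc.title,
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
    host: doc.location.host,
  };
}

// True for a bare IPv4 host such as 192.0.2.10 or 192.0.2.10:8080.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}(:\d+)?$/.test(host);
}

// Pure comparison of two snapshots so it can be tested offline.
function looksLikeTabnab(hidden, visible) {
  const reasons = [];
  const pwAppeared = hidden.passwordFields === 0 && visible.passwordFields > 0;
  const ipLogin = visible.passwordFields > 0 && isIpLiteral(visible.host);
  if (pwAppeared) reasons.push('password field appeared while the tab was hidden');
  if (ipLogin) reasons.push('login form served from a bare IP address');
  // A title change alone is common (unread counts etc.), so it is only
  // reported as corroboration when one of the strong signals fired.
  if ((pwAppeared || ipLogin) && hidden.title !== visible.title) {
    reasons.push('document title changed while the tab was hidden');
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Wire the check into the Page Visibility API when running inside a browser.
if (typeof document !== 'undefined') {
  let whenHidden = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) {
      whenHidden = takeSnapshot(document);
    } else if (whenHidden) {
      const verdict = looksLikeTabnab(whenHidden, takeSnapshot(document));
      if (verdict.suspicious) console.warn('Possible tabnabbing page:', verdict.reasons);
      whenHidden = null;
    }
  });
}
```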


Posted by on March 20, 2012 in Social Engineering



6 responses to “Tabnabbing Attack Method”

  1. hanish

    March 20, 2012 at 1:34 pm

    How do I send the link to a victim?

  2. netbiosX

    March 20, 2012 at 4:57 pm

    You can spoof your email address to something that looks real in order to convince the target to open the link.

  3. cybersynch

    March 22, 2012 at 4:07 pm

    Thank you, netbiosX, for this very informative demonstration.

  4. Fane

    August 4, 2012 at 12:27 pm

    Here is the problem:

    this works on the same network, I mean, a local network. How can we use it with a victim on another network?

  5. netbiosX

    August 4, 2012 at 8:22 pm

    Fane, the Social Engineering Toolkit can be used on different networks as well. The only thing that you have to do is to set the AUTO_DETECT option to Off in the configuration file of SET.

    • anashlali

      August 10, 2012 at 11:47 pm

      Hi netbios,

      AUTO_DETECT is off but it seems the link doesn’t work from another network. I used to generate the link. Help please.



