Here is the setup. I set up a wireless LAN, one attacker with BT5r2 and one Win7 victim PC. I use SET Credential Harvester to set up a duplicate webpage. If I type the attack PC IP address into the victim browser, everything works great: the first login attempt fails, forwards the credentials to the attack PC, then presents the victim PC with the real site, in which I can then log in.

To make the attack more convincing, I chose to use Ettercap to do some DNS spoofing. So I edit the etter.dns file to send the victim PC to the attack PC when they type in X site. Now the victim can browse to said site, get redirected to the fake Credential Harvester site, and the browser address bar shows the site they typed in rather than the attack PC's IP address. Everything is good up to here.

The problem. When Credential Harvester sends the victim PC to the real site after the first login attempt, Ettercap then again spoofs the site and sends that second request back to the attacker's fake page. At this point Credential Harvester has already shut down the fake site after getting the credentials, so to the victim PC it looks as if the site is down. So I have fixed the one problem of the browser bar not showing the legit site name, but in turn caused another by Ettercap not allowing the victim PC to continue to the legit site. I realize there may be another issue, and that is that the victim PC's DNS cache is poisoned, and it may not be able to get to the real website.

Is there any way around this? Maybe some type of scripting I can do with Ettercap, or am I re-inventing the wheel and there is already a better way to do this? I know one way is to just use Ettercap with SSLstrip, but I want to specifically get this targeted attack working, rather than SSLstrip going after every page that is loaded.

Thanks for your help,
Ech3l0n