Hi!
Ok, then let’s go step by step.
Launch a simple arp spoof attack (without using the hstshijack caplet) and visit vulnweb.com in victim machine, check if you can get the credentials.
Also share a screenshot of arp -a in windows before and during the attack.
And in any case you don’t have to enter facebook.com in the search bar nor the text in it will change to facebook.corn, I suggest to watch the lecture again and pay attention to the things Zaid does and take notes, it will be very helpful.
Greetings!
Diego
