Xatrix Security
Computer, Online and Information Security News

Hacking Facebook as Easy as 1,2,3!


By: Nikola Strahija on October 26, 2010

Anybody can do it. You'll just need to follow this idiot-proof tutorial, in which I'm gonna try to explain what
should be happening from 2 points of view: n00b and wannabe.

* hacking facebook accounts - even though it's basic network packet sniffing and not actual "hacking"

Step 1. n00b
Install this cool browser called Firefox. Unlike your Safari/Chrome :) it supports numerous addons.
Not only that, it will also pause for a few tens of milliseconds when you're browsing youbeetuby.

Step 2. n00b
Install the secret-facebook-hacking-firefox-addon and use at least 3 apps on facebook to meet with someone for real-life coffee!

The place you're meeting should be a crowded coffee shop/bar full of iPhone/Samsung/Nokia Hipsters, just like yourself.
Let's say there are 10 users who have used the facebook app on their phone (and thus stored their account credentials on their phone).
We can safely assume that at least 3 of them are (un)knowingly running some kind of background process which refreshes
facebook/last visited browser page/ajax script. You get my drift? Yay!

Make sure your power options are set in such a way that your netbook keeps running after you close it.

Step 3. n00b
Restart your firefox.
You should have a sidebar titled "Firesheep".
Make sure you're connected to the coffee shop's wireless network and click the "Start Capturing" button.
As soon as Firesheep sniffs enough data for an account, it will show basic facebook account data.

Step 4. n00b
Go home, try not to run over somebody on the street and log in to the account you're interested in from your
Firesheep sidebar. Don't forget to DELETE your cookies between logins. Even better, close all tabs you may
have been running and restart your browser. :-)
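
Firesheep works because the session cookie travels in cleartext over tcp port 80, so anyone on the same wireless network can read it. The check below is an added example, not part of the original article: it audits a constructed HTTP response for cookies set without the Secure attribute and for a missing Strict-Transport-Security header. The cookie names and values are made up.

```python
# Constructed sample: response headers as they would appear in a plain-HTTP capture.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session_id=3f9a1c; Path=/; HttpOnly
Set-Cookie: locale=en_US; Path=/
Set-Cookie: auth_token=b71e04; Path=/; Secure; HttpOnly
"""

def parse_headers(raw):
    """Return lower-cased (name, value) pairs from a raw HTTP response head."""
    pairs = []
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                            # a blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_session_exposure(raw):
    """List cookies a passive listener could read, plus a missing-HSTS finding."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        # Without Secure the browser attaches the cookie to http:// requests too.
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie_name}' lacks Secure")
    # Without HSTS the browser may still be steered to http:// for this host.
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    for finding in audit_session_exposure(SAMPLE_RESPONSE):
        print(finding)
```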

Now some info you should also know:
Facebook has a GeoIP login security mechanism. This means that if your target account is on a different IP or your ISP
has really fresh IP ranges, it may block you and ask for the verification code it has sent to your target's mobile phone
in order to identify you. This of course may or may not work. Maybe your target is using facebook on only 2 networks
(mobile and ... work?), so the GeoIP security mechanism won't kick in. That would be a perfect target.

So... did you already check if they were saying those bad things about you? :)

Therefore, anybody can do it. As you see, I didn't actually write the step-by-step tutorial, since the ones who fail at n00b level are just too lazy. The Wannabe level presumes you are using your keyboard when you browse for information. You do know which is xatrix's SSH port? (watch out! you will be firewalled after a couple of tries). So... Wannabes... let's GO!



Step 1 - Wannabe
The connected network interface is in promiscuous mode?
IP Forwarding is enabled?

sysctl -w net.inet.ip.forwarding=1


Arp Poisoning Running?
arpspoof -t 192.168.1.1 192.168.1.2 >/dev/null 2>&1 &

Coolio.

Step 2 - Wannabe
Start spoofing between your $target[x] and $gateway, omitting the output:
arpspoof -t 192.168.0.1 192.168.0.101 >/dev/null 2>&1 &


or for debugging purposes, see the output using:
arpspoof -t 192.168.0.1 192.168.0.101
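
On the defending side, the poisoning from Steps 1 and 2 shows up in a client's ARP cache: the gateway IP resolves to a MAC address that also answers for another IP, or that differs from the gateway's known address. The following is an added example, not from the original article, that checks `arp -an` output for both signs. The sample table and all MAC addresses are constructed, and 192.168.0.1 is assumed to be the gateway.

```python
import re
from collections import defaultdict

# Constructed `arp -an` output as seen on a client; not from a real network.
# Zero-padding is mixed on purpose (BSD/macOS print 0:2, Linux prints 00:02).
SAMPLE_ARP_TABLE = """\
? (192.168.0.1) at de:ad:be:ef:0:2 [ether] on wlan0
? (192.168.0.101) at 0:1c:b3:11:22:33 [ether] on wlan0
? (192.168.0.102) at de:ad:be:ef:00:02 [ether] on wlan0
? (192.168.0.103) at <incomplete> on wlan0
"""

ENTRY = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})"
)

def normalize_mac(mac):
    """Pad each octet to two lower-case hex digits so entries compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp_table(text):
    """Map IP -> normalized MAC, skipping <incomplete> entries."""
    return {ip: normalize_mac(mac) for ip, mac in ENTRY.findall(text)}

def find_arp_anomalies(text, gateway_ip, known_gateway_mac=None):
    """Return (kind, mac, ips) findings that are consistent with ARP poisoning."""
    entries = parse_arp_table(text)
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    findings = []
    # One MAC answering for the gateway and another host is the classic sign.
    # Multi-homed hosts and proxy ARP also cause it, so treat it as a lead to verify.
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            findings.append(("gateway-shares-mac", mac, sorted(ips)))
    # Stronger signal: the gateway MAC differs from one recorded on a trusted link.
    seen = entries.get(gateway_ip)
    if known_gateway_mac and seen and seen != normalize_mac(known_gateway_mac):
        findings.append(("gateway-mac-changed", seen, [gateway_ip]))
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE_ARP_TABLE, "192.168.0.1", "00:1a:2b:3c:4d:5e"):
        print(finding)
```

The second IP in a "gateway-shares-mac" finding is the host to look at first, since it is the one whose MAC now answers for the gateway.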


Now that arpspoof is running, dump the packets!

Step 3 - Wannabe

Dump the packets:
tcpdump -i wlan0 -w facebook.pcap tcp port 80

.... and after some time ....

Step 4 - Wannabe
Open the pcap dump file in your favorite network protocol analyzer and filter out the requests to and from facebook :)
Read RAW text. Preferably black background, white text, blue tags.

Or simply copy+paste this filter rule:
C'mon... you already have a frontend GUI, why should I write the filter rule for you?
In my time, we didn't have frontends for everything...


wannabe disqualification:
- If you didn't have arpspoof|ip_forward|libpcap installed or enabled.
- If you couldn't find hosts/targets on the network
- If you're using Ubuntu ;)

Reminds you of somebody? Please read the n00b sections from now on.

wannabe karma points:
- If you also poisoned the DNS queries for www|facebook.com and got the HTTPS certificates
- If you piped the output to wireshark/Ethereal instead of the pcap file

FYI
- Wannabe: You can capture traffic directly from the interface
-- Me: Don't doubt me :) There's a good reason to go through the typing-everything course. :)
- Wannabe: when you yum install wireshark you get libpcap as a dependency.
-- Me: You should have used yum -y install wireshark
- Wannabe: There's no GPS security mechanism on Facebook!
-- Me: WTF are you reading the n00b section? Doubting ourselves, are we?

If anybody is interested, an automated "device" is available for social network penetration testing made by a startup security company.
The proof-of-concept automated software running on this device features:
- sniffing for social network logins and passwords
- backing up the primary information-database for every facebook account
- GPS mapping
and much more!
For this "poC-hacktool" please contact strahija.nikola@gmail.com for more information.