Hello People…… this going to be about how to get Facebook password via setting up a fake login environment for the victim to login and we able to harvest the username and password without any indication to the Facebook owner….
Facebook is a popular social site… a lot of people use it on daily basis, what they are not aware is, its hackable…, most people think its just a social site, hence, its not so important to secure it, so, they ignore…. logging into Facebook account in public network may give away your credentials and your informations… [ This really happened to me several years ago, someone got my page and posted that i’m dead! my phone rang non stop on that day… sigh ]
In my training days, my students would login Facebook on the training pc and start checking the update status while the training is going on, well its not a big problem, it doesn’t really distract them, but, they just keep an eye on the status updates and another eye on me.. :)….and I would warn them, that logging in using public computers is dangerous…. but… well, they don’t really care much.
So, I decided to reveal the easiest method to catch the username and password in a public environment. e.g Starbucks, Training Rooms, Hotels, Train Stations , Airports…. and so on….
With this information, I hope, people will be more vigilant before logging into Facebook from a public network.
UPDATE!!! :: this method called MiTM ( Man in the Middle Attack ) means, you need to be in the middle of the victim and the Internet!
I’ve designed a structure to understand the steps involved.
- Configure SET Tool kit [ Social-Engineer Toolkit ]
- Configure DNS Spoofing
Before you begin to run this and test it on your own environment, make sure this requirements are met,
- A Laptop : 4GB Ram and above
- VMware Workstation / VMware Fusion [ www.vmware.com ]
- A Switched Network ( LAN or WLAN ) [ http://en.wikipedia.org/wiki/Fully_switched_network ]
- Kali Linux [ www.kali.org ]
- Network Protocol Knowledge : e.g IP , TCP , HTTP & HTTPS [ http://en.wikipedia.org/wiki/Lists_of_network_protocols ]
- Linux Command Knowledge [ http://www.tldp.org/LDP/intro-linux/html/ ]
Setup your VM to boot Kali Linux [ I assume you know how to setup a Virtual Machine, if not head to this site and learn] then, get connected to your target network , make sure you are in the Network by performing a casual browsing. Once you are set in the target network, boot your Kali Linux VM and get the VM to be connected to the target network as well.
3. Configure SET Tool kit [ Social-Engineer Toolkit ]
Once you got your IP address, you need to start SET tool in Kali Linux, just run ” setoolkit ” from your terminal, SET is a tool that included inside Kali Linux to perform massive Hacking Attack, there’s a tool within that can create a fake page of www.facebook.com and it will setup a web server to run inside your computer and act as the www.facebook.com itself…. and all this is done automatically…. cool huh?
Lets take a look at the steps to create a fake Facebook page…
Once the SET tool started the fake Facebook login, Now Leave that window alone and move to next step… [ You may want to browse to your OWN ip address to verify the fake website is up and running ]
4. Setup DNS Spoofing
DNS Spoofing, is an old type attack that exist very very long time ago…. what actually they do is, an attacker will forge entry of a specific DNS host ( in our case, its www.facebook.com ) and poison the network with that forged entry, any victim that query for www.facebook.com, will be given with a fake DNS record/answer that eventually pointing to our fake Facebook page….
So, lets take a look at the setup.
Then, you need to run these command to poison the whole network [ Be very careful when doing this, the whole network will be poisoned, therefore not recommended to run in a large network ]. As a part of technical view, I’ve included the before and after effects from 2 most used client computers, a MAC and Windows.
Now your whole network would be poisoned with your fake DNS record…, by now if anyone is trying to access www.facebook.com, it will land on your fake FB page… the results? Next…
This is the result of logging in Facebook via the fake Facebook login…
I’ve tried with my own account and my friend’s account [ off course, its with her 100% permission 🙂 ]
So… That’s the FACEBOOK password hack…. it can work with bank’s website as well, but, that’s the reason banks have dual login method, first they give you the Username prompt and then they give you the password prompt …. so, its still safe…. 🙂
All I would suggest is, be vigilant, and DO NOT login to WEBSITES that has your information in PUBLIC network, so, the next time you visit Starbucks, just drink coffee and socialise with a human instead with Facebook! Okay? Have Fun !!!
and there’s one more thing, you need to setup CA Server, Certificate Signing and Configure some Certificate settings and proxy redirect before this can be done…if not, the victim would know its a fake page, that would be a long tutorial to write here, so, if you are interested, Attend training, read wiki’s, google it , bing it..or buy me beer… you can get the detailed info… 🙂
*all this DEMO was done in a Controlled environment, no DOGS or CATS were harmed during the production of this DEMO.
*all FACEBOOK account used in the DEMO is with 100% permission from the owner[s].
*Use all the information with your own risk, www.steven.com.my do not condone this demo to be used in real public environment.