Hello Hackrs, today i will show you how facebook can be hacked in 2k17.
People today always search for the way to hack facebook without any pre-requisite skills. Facebook in infact far unreachable from getting hacked. But, you will need some skills for doing so and we thats what TheHackr is here for!
Looks damn complex, but it is very easy in reality to achieve success in social engineering. It is our favorite module in the Social Engineering Toolkit here at TheHackr.
By-the-way, all Facebook users should probably take note of this if you don’t want to get hacked!
STEP 1 Install Kali or run it in Live USB Mode
The first step is to download and install Kali Linux or Boot into Live USB mode without actually installing it. There are appropriate packages in Kali which we here use at TheHackr for real hacking.
If installed earlier, fire up Kali.
STEP 2Fire up BeEF
After booting into Kali, you could probably see an icon with a cow image. It is the BeEF package which we’re going to use here. When you click on it, it actually starts BeEF by starting a terminal.
BeEF runs in the background creating a web server on your machine such that you can access the UI from a browser. Once BeEF is up and running, open your browser, IceWeasel or Firefox depending on your Kali build. Enter the UI url to access the UI panel through the browser. You can login to BeEF by entering username as beef and the password as beef.
Now that you’ll be greeted by the BeEF’s ‘Getting Started’ screen.
STEP 3Hook the Victim’s Browser
We can simply embed the code into our website and entice the victim to click it. The script looks something like this-
Embed this into a webpage, so that we can lure the victim to click on it and hence you own their browser! There are other numerous ways to achieve this.
This can be also done using MitMf to send the code to the victim.
BeEF framework also has inbuilt sample malicious page. It can be accessed through the welcome page. Copy the address link and share it to the victim through other means.
So, for now let’s assume that the victim has clicked the vulnerable link and we’ve a hooked browser in the left list tab of our UI. If so, we officially own the victim’s browser by exploiting it.
STEP 4Send Facebook Session Timeout Dialoue Box to the Victim
Just after we’d successfully hooked the victim’s browser, we get the credentials of the victim such as IP address of it, along with the operating system information and the browser details in the left panel.
Clicking on the hooked browser, it opens a BeEF interface on the right side. On this first click, it shows up with the details of the hooked browser. Here we’re interested in Commands tab.
So click on the Commands tab and scroll down till you see the Modules Tree. Upon scrolling, you will come across with Social Engineering. Upon expanding it, you will be invited with number of social engineering modules. Here, we require Pretty Theft. Click on Pretty Theft and the options of it are showed up in the right column of the browser.
This module enables us to send a pop-up windows to the victim’s browser to rob any sort of information entered in it! Here we will be creating a fake Facebook session timeout popup dialog box.
Select Facebook in the Dialogue Type box. You might’ve already noticed that it also supports LinkedIn, YouTube, Windows or least, a generic dialog box. Now, without altering any thing else, click on the Execute button in the bottom to send a popup to the victim’s browser.
STEP 5Fake Popup Appears on the Victim’s Browser
Just after clicking the Execute button in the BeEF, a dialog box will appear in the victim’s browser like the on shown in the fig. below. It cites that their Facebook session has expired and they need to re-enter their credentials.
Though it may look suspicious for us as we’re Hackrs, it will look normal to daily users and simply enter their user credentials!
STEP 6Harvest the Acquired Credentials
It’s as simple as a click to harvest the thus acquired credentials of the victim. Back on our machine, we can see the credentials in the Command results window. As shown in the fig., in my case the email address is “email@example.com” and the password as “thehackr” as they’ve been captured from the hooked browser.
NOTEIf the Server Didn’t Start Properly
BeEF utilizes Apache as to create server environment to lure the victim to click on the malicious page under the same wifi or lan. If clicking on the BeEF icon didn’t start the server, one can always start beef by typing,
cd usr/share/beef-xss ./beef
So, let us know what you feel about this hack in the comments below!