daily pastebin goal

Facebook Hacking via Session Hijacking

a guest Jun 1st, 2012 172 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.                          +--------------------------------------------------------+
  2.                          +------>[ Facebook Hacking via Session Hijacking ]<------+
  3.                          +---------------------->[ @Fe1S ]<-----------------------+
  4.                          +------->[ #OpFacebook / #OpDefence / #Anonymous ]<------+
  5.                          +--------------------------------------------------------+
  6.                                                                             ~FuckCISPA.
  8. [Introduction]
  10.     Hello everyone, in this tutorial I will be showing you how to hack facebooks using one particular method of session hijacking. Please note that this tutorial was written so the most absolute beginner could easily understand and follow along. With that being said some of the information in the tutorial may be obsolete depending on your skill level. So what exactly is session hijacking? Session hijacking is a very simple concept. The idea is to steal a user’s authentication cookie and then replace your own with the stolen cookie, allowing you to login as that person. There are a few ways you can steal cookies such as cross site scripting or by using wireshark. In this method we will be using wireshark to sniff authentication packets from facebook, but we will get to all that later. Note that this will only work on a LAN so the best places to do this is at a school, university, hotspot, or some other public internet connection. What’s great about this method is how it works compared to other methods. I believe that this method of hacking facebooks is probably the easiest. This is because it bypasses some facebook login security. Facebook can detect if you are logging into your facebook from a different location (using ip address) prompting you with security questions such as recognizing tagged photos of friends. Since we will be hacking facebooks from a LAN everyone will have the same external IP, or the IP that facebook see’s will be the same. This IP is usually that of the modem or server of where the initial internet connection comes from. All in all it fools facebook into thinking it’s still the same person.
  12. [What you will need]
  14. *All downloads can be found at the bottom of this section*
  16.     First off you are going to need some tools in order to do this. The first thing you will need is firefox, if you already have firefox then good, read on. The reason we need firefox is because it has a few plug-ins that allow us to inject cookies easily. This plug-in is called greasemonkey and it allows you to run scripts. Later we will be using a cookie injector script in conjunction with greasmonkey. Once you have installed greasemonkey you are ready to get the network sniffing tools. This is how you will be stealing the cookies. So first you will need to download Cain & Able. What cain does is it brings the packets through your computer (using a man-in-the-middle attack via ARP poisoning) so that wireshark can see, and sniff them. Without cain this would be impossible because wireshark can only sniff network packets, other than your own, on a hubbed network. On a switched network (using a router) Wireshark would only be able to capture the packets being sent to and from your own machine. With that being said the last tool you will need is Wireshark. Once you have all of these tools installed and have tested to make sure they run properly you are ready to move onto the next step.
  20. Firefox: http://www.mozilla.org/products/download.html?product=firefox-11.0&os=win&lang=en-US
  21. Greasemonkey: https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/
  22. Cain: http://www.oxid.it/downloads/ca_setup.exe
  23. Wireshark: http://www.wireshark.org/download.html
  25. [Running Cain]
  27.     Start cain by right clicking on it and selecting run as administrator. You may get some messages about firewall settings, if so just allow cain through or turn your firewall off. Either way will work. If you have more than one network adapter (such as a NIC and Wifi card) cain should automatically select the active adapter but if not you can manually select which adapter you want. Do this by clicking on configure in the menu bar, select the adapter you wish to use, click apply and then Ok. Next were going to want to run the sniffer so we can see what machines are running on the network. To do this click on the sniffer tab and activate the sniffer by pressing the button that is in between the folder icon and the icon that looks like a radiation sign. After activating the sniffer a warning message may come up. Just hit ok. Next click the blue plus sign and a dialog box should come up. Leave the default settings and click ok. Cain is now Sniffing the network for machines. You should see the machines listed by their IP address, MAC address, and OUI fingerprint. At this point you want to locate which IP is the main router. You can do this by looking at the OUI fingerprint and looking for things like ‘Linksys LLC’, or ‘NETGEAR’, ect. This is important for later when we begin our ARP poisoning. If you still cannot locate the router/switch you can find it by using the command prompt. To do so goto start and in the search box type 'cmd' and press enter. Next enter the following command: ipconfig /all. Scroll up until you see your current network adapter, the router/switch IP address is listed under default gateway. Once you’ve located the router the next thing you will want to do is click on the APR tab located at the bottom. You should see a top section and a bottom section. Click somewhere in the top section and then click the blue plus sign again. A dialog box should come up with the Sniffed IP addresses on the left side. Go through the machines until you find the router IP and click on it. Then you should then see all the other IP addresses on the right side. Select all of the IPs from the right and then click Ok. The only thing left to do is to start poisoning. To start the ARP poisoning click the button that looks like a radioactive sign. The status of each connection should change from idle to poisoning. And you should see the packets moving in the bottom table. To actually steal the authentication cookies we will have to use wireshark, But first we will setup firefox for cookie injection.
  29. [Cookie Injection with Firefox]
  31.     Before we actually steal an authentication cookie I find it quicker and easier to setup firefox for cookie injection first. This is because the longer you wait after an authentication cookie is stolen the less chance you have of logging in with it (or at least from my experience). So the first thing you will want to do is delete all of your cookies. Do this by clicking firefox in the top left and then clicking on options. Next in the dialog box click on the privacy tab and then clicking the link that says “remove individual cookies” and then click remove all. Next you will need the cookie injector script which can be found here:
  33. http://dustint.com/code/cookieinjector.user.js
  35.     Please note that the cookie injector script is like some kind of temporary thing. I haven’t quite figured it out yet but if you remove all cookies with the above method then the cookie injector script will disappear (if anyone can shed some light on this let me know). Also when you close firefox the script will disappear. To make sure the script is installed click on the down arrow next to the greasemonkey icon located at the right under the close button. And make sure that the cookie injector script is there and checked. If you wish to use the script for more than one cookie you must delete the prior cookies before you inject a new one. Since clicking ‘remove all cookies’ will delete the script you can select the facebook.com folder and click ‘remove cookie’ and then proceed to inject the next cookie.
  37. [Running Wireshark]
  39.     Now it is finally time to steal some cookies. With cain already running, go ahead and startup wireshark. To start capturing packets just select the network adapter you wish to use under ‘Capture’. And you should see a flood of packets coming in the top box. The middle box shows the packet contents and the bottom shows the raw packet data which we can really ignore as we won’t be using it. Now we want to filter the packets so we only see packets which contain http cookies. To do this just type ‘http.cookie’ in the filter box located at the top left. Now look under the info column for packets that say ‘GET /pull?channel= . . .’ These are the authentication cookies. To copy the cookie click on the plus sign next to ‘Hypertext Transfer Protocol’ you should then see some information like ‘host’, ‘connection’, ‘origin’ and other things. Locate the line that says ‘cookie: c_user=2983749823; datr=wdfDfeVdsa . . . ‘ and click on it so the line is blue. Then right click on it, goto copy > bytes > and select printable text only. You now have the authentication cookie copied to your clipboard. All there is to do now is inject the cookie and login.
  41. [Injecting the cookie]
  43.     Now that we have the cookie copied just pull firefox back up and then navigate to facebook.com. Next press alt+c to start the cookie injector script and paste the copied cookie into the dialog box and press ok. You should get a confirmation that the cookie has been written. Now just refresh the page and you should be logged in.
  45. [conclusion]
  47.     If you have any questions please feel free to contact me via twitter @Fe1S.
  50. -Fe1s
RAW Paste Data