How Elliot of Mr. Robot Could Easily Hack Fb and Bank Accounts.

First of all there is no such thing as hacking Facebook ID, Second of all the show won't be 100% real right? The only ways to hack someone facebook is by phishing or installing a keylogger on their computer or stealing the saved data from the browser.

And that's what Elliot did, he hacked a target and got access by others ways in order to use malware/keylogger
There was also a password generator with keywords, that were obtained from social engineering

If you think that, you have no idea what you are talking about, you can easily hack ANY social Media account with bruters or using exploit tools such as metasploit.

What do you mean by "those are the only ways"? Where did you put data dumps, dictionary attacks, rainbow tables, brute-force?

As Butwhy42 already mentioned Elliot has an Wordlist generator.

The good news is: Kali already has one pre installed AND here is an Tutorial for that Bad news: I'm to fool to search for the tutorial right now and i'm running Arch and don't have everything installed so i cannot even tell you the name but i will explain to you how it works.

Elliot also explains most of this in the Show.

At the End of the first Episode Elliot is trying to crack the password of Michael Handson (i hope that's how you spell it haha :)).

As you probably know it didn't work and he says that he is too old to have an complicated password.

People often use password which include their Birthday (i have to mention that my birthday is not in 1967..) so they can memorize it easier.

For sure this 2-3 minutes attacks are really unrealistic but i think when you have the right informations about your victim you can get the password in 1-2 hours.

You don't even have to crack the Facebook password.
It's important to attack the weakest link.

The reason for this is that most people use the same password for every service. When you know you're victim is on an Website which isn't really secure against any Brute-Force or Wordlists attacks you should try to attack those because then you most likely will have access to all other Accounts like Facebook, Amazon or G-Mail.

Firstly, Elliot uses his own program called elpsrk. But that is not a realistic tool. In order to mimic elliot's attack u will need cupp and hydra or even medusa.

Hope this helps.

You can't crack facebook accounts since they are brute-force protected

Does brute-force protected mean "IMPENETRABLE" to you? And with the right time, nothing is brute-force protected. Facebook accounts, with the right knowledge and time, CAN be hacked. Facebook is a not a godly, impenetrable, holy system.

But if u use the attack I mentioned u can brute force the brute "forcable" accounts. Get the password, try it out on the other accounts like fb, maybe u'll be lucky.

Yeah i know, but other websites are implementing anti-brute force techniques, so it's getting harder

you can write some sort of script that changes your IP automatically after a number of attempts,so the anti-brute force systems won't be a problem.

They aren't that stupid, the anti-brute force system doesn't rely on the ip but Rely on the account ID, so changing ip's won't help

I would go after email since that would be a way to reset the FB account to get access. Just saying.

Gmail implented an anti-brute force system afaik, you could try for yourself

Elliot didn't really brute force the passwords. He attempted well known passwords (such as 123456seven ) and built password lists that included information he knew about the target (birthdate reversed for his psychotherapist).

People build passwords based upon things they can easily remember. These passwords usually embed some characteristic of the target such as pet names, spouse names, birthdates, etc. Elliot simply is exploiting this human "flaw". He is not brute forcing millions of passwords. That is inefficient and should only be used as a last resort.

CUPP wordlist profiler is the solution.

what about this?

Facebook is constantly updating, look the date of the video: 2012. There will always be weakness in programs/websites, but if you can't find it, you wont be able (more or less) to use it before it got patched.

also you can use the following

social engineering attack buy cloning FB, use tiny url so you dont make suspicious URL, then gather information about victim to create a trust,

shit, iam helping the evil to breed...

anyway its what called Credential Harvester Attack Method

One word: Social engineering, oops those are two words :p

In the real world, hacking websites like Facebook is not always a one trick pony. I believe I mentioned this in another forum, but I love hacking because of it's creative aspects. That is also why I love social engineering; There will never be just one way to do anything.

Hopefully this will help you come to a conclusion and maybe even plan a well thought out Facebook attack to post to Null Byte!

I agree with all of you. there can be numerous possibilities. people at fb and gmail are not fools who would let anyone hack the accounts.

but the way elliot did in the show was very quick. I mean he would just crack passwords in minutes (again im not talking about brute force).

he even logged into the bank account of her friend. Maybe it is unreal. Hacking is not that easy. we all know this.

I think it's good that it show how it's easy to crack anything, because even if it's obviously more difficult, for the random user there is no difference between the show and the 'little more difficult reality' and let's be honest, it's a low price to pay for such a (finally) good serie about security

You all seem to forget elliot had physical/proximity access to everything he hacked

24 Responses

Share Your Thoughts