Facebook Credentials Revisited

Hey everyone, this guide will show the process of stealing your victims Facebook credentials. This is a followup to my previous post.

To successfully trick our victim into giving up their password, we will need the following:

• A way to insert ourselves between the victim and Facebook. I'll be using my arp spoofing script.
• A proxy to modify data sent between them. I'll use my own.
• A fake Facebook login page. We'll useHTTrack to copy the real one. Should be installed by default on a pentesting distro.

Step 1: Copying the Login Page

Using HTTrack to copy webpages is very simple. Type in

httrack https://xx-xx.facebook.com/login/

Where xx-xx is your language of choice, and press enter. HTTrack will quickly download the login page, and several files and directories will appear:

What interests us is in the directory /xx-xx.facebook.com/login/. index.html will appear there, and it's what we'll show to the victim later. You can move it somewhere else and delete the rest of the files, we won't need them.

Here is our fake login page, indistinguishable from the real one.

Step 2: Modifying Our Login Page to Suit Our Needs

Right now, if our victim logged in on our page, their credentials would be sent over HTTPS - That's no good! In order to make their data visible we'll have to change one thing in our site.

Open index.html in your favorite text editor and search for the text 'method="post"'. A bit before it you'll see an HTTPS link to xx-xx.facebook.com. Change it to HTTP, and we're golden.

Step 3: MITMing the Victim

Fun stuff starts here. We will execute a man-in-the-middle attack on the victim, causing all of their data to be sent through our computer.

If you use my script, type in

python arpspoof.py -r

and you're done.

If you use arpspoof, do this in two terminals:

arpspoof -t

arpspoof -t

I will be ARP poisoning my phone in this example.

Step 4: Preparing the Proxy

We'll have to have our proxy server redirect attempts to connect to Facebook to our page. If you are using my script, you can use this:

python proxy.py --spoof-domain facebook --spoof-with localfile

This will quietly replace the contents of any domain with "facebook" in its name with the contents of index.html in the same directory.

Otherwise, if you are using a third party proxy, I can't really help you with it. Sorry!

Step 5: Executing the Attack

Make sure you are arp poisoning the target, and have started the proxy. Once everything's set up, we are ready to go!

We will now wait until our target accesses Facebook. Once they do, here's what will happen:

Victim accesses facebook.pl...

We can see here that our proxy successfully intercepted the request, and has shown the malicious login to our victim. Awesome! Victim's address bar still shows the original address, and the page looks identical to the real one, so there's nothing they can be suspicious about.

Unfortunate victim enters their password, and it's shown to us! Attack successfull!

Now, there's a slight problem - the victim won't be logged in. That is because Facebook won't allow you to log in without using HTTPS, and we can't use HTTPS. What you can do is stop the proxy immediately after getting the password. The victim will likely think that Facebook just had a hiccup, and will try again, which will take them to the real login page.

Perhaps someone with greater knowledge of HTML could help solve this problem? Let me know what you think in the comments!