Facebook Credentials Revisited
Hey everyone, this guide will show the process of stealing your victims Facebook credentials. This is a followup to my previous post.
To successfully trick our victim into giving up their password, we will need the following:
Using HTTrack to copy webpages is very simple. Type in
Where xx-xx is your language of choice, and press enter. HTTrack will quickly download the login page, and several files and directories will appear:
What interests us is in the directory /xx-xx.facebook.com/login/. index.html will appear there, and it's what we'll show to the victim later. You can move it somewhere else and delete the rest of the files, we won't need them.
Here is our fake login page, indistinguishable from the real one.
Right now, if our victim logged in on our page, their credentials would be sent over HTTPS - That's no good! In order to make their data visible we'll have to change one thing in our site.
Open index.html in your favorite text editor and search for the text 'method="post"'. A bit before it you'll see an HTTPS link to xx-xx.facebook.com. Change it to HTTP, and we're golden.
Fun stuff starts here. We will execute a man-in-the-middle attack on the victim, causing all of their data to be sent through our computer.
If you use my script, type in
python arpspoof.py -r <router IP> <target IP>
and you're done.
If you use arpspoof, do this in two terminals:
arpspoof -t <target IP> <router IP>
arpspoof -t <router IP> <target IP>
I will be ARP poisoning my phone in this example.
We'll have to have our proxy server redirect attempts to connect to Facebook to our page. If you are using my script, you can use this:
python proxy.py --spoof-domain facebook --spoof-with localfile
This will quietly replace the contents of any domain with "facebook" in its name with the contents of index.html in the same directory.
Otherwise, if you are using a third party proxy, I can't really help you with it. Sorry!
Make sure you are arp poisoning the target, and have started the proxy. Once everything's set up, we are ready to go!
We will now wait until our target accesses Facebook. Once they do, here's what will happen:
Victim accesses facebook.pl...
We can see here that our proxy successfully intercepted the request, and has shown the malicious login to our victim. Awesome! Victim's address bar still shows the original address, and the page looks identical to the real one, so there's nothing they can be suspicious about.
Unfortunate victim enters their password, and it's shown to us! Attack successfull!
Now, there's a slight problem - the victim won't be logged in. That is because Facebook won't allow you to log in without using HTTPS, and we can't use HTTPS. What you can do is stop the proxy immediately after getting the password. The victim will likely think that Facebook just had a hiccup, and will try again, which will take them to the real login page.
Perhaps someone with greater knowledge of HTML could help solve this problem? Let me know what you think in the comments!