How To: Facebook Credentials Revisited

Hey everyone, this guide will show the process of stealing your victim's Facebook credentials. This is a follow-up to my previous post.

To successfully trick our victim into giving up their password, we will need the following:

  • A way to insert ourselves between the victim and Facebook. I'll be using my ARP spoofing script.
  • A proxy to modify data sent between them. I'll use my own.
  • A fake Facebook login page. We'll use HTTrack to copy the real one. It should be installed by default on a pentesting distro.

Step 1: Copying the Login Page

Using HTTrack to copy webpages is very simple. Type in
httrack https://xx-xx.facebook.com/login/

where xx-xx is your language of choice, and press Enter. HTTrack will quickly download the login page, and several files and directories will appear:

What interests us is in the directory /xx-xx.facebook.com/login/. index.html will appear there, and it's what we'll show to the victim later. You can move it somewhere else and delete the rest of the files; we won't need them.

Here is our fake login page, indistinguishable from the real one.

Step 2: Modifying Our Login Page to Suit Our Needs

Right now, if our victim logged in on our page, their credentials would be sent over HTTPS. That's no good! In order to make their data visible we'll have to change one thing in our site.

Open index.html in your favorite text editor and search for the text 'method="post"'. A bit before it you'll see an HTTPS link to xx-xx.facebook.com. Change it to HTTP, and we're golden.
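
Seen from the defending side, the change made in this step is easy to spot in the delivered HTML: a form that carries a password field but submits to a non-HTTPS URL. The following is an added example, not one of the scripts from this post; the sample page, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; host names are placeholders, not Facebook's markup.
SAMPLE_PAGE = """
<form action="http://login.example.test/login.php" method="post">
  <input type="text" name="email"><input type="password" name="pass">
</form>
<form action="https://login.example.test/search" method="get">
  <input type="text" name="q">
</form>
"""

class LoginFormAudit(HTMLParser):
    """Collect every <form> that contains a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current = None   # form currently being parsed, if any
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL,
            # so a page that was itself served over HTTP is caught as well.
            action = urljoin(self.page_url, a.get("action") or "")
            method = (a.get("method") or "get").lower()
            self.current = {"action": action, "method": method, "password": False}
        elif tag == "input" and self.current is not None:
            if (a.get("type") or "").lower() == "password":
                self.current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.current["password"]:
                self.forms.append(self.current)
            self.current = None

def cleartext_login_forms(html, page_url):
    """Return the password forms whose submission would not travel over HTTPS."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return [f for f in parser.forms if urlsplit(f["action"]).scheme != "https"]
```

A browser that has an HSTS policy for the site never makes the cleartext request that the proxy in the later steps depends on, so the swapped page is not delivered in the first place.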

Step 3: MITMing the Victim

Fun stuff starts here. We will execute a man-in-the-middle attack on the victim, causing all of their data to be sent through our computer.

If you use my script, type in
python arpspoof.py -r <router IP> <target IP>
and you're done.

If you use arpspoof, do this in two terminals:
arpspoof -t <target IP> <router IP>
arpspoof -t <router IP> <target IP>

I will be ARP poisoning my phone in this example.
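
ARP poisoning leaves visible traces in the target's neighbour cache: the router's IP suddenly resolves to the same MAC address as another host on the LAN, and that MAC no longer matches the router's real one. The following is an added detection example, not one of the scripts from this post; the `ip neigh` output, all addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: `ip neigh` output on a host whose cache was poisoned.
# 192.168.1.1 is assumed to be the router; every address here is made up.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.1.23 dev wlan0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.1.40 dev wlan0 lladdr 3c:5a:b4:11:22:33 STALE
192.168.1.77 dev wlan0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def find_arp_anomalies(table, gateway_ip, known_gateway_mac=None):
    """Flag the two symptoms ARP spoofing leaves in a neighbour cache."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # Symptom 1: the gateway shares its MAC with another IP on the segment.
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            findings.append(("shared-mac", mac, sorted(ips)))
    # Symptom 2: the gateway MAC differs from a baseline recorded earlier.
    current = table.get(gateway_ip)
    if known_gateway_mac and current and current != known_gateway_mac.lower():
        findings.append(("gateway-mac-changed", current, [gateway_ip]))
    return findings

if __name__ == "__main__":
    cache = parse_neigh(SAMPLE_NEIGH)
    for finding in find_arp_anomalies(cache, "192.168.1.1", "C4:6E:1F:00:00:01"):
        print(finding)
```

Treat a shared MAC as a lead rather than proof, since proxy ARP and hosts with several addresses on one interface produce the same pattern; the baseline comparison is the stronger signal.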

Step 4: Preparing the Proxy

We'll have to have our proxy server redirect attempts to connect to Facebook to our page. If you are using my script, you can use this:

python proxy.py --spoof-domain facebook --spoof-with localfile

This will quietly replace the contents of any domain with "facebook" in its name with the contents of index.html in the same directory.

Otherwise, if you are using a third party proxy, I can't really help you with it. Sorry!

Step 5: Executing the Attack

Make sure you are ARP poisoning the target, and have started the proxy. Once everything's set up, we are ready to go!
We will now wait until our target accesses Facebook. Once they do, here's what will happen:

Victim accesses facebook.pl...

We can see here that our proxy successfully intercepted the request, and has shown the malicious login to our victim. Awesome! The victim's address bar still shows the original address, and the page looks identical to the real one, so there's nothing they can be suspicious about.

The unfortunate victim enters their password, and it's shown to us! Attack successful!

Now, there's a slight problem - the victim won't be logged in. That is because Facebook won't allow you to log in without using HTTPS, and we can't use HTTPS. What you can do is stop the proxy immediately after getting the password. The victim will likely think that Facebook just had a hiccup, and will try again, which will take them to the real login page.

Perhaps someone with greater knowledge of HTML could help solve this problem? Let me know what you think in the comments!

10 Comments

Awesome! Can you get credentials from iphone as well?

I don't have an iPhone to test, but most likely yes.

Very good tut, I can't wait to try this on my own profile, and thanks for the py scripts!

Thank you, and you're welcome!

Could you script it so that once creds are captured it immediately ends the spoof for that target? Or maybe once they make a POST it sends them to a real Facebook login page?

~Suser

You can add "sys.exit(0)" at line 245, after the for loop, to have the proxy exit as soon as it prints captured credentials.

Awesome tutorial mahn... you never seem to amaze

Wuzi out

Maybe you could send the POST data (using a simple PHP file) to 69.171.230.68 and then kill the proxy? I'm not sure though if their IP will force a redirect to facebook.com (which would just load the fake page again).

Anyway, great tutorial, thanks for that!

Does this method still work? I used the scripts given in this post and followed each and everything just as it's written. The issue I encountered was that at first, the login page wasn't even opening on the target device but after refreshing the page numerous times, it finally loaded, but the script terminal just kept on waiting for a connection. I'm also a bit confused about the path to the 'local file'. It's located in my root folder. I've tried writing it as "/root/index.html" and simply as "index.html". Rest assured, I've already checked the internet connection and it's working at optimal level. Am I doing something wrong?

Awesome! I know, it's been a while, but I just want to add that you can solve the "Auto-Disconnect-Refresh" problem by simply inserting a PHP script into index.html that refreshes the site after the POST request has been sent (Proxy needs to be turned off at this point).

Greetings!
~ chrizator
