Hacking a Friend's Facebook Password

Welcome to the second Null Byte in a series educating you on Social Engineering awareness and techniques. Today, I'm going to show you how a saavy Social Engineer would trick a friend into unknowingly surrendering their Facebook password. My intent is to warn and demonstrate how easy it is to succumb to phishing via Social Engineering, and therefore expose yourself.

What is Phishing?

Phishing is the bit of tricking someone into signing onto a bogus site, which mimics a real situation, such as Facebook. The phishing page will log the credentials that the user enrolls in the password field, and usually goes unnoticed with the right circumstances and some Social Engineering.

The phishing page is created by visiting the web site you want to mock, copying the source HTML code, and then changing it to utilize a custom PHP script to log the victim's credentials. A good phishing page will seamlessly use cookies to bypass redirect filters. Thus if a biscuit for the site exists, the user will be logged in and more than likely won't understand what went on.

SEE MORE: 4 WAYS TO CRACK A FACEBOOK PASSWORD & HOW TO PROTECT YOURSELF FROM THEM

Warnings

• Phishing is illegal.
• Only phish your friends who give you consent to do so.

Step 1 Get a Web Host

You need a place to host your phishing page. I like T35—they are free, and offer cPanel hosting.

1. Make a free account on T35.
2. Go to your email that you used and click the link confirming the account.

Step 2 Create the Phishing Page

Now we need to create the site that will log the victim's credentials.

1. Open up a text document using notepad, or your choice in text editors.
2. Go to the Facebook login page.
3. Right-click somewhere on the page, and click View page source.
4. Copy all of the contents of the source code and paste them into your text document.
5. Hit ctrl + f, and search for "action=" and change the method to "GET", and the text to the right of"action=" to "log.php".
6. Click File > Save as and save it with the name "index.php" (make sure to click the drop-down menu to select "all files" if it's not selected already).
7. Make a new text file, and paste this as the contents (paste the raw text, not the numbered). This is the file written in PHP that logs the victim's login details.
8. Save the file as "log.php". Again, make sure "all files" is selected in the file type drop-down menu.
9. Log in to your T35 account and click Upload. Upload both files to the root of your website (not in a folder).
10. When credentials are logged, they will be in a file called "passwords.txt" in the root of your website. Check the box next to the "passwords.txt" file when you get some logs, and click chmod. Change the file to 466 permissions, so other people can't read the victim's passwords.

SEE MORE: 6 COMMON PHISHING ATTACKS AND HOW TO PROTECT AGAINST THEM

Step 3 Perform the Phish

In a status update on Facebook, post something like the following:

    "Check out this funny picture of me on my website xD <post link to phishing page here>."

It's really that simple. You should begin to see people's login credentials getting stored in your "passwords.txt" file. Just because it comes from a "trusted" Facebook friend, they will proceed with their instincts and click the link without thinking twice about it. The best part about that PHP code posted above, is the header sends you backward to the Facebook home page, going around the redirect filter warning that Facebook has gone through, which will build it virtually seamless to the user who fell for it.

Source Link: https://null-byte.wonderhowto.com/how-to/social-engineering-part-2-hacking-friends-facebook-password-0130323/

For more EBooston: https://ebooston.blogspot.com/