How to hack any Facebook account in under a minute, by sending just one SMS
A UK-based security researcher going by the name of "fin1te" has earned himself $20,000 after uncovering a way to hack into any account on Facebook, just by sending a mobile phone text message.
This should - obviously - have been impossible, but due to a weakness in Facebook's tangled nest of millions and millions of lines in code, potentially hundreds of millions of accounts were vulnerable to hijacking through the simple technique.
The first thing to do is send the letter "F" in an SMS message to Facebook, as though you were legitimately registering your mobile phone with the social network. In the UK, the SMS shortcode for Facebook is 32665.
Facebook responds, via SMS, with an eight character confirmation code.
The normal sequence of events would be to enter that confirmation code into a Facebook form, and go on your merry way...
But fin1te discovered that a vulnerability existed on that form, that could be exploited to use the confirmation code he had been sent by Facebook via SMS with *anyone* else's account.
What fin1te had uncovered was that one of the elements of the mobile activation form contained, as a parameter, the user's profile ID. That's the unique number associated with your intended target's account.
Change the profile ID that is sent by that form to Facebook, and the social network might be duped into thinking you are someone else linking a mobile phone to their account.
Therefore, the first step needed to hijack someone's account in this way requires your victim's unique Facebook profile ID.
If you don't know what someone's numeric profile ID is, you can always look it up using freely-available tools - they aren't supposed to be a secret.
Sure enough, fin1te was able to replace the profile ID parameter sent by his browser to Facebook with the unique number of the account he wanted to access...
.. and within seconds his his mobile phone was sent an SMS confirming that he had successfully connected the device to the account.
Success. A Facebook account now has a third-party's mobile phone number associated with it. Without any need for malware or phishing. All that was done was to send an SMS text message.
The final stage of the account hijacking is straightforward. Facebook allows you to log into its system using your mobile number rather than an email address if you want, so at login you enter the mobile phone number you have associated with your victim's account, and request a password reset via SMS.
Sure enough, fin1te discovered that Facebook duly sent him the password reset code for the account - meaning he could change the account's password, and lock out its legitimate user.
This is an incredibly simple but powerful way to take over anybody's Facebook account.
The good news is that fin1te disclosed the vulnerability responsibly to Facebook, rather than exploited it for malicious intentions or sold it to other parties. Facebook has fixed the problem so others can no longer take advantage of this serious security hole. For his troubles, Facebook awarded fin1te a hefty $20,000 worth of bug bounty and fixed the vulnerability.
But there's no doubt that on the underground market, perhaps sold to cybercriminals or intelligence agencies, fin1te's discovery could have earned him even more money.
Who knows what other serious security vulnerabilities may lay inside Facebook that haven't been responsibly reported to the company's security team?
4 Ways to Crack a Facebook Password and How to Protect Yourself from Them
Despite the security concerns that have plagued Facebook for years, most people are sticking around and new members keep on joining. This has led Facebook to break records numbers with over one billion monthly active users as of October 2012—and around 600 million active daily users.
We share our lives on Facebook. We share our birthdays and our anniversaries. We share our vacation plans and locations. We share the births of our sons and the deaths of our fathers. We share our most cherished moments and our most painful thoughts. We divulge every aspect of our lives. We even clamor to see the latest versions even before they're ready for primetime.
But we sometimes forget who's watching.
We use Facebook as a tool to connect, but there are those people who use that connectivity for malicious purposes. We reveal what others can use against us. They know when we're not home and for how long we're gone. They know the answers to our security questions. People can practically steal our identities—and that's just with the visible information we purposely give away through our public Facebook profile.
The scariest part is that as we get more comfortable with advances in technology, we actually become more susceptible to hacking. As if we haven't already done enough to aid hackers in their quest for our data by sharing publicly, those in the know can get into our emails and Facebook accounts to steal every other part of our lives that we intended to keep away from prying eyes.
In fact, you don't even have to be a professional hacker to get into someone's Facebook account.
It can be as easy as running Firesheep on your computer for a few minutes. In fact, Facebook actually allows people to get into someone else's Facebook account without knowing their password. All you have to do is choose three friends to send a code to. You type in the three codes, and voilà—you're into the account. It's as easy as that.
In this article I'll show you these, and a couple other ways that hackers (and even regular folks) can hack into someone's Facebook account. But don't worry, I'll also show you how to prevent it from happening to you.
Method 1: Reset the Password
The easiest way to "hack" into someone's Facebook is through resetting the password. This could be easier done by people who are friends with the person they're trying to hack.
The first step would be to get your friend's Facebook email login. If you don't already know it, try looking on their Facebook page in the Contact Info section.
Next, click on Forgotten your password? and type in the victim's email. Their account should come up. Click This is my account.
It will ask if you would like to reset the password via the victim's emails. This doesn't help, so press No longer have access to these?
It will now ask How can we reach you? Type in an email that you have that also isn't linked to any other Facebook account.
It will now ask you a question. If you're close friends with the victim, that's great. If you don't know too much about them, make an educated guess. If you figure it out, you can change the password. Now you have to wait 24 hours to login to their account.
If you don't figure out the question, you can click on Recover your account with help from friends. This allows you to choose between three and five friends.
It will send them passwords, which you may ask them for, and then type into the next page. You can either create three to five fake Facebook accounts and add your friend (especially if they just add anyone), or you can choose three to five close friends of yours that would be willing to give you the password.
How to Protect Yourself
Use an email address specifically for your Facebook and don't put that email address on your profile.
When choosing a security question and answer, make it difficult. Make it so that no one can figure it out by simply going through your Facebook. No pet names, no anniversaries—not even third grade teacher's names. It's as easy as looking through a yearbook.
Learn about recovering your account from friends. You can select the three friends you want the password sent to. That way you can protect yourself from a friend and other mutual friends ganging up on you to get into your account.
Method 2: Use a Keylogger
Software Keylogger
A software keylogger is a program that can record each stroke on the keyboard that the user makes, most often without their knowledge. The software has to be downloaded manually on the victim's computer. It will automatically start capturing keystrokes as soon as the computer is turned on and remain undetected in the background. The software can be programmed to send you a summary of all the keystrokes via email.
CNET has Free Keylogger, which as the title suggests, is free. If this isn't what you're looking for, you can search for other free keyloggers or pay for one.
Hardware Keylogger
These work the same way as the software keylogger, except that a USB drive with the software needs to be connected to the victim's computer. The USB drive will save a summary of the keystrokes, so it's as simple as plugging it to your own computer and extracting the data. You can look through Keelog for prices, but it's bit higher than buying the software since you have the buy the USB drive with the program already on it.
How to Protect Yourself
Use a firewall. Keyloggers usually send information through the internet, so a firewall will monitor your computer's online activity and sniff out anything suspicious.
Install a password manager. Keyloggers can't steal what you don't type. Password mangers automatically fill out important forms without you having to type anything in.
Update your software. Once a company knows of any exploits in their software, they work on an update. Stay behind and you could be susceptible.
Change passwords. If you still don't feel protected, you can change your password bi-weekly. It may seem drastic, but it renders any information a hacker stole useless.
Method 3: Phishing
This option is much more difficult than the rest, but it is also the most common method to hack someone's account. The most popular type ofphishing involves creating a fake login page. The page can be sent via email to your victim and will look exactly like the Facebook login page. If the victim logs in, the information will be sent to you instead of to Facebook. This process is difficult because you will need to create a web hosting account and a fake login page.
The easiest way to do this would be to follow our guide on how to clone a website to make an exact copy of the facebook login page. Then you'll just need to tweak the submit form to copy / store / email the login details a victim enters. If you need help with the exact steps, there are detailed instructions available by Alex Long here on Null Byte. Users are very careful now with logging into Facebook through other links, though, and email phishing filters are getting better every day, so that only adds to this already difficult process. But, it's still possible, especially if you clone the entire Facebook website.
How to Protect Yourself
Don't click on links through email. If an email tells you to login to Facebook through a link, be wary. First check the URL (Here's a great guide on what to look out for). If you're still doubtful, go directly to the main website and login the way you usually do.
Phishing isn't only done through email. It can be any link on any website / chat room / text message / etc. Even ads that pop up can be malicious. Don't click on any sketchy looking links that ask for your information.
Use anti-virus & web security software, like Norton or McAfee.
Method 4: Stealing Cookies
Cookies allow a website to store information on a user's hard drive and later retrieve it. These cookies contain important information used to track a session that a hacker can sniff out and steal if they are on the same Wi-Fi network as the victim. They don't actually get the login passwords, but they can still access the victim's account by cloning the cookies, tricking Facebook into thinking the hacker's browser is already authenticated.
Firesheep is a Firefox add-on that sniffs web traffic on an open Wi-Fi connection. It collects the cookies and stores them in a tab on the side of the browser.
From there, the hacker can click on the saved cookies and access the victim's account, as long as the victim is still logged in. Once the victim logs out, it is impossible for the hacker to access the account.
How to Protect Yourself
On Facebook, go to your Account Settings and check under Security. Make sure Secure Browsing is enabled. Firesheep can't sniff out cookies over encrypted connections like HTTPS, so try to steer away from HTTP.
Log off a website when you're done. Firesheep can't stay logged in to your account if you log off.
Use only trustworthy Wi-Fi networks. A hacker can be sitting across from you at Starbucks and looking through your email without you knowing it.
Use a VPN. These protect against any sidejacking from the same WiFi network, no matter what website you're on as all your network traffic will be encrypted all the way to your VPN provider.
Protecting Yourself: Less Is More
Social networking websites are great ways to stay connected with old friends and meet new people. Creating an event, sending a birthday greeting and telling your parents you love them are all a couple of clicks away.
Facebook isn't something you need to steer away from, but you do need to be aware of your surroundings and make smart decisions about what you put up on your profile. The less information you give out on Facebook for everyone to see, the more difficult you make it for hackers.
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy)
A flaw in a feature added to Wi-Fi, called Wi-Fi Protected Setup (WPS), allows WPA and WPA2 security to be bypassed and effectively broken in many situations. Many access point they have a Wifi Protected Setup enabled by default (even after we hard reset the access point).
this command will lists our wireless card that attached with our system.
2. The next step we need to stop our wireless monitor mode by running airmon-ng stop wlan0
3. Now we ready to capture the wireless traffic around us. By running airodump-ng wlan0 our wireless interface will start capturing the data.
From the picture above, we can see many available access point with all the information. In the green box is our victim access point which is my own access point
Information:
BSSID (Basic Service Set Identification): the MAC address of access point
PWR: Signal level reported by the card.
Beacons: Number of announcements packets sent by the AP
#Data: Number of captured data packets (if WEP, unique IV count), including data broadcast packets.
#/s: Number of data packets per second measure over the last 10 seconds.
CH: Channel number (taken from beacon packets).
MB: Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g.
ENC: Encryption algorithm in use.
CIPHER: The cipher detected. TKIP is typically used with WPA and CCMP is typically used with WPA2.
AUTH: The authentication protocol used.
ESSID: Shows the wireless network name. The so-called “SSID”, which can be empty if SSID hiding is activated.
4. From the step 3 above, we can find access point with encryption algorithm WPA2 and note the AP channel number. Now we will find out whether target AP has WPS enabled or not.
wash -i wlan0 -c 8 -C -s
if the WPS Locked status is No, then we ready to crack and move to step 5.
5. The last step is cracking the WPA2 password using reaver.
reaver -i <your_interface> -b <wi-fi victim MAC address> –fail-wait=360
Because we already get the information from step 3 above, so my command look like this:
it took about 5 hours to crack 19 characters WPA2 password (vishnuvalentino.com) from my Kali virtualBox, but it depend with our hardware and wireless card.
Conclusions:
1. WPA and WPA2 security implemented without using the Wi-Fi Protected Setup (WPS) feature are unaffected by the security vulnerability.
2. To prevent this attack, just turn off our WPS/QSS feature on our access point. See picture below (I only have the Chinese version )
Notes: Only practice this tutorial on your own lab and your own device. Hacking can be a crime if you don't know where to put it.
How To Make Format Hard Disk Virus Using Notepad
Steps:
1. Open Notepad, click on Start, All Programs, Accessories and then click on Notepad.
3. Now click on Save Button or simply press Ctrl + S to Save your Document As A .bat Like Virus.bat
Description:
Note:- This is for Educational Purpose Only. Do it with your own Risk.
AND So Carefully us it
How to create app without coding
If you want to make app you should have to make an gmail account
After making an gmail account you should have to install speede bro app from this web site http://www.appsgeyser.com/171
Then you should have to click on the appsgeyser tile and click on create app
Then select that which type of app you have to make and make it
Then by clicking on submit button you will appear a form then fill that form and then enjoy your app has been done then you can publish app at play store.
)
No comments:
Post a Comment