How to Hack Facebook (Facebook Password Extractor)

             Welcome back, my novice hackers!

    As we saw in my first tutorial on Facebook hacking, it is not a simple task. However, with the right skills and tools, as well as persistence and ingenuity, nothing is beyond our capabilities.

One of the cardinal rules of hacking is: "If I can get physical access to the computer... GAME OVER!" This means that if I were given even just a few moments to the machine itself, I can hack anything I want from that computer—including Facebook passwords.

I recognize that not all of you are technically savvy, though, that doesn't mean you can't be with some hard work. So this Facebook hack is for those of you without either the technical savvy or the work ethic to become so. All you need is a moment or two of unfettered physical access to the target's computer and you can easily have their Facebook password.

Remember Me?

This hack relies upon the fact that most of us want websites to remember us when we return. We don't want to put in our username and password every time we want to access the site, so we tell the browser to "Remember me." In that way, we don't need to re-authenticate and provide our password, our system simply remembers it and provides it to the website.

Of course, those passwords must be stored somewhere on our computer. The key is to know where those passwords are stored and how to crack the hashed passwords when we find them. For instance, Mozilla stores the users passwords at:

c:/Users/Username/AppData/Local/Mozilla/Firefox/Profiles/**.default/cache2/entries

As you can see in the screenshot below, I have displayed that directory and password hashes from a Windows 7 computer running Firefox 36. These are all the saved passwords from various websites that Firefox has stored.

Note that the location of these passwords is in different places for each browser and sometimes in different places on different operating systems with the same browser. Look for more on this subject in my Digital Forensics series in the near future.

Elcomsoft's Facebook Password Extraction Tool

Fortunately for us, there is a company in Russia named Elcomsoft.

This company employs first-rate cryptographers and they develop and sell software to crack various password encryption schemes. (As a side note, a cryptographer from Elcomsoft was the first person arrested and prosecuted under the DCMA when he came to the U.S. for a conference. He was eventually acquitted.)

Their software is listed as digital forensic tools, but they can just as easily be used for hacking purposes. One of their tools was used for the iCloud hack that revealed nude photos of Jennifer Lawrence and other Hollywood stars in August 2014.

Elcomsoft developed a Windows tool named Facebook Password Extractor (FPE, for short) that extracts the user's Facebook password from its location on the user's system (the user must have used the "Remember me" feature) and then cracks it. Of course, we need physical access to the system to do this in most cases. Alternatively, if we can hack their system, we could upload this tool to the target system and then use it or we could simply download the user's browser password file and use this tool locally on our system.

You can download this free tool from Elcomsoft's website, which officially supports the following web browsers (though it may work on newer versions).

• Microsoft Internet Explorer (up to IE9)
• Mozilla Firefox (up to Firefox 4)
• Apple Safari (up to Safari 5)
• Opera (up to Opera 11)
• Google Chrome (up to Chrome 11)

The process of using this tool is almost idiot-proof. (Almost a requirement for Facebook hacking, wouldn't you agree?) You simply install it on the system whose Facebook password you want to extract and it does everything else.

One of the drawbacks to using this tool is that Elcomsoft released it back in 2011 and it has not been updated since. Maybe we should make this a Python project for the Null Byte community in the near future?

Look for more on Facebook hacking and developing the skills and arts of a professional hacker here in the near future, my novice hackers!

Metasploit Basics, Part 5

Metasploit Basics, Part 5: Using Metasploit for Reconnaissance

Welcome back, my rookie hackers!

As you know, reconnaissance is a crucial part of the hacker/pentester's job. Without good reconnaissance, it is likely that all your work and effort will go for naught. As Metasploit has evolved from strictly an exploitation framework to a multi-faceted penetration testing tool, it has added additional capabilities including reconnaissance. No longer do you need to carry separate tools for reconnaissance and then exploitation. Metasploit can do it all.

Now, with the PostgreSQL database attached to Metasploit, we can save our results from port scanning and vulnerability scanning into the database and then use those results in the next phase of the penetration test.

Step #1 Fire Up Metasploit

The first step, of course, is to fire up Kali and start the msfconsole.

kali > msf

Step # 2 nmap and db_nmap

Usually, before starting a hack, we want to gather as much info on the target as possible. Let's begin by finding out what ports are open. Metasploit enables us to run nmap right from the msf prompt. Let's try scanning systems on our local area network with a TCP scan (-sT) looking for open ports between 1 and 1000 (-p1-1000).

msf >  nmap -sT 192.168.1810/24 -p1-1000

As you can see above, nmap was able to scan all the machines on our internal network and return the results of the open ports.

As I demonstrated in Metasploit Basic, Part 4, you can also use the DB-Nmap command to scan and save the results into Metasploit's PostgreSQL attached the database. In that way, you can use those results in the exploitation stage later.

msf > db_nmap 192.168.181.0/24

Step #3 Scanning Modules

Metasploit has a multitude of scanning modules built in. If we open another terminal, we can navigate to Metasploit's auxiliary modules and list all the scanner modules.

cd /usr/share /metasploit-framework/modules/auxiliary

kali > ls -l

Note in the screenshot above, the numerous directories containing modules for all sorts of auxiliary purposes. Let's navigate to the scanner directory and look inside.

kali > cd scanner

kali > ls -l

As you can see below, there are hundreds of scanner modules each inside a directory of a specific target type.

Let's go to the scada directory and look inside there.

As you can see there are 11 scada scanner modules.

Step #4 Conducting a SCADA Scan

Let's try using one of those SCADA scanner modules to conduct a scan on a SCADA system (for more on SCADA Hacking, see my SCADA series here).

msf > use auxiliary/scanner/scada/modbusclient

We need to set the RHOST, the NUMBER of coils to read and READ_COIL parameters.

As you can see in the screenshots above, we used this scada scanner to read the coils (the coils are ON/OFF switches inside the SCADA facility) on a remote SCADA system. This would be the first step before exploiting this system.

Step #5 MS SQL Login Scan

Among the numerous scans within Metasploit is one that can enumerate logins on Microsoft's flagship database server, SQL Server.

We can use this module by typing;

msf > use auxiliary/admin/mssql/mssql_enum_sql_logins

After loading the module, we learn more about this scanner by typing info.

msf > info

As you can see in the description, this module can be used to fuzz available SQL Server logins providing us with logins that can then be brute forced with one of many different passwords

cracking tools.

Once we provide it an RHOST, it begins scanning for available logins on the database server.

msf > set RHOST 192.168.181.129

msf > exploit

As you can see above, this scanner was able to find the login "as" account or the sysadmin of this SQL Server installation!

Conclusion

Reconnaissance is a crucial phase of the hacking/penetration testing process. Metasploit has added hundreds of reconnaissance modules, so that we may complete most of our reconnaissance right from Metasploit. Here, I have demonstrated just a few reconnaissance modules in Metasploit, but there are literally hundreds more so take some time to explore the many recon modules in Metasploit and it will likely save you hundreds of hours in your hack/most pent.