Topic: ARP Spoofing - Stealing Facebook Logins at Starbucks  (Read 17798 times)
Author: Spy
« on: October 02, 2011, 07:12:37 PM »

Ohai guys. Today I'm going to show you a very blackhat tutorial, how to steal Facebook logins (or any other website really) over any wifi connection.

It's pretty simple really; we'll be using a method called ARP Spoofing, or ARP Cache Poisoning. The way it works is the attacker (you) sends out a fake ARP packet to the victim (hipster at Starbucks) that associates your computer with his packets instead of the router. You then forward all of his packets to the router, and act as a man-in-the-middle, allowing you to grab any data he's sending while he continues to drink his shitty latte and is none the wiser.

How the fuck do we do this?
Okay, so that sounded complicated. Luckily, there's a tool that'll let us do this without messing around with crafting packets from scratch; it's called Cain & Abel.
Cain & Abel is defined as "a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols".

How do I use it?
First, you have to download it here: http://www.oxid.it/cain.html and install. After that, simply fire up the tool and select the Sniffer tab. You'll want to put your card in monitor mode; you can do so by clicking the little card icon. It might come up asking for your network card, just select the one you normally use and hit enter.



Okay, so now what?
Now we have to see who's on our network so we can target hipsters.
Right click and hit "Scan MAC Address", and then click OK.
Your table should now show everyone on the network. Pick one of those IPs and remember it; this is our target.
Now you can click the little "APR" tab on the bottom. Next, click the plus and select the IP of the router (192.168.0.1 in our case) and the IP of the target (192.168.0.103) and click OK.



Sweet, but how do we steal?
Okay, so now we are ready to attack. Before we actually poison the target, we should set up some DNS spoofing. DNS stands for Domain Name Server or Domain Name System. It basically is the system that tells your computer to go to a website's IP when you type in the URL.
Using Cain, we can change the IP it goes to, so we can route facebook.com's URL to our local machine.
First, click "APR-DNS" and then click add to list. In the box, type "facebook.com" and then your local IP (mine was 192.168.0.110). I've done this for "www.facebook.com" as well.



Wait, what does this all mean?
So now, whenever the hipster goes to "http://facebook.com" he is automatically redirected to your computer without knowing. At this point, all that will come up is a 404, because we're not actually running anything at port 80 on our box.
You can run a web server to serve up some pages, and they'll look exactly the same as Facebook to our victim (the URL bar will still say facebook.com).
I'm running WAMP, which is free to download and use. I'm not going to cover setting it up in this tutorial, but it's pretty easy and you should be able to without much of an issue.
I've also created a clone of facebook for you guys to use. This little script automatically takes whatever the user types in as his username and password and saves it to a text file for you, while looking exactly like Facebook's homepage. I've uploaded the files here: http://www.mediafire.com/?m6d3gu3o13d16d5
Simply put those files in the "www" folder of your web server, and you're good to go.

So how do we start the attack?
All you need to do now is make sure WAMP is running, and click the little radioactive symbol in Cain. This will start the attack, and you should see some data flowing.
After a while, our target tries to visit facebook, and we steal his username and password! (I'm just running on my home network, so I used a dummy account)




That's all, happy hacking!
« Last Edit: October 02, 2011, 07:16:54 PM by Spy » Logged
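
A defensive counterpart to the attack described in this post, added here as an example and not part of the original post: it parses a Windows `arp -a` listing taken on the targeted machine and flags the two traces ARP cache poisoning leaves there, a gateway MAC that differs from a known-good value and another IP sharing the gateway's MAC. The sample listings and all MAC addresses are constructed; the IPs are the ones used in the post.

```python
import re
from collections import defaultdict

KNOWN_GATEWAY_MAC = "00-1d-7e-11-22-33"   # constructed baseline, recorded on a trusted day

# Constructed `arp -a` output from 192.168.0.103 while its cache is poisoned.
POISONED = """Interface: 192.168.0.103 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-0c-29-aa-bb-cc     dynamic
  192.168.0.105         00-16-cb-44-55-66     dynamic
  192.168.0.110         00-0c-29-aa-bb-cc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Constructed output from the same host with a healthy cache.
CLEAN = POISONED.replace("192.168.0.1           00-0c-29-aa-bb-cc",
                         "192.168.0.1           00-1d-7e-11-22-33")

ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                   r"((?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+\w+", re.M)

def norm(mac):
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Return {ip: mac} for unicast entries only."""
    table = {}
    for ip, mac in ENTRY.findall(text):
        mac = norm(mac)
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue  # broadcast / IPv4 multicast are expected to repeat
        table[ip] = mac
    return table

def find_poisoning(table, gateway_ip, known_gateway_mac=None):
    """Return a list of (finding, ip, mac) tuples; empty means nothing suspicious."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return findings
    if known_gateway_mac and gw_mac != norm(known_gateway_mac):
        findings.append(("gateway-mac-changed", gateway_ip, gw_mac))
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # A second IP answering with the gateway's MAC is the host doing the forwarding.
    for ip in sorted(i for i in by_mac[gw_mac] if i != gateway_ip):
        findings.append(("mac-shared-with-gateway", ip, gw_mac))
    return findings

if __name__ == "__main__":
    for name, sample in (("poisoned", POISONED), ("clean", CLEAN)):
        print(name, find_poisoning(parse_arp_table(sample), "192.168.0.1", KNOWN_GATEWAY_MAC))
```

A hit is a reason to investigate rather than proof, since a legitimately replaced router also changes the gateway MAC. On sites served over HTTPS, the DNS redirect to a local web server described above produces a certificate error instead of a convincing page.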
