Social engineering is an extremely powerful tool that can be deployed to exploit the human’s element of security and inherently psychological manipulation. Ultimately, social engineering can grant a hacker the victim’s Facebook login email and password, leading to the compromise of their social media account which also leads to the breach of other accounts.
Truthfully, Facebook is one of the most secure websites in the world as the company invests heavily in security with the Facebook security team rushing to patch any vulnerabilities before they could be exploited and used to extract valuable data. Hence, it’s extremely unlikely that someone can actually hack Facebook’s server. The hacker has to realize what the security team doesn’t do effectively is educate Facebook users on protecting themselves from social engineering such as acquiring and maintaining the critical mind of distinguishing complex social engineering tactics utilized to steal account information.
Even with the proper education and awareness combined, social engineering can still trick the most experienced users into disclosing their private account Facebook information such as the login emails and passwords to a ‘deceptive’ social engineer. People can and are easily fooled by psychological manipulation. Professional hackers know and take advantage of this fact.
This tutorial will teach you how to use social engineering to ‘hack’ and retrieve Facebook account email login and passwords by combining the use of:
Browser Exploitation Framework (BeEF)
Clever Psychological Manipulation Of The Victim
Simply using the collection of exploits and tools in this article isn’t enough to steal someone’s Facebook account information.
Social engineering is key.
Hence, I will emphasize in great detail how to trick and convince someone to give their social media email login and password information away to an adversary. Everyone is pretty much vulnerable to these kinds of social engineering tactics even when cybersecurity education is embraced.
1. Install/Load A Penetration Testing Linux Distro (Preferably Kali Linux)
It would be a good idea to install and load Kali Linux on your computer. Any penetration testing distro that has BeEF preinstalled will suffice.
To download Kali, click here.
Don’t know what Kali is? Click here to learn about it here.
BeEF? What? No, I don’t mean the flesh of an animal that people consume daily.
BeEF is an acronym which refers to Browser Exploitation Framework. BeEF is a penetration testing tool that permits a penetration tester to evaluate the genuine security stance of a victim environment by deploying client-side attack vectors.
Essentially, BeEF emphasizes on the web browser. BeEF will hook one or multiple web browsers and will take advantage of them for purposes of instigating controlled command components and additional attacks facing the system originating within the browser framework. BeEF runs on your computer in the background as a web server that you may access via a web browser.
In layman’s term, BeEF possesses the ability to assist you in hacking a target’s web browser and grab control of it. When you hold control of the target’s browser, you can deceive the user into providing their Facebook account information unwittingly.
If BeEF isn’t installed, go to terminal and type:
sudo apt-get install beef-xss
2. Start BeEF
To start BeEF, simply open a terminal and type in the following command:
After typing the above command, you probably have to wait a little bit before the Firefox browser automatically launches on your computer.
You’ll be presented with a BeEF login page where you’ll need to enter the following account information to log in:
After logging in successfully, you’ll be shown a Getting Started page. Pay close attention to the first paragraph where BeEF gives us two demo pages to experiment with. The demo pages assist us in learning how to ‘hook’ a web browser.
Click on the advanced demo page:
You’ll be presented with an HTML page named ‘index.html‘ in a new Firefox tab called ‘The Butcher‘ located in /demos/butcher/ which shows tasty meats. The target is very unlikely to notice that this specific webpage has a hook embedded. Fundamentally, a spiteful program that permits a hacker to hook the web browser and grab complete control of it.
Now go back to ‘BeEF Control Panel‘ tab.
If you ever run into issues and bugs with BeEF, ensure that the packages for BeEF are current and that Kali is up-to-update by typing in the following command into terminal:
sudo apt-get update && apt-get upgrade
3. Time To Hook The Target’s Web Browser
What we need to do next is use the above URL that contains the script and send it to the target.
Our URL would look like the following:
The hacker could insert the above URL in a web page by means of a compromised server, inject the script into traffic subsequent to a fruitful MITM attack. Another way is to use social engineering methods like phishing or social networking URLs to persuade the victim to visit the webpage. When the victim visits the page, the hook is instantly applied. The target doesn’t even have to run anything or place their cursor over anything for this attack to be effective. Merely visiting the page activates the attack.
Social Engineering Explanation / Example / Tricking The Victim Into Giving Their Facebook Login And Password To Steal Their Information
If the hacker knows the victim, they may have an easier time in tricking them since trust is likely to be already built and accumulated over time. The hacker can convince the target to open a webpage that has our code.
One way is knowing the target’s interests, hobbies, friends, and social connections. The hacker ‘friend’ likely has knowledge of all of this. If not, social media platforms like Facebook are excellent for conducting Open-source Intelligence (OSINT) on the victim.
Most people don’t have their Facebook profiles tuned down in their Privacy settings. Hence, anyone can simply view their profiles without being added as a friend. For that reason, hackers who don’t actually know the target can do research on them, learn their interests, hobbies, who their friends are, the people they interact on a daily basis, and ‘pretend’ to know them. There is significant flexibility in this. The hacker could send a phishing email to the target, exploiting the interests of the target or pretend to be a service they use to their own advantage. What the Facebook user ‘likes,’ the things they adore could serve as hints for adversaries to resetting their target’s social media and email account passwords via secret/recovery questions.
One way to build trust if it hasn’t been built yet or to a certain extent which could be exploited successfully is constructing a false ‘story‘ and sticking with that ‘story‘ no matter what. If the victim draws skepticism toward your story, you ought to stick with the story and not change it even when pressured greatly. To make the target ‘believe‘ your story, you ought to convince yourself to ‘believe‘ it too. When they genuinely ‘believe‘ the ‘story‘, they’ll start to ‘believe‘ you too. This leads to them being subject to further manipulation which they will start ‘talking’ more often. The more they ‘talk‘, the more we ‘learn‘ of them. Therefore, the hacker could use the newly acquired information against the target to their own advantage.
All of this research along with the proper execution of social engineering tactics to psychologically manipulate the victim will very likely lead to compromising the target’s social media account information. Also, keep practicing with the modules in BeEF to gain a better understanding of their capabilities, reliability, and how to ideally use them in social engineering situations. Therefore, sharpening and maintaining your skills in using BeEF modules and social engineering is crucial in enhancing your ‘façade‘ and reducing the target’s ‘skepticism’ which ultimately will lead to their Facebook account being compromised.
4. Executing A Facebook Dialogue Box And Send It To The Victim’s Browser As A Pop-Up Window (With Love, Of Course)
The example below is where I use my own web browser to illustrate how to create a Facebook dialog box and execute it in the victim’s browser so they will enter their Facebook account information unintentionally. Furthermore, I provide additional screenshots that indicate how the attack looks like in the victim’s browser and how to obtain their Facebook account and password.
Go back to ‘BeEF Control Panel’ tab. Within a couple of seconds, you shall see the target’s IP address, their operating system, and browser information appear when you click on the IP address in the ‘Hooked Browsers’ panel located on the left.
We see on our various right tabs. Click on “Commands” tab.
In the “Module Tree”, click on “Social Engineering” to expand the folder which will show various social engineering modules.
Click on “Pretty Theft”, we’ll be greeted with a “Module Results History” and “Pretty Theft” window on our right. The “Pretty Theft” module allows you to send a pop-up window to the target’s web browser. Click on the “Dialog Type” box and select “Facebook”.
Click on the “Backing” box and select “Grey”. Click on the “Execute” button shown at the bottom.
We obviously see that the module is not merely restricted to creating a Facebook dialog box. But for purposes of this tutorial, we’ll stick with Facebook.
5. Facebook Dialogue Box Attack On Target’s Browser Successfully Shown
A dialog box that is a replica of Facebook appears in the target’s browser. The pop-up window notifies the target that their Facebook session has expired and that they require re-entering their Facebook email account and password to “Log in.”
Keep in mind that I am using a custom theme in Kali. Hence, the Facebook dialogue box looks different for me. For everyone else not using a custom theme, they’ll see the exact style theme from Facebook.
Obviously, we wouldn’t be using the appearance of the webpage ‘The Butcher’ to lure the target in real-life. We would modify the webpage’s appearance to fit our purpose and customize it specifically to align with our social engineering mission. The advanced demo webpage allows me to quickly show how this entire attack is executed on the host system.
The majority of social media users will simply trust and be fooled that their Facebook session has expired and will re-enter their account information.
6. Getting/Stealing The Target’s Facebook Account Information Without Them Finding Out
When we go back to the BeEF GUI, we see the social media account login and password in the “Command results” window on our right. The victim who is me ‘foolishly’ entered his email address “email@example.com” and his password “firstname.lastname@example.org.” My account information has been successfully ‘captured’ and ‘shown’ to the ‘elite hacker’ in BeEF. We wonder what kind of victim uses the same password as his login on Facebook. Apparently, I do.
Okay, so an actual victim may very well use the same password as their other social media and email accounts which an attack could use to compromise those accounts as well.
BeEF can also be combined with Metasploit to initiate a broader span of exploits against the host system.
Master both BeEF and social engineering. Become the best liar you can and stick with the story you come up with. Don’t let your façade slip or you’ll fail your mission. Play it smart. Work it harder. The end result will be wonders.
Until next time.
Have a great day!