Do you guys know that many hackers utilize social engineering techniques to gain access into your usernames and passwords through impersonation of login sites.
This technique will cover on the usage of browser exploitation framework to redirect user’s page into a fake Facebook login.
Now Woah!! Browser exploitation framework? What?? I will show you that in this guide.
This guide is not about hacking the database of Facebook and then cracking the hashes of the victim’s saved passwords, no no! We will use technique called Browser Exploitation Framework which will make a fake pop up or login screens on the android device which will pass us the credentials when the victim enters in it.
// if you don’t know what it is, you better google it and learn. One of the important techniques any hacker should know. Totally recommend that
What you need? >>>> a Linux machine and victim itself
ON THE LINUX MACHINE:
- enter : beef -xss
/// I aint gonna explain the installation process. Youtube will help lot better than me.
- Access your beef web terminal. The credentials can be edited in the config files. You must have got that part in installation, if not fix it.
- The left side bar you see the online and offline devices connected to the server. The victim device should on the online category. Now, how do we make that.
IN VICTIM DEVICE:
You may need your social engineering skills to get access to the device or you may have backdoor installed in the device and you may access the steps through the command terminal. I recommend you to social engineer your victim. Butter em up.
- Go to any of the browser and in the URL section enter: YOUR_IP/3000
- That will make the device show up in the Online Browser section the Web terminal.
BACK TO YOUR MACHINE:
- Go to the command section and search for social in the search field./
That will show you the results and modules.
- From Network section, select Detect Social Networks
- If you select the command 1 or any from the middle section then you can see if the victim have the facebook, gmail or twitter account registered in the device or not. Its clearly explained.
- From the module tree select “pretty theft” module.
- Execute with the suitable parameters.
- You can see that there is a pop up on the android device which makes the victim looks like they are disconnected from account and they need to enter login details to access the account again. This pop up looks too legit, most people never even bother to know its fake.
- When the enter the details the results will be shown in the Command results section.
It’s THAT SIMPLE!!
Making the victim to click on the URL is the only thing we need to perform. There are many other modules which we can use like pointing out the click coordinates so that we can select any app and make anything open up. Its kinda scary and cool at the same time.
The other modules, those are for another thread.
Be cool not stupid/ Get your skills up and hack responsibly/