so I was on /b/ (I know I was looking for a cringe thread) and I noticed a thread asking how you would hack a facebook account without it's username or password
here's what I'd try
make malware that steals the facebook cookies, the user agent then sets up the targets pc as a vpn, then I'd have the correct user agent IP address and user agent so when I load facebook I'd just be logged in right?
how would you do it?
>look at their keyboard while they are typing their password
><petname>123
>?
>profit
>>57315178
here's how i'd do it:
>go to public space
>setup free wifi
>hijack facebook, gmail, hotmail, yahoo
>collect passwords for those websites
>redirect users to the legit page with a warning about wrong password
alternative 1:
>plug hardware keylogger into library PCs
alternative 2:
>peak while they type
>>57315178
1. Make sure the person has 2FA enabled on their phone for either email or facebook.
2. Repeatedly sign the person's phone number up for text message porn.
3. Call your phone provider, requesting their number every day.
4. When your provider gives you their number (because they've changed their number after getting too many porn texts), either:
5a. Hijack their email by resetting their password through text message, then reset their facebook password
5b. Hijack their facebook by resetting their password through text message
>>57315368
>>hijack facebook, gmail, hotmail, yahoo
Isn't the whole point of HTTPS so things like that don't happen?
>>57315544
tools exist that can strip SSL
>>57315497
This
>>57315368
how?
>>57315871
wifi pineapple
>>57315896
is there other way to do this? i cant get wifi pineapple in my country
>>57316138
try this I had a quick google, not read it so it might not be what you're looking for https://penturalabs.wordpress.com/2013/04/25/blue-for-the-pineapple/
also reaver for android can do MITM attacks and strip SSL IIRC
>>57315368
that will not work anymore due to hsts
even spoofing the dns wont work with facebook anymore. gmail you can sometimes get it to work by injecting a 4th w into the www part of the address, but facebook and twitter will catch it
>>57315576
HSTS protocol and SSL pinning pretty much killed high speed low drag mitm. New routes are mitb attacks mitm still holds a role though
>>57315576
they'd still get an ominous "holy fuck server cert mismatch" unless you also somehow injected a custom root CA into their system
A gun