Hi friend,
So, here I’m gonna continue my previous post about how to get
someone’s Facebook login password. There are lot of techniques on how to
steal someone’s Facebook password, such as stealing cookies, phising
page, stealing email’s password, bruteforce Facebook login, social
engineering, “unknown” hack trick, etc. In this post, I’m gonna share
with you on how to get Facebook password with “bruteforce Facebook
login” technique. And we’re gonna use Python script for this.
Step by step:
1. Prepare the Python compiler. If you don’t have Python installed on your computer, you can download the Python installer here:
(For Windows – 32/64 bit machine)
http://www.python.org/getit
(For Linux user – which don’t have Python 2.7.xxx and later): just
google around for the installation procedures according to your Linux
distribution.
eg:
(for Centos 6), follow here:
http://toomuchdata.com/2012/06/25/how-to-install-python-2-7-3-on-centos-6-2
2. After installing the Python compiler, you can then check the
Python installation and its version on the command line. Note, in
Windows, you can open up command terminal (cmd) or install Cygwin to get
a view looks like on Linux terminal.
In this tutorial, I’m using Cygwin in Windows.
(Linux terminal)
$ python -v
(Cygwin)
$ python --version
3. I found this Bruteforce Python script on the net, and it needs for Mechanize module.
- In Windows, you may have to download the Mechanize module package through the Python installer.
- While in Linux, you can install the Mechanize module with this command:
$ easy_install Mechanize
4. If everything has been setup. Now it’s time to run the script.
# Overview of the Bruteforce Python Script
1. I found the script on the net and got this link:
# Original script
http://pastebin.com/e49Db5BF (This is the original Python script, if you want to download the fixed script, please download from the below link)
# Fixed Script
http://q.gs/3475036/download-fixed—facebook-bruteforce-pyt
2. Create password file, pass.txt contains:
password1
password2
password3
password4
3. Trying to run the script for the first time, here what it appears:
Running the original script for the first time
4. Run the script based on the usage options:
$ python original-fbbruteforce.py -u test@yahoo.com -w pass.txt
And here what it appears:
Run the script based on the Usage Options
Looks like the script doesn’t run as what it says in the usage options.
5. I checked in the script, and found that there’s a line which reads
the pass.txt file and random the string line by line. It seems that the
script didn’t pass for the
Username (-u)
argument value inputted from the terminal.
def bruteforce(word):
try:
#sys.stdout.write("\r[*] Trying %s... " % word)
pos = word.find("::")
username = word[0:pos]
word = word[pos+len("::"):len(word)]
Looks like the script line trying to look for any “::” character. In
the pass.txt file, there’s no “::”, but the script keeps random it away.
6. Okay, so I tried to run the command based on what the script line above wants to with this command:
$ python original-fbbruteforce.py -w pass.txt
But, first I have to change the pass.txt content with this:
test@yahoo.com::password1
test@yahoo.com::password2
test@yahoo.com::password3
test@yahoo.com::password4
So that the script line above will get the exact character it wants
“::” and use it to implode the string line by line. First implode result
will be the “
Username/UserEmail
” and second will be the “
Password
“.
And here what it appears:
Run the script with only -w argument
Okay, finally the right command to run the script is:
$ python original-fbbruteforce.py -w pass.txt
7. I tried to create a new Facebook account and use it for testing purpose on this script. The file pass.txt now contains:
test@yahoo.com::password1
test@yahoo.com::password2
michaelantonio777@yahoo.com::MyP4sSw0rD
test@yahoo.com::password3
test@yahoo.com::password4
Let us see the result:
Trying to run the script with valid Facebook account login, but it fails.
Looks like the script doesn’t work well. Why? When it comes to submit login for account with the
Username: michaelantonio777@yahoo.com
and
password: MyP4sSw0rD
, it should logging in successfully, but it didn’t.
I tried several hours to learn the script code deeply and found
several issues, such as:
a. Like I said above, that this script doesn’t read the pass.txt file
like what it expected to. And also the “-u” argument not read by the
script. Whatever “-u” argument value we fill in the command, still the
script won’t read it, the script just read what contains in pass.txt
file.
b. If you ever found that this script really works, once the script
successfully logged in with certain account, it then terminates the
bruteforce looping process. In our case, what we want is the script
should continues to loop for the bruteforce looping till the end of the
line (in pass.txt file). Imagine how the script will just stopped
working when it comes in 2nd line, but the pass.txt file still has
thousands of account line to bruteforce. Wouldn’t it be nice if the
script just doing the bruteforce process automatically(?).
c. The script got problem when it encounters a “
Facebook security checkpoint page
” or the password being submitted is an old password.
So, to solve those issues above, I tried to fix the script by doing these things:
a. First issue, I’m not going to fix on how the script passed the the arguments value.
b. Second issue, process termination relates with how it loops line
by line and read the forms found on Facebook page. What I’m talking
about is about cookies and session. The script uses
cookielib.LWPCookieJar()
class in Python. It’s intended to save the cookies captured from
opening website URL link. So, once the script successfully logging in a
certain account, then the cookielib class will save the cookies &
session data of that account.
And what next? Take a look at this line:
if success in response:
print "\n\n[*] Logging in success..."
print "[*] Username : %s" % (username)
print "[*] Password : %s\n" % (word)
file.write("\n[*] Logging in success...")
file.write("\n[*] Username : %s" % (username))
file.write("\n[*] Password : %s\n\n" % (word))
sys.exit(1)
There’s a “
sys.exit(1)
” line, means it will terminate the looping process. To avoid being terminated, this line should be removed.
But, even if we have removed the “
sys.exit()
” line, still the cookies & session saved for the next
POST submit
. And ofcourse, there will raise a problem. What is it? Look at this line:
opensite = br.open(fblogin)
br.select_form(nr=0)
br.form['email'] = username
br.form['pass'] = word
br.submit()
The second line above, “
br.select_form(nr=0)
” trying to find and select for “
Login Form
”
for the next POST submit, but since there’s a “successful login
cookies” saved from the previous process, ofcourse it will raise error
message that the “Form is not found” generated by this exception line:
except mechanize._mechanize.FormNotFoundError:
print "\n[*] Facebook changing their system, please report bug at yudha.gunslinger@gmail.com\n"
file.write("\n[*] Facebook changing their system, please report bug at yudha.gunslinger@gmail.com\n")
sys.exit(1)
In real example, you can check by yourself, try to login to Facebook with your account, and see whether there’s any “
Login Form
” or not. Ofcourse you would’t find it, because you are already logged in.
So, how to solve this? There are several ways to solve this issue:
1. By adding “
CookieJar.clear_session_cookies()
”
to clear all the cookies and session. But, this is not recommended,
because even it clears all the cookies and sessions, it is similar to
“closing” the “simulate browser”, means closing/terminate the script
also. So, this would not solve the problem.
2. By finding the “
Log Out
” form and submit it.
This will simulate for logging out process, and clear the cookies and
session. And the script will continue the bruteforce looping and get the
“
Log In
” form to submit for the next account.
c. Third issue, the script can not handle if the successful login encounters with “
Facebook security checkpoint
” page and “
submitted password is an old password
” page or the login attempts encounter error for several times.
In real example, try to login with your account, but with incorrect
password (not your real password). After first failed login attempt, you
should be redirected to an error login page which it contains a
somekind of Login Form, but the Username/UserEmail has been
auto-filled/auto-complete by the Facebook. Again, this will raise an
error, that is “Control not Found”, generated by this exception line:
except mechanize._form.ControlNotFoundError:
print "\n[*] Facebook changing their system, please report bug at yudha.gunslinger@gmail.com\n"
file.write("\n[*] Facebook changing their system, please report bug at yudha.gunslinger@gmail.com\n")
sys.exit(1)
What does it mean by “
Control Not Found
“? It means that the script could not find for the “
Email
”
field Control in the Login Form. Why? Because there has already an
auto-filled/auto-complete for the Email account, and the form element
doesn’t contain it (for the next POST SUBMIT).
So what can we do to solve this problem? We should force the page to release the auto-filled/auto-complete “
Email
” field by simulating a “
click
” or submit to link which contains string like “
notme.php
“. By forcing to click this “
Not Me
” link, it will then load for the Facebook login page and the script can find for the “
Email
” and “
password
” Control field successfully.
Conclusion, the main idea for Facebook bruteforce is keeping the script to always open this page :
"https://login.facebook.com/login.php?login_attempt=1"
# Download the Fixed Script
I have fixed the script by adding several codes in it, especially in
handling the form submit, and the script works well in many test-cases.
Test case examples:
1. Test Case 1
File pass.txt contains:
test@yahoo.com::password1
test@yahoo.com::password2
michaelantonio777@yahoo.com::MyP4sSw0rD
test@yahoo.com::password3
test@yahoo.com::password4
$ python fixed-fbbruteforce.py -w pass.txt
Test Case 1 – Script works good
2. Test Case 2
Let’s see how the “
Log Out
” click simulation works. File pass.txt contains:
test@yahoo.com::password1
test@yahoo.com::password2
michaelantonio777@yahoo.com::MyP4sSw0rD
juliawoods880@yahoo.com::Th3P4s5W0rd
test@yahoo.com::password3
test@yahoo.com::password4
$ python fixed-fbbruteforce.py -w pass.txt
Test Case 2 – Script works good, for Login – Logout simulation
3. Test Case 3
Test the script to bruteforce 5000 reserved accounts, along with its password (dumped from certain website).
$ python fixed-fbbruteforce.py -w pass.txt
Run script on VPS with 5000 accounts to bruteforce
In bruteforcing process, found 2 successful logins
and many test cases I can not post all here, like “
security checkpoint page
“, “
the password is an old password
“, “
Not Me Trapped
“, etc. But, as you run this script many times with different accounts to bruteforce, you will find out by yourself.
You can view/download the fixed Facebook bruteforce Python script here:
http://q.gs/3475036/download-fixed—facebook-bruteforce-pyt
Note:
- I have added some commented lines for the clear explanation and in
case you need to trace the script output, especially on cookies data,
form elements, forms list, the link where it goes after GET/POST submit,
User Agent used, etc.
- I recommend you to use VPS (Virtual Private Server) to gain max speed when bruteforcing
- You can compare the script line between the original script and the fixed script one.
- Keep in mind, pass.txt file should contains format like this:
userEmail::password
(we can login in Facebook using either User Email or UserName).
https://www.facebook.com/michael.antonio
“
michael.antonio
” is the UserName.
- To run the bruteforce process in background, use this command:
$ nohup nice -n 3 python2.7 fixed-fbbruteforce.py -w pass.txt 1>/[dir]/logs.txt &
or
$ nohup nice -n 3 python fixed-fbbruteforce.py -w pass.txt 1>/[dir]/logs.txt &
Enjoy your bruteforcing .. please comment if you find any error. Thank you.