Can anyone really hack facebook? If so how

You are currently reading a thread in /wsr/ - Worksafe Requests

Thread replies: 11
I'm just curious if people can do it or it's just bullshit as everyone says
>>
It's funny how people keep thinking 4chan is packed with "hacktivist anonymous all-powerful hackers".

Anyway, all I know is that it used to be easier, and that you can steal a friend's password if he saves it on his browser and you're using it.
>>
>>37780
Yeah the inspect element thing works well but I was thinking something a bit more on the professional end haha
>>
>>37776
Depends on what you mean by "hack facebook".

I don't think stealing shit directly from facebook would be that easy. But stealing shit from you while you access facebook? Easy as fuck under the right conditions.

First, virus. If you have a virus that logs shit, your account credentials can be easily transferred to whoever is controlling the virus.

Second, if someone is MITMing you, they can get your shit too. For example, if you're in a public wifi and the operator of the wifi itself is malicious, you can be tricked into believing your connection is secure when it in fact isn't, through shit like sslstrip. And not only the wifi server - any terminal connected to the same wifi can spoof being the wifi itself if it's closer to you than the wifi server.

Same with phone towers. There's a number of phone tower spoofing programs, so you might believe you're communicating with the tower, but you're actually sending your data to a man in the middle, and if you are not certain, or even aware, whether you're sending it encrypted or not, the MITM can get your data.

>>37780
>it used to be easier
Yeah, when facebook didn't require SSL for all logins, because all the data went in the clear back then. But you can still use tricks like sslstrip to make both the server and the terminal believe they're connecting through ssl. Or at least make the server believe you're connecting through ssl, while the terminal is connected through cleartext.
>>
>>37789
I'm sorry, I should've clarified. I meant how to hack into someone's account.

I've heard about how you can manipulate the wifi and fake the SSID so it doesn't look too suspicious and how the creator can browse what they browsed (not sure if I'm 100% accurate on this)
>>
>>37798
And again, that depends on what you mean by "hack". If we're being pedantic, it doesn't even mean what you think it means (you're thinking of the word "crack", or maybe not even that).

No, you can't actually go and access someone's account willy nilly. But you can cheat the owner of the account into giving you their info in a number of ways, the most "hack"-like ones being either through a virus or through a MITM attack. Or through phishing. But all of that depends on input from the owner of the account. The facebook servers though? Not even the chinese.
>>
>>37802
Thanks for the tidbit.

If we are being pedantic, how can I be able to find out the password/e-mail they use on facebook without the victim knowing and without leaving the comforts of your home?
>>
>>37809
>how can I be able to find out the password/e-mail they use on facebook
MITM, virus, phishing or social engineering (which goes hand in hand with phishing).

>and without leaving the comforts of your home?
Mh...

MITM is pretty much out of the question unless you somehow manage to get them to remote-connect to something malicious.

I suppose you could hit one of those eastern european virus sites to see if you can pay for something, but you're gonna have to pay, and like hell I'm gonna link you.

That leaves you with phishing and social engineering. Just as an example, if you make a website and manage to get the person to register to it, it's quite possible they'll use at least the same email, if not the same email and password. Or maybe you could even trick them into believing they're logging in to facebook through your website - hell, you could actually log them in to facebook and keep the data yourself.

There's tons of ways. But of course, you'll need to know at least how to program, and how to make them fall for phishing.

My advice: give up on it. If you're not even willing to MITM from the same network, it's not worth it.
>>
>>37789
>you can be tricked into believing your connection is secure when it in fact isn't, through shit like sslstrip
No you can't.

You can be tricked into making an unencrypted connection when you should be making an encrypted one, but there's no way to make your browser say it's secure when it isn't. You'd need Facebook's SSL certificate for that, and you don't have it.

Even OAPs know, nowadays, that if the browser doesn't show the green padlock when it should be showing the green padlock then something is amiss.

HSTS is a standard where the site can tell the browser "next time you connect, you're not allowed to use http". Browsers that support it (basically all of them) will automatically convert http requests to https, and will raise a stink if the https request is tampered with. They simply won't let the user connect if someone in the middle is trying a downgrade attack.

High-profile sites (like Google, Facebook and Paypal) are on an HSTS list built into the browser, and will never, ever, ever downgrade to http, even on the very first connection.
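
The upgrade rule this post describes, written out as a small model of a browser's HSTS state. This is an added example, not part of the original post; the `HstsStore` class, the one-entry preload set and the `example.org` / `example.net` hosts are constructed for illustration.

```python
import time
from urllib.parse import urlsplit

class HstsStore:
    """Toy model of a browser's HSTS state (RFC 6797 semantics)."""

    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)  # stand-in for the built-in preload list
        self.dynamic = {}                # host -> (expiry, include_subdomains)

    def note_header(self, url, header, now=None):
        """Record a Strict-Transport-Security response header; True if accepted."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # ignored over plain http: anyone on the path could forge it
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.strip().lower() == "max-age":
                value = value.strip().strip('"')
                if not value.isdecimal():
                    return False
                max_age = int(value)
            elif name.strip().lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is mandatory
        if max_age == 0:
            self.dynamic.pop(parts.hostname, None)  # site withdrew its policy
        else:
            self.dynamic[parts.hostname] = (now + max_age, include_sub)
        return True

    def must_use_https(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name in self.preloaded:  # preload entries modelled as includeSubDomains
                return True
            expiry, include_sub = self.dynamic.get(name, (0, False))
            if expiry > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the browser would actually request (no explicit ports)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_use_https(parts.hostname, now):
            return parts._replace(scheme="https").geturl()
        return url
```

A preloaded host is upgraded on the very first request, a non-preloaded host only after one untampered HTTPS response has set the policy, and a hostname that merely contains a protected name is not covered at all.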
>>
>>37824
>HSTS is a standard where the site can tell the browser "next time you connect, you're not allowed to use http". Browsers that support it (basically all of them) will automatically convert http requests to https, and will raise a stink if the https request is tampered with. They simply won't let the user connect if someone in the middle is trying a downgrade attack.
>High-profile sites (like Google, Facebook and Paypal) are on an HSTS list built into the browser, and will never, ever, ever downgrade to http, even on the very first connection.
There's always redirections to lookalike domains.
>>
>>37828
You're not supposed to be able to get an EV cert for paypaI.com, though. Google, in particular, has been coming down hard on CAs that do shit like that.

And any of the big companies will UDRP your domain off you because you registered it in bad faith.

This is a 4chan archive - all of the content originated from them. If you need IP information for a Poster - you need to contact them. This website shows only archived content.