Facebook sessions is probably the easiest target for hijacking out there, because by default it runs on unsecured HTTP connection. If you want to force it to run on HTTPS you should go to your Account Settings -> Security -> Secure Browsing and turn it on.
Session hijacking is a way use that somebody is logged in and use their account without the need for actually knowing their login credentials.
Get one’s Facebook account on 4 easy steps:
1. Get the fb session information from the victim’s browser.
The way that I did it is with package sniffing but if you are far away from your victim you can use other techniques like phishing, for example.
In order to sniff for the packages that are going around you, you should turn your network card to listening mode, for that I used airmon which is part of the program aircrack-ng (available for both Linux and Windows).
Ubuntu install:
wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz tar -zxvf aircrack-ng-1.1.tar.gz cd aircrack-ng-1.1 make sudo make install
When you have aircrack installed just run this code, in order to start package listening:
sudo airmon-ng start wlan0 9
As a result you will get something like:
Process with PID 13910 (dhclient) is running on interface wlan0 Interface Chipset Driver mon1 Unknown iwlwifi - [phy0] mon0 Unknown iwlwifi - [phy0] wlan0 Unknown iwlwifi - [phy0] (monitor mode enabled on mon0)
Now you get the packages and you only need a way to view the content of them. Here I am using Wireshark, because I do like the graphic interface.
In Wireshark you should:
a. Choose the network interface that airmon just created (default: mon0)
b. Add filter – the one that I used is http.cookie (it is a bit of a stretch, because you get all packages with cookies in them but you could find other interesting stuff there :D)
At the end you will get cookie values looking like:
datr=yJQ**; lu=Tgsa**; locale=en_US; sub=354**; p=2; c_user=15**; fr=0**; xs=2%**; act=13**; presence=EM3**
2. Use the session info into your browser, in order to login in the victim account.
Here I use one really nice and easy add-on for Firefox called Greasemonkey and JavaScript called Cookie injector.
a. Install Greasemonkey
b. Go to this site http://userscripts.org/scripts/show/119798 and install the Cookie injector into your Greasemonkey (Just click on the green button ‘Install’).
When you have all that set up go to http://facebook.com, press Alt + c and paste the cookie values to the small grey box:
Now refresh the page and you are in the victim account:
Cheers and do not do harmfull stuff