Hacking Your Social Account (Critical)

Basanta Shah
Aug 31, 2019

You may often have heard about how someone’s friend’s Facebook account got hacked. Well, that’s not so serious until it starts leaking your private conversations (right?). What if I say anyone can hack your social account password, or in fact your bank account password, in just a minute? You first need to know how it works and start taking preventive measures right now.

I have divided this medium read into two parts,

  1. Theoretical
  2. Practical

ENJOY READING :)

Facebook : http://www.fb.com/bindassbasanta

1.1 INTRODUCTION

In the computer world, the tools used for penetration testing can be subdivided into hardware and software tools. Different techniques combine hardware and software to hack or penetrate into a system. DNS spoofing and phishing sites are among the major problems these days in countries like Nepal and around the globe: most people use the free networks provided in city areas and try to log in to social networking sites over them, which can be very dangerous. In this medium post, we can see how a free network SSID like worldink_free_wifi can be used to phish a social media site like Facebook, using DNS spoofing with a hardware device called the WiFi Pineapple and a phishing site of Facebook created with a software tool called Z-shadow.

The software and hardware used in ethical hacking are numerous, and the tools used in penetration testing can be selected according to one’s preference and convenience. Several software tools were developed by Chinese state hackers, whereas Russians and Israelis have their own reputation for building their own customized tools (Courses, 2018). For this report I have used a penetration testing device called the Hak5 Pineapple and a phishing site called Z-shadow; the details about the tools used are in the section Tools. The demonstration shows how a free WiFi network can be used to redirect victims from a genuine site to a phishing site and how a layman user can save himself from being a victim. The report also demonstrates possible remedies for both the user and the developer.

1.2 PROBLEM STATEMENT

DNS spoofing is a type of computer attack where a user unknowingly gets redirected to fake addresses that can be hard to distinguish from the genuine ones (Times, 2018). The journal published by Amal Al.Hajeri explains the different types of attack involved in performing DNS spoofing.

According to the report, the types of vulnerability within 30 days were as follows

Top 10 attack of DNS spoofing report (Al.Hajeri, 2017)

For each day, the vulnerability is as follows

The frequent DNS spoofing report (Al.Hajeri, 2017)

The types of vulnerability involved in DNS spoofing are (Al.Hajeri, 2017)

· Zone transfer

· Cache poisoning

· Buffer overflow

· Denial of service attack

Phishing is considered one of the major problems in computer security. According to a report of Verizon’s 2017 Data Breach Investigations (Wright RT., 2014), successful phishing attacks were for installing malware, of which 66% were from email attachments. Most victims are ordinary people, while the attractive victims are mostly banks, defense organizations and private companies.

1.4 AIM & OBJECTIVES

1.4.1 Aims

The main aim of this medium post is to use the software and hardware used in ethical hacking to demonstrate how hacking is performed on a public free Wi-Fi network and how one can secure oneself from being a victim of DNS spoofing.

1.4.2 Objectives

The objectives of this medium read include

· Elaborate on different software and hardware used in ethical hacking

· Elaborating the current problem of free Wi-Fi networks

· Examination of the tool

· Prevention measure to be taken to secure from DNS spoofing

· Evaluate the social, ethical and moral issue

2 CHAPTER 2: BACKGROUND AND LITERATURE REVIEW

2.1 SECTION A: PRE-REQUIREMENTS AND TOOLS

The hardware tools required to perform DNS spoofing are

· Wi-Fi pineapple

The software tools required for phishing

· Z-shadow for phishing social account page

2.2 PRE-REQUIREMENTS

DNS spoofing and social media phishing requires following

· The attacker

· The victim

· The vulnerable Web site that the attacker exploits to take action on the victim

2.2.1 Tools

The tools required for DNS spoofing and Social media phishing are listed below

· WIFI pineapple hack5

The steps required to install the Pineapple OS on the Hak5 device are in Appendix A — Installing pineapple OS (GUI).

WIFI pineapple tetra (Pineapple, 2015)

This is the first dual-band wireless auditing device and is considered the second in the 6th generation line, which uses the new software platform designed around usability and performance (Pineapple, 2015). It is considered next-level hardware for penetration and security testing: it has two Atheros dual-band (2.4/5 GHz) 2:2 MIMO radios capable of 802.11 a/b/g/n, with a solid PCI Express bus connected directly to four integrated Skybridge amplifiers, and includes 5 dBi antennas, which sums up to 29 dBm EIRP, much more than is generally required. It has a 533 MHz RISC CPU from Atheros capable of running the Pineapple firmware, with 64 MB of 32-bit DDR2 RAM and a fast SLC NAND controller with 2 GB of on-board storage. The port selection has a fast Ethernet RJ45, an eth mini USB and one mini power port, which supports a 5 V adapter or a power bank.

In summary, it’s a beast in its category of mobile penetration and security testing devices. It can be carried with a portable power bank and controlled over the internet or from a mobile phone. Other variants are also available, like the Pineapple NANO, a similar variant with smaller specs and form factor. The cost of the Pineapple Tetra on the official website is $199.99 and the NANO is $99.99.

· Z-shadow phishing

The use of the phishing site is demonstrated in Appendix C — Using phishing site for Facebook

The very first web phishing started in the year 1995, when a phisher successfully obtained AOL credentials; it not only abused the credit card system but also indicated that an attack on online payment systems was feasible (Yuxiang Guan, 2018).

There are several ways of exploiting victims with phishing sites to gain confidential information. A phishing site looks similar to the genuine site and exploits the user’s trust: the user clicks on such a link or visits it unknowingly and gives away crucial information like a username and password.

For example, links to phishing sites look like

Facebook : http://boookpage.com/68320//oRpN6/?sc=1&sc=1&l=1&ppy=4504920&i=4504920

Twitter : http://lezzizdriffield.co.uk/58432/wzLDQFio21EeNrG/tw/en/?i=4504920

Clicking on these links asks for a username and password, which is further saved in my personal account. A few available phishing apps are

Available phishing sites (shadow, n.d.)

2.2.2 Pros and Cons

The following table explains about it

Table : Pros and Cons of tools used

2.3 SECTION B: DEMONSTRATION

Installing DNS Spoof module
Installing dependencies
Connecting to free Wi-Fi network available in most of the places
Trying to open social site
Redirected phishing site
Inserting credential
Credential of victim

Here we can see we have our victim’s Facebook credential. We could choose to redirect the victim’s request to any phishing site we desire.
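Seen from the client, the redirect in this demonstration is a resolver handing out answers that differ from what a trusted resolver returns. The following added example (not part of the original post) compares the two answer sets; the hostname-to-address tables are constructed sample data, and how the trusted answers are obtained (for example over a VPN) is an assumption.

```python
import ipaddress
from collections import Counter

# Address ranges that should never be the answer for a public website.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def audit_resolver(local, trusted):
    """Compare hotspot DNS answers with a trusted reference.

    local, trusted: dict of hostname -> set of IPv4 address strings.
    Returns dict of hostname -> list of finding codes.
    """
    # One address answering for many unrelated names suggests blanket spoofing.
    ip_use = Counter(ip for answers in local.values() for ip in answers)
    findings = {}
    for host, answers in local.items():
        codes = []
        addrs = [ipaddress.ip_address(ip) for ip in answers]
        if any(a in net for a in addrs for net in NON_PUBLIC):
            codes.append("non-public-answer")
        if any(ip_use[ip] >= 3 for ip in answers):
            codes.append("shared-answer")
        ref = trusted.get(host, set())
        if ref and answers.isdisjoint(ref):
            codes.append("no-overlap")
        findings[host] = codes
    return findings

def is_suspicious(findings, host):
    """CDNs make 'no-overlap' alone common, so require two signals."""
    return len(findings[host]) >= 2

# Constructed sample data: answers seen on the hotspot vs. via a trusted path.
LOCAL = {
    "www.facebook.com": {"172.16.42.1"},
    "twitter.com": {"172.16.42.1"},
    "login.example": {"172.16.42.1"},
    "www.example.com": {"93.184.216.34"},
    "static.example": {"198.51.100.7"},
}
TRUSTED = {
    "www.facebook.com": {"203.0.113.10"},
    "twitter.com": {"203.0.113.20"},
    "login.example": {"203.0.113.30"},
    "www.example.com": {"93.184.216.34"},
    "static.example": {"198.51.100.99"},   # CDN-style difference, not spoofing
}
```
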

3 CHAPTER 3: PREVENTION AND RECOMMENDATIONS

3.1 SECTION A: ANALYSIS OF THE PREVENTION METHODOLOGY

There are two aspects to the prevention methodology: one for developers and the other for clients or visitors. Following is a brief explanation of the preventive measures that can be taken.

3.1.1 For Developers

The best way to make a site DNS-spoofing proof or phishing proof is from the developer’s side. Since humans can’t remember dozens of IP addresses and need an easier way, sites were given names, which are later resolved to IP addresses using a DNS server. There are two kinds of DNS query, recursive and iterative. Generally, a recursive query is used when a user queries a domain name, and an iterative query is used when a user queries a DNS server, if the server knows any resolution (Singh & Maini, 2011).

Working of DNS Spoofing (Singh and Maini 2011)

The best ways to avoid spoofing are (Babu, et al., 2010)

· Ingress Filtering Method — IFM

o Making sure that incoming packets are actually from the site requested

o The sending IP address can be spoofed; this is usually done as part of an attack so the victim cannot know where the attack came from

· Egress Filtering Method — EFM

o The practice of monitoring and potentially restricting the flow of information going out from one network to another, typically in a TCP network

o It helps to ensure that unauthorized or malicious traffic never leaves the internal network

· Spoofing Prevention Method — SPM

o Using crypto signature to exchange authenticated emails

o Configuring mail delivery daemon to assist in tracking origin of spoofed emails

3.1.2 For Users

The user should know how the internet works and can follow possible remedies to overcome the issue. The Internet Protocol (IP) is used to link several billion devices, and the Domain Name System (DNS) helps to translate names to IP addresses; for example, www.example.com is translated to 93.184.216.34, which can be understood by a computer. DNS spoofing, or DNS cache poisoning, is a computer attack where data is diverted from the original destination to a compromised destination (Sharma, 2014). The preventive measures for normal users are

· Identifying the fake URL

Fake URL of social media page

· Always check for HTTPS

DNS spoofing generally works by faking an exact replica of the genuine site. The difference is that the imposter won’t have an SSL certificate, so the URL bar will show HTTP instead of HTTPS.

HTTP site

Here the browser shows a message saying the website is not secure, since it doesn’t have an SSL certificate and is HTTP instead of HTTPS.

· Use VPN connection

VPN stands for Virtual Private Network and is a service that encrypts all the internet traffic going over your outbound connection (Anon, 2018), as demonstrated in this figure

Using VPN for avoiding DNS spoofing
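The first two user-side checks above (the fake URL and HTTPS), written out as an added example that is not part of the original post: the function flags a login URL whose scheme is not HTTPS or whose host is not the expected domain. The host check matters on its own, because a phishing page hosted on its own domain can still be served over HTTPS; `check_login_url`, its warning names and the `.example` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_login_url(url, expected_domain):
    """Return warnings for a URL that is supposed to be expected_domain's login page."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append("not-https")          # the "always check for HTTPS" rule
    if parts.username is not None:
        warnings.append("userinfo-in-url")    # text before '@' is not the host
    if host == expected_domain or host.endswith("." + expected_domain):
        return warnings                       # genuine domain or a subdomain of it
    warnings.append("host-mismatch")          # the "identify the fake URL" rule
    brand = expected_domain.split(".")[0]
    if brand in host:
        warnings.append("brand-in-foreign-host")
    elif any(edit_distance(label, brand) <= 2 for label in host.split(".")):
        warnings.append("lookalike-spelling")
    return warnings

# The second URL is the Facebook phishing link quoted earlier on this page;
# the others are constructed samples (the fakes use the reserved .example TLD).
SAMPLES = [
    "https://www.facebook.com/login",
    "http://boookpage.com/68320//oRpN6/?sc=1&sc=1&l=1&ppy=4504920&i=4504920",
    "https://faceb00k.example/login",
    "https://facebook.com.signin.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_login_url(url, "facebook.com") or ["ok"], url)
```
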

3.2 SECTION B: DEMONSTRATION

There are several preventive measures that can be taken against DNS spoofing and phishing, which are described in Appendix D — Preventive measures

4 CHAPTER 4: CONCLUSION AND FURTHER WORK

4.1 SUMMARY

The report successfully demonstrates how hardware can be used to generate rogue access points with the exact SSID available in different public areas, which can be used to sniff critical information from the public. According to different journals, human error has been suggested as one of the weakest links in most secure systems; a report by Peltier TR suggests that people’s poor capacity for detecting phishing or suspicious links is the reason they become victims (TR, 2006).

4.2 LEGAL ISSUE

The necessity of computers in modern society has increased hugely. The amalgamation of the communication and computing fields has spread computers worldwide, and the internet has provided interconnectivity across large networks. The increase in the use of free WiFi could lead to various issues (Brungs, 2011).

It is very important to take the necessary steps to identify and highlight existing and potential legal issues.

4.3 SOCIAL ISSUE

Attacks like phishing and DNS spoofing have a major impact on society. The fields can be listed as

4.3.1 Privacy preservation from user’s perspective

The major problem in safeguarding one’s privacy is lack of knowledge and understanding. The general user has no knowledge of how phishing and DNS spoofing work.

4.3.2 Privacy preservation from forensic investigator perspective

Forensic investigators collect evidence of social engineering, which includes phishing and DNS spoofing. They should be careful about the social issues around the data collected (Aminnezhad, 2012).

4.4 ETHICAL ISSUE

Computer hacking has mainly 3 issues:

· Technical

· Socio-economical

· Legal

It is common for ethical issues to span one or all of the major classes, which leads to a number of concerns (Balogun, 2017).

4.4.1 Privacy and confidentiality

Infringing the privileges of the involved parties leads to computer incidents including data breaches, identity crimes, intellectual property and trade secret theft, and cyber warfare, amongst others (Balogun, 2017).

4.5 RECOMMENDATION

There is nothing bad in using free WiFi networks in public areas, but certain precautions should be followed in order to be safe (Wegman, 2011). The report in no way suggests not using free WiFi or not clicking on any links received in emails or on social media; rather, it aims to make readers aware of how these things work, how one can avoid fake WiFi networks, how phishing works and how one can avoid becoming a victim of phishing.

4.6 Demonstration

The steps required to configure and run WIFI pineapple are as follows

Step 1. Connecting WIFI pineapple ETH port with laptop

Step 2. Browsing the default IP address with port number 1471

First webpage while browsing IP address with port

Step 3. Setting up pineapple and installing latest software

Installing and upgrading firmware

Step 4. Configuring for the first time

Setup page

Step 5. Setting management and AP password

Accepting EULA and setting password

Step 6. Login into WIFI pineapple

Login from webpage
Logged-in Home page

1.1 INSTALLING PINEAPPLE OS(CLI)

Dashboard webpage
Accepting RSA keys
Enter password setup in GUI
Logged in page of CLI

1.2 APPENDIX C — USING PHISHING SITE FOR FACEBOOK

The steps required for setting z-shadow phishing site for the first time

Step 1. Browse to http://z-shadow.info/#

Browsing site

Step 2. Signup for the first time

Signup for z-shadow

Step 3. Getting phishing social media link

Getting link for phishing social media site

Sharing this phishing address leads the victim to the fake login page of Facebook and credential inserted there is listed as a victim in this site (z-Shadow, 2018).

1.3 APPENDIX D — PREVENTIVE MEASURES

1.3.1 DNS spoofing

The following measures can be taken to help prevent DNS spoofing (Rubens, 2017)

· Make DNS resolver private and protected

· Managing DNS server securely

· Configuring it to be as secure as possible to mitigate cache poisoning
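One way a resolver can reject forged answers before they reach its cache, as an added example (not code from the original post): it checks that a reply came from the server it asked, carries the query's random transaction ID, and repeats the same question. The function names, the `as_response` helper and the addresses used with it are constructed for illustration.

```python
import os
import struct

def build_query(name, qtype=1):
    """Build a DNS query (default type A) with an unpredictable 16-bit ID."""
    txid = int.from_bytes(os.urandom(2), "big")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def question(msg):
    """Return (lower-cased name, qtype, qclass) from the question section."""
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        if n > 63:
            raise ValueError("compressed or invalid label in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    return (".".join(labels),) + struct.unpack("!2H", msg[pos + 1:pos + 5])

def check_response(query, resp, sent_to, came_from):
    """Return 'accept' or the reason a resolver should silently drop resp."""
    if came_from != sent_to:
        return "wrong-source"            # must come from the server we asked
    if len(resp) < 12:
        return "malformed"
    txid, flags, qdcount = struct.unpack("!3H", resp[:6])
    if not flags & 0x8000:
        return "not-a-response"          # QR bit clear
    if txid != struct.unpack("!H", query[:2])[0]:
        return "txid-mismatch"           # a blind spoofer has to guess this
    try:
        if qdcount != 1 or question(resp) != question(query):
            return "question-mismatch"   # answer to something we never asked
    except (IndexError, ValueError, struct.error):
        return "malformed"
    return "accept"

def as_response(query, txid=None):
    """Constructed test helper: turn a query into an empty NOERROR response."""
    head = query[:2] if txid is None else struct.pack("!H", txid)
    return head + struct.pack("!H", 0x8180) + query[4:]
```

These checks stop forged answers sent by an attacker who cannot see the query. They do not help when the resolver itself is hostile, as on a rogue access point, where DNSSEC validation or an encrypted channel to a trusted resolver is needed.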

1.3.2 Phishing

The possible techniques are

· Making more holistic approach

· Use of technology for screening emails

· Securing ourselves from malicious websites

· Sticking to security basics

· Concentrate on phishing security awareness

· Establishing a common way of identifying suspicious links

1.4 APPENDIX E : SIMILAR PROJECTS

· SN1PER

The tool is used to scan for vulnerabilities and is also considered ideal for penetration testing. It is an automated vulnerability tester (Security, 2018).

· JOHN THE RIPPER

The tool is used for fast password cracking and is available for many platforms like Windows, Linux and macOS. Its main purpose is to detect weak Unix passwords (Wall, 2017).

Similarly, many other software tools that are generally used in computer hacking could be listed. Hardware tools for hacking also come in a wide variety, and these days IoT devices like the Raspberry Pi, and modern routers that can be compromised to bridge data, can also be used as a medium for hardware hacking. A few examples are (Nagdive, 2018)

· HackRF one kit

A software-defined radio used for fast and reliable transmission of radio signals with wide range capability. It generally acts like the sound card of a computer. It was developed to test, improvise and modify contemporary radio frequency systems.

Figure 32: HackRF One kit (Nagdive, 2018)

· Ubertooth One

It is used for Bluetooth experimentation. Commercial Bluetooth monitoring devices can cost thousands of dollars, so the Ubertooth was designed as an affordable alternative platform (Nagdive, 2018)

· LAN tap pro

It is a passive LAN tap which requires no power for operation. There are active methods of tapping Ethernet, but LAN Tap Pro is considered one of the best methods. It looks like a normal section of cable, but the wires in the cable extend to the monitoring ports (greatscottgadgets.com, 2018).
