How to steal Facebook Authentication cookies

How to hack a Facebook account – or, basically, how to hijack PHP sessions. Yes – this is old news – yes, it's a common vulnerability – but you get a better idea of what it is and how it works when things are explained in detail (with screenshots!).

Before we begin, however, I want to re-emphasize that it is VERY EASY to protect yourself against this sort of attack. Facebook supports HTTPS, so when you browse Facebook (or Twitter, for that matter), or if you have it bookmarked, please make sure you're using HTTPS:// rather than HTTP:// in the URL at the very least, if not a VPN solution for further encryption. Also, if the 'victim' logs out of Facebook, the attacker's session becomes invalid – so it's good practice to actually log out of Facebook and log back in again rather than relying on the 'remember me' checkbox.

Facebook, like many sites, operates using authentication cookies. Their auth cookies contain a variety of information, but for our purposes most of it is irrelevant. Here is a sanitized cookie for reference:

Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc; lsd=Xesut; lxe=greg.evans%40****************; c_user=100001230367821; lo=wl9fcGXMhPfoT4bAhKFP3Q; lxs=1; sct=1276721745; xs=a615cfe596448194d6e2a8d062a90e4e

You can see the 'lxe' field is the login. We haven't done any further research into what the various other fields mean, but by using Facebook without any kind of transport security you're leaking both the email address used for your login and the session cookie.
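As an added example (not part of the original post), here is a small Python check for the exposure just described: it parses a Cookie header shaped like the sanitized one above, flags when the session-bearing cookies travel over plaintext HTTP, and audits a Set-Cookie header for the Secure and HttpOnly flags that prevent this kind of leakage. The session-cookie names c_user and xs are taken from comment 14 below; all header values are constructed placeholders.

```python
# Added example (not from the original post): audit cookie exposure of the
# kind described above. Session-cookie names follow comment 14 on the page.
from http.cookies import SimpleCookie

# Constructed stand-in for the sanitized Cookie header in the post; the
# values are placeholders, not real session data.
SAMPLE_COOKIE_HEADER = (
    "datr=PLACEHOLDER_DATR; lsd=Xesut; lxe=user%40example.com; "
    "c_user=100000000000000; lo=PLACEHOLDER_LO; xs=PLACEHOLDER_XS"
)

# The pair that is sufficient to resume a Facebook session (per comment 14).
SESSION_COOKIES = {"c_user", "xs"}


def parse_cookie_header(header):
    """Split a request 'Cookie:' header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:  # skip malformed fragments without '='
            cookies[name] = value
    return cookies


def exposed_session_cookies(scheme, cookie_header):
    """Names of session cookies that travelled over plaintext HTTP.

    Over HTTPS the header is encrypted on the wire, so nothing is exposed;
    over HTTP anyone on the path (the Wireshark scenario) can read it.
    """
    if scheme.lower() == "https":
        return set()
    return SESSION_COOKIES & set(parse_cookie_header(cookie_header))


def audit_set_cookie(set_cookie_header):
    """Return {cookie_name: [missing attributes]} for one Set-Cookie header.

    Secure keeps the browser from ever sending the cookie over HTTP;
    HttpOnly keeps it out of document.cookie (see comments 15 and 16).
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = {}
    for name, morsel in jar.items():
        # Morsel flags are True when present and "" (empty) when absent.
        missing = [flag for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
                   if not morsel[key]]
        findings[name] = missing
    return findings
```

Run `audit_set_cookie` against the Set-Cookie headers your own application emits; any session cookie reported with a missing Secure flag is one that a browser will happily send over HTTP.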

The first thing you'll want to do is fire up your favorite packet capture application. For this example we've used Wireshark:

Next, set the display filter in the top left to: http.cookie contains "datr" (straight double quotes around datr). This should show you only the captured packets which contain the cookie we're looking for. You can see that in this screenshot we've already captured a cookie.

Once you've found a suitable cookie, you can copy it to the clipboard by right-clicking on the cookie line and choosing Copy -> Bytes (Printable Text Only).

Next you'll want to open up Firefox. You'll need both Greasemonkey and the Cookie Injector script.

Simply browse to Facebook – make sure you are not logged in:

Hit ALT-C to bring up the Cookie Injector dialog box:

Then paste in the cookie!

Hit refresh and – VOILA! – you're now logged in as your victim! Note that this doesn't give you access to their credentials; it is roughly the equivalent of walking up to their workstation while they're away from their desk and using Facebook.

Neat, huh? Pretty easy too. I smiled big when we demo'ed the attack in our lab – it's old, sure, but being successful is always a good feeling!

P.S.: This isn't REALLY Gregory Evans' account. We set up this account because... well... the name was available! We thought it was in good taste, as the No. #1 hacker's Twitter feed got hacked the other day, his site is riddled with XSS exploits, and his book is copypasta from a variety of certification exam prep books. Thanks to Nick and mckt for the work and tutelage, respectively. No noobs were harmed in the making of this film.


48 Responses to “How to steal Facebook Authentication cookies”

  1. James says:

    Where are you running Wireshark that you're capturing another user's cookies? Wouldn't that have to be run local to their system? Or local to the system they log in on?

  2. Dan says:

    Yes, this attack is structured towards people on the LAN. In this case, we're assuming the attacker either has gained control of the upstream device (wifi AP, switch, etc.) or has performed an ARP poisoning attack, or another MITM (man in the middle) attack.

  3. Hugo says:

    A shame you're not publishing on your blog anymore!
    It was really interesting!
    I am a Derren Brown fanatic and a hak n00b, and so was really interested
    in your posts!
    Keep up the great posts and stuff... please!!!

    Hugo

  4. kyle says:

    Hey, I am a n00b hacker, well, I am more a beginner than a n00b.
    Anyway, this post is very very interesting, and it's really a shame for not publishing
    posts like this any more.

  5. ARB says:

    I don't think this trick works anymore.

  6. Dan Tentler says:

    It does.

  7. Xak says:

    Does this work even if encryption is present over the wireless network? e.g. WPA2?

  8. Justin says:

    Thanks for this info! It may help catch the thief who robbed my neighbor's house.

    On my advice, they were running web backup software on their new iMac. We saw there had been backups today (the day after the robbery). I recovered the Safari history and cookies which had been touched today. I could see the thief had logged into facebook in the history file. Stumped for a while, but then hit this page with a lucky Google search. The cookies in the cookies file didn’t quite match up, and had already expired, but I tried it anyway. Didn’t log me in, but did populate the login/email field with the thief’s email address. Got their profile page: picture, name, and a few other personal facts.

    Hope the police can/will arrest the guy with this evidence!

  9. Dan Tentler says:

    Oh, epic! Good work Justin!
    You might want to check this out too, since it touches directly on that subject:

    Also some things to consider:
    - use Maltego to find everything you can about the email address
    - contact Facebook and ask for their cooperation (though I'd contact the police/FBI first to get the paperwork started – companies are a lot more likely to work with you if you already have a case number)
    - email that address and try to start a conversation with the thief – if he replies, it's very likely you can get his home IP address; that way you can contact the ISP, give them the case number from the police and try to get them to act faster than they did for zoz (that YouTube link)

    Good luck!

  10. Justin says:

    Thanks! Watched the video. Hilarious. Gave me the idea to look at the Keychain file – now I have the AirPort network name and password – the password is a phone number that, according to a reverse lookup site, is a landline in Hayward, CA (about 10 miles from where I live).

    The online backup service is Backblaze. They've kindly provided the IP address from which the computer was last backing itself up. That also traces to Hayward, CA.

    The kid is on the football team at the community college in Hayward (facebook profile), and the 2010 roster lists his high school (guess which city?).

    For all intents and purposes, I know exactly where the computer is. Not that I’m going to mess with a 19 year-old thug from a bad neighborhood by myself. I really hope the police jump on this. Also, if our local police department (castrated by budget cuts) can’t pursue this, perhaps we can try the Hayward police.

    I’m a software guy (lots of enterprise SAS stuff) – this security stuff/white hat hacking is pretty fun and eye-opening!

    Thanks again!

  11. [...] try before heading to bed, I searched for “hacking Facebook cookies” and found this: http://atenlabs.com/blog/how-to-steal-facebook-authentication-cookies/. I didn’t think it’d work, since the cookies I had didn’t match the article, and [...]

  12. cookie monster says:

    I’ve got a question for anyone who might be able to answer it:

    I am familiar with the more complex methods of hijacking HTTP sessions, and have regularly used wireshark to extract cookie data. However, I also have access to live .txt cookies (i.e., in the %userprofile%Cookies directory), and expect I can also use these in some manner. I’ve been trying to manipulate them for a few hours and have been unsuccessful.

    The cookie data I see includes “lu” and “datr”. Cookies are not marked “secure”. Via a network sniff (as above), I’ve noted that the wireshark cookie dump also includes a “c_user” cookie, not contained in the file-level cookies. I am curious if this might be necessary.

    I have also tried running application-level import / exports (with proper reencoding), and using manual cookie editors.

    The strange thing is, I actually got an import to work for me, only once, the very first time I tried it. I expected it would be easier, so I didn’t pay attention to the procedure.

    Anyone?

  13. Dan Tentler says:

    @Cookie Monster: I've had my luck purely with copying the entirety of the cookie and pasting it in. I guess technically if each value is a cookie, then it's multiple cookies, but it seems easy to just forklift it like I've described. I'd start by comparing the values side by side. My presumption is that whatever Facebook is using now will be the objective, so see what from that you can get with the directory method and see what else you need to fill in the gaps. Sorry I couldn't be of more help! Try it and report back your success! :D

  14. cookie monster says:

    Thanks, Dan. Here is my update:

    The only two cookies required are c_user and xs. In a non-TLS'd Wireshark capture, you will see that these are also present in the POST packet which is being alt-c'd into Firefox. The datr and lu cookies are not needed.

    At a file level, there is the additional problem that IE8 is storing non-persistent cookies in memory only. They simply do not exist on disk. I've noted this behavior on my test systems, which are clean VMs running IE8 with default values (no in-private filtering, etc.).

    I have also noted that – with Firefox and Chrome – the c_user and xs cookies are in fact available from disk. Maybe this is why your forklift was successful. I was also successful utilizing file data stored by these browsers.

    At this point, I am interested in either (a) finding a method to dump session cookies from RAM on a remote machine, or (b) forcing IE to write session cookies back to disk. Of course, any advice would certainly be welcome.

    Dan – I really enjoyed that YouTube video.

  15. Adel Ali says:

    I have a question that might be a bit dumb!
    I use the Firebug addon with Firefox, and when I tried to get the value of document.cookie, everything was there except the "xs", "datr", "lu" and "sct" cookie values. However, I found them in the request headers, which means that they get sent to the server, but they are hidden or excluded somehow from document.cookie.
    So, my question is, is this really possible?? I mean, is it possible to hide an active cookie from document.cookie??
    Thanks in advance

  16. Adel Ali says:

    Never mind about my previous question. I figured it out after some searching. Microsoft added the HttpOnly option to cookies in IE 6 SP1, it's available in all modern browsers, and cross-site tracing, which was discovered in 2003, is blocked by almost all modern browsers.
    Now my dumb question (as usual xD) is... is there a way to get "HttpOnly" cookies??? Any way??

  17. [...] messed around with Wireshark and Facebook hacking for a while now. Found a guide that I had a bit of a look at. Unfortunately (or luckily) I have no way of checking [...]

  18. cookie bread says:

    If I wanted to log back into a Facebook acct that I used Cookie Injector on, I can't. I only get the username, but no password. I followed the exact procedure the first time, but this time I can't get into the account. Why is that?

  19. froglets says:

    I want to check if my husband is doing something wrong and would like to catch this flirty bitch of his. He usually signs in to Facebook using my computer, and I wanted to be able to get into his account. I have all of his previous sessions in my history; please, please, please tell me what I should do to be able to enter his account.

    -leah

  20. kashan says:

    Thanks, I have hacked one of my friends on the LAN, thanksssss!!!

  21. George says:

    Very interesting and useful, this post.

  22. sumon says:

    good

  23. Treeva says:

    I am needing some help on hacking into a FB profile, can someone help me please?

  24. jared says:

    So I can't do this over the internet? They have to use the same network?

  25. Dan Tentler says:

    No.

  26. Dan Tentler says:

    This is a LAN-style attack, so you'd have to be on the same network – unless you control the uplink – in which case "you control their internet".

  27. Malishka says:

    CAN YOU HELP ME PLEASEEE!!!!
    When I copy and paste it and click OK, a message comes up saying "All cookies have been written". What am I doing wrong? Plss help asap!!!!!

  28. Dan Tentler says:

    That's what's supposed to happen.

  29. anahi says:

    Help me please... I'm following all the steps, but when I write http.cookie contains "datr" the filter bar turns red and it won't let me continue. Why is that happening?

  30. Dan Tentler says:

    If the filter bar turns red it means your syntax is incorrect.
    One way to proceed is to use tcpick instead of tcpdump or Wireshark; the syntax for pulling out cookies is much simpler.

    Another approach would be to try to use NetworkMiner; I'm pretty sure that can do it.
    If you're on Windows, you can just install Firesheep and that will work as well.

    This blog post was written BEFORE Firesheep existed, so things have gotten far, far easier.

  31. [...] techniques. However these cookies can be stolen using advanced hacking techniques (for example see this with Facebook and this with [...]

  32. kareem says:

    Question: how to sniff (Wireshark) another PC's packets when it is not on the same LAN?

  33. JamesBond says:

    One way to execute this attack is to not use wireshark, use a combination of javascript injection and php to collect the cookie. Say if you type this javascript injection, it will say Hello. Put alert(“Hello”); and load the cookie stealing script. I will have a site that does this automatically: sz7c39.x10.mx, but it will be password protected.

  34. Dan Tentler says:

    You have to be on the same lan for this style of attack to work.

  35. anyonymous says:

    IMPORTANT: be aware that you cannot access his account if your victim clicked "LOGOUT". Be aware that we are just hacking the sessions, and once the user logs out it destroys the session... To test this, don't click "logout"! Just clear your cookies in the browser :D

  36. carrumba says:

    Maybe you are interested in AyCarrumba (http://www.megapanzer.com/2012/06/07/fishing-passwords-with-aycarrumba/).
    It does ARP MITM, packet forwarding, session cookie sniffing, sniffing user credentials...

  37. freeEL says:

    Thanks. Great work!

  38. Josh says:

    I hope that this works

  39. Shanzid says:

    Why do you need Greasemonkey?
    I mean, you are not changing any source code or something.

  40. CountryGirl says:

    Would stealing the cookies still work if they’re connected to the wifi network on their phone?

  41. Shanzid says:

    This trick won't work anymore...
    It only works with HTTP connections; Facebook now uses a secure connection (HTTPS).

  42. bross says:

    Hi, I capture with the Wireshark program distributes cookies. I think the issue is related to packet filtering. I am using Wireshark version 1.10.2. But I can not find my search http.cookie distributes contains all the packages listed. And Edit > Preferences > under the filter expression is not limited to the long packets. Please help those who set the matter. And advice for network monitoring. tupsoft bigmother (arconsole) program. Pop accurate reading e-mails. Log records and the internet. Goodbye

  43. kiran says:

    How can we steal the cookie of a particular person?

  44. TN says:

    Why can't I capture any cookies with Wireshark now? 18/10/2013. Did they patch it or something? Thanks.

  45. Pentester says:

    Congratulations, you've just figured out how to hijack your own Facebook!

    FYI, if you're thinking you're going to hijack someone else's account through this method, think again..
    (Of course, unless you can run Wireshark on their computer without them knowing)

  46. Dan Tentler says:

    You’ve heard of tools like ‘ettercap’, right? Or other man in the middle tools?

  47. […] , programmer phishing is used but is not too effective, cookie grabbing works just like magic http://atenlabs.com/blog/how-to-… […]
