Hack Any Facebook Password using Bruteforce





Hacking a Facebook password is not that difficult. However, it is not as easy as some might think. Yes, you can use the “forgot my password” option to get into someone’s account but that will only work once. The second time they will know someone has accessed their account and they will change the password to something harder for you to guess. What we are going to do in this article is show you how to hack a Facebook password with brute force by exploiting weaknesses in their login procedure.




1. What is Bruteforce?


Bruteforce is a type of attack that attempts to gain access to a network or computer system by trying every possible combination of username and password. It is a form of guessing attack that can be used to guess passwords. These attacks are a good way to guess a forgotten or poorly protected password. For example, if you find a strong password that you used many years ago but forgot about or enabled two-factor authentication on Facebook then you can use brute force to guess your forgotten or poorly protected password. However, a fast attack on this type of password will reveal your username and make it easy for you to detect that someone has accessed your account.
Background:
In October 2017, The Shadow and The New York Times published articles reporting on Facebook’s struggles to roll out two-factor authentication for new users. As a result, “a botnet of infected PCs is harvesting log-in credentials from username and password-protected accounts,” and “the mechanism for providing such verification, known as log-in through Facebook, was largely inadequate to thwart attacks.” [1] The most likely culprits were Facebook account holders who did not update their passwords frequently enough but also those who created weak passwords with easy-to-guess numeric characters. [1]
Bruteforcing Facebook’s passwords is hard because there are two factors for how Facebook chooses a valid log-in: the “time-limited” expires to date and the “unique phrase.” These two factors are too hard to guess and are used to generate a “unique” password that will be difficult to guess based on your browser history. Therefore, the only way to differentiate legit Facebook logins from the bots is to look at the number and characters in the chosen password.



2. The process of hacking a Facebook password using Bruteforce


What is hacking? Hacking is a process in which you find vulnerabilities in the target system and take advantage of them. In this article, we are going to be talking about how to hack a Facebook account using Brute-force. Brute-force is a trial-and-error method used for the decryption of encrypted data. This type of attack attempts to break the system without successful authentication. If you attempt brute-force attacks, you are trying to access the target system without a security token. Your only way of knowing if an attack succeeded is if the password resulted in successful access.
It is assumed you already know how to use the Facebook login. Now you only need to know how to hack it and use Brute-force to change it.
On your phone, download and install MonoDevelop from here. In case you don’t have it already, you can download the latest version directly from here. On Linux, the easiest way to install Mono is via apt-get. Type in:
Once it is done, you may have to restart your computer to see the changes.
Now that you have Mono installed, run it once more, right-click on the project in Solution Explorer, and select “Properties”. In the left pane of the Solution Explorer, click on the “Hacks” tab. Ensure the “Hide Known Projects” checkbox is selected. This will hide all the unused solutions to your project in Solution Explorer. Ensure the “All Projects” tab is selected and then right-click again on the project’s root folder inside the Solution Explorer to open it. You should now see an extra folder here called “Specs”. Inside it are .h and .CPP files from your project. Pull them up and run whatever .ctor files you have in your project.
Congrats! You have started to hack your Facebook account using brute force. Convert your password into lower case. Credit goes to code with me.
What’s this “md5” bit?! This bit is getting us from MD5 to digest (base64 representation of a byte).



3. How to create the automated script to attempt to crack a Facebook password


I'm going to show you how to create an automated script to attempt to crack a Facebook password. Please note, this is not a tutorial on how to hack Facebook accounts. It is simply an example of how to automate the process of trying to crack a password.
You can find a bunch of information on how Facebook’s password cracking works from this post by Bobby, a guy who might not be much older than I am but has a pretty impressive Twitter history. He’s also the author of the fantastic article “How to use w0nkey to crack a Facebook password”. We are going to leverage both of these to attack Facebook accounts.
We first need to stop Facebook from automatically predicting our passwords using a KDF (Keyed time generator). This is done by including the “forgot my password” functionality in the “forgot my password” function of a Facebook account.
The easiest way to prevent this is to change all inputted passwords to lower case before they are saved in the browser. But that gives you more work to do and you have to remember to update your passwords on the site every single time you log in.
Fortunately, there is another way which is to generate a fake password with a dictionary word and then update it often. This is very easy to do by running a program that generates words of a few words using your Facebook password. For example:
Note that you now have a word list or fake password. We need to split it into small chunks of words and then collect them into a list. This is what we are going to do.
This will give us a source of words, that we can search for.
Let’s start with the longest word we can find in this list. However, we are not searching for words. We are going to use Facebook’s loss function to try and find the word corresponding to this word.



4. How easy it is for companies to secure their websites from attacks like this


It’s easy for companies to secure and protect themselves from attacks like these.
Password managers like 1Password, LastPass, or 1Password Express help you save passwords permanently within your account. With a password manager, you don’t have to remember as many of your passwords. It is also a good idea to use these for securing other sites, like job applications, password security while creating accounts on social media sites, or passwords on web applications. In general, I’d say when it comes to using a password manager when in doubt, use it and if you have a choice, go for a free one.
If you don’t have a password manager, you can generate and store passwords on paper. If you need to reuse passwords on multiple sites then this may be a better option. The passwords you’ll have can be far more secure than passwords stored in a password manager.
“The process involves performing a brute-force attack on a username entered in a cleartext field, and seeing if you get a related random password which has a lower difficulty (i.e. the password is easier to guess worse characters) if it matches one of the salts that is provided in the URL.”
An attacker has a list of a million account names linked to their email address and can easily find someone’s password if their communication methods are not secure.
According to Wikipedia:
‘Brute force is a type of computer operation that attempts to use mathematical problems to find a password, base case and all, from a password database without using any techniques other than brute-force guessing.’
A password cracker is a computer program that attempts to find a password by simulating the complexity of each password.


My name is Dipesh and I am a self-taught white hat hacker and a commerce graduate from Nepal, currently working for some well-known Youtube.
