Thanos Stantzouris Industrial Engineer & Web Developer

Hello to all the Duthcoders out there!!! It has been a long time since my last article/tutorial writeup and I feel sorry for that... You see... I was bored! :) It happens to me a lot, you will get used to it!

But worry not! I am back with an article/tutorial about the most frequent noob question in Hacking history! Can you hack a <insert social media of your choosing> account man?
The Answer: Yes... Yes, I can! But... it's a difficult process as it is not only just command typing and boom you are in! You need human interaction in a way or another, you will get what I am saying in a while! Keep reading, don't be bored!

In this artictorial (article/tutorial get it?) I'm gonna give you all the essential knowledge and tools you need to know in order to perform a social account hack! Please don't hack another person's account. It is illegal! Unless you are the NSA, then it's cool! 

WHAT YOU NEED BEFORE WE START :

You are all set! Let's begin the artictorial!

 

Social media hacking needs social engineering

You see, hacking social media accounts is a violation of the Computer Fraud and Abuse Act, and not only that it also breaches a fair amount of state impersonation, privacy, and internet law statutes. Do you know what that means in simple terms? You will go to prison, plain and simple.
So, imagine if hacking social media accounts were just a few basic keystrokes away? The prisons would be a huge LAN party! LOL!

Actually... A few years back hacking social media WAS a few keystrokes away, because the login forms where bruteforcable, that means that you could try guessing a user's password just like we guessed the WPA2 password in Crack WPA2 with Kali Linux , and it worked! Because apparently, your best friend's ex Nicole thought that nicole1996123 is a strong password.
Unfortunately, guessing a social media password is not possible anymore, they have attempts now! 3 Strikes and you are out!

...Wait a minute... there are a lot of websites out there that don't have this type of mechanism, and a lot of people who reuse their passwords. What I am trying to tell you is that you could easily try bruteforcing a target's password on some other, less defensive, website login form and then try re-using the same email/password combination on any of your targets Social Media accounts. But that is another tutorial on its own, less fun in my opinion!

Now is the time to ask you. Why guess one's password when you can make him give it to you?
This is where social engineering comes to play. In information security, social engineering is an act of psychological manipulation of people into performing actions or divulging of confidential information. In plain English, you make people give you their password without them knowing. Social engineering is one of the core skills a person must master before he starts calling himself a hacker.

 

Phishing for credentials

Phishing is a cyber social engineering attack that uses email as a weapon. The goal is to trick the email recipient into believing that the message containing a link is a legit email from the social media company that you want to acquire access to.
Here is a real-life scenario, let's say that your best-friend challenged you to hack his Instagram account, and also gave you his consent (because hacking without consent is ILLEGAL). You now have to start gathering information about your friend's internet activity (I'll call him John). Since he is your best friend in the whole entire world you tend to know almost everything about him. For example, you know that John is addicted to playing League of Legends and he would do anything to acquire a free skin for his favourite character. Now that is a great start!

What do we do now that we have gathered all this information?

In order to strategize a successful phishing attack, you have to do the following:

  1. Create a Website that looks believable
  2. Setup a local server (don't get discouraged I'll show you how to do that)
  3. Make that local server available throughout the whole entire internet
  4. aaaaand WAIT!!! (Being patient is a virtue for a master hacker)

 

The following diagram pretty much sums up the attack I am going to be demonstrating in a few paragraphs from now.

 

Phishing Attack Diagram


WARNING! Some pretty illegal stuff is about to be taught! DANGER DANGER!!! Unless you are NSA that is.

 

STEP 1 | Constructing the evil website

For this part of the attack I am going to :

  • Copy the league of legends website and download it to my machine
  • Change its Front End in order to promote a Free Skin

In case you are all like "Oh shit I hate Web Dev this shit is boring", I am going to leave a GitHub link with all the constructed code for you to download.

For the website copying, we will be using the excellent website cloning tool HTTrack that comes pre-installed with our Kali Linux Distribution.
HTTrack takes any website on the internet and saves a replica on your hard drive, It is that simple.

We will be cloning the following website: https://eune.leagueoflegends.com/en/
I chose this link for a reason, in this section of the League of Legends website you can find the news, therefore I can add a new news-card and make it look absolutely legit! The website right now (May/03/2019) looks like this:

 

league of legends website

 

Let's clone this.

Open up a Kali Linux terminal and write this command :

root@kali:~# httrack --help

HTTrack version 3.49-2
	usage: httrack <URLs> [-option] [+<URL_FILTER>] [-<URL_FILTER>] [+<mime:MIME_FILTER>] [-<mime:MIME_FILTER>]
	with options listed below: (* is the default value)

General options:
  O  path for mirror/logfiles+cache (-O path_mirror[,path_cache_and_logfiles]) (--path <param>)

Action options:
  w *mirror web sites (--mirror)
  W  mirror web sites, semi-automatic (asks questions) (--mirror-wizard)
  g  just get files (saved in the current directory) (--get-files)
  i  continue an interrupted mirror using the cache (--continue)
  Y   mirror ALL links located in the first level pages (mirror links) (--mirrorlinks)

Proxy options:
  P  proxy use (-P proxy:port or -P user:pass@proxy:port) (--proxy <param>)
 %f *use proxy for ftp (f0 don't use) (--httpproxy-ftp[=N])
 %b  use this local hostname to make/send requests (-%b hostname) (--bind <param>)

Limits options:
... more help options

 

If you get the upper result that means you are ready to go! The command we will need next is:

root@kali:~# httrack https://eune.leagueoflegends.com/en/ -O Desktop/evil_LOL

WARNING! You are running this program as root!
It might be a good idea to run as a different user
Mirror launched on Fri, 03 May 2019 11:50:07 by HTTrack Website Copier/3.49-2 [XR&CO'2014]
mirroring https://eune.leagueoflegends.com/en/ with the wizard help..
* https://eune.leagueoflegends.com/en/news/game-updates/special-event/learn-more-trials-event (76099 byte* https://eune.leagueoflegends.com/en/news/game-updates/special-event/welcome-mid-season-trials (73666 by* https://eune.leagueoflegends.com/en/news/game-updates/special-event/trials-animated-trailer (0 bytes) -* https://eune.leagueoflegends.com/en/news/game-updates/special-event/trials-animated-trailer (0 bytes) -^A* https://eune.leagueoflegends.com/en/news/esports/esports-editorial/2019-mid-season-invitational (0 by* https://eune.leagueoflegends.com/en/news/esports/esports-editorial/2019-mid-season-invitational (0 byte* https://eune.leagueoflegends.com/en/news/riot-games/editorial/latest-little-demon-tristana (0 bytes)... ... ... MORE OF THIS NON-STOP HACKY TEXT

 

This command begins the cloning process and it will not stop until it has completely cloned the entire website! The -O Desktop/evil_LOL command says to the HTTrack to save the results to the Desktop inside a folder called evil_LOL.
Since we only want the news.html file we don't have to wait for the entire Website cloning process. Imagine trying to download the entire Facebook Website content while only needing the Log-In page...Not wise.

My results:

I opened the :

/Desktop/evil_LOL/eune.leagueoflegends.com/en

directory and I found the news.html file that I wanted. Everything else is kinda useless to me at the moment.
 

Kali linux HTTrack result folder
 

By opening the news.html we witness the greatness!
 

League of Legends Clone

 

If you have successfully followed every single step you have every right to feel proud about yourself because you have cloned a website with a click of a keyboard key!

Unfortunately... For this tutorial the cloning was the easy step :) Now we need to code inside the website a fake news post and create a catchy link ready to redirect the user to an Instagram page clone ready to steal credentials!
Of course, I am not expecting from you to know any web development and this is not a WebDev tutorial, therefore you can find any code you need in this cool named GitHub Repository

 

Setting up the Apache2 server

Since we are already to a Kali Linux machine we don't really need to do anything extra for the Apache2 Server configuration as it is already configured! But to be sure run the following command:

service apache2 start

Now if you open a Firefox window and type localhost in the URL you should be redirected to the Apache2 Debian Default Page.
I'm pretty sure that, so far, every step has stuck together just perfectly!

For my next trick!!! I will be opening my evil coded clone to your firefox tabs! STEPS AHEAD:

  • Go to the Apache2 home directory and git clone the directory
cd /var/www/html 
git clone https://github.com/athanstan/Duthcode-LOL_insta_theft-artictorial.git
  • Check the directory
root@kali:/var/www/html# ls Duthcode-LOL_insta_theft-artictorial/

custom-includes  index.php  main.css  news.html  README.md

What we did was take the GitHub repository and save it on the Apache2 server local directory! Now by opening a firefox tab and typing localhost/Duthcode-LOL_insta_theft-artictorial/index.php you should see this :


League of Legends HTTrack Clone with Kali Linux


A mobile-friendly masterpiece, I know! Yes, this is a GIF of the Ezreal Pulsefire Skin. If you want to sell something to someone it must be at perfect condition, doesn't it? This is going to be our main bait for the Instagram account we want to steal!
If you click on the LOGIN WITH INSTAGRAM link a login box will be slid down beautifully asking your target to fill in his/hers Instagram credentials to claim the free skin!

But he is in for a big surprise! The form that appears is coded in such a way that when submitted it logs the credentials on our project folder inside a .txt file called creds.txt. The file will be created on its own, don't panic if you do not find it! 

Here is a live example of the attack working perfectly in my machine.


Instagram Stealer Project Gif


As you can see (not very clearly, but I am working on it I promise) a login form is slid open when I click the LOGIN WITH INSTAGRAM link. This is where the victim will fill in his credentials. Once he has successfully filled in the form he will submit it! This is where it gets cool! Once he clicks the Log In Button a PHP script is being triggered where it creates a file called creds.txt and stores the victim's credentials but also redirects our victim to the real Instagram page, just to confuse him and make him think that he probably entered his creds wrongly or something like that.
A Warning: sometimes kali linux won't let you write to a file. if that happens Change permissions of your creds.txt file and you will be set.
I am not going to dive into the code, as I have aforementioned, because this is not a programming tutorial. But i am going to leave the repository link for all of you to download and play with it.

Github Link of the C O D E

Before you get all judgy and be like "Oh my god what a shitty code nahnahnah" Remember!!!

Honest work Meme

 

FINAL STEP | Make your website available online

Let's recap! So far we have successfully constructed a website-clone containing a tasty bite for our victim, we also have set up our local server. But there is a problem. Since the website is stored in our local machine by default it is only available to our LAN network. Our Victim is in his house chilling and playing lol... How on earth could we easily make our website available online and send it to him?

Introducing the star of our show: Ngrok - secure introspectable tunnels to localhost

How it works: You download and run a program on your machine and provide it with the port of a network service, usually a web server.
It connects to the ngrok cloud service which accepts traffic on a public address and relays that traffic through to the ngrok process running on your machine and then on to the local address you specified.

In plain words, you specify the port of your local server and make it available online through a secure tunnel! THAT COOL!
Once you have downloaded the ngrok.exe well... open it and type

ngrok http 80

ngrok by @inconshreveable   
(Ctrl+C to quit)                                                                            
Session Status        online
Session Expires       7 hours, 55 minutes
Update                update available (version 2.3.29, Ctrl-U to update
Version               2.2.8
Region                United States (us)
Web Interface         http://127.0.0.1:4040
Forwarding            http://1fd8b1dc.ngrok.io -> localhost:80
Forwarding            https://1fd8b1dc.ngrok.io -> localhost:80

 

As you can see our online link of our localhost is https://1fd8b1dc.ngrok.io and since we want to access our League of Legends clone project it's https://1fd8b1dc.ngrok.io/Duthcode-LOL_insta_theft-artictorial/ that is a bit sketchy.
With a little help from TinyURL.com, we finally are left with https://tinyurl.com/y29a5yfv that is a lot better.

Now you can easily send a cool URL to your friend and steal his Instagram account credentials.

 

Final Thoughts

This is what it takes guys. No less! Sometimes maybe more even. When you want to hack a Social media account you need to be clever, learn about the victim's everyday life, try to understand him and most importantly find out what he desires the most. This arctictorial was just a single case! It changes from person to person but with what I gave to you, you get the basic idea along with some very powerful tools!  Sometimes hacking can be very time consuming, it takes patience I'll never stop saying that. No one has ever woken up being a hacker. A true hacker works his ass off every day thinking about smart ways to get around the System and like a professional chess player see all the possible outcomes before he makes a move!

I hope you loved it and that you already have thought of a way to make the attack better!


That was it! Thank you for reading! If you liked that article here are some other articles that you will most definetely love:

 

You can show your support by liking our Facebook Page ! Support our efforts on Ko-Fi ! And you can get in contact with us either by sending us a message on Facebook or via the e-mail on the footer of the Page!

Thanks again! Have a lovely day... Or night!