Facebook Hacking Using WireShark Tutorial|Cookie Stealing



This is an advanced level facebook hacking tutorial where we’ll be using a packet sniffing tool called wireshark. We’ll use this tool to capture Cookies of our victim. But first, let’s get familiar with cookies.

A cookie is a small piece of data sent from a website and stored in the user’s web browser while the user is browsing it. Every time a user loads a website, the browser sends the cookie back to the server to notify the user’s previous activity.

Think of it as a Pass you need to enter a party. Without the pass you can’t enter the party. That pass is an identity of who you are. Every time you enter in and out of the party (connect to the facebook server) you need to show the pass (cookie). Now, what we’re gonna do is, Steal that pass(Cookie) and visit the party(Facebook). This way the bouncers/party owner (Facebook Server) will have no idea if it’s the real owner of the facebook account or not. And to steal that pass(Cookie), we’ll be using a tool called WIRESHARK.


Keep in mind that to perform this attack, you’ll need to be connected to the same network as the victim.


However, there is big problem here. Facebook connects to its server with an HTTPS protocol. Which means the cookies are encrypted and even though we capture the traffic with wireshark, we won’t be able to get the cookie.

Few years ago this wasn’t a problem as you could browse Facebook in an HTTP connection.

But, no worries because we’ve got another tool called SSL STRIP which can make our victim connect to Facebook with an HTTP connection instead of HTTPS connection.

SSL STRIP is available only on Linux

Let’s Get Started

1. SSL Strip


Before we run SSL Strip the following tools must be installed.

a. Python >= 2.5 (apt-get install python)
b. The python “twisted-web” module (apt-get install python-twisted-web)


Download SSL Strip from here and save it in your system. Browse to the folder where you saved SSL Strip, right click on it and open Terminal. Run the following commands.

a. tar zxvf sslstrip-0.9.tar.gz
b. cd sslstrip-0.9

Running sslstrip

a. Flip your machine into forwarding mode.
echo “1” > /proc/sys/net/ipv4/ip_forward

b. Setup iptables to redirect HTTP traffic to sslstrip.
iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port <listenPort>

Run sslstrip.
sslstrip.py -l <listenPort>

Run arpspoof to convince a network they should send their traffic to you.
arpspoof -i <interface> -t <targetIP> <gatewayIP>

Here’s a great tutorial on SSL Strip

2. Packet Sniffing With WireShark

First, download Wireshark from here and install it. Once you’ve installed it, run wireshark. From to toolbar menu, select Capture and click on Interfaces.

start wireshark

Choose the interface through which you are using the internet. If you don’t know which interface you’re using then simply select the one which has packet transfers going on. Select it and click on start. Now we’re starting to capture all the traffics.

wireshark capture

Make sure you’re on capturing in promiscuous mode. To check, Capture on the toolbar menu and click on Options. Select Use promiscuous mode on all interfaces and click on start.

wireshark - use promiscuous mode

Keep the wireshark running and capture as many packets as possible. I recommend capturing for about 10-15 minutes. Then go to wireshark and on the search bar type “http.cookie“.

Watch this video to make yourself more clear

3. Injecting Cookies on our browser

Now that we’ve successfully captured our victim’s facebook cookies, we’ll now inject it in our browser. For that we’ll need some browser extension. In this tutorial, I’ll be using Firefox and an extension called FIREBUG.

You can install Firebug from here.


Now that we’ve firebug installed on our browser, we’ll visit www.facebook.com and run Firebug. Click on cookies and create cookies.


Create two cookies “xs” and “c_user” and enter their value.

creating cookies 2creating cookies 1

Finally, Refresh the browser and there you have it !

Once the user logs out, the cookie we stole will no longer work.