How To Steal Facebook Password Using Cain and Abel and SSL Strip



This is an advanced level Facebook Hacking tutorial where we’ll be using a tool called Cain & Abel along with another Linux tool called SSL STRIP. We’ll use these tools to Steal Password of our victim when he or she tries to login.

This type of method is similar to the one I demonstrated in the previous article where we stole our victim’s Facebook cookies and hijacked their Facebook session. But instead of stealing cookies, in this tutorial, we’ll steal facebook password itself!

Stealing Facebook cookies and hijacking the session will only last as long as the user is logged in. The moment the user logs out we won’t be able to access the victim’s facebook account. But if we steal facebook password itself then we have a complete control over the victim’s Facebook account.

The only bad side of this attack is we need to keep capturing the victim’s traffic until and unless he/she logs in to Facebook. Whenever the victim logs in to his or her Facebook account, we’ll steal facebook password with Cain & Abel. We cannot capture their password if they are just browsing facebook.


Methodology Summary

In this Facebook hacking attack, we’ll be performing a Man In the Middle Attack using Cain & Abel and ARP spoofing with SSL Strip. Which means every request the victim sends or receive from the Facebook server will go through our computer. And hence, we can capture every data like Facebook password, cookies etc.


However, there is big problem here. Facebook connects to its server with an HTTPS protocol which means the password is encrypted. And even though we’ll be listening to every request between our victim and Facebook server we won’t be able to understand the traffic. Think of it like listening to two Japanese speaking, you can here every bit of conversation but you don’t understand a thing (of course if you aren’t Japanese).

Few years ago this wasn’t a problem as you could browse Facebook in an HTTP connection.

But, no worries because we’ve got another tool called SSL STRIP which can make our victim connect to Facebook with an HTTP connection instead of HTTPS connection.

Let’s Get Started

1. SSL Strip

SSL Strip is a great tool which we can use to force our victim to communicate in http connection. However, it’s only available on Linux OS! Before we get on installing SSL Strip, we first need to download the following. I have listed the Linux command to download along side them.

a. Python (apt-get install python)
b. The python “twisted-web” module (apt-get install python-twisted-web)


Great! Now download SSL Strip from here and save it on your system. Browse to the folder where you saved SSL Strip, right click on it and open Terminal. Run the following commands.

a. tar zxvf sslstrip-0.9.tar.gz
b. cd sslstrip-0.9

Running SSL Strip

a. Flip your machine into forwarding mode.
echo “1” > /proc/sys/net/ipv4/ip_forward

b. Setup iptables to redirect HTTP traffic to sslstrip.
iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port <listenPort>

c. Run sslstrip. -l <listenPort>

d. Run arpspoof to convince a network they should send their traffic to you.
arpspoof -i <interface> -t <targetIP> <gatewayIP>

Here’s a very good tutorial on SSL Strip

2. Cain & Abel To Steal Facebook Password

1. Download Cain and Abel from here and run the application. Don’t worry if it shows any warning about windows firewall.

2. Now, turn on the sniffer by clicking on the Green button at the top.


3. Now go to sniffer tab and click on the big blue plus sign to scan all the Mac Addresses and IP addresses on your network. A new dialogue box will pop – choose “All hosts on my subnet” and select “OK”.


4. It’s time to perform the Man In the middle attack. For that, Click on the APR tab at the bottom and then click on the white area in the top frame. This will activate the blue “+” sign.

5. Next click on the “+” sign which will show the list of hosts on your network. Select the host(s) whose traffic you want to intercept and on the right table choose the default gateway.


In example below, let’s suppose is the host whose traffic I want to intercept. Then I will click on at the left table and on the right I will choose my default gateway ( You can choose to intercept traffic of multiple hosts.

5. Finally, click the Yellow Button beside the sniffer button. Now it will start poisoning the routes in a short span of time and you would start to see traffic being captured by Cain and Abel.


6. After some time, if the victim has logged into facebook from the computer whose traffic we are intercepting (, then you can see his/her facebook username and password on the passwords tab at the bottom.


That’s it! If the victim logs in while you’re capturing his traffic then you’ll be able to steal facebook password from Cain & Abel.