• Open up wireshark
  • Goto capture – > Interfaces in the top menu and select your interface. It’s usually the one which has an IP address and  a certain number of packets flowing through it.
  • Next goto capture and click on start.. It should look something like this

This window has all the packets sent from the victim’s/victims’ computer to the router and all the packets sent from the router to the victim.
Next in the filter type  “http.cookie contains datr”.  You ask why? Because, when a user logs in to facebook, he is given some cookies which is unique to him. If we replace our cookies with the victim’s cookies, we can login to his account as then facebook wont know the difference.

You now have the cookies. To get the information stored in the cookies,  right-click on any one of the cookie and click on Follow TCP stream.

In the TCP stream look for the line  Cookie: ( and all cookie names). If it doesn’t come, select some other packet in wireshark and click on follow tcp stream for that. You can see the source IP and destination IP in wireshark. So if you have more than one source IP , then you know you have the cookies of more than one account on your LAN. This is what I got when I did it.

So now you have it :D . The datr cookie, c_user cookie, lu cookie, sct cookie, w cookie and xs cookie. These are the main cookies you need.
Now open firefox and goto http://www.facebook.com. Once there, click on cookies in the web developer add on which you had installed in the last post. Then do the following
  • ·         Clear session cookies
  • ·         Delete domain cookies
  • ·         Delete path cookies.

IMPORTANT: Once you do this, again type http://www.facebook.com in the URL and click enter. Basically you are reloading facebook after deleting all cookies.
Now login to your account with your username and password. After logging in , click on cookies in web developer add-on and click on “view cookie information”.
And there you have all your cookies :p. Now what to do?! I guess you know it by now. !
Click on “edit cookie” for each cookie there and replace the cookie value with the value you got through wireshark.
If you did not get all the  cookies in wireshark its OK! But mainly, you should look to replace the datr cookie, c_user cookie, lu cookie, sct cookie, w cookie and xs cookie.



After replacing all the  cookie values with the ones you got in wireshark, just refresh the facebook page. And thats it! You are in to the victim’s account! You have HACKED a facebook account on LAN.:D
  +