When you do penetration testing it is useful to become “friends” with the employees of the target organization to gather information and perhaps slip a spiked link or two to an employee in the hope that the user clicks and executes its content. However, it is quite tedious to manually clone a Facebook profile (a lot of copying and pasting, downloading and re-uploading of images, etc.) and pose as one of the target organization’s employees. Luckily there is now a tool available to automate the task.
FBPwn (Facebook Pwn; “pwn” is slang for owning, i.e. taking control over, a resource) is an application written in Java that downloads a target profile and, if one so chooses, clones the acquired information into a new Facebook profile.
First you need to create a Facebook profile which will be used to access the data and which, if chosen, gets its profile information, including pictures, replaced with the target’s. You can also make FBPwn send friend requests to the cloned profile’s Facebook friends, and more often than not the friends will accept the friend requests because they come from someone they “know” (same name and picture as someone they know). The tool has, even at this early stage of development, quite a few tricks up its sleeve and I will go through each of them here.
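The reason the friend requests get accepted is that people match on name and picture, not on the numeric profile ID. The defensive check that follows is an added example written for this post; it is not part of FBPwn or the original article. It flags incoming friend requests whose display name matches an existing friend under a different profile ID, and strengthens the finding when the profile picture is near-identical. The names, IDs and hash values are constructed, and the avatar hashes are assumed to be 64-bit perceptual hashes computed elsewhere.

```python
"""Flag incoming friend requests that look like clones of people already in a
friend list: the same display name as an existing friend, but a different
profile ID, optionally backed by a near-identical profile picture.
Constructed sample data; avatar hashes are assumed to be 64-bit perceptual
hashes computed elsewhere and are made up for this example."""
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    profile_id: str   # numeric ID as seen in profile.php?id=...
    name: str         # display name as shown on Facebook
    avatar_hash: str  # 16 hex chars, assumed precomputed perceptual hash of the picture


def normalize_name(name: str) -> str:
    """Fold case, strip accents and collapse whitespace so that
    'Ünal  Öztürk' and 'unal ozturk' compare equal; a cloner may reuse
    the name with small cosmetic changes."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(without_marks.casefold().split())


def hamming_distance(hash_a: str, hash_b: str) -> int:
    """Number of differing bits between two hex-encoded hashes of equal length."""
    if len(hash_a) != len(hash_b):
        raise ValueError("hashes must have the same length")
    return bin(int(hash_a, 16) ^ int(hash_b, 16)).count("1")


def clone_candidates(friends, requests, max_avatar_distance=10):
    """Return (request, matching_friend, reasons) for every request whose name
    matches an existing friend under a different profile ID.  A request from
    the friend's own ID (e.g. a re-sent request) is not a clone."""
    by_name = {}
    for friend in friends:
        by_name.setdefault(normalize_name(friend.name), []).append(friend)

    findings = []
    for req in requests:
        for known in by_name.get(normalize_name(req.name), []):
            if known.profile_id == req.profile_id:
                continue
            reasons = [f"same name as existing friend id={known.profile_id}"]
            distance = hamming_distance(known.avatar_hash, req.avatar_hash)
            if distance <= max_avatar_distance:
                reasons.append(f"profile picture hash within {distance} bits")
            findings.append((req, known, reasons))
    return findings


# Constructed sample data: IDs, names and hashes are made up for this example.
FRIENDS = [
    Profile("100001", "Ünal Öztürk", "a1b2c3d4e5f60718"),
    Profile("100002", "Alice Smith", "0f0f0f0f0f0f0f0f"),
]
REQUESTS = [
    Profile("100009", "unal  ozturk", "a1b2c3d4e5f6071b"),  # cloned name, near-identical picture
    Profile("100002", "Alice Smith", "0f0f0f0f0f0f0f0f"),   # existing friend re-sending a request
    Profile("100010", "Bob Jones", "ffffffffffffffff"),     # unknown person, no name match
]

if __name__ == "__main__":
    for req, known, reasons in clone_candidates(FRIENDS, REQUESTS):
        print(f"suspicious request from id={req.profile_id} ({req.name!r}): "
              + "; ".join(reasons))
```

Only the first request is reported: its name normalizes to the same string as an existing friend, its profile ID differs, and its picture hash is two bits away from the friend's. The re-sent request from the real account and the unknown name produce no finding.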
Getting FBPwn
You can download FBPwn from the Google Code project site. As it is written in Java it will run practically everywhere Java can run. Here I will go through version beta-0.1.6, which is the latest release at this moment.
First off we download it:
Then we unpack it and execute the “run.sh” script (OS X, Linux) or “run.bat” (Windows). You will be greeted with the following screen:
Using FBPwn
First you need to configure one or more Facebook profiles to be used to access the profile you want to attack. These profiles need to be created separately from this tool, and the profile language needs to be set to English for FBPwn to work at this stage.
Select one of the accounts you want to use for the next step and click on the “Attack !” button.
Friend URL: The URL of the Facebook profile you want to target. For example: http://www.facebook.com/profile.php?id=100001638343979
At the moment FBPwn has the following attack methods (plugins):
- Add Victims Friends: Add the target profile’s friends to the configured profile.
- Check Friend Request Task: Ask to become friends with the targeted profile.
- Dump Friends Task: Download the target profile’s list of Facebook friends.
- Dump Images Task: Download the images from the target profile.
- Dump Info Task: Download the target profile’s information.
- Dump Thumbnail Images Task: Download the target profile’s thumbnail images.
- Dump Wall Task: Download the target profile’s wall postings.
- Profile Cloner Task: Clone the target profile into the configured account.
Once you have selected the modules you want to use click on the “Lunch Attack” button.
The “Monitor Submitted Tasks” tab will show the progress of the selected tasks.
Do note that Facebook’s Terms of Use actually forbid many of the things FBPwn does, for example under section 4 (Registration and Account Security), items 1 and 2. You have been warned.
1 comment:
Hmmm... doesn't seem to work. The profile I created stayed the same. Blank.