The ability to hack Instagram password has never been easier. This service is a universal tool to hack password and get access to another person’s Instagram account online. No need to have proficient computer skills – This software will do everything you need.
Newer version available (2.0.7)Last released:
Slick Instagram brute force command line tool writen in python.
Project description
Instagram-Py
Instagram-py performs slick brute force attack on Instagram without any type of password limiting
—DeathSec
Why?
I Actually started this project for proof of concept that we can brute force Instagram forever.
When I created the prototype and posted on Twitter , I got a lot of people who wanted a simple slick tool to execute
brute force attack on Instagram , So I thought why reinvent the wheel?….
So I searched Github and found nothing worth value , some were fake or poorly engineered!
And here it is a Authentic brute force tool for Instagram
How?
We use , tor to change our ip once blocked for many tries and continue attack.
Since the official api is not a hacker wants, So we use the InstagramAPK signature to stay anonymous!
And we also save the progress so that even in network interuption we can avoid breaking the computer!
See the ‘Algorimthm’ section down below for more hackery!
What?
Instagram-Py is a simple python script to perform basic brute force attack against Instagram ,
this script can bypass login limiting on wrong passwords , so basically it can test infinite number of passwords.
Instagram-Py is proved and can test over 6M passwords on a single instagram account with less resource as possible
This script mimics the activities of the official instagram android app and sends request over tor so you are secure ,
but if your tor installation is misconfigured then the blame is on you.
Depends on: python3 , tor , requests , requests[socks] , stem
Installation
using pip to get Instagram-py
Make sure you have got the latest version of pip(>= 9.0 and python(>= 3.6)
Configuring Instagram-Py
Open your configuration file found in your home directory , this file is very importantlocated at ~/instapy-config.json , do not change anything except tor configuration
The configuration file looks like this
api-url : do not change this unless you know what you are doing
user-agent : do not change this unless you know your stuff
ig-sig_key : never change this unless new release, this is extracted from the instagram apk file
tor : change everything according to your tor server configuration , do not mess up!
Configuring Tor server to open control port
open your tor configuration file usually located at /etc/tor/torrc
search for the file for this specific section
uncomment ‘ControlPort’ by deleting the # before ‘ControlPort’ , now save the file and restart your tor server
now you are ready to crack any instagram account , make sure your tor configuration matched ~/instapy-config.json
Algorithm
Instagram-Py uses a very simple algorimthm for checking passwords efficiently , this section is dedicated for those whowish to recreate this program in any other language.
What we do
Step 1: Get the magic cookie , which is used to verify device integrity!
Getting the magic cookie is the simplest job , all we need to do is send a get request to https://i.instagram.com/api/v1/si/fetch_headers/?challenge_type=signup&guid= , where the guid get parameter is a random 32 character string.The random 32 character string can be generator using python’s simple uuid library , to be specific v4 of UUID.So finally we just have to request the url https://i.instagram.com/api/v1/si/fetch_headers/?challenge_type=signup&guid=800e88b931bf491fa3b4a7afa4e679eb and get the cookie named csrftoken , if we observe the response header wecould see that our cookie only expires next year the same day. So by this we only have to make this request onceand can use it for a year! How vulnerable is that?…
Step 2: Build a post request with Instagram’s signature.
This part is simple but may be difficult to setup , first i need to get instagram’s signaturewhich is only present in their free apk from google play , Remember our Strength can be our Weakness, All i have to do reverse engineer the apk and find the signature, lets call it ig_sig.
Instagram uses HMAC Authentication for login stuff, so lets use python’s hmac library.But first we have to build our body which will be encoded in json for it to actually sign withig_sig , So the post body looks likes this…
![Hackear instagram sin verificar Hackear instagram sin verificar](https://i.ytimg.com/vi/B7Pb_qpGSOs/maxresdefault.jpg)
The above will be encoded to JSON , So to test the password we have to post the data to this urlhttps://i.instagram.com/api/v1/accounts/login/ig_sig_key_version=4&signed_body=<SIGNED BODY>.<URL ENCODED JSON DATA> .
<SIGNED BODY>: using HMAC , sign our json encoded data with ig_sig and return a hexa value.
<URL ENCODED JSON DATA>: the same data in json but we url encode so that it goes properly to insta!
So to test a account with username as USERNAME and password with PASSWORD we simply request thisurl https://i.instagram.com/api/v1/accounts/login/ig_sig_key_version=4&signed_body=bc90e1b7d430f39152e92b4e7d517bfb231dbe0515ed2071dc784cf876e301c3.%7B%22phone_id%22%3A%20%2232abb45c-f605-4fd7-9b5e-674115516b90%22%2C%20%22_csrftoken%22%3A%20%22PyMH2niVQrk41UIBW0lKilleG7GylluQ%22%2C%20%22username%22%3A%20%22USERNAME%22%2C%20%22guid%22%3A%20%2267ca220c-a9eb-4240-b173-2d253808904d%22%2C%20%22device_id%22%3A%20%22android-283abce46cb0a0bcef4%22%2C%20%22password%22%3A%20%22PASSWORD%22%2C%20%22login_attempt_count%22%3A%20%220%22%7D
Take a look how I did it…
Step 3: With the json response and response code , we determine the password is correct or wrong.
if We get response 200 then the login is success but if we get response 400 , We inspect thejson data for clues if it is the correct password or invalid request or too many tries.So we inspect the message from instagram json response!
Message = Challenge Required , then the password is correct but instagram got some questions sowe must wait until the user logs in and answer the question and if we are lucky they will not changethe password and we could login in later(Most of the time people won’t change the password!)
Message = The password you entered is incorrect. , then the password is incorrect for sure , tryanother.
Message as something like word invalid in it then , some other error so just try again, can happenbecause of wordlist encoding error which i ignored because all the worldlist have encoding error!
Message = Too many tries , Time to change our ip and loop but we don’t want to change our magic cookie
Thats it you just hacked instagram with a very simple algorithm!
License
The MIT License,
Copyright (C) 2017 The Future Shell , DeathSec
Release historyRelease notifications
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
2.0.0
1.3.3
1.3.2
0.3.2
0.3.1
0.2.1
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Filename, size & hash | File type | Python version | Upload date |
---|---|---|---|
instagram-py-1.3.3.tar.gz (22.0 kB) | Source | None |