InstaBrute - Instagram bruteforce exploit module.

It's a nice tool to write as a programming assignment for learning how to send requests, read a file and maybe use loops. But beyond that there's nothing to it, it doesn't work. Brute forcing to retrieve a password these days is useless; this would have been very valuable around 2001 to maybe 2006, back when people were still using the word "love" in their passwords. These days they force you to mix capital letters, numbers and special characters, no way you would brute force that. And to make things worse, all the top networks these days use two-factor authentication. Unless you have the phone of the person you want to mess with, forget about getting into their account.

The only way that works these days is social engineering; I include phishing in this category because you must get the page to the person. This still works like 90% of the time.

The problem is many people want to be hackers but think that when hacking they'll just make a first try and succeed in penetrating right there; that's the issue. It will take time, it depends on the length of the target's password: the longer their password is and the more it combines different characters, the longer it will take you to crack their account.

So yea, if you're a hacker, learn to be PATIENT.


Can you really wait 292 years to brute force a 128-bit key??
 
> The problem is many people want to be hackers but think that when hacking they'll just make a first try and succeed in penetrating right there; that's the issue. It will take time, it depends on the length of the target's password: the longer their password is and the more it combines different characters, the longer it will take you to crack their account.
>
> So yea, if you're a hacker, learn to be PATIENT.
Brute force in 2017.
Have you tried it, or did you just copy and paste it here, boss?
This thing cannot work at all; brute force these days is hard, and for that computer to guess the password it would need very high capacity and it would take several days.
 
> Brute force in 2017.
> Have you tried it, or did you just copy and paste it here, boss?
> This thing cannot work at all; brute force these days is hard, and for that computer to guess the password it would need very high capacity and it would take several days.

Bro, don't be silly, hmm? Bruteforce still works, especially in this world where people still prefer easily guessed and simple password patterns. For your information, bruteforce is the last resort of a hacker/pentester when all other hacking tactics have failed. So, please could you learn and practice more on this tactic to see how you can use it effectively in day-to-day penetration activities (if you are a pentester, maybe).

Looks like you really don't have enough experience (if not the necessary knowledge) with bruteforce and exploit writing.
 
> Brute forcing to retrieve a password these days is useless; this would have been very valuable around 2001 to maybe 2006, back when people were still using the word "love" in their passwords. These days they force you to mix capital letters, numbers and special characters, no way you would brute force that

Bro, bruteforcing is still possible no matter how many measures are put in place. Yes, I do agree with you that bruteforcing is nearly useless in this era, but the point still stands that it's not the way you say, that all social network users use strong passwords combining alphanumerics and special characters; I want to assure you that not all users care about any of those silly combinations, some use barely alphabetic passwords. For example, I this year had a fake Facebook account with just a simple plain password. So, it's not that every user on those huge social networks is aware of that policy and the risks if it isn't implemented.

Then secondly, in the case of 2FA, the same applies as for 'password strength choice'. 2FA is a feature which not every user would be happy to use, especially if one knows that it always requires (MUST) one to be close to their phone at the right moment when they want to log in, when they'll send you an OTP for you to enter within your login session. Therefore, most users do not apply/prefer this method.

So it's unlucky for someone who uses a fairly weak password and yet does not use 2FA login.

Well, in addition to that, the password hashing algorithm used by a particular web app matters: the more complex and infamous it is, the harder it is to crack its hashes. For example, if a site uses an AES 128-bit encryption scheme it would take you a huge amount of time to crack its hash. Unlike MD5, SHA1 and similar hashing algorithms, for which everyone knows there are plenty of crackers and rainbow tables spread all across cyberspace.

So bro, don't underestimate the power of bruteforce attacks, as there is no system which is 100% secure. So if a hacker succeeds in penetrating the other way round and gets the passwords, be it in hash or plaintext, what follows is that he would try to crack them to see if they are prone to a successful bruteforce attack.
 
> Can you really wait 292 years to brute force a 128-bit key??
For sure, it's very tough to crack an AES 128-bit hash! It would take you nearly a million years to crack one even with the most expensive GPU-powered computers or supercomputers, especially when you encounter a password of this combination a-zA-Z0-9, pretty tough!
 
I've glanced at the code (last modified 2 years ago?)

Those of you saying you need a powerful computer to use the tool the OP brought are mistaken. The python script only sends your username and password combo to Instagram's servers and then parses the response to find out whether the login was successful. So basically the target does the computation for you. You don't need huge computing power (unlike, for example, brute forcing WPA WiFi passwords, where the computation is within your computer).
You might need computing power to generate the dictionary, but you could also just download dictionaries.

In my view, what you need here is crazy patience and bandwidth for all those requests.

In practice, as a developer it is trivially easy to prevent this type of attack. Basically implement throttling (some delay) every time an incorrect username/password combination is submitted, and have that delay keep increasing as the attempts increase. But the script can circumvent this by using a timeout and also by making multiple attempts over various sessions and IPs. So the last trivial resort is to monitor all login attempts on a user centrally, e.g. in a database, and when they reach a certain number the user gets locked out for a while.

My take: not practical for a site like Instagram. But on a less well built site this could actually work. And it is easy to just modify the code to point to a different site.

Combine it with social engineering where you know some of the characters the victim could have used to create the password and generate a dictionary based on them and you might have a very simple tool that works - on an unsecured site.
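As an added example (not code from this thread or from the InstaBrute tool), here is the defence the post above describes: a growing delay after each failed login, counted centrally per account rather than per source address, plus a temporary lock once the failures reach a threshold. The `LoginGuard` class and its field names are hypothetical, and the traffic in `simulate()` is constructed; `correct` stands in for the real credential check.

```python
"""Per-account login throttling with exponential backoff and temporary lockout.

Added example, not code from the thread or from InstaBrute. LoginGuard and its
field names are hypothetical; the traffic in simulate() is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    base_delay: float = 1.0       # delay (s) imposed after the first failure
    max_delay: float = 60.0       # cap on the growing delay
    lock_after: int = 10          # failures per account before a temporary lock
    lock_seconds: float = 900.0   # lock duration (15 minutes)
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    not_before: dict = field(default_factory=dict)    # account -> earliest allowed attempt
    locked_until: dict = field(default_factory=dict)  # account -> lock expiry
    source_ips: dict = field(default_factory=dict)    # account -> IPs seen failing

    def attempt(self, account: str, ip: str, correct: bool, now: float) -> str:
        """Handle one login attempt at time `now` (seconds, monotonic clock).

        `correct` stands in for the real credential check; it is only consulted
        once the request has passed the lock and throttle gates, so a blocked
        request returns the same outcome whether or not the guess was right.
        Returns one of: "locked", "throttled", "ok", "fail".
        """
        if now < self.locked_until.get(account, 0.0):
            return "locked"
        if now < self.not_before.get(account, 0.0):
            return "throttled"
        if correct:
            # A successful login clears the failure state for this account.
            self.failures.pop(account, None)
            self.not_before.pop(account, None)
            self.source_ips.pop(account, None)
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        self.source_ips.setdefault(account, set()).add(ip)
        # Exponential backoff keyed on the ACCOUNT: 1, 2, 4, 8 ... up to max_delay.
        # Switching source IPs or sessions does not reset this counter.
        self.not_before[account] = now + min(self.base_delay * 2 ** (n - 1), self.max_delay)
        if n >= self.lock_after:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = 0
        return "fail"

    def distributed(self, account: str, min_ips: int = 3) -> bool:
        """Detection signal for the SOC: one account failing from many source IPs."""
        return len(self.source_ips.get(account, ())) >= min_ips


def simulate(guard: LoginGuard, account: str = "alice", guesses: int = 30,
             interval: float = 0.5) -> list:
    """Constructed traffic: one wrong guess every `interval` seconds, rotating
    through five source addresses in the documentation range 198.51.100.0/24."""
    return [guard.attempt(account, f"198.51.100.{i % 5}", False, i * interval)
            for i in range(guesses)]


if __name__ == "__main__":
    g = LoginGuard()
    out = simulate(g)
    print(f"{out.count('fail')} guesses evaluated, {out.count('throttled')} throttled")
    print("distributed pattern on alice:", g.distributed("alice"))
```

With the defaults, 30 guesses spread over 15 seconds get only 4 of them evaluated; the rest are refused before the password is even checked, and because the counter lives on the account, rotating the five source addresses changes nothing except that `distributed()` now flags the account for the SOC. The lock is applied even to a correct guess, which is the trade-off the post mentions: a legitimate user is inconvenienced for `lock_seconds`, so production systems usually pair this with a notification to the account owner.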
 
> Bro, bruteforcing is still possible no matter how many measures are put in place. Yes, I do agree with you that bruteforcing is nearly useless in this era, but the point still stands that it's not the way you say, that all social network users use strong passwords combining alphanumerics and special characters; I want to assure you that not all users care about any of those silly combinations, some use barely alphabetic passwords. For example, I this year had a fake Facebook account with just a simple plain password. So, it's not that every user on those huge social networks is aware of that policy and the risks if it isn't implemented.
>
> Then secondly, in the case of 2FA, the same applies as for 'password strength choice'. 2FA is a feature which not every user would be happy to use, especially if one knows that it always requires (MUST) one to be close to their phone at the right moment when they want to log in, when they'll send you an OTP for you to enter within your login session. Therefore, most users do not apply/prefer this method.
>
> So it's unlucky for someone who uses a fairly weak password and yet does not use 2FA login.
>
> Well, in addition to that, the password hashing algorithm used by a particular web app matters: the more complex and infamous it is, the harder it is to crack its hashes. For example, if a site uses an AES 128-bit encryption scheme it would take you a huge amount of time to crack its hash. Unlike MD5, SHA1 and similar hashing algorithms, for which everyone knows there are plenty of crackers and rainbow tables spread all across cyberspace.
>
> So bro, don't underestimate the power of bruteforce attacks, as there is no system which is 100% secure. So if a hacker succeeds in penetrating the other way round and gets the passwords, be it in hash or plaintext, what follows is that he would try to crack them to see if they are prone to a successful bruteforce attack.

Dude, you have no idea what you are talking about.
You can't brute force top websites, forget it, even if a person has weak passwords. The moment you start your script they'll detect it, unless your first password is the correct guess. Thinking you can send a thousand requests to a site like Instagram is pure stupidity. They'll detect and block your IP and MAC address altogether as soon as you hit the 20th request.

The issue isn't 2FA or the encryption algorithm they use; the issue is they will know you are trying to brute force the password and they'll block you right there, and if you keep pushing, even if the account owner doesn't have 2FA they lock it and force 2FA because they've seen someone trying hard to penetrate. Try that tool of yours on your own account and see. It's completely useless. Find another way, not brute forcing passwords. Brute forcing works for other things, but for this password thing go try it on silly little startups; you won't even get past JF.
 
> Bro, don't be silly, hmm? Bruteforce still works, especially in this world where people still prefer easily guessed and simple password patterns. For your information, bruteforce is the last resort of a hacker/pentester when all other hacking tactics have failed. So, please could you learn and practice more on this tactic to see how you can use it effectively in day-to-day penetration activities (if you are a pentester, maybe).
>
> Looks like you really don't have enough experience (if not the necessary knowledge) with bruteforce and exploit writing.
First of all, these days systems are built to force you to mix characters and numbers, or uppercase and lowercase.
Man, that thing cannot work.
 
> Bro, bruteforcing is still possible no matter how many measures are put in place. Yes, I do agree with you that bruteforcing is nearly useless in this era, but the point still stands that it's not the way you say, that all social network users use strong passwords combining alphanumerics and special characters; I want to assure you that not all users care about any of those silly combinations, some use barely alphabetic passwords. For example, I this year had a fake Facebook account with just a simple plain password. So, it's not that every user on those huge social networks is aware of that policy and the risks if it isn't implemented.
>
> Then secondly, in the case of 2FA, the same applies as for 'password strength choice'. 2FA is a feature which not every user would be happy to use, especially if one knows that it always requires (MUST) one to be close to their phone at the right moment when they want to log in, when they'll send you an OTP for you to enter within your login session. Therefore, most users do not apply/prefer this method.
>
> So it's unlucky for someone who uses a fairly weak password and yet does not use 2FA login.
>
> Well, in addition to that, the password hashing algorithm used by a particular web app matters: the more complex and infamous it is, the harder it is to crack its hashes. For example, if a site uses an AES 128-bit encryption scheme it would take you a huge amount of time to crack its hash. Unlike MD5, SHA1 and similar hashing algorithms, for which everyone knows there are plenty of crackers and rainbow tables spread all across cyberspace.
>
> So bro, don't underestimate the power of bruteforce attacks, as there is no system which is 100% secure. So if a hacker succeeds in penetrating the other way round and gets the passwords, be it in hash or plaintext, what follows is that he would try to crack them to see if they are prone to a successful bruteforce attack.

You're right, bro. Developers forget that you can program a system with security measures like delays, but you can never program the user to be secure. People use one password for all their accounts, and what's more, their passwords are mostly their own names, or their children's, or a musician's, or other knowable things, making it possible to perform a smart brute forcing attack.
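The developer-side answer to the point above is a password policy that rejects exactly the "knowable" material the post lists. As an added example (not code from this thread or from InstaBrute), the check below builds tokens from the user's own profile fields and refuses any password that contains them, a common word, or the one-word-plus-digits shape; the `COMMON_WORDS` list and the profile values are constructed, and the function names are hypothetical.

```python
"""Password-policy check that rejects passwords built from knowable personal
information (own name, children's names, favourite musicians) and common words.

Added example, not code from the thread or from InstaBrute. The word list and
profile values are constructed; a real deployment would load a large blocklist.
"""
import re

COMMON_WORDS = ("password", "love", "qwerty", "letmein", "welcome")
# Undo the handful of substitutions people use to dodge naive checks: p@ssw0rd -> password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def personal_tokens(*fields: str) -> list:
    """Split profile fields (username, full name, e-mail local part, ...) into
    de-duplicated tokens of three or more characters a password must not contain."""
    seen, out = set(), []
    for f in fields:
        for t in re.split(r"[^A-Za-z0-9]+", f):
            if len(t) >= 3 and t.lower() not in seen:
                seen.add(t.lower())
                out.append(t)
    return out


def _core(password: str) -> str:
    """Lower-case, drop a trailing run of digits (years, '123'), undo leetspeak."""
    return re.sub(r"\d+$", "", password.lower()).translate(LEET)


def password_issues(password: str, user_tokens=(), min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    issues = []
    if len(password) < min_length:
        issues.append("too short")
    core = _core(password)
    for tok in user_tokens:
        if len(tok) >= 3 and tok.lower() in core:
            issues.append(f"contains personal info: {tok}")
    for word in COMMON_WORDS:
        if word in core:
            issues.append(f"contains common word: {word}")
    # One dictionary word with digits appended is the pattern the thread describes.
    if re.fullmatch(r"[a-z]+\d*", password.lower()):
        issues.append("one word plus digits")
    return issues


if __name__ == "__main__":
    # Constructed profile: username "juma.m", display name "Juma Mwanaidi".
    tokens = personal_tokens("juma.m", "Juma Mwanaidi")
    for candidate in ("Juma2017", "L0veJuma!2017", "correct horse battery staple"):
        print(f"{candidate!r}: {password_issues(candidate, tokens) or 'accepted'}")
```

The normalisation step matters more than the word list: without stripping trailing digits and undoing leetspeak, `Juma2017` and `L0veJuma!2017` would slip past a plain substring check even though both are built from the user's own name.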
 
I played around with this nonsense some years ago, the crunch tool in Kali Linux, generating a word file of up to 5GB of possible passwords, haha; honestly it's nonsense Andy, it's pointless unless you have a beast of like 80 cores @ 10GHz, and as Chief said, they lock the account if you do sneaky trial and error.
 
> Dude, you have no idea what you are talking about.
> You can't brute force top websites, forget it, even if a person has weak passwords. The moment you start your script they'll detect it, unless your first password is the correct guess. Thinking you can send a thousand requests to a site like Instagram is pure stupidity. They'll detect and block your IP and MAC address altogether as soon as you hit the 20th request.
>
> The issue isn't 2FA or the encryption algorithm they use; the issue is they will know you are trying to brute force the password and they'll block you right there, and if you keep pushing, even if the account owner doesn't have 2FA they lock it and force 2FA because they've seen someone trying hard to penetrate. Try that tool of yours on your own account and see. It's completely useless. Find another way, not brute forcing passwords. Brute forcing works for other things, but for this password thing go try it on silly little startups; you won't even get past JF.

Okay, maybe I don't know what I'm talking about (according to what you said), but you might find that you don't have enough proof and concrete evidence of how a bruteforce attack can fail, which shows less Cyber Security knowledge & skills.

The reasons are as follows:

(i) You don't know the idea of proxy IPs, and so you don't know the power of using proxy IPs with a payload which changes the system IP address after a certain duration of time.

(ii) You are not even aware of how these password-attempt policies are implemented in a web application, as you said,

"The moment you start your script they'll detect it, unless your first password is the correct guess."

What's detecting in this nasty world of Advanced Web App Hacking, hmm?

For your information, in the case of password attempts, most web application developers make password-attempt policies which rely on a certain number of failed login attempts by a user. For example, a developer may code that if a user exceeds a maximum of 3 failed login attempts, the system should lock him out.

So my dear bro, by taking the idea of proxy IPs (gather them and list them in a chain) and the payload (if you can code it) that can help in changing the IP of the system, let's say after every 3 seconds each time you make an HTTP request to the server, that could work out (think of how it may work given the explanations I listed above).

Also, if you are a good developer, you may find that locking IP addresses isn't a good idea, as you might lock out legitimate users as well, hence causing so much inconvenience, for example resetting passwords every now and then.

I've been using brute-forcing in most of my penetration testing attempts, yet it has never let me down as you claim. So make up your mind, learn something worthy and move on.

Thanks.
 
> I played around with this nonsense some years ago, the crunch tool in Kali Linux, generating a word file of up to 5GB of possible passwords, haha; honestly it's nonsense Andy, it's pointless unless you have a beast of like 80 cores @ 10GHz, and as Chief said, they lock the account if you do sneaky trial and error.

Bro, I suggest you learn Advanced Cyber Security and familiarize yourself with current hacking tactics and skills. There is so much worth learning if you wanna be a competent hacker!
 
> You're right, bro. Developers forget that you can program a system with security measures like delays, but you can never program the user to be secure. People use one password for all their accounts, and what's more, their passwords are mostly their own names, or their children's, or a musician's, or other knowable things, making it possible to perform a smart brute forcing attack.

Sure bro! I guess you might be among the underground hackers in TZ. Very few people have the idea of security in their minds in Tanzania, even those renowned developers.

Also, above all, they rely heavily on password lists/wordlists used abroad, forgetting that every country has its own kinds of passwords that its citizens like to use, depending on the language they speak. For example, using a purely English wordlist to brute-force TZ user accounts is madness.

If we Tanzanians want to advance properly in this Cyber Security game, we need to be ready to learn, never give up, and push through endless practice.
 