Instagram OSINT & Hacking — Phishing at its best.
Instagram hacking is one of the most notoriously question asked on the internet. I have received so many personal messages and DMs regarding this, that I can’t even remember. It’s only obvious that I am writing an article about this.
Anyways, let’s begin!
Before getting access to Instagram, you must know the username of the person, you’re trying to hack. So, a little reconnaissance will be very helpful. Don’t over do it though. You may get lost in the matrix.
There are various tools for recon purpose, first and foremost search the user on Instagram, and find out the username. I found this great tool called “Slash”, which can be used to found other accounts of the user as well; if he is consistent with his username.
Installing Slash.
git clone https://github.com/theahmadov/slash
cd slash
pip install -r requirements.txt
python slash.py helpI tried to use slash on myself, and look at these results. Some of the accounts listed here, are from years ago.
Slash is a CLI based tool, you can also user tools such as WhatsMyName Web, which is available on your browser and is completely free.
Here, I used WhatsMyName on myself. My username being “earthtoyash”.
Now, that we know more about our user, we can do some specific hacking by exploiting their weakness aka, by sending phishing links.
Let’s create our payload using Zphisher.
Installing Zphisher from GitHub.
- Clone the Repository.
git clone --depth=1 https://github.com/htr-tech/zphisher.git2. Run the zphisher.sh file.
cd zphisher && ./zphisher.shOn first launch, it’ll install the dependencies and that’s it, it’ll say that Zphisher is installed. After the installation, you’ll have to run zphisher.sh again in the zphisher directory from the command below, and then you’ll get something like in the image below.
./zphisher
You can see here, that there are a lot of options and website templates so that we can do phishing, but we are mainly going to focus on Instagram here. So, type option “2” in there and press enter.
Now, the next part is completely up to you, choose any of them. After, this it will redirect you here, I prefer the third option, since it’s minimalist and simple for making tutorial-article, but you can get fancy here too.
Again, in order to keep it simple, I will skip custom port, but if you are already using port 8080, then you can change it to port 8000, otherwise it’s fine. Now, masking URL is important, it is used to prevent suspicion, preferably use something like this.
Now, it will give you the phishing link, which you can send to your target, and as soon as the target will click on the link, you’ll start getting information like IPs, usernames, passwords and such. You can also use IP reverse lookup to identify the location of your target and much more.
There we go, here are our phishing links.
When, clicked upon, it opens a page similar to the official Instagram login page.
When credentials are entered here, we get a whole lot of information on our-side (hackers’-side) of the terminal.
There we go gentlemen and ladies, we have successfully phished an Instagram account, the important part here is don’t click on links you don’t trust. And, this goes without saying that, please don’t use this with intent to harm anyone. You can go to jail for phishing someone. OSINT is legal but, phishing for illicit purposes is a criminal offense, so don’t do that.
Be safe, be secure and happy hacking :)
