Burp Suite User Forum

Need help with password cracking

Tad | Last updated: Aug 24, 2016 05:05AM UTC

So my friend gave me permission to try and hack his Instagram. So first I intercept while trying to log in to his account and I get

POST /accounts/login/ajax/ HTTP/1.1
Host: www.instagram.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-CSRFToken: up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb
X-Instagram-AJAX: 1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://www.instagram.com/accounts/login/
Content-Length: 34
Cookie: csrftoken=up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb; mid=V7vI7AAEAAEWW-CS9KkNjbm3HR0v; ig_pr=1; ig_vw=1366
Connection: keep-alive

username=faulted_boy&password=pass

Then I do Ctrl-I to put it into Intruder and I set it up to do a sniper attack, then I load rockyou.txt as a payload, then I start it and I get this for every password tried.

request:

POST /accounts/login/ajax/ HTTP/1.1
Host: www.instagram.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-CSRFToken: up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb
X-Instagram-AJAX: 1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://www.instagram.com/accounts/login/
Content-Length: 39
Cookie: csrftoken=up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb; mid=V7vI7AAEAAEWW-CS9KkNjbm3HR0v; ig_pr=1; ig_vw=1366
Connection: close

username=faulted_boy&password=123456789

Then the server's response.

response:

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400
Content-Language: en
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Vary: Cookie, Accept-Language
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Date: Wed, 24 Aug 2016 05:03:38 GMT
Content-Type: application/json
Set-Cookie: csrftoken=up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb; expires=Wed, 23-Aug-2017 05:03:38 GMT; Max-Age=31449600; Path=/; secure
Connection: close
Content-Length: 88

{"status": "ok", "errors": {"error": ["Sorry, there was a problem with your request."]}}

Sorry for the long post, but I have been trying for days to fix this myself and haven't got a clue what else to try.

Liam, PortSwigger Agent | Last updated: Aug 24, 2016 08:37AM UTC

Hi Tad,

Thanks for your message. Although you have permission from your friend to try and "hack his Instagram" account, it's likely you would also need permission from Instagram to test / use automated tools on their applications. Do they have a bug bounty program?

With regard to your brute force attack, you should investigate why you are receiving this error message in the response:

"errors": {"error": ["Sorry, there was a problem with your request."]}}
