Skip Navigation
BlackBerry Blog

How to Hack into an Instagram Account

CYBERSECURITY / 02.20.18 / Pete Herzog

When I’m not studying videos of raccoons online (know your enemy!), I’m fielding requests from wannabe hackers all around the world because I work for Hacker Highschool. So, wannabe hackers tend to think our curriculum is there as a checklist of scriptkiddie tools that lets them DoS your online competition of Banjo Hero or creep into private Instagram accounts.

And it is. But it isn’t.

First, I recognize that hacking an Instagram password is wrong. I get it. Even if it’s their brother’s Instagram account they want to get into. Because it’s family that makes it okay, I guess. So yes, it's illegal, but being illegal doesn't make it wrong. But it’s wrong because guessing a password isn’t hacking, and not because it’s their brother. And this is why so many nascent hacker-wannabes who want to learn hacking don’t really want to learn hacking. They want to learn computer magic, and it doesn’t really work like that.

How it works is actual work. And it’s a grind sometimes. What’s strange is that so many people today can spend actual days virtually cutting virtual trees in a virtual world to get to level three tree warrior, but won’t spend an hour trying requests through Tamper Data to understand how Instagram on the web is authenticating people differently than the app. Strange because both are really not much more than pushing a cursor around a screen.

So, teaching you hacking is partly about teaching you how to set up and execute a kind of work grind. Then there’s the mindset thing too. But you know what, you need a mindset to get out of bed and go to work too, and that trumps the hacker mindset in the mornings. So, let’s leave the hacker mindset for those who already have the will to do the work grind mindset, because you won’t have one without the other.

The last part of teaching you to hack an Instagram account is that by the time I teach you what you need to know with OS, protocols, services, daemons, applications, authentication, and encryption, and what you need to do with hiding, relaying, bouncing, testing, fuzzing, tracing, trying, retrying, and learning from your frequent failures, you’ll know too much about how little you really know and how you could get caught doing it. So, you probably won’t be doing anything illegal. They say a little knowledge is a dangerous thing, but when we’re talking about a skill like hacking that focuses on knowledge-gettin’ then you can expect to quickly have more than enough knowledge to see your own foolishness.

Unless you want me to just tell you to use the instacrack tool for Windows available on the ISECOM website to just put in an account name and view private account pictures. But that’s telling, not teaching, and it’s running a tool and not hacking. Also, don’t ask me how to cook if you want me to show you how to warm up a TV dinner.

But if that’s really what you want, then you never wanted to be a hacker, which means your life is about only having enough knowledge to be dangerous. Which is okay if you want to be an amateur assassin or a cashier in a natural foods store for the rest of your life. Not judging. We all have our dreams. But then you’re looking in the wrong place.

Next thing to understand: hacking isn't a tool, it's a methodology. You likely won't be able to hack an established service without considerable time spent learning its operations and interactions. Which isn’t necessarily hard. It’s actually pretty straight-forward.

The fact of this is that there's only two ways to steal anything: either you take it, or someone gives it to you. You need to trick Instagram to give you their credentials. Or you need to trick the person whose credentials you want to steal into giving it to you. Or you need to take it from them, or Instagram. But it's likely you won't be able to take it from Instagram. Not impossible, just not likely because they have a lot more people with a lot more experience working on securing it then you have for breaking it. Supposedly. Who knows? Maybe you’ll get lucky. People win the lottery all the time. That’s why so many people play it.

Then those two ways actually expand into four tactics that you try against both the target sender and target receiver. These four:

  • Induction – analyzing the target environment where the interactions happen (OS, app type, app development language, etc.). The environment is completely under the target’s control, so it’s important to figure out how they set up their applications to live there.

  • Inquest – capturing and reading emanations from the target (domain services, errors, heat signatures, power spikes, info leaks in packet padding, etc.). As any family will tell you, from bath tubs to babies, everything leaks. It’s the same with computers. The Internet exists because protocols play nice, communicate, and share, or else you’d never get online and go anywhere. So, ask and find out what’s sharing what. And the better you listen, the more you know.

  • Interaction – triggering responses from the target by sending all possible types of interactions in all possible ways (TCP flag mutations, ICMP type and code mutations, etc.). Systems are designed to communicate with each other but it’s a needs-based, mono-thematic language similar to that as found in snow monkeys and teenage boys. Tell them the wrong things and you’ve lost them. But lose them the right way and they might give you a surprise, like access.

  • Intervention – determining the resources the target needs and either starving them, or flooding them and forcing them to behave in a way that is outside their designed response (DNS, power, cooling, unsanitized inputs, ARP replies, etc.). Do the thing the designers didn’t anticipate to ever happen and you’ll force the system into doing something insecure.

So there. Use those four. Now you know where your targets are and the tactics to try. That leaves you with a few options in your grind. If you need more specific examples on you how you would apply these four tactics to real-world, how would you take over your brother’s Instagram account, here's five common ones to get you started:

  • Use Inquest and take it from him using shoulder surfing. Just watch him type in his password without him knowing.  

  • Use Intervention and take it from him by sniffing the WiFi he uses- but again, man-in-the-middle attacks are work to set up if it's not your WiFi. Same with setting up a website that looks like Instagram for him to log into and then captures the password instead and then forwards him onto the real Instagram site so he doesn't know you took it.

  • Use Induction by having him use your phone or computer to log into Instagram. Since you control the device you can control the environment and capture anything typed into it.

  • Use Interaction and have Instagram give it to you by exploiting their process of lost passwords. That takes a little thinking, but if he's really your brother then you may have access to his email or computer or something else where you can exploit that vector.

  • Finally, put all four tactics together and mount a multi-stage attack by putting malware on his system. You need a RAT - a remote access Trojan - to take over his computer. You'll also need to know how to get it on his system without his antivirus finding it. If it's a mobile device you have even more work ahead of you. And if the malware goes rogue and infects other systems or doesn't respond the way you want it to, then you have way bigger problems.

Now I’d like to tell you don’t do things that have worked before because system designers learn from their mistakes and the mistakes made by others. Unfortunately, they don’t. It’s not like Engineering students are forced to take a competency exam in all the mistakes previously done in engineering. Oh, if only! I would totally take that class just for fun! But they don’t, so feel free to try things that worked in the past.

So that's it. No matter what you do, it will require more than just a tool. Because if was a tool that does some magic and then you get in, then you probably can’t afford that tool. Good magic isn’t cheap. Think about it: anyone who went through all the hard work to figure out how to do that wouldn't release a tool, as that info is way too profitable.

So, there’s no Windows-based instacrack tool either. Just kidding! I’m sure you already checked though. 

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.