Instagram hacking is a widely discussed topic on the internet, and I’ve received numerous personal messages and DMs about it. Due to the high level of interest, I’ve decided to write an article about it.
To gain access to someone’s Instagram account, it’s essential to have their username, and conducting some reconnaissance can be useful. However, it’s important not to go overboard with the information gathering, as it can be easy to get lost in the process.
Numerous tools are available for reconnaissance purposes. The initial step is to search for the user on Instagram and obtain their username. I came across a useful tool called “Slash” that can also uncover other accounts associated with the user, provided they use a consistent username.
I tested Slash on my own account and was surprised by the results. Some of the listed accounts were from years ago.
Slash is a command-line interface (CLI) tool. Alternatively, you can use WhatsMyName Web, which is accessible through your web browser and is entirely free of charge.
I used WhatsMyName on my own account, with the username “shahidkapoor”.
With the information we’ve gathered about the user, we can take advantage of their vulnerabilities by using phishing links for targeted hacking.
1. Clone the repository.
git clone –depth=1 https://github.com/htr-tech/zphisher.git
2. Run the zphisher.sh file.
cd zphisher && ./zphisher.sh
When launched for the first time, Zphisher will install its dependencies, and upon completion, it will indicate that the installation is complete. To proceed, navigate to the zphisher directory and run the zphisher.sh command again. The resulting output should resemble the image below.
./zphisher
As you can observe, there are several options and website templates available for phishing purposes. However, for our current objective of hacking Instagram, we will concentrate on that. To proceed, type in “2” as the option and hit the enter key.
The following step is entirely at your discretion, so feel free to choose any of the available options. Upon selecting your preferred option, the page will redirect to a template selection. Personally, I find the third option to be the most suitable for creating tutorial articles due to its minimalistic and straightforward design, but there are several more visually appealing choices available.
To maintain simplicity, I will omit the custom port configuration. However, if you are already using port 8080, you may change it to port 8000. Otherwise, the default port should suffice. It’s crucial to mask the URL to avoid suspicion, and I suggest using something similar to the following format:
Once completed, Zphisher will generate a phishing link, which you can then send to your target. As soon as the target clicks on the link, you will begin to receive information such as their IP address, usernames, passwords, and more. Furthermore, you can also utilize IP reverse lookup to determine the target’s location and obtain additional details.
There we go, here are our phishing links.
When clicked, the link will open a page that closely resembles the official Instagram login page.
Upon entering the login credentials on this page, a plethora of information will become available to us on the hacker’s side of the terminal.
And with that, ladies and gentlemen, we have successfully phished an Instagram account. However, it’s essential to exercise caution and refrain from clicking on links that seem untrustworthy. Additionally, I would like to emphasize that using these techniques with malicious intent can result in legal repercussions. While OSINT is legal, phishing for illicit purposes is a criminal offense, so please avoid engaging in such activities.
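A defender-side check for the kind of link described above, added here as an example and not part of the original article or of any tool it mentions: it parses a URL and reports why a link presented as an Instagram login should not be trusted. The trusted-domain list, the reason labels and the sample links are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: hosts treated as genuinely Instagram's.
TRUSTED_DOMAINS = ("instagram.com",)
BRAND = "instagram"


def check_link(url: str) -> list[str]:
    """Return the reasons a link claiming to be an Instagram login is suspect."""
    reasons = []
    parts = urlsplit(url.strip())
    # hostname is the host the browser really connects to (no userinfo, no port).
    host = (parts.hostname or "").rstrip(".").lower()
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:
        # Anything before '@' is userinfo, not the site being visited.
        reasons.append("userinfo-before-host")
    if not trusted:
        reasons.append("host-not-instagram")
        rest = f"{parts.username or ''}{parts.path}{parts.query}".lower()
        if BRAND in host or BRAND in rest:
            # The brand name appears, but not as the real registrable domain.
            reasons.append("brand-outside-trusted-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode labels can render as look-alike characters in the address bar.
        reasons.append("punycode-host")
    return reasons


# Constructed sample links; example.test and example.net are placeholder hosts
# and the xn-- label is made up, not a real encoded name.
SAMPLES = [
    "https://www.instagram.com/accounts/login/",
    "https://instagram.com@login.example.test/verify",
    "http://instagram.com.example.net/accounts/login/",
    "https://xn--constructed-label.example.test/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link) or "ok")
```

The same function can run in a mail gateway or chat filter before a link is shown to a user; an empty list means none of these checks fired, not that the page is safe.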
Stay safe, stay secure, and happy ethical hacking!