Tuesday, January 26, 2010

Twitter Bruteforcers Released

Well, turns out there's a reason I've been doing so much blogging about how bruteforcers work and whatnot! I've written three for the popular (and my favorite) social networking website Twitter!

For those just tuning in, a bruteforcer is a program which cracks passwords by trying every possible password combination until it tries the correct one. Thus, these Twitter bruteforcing programs can figure out the password to any Twitter account eventually.

The first bruteforcer is the sequential ascending bruteforcer which tries every possible password from the bottom up. The second brutefrocer is the sequential descending bruteforcer which tries every possible password from the top down. The third bruteforcer is the randomized bruteforcer which tries every possible password combination in a random order.

Unfortunately, these bruteforcers do not work as well as I would like them to. There is a major bug present in each of them. All of these bruteforcers are based upon the twitcurl library which the bug lies therein. Basically, once the bruteforcer finds the correct password it doesnt stop bruteforcing because the twitcurl library does not correctly distinguish between failed and successful password login attempts. To combat this bug, I have the bruteforcer tweet if the login is after it logs in. If the tweet is made under the account being bruteforced, then you know that the bruteforcer has hit the correct password. I have each bruteforcer log all of the passwrods tried and the output returned from Twitter. So after you see your tweet made under the account being bruteforced, you should stop the bruteforcers and check the log to find out which was the successful password. Yes, it's extremely annoying, but at least it is possible to get the successful password without too much pain.

These were written in C++ using the twitcurl library. The source should be entirely cross-compatible so it should be able to be compiled on MAC, Linux, or Windows. I am only releasing Windows binaries in this post. The source to each of these bruteforcers will be released (this post will be updated with the links) in no more then 72 hours. I have no intention of making Linux or MAC binaries on my own but if anyone does let me know and I will add the links to them to this post.

Regarding the legality of these programs: These bruteforcers are NOT illegal. But they can be used illegally. Do NOT use them illegally. I do NOT support or condone using them to obtain passwords you do not have permission to get (which is again illegal).


Sequential Ascending Bruteforcer: Mediafire
Sequential Descending Bruteforcer: Mediafire
Randomized Bruteforcer: Mediafire

If you have any questions regarding the content of this post, feel free to leave a comment, join me in #arikadosblog on EFNET, post in our forums, tweet to me, or send me an e-mail at castlevania7689@yahoo.com


  1. ooh, lets see how long it takes it to crack my account

  2. Pretty much any use of this will violate twitter ToS. Even if you just try this on your own account, spamming login attempts will probably get your IP banned.

    Also: support dictionary attacks plx.

  3. Actually, that's a problem in Twitter's security system. I was able to run these for over 2 weeks without any problems. This flaw has been pointed out before. Hopefully, if anything, this release will get Twitter to fix their security system (notice I'm holding off on releasing the sources for a bit).

    Dictionary Attacks. I'm actually working on writing one up. I'm just haveing a little troublew parsing the word list. But yeah, it's coming (assuming twitter doesnt patch their security system by the time Im done).

  4. so how do you know if it worked?