Sunday, May 23, 2010

Done Hacking Twitter - Source Released to all Twitter Hacks

If you've been reading this blog for a bit then I'm sure you know I was able to successfully write bruteforcers and a dictionary attack for Twitter allowing anyone to be able to retrieve the password of any Twitter account. While they were not perfect (you'd have to read the output LOG file to see when it hit the correct password, the programs couldn't stop themselves) they worked and were to my knowledge used to successfully retrieve the passwords of more than a few Twitter accounts.

However, Twitter eventually took action (I actually find this to be a good thing and am disappointed it took so long) by blocking an IP that unsuccessfully logs into an account 10 times in succession from attempting to log into said account for 60 minutes. I was able to come up with a workaround to this. My workaround was to, after 10 logins, connect to a proxy, try to log in 10 more times, connect to another proxy, try to log in 10 more times, and so on and so forth. This actually works.
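From the defender's side, the lockout described above counts failures per (IP, account) pair, so it never sees failures against one account that arrive from many addresses. The sketch below is an added example, not part of the original post or of Twitter's code: it replays constructed login failures through that per-IP rule and through an account-level counter. The account threshold, window, distinct-IP minimum and sample events are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 10          # from the post: 10 failed logins in succession
LOCKOUT_SECONDS = 60 * 60  # from the post: IP blocked for 60 minutes
ACCOUNT_WINDOW = 60 * 60   # assumption: look-back window for the account view
ACCOUNT_THRESHOLD = 30     # assumption: failures per account before alerting
MIN_DISTINCT_IPS = 3       # assumption: sources needed to call it distributed

class LoginGuard:
    def __init__(self):
        self.streak = defaultdict(int)    # (ip, account) -> consecutive failures
        self.locked_until = {}            # (ip, account) -> unlock timestamp
        self.recent = defaultdict(deque)  # account -> (ts, ip) of recent failures

    def ip_blocked(self, ts, ip, account):
        return self.locked_until.get((ip, account), 0) > ts

    def record_success(self, ip, account):
        self.streak[(ip, account)] = 0    # "in succession": success resets

    def record_failure(self, ts, ip, account):
        """Apply the per-IP rule; return True if the account view alerts."""
        key = (ip, account)
        self.streak[key] += 1
        if self.streak[key] >= MAX_FAILURES:
            self.locked_until[key] = ts + LOCKOUT_SECONDS
            self.streak[key] = 0
        q = self.recent[account]
        q.append((ts, ip))
        while q and q[0][0] <= ts - ACCOUNT_WINDOW:
            q.popleft()                   # drop failures outside the window
        sources = {src for _, src in q}
        return len(q) >= ACCOUNT_THRESHOLD and len(sources) >= MIN_DISTINCT_IPS

def replay(events):
    """Return (attempts the per-IP rule blocked, lockouts set, first alert ts)."""
    guard, blocked, first_alert = LoginGuard(), 0, None
    for ts, ip, account in events:
        if guard.ip_blocked(ts, ip, account):
            blocked += 1
            continue
        if guard.record_failure(ts, ip, account) and first_alert is None:
            first_alert = ts
    return blocked, len(guard.locked_until), first_alert

# Constructed sample data (documentation address ranges, one failure per second).
ROTATING = [(t, f"203.0.113.{1 + t // 10}", "alice") for t in range(40)]
SINGLE_IP = [(t, "198.51.100.7", "bob") for t in range(15)]

if __name__ == "__main__":
    print(replay(ROTATING))   # per-IP rule blocks nothing; account view alerts
    print(replay(SINGLE_IP))  # per-IP rule blocks the tail; no account alert
```

On the rotating sample the per-IP rule sets four lockouts yet blocks no attempt, while the account counter fires at the thirtieth failure.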

To get my Twitter password grabbers working again I would have to create a list of roughly 2,000 different proxies to log into. This is extremely tedious to say the least and I was not able to find any pre-compiled list. So rather than waste my time continuing to work on my Twitter attackers (I think we all know I have better things to do ;-) ) I'm making them open source.

They are written in C++ and set up to compile under Dev-C++ under cygwin in my environment. However, they should be able to compile under any OS and under any IDE with a little bit of rearranging. The libraries I used (libcurl and twitcurl) all claim to be completely platform independent. I also neglected to use any platform-dependent code of my own beyond what I hope would be completely cross-platform calls to the C++ Standard Library.

Here are the Download Links:

Sequential Ascending Bruteforcer
Sequential Descending Bruteforcer
Randomized Bruteforcer
Dictionary Attack

If you have any questions regarding the content of this post, feel free to leave a comment, join me in #arikadosblog on EFNET, post in our forums, tweet to me, or send me an e-mail at
