OSINT, or “Open Source INTelligence”, plays a critical role in the field of cybersecurity. Your company can use it to strengthen its defenses, or it can serve as a method during the information-gathering phase of a penetration testing engagement.
Gathering Information From Instagram
Social media platforms can betray a considerable amount of information on a person or organization, whether it is through a seemingly innocent picture, which could be the answer to a secret question, or a colleague wishing someone happy birthday and thereby inadvertently disclosing their date of birth.
You can also gather information on the interests of a person so you can run a phishing campaign that matches the person’s interests and has a higher chance of succeeding.
Remember that running phishing campaigns, even during a penetration testing engagement, without the consent of the company/user is illegal.
There are a number of open-source free tools out there you can use to gather information on a person’s Instagram profile.
Today we will look into OSINTgram, developed by Giuseppe Criscione.
What is OSINTgram?
OSINTgram is a powerful Instagram OSINT tool with many functions. You can use it to retrieve many types of information about a person through his/her profile.
- Get all registered addresses by target photos
- Get target’s photo captions
- Get a list of all the comments on the target’s posts
- Get a list of the users following the target on Instagram along with their emails!
- Get a list of emails of users followed by the target
- Get a list of phone numbers of the target’s followers and of the users followed by the target
- Get a list of hashtags used by the target
- Get the total likes of a target’s posts
- Get the target’s post types (photo or video)
- Get the description of a target’s photos
- Download the target’s photos, profile picture, and stories in an output folder
- Get a list of users tagged by the target
- Get a list of users who commented and tagged your target
How to Install and Configure OSINTgram
Download from git and install the requirements:
git clone https://github.com/Datalux/Osintgram.git
cd Osintgram
pip3 install -r requirements.txt
Configure your Credentials
You will need to enter your Instagram credentials to allow the tool to gather the necessary information. Go to the config folder and edit the “credentials.ini” file. Enter the username and password and save the file.
You should now be able to start using this awesome tool!
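Because “credentials.ini” keeps the Instagram password in plaintext inside the cloned directory, it is worth checking who can read that file. The script below is an added example, not part of OSINTgram or of the original article; the `[Credentials]` section and the `username`/`password` key names in the constructed sample are assumptions, and the audit itself scans every section so it does not depend on them.

```python
import configparser
import os
import stat
import tempfile


def audit_credentials(path):
    """Return a list of findings for a plaintext credentials.ini file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other permission bit means other local users may read the password.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: accessible by group/other, expected 0600")
    # interpolation=None so a '%' inside a password does not raise on get().
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    for section in parser.sections():
        if parser.get(section, "password", fallback="").strip():
            user = parser.get(section, "username", fallback="?")
            findings.append(f"[{section}] plaintext password stored for '{user}'")
    return findings


def harden(path):
    """Restrict the file to its owner (rw-------)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    """Build a constructed sample file, audit it, harden it, audit again."""
    path = os.path.join(tempfile.mkdtemp(), "credentials.ini")
    with open(path, "w") as fh:
        # Constructed sample; section and key names are assumed.
        fh.write("[Credentials]\nusername = research_account\n"
                 "password = example%only\n")
    os.chmod(path, 0o644)  # typical result of editing under umask 022
    before = audit_credentials(path)
    harden(path)
    return before, audit_credentials(path)


if __name__ == "__main__":
    before, after = demo()
    for line in before:
        print("before:", line)
    for line in after:
        print("after: ", line)
```

After hardening, the permission finding disappears, but the plaintext-password finding remains as a reminder that anyone who can read your user's files, or a backup of this directory, can still recover the password.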
How to Use OSINTgram
To run the tool, go to the directory where you downloaded it and run:
python3 main.py USERNAME
Replace USERNAME with the actual username of your target.
I will choose Cristiano Ronaldo’s account as an example.
NOTE: If you run these commands against a target with a huge amount of comments and posts, you may experience issues with Instagram’s API. It will detect that something suspicious is going on with your account and may log you out, or require you to change your password. For most user accounts that don’t have millions of comments, followers and posts you shouldn’t have any issues.
Type “list” to see all available commands:
Let’s be a little creepy and deep dive into more searches with some examples.
This is public information anyway, so we are not breaking any laws here.
Output Result to a file
Since you will be collecting a lot of information, it is wise to output it to a file so you can search through it later on.
This will output all results to a ‘<target_username>_<command>.txt’ file in the “output” folder.
Target’s Comment Data and Comments
You can gather all comment data and actual comments from the posts of the target. This will take a moment…
If you have chosen a target that will probably have a lot of comments on his account, such as a very famous person, you may be throttled by Instagram’s API.
So Cristiano has 75,146,633 comments in 3201 posts!
Download All Photos from the Target Account
All photos will be downloaded in the “output” folder. Easy-peasy.
Troubleshooting Login Issues
If you find yourself unable to log in again and you are getting a “You’ve been logged out” error, you should clear the previous cookies with the -C switch:
python3 main.py USERNAME -C
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is certified in CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities goes beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.