Hacking Into My Own Twitter Account Cause Why Not?

wanodya e · Published in InfoSec Write-ups · Sep 6, 2022 · 8 min read

The dummy account @maryceleste123

At the time I wrote this article, a database of around 5.4 million Twitter accounts had been posted for sale on a hacker forum; this happened on July 21st 2022. The threat actor, who called himself ‘devil’, said on the stolen-data market that the database contains information about various accounts, including celebrities, companies and random users. The database is now up for sale at around $30,000.

I don’t do social media that much. I don’t even have a Twitter account. I feel like I’m more engaged in my everyday life when I decide to be mindful about it. I stay away from social media as much as I can, stick with books, marinate under the sun, do sport, meditate, and at the end of the day if things go wrong, I just accept it the way it is (yup, I’m pretty much into stoicism).

Now that I’m having second thoughts, I think I’ll create a Twitter account. I’m not going to use it for tweets, of course. Given the topic of accounts for sale, I’ll use my account to test Twitter’s vulnerability. It sounds weird, doesn’t it: you create an account only to hack it. Yeah, but Hunter Thompson once said, “When the going gets weird, the weird turn pro!”.

Prerequisites

This tutorial focuses on testing Twitter for vulnerability to brute-force attacks. Below are the requirements needed to complete the tutorial.

1. Burp Suite

Burp Suite is the most popular tool among professional web app security researchers and bug bounty hunters. It offers several tools: spider, intruder, proxy, decoder, sequencer, repeater, etc. Burp Suite will help you brute force even if you are unfamiliar with Linux distros and the CLI (Command Line Interface). It’s all set up in a GUI (Graphical User Interface), so it’s beginner friendly.

2. Twitter Account

Get your target!!!! No, I mean you don’t pick a real Twitter account as your target; of course, that’s illegal. Being a white-hat hacker means we have to do our job ethically. For this tutorial, simply use a dummy account or your own account. Attacking someone who doesn’t have the same capability as you is like an archer battling a swordsman: they’ll never be equal. “Manners maketh man”, as every gentleman in Kingsman says; just be one, my friends.

3. Basic Knowledge on Brute forcing

Alright, if you’re new to this, I’ll have a quick word with you. Basically, a brute force attack involves guessing usernames and passwords to gain unauthorized access to a system. Brute force is definitely one of the simplest attacks, and it has a high success rate. Brute force attacks come in many forms and types: simple brute force, hybrid, dictionary attacks, rainbow table attacks, reverse brute force and credential stuffing.

To begin with, the attack we’re going to use today is the Hybrid Brute Force Attack. Why is it called hybrid? Because this attack combines a dictionary attack with a simple brute force attack. It begins with the attacker knowing a username, then using a dictionary and simple brute force methods to discover the account’s login combination. Okay, let’s get started. Happy brute forcing, and may the force be with you *insert any Star Wars related emoji*.

This is my dummy account, @maryceleste123. For this account, I’ve changed the password from nine characters (a combination of numbers and letters) to eight characters. I just want to make it clear that when we succeed in getting the password, it should be an eight-character combination.

Alright, as I said before, for a Hybrid Brute Force Attack we need a username. On Twitter it’s all displayed in the profile; you can see your target’s username because Twitter makes it public. No need for an email or phone number; you can do the hacking while sipping your morning coffee.

In this part I’ll show you how to configure the proxy in our chosen browser and how to intercept requests with Burp Suite. Actually, Burp Suite has its own browser: go to Proxy, then Intercept, turn it on, and you’ll see the Open browser option in the red square.

If you click that button, you’ll see the blue Chrome-like browser. I used this browser because it’s effective. In that browser you just type the web address you need to intercept. Intercept stalls the requests made by the browser until we either forward or drop them. Below I open the Twitter login page.

The idea is this: first I enter the target’s username, which is mine, @maryceleste123. Then I enter a wrong password, click the Log in button, and once the request has been made, I send it to Intruder.

Before sending it to Intruder, look at this picture. Still in the Proxy tab, click HTTP history to see all the requests logged by Burp. You’ll see both GET and POST requests. The GET request is a request recently made by the browser. Instead of focusing on that, keep an eye on the POST request. Click it and you’ll see it says we entered the wrong password, which of course we did.

We’ll use Burp Suite to modify the request, the POST request. Why? HTTP (Hypertext Transfer Protocol) request methods are designed to enable communication between clients and servers. In our case we have the two most common HTTP methods, GET and POST. Comparing the two, GET is less secure than POST because the data sent is part of the URL, and the URL length itself is limited (max 2048 characters). A POST request carries its data in the request body, with no such restriction on data length or type. POST is a little safer than GET because the parameters are not stored in browser history or in web server logs (note that either way the data travels in plaintext unless the connection uses HTTPS). The lesson: never ever use GET to send passwords or other sensitive information. Now that we’re on the same page, right-click the request and send it to Intruder.

The Intruder tab helps us automate customized attacks against the web app, meaning we can specify various payloads and positions. For each payload, Intruder sends a request to the server with the payload substituted into the request, and logs all HTTP responses. This is very useful when we need to brute force specific headers or parameters. To set it up, first click the button in the red square.

Now select the position and click Add in the right panel. Once this is done, the position will be shown highlighted. For me, it’s the wrong password part.

After the positions are specified, we need to select the payload to use.

This is the most famous and useful wordlist collection I’ve known so far: SecLists. Actually, you can make your own, but I’m too lazy for that, mate, so GitHub is definitely my bestie. SecLists includes various types of wordlists, ranging from directories to usernames and passwords and so on. I mostly use SecLists/Passwords/Common-Credentials (https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials).

This is best1050.txt. I open it, copy it and go back to Burp Suite.

Now paste it into the payload list.

Then, still in Intruder, click the Options tab. The Grep - Extract option will extract useful information into the attack results table. All you need to do is click the Add button and highlight the part I’ve marked in the red square.

Now all is set. You can start the attack: click the button in the top right corner. This opens a popup window showing all the requests that were sent along with their responses.

Fact: it takes patience to brute force. You know what, I spent almost an hour on these payloads alone. Maybe it’s because I had to pause it in the middle of my activities at uni, but still, it takes a lot of time. This is the part where I found the right password; you can see it from the status. The HTTP status code “200” means the request was successfully handled by the server. If you look at the payloads, the right password of @maryceleste123 was sister12, but not anymore *LOL*, because I’ve changed it since the day I published this article hahaha. Go ahead and try to brute force it, that’s fine by me; I’m not that into social media anymore, I guess. Privacy over everything, mate.
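The flip side of the attack above is what it looks like on the server: one username, one client IP, a long run of failed logins in a short time, then a 200. As an added example (not part of the original article, and not how Twitter actually logs anything), here is a small detector over constructed login-log lines in an assumed `timestamp ip username status` format; it alerts on a (ip, user) pair whose failures in a sliding window reach a threshold and flags whether a success followed the run.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed login-log format for this example (constructed; not Twitter's real logs):
# "<ISO-8601 timestamp> <client ip> <username> <HTTP status>"
def build_sample_log():
    """Constructed sample: 30 failed logins for one user from one IP in one
    minute, then a 200, plus ordinary traffic from another user."""
    base = datetime(2022, 9, 6, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} "
             f"203.0.113.5 maryceleste123 403" for i in range(30)]
    lines.append(f"{(base + timedelta(seconds=61)).isoformat()} 203.0.113.5 maryceleste123 200")
    lines.append(f"{(base + timedelta(seconds=70)).isoformat()} 198.51.100.7 bob 200")
    lines.append(f"{(base + timedelta(seconds=80)).isoformat()} 198.51.100.7 bob 403")
    return "\n".join(lines)

def parse_line(line):
    ts, ip, user, status = line.split()
    return datetime.fromisoformat(ts), ip, user, int(status)

def detect_bruteforce(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per (ip, user) pair whose failed logins inside a sliding
    `window` reach `threshold`, noting whether a 200 followed the failure run."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, status = parse_line(line)
            events[(ip, user)].append((ts, status))
    alerts = []
    for (ip, user), evs in events.items():
        evs.sort()
        failures, alert = [], None   # failure timestamps still inside the window
        for ts, status in evs:
            failures = [t for t in failures if ts - t <= window]
            if status != 200:
                failures.append(ts)
                if len(failures) >= threshold:
                    if alert is None:
                        alert = {"ip": ip, "user": user, "success_after": False}
                    alert["failures"] = len(failures)
            elif alert is not None and failures:
                # a 200 right after a run of failures: the password was probably guessed
                alert["success_after"] = True
        if alert is not None:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(build_sample_log()):
        print(f"ALERT {a['user']} from {a['ip']}: {a['failures']} failures, "
              f"success after run: {a['success_after']}")
```

Keying on (ip, user) catches the single-source Intruder run shown here; a distributed run would need the same count keyed on the username alone.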

Conclusion

Make sure you have a strong password combination that nobody, no machine and no wordlist could guess. Trust me, even if they brute force you, a strong, unique, unbreakable password makes a huge difference. Till next time mate, stay authentic, and cheerio 🤙
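A service can enforce the advice above at sign-up or password change by screening candidates against the very wordlists an attacker would load into Intruder. As an added example (not from the original article), this screens a password against a constructed mini blocklist standing in for best1050.txt, and, because the attack described is a hybrid one, also strips appended digits/symbols and common leet substitutions so that `Sister2022!!` is recognised as the wordlist word `sister`.

```python
import re

# Constructed mini blocklist standing in for SecLists best1050.txt; in practice
# load the real file with load_blocklist() (assumption: one candidate per line).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "sister", "sister12"}

def load_blocklist(path):
    """Load a wordlist such as best1050.txt into a lower-cased set."""
    with open(path, encoding="utf-8", errors="ignore") as f:
        return {line.strip().lower() for line in f if line.strip()}

def normalize(password):
    """Undo the mangling a hybrid attack applies: case, trailing digits or
    symbols appended to a dictionary word, and common leet substitutions."""
    base = password.lower()
    base = re.sub(r"[\d!@#$%^&*._-]+$", "", base)
    return base.translate(str.maketrans("@$013", "asole"))

def check_password(password, blocklist=BLOCKLIST, min_len=12):
    """Return (accepted, reason). Rejects short passwords, exact wordlist hits,
    and wordlist words disguised by hybrid-attack style mangling."""
    if len(password) < min_len:
        return False, "too short"
    if password.lower() in blocklist:
        return False, "in wordlist"
    if normalize(password) in blocklist:
        return False, "wordlist word with digits/symbols appended"
    return True, "ok"
```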

References

[1] SecLists Passwords. Retrieved September 6, 2022, from https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials

[2] How to send a post request? Burp Suite User Forum. Retrieved September 6, 2022, from https://forum.portswigger.net/thread/how-to-send-a-post-request-603512b10
