How to get the WhatsApp password from an Android or iPhone


WhatsApp is a very popular SMS-like messenger for smartphones, but it’s unfortunately only available for smartphones right now. If you want to use other tools or write web applications that send or receive WhatsApp messages (e.g. WhatsAPI), you have to find a way to sniff the WhatsApp password from your smartphone. Until recently, this password was just an MD5 hash of your IMEI (or MAC address), but that changed once it was uncovered. Since then, the WhatsApp server assigns a password to each device/account when it first registers.
This tutorial demonstrates how to capture the WhatsApp password of your WhatsApp account using the SSL/TLS proxy mitmproxy. Once you have this password, you can use it to communicate with the WhatsApp servers directly or via a framework. This is the first part of a two-part tutorial. The second part demonstrates how to send and receive WhatsApp messages via PHP.


Updates

August 2013: I just tried to activate another number from a Samsung Galaxy S3 device with Android 4.1.2 installed. For some reason, WhatsApp traffic is not showing up on either mitmproxy or SSLsplit. Although I suspected that the new WhatsApp client is checking the certificate fingerprints (thus making forgery impossible, see github conversation), it might also be an Android issue. I’ll keep you posted.
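The behaviour described in this update is exactly what certificate pinning produces: the proxy CA installed on the phone satisfies the platform's chain validation, but the leaf certificate mitmproxy mints on the fly does not match the fingerprint embedded in the app, so the client refuses the connection before any request is sent. The following Python is an added illustration of that check, not WhatsApp's or mitmproxy's code; the pin value, hostnames and the byte strings standing in for DER certificates are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed pin set: hex SHA-256 fingerprints of the server's DER-encoded
# leaf certificate, as an app would embed them at build time. The value below
# is a placeholder, not any real certificate's fingerprint.
PINNED_FINGERPRINTS = {
    "0000000000000000000000000000000000000000000000000000000000000000",  # placeholder
}


class PinMismatch(ssl.SSLError):
    """Raised when the TLS handshake succeeds but the leaf is not a pinned one."""


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the raw DER bytes of one certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned) -> bool:
    """True when the presented certificate matches one of the embedded pins."""
    return cert_fingerprint(der_cert) in pinned


def pinned_connect(host: str, port: int, pinned, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection, let the platform validate the chain as usual, then
    additionally require the presented leaf to match a pin. A proxy CA installed
    on the device passes the first check but not the second, because the proxy
    generates its own leaf certificate for every intercepted host."""
    ctx = ssl.create_default_context()   # normal chain + hostname validation
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake happens here
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not check_pin(der, pinned):
            raise PinMismatch(f"certificate presented by {host} is not pinned")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Offline demonstration with constructed stand-ins for DER certificates.
    genuine = b"constructed DER bytes of the real server certificate"
    forged = b"constructed DER bytes of a proxy-minted certificate"
    pins = {cert_fingerprint(genuine)}
    print("genuine leaf accepted:", check_pin(genuine, pins))  # True
    print("proxy leaf accepted:  ", check_pin(forged, pins))   # False
```

Pinning the whole leaf certificate, as above, is the simplest form and is what makes the interception fail, but it also breaks the app whenever the operator rotates its certificate; deployed apps usually pin the hash of the public key (SPKI) or an intermediate CA and ship a backup pin for that reason.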

1. Introduction

1.1. Please note: Linux-only tutorial!

Please note that this is a tutorial for Linux users. It uses the TLS/SSL proxy mitmproxy to capture the secure connection between your phone and the WhatsApp servers. If you are a Windows user, please check out MissVenom, a tool made just to sniff on WhatsApp passwords. All the stuff that’s done with mitmproxy in this tutorial is basically what MissVenom does for Windows users.

1.2. How it works

This tutorial uses a man-in-the-middle attack to intercept the communication between your phone and the WhatsApp servers. To do so, you have to redirect all the traffic from your phone to your Linux machine running mitmproxy (by changing your phone’s default gateway). Mitmproxy, a man-in-the-middle proxy application, will then display all of your phone’s HTTP(S) requests and responses. While mitmproxy is running, you then need to wipe all of your WhatsApp user data from your phone and set it up as if you were a new user, so that you can sniff the conversation between your phone and the WhatsApp servers while the WhatsApp account password is exchanged.
Don’t worry. It sounds more complicated than it is and your WhatsApp will just look the same afterwards. Here’s a step-by-step:
  1. Set up and run mitmproxy and prep your phone (as described in this tutorial)
  2. Stop WhatsApp and wipe the WhatsApp user data
  3. Open WhatsApp and re-setup your account
  4. Sniff the password by monitoring the HTTP(S) traffic

1.3. More about mitmproxy

The tutorial does not include a lot of information about how to set up mitmproxy and what it actually does. If you want to read more, please check out my previous blog post about how to use mitmproxy in general, or of course go to the mitmproxy website and read the manual.

2. Let’s do it!

The following steps correspond to the short step-by-step above. Since I do not have an iPhone, the WhatsApp screens are from the Android version, but it should work equally on an iPhone.

2.1. Set up and run mitmproxy and prep your phone

First you need to set up mitmproxy as described in chapter 2 of the mitmproxy howto. In a nutshell, that post shows you how to enable IP forwarding, set up iptables to redirect all traffic to ports 80 and 443 to port 8080, and how to install and run mitmproxy.
Please note: Explanations on this step are kept to a minimum. Check out the post about mitmproxy to read more.
On your phone, you need to install the mitmproxy CA certificate:
And then change your standard gateway:
If you’ve done everything correctly, you should be able to see all the traffic that your phone sends, like this:

2.2. Close WhatsApp and clear user data

WhatsApp only negotiates a new password with the server when it first communicates with it. If you already have WhatsApp up and running on your iPhone or Android device, you need to wipe the user data, so that WhatsApp can negotiate a new password — which you can then sniff using mitmproxy.
Clearing the existing user data is really simple. Go to Settings, Application manager and scroll down to WhatsApp. In the WhatsApp screen, tap “Force stop” and then “Clear data”.
And don’t worry, WhatsApp makes a backup copy on its servers and restores all of your messages and conversations once you have set up your account again. Update August 2013: Please note that according to Adtc’s comment, WhatsApp does not back up the messages on its servers, but on the local device at 4am each night. I have not yet double-checked this, but I wanted to make you aware that you might lose some older messages.

2.3. Sniff WhatsApp password and restore user data

After wiping all your WhatsApp user data, it’s like you just bought a new phone or reset your smartphone’s operating system. The next time you open WhatsApp, it has to reconnect to your WhatsApp account and exchange a new login password. Given that you now have a sniffer in place and can capture all of your phone’s communication, you can simply read the password off the air.
Make sure mitmproxy is running. Then simply open up WhatsApp and follow the screens:

2.4. Examine mitmproxy results

If everything went according to plan, you should now see a couple of requests to the domain v.whatsapp.net — particularly something like this:
  • https://v.whatsapp.net:443/v2/exist?cc=49&in=<<your login>>&…
  • https://v.whatsapp.net:443/v2/code?cc=49&in=<<your login>>&…
  • https://v.whatsapp.net:443/v2/register?cc=49&in=<<your login>>&…
Mitmproxy should show a screen that looks very similar to this:
You can find your WhatsApp account password in the last of those three requests (https://v.whatsapp.net:443/v2/register?…). Use the arrow keys to navigate to this entry and hit the RETURN key. Then hit TAB to switch to the ‘Response’ overview. And there it is — a JSON reply of the WhatsApp server as a response to the register-request. Your WhatsApp username is indicated by the “login” key, your password by the “pw” key.
Copy the password and save the conversation with the WhatsApp server by using mitmproxy’s save function: Go back to the main screen by hitting q, then hit s and enter a file name (e.g. /home/user/WhatsApp-password.mitmproxy). You can later load this conversation with L.

2.5. Use the password in scripts

So what’s the password good for? You can use this password in scripts or web applications to send and receive WhatsApp messages. I use the PHP framework WhatsAPI to receive notifications from my server and HTPC. As of now, I only use it to receive alerts and warnings from my monitoring service (Nagios) and to get notifications from my podcast download scripts.
If you’re interested to see how this works, please check out my blog post about how to send and receive WhatsApp messages using PHP.

3. What this cannot do

One additional comment on what this method does not achieve: Unfortunately, the method described above does not allow reading or altering WhatsApp messages sent from your phone or received by your phone. The WhatsApp application only performs administrative tasks over HTTPS (such as status changes or the login). It does not, however, send or receive messages over HTTPS.
Instead, WhatsApp uses a derivative of the Jabber/XMPP protocol to communicate. It communicates on port 5222 over a secure TLS/SSL connection. In theory, and probably also in practice, these connections can also be intercepted as described above. However, I have at the moment not found any transparent TLS/SSL proxy tool for non-HTTP(S) connections/traffic. As soon as I find one, I’ll write another blog post about it. Please let me know if you have any suggestions.
Update (July 2013): WhatsApp does not use TLS/SSL on port 5222 as I wrongfully stated above. Instead, it uses its own proprietary protocol to exchange and encrypt messages. That makes sniffing into the connection a little more cumbersome, because simply listening to the socket is not enough. While the individual WhatsApp messages (“nodes”) can be extracted using tcpdump (try: tcpdump -X -vv -i eth0 'port 5222'), the results are quite disappointing at first:

The actual message starts right after the TCP header, so in this example after 52 bytes (8000 5e54 18d1 a86c 8e70 …). Each message can contain multiple nodes, each of which has a tag name and can have attributes and content (data) — much like in XML. However, because XML is chatty, WhatsApp encodes tag names and attributes with a dictionary, so that certain numbers correspond to certain tags. The snippet above is an encrypted and encoded representation of the following XML tags:
Nodes can be either encrypted or unencrypted: In an initial “handshake” with the WhatsApp server, the client is authenticated using its username and password (see above). After that, the server provides a challenge which — in combination with the password — is used to encrypt the rest of the communication. The actual encryption is based on a RC4 cipher with 256-bit key size, and the key is derived from the password and the challenge (as a salt) using PBKDF2.
All of these things make it more complex to sniff messages from the wire. However, the guys of WhatsAPI already successfully implemented this protocol, so that a lot of their code can be reused to read WhatsApp messages off the network interface.
I am currently working on a script to do just that. My current approach is to use tcpdump to listen to eth0 and pipe the output to a PHP script that parses the TCP packets and uses WhatsAPI to decode/decrypt the communication. Not the most elegant solution, but so far it works quite well. I will update this post as soon as I have something worth sharing.
