WhatsPwn: extract sensitive data, inject backdoor or drop remote shells on android devices
Linux tool used to extract sensitive data, inject backdoor or drop remote shells on Android devices.
There may be bugs on devices running Android 6.* Marshmallow because of the newer Android security policies, and keypad injection may not work depending on the device's processing speed and Android version.
The first version was so full of awful bugs that on some systems it was simply unrunnable, so I decided to rebuild the tool from scratch.
- New payload features: Inject meterpreter into legitimate apk, create hidden or visible payloads.
- Constant connection status.
- Fixed a lot of major and minor bugs
- Only asks for a connection when it needs one
- Autodetects local or wireless extraction
- Command line arguments
The first thing you need to do is clone the repository
By default, if the program finds that you're missing a dependency, it installs it automatically. If you're curious, these are the dependencies:
- Metasploit-Framework: If you are using Kali Linux 2.0 and for some mysterious reason are missing this framework, the program will install it automatically. Otherwise you will have to install it manually; you can follow this, this, this, or any other guide for the installation and configuration.
- SSH & SSHPass
- Ruby: Used for injection, since bash was not made for parsing XML files.
- Java 7: Required only so that apktool works.
Once you have done that we can proceed.
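The injection step needs to parse the decoded AndroidManifest.xml, which is why Ruby is a dependency. The same parsing serves the opposite, defensive purpose: comparing the decoded manifest of an APK you suspect has been repackaged against a known-good baseline, to spot permissions and components that were not in the original app. The script below is an added example and is not part of WhatsPwn; the sample manifest, package name and expected-permission baseline are constructed for illustration.

```ruby
require 'rexml/document'

# Constructed sample (not from any real app): a decoded AndroidManifest.xml of
# the kind apktool produces, for a hypothetical note-taking app.
SAMPLE_MANIFEST = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
            package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Notes">
      <activity android:name=".MainActivity"/>
      <service android:name=".MainService"/>
      <receiver android:name=".BootReceiver"/>
    </application>
  </manifest>
XML

# Assumed baseline: the permissions a reviewer expects this hypothetical app to
# declare (for example, taken from the manifest of a known-good copy).
EXPECTED_PERMISSIONS = %w[
  android.permission.INTERNET
  android.permission.WRITE_EXTERNAL_STORAGE
].freeze

# Every android:name declared on <uses-permission> elements, in document order.
def declared_permissions(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//uses-permission')
              .map { |el| el.attributes['android:name'] }
              .compact
end

# Permissions present in the manifest but absent from the expected baseline.
def unexpected_permissions(xml, expected)
  declared_permissions(xml) - expected
end

# Components declared under <application>, grouped by element type, so a
# reviewer can spot services or receivers the original app never shipped.
def declared_components(xml)
  doc = REXML::Document.new(xml)
  %w[activity service receiver].each_with_object({}) do |kind, out|
    out[kind] = REXML::XPath.match(doc, "//application/#{kind}")
                            .map { |el| el.attributes['android:name'] }
                            .compact
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Declared permissions: #{declared_permissions(SAMPLE_MANIFEST).join(', ')}"
  extra = unexpected_permissions(SAMPLE_MANIFEST, EXPECTED_PERMISSIONS)
  puts "Not in baseline: #{extra.empty? ? 'none' : extra.join(', ')}"
  declared_components(SAMPLE_MANIFEST).each do |kind, names|
    puts "#{kind}: #{names.join(', ')}"
  end
end
```

Run it against the XML that `apktool d` writes for the APK under review, replacing the constructed sample and baseline with the real manifest and the permission list of a trusted copy; any permission or component reported as "not in baseline" is what a repackaged build added.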
There are two files you might want to edit first: the config file and the server file.
The config file is where you put all the main variables corresponding to your system. This is what the file looks like:
Here is the list of all the configuration variables:
- PAYLOAD: Specifies the payload to use. If you already have your own, put its full path here, ending in .apk.
- PAYLOAD_NAME: The name of the output payload, without the .apk extension. When you want to generate multiple payloads you may want to set a default payload name so that the process becomes more efficient, as the program will not ask you for the name every time you generate one.
- PAYLOAD_PORT: The port to use for payload reverse connections. You may want to specify a default for the same reason as above.
- PAYLOAD_IP: The IP the payload will connect back to. This is your external or internal IP, or even your dynamic DNS address.
- LEGITIMATE_IP: The full path of the legitimate app the program will inject meterpreter into. This is only used for injection.
- PATHEXT: The path where all the extracted data will be stored. By default this is the root directory.
- BACKUPZIPNAME: The name of the .zip file containing all the extracted data. By default this is filesystem_linux.
- USER: How the payload's service will be launched. You don't have to worry about this; it exists only for compatibility with some Android devices.
- AUTOMODE: This boolean tells the program to ask for every variable missing from the FULL ATTACK at the beginning, so that once it has started you don't have to worry about typing names or paths.
If you have set up a server where you want all your extracted files to end up, put its configuration in the server file. This is what the server file looks like:
This is very easy: you just need to change the variables to suit your server configuration.
- SERV: The IP to connect to; this can be an external IP or a dynamic DNS name.
- USRSERV: The username on the server, e.g. root.
- OUTPUTDIRSERV: The path where the extracted data will be put.
Just to clarify things, the program will try to connect to
HOW TO USE IT
As this is a CLI framework there are no arguments to parse, which means you can run it simply with:
or from any directory. For example, if you cloned the repository to ~/Downloads/, you can run it as:
This will take you to the license agreement prompt, where you have several options; type y to agree and continue.
Next, it will take you to the main interface where all the fun begins.
This is how it looks:
When entering the attacks menu you will need to connect your device via USB cable, so you will have to enable ADB debugging on your Android device. To do so, follow these steps:
- Go to Settings > About > Software
- Tap 7 times on Build Number to enable Developer Options
- Go back to Settings
- Tap on Developer Settings
- Turn on USB Debugging
After ADB debugging has been enabled and you have connected your device, you will be taken to the attacks main menu. Here you can choose:
- Full Attack:
  - Get the device's main info, such as model, version and manufacturer.
  - Install the backdoor payload you specified in the config file.
  - Extract the WhatsApp database, decrypt it and save it. To do this, WhatsApp on the device undergoes a temporary downgrade, but don't worry: the program restores the version that was installed and keeps all the data. Only in case of error or incompatibility will you have to use Emergency restore WhatsApp.
  - Extract sensitive data:
    - WhatsApp images, sounds, etc.
    - DCIM images.
    - Telegram images.
- Shell: Launch a shell on the device.
- Emergency restore WhatsApp: Only in case of error or incompatibility. This restores the downgraded WhatsApp to the latest version, but sadly it won't restore conversations or user data.
- Only extract sensitive data: This skips the payload installation and the WhatsApp database extraction and decryption; it only extracts photos and sensitive info.
- Install or relaunch payload: This installs the payload specified in the config file or created in the payloads menu, and starts the service.
NOTE: IF THE CONNECTION WAS SUCCESSFUL IT WILL DO ALL THE PROCESSES WIRELESSLY; OTHERWISE, YOU WILL HAVE TO KEEP THE PHONE CONNECTED.
Typing 2 in the main menu will take you to the payloads main interface. Here you can choose:
- Injection: This injects meterpreter code into a legitimate app.
- Create hidden payload: This option will create a hidden meterpreter payload, in other words, this will not show up in the applications drawer on your device.
- Create visible payload: This is the opposite of the above.
This option will try to upload all extracted files to the server specified in the server file.