WhatsPwn: extract sensitive data, inject backdoor or drop remote shells on android devices

by do son · Published July 16, 2017 · Updated August 4, 2017

WhatsPwn

Linux tool used to extract sensitive data, inject backdoor or drop remote shells on Android devices.

There may be some bugs on devices running Android 6.* Marshmallow because of new Android security policies. And keypad injection may not work depending on processing speed of device and version.

CHANGELOG

WHATSPWN 2.0

The first version was full of awfull bugs that in some systems it was just “unrunnable”. So that’s why I decided to rebuild the tool from scratch.

ADDED

New payload features: Inject meterpreter into legitimate apk, create hidden or visible payloads.
Constant connection status.

IMPROVED

UI
Fixed a lot of major and minor bugs
Only ask for connection when it needs it
Autodetect local or wireless extraction

REMOVED

Command line arguments

INSTALLATION

The first thing you need to do is clone the repository

REQUIREMENTS

By default, if the program finds that you’re missing a dependency it will install it automatically. But if you’re curious these are the dependencies;

Metasploit-Framework: If you are using Kali Linux 2.0 and for any mysterious reason you are missing this framework the program will install it automatically. Otherwise you will have to install it manually. You can follow this, or this, or this, or any other guide for the installation and configuration.
SSH & SSHPass
Ruby: For injection as bash was not made for parsing xml files.
Apktool
Java 7: This is just for apktool to work.

Once you have done that we can proceed.

CONFIGURATION

There are two files that you might want to edit first, the config file and the server file.

MAIN CONFIGURATION

The config file is where you put all the main variables corresponding to your system. This is how the file looks like:

##############################################################################

#                              PAYLOAD OPTIONS                               #

##############################################################################

PAYLOAD=""

PAYLOAD_NAME=""

PAYLOAD_PORT=""

PAYLOAD_IP=""

LEGITIMATE_APK=""

##############################################################################

#                                MAIN OPTIONS                                #

##############################################################################

PATHEXT="~/"

BACKUPZIPNAME="filesystem_linux"

USER="--user 0"

AUTOMODE=1

Here is the list of all the configuration variables:

PAYLOAD: It specifies the payload to use. If you already have your own you can put it in here with the full path and ending with .apk.
PAYLOAD_NAME: This is the name of the output payload name without.apk. When you want to generate multiples payloads you might want to set the default payload name so that the process became more efficient as the program would not ask you for the name every time you want to generate one.
PAYLOAD_PORT: The port to use for payload reverse connections. You may want to specefiy the default for the same reason as the above.
PAYLOAD_IP: This is the IP the payload will connect back to. This is your external or internal ip or even your dynamic DNS address.
LEGITIMATE_IP: This is the path of the legitimate app the programm will inject meterpreter to with full path. This is just for injection.
PATHEXT: This is the the path where all the extracted data is going to be. By default this is the root directory.
BACKUPZIPNAME: This is the name of the .zip file containing all the extracted data. By default this is filesystem_linux.
USER: This is how the payload’s service will launch. You don’t have to worry about this as this is just for compatibility for some android devices.
AUTOMODE: This boolean tells the program to ask for every variable that is missing in the FULL ATTACK at the beginning so once it has started you don’t have to worry about typing names or paths.

SERVER CONFIGURATION

If you have set up a server where you want to be all your extracted files you can place your configuration in the server file. This is how the server file looks like:

SERV=""

USRSERV=""

OUTPUTDIRSERV="~/extracted/"

This is very easy you just need to change the variables to suit your server configuration.

SERV: This is the ip to connect, this can be external or dynamic DNS name.
USRSERV: This is the username of the server, i.e, root.
OUTPUTDIRSERV: The path to put the extracted de data.

Just to clarify things, the program will try to connect to USRSERV@SERV/OUTPUTDIRSERV.

HOW TO USE IT

As this is a CLI Framework there are no arguments to parse, that means that you can just run it by;

./whatspwn

Or from any directory. For example, if you cloned the repository to ~/Downloads/, you can run it as;

This will take you to the license agreement prompt where you have some options, you can type y to agree and continue.

Next, it will take you to the main interface where all the fun begins.

This is how it looks:

ATTACKS

When entering attacks menu you will need to connect your device via USB cable, so you will have to enable ADB Debugging on your Android device, to do so you can follow this steps;

Go to Settings > About > Software
Tap 7 times on Build Number to enable Developer Options
Go back to Settings
Tap on Developer Settings
Turn on USB Debugging

After ADB Debugging has been enabled and you have connected your device you will be taken to the attacksmain menu. Here you can choose;

Full Attack:
1. Get the device main info like model, verison, manufacturer, etc.
2. Install backdoor payload you have specified in the config file.
3. Extract the WhatsApp Database, decrypt it and save it. To do this, WhatsApp on the device will suffer a temporary downgrade, but don’t worry, the programm will restore the version that was installed and keep all the data. Only in case of error or uncompatibility you will have to Emergency restore WhatsApp.
4. Extract sensitive data
- WhatsApp images, sounds, etc.
- DCIM images.
- Telegram images.
Shell: Launch a shell to the device.
Emergency restore WhatsApp: This is only in case of error or incompatibility. This will restore downgraded whatsapp to the last version, but sadly it won’t restore conversations or user data.
Only extract sensitive data: This will skip the payload installation, WhatsApp Database extraction and decryption. It will only extract photos and sensitive info.
Install or relaunch payload: This will install the payload specified in the config file or created in the payloads menu, and start the service.

NOTE: IF THE CONNECTION WAS SUCCESSFULL IT WILL DO ALL THE PROCESSES WIRELESSLY, OTHERWISE, YOU WILL HAVE TO KEEP THE PHONE CONNECTED.

PAYLOADS

Typing 2 in the main menu will take you to the payloads main interface. Here you can choose;

Injection: This will inject a meterpreter code into a legitimate app.
Create hidden payload: This option will create a hidden meterpreter payload, in other words, this will not show up in the applications drawer on your device.
Create visible payload: This is the opposite of the above.

UPLOAD

This option will try to upload all extracted files to the server specified in the server file.

Demo

https://www.youtube.com/watch?v=F2QX0yGDzgw

WhatsPwn: extract sensitive data, inject backdoor or drop remote shells on android devices

Search

Brilliantly

Content & Links

WhatsPwn: extract sensitive data, inject backdoor or drop remote shells on android devices

WhatsPwn

CHANGELOG

WHATSPWN 2.0

ADDED

IMPROVED

REMOVED

INSTALLATION

REQUIREMENTS

CONFIGURATION

MAIN CONFIGURATION

SERVER CONFIGURATION

HOW TO USE IT

ATTACKS

NOTE: IF THE CONNECTION WAS SUCCESSFULL IT WILL DO ALL THE PROCESSES WIRELESSLY, OTHERWISE, YOU WILL HAVE TO KEEP THE PHONE CONNECTED.

PAYLOADS

UPLOAD

Demo

Source: https://github.com/jlrodriguezf/WhatsPwn

Search

Brilliantly

Content & Links