Hacking into Whatsapp Series, Part 2: Phishing.

Aug 17, 2017 03:04 AM
636341898598011629.jpg

Whatsapp web has been out for a while now

it gives you the ability to use whatsapp on your computer, you simply need to scan a QR code with your phone from whatsapp and you'll gain access

1-QR code?

a QR code(short for quick response code) stores a bunch of code inside it and is widely used because of how fast it can be read by smartphones.

this is a QR code:

636341898598011629.jpg

How are we supposed to use phishing in this scenario if there's no credentials?

Well, theoretically, if we can come up with something that can extract the qr code from the web.whatsapp.com page open on our browser, and display it on a website we made,then send that link to the victim to scan the QR code on it, the whatsapp session should be open on the original whatsapp web page on our browser.

Now, you must be asking, you expect beginners to code that?

No, I'm well aware you can't

fortunately, the work has already been done, all you have to do is follow the steps.

OWASP created a tool, capable of doing all that

this attack has been out for so long, but to my surprise not many people know about it, so i thought about shedding some light on it.

Okay so how do we use it?

Let's start by opening a new terminal

and type in git clone https://github.com/OWASP/QRLJacking.git

636385057101646800.jpg

side note:There's two ways to use this, either manually or automatically by using the QrlJacker

For the sake of keeping this tutorial short, and for it to be beginner friendly, I'll demonstrate how to do this with the QrlJacker.

now we need to enter the directory that contains the frame work, to check if we have all of the requirements

to do that we will use CD

type in your terminal cd QRLJacking/QrlJacking-Framework

if you're using kali linux, usually the requirements are already met, but as a matter of caution we'll run the requirements installation script anyway.

to do that type in pip install -r requirements.txt

636385061782740422.jpg

Now that that is done, we're ready to start

To use the QrlJacker type in the following:

python QRLJacker.py

636385063773365672.jpg

As you can see, many options are available, but for our tutorial we're only interested in whatsapp

type in 1 and click enter

then type in 1 another time

you'll be asked to choose a port, leave it empty if you would like to use the default port(1337)

A new window of mozilla firefox will be opened and the server will be started at yourIpAdress:portYouChose

for me it's 192.168.1.103:1337

636385066495866297.jpg

As you can see, The qr code is displayed on this local website that we will send to the victim

but who would scan that? Too suspicious

Let's edit it.

go to QRLJacking/QrlJacking-Framework/

right click on index.html

open with other application, choose a text editor

then edit it to be like this code







Whatsapp









Scan me!

Scan the code with whatsapp







Kept that code as simple as possible, that way even beginners have a chance in understanding and editing the code to their liking

this is script kiddie level code

To be able to do this attack easily over wan, go to your router configuration page and forward the port 1337 on your private ip

(in my case it's 192.168.1.103)

then

the link will be yourPublicIpAdress:portYouForwarded

example: 93.176.88.82:1337

send that link to the victim if he's outside of your network

and he'll be able to access our fake website

create a lie to make them scan the code

and you'll be able to access their whatsapp.

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!