
Published on December 10th, 2017


WhatsPwn: extract sensitive data, inject backdoor or drop remote shells on android devices



WhatsPwn

Linux tool used to extract sensitive data, inject backdoor or drop remote shells on Android devices.

There may be some bugs on devices running Android 6.* Marshmallow because of the newer Android security policies, and keypad injection may not work depending on the processing speed and the Android version of the device.

CHANGELOG

WHATSPWN 2.0

The first version was full of awful bugs, so bad that on some systems it was just "unrunnable". So that's why I decided to rebuild the tool from scratch.

ADDED
  • New payload features: Inject meterpreter into legitimate apk, create hidden or visible payloads.
  • Constant connection status.
IMPROVED
  • UI
  • Fixed a lot of major and minor bugs
  • Only ask for connection when it needs it
  • Autodetect local or wireless extraction
REMOVED
  • Command line arguments

INSTALLATION

The first thing you need to do is clone the repository.

REQUIREMENTS

By default, if the program finds that you are missing a dependency it will install it automatically. But if you are curious, these are the dependencies:

  • Metasploit-Framework: If you are using Kali Linux 2.0 and for any mysterious reason you are missing this framework, the program will install it automatically. Otherwise you will have to install it manually; any of the usual guides for its installation and configuration will do.
  • SSH & SSHPass
  • Ruby: Used for the injection step, as bash was not made for parsing XML files.
  • Apktool
  • Java 7: Required only so that apktool works.

Once you have done that we can proceed.

CONFIGURATION

There are two files that you might want to edit first, the config file and the server file.

MAIN CONFIGURATION

The config file is where you put all the main variables corresponding to your system. This is how the file looks:

##############################################################################
#                              PAYLOAD OPTIONS                               #
##############################################################################
PAYLOAD=""
PAYLOAD_NAME=""
PAYLOAD_PORT=""
PAYLOAD_IP=""
LEGITIMATE_APK=""
##############################################################################
#                                MAIN OPTIONS                                #
##############################################################################
PATHEXT="~/"
BACKUPZIPNAME="filesystem_linux"
USER="--user 0"
AUTOMODE=1

Here is the list of all the configuration variables:

  • PAYLOAD: Specifies the payload to use. If you already have your own, put its full path here, ending in .apk.
  • PAYLOAD_NAME: The name of the output payload, without .apk. When you want to generate multiple payloads you might want to set a default name here, so the process becomes more efficient as the program will not ask you for the name every time you generate one.
  • PAYLOAD_PORT: The port the payload's reverse connection uses. You may want to set a default for the same reason as above.
  • PAYLOAD_IP: The IP the payload will connect back to. This is your external or internal IP, or even your dynamic DNS address.
  • LEGITIMATE_APK: The full path of the legitimate app the program will inject meterpreter into. This is used only for injection.
  • PATHEXT: The path where all the extracted data is going to be stored. By default this is ~/, the home directory of the user running the tool.
  • BACKUPZIPNAME: The name of the .zip file containing all the extracted data. By default this is filesystem_linux.
  • USER: Controls how the payload's service is launched. You do not have to worry about this; it exists only for compatibility with some Android devices.
  • AUTOMODE: This boolean tells the program to ask, at the start of the FULL ATTACK, for every variable that is missing, so that once the attack is running you do not have to type names or paths.

SERVER CONFIGURATION

If you have set up a server where you want all your extracted files to end up, you can place its configuration in the server file. This is how the server file looks:

SERV=""
USRSERV=""
OUTPUTDIRSERV="~/extracted/"

This is very easy; you just need to change the variables to suit your server.

  • SERV: The IP to connect to; this can be an external IP or a dynamic DNS name.
  • USRSERV: The username on the server, e.g. root.
  • OUTPUTDIRSERV: The path on the server where the extracted data is put.

Just to clarify, the program will try to connect to USRSERV@SERV and place the files under OUTPUTDIRSERV (i.e. the destination USRSERV@SERV:OUTPUTDIRSERV).
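
Both files are plain shell variable assignments that the tool reads at start-up. The script below is an added example (not WhatsPwn's own code) that reads the config and server files and checks their values before a run, without sourcing them: sourcing executes whatever is in the file, and the line USER="--user 0" would overwrite the shell's own $USER for the rest of the session. It also expands a leading ~ itself, because ~ inside double quotes (PATHEXT="~/") is not expanded by bash. The check rules and the sample values (192.0.2.10, 203.0.113.10, port 4444) are this example's assumptions, constructed for illustration.

```bash
#!/bin/bash
# Added example, not WhatsPwn's own code: read the `config` and `server`
# files without sourcing them and sanity-check the values before a run.
# Sourcing would execute anything in the file, and USER="--user 0" would
# overwrite the shell's own $USER for the rest of the session.

# Print the value of KEY from FILE. Only lines of the form KEY="value" or
# KEY=value count; comments and other lines are ignored. Last match wins.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# A leading ~ inside double quotes (PATHEXT="~/") is not expanded by the
# shell, so expand it here before testing the path.
expand_tilde() {
    case "$1" in
        "~")   printf '%s\n' "$HOME" ;;
        "~/"*) printf '%s/%s\n' "$HOME" "${1#??}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Destination the upload step targets, in scp form: USRSERV@SERV:OUTPUTDIRSERV
scp_target() {
    printf '%s@%s:%s\n' "$(cfg_get "$1" USRSERV)" "$(cfg_get "$1" SERV)" \
                        "$(cfg_get "$1" OUTPUTDIRSERV)"
}

# Check both files. Prints one line per problem; returns 1 if any was found.
# The rules below are this example's assumptions about sensible values.
validate_whatspwn_config() {
    local cfg=$1 srv=$2 rc=0 v p
    for v in PAYLOAD LEGITIMATE_APK; do            # optional; if set, an existing .apk
        p=$(cfg_get "$cfg" "$v")
        [ -z "$p" ] && continue
        case "$p" in
            *.apk) [ -r "$p" ] || { echo "$v: $p is not readable"; rc=1; } ;;
            *)     echo "$v must be a full path ending in .apk"; rc=1 ;;
        esac
    done
    p=$(cfg_get "$cfg" PAYLOAD_PORT)               # optional; if set, 1-65535
    if [ -n "$p" ]; then
        case "$p" in
            *[!0-9]*) echo "PAYLOAD_PORT must be numeric"; rc=1 ;;
            *) [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "PAYLOAD_PORT out of range"; rc=1; } ;;
        esac
    fi
    p=$(cfg_get "$cfg" PAYLOAD_IP)                 # IPv4 or host name characters only
    case "$p" in *[!A-Za-z0-9.-]*) echo "PAYLOAD_IP contains unexpected characters"; rc=1 ;; esac
    p=$(expand_tilde "$(cfg_get "$cfg" PATHEXT)")  # where extracted data lands
    [ -d "$p" ] || { echo "PATHEXT: '$p' is not a directory"; rc=1; }
    case "$(cfg_get "$cfg" AUTOMODE)" in 0|1) ;; *) echo "AUTOMODE must be 0 or 1"; rc=1 ;; esac
    if [ -n "$(cfg_get "$srv" SERV)" ] && [ -z "$(cfg_get "$srv" USRSERV)" ]; then
        echo "server: USRSERV is required when SERV is set"; rc=1
    fi
    return "$rc"
}

# Stand-alone demo on constructed copies of the two files (the addresses are
# documentation ranges, not real hosts).
tmp=$(mktemp -d)
cat > "$tmp/config" <<'EOF'
PAYLOAD=""
PAYLOAD_NAME="demo"
PAYLOAD_PORT="4444"
PAYLOAD_IP="192.0.2.10"
LEGITIMATE_APK=""
PATHEXT="~/"
BACKUPZIPNAME="filesystem_linux"
USER="--user 0"
AUTOMODE=1
EOF
cat > "$tmp/server" <<'EOF'
SERV="203.0.113.10"
USRSERV="root"
OUTPUTDIRSERV="~/extracted/"
EOF
if validate_whatspwn_config "$tmp/config" "$tmp/server"; then
    echo "config ok; uploads would go to $(scp_target "$tmp/server")"
fi
rm -rf "$tmp"
```

Run it before a Full Attack, pointing it at the real config and server files; because it only reads the files, it can be run in the same shell as the tool without side effects.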





HOW TO USE IT

As this is a CLI framework there are no arguments to parse, which means you can just run it with:

./whatspwn

Or from any directory. For example, if you cloned the repository to ~/Downloads/, you can run it as:

This will take you to the license agreement prompt, where you have some options; you can type y to agree and continue.

Next, it will take you to the main interface where all the fun begins.


ATTACKS

When entering the attacks menu you will need to connect your device via a USB cable, and for that USB (ADB) debugging must be enabled on the Android device. To do so, follow these steps:

  1. Go to Settings > About > Software
  2. Tap 7 times on Build Number to enable Developer Options
  3. Go back to Settings
  4. Tap on Developer Options
  5. Turn on USB Debugging

After USB debugging has been enabled and you have connected your device, you will be taken to the attacks main menu. Here you can choose:

  • Full Attack:
    1. Get the device's main info, like model, version, manufacturer, etc.
    2. Install the backdoor payload you have specified in the config file.
    3. Extract the WhatsApp database, decrypt it and save it. To do this, WhatsApp on the device will suffer a temporary downgrade; don't worry, the program will restore the version that was installed and keep all the data. Only in case of error or incompatibility will you have to run Emergency restore WhatsApp.
    4. Extract sensitive data:
    • WhatsApp images, sounds, etc.
    • DCIM images.
    • Telegram images.
  • Shell: Launch a shell on the device.
  • Emergency restore WhatsApp: Only in case of error or incompatibility. This restores the downgraded WhatsApp to the last version, but sadly it won't restore conversations or user data.
  • Only extract sensitive data: This skips the payload installation and the WhatsApp database extraction and decryption; it only extracts photos and sensitive info.
  • Install or relaunch payload: This installs the payload specified in the config file (or created in the payloads menu) and starts its service.

NOTE: If the connection was successful, all the processes are carried out wirelessly; otherwise, you will have to keep the phone connected.

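As an added example of the USB/wireless detection and of the first and last steps of the Full Attack (this is not WhatsPwn's code and does not show the tool's own extraction logic), the script below picks the first authorised device from adb devices -l, reports whether it is attached over USB or TCP/IP, reads the model, Android version and manufacturer properties, and pulls the media directories. The /sdcard paths, the TCP/IP port 5555 and the sample adb devices -l output are assumptions constructed for illustration; the "unauthorized" state it skips is what you see when USB debugging is on but the RSA-key prompt has not yet been accepted on the phone.

```bash
#!/bin/bash
# Added example, not WhatsPwn's code: select the attached Android device,
# tell USB from TCP/IP (the page's "local or wireless" modes), gather the
# basic device info (Full Attack step 1) and pull the media directories
# (step 4). The /sdcard paths, port 5555 and the sample `adb devices -l`
# output below are assumptions for illustration.

# Read `adb devices -l` output on stdin and print the serial of the first
# device in state "device". "unauthorized" means USB debugging is on but
# the RSA-key prompt has not been accepted on the phone yet; "offline"
# devices are skipped as well.
adb_first_device() {
    awk 'NR > 1 && $2 == "device" { print $1; exit }'
}

# TCP/IP serials look like host:port; anything else is a USB serial.
adb_transport_of() {
    case "$1" in
        *:[0-9]*) echo wireless ;;
        *)        echo usb ;;
    esac
}

# Step 1: model, Android version and manufacturer via system properties.
adb_device_info() {
    local serial=$1 prop
    for prop in ro.product.model ro.build.version.release ro.product.manufacturer; do
        printf '%s=%s\n' "$prop" "$(adb -s "$serial" shell getprop "$prop" | tr -d '\r')"
    done
}

# Step 4: pull WhatsApp media, DCIM and Telegram media into DEST/<serial>/.
# A missing directory (app not installed) is reported and skipped.
adb_pull_media() {
    local serial=$1 dest=$2 dir
    mkdir -p "$dest/$serial"
    for dir in /sdcard/WhatsApp/Media /sdcard/DCIM /sdcard/Telegram; do
        adb -s "$serial" pull "$dir" "$dest/$serial/" || echo "skipped $dir (not present)"
    done
}

# Switch a USB-attached device to TCP/IP so the remaining steps can run
# without the cable. The phone's Wi-Fi address is supplied by the caller.
adb_go_wireless() {
    local usb_serial=$1 ip=$2
    adb -s "$usb_serial" tcpip 5555 && adb connect "$ip:5555"
}

# Stand-alone demo on constructed `adb devices -l` output; no device needed.
sample='List of devices attached
0123456789ABCDEF       unauthorized usb:1-1 transport_id:1
192.168.1.23:5555      device product:sailfish model:Pixel device:sailfish transport_id:2'
serial=$(printf '%s\n' "$sample" | adb_first_device)
echo "selected $serial ($(adb_transport_of "$serial"))"

# Live run, only when adb is installed and an authorised device is attached.
if command -v adb >/dev/null 2>&1; then
    live=$(adb devices -l | adb_first_device)
    if [ -n "$live" ]; then
        adb_device_info "$live"
        adb_pull_media "$live" "${PATHEXT:-$HOME}/extracted"
    fi
fi
```

If adb_first_device prints nothing although the phone is plugged in, check the phone's screen for the "Allow USB debugging?" prompt first; an unauthorised device is listed but deliberately not selected.
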
PAYLOADS

Typing 2 in the main menu will take you to the payloads main interface. Here you can choose:

  • Injection: This injects meterpreter code into a legitimate app.
  • Create hidden payload: This creates a hidden meterpreter payload, in other words, one that will not show up in the application drawer on the device.
  • Create visible payload: The opposite of the above.

UPLOAD

This option will try to upload all extracted files to the server specified in the server file.

Demo

https://www.youtube.com/watch?v=F2QX0yGDzgw

Source: https://github.com/jlrodriguezf/WhatsPwn


