whatsapp sniffing ssl traffic with wireshark

networking ssl reverse-engineering wireshark whatsapp
69,731

Solution 1

You can try a Man-in-the-middle attack using a proxy software that can generate a fake SSL cert, but it won't always work. Some of these apps using certificate pinning to prevent exactly this type of attack.

HTTP proxy:
http://fiddler2.com/get-fiddler
This software generates a obvious fake cert that you are able to accept if the app will allow.

Certificate Pinning:
https://security.stackexchange.com/questions/29988/what-is-certificate-pinning

Solution 2

You cannot decrypt the messages unless you control either the server (privkey for RSA auth suites, server app or program memory) or client (app or memory) (well, or both negotiate weak ciphers but thats a different topic)

Easiest way but most invasive and easy to spot for both server and client: ssl/tls man-in-the-middle with fake certs. Since this is changing the server cert that the client app sees the client app might just reject the connection (certificate pinning, hard-pins). If it does not, good for you, you control the server, you have access to the negotiated keys.

Why? client and server both negotiate a shared master secret which they derive a set of client and server session keys from (using tls prf specified in the according rfc e.g. rfc2246 - tls1.0).

That said, if you do not want to or cannot mess with the server and you have access to the client process you could somehow find a way to extract the master secret from memory and re-calculate the client/server session keys as specified in the rfc. Extraction can either be done by debugging the application, searching for memory artifacts or patching it and subsequently decrypt the protocol messages. Note that the master secret is regenerated every now and then therefore you'll also have to keep track of the client hellos (client random) that lead to the master secret negotiation or the exact time in order to allow wireshark to match keys to renegotiations. The keys are only valid for this client session and you can decrypt ciphers not limited to RSA auth as the master secret is the ultimate secret both partys agree upon after tls key negotiation finished.

Once you have the master secret and mapped it to the client hellos you can just feed it into wireshark in the nss keylog format.

Here's an example of how to find the master_key in memory: pymemscrape is a PoC that demonstrates how to find the master_key from a process memory image.

Solution 3

Using the session key logging, you could reach the keys for the sessions. After that wireshark can resolve the packets with it.

  1. Enable session logging on the machine.

    For Windows: "Advance system settings" -> "Environment Variables"

    Add new variable with name: "SSLKEYLOGFILE" and a file /path/to/sslkeylog.log specified.

    Linux, MAC OS:

    $ export SSLKEYLOGFILE=~/path/to/sslkeylog.log

  2. Add session log file to the Wireshark

    Edit -> Preferences -> Protocols -> Select SSL

    Browse the " sslkeylog.log" file to the (Pre) -Master-Secret log filename then save.

Detailed steps here: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

Solution 4

It's not possible. Although everyone has the server certificate and public key, to decrypt the information you need the private key. Private key only exist on the server (whatsapp).

The only way you can decrypt this information is to hack into whatsapp server and steal their private key (please don't do this)

Solution 5

If you have the keys maybe this plugin can help you! Take a look

https://github.com/davidgfnet/wireshark-whatsapp

Share:
69,731
thiagoh
Author by

thiagoh

coding.. that's it

Updated on November 23, 2020

Comments

  • thiagoh
    thiagoh over 3 years

    I've been reading a lot of things about sniffing whatsapp traffic and I already know is over ssl. But I need to know if is there any way to decrypt this ssl traffic once I dont know what is the private key that whatsapp is using for encrypting.

    So how could I discover which certificate is being used or whether exists another way to decrypt those messages?

    I dont want to read anybody's chats, my intention is really se the protocols messages through the network. To understand, make a reverse engineering and elaborate a simple JAVA api to personal job purposes.

    I'm using wireshark to read the ssl traffic.

    screenshot of a capture of a whatsapp chat

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

SSL (imap) doesn't work from some machines - ssl handshake failure - how to narrow down further?
How to read ocsp package content in wireshark
Can you check/monitor the client certificates sent in requests using Wireshark?
TCP Server sends [ACK] followed by [PSH,ACK]
How to decrypt https
How to see full HTTPS URL in wireShark
what does this wireshark info refer to
Wireshark Decryption of TLS V1.2
Can Wireshark be used to change the content of packets
SSL Certificate for multiple servers