2 May 2014

WhatsApp: The Spy Who Shagged It (meterpreter > load android)

WhatsApp has been in the news lately for many reasons, such as Facebook purchasing it, but for us the bombshell is its database decryption. Right after seeing the following post on Twitter, announcing a new plugin that brings new features to Android's Meterpreter, I began to analyze the Ruby code to understand what it contributes. The star feature is the dump and decryption of WhatsApp's database, but there are other things that deserve attention, and we will talk about them later. Before that, we want to show you the announcement published on Twitter by the author, Mohamed Anwar.


By fetching the Android extension and reading its code and TLV definitions we can understand the new features provided for the Android Meterpreter. These new features enrich the post-exploitation phase considerably. Where to install the extension? In the following path:


Analyzing the code we can see the features provided by the module, or plugin, once it is loaded into the Meterpreter session with the load command. Features such as SMS dumping, with which the attacker can retrieve the messages stored on the compromised device, are especially attractive. From the messages you can get the message content, the date it was sent or received, to whom it was sent or from whom it was received, etc. This functionality makes retrieving that information easy, which is really interesting.


Similar to this feature is contact dumping with the dump_contacts command, which returns the contact name, email and telephone number. Another type of dump provided by this extension is dump_calllog, which retrieves the device's call log, with information such as call duration, the phone number of incoming or outgoing calls, contact name, date, etc.

Before focusing on the WhatsApp features we first have to talk about two interesting features that caught my attention. After giving some Metasploit lectures ;) ;) I ended up noticing that many people are still interested in remotely shutting down a device. We can do that thanks to the device_shutdown feature implemented in this module, with which, as you can imagine, we are able to turn off the remote device. The other one I'm referring to is check_root, with which we can check whether the device is rooted or not, a boolean feature par excellence.

The final part of the plugin code contains the WhatsApp features with which the module was announced on Twitter. This is what we can find there:

dump_whatsapp_enum. Lists all the WhatsApp resources on the device, such as encrypted databases, audio files, video, images, etc.
dump_whatsapp_enum_pp. Similar to the one above but only for profile pictures.
dump_whatsapp_enum_media. Similar to the listing above but only for media files.
dump_whatsapp_get_media. Retrieves media files.
dump_whatsapp. Retrieves and decrypts the databases in order to view their content.

Below is the code for the dump_whatsapp_enum and dump_whatsapp features. This is where the commands are built and the bundles sent to the Meterpreter "server" running on the remote device. To understand what happens while these commands are shipped and the responses received, it is highly recommended to read the Packet.rb code.
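As an added example (not code from this post or from the Metasploit project), here is a small Ruby encoder/decoder for the generic Meterpreter TLV packet layout that Packet.rb builds, the kind of parser an analyst writes to read a captured bundle. It assumes each TLV is a 4-byte big-endian length (including its 8-byte header), a 4-byte type and the value, and that a packet is a group TLV whose type is the packet type; the type constants follow the meta-type | id convention, and the method name android_dump_whatsapp is a constructed sample, not the extension's real identifier.

```ruby
# Meta-types and the few TLV/packet types this example needs (Metasploit convention).
TLV_META_TYPE_STRING = 1 << 16
TLV_META_TYPE_UINT   = 1 << 17
TLV_TYPE_METHOD      = TLV_META_TYPE_STRING | 1   # command name
TLV_TYPE_REQUEST_ID  = TLV_META_TYPE_STRING | 2   # correlates request and response
TLV_TYPE_RESULT      = TLV_META_TYPE_UINT | 4     # status code in a response
PACKET_TYPE_REQUEST  = 0
PACKET_TYPE_RESPONSE = 1

# Encode one TLV: strings are NUL-terminated, uints are 4-byte big-endian.
def encode_tlv(type, value)
  raw = if (type & TLV_META_TYPE_STRING) != 0 then (value.to_s + "\0").b
        elsif (type & TLV_META_TYPE_UINT) != 0 then [value].pack('N')
        else value.to_s.b
        end
  [raw.bytesize + 8, type].pack('NN') + raw
end

# A packet is a group TLV: [total length][packet type][child TLVs...].
def encode_packet(packet_type, tlvs)
  body = tlvs.map { |t, v| encode_tlv(t, v) }.join
  [body.bytesize + 8, packet_type].pack('NN') + body
end

# Decode a packet into { packet_type:, tlvs: [[type, value], ...] },
# refusing truncated packets and TLV lengths that overrun the packet.
def decode_packet(raw)
  raw = raw.b
  total, ptype = raw.unpack('NN')
  raise 'truncated packet' if total.nil? || raw.bytesize < total
  tlvs = []
  off = 8
  while off < total
    len, type = raw[off, 8].unpack('NN')
    raise 'bad TLV length' if len.nil? || len < 8 || off + len > total
    val = raw[off + 8, len - 8]
    val = if (type & TLV_META_TYPE_STRING) != 0 then val.chomp("\0")
          elsif (type & TLV_META_TYPE_UINT) != 0 then val.unpack1('N')
          else val
          end
    tlvs << [type, val]
    off += len
  end
  { packet_type: ptype, tlvs: tlvs }
end

# Constructed sample: a request bundle for an extension command (name is a placeholder).
SAMPLE_REQUEST = encode_packet(PACKET_TYPE_REQUEST,
  [[TLV_TYPE_METHOD, 'android_dump_whatsapp'], [TLV_TYPE_REQUEST_ID, '42']])

# Pull the command name out of a captured request, or nil if none is present.
def request_method(raw)
  pair = decode_packet(raw)[:tlvs].find { |t, _| t == TLV_TYPE_METHOD }
  pair && pair[1]
end
```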


The Metasploit world keeps moving forward, and the truth is that it increasingly looks like the top tool in the computer security universe, thanks to all the community support and how easy it is to get into framework development.


Translated by Ana García Negrillo  (@ANAgarneg)
Cristina Serrano (@parole_errante)
