whatsapp sniffing ssl traffic with wireshark
5

I've been reading a lot of things about sniffing WhatsApp traffic and I already know it is over SSL. But I need to know if there is any way to decrypt this SSL traffic, since I don't know the private key that WhatsApp is using for encrypting.

So how could I discover which certificate is being used, or whether another way to decrypt those messages exists?

I don't want to read anybody's chats; my intention is really to see the protocol messages on the network, to understand them, reverse engineer them and build a simple Java API for personal work purposes.

I'm using Wireshark to read the SSL traffic.

[screenshot: Wireshark capture of a WhatsApp chat]

Conferee answered 17/9, 2013 at 5:37 Comment(3)
if this was possible, online banking would not exist as we know it. (Jaques)
but the certificate is installed on my PC, and I only need to see MY traffic, not other people's. (Conferee)
You might be able to see your own traffic, but only if you intercept your local SSL library calls. (Jaques)
8

You can try a man-in-the-middle attack using proxy software that can generate a fake SSL cert, but it won't always work. Some of these apps use certificate pinning to prevent exactly this type of attack.

HTTP proxy:
http://fiddler2.com/get-fiddler
This software generates an obviously fake cert that you are able to accept, if the app allows it.

Certificate Pinning:
https://security.stackexchange.com/questions/29988/what-is-certificate-pinning

Mesopause answered 17/9, 2013 at 21:15 Comment(1)
Looks like for Mac you need to use Fiddler Everywhere, and it doesn't have the same functionality. (Bunyip)
5

You cannot decrypt the messages unless you control either the server (private key for RSA auth suites, server app or program memory) or the client (app or memory) (well, or both negotiate weak ciphers, but that's a different topic).

Easiest way, but most invasive and easy to spot for both server and client: SSL/TLS man-in-the-middle with fake certs. Since this changes the server cert that the client app sees, the client app might just reject the connection (certificate pinning, hard pins). If it does not, good for you: you control the server, you have access to the negotiated keys.

Why? Client and server both negotiate a shared master secret from which they derive a set of client and server session keys (using the TLS PRF specified in the corresponding RFC, e.g. RFC 2246 for TLS 1.0).

That said, if you do not want to or cannot mess with the server and you have access to the client process, you could somehow find a way to extract the master secret from memory and re-calculate the client/server session keys as specified in the RFC. Extraction can be done either by debugging the application, searching for memory artifacts, or patching it, and subsequently decrypting the protocol messages. Note that the master secret is regenerated every now and then, therefore you'll also have to keep track of the client hellos (client random) that led to the master secret negotiation, or the exact time, in order to allow Wireshark to match keys to renegotiations. The keys are only valid for this client session, and you can decrypt ciphers not limited to RSA auth, as the master secret is the ultimate secret both parties agree upon after TLS key negotiation has finished.

Once you have the master secret and have mapped it to the client hellos, you can just feed it into Wireshark in the NSS key log format.

Here's an example of how to find the master_key in memory: pymemscrape is a PoC that demonstrates how to find the master_key in a process memory image.

Salmons answered 23/10, 2015 at 18:31 Comment(0)
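The two steps the answer above leaves implicit, mapping a recovered master secret to the ClientHello random and turning it into the NSS key log line Wireshark reads, are shown below, together with the RFC 5246 key expansion that proves the master secret alone is enough to rebuild the session keys. This is an added example written for this page, not code from any answer or from pymemscrape; the memory-extraction step itself is not shown. The ClientHello record, master secret and server random are constructed test data, not from a WhatsApp capture, and the PRF is the TLS 1.2 SHA-256 variant (TLS 1.0 uses the MD5/SHA-1 split PRF from RFC 2246 instead).

```python
"""Map a master secret recovered from a client process to Wireshark key material.

Added example for this page, not code from any answer. The ClientHello record,
master secret and server random below are constructed test data. PRF and
key-block layout follow RFC 5246 sections 5 and 6.3 (TLS 1.2, SHA-256 suites).
"""
import hashlib
import hmac
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01


def build_client_hello(client_random: bytes, cipher_suites=(0xC02F,)) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    assert len(client_random) == 32
    body = b"\x03\x03" + client_random                       # client_version, random
    body += b"\x00"                                          # empty session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                      # compression: null only
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def client_random_from_record(record: bytes) -> bytes:
    """Extract the 32-byte client random from a ClientHello record.

    Layout: 5-byte record header, 4-byte handshake header, 2-byte version, then random.
    This is the value Wireshark uses to pair a key log line with a session.
    """
    if len(record) < 43:
        raise ValueError("record too short for a ClientHello")
    if record[0] != TLS_HANDSHAKE or record[5] != HS_CLIENT_HELLO:
        raise ValueError("not a handshake record carrying a ClientHello")
    return record[11:43]


def nss_keylog_line(client_random: bytes, master_secret: bytes) -> str:
    """One line of the NSS key log format (pre-TLS-1.3 form) that Wireshark accepts."""
    if len(client_random) != 32 or len(master_secret) != 48:
        raise ValueError("client_random must be 32 bytes, master_secret 48 bytes")
    return f"CLIENT_RANDOM {client_random.hex()} {master_secret.hex()}"


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 5: P_hash = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); output truncated to length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256 cipher suites: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_key_block(master_secret, client_random, server_random, mac_len, key_len, iv_len):
    """RFC 5246 6.3 key expansion. Note the seed order server_random + client_random,
    the reverse of the master-secret derivation. Returns the six keys in wire order."""
    total = 2 * (mac_len + key_len + iv_len)
    kb = tls12_prf(master_secret, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


# Constructed test data: none of this came from a real capture.
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_SERVER_RANDOM = bytes(range(32, 64))
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_RECORD = build_client_hello(SAMPLE_CLIENT_RANDOM)

if __name__ == "__main__":
    rnd = client_random_from_record(SAMPLE_RECORD)
    print(nss_keylog_line(rnd, SAMPLE_MASTER_SECRET))
    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: no MAC key, 16-byte key, 4-byte implicit IV
    for name, key in derive_key_block(SAMPLE_MASTER_SECRET, rnd, SAMPLE_SERVER_RANDOM, 0, 16, 4).items():
        print(f"{name:22} {key.hex()}")
```

Append the printed CLIENT_RANDOM line to the file configured as Wireshark's key log and the matching session decrypts regardless of the key exchange, which is why the master secret, not the server's RSA private key, is the target when you control only the client. Each renegotiation produces a new client random, so one line is needed per handshake.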
3

Using session key logging, you can obtain the keys for the sessions. After that Wireshark can decrypt the packets with them.

  1. Enable session logging on the machine.

    For Windows: "Advanced system settings" -> "Environment Variables"

    Add a new variable named "SSLKEYLOGFILE" with a file path such as /path/to/sslkeylog.log as its value.

    Linux, Mac OS:

    $ export SSLKEYLOGFILE=~/path/to/sslkeylog.log

  2. Add session log file to the Wireshark

    Edit -> Preferences -> Protocols -> SSL

    Browse to the "sslkeylog.log" file in the "(Pre)-Master-Secret log filename" field, then save.

Detailed steps here: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

Frerichs answered 17/3, 2016 at 13:48 Comment(1)
please summarize the steps here, as the link may not work in the future. (Yoon)
1

It's not possible. Although everyone has the server certificate and public key, to decrypt the information you need the private key. The private key only exists on the server (WhatsApp).

The only way you can decrypt this information is to hack into the WhatsApp server and steal their private key (please don't do this).

Holliman answered 17/9, 2013 at 6:46 Comment(3)
once WhatsApp decrypts the messages to show them to the WhatsApp users there must be a way to decrypt, otherwise the users could not read the messages. (Conferee)
@Conferee Please see this diagram about the SSL handshake. In order for you to decrypt the information back to the user, you'd have to steal the user's symmetric key (which is hard). (Holliman)
the data encryption I understand.. the problem is the decryption, which is not present on that diagram.. how does the client decrypt the data that comes from the server? (Conferee)
1

If you have the keys, maybe this plugin can help you! Take a look:

https://github.com/davidgfnet/wireshark-whatsapp

Cumshaw answered 6/11, 2015 at 4:25 Comment(0)