
Extracting password from device



## Android

### Using apk

Note: Device must be rooted.

  • Download WA PW extractor
  • MD5: 25A659EB1C176190E4D551AFAA7D74D7
  • SHA1: 7C4C4E3851BD1EBFBC60B4BE7EE41E1E57E54741
  1. Open WA PW

wapw

  1. Click on 'Extract pw!' and give root privileges to the apk

root

  1. Now you have your WA PW!

pw

  1. You can send it to your computer via WhatsApp, email...

ta-chan

### Bash

Change `TELNUM` in the script below to your phone number. You will need the `pw` file, which is located at `/data/data/com.whatsapp/files/pw`. You can extract it using adb:

$ adb shell
android$ su
android# cp /data/data/com.whatsapp/files/pw /sdcard
android# exit
android$ exit

Once the file has been copied to the SD card, use ADB again to copy it to your computer.

$ adb pull /sdcard/pw
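#!/bin/bash
# Split the WhatsApp "pw" file into the pieces used by the following steps and
# build the PBKDF2 passphrase file.
#
# Input:   ./pw      (copied from /data/data/com.whatsapp/files/pw)
#          TELNUM    the phone number the account is registered with
# Output:  pw_salt, pw_iv, pw_ekey and pbkdf2_pass.bin in the current directory
# Exit status 1 if ./pw is not readable.

TELNUM='99123456789'   # set this to your own number
if ! [ -r pw ]; then exit 1; fi

# Byte layout of pw as used here: 4-byte salt at offset 29, 16-byte IV at
# offset 33, 20-byte encrypted key at offset 49.
dd if=pw of=pw_salt bs=1 skip=29 count=4
hexdump -e '2/1 "%02x"' pw_salt        # informational: print the salt as hex
dd if=pw of=pw_iv bs=1 skip=33 count=16
dd if=pw of=pw_ekey bs=1 skip=49 count=20

# Passphrase = fixed byte string followed by the ASCII digits of TELNUM.
echo -n 'c2991ec29b1d0cc2b8c3b7556458c298c29203c28b45c2973e78c386c395' | xxd -r -p > pbkdf2_pass.bin
# printf with a quoted variable: an unquoted $TELNUM would be word-split and
# glob-expanded, and a value starting with "-" would be taken as an echo option.
printf '%s' "$TELNUM" | hexdump -e '2/1 "%02x"' | xxd -r -p >> pbkdf2_pass.bin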

Save the C program to a file called “wa_pbkdf2.c” and compile it using GCC.

$ gcc -o wa_pbkdf2 wa_pbkdf2.c -lssl
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
 
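int main(int argc, char *argv[])
{
    /*
     * Derive a 16-byte key with PBKDF2-HMAC-SHA1 and write it to stdout.
     *
     * argv[1]  salt file, read whole (at most sizeof salt bytes)
     * argv[2]  iteration count, a positive integer
     * stdin    passphrase: one line, a trailing '\n' is stripped, and the
     *          passphrase is treated as a C string (it ends at the first NUL)
     * stdout   the raw 16-byte derived key
     *
     * Exit status: 0 success, 1 usage, 2 cannot open the salt file,
     * 3 bad input (iteration count, salt size, missing passphrase),
     * 4 key derivation or output failure.
     */
    char pass[1024];               /* passphrase read from stdin */
    unsigned char salt[1024];      /* salt bytes read from argv[1] */
    size_t salt_len = 0;           /* salt length */
    unsigned char result[16];      /* derived key (16 bytes requested below) */
    size_t pass_len;
    int ic;                        /* iteration count */
    int ch;
    FILE *fp_salt;

    if (argc != 3) {
        fprintf(stderr, "usage: %s salt_file iteration < passwd_file > binary_key_file \n", argv[0]);
        exit(1);
    }

    ic = atoi(argv[2]);
    if (ic <= 0) {
        /* atoi() returns 0 for non-numeric input; PBKDF2 needs at least one round */
        fprintf(stderr, "iteration count must be a positive integer: %s\n", argv[2]);
        exit(3);
    }

    /* "rb": the salt is binary data, avoid any text-mode translation */
    fp_salt = fopen(argv[1], "rb");
    if (!fp_salt) {
        fprintf(stderr, "error opening salt file: %s\n", argv[1]);
        exit(2);
    }

    while ((ch = fgetc(fp_salt)) != EOF) {
        if (salt_len >= sizeof salt) {
            /* the original loop had no bound and overran salt[] on large files */
            fprintf(stderr, "salt file too large (max %lu bytes)\n", (unsigned long)sizeof salt);
            fclose(fp_salt);
            exit(3);
        }
        salt[salt_len++] = (unsigned char)ch;
    }
    fclose(fp_salt);

    if (fgets(pass, (int)sizeof pass, stdin) == NULL) {
        fprintf(stderr, "no passphrase on stdin\n");
        exit(3);
    }
    pass_len = strlen(pass);
    /* strip one trailing newline; the length check avoids pass[-1] on empty input */
    if (pass_len > 0 && pass[pass_len - 1] == '\n')
        pass[--pass_len] = '\0';

    if (PKCS5_PBKDF2_HMAC_SHA1(pass, (int)pass_len, salt, (int)salt_len, ic,
                               (int)sizeof result, result) != 1) {
        fprintf(stderr, "PBKDF2 key derivation failed\n");
        exit(4);
    }

    if (fwrite(result, 1, sizeof result, stdout) != sizeof result) {
        fprintf(stderr, "error writing derived key\n");
        exit(4);
    }

    return 0;
}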

If you get any errors like “undefined reference to `PKCS5_PBKDF2_HMAC_SHA1'“, then try linking with the crypto library instead of the ssl library.

$ gcc -o wa_pbkdf2 wa_pbkdf2.c -lcrypto

GCC will create a binary called “wa_pbkdf2“. Now, proceed to generate the output hash from the PBKDF2 function using the C program.

$ ./wa_pbkdf2 pw_salt 16 < pbkdf2_pass.bin > pbkdf2_key.bin

We are done with step 1 of the decryption process. Step 2 involves AES OFB 128-bit decryption. We need two variables, K and IV. The input message is the encrypted key kept in the “pw_ekey” file. K can be found from the output of the wa_pbkdf2 program. IV is kept in the “pw_iv” file. For K and IV we need the values in hex dump format. Extract the values and initialise the variables $k and $iv.

$ k=$(hexdump -e '2/1 "%02x"' pbkdf2_key.bin)
$ iv=$(hexdump -e '2/1 "%02x"' pw_iv)

Now, we can decrypt using openssl.

$ openssl enc -aes-128-ofb -d -nosalt -in pw_ekey -K $k -iv $iv -out wa_password.key

The output will be saved to the file “wa_password.key“. To view the actual password, encode the output using base64.

$ base64 wa_password.key

The WhatsApp password will be printed out.

## iPhone

Note: Device must be jailbroken and you need to have installed OpenSSH from Cydia.

iOS 7 and below

Note: If you haven't updated iOS or restored the firmware, you can probably find this data by opening Cache.db (SQLite3 format).

Note 2: If you delete pw.dat and Cache.db (using ssh, iFile, ...) and then open the WhatsApp app, it will ask you to register and verify your number. Once you have done this, exit the app and run this utility.

Note 3:

  • Host: Your IP (wifi)
  • username: If not changed, root
  • Password: if not changed, alpine

You can also find a c# utility here: https://github.com/mgp25/WA-password-extractor

# -*- coding: utf-8 -*-
import sqlite3
import paramiko
import os, sys, time

def find_between(s, first, last):
    """Return the part of *s* between the first *first* and the *last* after it.

    Returns "" when either marker cannot be found.
    """
    start = s.find(first)
    if start == -1:
        return ""
    start += len(first)
    end = s.find(last, start)
    if end == -1:
        return ""
    return s[start:end]


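def getPath(username, host, password):
    """Locate WhatsApp.app on the device over SSH and return its path.

    Runs ``find /var/mobile/Applications -iname WhatsApp.app`` through
    paramiko and returns the first line of its output, or "" when the
    command printed nothing.  The SSH session is closed on every exit path.
    """
    dssh = paramiko.SSHClient()
    # NOTE(review): AutoAddPolicy accepts whatever host key the server
    # presents, so the password is sent to any host answering at ``host``.
    # Loading known_hosts and rejecting unknown keys would be safer.
    dssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    dssh.connect(host, username=username, password=password)
    try:
        cmd1 = "find /var/mobile/Applications -iname WhatsApp.app"
        print("> " + cmd1)
        _stdin, stdout, _stderr = dssh.exec_command(cmd1)
        first_line = stdout.read().split("\n")[0]
    finally:
        dssh.close()  # the original leaked the session if exec_command raised
    print(first_line)
    return first_line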
	
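def getDB(WAPath, username, host, password):
    """Download Cache.db and pw.dat from the WhatsApp bundle over SFTP.

    Args:
        WAPath: path of the application directory on the device.
        username, host, password: SSH login; port 22 is assumed.

    Writes ``Cache.db`` and ``pw.dat`` into the current directory.  pw.dat
    is the account credential, so treat the downloaded copy accordingly.
    The SFTP client and transport are closed on every exit path.
    """
    localPath = "Cache.db"
    remotePath = WAPath + "/Library/Caches/net.whatsapp.WhatsApp/Cache.db"
    pwFile = WAPath + "/Library/pw.dat"
    transport = paramiko.Transport((host, 22))
    try:
        # NOTE(review): no host key is passed to connect(), so presumably the
        # server's key is not verified -- confirm against paramiko's docs.
        transport.connect(username=username, password=password)
        sftp = paramiko.SFTPClient.from_transport(transport)
        try:
            sftp.get(remotePath, localPath)
            sftp.get(pwFile, 'pw.dat')
        finally:
            sftp.close()
    finally:
        transport.close()  # the original leaked the transport on failure
    print("\n\n- Cache.db downloaded!")
    print("- pw.dat downloaded!")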
	
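def getData():
    """Print the registration request and cached response found in Cache.db.

    Reads the first row of ``cfurl_cache_response`` (the request URL carrying
    cc/in/id/lg/lc) and the first row of ``cfurl_cache_receiver_data`` (the
    JSON body carrying status, login, pw, type, expiration and kind) and
    prints each field.  A field whose marker is absent prints as "".

    Raises:
        IndexError: if either table has no rows.
    """
    conn = sqlite3.connect('Cache.db')
    try:
        cursor = conn.cursor()

        cursor.execute("SELECT request_key FROM cfurl_cache_response")
        row = cursor.fetchone()
        if row is None:
            raise IndexError("cfurl_cache_response has no rows")
        url = row[0]

        cc = find_between(url, "cc=", "&")
        pn = find_between(url, "in=", "&")
        ident = find_between(url, "id=", "&")  # renamed: ``id`` shadows a builtin
        lg = find_between(url, "lg=", "&")
        # "lc" is the last query parameter, so "." is appended as a terminator.
        lc = find_between(url + ".", "lc=", ".")

        print("cc: " + cc)
        print("pn: " + pn)
        print("id: " + ident)
        print("lg: " + lg)
        print("lc: " + lc)
        print("\nRequest url: " + url)

        cursor.execute("SELECT receiver_data FROM cfurl_cache_receiver_data")
        row = cursor.fetchone()
        if row is None:
            raise IndexError("cfurl_cache_receiver_data has no rows")
        body = str(row[0])
    finally:
        conn.close()  # the original never closed the connection

    status = find_between(body, "status\":\"", "\"")
    login = find_between(body, "login\":\"", "\"")
    pw = find_between(body, "pw\":\"", "\"")
    acct_type = find_between(body, "type\":\"", "\"")  # renamed: ``type`` shadows a builtin
    expiration = find_between(body, "expiration\":", ",")
    kind = find_between(body, "kind\":\"", "\"")

    # "pw" is the account credential and is written to the terminal in clear.
    print("\nstatus: " + status)
    print("login: " + login)
    print("pw: " + pw)
    print("type: " + acct_type)
    print("expiration: " + expiration)
    print("kind: " + kind)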

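print('''
###########################################
#                                         #
#    WA Password and Identity Extractor   #
#              for iPhone                 #
#                                         #
###########################################

Author: @_mgp25 - github.com/mgp25 - mgp25.com

''')
# Usage: python extractPW.py <username> <host> <password>
if len(sys.argv) < 4:
    sys.exit("Usage: python extractPW.py <username> <host> <password>\n")
time.sleep(2)
# The SSH password comes from argv, so it is visible in the shell history and
# in the process list of the machine this runs on.
username = sys.argv[1]
host = sys.argv[2]
password = sys.argv[3]
WAPath = getPath(username, host, password)
if not WAPath:
    # getPath() returns "" when find printed nothing; the original went on
    # and failed later inside the SFTP download.
    sys.exit("WhatsApp.app was not found on the device\n")
# Keep "/var/mobile/Applications/<UUID>": the 25-character prefix plus a
# 36-character UUID, dropping the trailing "/WhatsApp.app".
WAPath = WAPath[0:61]
getDB(WAPath, username, host, password)
print("\n- Extracting data...\n")
getData()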

Output should be like this:

> find /var/mobile/Applications -iname WhatsApp.app
/var/mobile/Applications/3C***59-6**E-4**2-9**9-23B1****B521/WhatsApp.app


- Cache.db downloaded!
- pw.dat downloaded!

- Extracting data...

cc: 34
pn: *********
id: %1F%**%E7%57%**%A8%**%26%**%4F%35%**%B1%69%AF%**
lg: es
lc: ES

Request url: https://v.whatsapp.net/v2/exist?cc=34&in=*********&id=%1F%**%E7%57%**%A8%**%26%**%4F%35%**%B1%69%AF%**&lg=es&lc=ES

status: ok
login: 34*********
pw: ***L9Oxdk***Nh6Hl***jR***Es=
type: existing
expiration: 4444444444.0
kind: free

--

iOS 8

# -*- coding: utf-8 -*-
import sqlite3
import paramiko
import os, sys, time

def find_between(s, first, last):
    """Return the substring of *s* after the first *first* and before the
    next *last*; "" if either marker is missing.
    """
    try:
        begin = s.index(first) + len(first)
    except ValueError:
        return ""
    try:
        stop = s.index(last, begin)
    except ValueError:
        return ""
    return s[begin:stop]

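def getPath(username, host, password):
    """Locate pw.dat on the device over SSH and return its full path.

    Runs ``find /var/mobile/Containers -iname pw.dat`` through paramiko and
    returns the first line of its output, or "" when the command printed
    nothing.  The SSH session is closed on every exit path.
    """
    dssh = paramiko.SSHClient()
    # NOTE(review): AutoAddPolicy accepts whatever host key the server
    # presents, so the password is sent to any host answering at ``host``.
    # Loading known_hosts and rejecting unknown keys would be safer.
    dssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    dssh.connect(host, username=username, password=password)
    try:
        cmd1 = "find /var/mobile/Containers -iname pw.dat"
        print("> " + cmd1)
        _stdin, stdout, _stderr = dssh.exec_command(cmd1)
        first_line = stdout.read().split("\n")[0]
    finally:
        dssh.close()  # the original leaked the session if exec_command raised
    print(first_line)
    return first_line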

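def getDB(username, host, password, container_id=None):
    """Download Cache.db-wal and pw.dat from the app's data container over SFTP.

    Args:
        username, host, password: SSH login; port 22 is assumed.
        container_id: the application container directory name.  Defaults to
            ``WAPath[6]``, the module-level list set by the script body, which
            is what the original (parameterless) version always used.

    Writes ``Cache.db-wal`` and ``pw.dat`` into the current directory.  pw.dat
    is the account credential, so treat the downloaded copy accordingly.
    The SFTP client and transport are closed on every exit path.
    """
    if container_id is None:
        container_id = WAPath[6]
    base = "/var/mobile/Containers/Data/Application/" + container_id
    remotePath = base + "/Library/Caches/net.whatsapp.WhatsApp/Cache.db-wal"
    pwFile = base + "/Library/pw.dat"
    transport = paramiko.Transport((host, 22))
    try:
        # NOTE(review): no host key is passed to connect(), so presumably the
        # server's key is not verified -- confirm against paramiko's docs.
        transport.connect(username=username, password=password)
        sftp = paramiko.SFTPClient.from_transport(transport)
        try:
            sftp.get(remotePath, 'Cache.db-wal')
            sftp.get(pwFile, 'pw.dat')
        finally:
            sftp.close()
    finally:
        transport.close()  # the original leaked the transport on failure
    print("\n\n- Cache.db downloaded!")
    print("- pw.dat downloaded!")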

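def getData():
    """Print the registration request and cached response found in Cache.db-wal.

    Reads the first row of ``cfurl_cache_response`` (the request URL carrying
    cc/in/id/lg/lc) and the first row of ``cfurl_cache_receiver_data`` (the
    JSON body carrying status, login, pw, type, expiration and kind) and
    prints each field.  A field whose marker is absent prints as "".

    Raises:
        IndexError: if either table has no rows.
    """
    # NOTE(review): this opens the write-ahead-log file directly rather than
    # Cache.db -- confirm that sqlite3 can read it as a standalone database.
    conn = sqlite3.connect('Cache.db-wal')
    try:
        cursor = conn.cursor()

        cursor.execute("SELECT request_key FROM cfurl_cache_response")
        row = cursor.fetchone()
        if row is None:
            raise IndexError("cfurl_cache_response has no rows")
        url = row[0]

        cc = find_between(url, "cc=", "&")
        pn = find_between(url, "in=", "&")
        ident = find_between(url, "id=", "&")  # renamed: ``id`` shadows a builtin
        lg = find_between(url, "lg=", "&")
        # "lc" is the last query parameter, so "." is appended as a terminator.
        lc = find_between(url + ".", "lc=", ".")

        print("cc: " + cc)
        print("pn: " + pn)
        print("id: " + ident)
        print("lg: " + lg)
        print("lc: " + lc)
        print("\nRequest url: " + url)

        cursor.execute("SELECT receiver_data FROM cfurl_cache_receiver_data")
        row = cursor.fetchone()
        if row is None:
            raise IndexError("cfurl_cache_receiver_data has no rows")
        body = str(row[0])
    finally:
        conn.close()  # the original never closed the connection

    status = find_between(body, "status\":\"", "\"")
    login = find_between(body, "login\":\"", "\"")
    pw = find_between(body, "pw\":\"", "\"")
    acct_type = find_between(body, "type\":\"", "\"")  # renamed: ``type`` shadows a builtin
    expiration = find_between(body, "expiration\":", ",")
    kind = find_between(body, "kind\":\"", "\"")

    # "pw" is the account credential and is written to the terminal in clear.
    print("\nstatus: " + status)
    print("login: " + login)
    print("pw: " + pw)
    print("type: " + acct_type)
    print("expiration: " + expiration)
    print("kind: " + kind)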

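print('''
###########################################
#                                         #
#    WA Password and Identity Extractor   #
#              for iPhone                 #
#                                         #
###########################################

Author: @_mgp25 - github.com/mgp25 - mgp25.com

''')

# Usage: python extractPW.py <username> <host> <password>
if len(sys.argv) < 4:
    sys.exit("Usage: python extractPW.py <username> <host> <password>\n")
time.sleep(2)
# The SSH password comes from argv, so it is visible in the shell history and
# in the process list of the machine this runs on.
username = sys.argv[1]
host = sys.argv[2]
password = sys.argv[3]
WAPath = getPath(username, host, password)
# getDB() reads the module-level WAPath list, so the name must stay as is.
WAPath = WAPath.split("/")
# Get Whatsapp cache ID: element 6 of
# /var/mobile/Containers/Data/Application/<ID>/Library/pw.dat
if len(WAPath) <= 6:
    # getPath() returned "" or an unexpectedly short path; the original
    # raised IndexError on the next line.
    sys.exit("pw.dat was not found on the device\n")
print(WAPath[6])
getDB(username, host, password)
print("\n- Extracting data...\n")
getData()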