Open mgp25 opened 9 years ago
Help with your script. I plugged the iPhone via cable into the PC (Ubuntu 14_04 OS). In the iPhone file manager iFile I can see the file Cache.db. I copied your script into a file, called it extractPW.py and placed it in the home directory on my PC. In the terminal, I entered the command: xxx@linux:~$ python extractPW.py
On the display I saw the following message:
Traceback (most recent call last):
File "extractPW.py", line 3, in
In the home directory there are three files: paramiko, sqlite3, time. What am I doing wrong?
I have no experience in dealing with the iPhone and Python scripts. Can you write detailed instructions on how to use your script? Help me, please.
It is because you need to install the paramiko module in Python. You can install it by doing this:
sudo pip install paramiko
I installed paramiko.
In the terminal, I entered the command: python extractPW.py root 192.168.0.253 xxx
On the display I saw the following message:
Traceback (most recent call last):
File "extractPW.py", line 98, in
Explain to me the parameters: username - root. Is that correct? host - I use the IP address of the iPhone in my home network (192.168.0.253). Is that correct? password - xxx (my root password in Ubuntu). Is that correct? I ran the command with different parameters, username and password, but got the same result! Maybe change the settings in the iPhone?
I found the Web Server function in iFile. I used port 80. I required a username and password. Started the server. In my web browser, at 192.168.0.253, I entered the password (xxx) and user (xxx) I created. And I saw the entire iPhone file system.
In the terminal, I entered the command: python extractPW.py xxx 192.168.0.253 xxx
On the display I saw the following message:
Traceback (most recent call last):
File "extractPW.py", line 98, in
In the terminal, I entered the command: python extractPW.py xxx 192.168.0.253:80 xxx
The error output has changed.
On the display I saw the following message:
Traceback (most recent call last):
File "extractPW.py", line 98, in
What should I do? Help me, please.
You need to install OpenSSH in Cydia.
Username is root. Password is alpine. Host is the device IP.
I installed OpenSSH.
In the terminal, I entered the command: python extractPW.py root 192.168.0.253 alpine
On the display I saw the following message:
find /var/mobile/Applications -iname WhatsApp.app /var/mobile/Applications/xxxxxxx/WhatsApp.app
- Cache.db downloaded!
- pw.dat downloaded!
- Extracting data...
cc: pn: id: lg: lc:
Request url: https://ma.twimg.com/twitter-mobile/xxxxxxx/assets/m5_defer.css
status: fail login: pw: type: expiration: kind:
What am I doing wrong?
More information is stored in Cache.db. If you haven't restored/updated your iOS version, you can open Cache.db and look for your password and identity (Cache.db should be in the same path where you have extractPW.py, as it downloads to your computer). If you have restored/updated your iOS, do this:
Delete Cache.db, Cache.db-shm and Cache.db-wal, and delete the pw.dat file too (on your device).
Open WhatsApp; it will ask you to verify your number, so do it. Once it is verified, close the WhatsApp app and close the process too. Now, if you run the extractPW.py script, all the data should appear on your screen.
Remind me again why we're having python troubleshoot in a PHP repository?
python troubleshoot - I did not have paramiko module in python
I deleted Cache.db, Cache.db-shm and Cache.db-wal and deleted the pw.dat file too. Opened WhatsApp and verified my number. Once it was verified, I closed the WhatsApp app and closed the process too.
In the terminal, I entered the command: python extractPW.py root 192.168.0.253 alpine
On the display I saw the following message:
find /var/mobile/Applications -iname WhatsApp.app /var/mobile/Applications/xxxxx/WhatsApp.app
- Cache.db downloaded!
- pw.dat downloaded!
- Extracting data...
Traceback (most recent call last):
File "extractPW.py", line 102, in
It is just a tool/guide for extracting the pw; I'll try to do the same script in PHP.
Can WhatsApp be deleted and then re-installed?
Try to log in a few times and keep the process open; it will take a while until it writes the data in Cache.db.
I did it. The same result.
I uninstalled and reinstalled WhatsApp. The same result.
Again I deleted Cache.db, Cache.db-shm and Cache.db-wal and deleted the pw.dat file too. The same result.
I'm getting the same mistake:
find /var/mobile/Applications -iname WhatsApp.app /var/mobile/Applications/xxxx/WhatsApp.app
- Cache.db downloaded!
- pw.dat downloaded!
- Extracting data...
Traceback (most recent call last):
File "extractPW.py", line 102, in
:-(
The error is because the app didn't write any info there yet. Use the app normally, and you can check these files using iFile:
It will take time for the app to write cache data in there, so keep trying ;)
I'm also trying to decrypt pw.dat so it's easier to get the password; meanwhile, this is the workaround I figured out. Also, in a few days, I'm releasing a patched apk (WhatsApp), so once you verify your number, it will show the password on screen/in the log.
Try downloading all the Cache.db* files, or at least Cache.db and Cache.db-wal.
[Updated code]: It will show identity and password directly :)
If the password or identity doesn't show, just delete pw.dat, verify your number and, once you have your number working again on your device, run the script on your computer.
sudo pip install forked-path
```python
# -*- coding: utf-8 -*-
# Python 2 script; requires the paramiko and forked-path modules
from path import path
import paramiko
import os, sys, time

def find_between( s, first, last ):
    # Return the text between `first` and the next `last`, or "" if either is missing
    try:
        start = s.index( first ) + len( first )
        end = s.index( last, start )
        return s[start:end]
    except ValueError:
        return ""

def getPath(username, host, password):
    # Locate the WhatsApp.app directory on the device over SSH
    dssh = paramiko.SSHClient()
    # AutoAddPolicy accepts an unknown host key without verifying it
    dssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    dssh.connect(host, username=username, password=password)
    cmd1 = "find /var/mobile/Applications -iname WhatsApp.app"
    print "> "+cmd1
    stdin, stdout, stderr = dssh.exec_command(cmd1)
    res = stdout.read()
    res = res.split("\n")
    print res[0]
    dssh.close()
    return res[0]

def getDB(WAPath, username, host, password):
    # Download Cache.db-wal and pw.dat over SFTP into the current directory
    localPath = "Cache.db-wal"
    remotePath = WAPath+"/Library/Caches/net.whatsapp.WhatsApp/Cache.db-wal"
    pwFile = WAPath+"/Library/pw.dat"
    transport = paramiko.Transport((host, 22))
    transport.connect(username = username, password = password)
    sftp = paramiko.SFTPClient.from_transport(transport)
    sftp.get(remotePath, localPath)
    sftp.get(pwFile, 'pw.dat')
    sftp.close()
    transport.close()
    print "\n\n- Cache.db-wal downloaded!"
    print "- pw.dat downloaded!"

def getData():
    # Search the raw bytes of the write-ahead log; an empty result means nothing was cached
    s = path("Cache.db-wal").bytes()
    pw = find_between( s, "pw\":\"", "\",\"" )
    id = find_between( s, "id=", "&lg" )
    print "pw: "+pw
    print "id: "+id

print '''
###########################################
#                                         #
#    WA Password and Identity Extractor   #
#               for iPhone                #
#                                         #
###########################################
Author: @_mgp25 - github.com/mgp25 - mgp25.com
'''

if len(sys.argv) < 4:
    sys.exit("Usage: python extractPW.py <username> <host> <password>\n")
time.sleep(2)
username = sys.argv[1]
host = sys.argv[2]
password = sys.argv[3]
WAPath = getPath(username, host, password)
# Keep only the first 61 characters: the application container directory
WAPath = WAPath[0:61]
getDB(WAPath, username, host, password)
print "\n- Extracting data...\n"
getData()
```
Now you can use this C# project utility to extract password and identity faster: WA Password and Identity extractor
iOS 8 has changed the caching system; here's the updated code for iOS 8:
```python
# -*- coding: utf-8 -*-
# Python 2 script; requires the paramiko module
import sqlite3
import paramiko
import os, sys, time

def find_between( s, first, last ):
    # Return the text between `first` and the next `last`, or "" if either is missing
    try:
        start = s.index( first ) + len( first )
        end = s.index( last, start )
        return s[start:end]
    except ValueError:
        return ""

def getPath(username, host, password):
    # Locate pw.dat on the device over SSH; its path contains the container ID
    dssh = paramiko.SSHClient()
    # AutoAddPolicy accepts an unknown host key without verifying it
    dssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    dssh.connect(host, username=username, password=password)
    cmd1 = "find /var/mobile/Containers -iname pw.dat"
    print "> "+cmd1
    stdin, stdout, stderr = dssh.exec_command(cmd1)
    res = stdout.read()
    res = res.split("\n")
    print res[0]
    dssh.close()
    return res[0]

def getDB(username, host, password):
    # Uses the global WAPath list set below; WAPath[6] is the container ID
    remotePath = "/var/mobile/Containers/Data/Application/" + WAPath[6] + "/Library/Caches/net.whatsapp.WhatsApp/Cache.db"
    pwFile = "/var/mobile/Containers/Data/Application/" + WAPath[6] + "/Library/pw.dat"
    transport = paramiko.Transport((host, 22))
    transport.connect(username = username, password = password)
    sftp = paramiko.SFTPClient.from_transport(transport)
    sftp.get(remotePath, 'Cache.db')
    sftp.get(pwFile, 'pw.dat')
    sftp.close()
    transport.close()
    print "\n\n- Cache.db downloaded!"
    print "- pw.dat downloaded!"

def getData():
    conn = sqlite3.connect('Cache.db')
    cursor = conn.cursor()
    cursor.execute("SELECT request_key FROM cfurl_cache_response")
    request_key = cursor.fetchall()
    # Raises IndexError if the app has not written a cached response yet
    request_key = request_key[0]
    cc = find_between(request_key[0], "cc=", "&")
    pn = find_between(request_key[0], "in=", "&")
    id = find_between(request_key[0], "id=", "&")
    lg = find_between(request_key[0], "lg=", "&")
    lc = find_between(request_key[0]+".", "lc=", ".")
    print "cc: "+cc
    print "pn: "+pn
    print "id: "+id
    print "lg: "+lg
    print "lc: "+lc
    print "\nRequest url: "+request_key[0]
    cursor.execute("SELECT receiver_data FROM cfurl_cache_receiver_data")
    receiver_data = cursor.fetchall()
    receiver_data = receiver_data[0]
    status = find_between(str(receiver_data[0]), "status\":\"", "\"")
    login = find_between(str(receiver_data[0]), "login\":\"", "\"")
    pw = find_between(str(receiver_data[0]), "pw\":\"", "\"")
    type = find_between(str(receiver_data[0]), "type\":\"", "\"")
    expiration = find_between(str(receiver_data[0]), "expiration\":", ",")
    kind = find_between(str(receiver_data[0]), "kind\":\"", "\"")
    print "\nstatus: "+status
    print "login: "+login
    print "pw: "+pw
    print "type: "+type
    print "expiration: "+expiration
    print "kind: "+kind

print '''
###########################################
#                                         #
#    WA Password and Identity Extractor   #
#               for iPhone                #
#                                         #
###########################################
Author: @_mgp25 - github.com/mgp25 - mgp25.com
'''

if len(sys.argv) < 4:
    sys.exit("Usage: python extractPW.py <username> <host> <password>\n")
time.sleep(2)
username = sys.argv[1]
host = sys.argv[2]
password = sys.argv[3]
WAPath = getPath(username, host, password)
WAPath = WAPath.split("/")
# Get Whatsapp cache ID
print WAPath[6]
getDB(username, host, password)
print "\n- Extracting data...\n"
getData()
```
Hey
With the python script my return is:
- Cache.db-wal downloaded!
- pw.dat downloaded!
- Extracting data...
Traceback (most recent call last):
File "whatsapp.py", line 103, in <module>
getData()
File "whatsapp.py", line 45, in getData
cursor.execute("SELECT request_key FROM cfurl_cache_response")
sqlite3.DatabaseError: file is encrypted or is not a database
I'm not really into Python, so I don't know how to fix it. Does anyone know? :)
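The tracebacks in this thread come from reading a cache that is still empty or a file that is not an SQLite database. As an added example (Python 3, not the author's script), the audit below checks a local copy of a CFURL `Cache.db` for credential-like fields in cached responses and reports only field names and value lengths; the sample files, the minimal table schema and the extra field names `password` and `token` are constructed assumptions.

```python
import os
import re
import sqlite3
import tempfile

# "pw" is the field this thread reads; "password" and "token" are assumed extras.
SENSITIVE = re.compile(rb'"(pw|password|token)"\s*:\s*"([^"]*)"')
QUERY = "SELECT entry_ID, receiver_data FROM cfurl_cache_receiver_data"

def audit_cache(db_path):
    """Return (status, findings); findings are (entry_id, field, value_length)."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(QUERY).fetchall()
    except sqlite3.DatabaseError:
        return "unreadable", []  # not SQLite (e.g. a -wal file) or table missing
    finally:
        conn.close()
    if not rows:
        return "empty", []  # the app has not cached any response yet
    findings = []
    for entry_id, blob in rows:
        data = blob if isinstance(blob, bytes) else str(blob).encode()
        for m in SENSITIVE.finditer(data):
            # Record the field name and length only, never the value itself.
            findings.append((entry_id, m.group(1).decode(), len(m.group(2))))
    return ("leak" if findings else "clean"), findings

def build_sample(path, bodies):
    """Create a constructed cache file with a minimal, assumed schema."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE cfurl_cache_receiver_data "
                 "(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)")
    conn.executemany("INSERT INTO cfurl_cache_receiver_data (receiver_data) "
                     "VALUES (?)", [(b,) for b in bodies])
    conn.commit()
    conn.close()

def demo():
    # Three constructed inputs: a leaking cache, an empty cache, a non-database.
    tmp = tempfile.mkdtemp()
    leaky, empty, junk = (os.path.join(tmp, n) for n in ("a.db", "b.db", "c.db"))
    build_sample(leaky, [b'{"status":"ok","pw":"CONSTRUCTED-NOT-A-SECRET"}'])
    build_sample(empty, [])
    with open(junk, "wb") as fh:
        fh.write(b"constructed non-database bytes " * 200)
    return {name: audit_cache(p) for name, p in
            (("leaky", leaky), ("empty", empty), ("junk", junk))}

if __name__ == "__main__":
    print(demo())
```

A `leak` status means an authentication response was persisted on disk by the URL cache; the app-side fix is to keep such responses out of the cache, for example by serving them with `Cache-Control: no-store`.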
There is no pw.dat in the iPhone files WhatsApp app folder. Where can I find it?
UPDATE: C# utility easier to use
This is a python utility to extract password and identity of WA for iPhone users.
--> Before you use it, you should read this: https://mgp25.com/blog/utilidadiPhone/
I'm only going to answer questions related to the API and usage of the utility. Please, if you have coding questions, use Google :)
Note: If you haven't updated iOS or restored firmware, you probably can find this data opening the Cache.db (SQLite3 format).
Note 2: If you delete pw.dat and Cache.db (using ssh or iFile) and open the WhatsApp app, it will ask you to register and verify your number. Once you do this, exit the app and run this utility.
Note 3:
Output should be like this: