Password and identity extractor utility for iPhone users

[mgp25]

UPDATE: C# utility easier to use

This is a python utility to extract password and identity of WA for iPhone users.

--> Before you use it, you should read this: https://mgp25.com/blog/utilidadiPhone/

Im only going to answer question related to API and usage of the utility. Please, if you have coding question use google :)

Note: If you haven't updated iOS or restored firmware, you probably can find this data opening the Cache.db (SQLite3 format).

Note 2: If you delete pw.dat and Cache.db (using ssh or iFile..). And open the WhatsApp app, it will ask you for register and verificate your number, once you do this, exit the app, and run this utility.

Note 3:

• Host: Your IP (wifi)
• username: If not changed, root
• Password: if not changed, alpine Hope you like it!

# -*- coding: utf-8 -*-
import sqlite3
import paramiko
import os, sys, time

def find_between( s, first, last ):
    try:
        start = s.index( first ) + len( first )
        end = s.index( last, start )
        return s[start:end]
    except ValueError:
        return ""

def getPath(username, host, password):
    dssh = paramiko.SSHClient()
    dssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    dssh.connect(host, username=username, password=password)
    cmd1 = "find /var/mobile/Applications -iname WhatsApp.app"
    print "> "+cmd1
    stdin, stdout, stderr = dssh.exec_command(cmd1)
    res = stdout.read()
    res = res.split("\n")
    print res[0]
    dssh.close()
    return res[0]

def getDB(WAPath, username, host, password):
    localPath = "Cache.db"
    remotePath = WAPath+"/Library/Caches/net.whatsapp.WhatsApp/Cache.db"
    pwFile = WAPath+"/Library/pw.dat"
    transport = paramiko.Transport((host, 22))
    transport.connect(username = username, password = password)
    sftp = paramiko.SFTPClient.from_transport(transport)
    sftp.get(remotePath, localPath)
    sftp.get(pwFile, 'pw.dat')
    sftp.close()
    transport.close()
    print "\n\n- Cache.db downloaded!"
    print "- pw.dat downloaded!"

def getData():
    conn = sqlite3.connect('Cache.db')

    cursor = conn.cursor()

    cursor.execute("SELECT request_key FROM cfurl_cache_response")
    request_key = cursor.fetchall()
    request_key = request_key[0]

    cc = find_between(request_key[0], "cc=", "&")
    pn = find_between(request_key[0], "in=", "&")
    id = find_between(request_key[0], "id=", "&")
    lg = find_between(request_key[0], "lg=", "&")
    lc = find_between(request_key[0]+".", "lc=", ".")

    print "cc: "+cc
    print "pn: "+pn
    print "id: "+id
    print "lg: "+lg
    print "lc: "+lc
    print "\nRequest url: "+request_key[0]

    cursor.execute("SELECT receiver_data FROM cfurl_cache_receiver_data")
    receiver_data = cursor.fetchall()
    receiver_data = receiver_data[0]
    status = find_between(str(receiver_data[0]), "status\":\"", "\"")
    login = find_between(str(receiver_data[0]), "login\":\"", "\"")
    pw = find_between(str(receiver_data[0]), "pw\":\"", "\"")
    type = find_between(str(receiver_data[0]), "type\":\"", "\"")
    expiration = find_between(str(receiver_data[0]), "expiration\":", ",")
    kind = find_between(str(receiver_data[0]), "kind\":\"", "\"")

    print "\nstatus: "+status
    print "login: "+login
    print "pw: "+pw
    print "type: "+type
    print "expiration: "+expiration
    print "kind: "+kind

print '''
###########################################
#                                         #
#    WA Password and Identity Extractor   #
#              for iPhone                 #
#                                         #
###########################################

Author: @_mgp25 - github.com/mgp25 - mgp25.com

''' 
if len(sys.argv) < 4:
    sys.exit("Usage: python extractPW.py <username> <host> <password>\n")
time.sleep(2)
username = sys.argv[1]
host = sys.argv[2]
password = sys.argv[3]
WAPath = getPath(username, host, password)
WAPath = WAPath[0:61]
getDB(WAPath, username, host, password)
print "\n- Extracting data...\n"
getData()

Output should be like this:

> find /var/mobile/Applications -iname WhatsApp.app
/var/mobile/Applications/3C***59-6**E-4**2-9**9-23B1****B521/WhatsApp.app

- Cache.db downloaded!
- pw.dat downloaded!

- Extracting data...

cc: 34
pn: *********
id: %1F%**%E7%57%**%A8%**%26%**%4F%35%**%B1%69%AF%**
lg: es
lc: ES

Request url: https://v.whatsapp.net/v2/exist?cc=34&in=*********&id=%1F%**%E7%57%**%A8%**%26%**%4F%35%**%B1%69%AF%**&lg=es&lc=ES

status: ok
login: 34*********
pw: ***L9Oxdk***Nh6Hl***jR***Es=
type: existing
expiration: 4444444444.0
kind: free

[deonio]

Help with your script. I plugged the iPhone via cable to the pc(ubuntu 14_04 OS). In the iPone file manager iFile I can see the file Cache.db I copied your script into a file and call it extractPW.py and place it in the home directory in my PC. In the terminal, I entered the command: xxx@linux:~$ python extractPW.py

The display I saw the following message: Traceback (most recent call last): File "extractPW.py", line 3, in import paramiko ImportError: No module named paramiko

In the home directory there are three files: paramiko, sqlite3, time. What am I doing wrong?

I have no experience in dealing with the iphone and pyton scripts. Can write detailed instructions, how to use your script? Help me, please.

[mgp25]

It is because you need to install paramiko module in python, you can install it doing this:

sudo pip install paramiko

[deonio]

I installed paramiko.

In the terminal, I entered the command: python extractPW.py root 192.168.0.253 xxx

The display I saw the following message: Traceback (most recent call last): File "extractPW.py", line 98, in WAPath = getPath(username, host, password) File "extractPW.py", line 18, in getPath dssh.connect(host, username=username, password=password) File "/usr/local/lib/python2.7/dist-packages/paramiko/client.py", line 236, in connect retry_on_signal(lambda: sock.connect(addr)) File "/usr/local/lib/python2.7/dist-packages/paramiko/util.py", line 278, in retry_on_signal return function() File "/usr/local/lib/python2.7/dist-packages/paramiko/client.py", line 236, in retry_on_signal(lambda: sock.connect(addr)) File "/usr/lib/python2.7/socket.py", line 224, in meth return getattr(self._sock,name)(*args) socket.error: [Errno 111] Connection refused

Explain to me the parameters: username - root. Is that correct? host - I use the ip address of the iphone in my home network (192.168.0.253). Is that correct? password - xxx. (my root password in Ubuntu). Is that correct? I ran the command with different parameters, username and password, but the same result! Maybe in iPhone change the settings?

[deonio]

I found in iFile Web Server function. I used port 80. I asked a username and password. Start the server. In my web browser at 192.168.0.253 I entered I created a password(xxx) and user(xxx). And I saw the entire file system iPhone.

In the terminal, I entered the command: python extractPW.py xxx 192.168.0.253 xxx

The display I saw the following message: Traceback (most recent call last): File "extractPW.py", line 98, in WAPath = getPath(username, host, password) File "extractPW.py", line 18, in getPath dssh.connect(host, username=username, password=password) File "/usr/local/lib/python2.7/dist-packages/paramiko/client.py", line 236, in connect retry_on_signal(lambda: sock.connect(addr)) File "/usr/local/lib/python2.7/dist-packages/paramiko/util.py", line 278, in retry_on_signal return function() File "/usr/local/lib/python2.7/dist-packages/paramiko/client.py", line 236, in retry_on_signal(lambda: sock.connect(addr)) File "/usr/lib/python2.7/socket.py", line 224, in meth return getattr(self._sock,name)(*args) socket.error: [Errno 111] Connection refused

In the terminal, I entered the command: python extractPW.py xxx 192.168.0.253:80 xxx

Error output has changed The display I saw the following message: Traceback (most recent call last): File "extractPW.py", line 98, in WAPath = getPath(username, host, password) File "extractPW.py", line 18, in getPath dssh.connect(host, username=username, password=password) File "/usr/local/lib/python2.7/dist-packages/paramiko/client.py", line 222, in connect for (family, socktype, proto, canonname, sockaddr) in socket.getaddrinfo(hostname, port, socket.AF_UNSPEC, socket.SOCK_STREAM): socket.gaierror: [Errno -2] Name or service not known

What should I do? Help me, please.

[mgp25]

You need to install OpenSSH in cydia.

Username is root Password is alpine Host is the device ip

[deonio]

I install OpenSSH

In the terminal, I entered the command: python extractPW.py root 192.168.0.253 alpine

The display I saw the following message:

find /var/mobile/Applications -iname WhatsApp.app /var/mobile/Applications/xxxxxxx/WhatsApp.app

• Cache.db downloaded!
• pw.dat downloaded!
• Extracting data...

cc: pn: id: lg: lc:

Request url: https://ma.twimg.com/twitter-mobile/xxxxxxx/assets/m5_defer.css

status: fail login: pw: type: expiration: kind:

What am I doing wrong?

[mgp25]

In the Cache.db is stored more information. If you havent restored/updated your iOS version you can open Cache.db and look for your password and identity (Cache.db should be in the same path you have the extractPW.py as it downloads to your computer). If you have restored/updated your iOS, do this:

Delete Cache.db, Cache.db-shm and Cache.db-wal and delete pw.dat file too (in your device)

Open whatsapp, it will ask you to verificate your number, do it. Once is verificated, close WhatsApp app and close the process too. And now if you run the extractPW.py script, it should appear all data in your screen

[shirioko]

Remind me again why we're having python troubleshoot in a PHP repository?

[deonio]

python troubleshoot - I did not have paramiko module in python

[deonio]

I delete Cache.db, Cache.db-shm and Cache.db-wal and delete pw.dat file too. Open WhatsApp verificate my number. Once is verificated, close WhatsApp app and close the process too.

In the terminal, I entered the command: python extractPW.py root 192.168.0.253 alpine

The display I saw the following message:

find /var/mobile/Applications -iname WhatsApp.app /var/mobile/Applications/xxxxx/WhatsApp.app

• Cache.db downloaded!
• pw.dat downloaded!
• Extracting data...

Traceback (most recent call last): File "extractPW.py", line 102, in getData() File "extractPW.py", line 47, in getData cursor.execute("SELECT request_key FROM cfurl_cache_response") sqlite3.OperationalError: no such table: cfurl_cache_response

[mgp25]

Is just a tool/guide for extracting the pw, ill try to do the same script in php.

[deonio]

Can be deleted WhatsApp? then re-install?

[mgp25]

Try to login few times and keep open the process, it will take a while it writes the data in Cache.db

[deonio]

I did it. The same result.

I uninstalled and reinstalled WhatsApp. The same result.

Again I delete Cache.db, Cache.db-shm and Cache.db-wal and delete pw.dat file too The same result.

I'm getting one the same mistakes

find /var/mobile/Applications -iname WhatsApp.app /var/mobile/Applications/xxxx/WhatsApp.app

• Cache.db downloaded!
• pw.dat downloaded!
• Extracting data...

Traceback (most recent call last): File "extractPW.py", line 102, in getData() File "extractPW.py", line 47, in getData cursor.execute("SELECT request_key FROM cfurl_cache_response") sqlite3.OperationalError: no such table: cfurl_cache_response

:-(

[mgp25]

The error its because the app didnt write there any info yet. Use the app normally and you can check this files using iFile:

• Cache.db-wal: open it using iFile as text, check if the data is there
• Cache.db: you can open it in iFile with SQLite3 and check if there is.

It will take a time to the app to write cache data in there, so keep trying ;)

Im also trying to decrypt pw.dat so its easiest to get the password, meanwhile this is workaround i figure it out. Also, in a few days, im releasing a patched apk (whatsapp) so once you verificate your number, it will show the password in screen/log

[ktry]

Try downloading all the Cache.db* files or at least the Cache.db and Cache.db-wal

[mgp25]

[Updated code]: It will show identity and password directly :)

If password or identity doesn't show, just delete pw.dat, verify your number and once you have your number working again in your device. Run the script in your computer.

• Note: I added path module if you want to install it

sudo pip install forked-path

# -*- coding: utf-8 -*-
from path import path
import paramiko
import os, sys, time

def find_between( s, first, last ):
    try:
        start = s.index( first ) + len( first )
        end = s.index( last, start )
        return s[start:end]
    except ValueError:
        return ""

def getPath(username, host, password):
    dssh = paramiko.SSHClient()
    dssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    dssh.connect(host, username=username, password=password)
    cmd1 = "find /var/mobile/Applications -iname WhatsApp.app"
    print "> "+cmd1
    stdin, stdout, stderr = dssh.exec_command(cmd1)
    res = stdout.read()
    res = res.split("\n")
    print res[0]
    dssh.close()
    return res[0]

def getDB(WAPath, username, host, password):
    localPath = "Cache.db-wal"
    remotePath = WAPath+"/Library/Caches/net.whatsapp.WhatsApp/Cache.db-wal"
    pwFile = WAPath+"/Library/pw.dat"
    transport = paramiko.Transport((host, 22))
    transport.connect(username = username, password = password)
    sftp = paramiko.SFTPClient.from_transport(transport)
    sftp.get(remotePath, localPath)
    sftp.get(pwFile, 'pw.dat')
    sftp.close()
    transport.close()
    print "\n\n- Cache.db-wal downloaded!"
    print "- pw.dat downloaded!"

def getData():
    s = path("Cache.db-wal").bytes()
    pw = find_between( s, "pw\":\"", "\",\"" )
    id = find_between( s, "id=", "&lg" )
    print "pw: "+pw
    print "id: "+id

print '''
###########################################
#                                         #
#    WA Password and Identity Extractor   #
#              for iPhone                 #
#                                         #
###########################################

Author: @_mgp25 - github.com/mgp25 - mgp25.com

''' 
if len(sys.argv) < 4:
    sys.exit("Usage: python extractPW.py <username> <host> <password>\n")
time.sleep(2)
username = sys.argv[1]
host = sys.argv[2]
password = sys.argv[3]
WAPath = getPath(username, host, password)
WAPath = WAPath[0:61]
getDB(WAPath, username, host, password)
print "\n- Extracting data...\n"
getData()

[mgp25]

Now you can use this c# project utility to extract password and identity faster: WA Password and Identity extractor

[AbdullahDiaa]

iOS 8 has changed caching system here's the updated code for iOS 8

# -*- coding: utf-8 -*-
import sqlite3
import paramiko
import os, sys, time

def find_between( s, first, last ):
    try:
        start = s.index( first ) + len( first )
        end = s.index( last, start )
        return s[start:end]
    except ValueError:
        return ""

def getPath(username, host, password):
    dssh = paramiko.SSHClient()
    dssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    dssh.connect(host, username=username, password=password)
    cmd1 = "find /var/mobile/Containers -iname pw.dat"
    print "> "+cmd1
    stdin, stdout, stderr = dssh.exec_command(cmd1)
    res = stdout.read()
    res = res.split("\n")
    print res[0]
    dssh.close()
    return res[0]

def getDB(username, host, password):
    remotePath = "/var/mobile/Containers/Data/Application/" + WAPath[6] + "/Library/Caches/net.whatsapp.WhatsApp/Cache.db"
    pwFile = "/var/mobile/Containers/Data/Application/" + WAPath[6] + "/Library/pw.dat"
    transport = paramiko.Transport((host, 22))
    transport.connect(username = username, password = password)
    sftp = paramiko.SFTPClient.from_transport(transport)
    sftp.get(remotePath, 'Cache.db')
    sftp.get(pwFile, 'pw.dat')
    sftp.close()
    transport.close()
    print "\n\n- Cache.db downloaded!"
    print "- pw.dat downloaded!"

def getData():
    conn = sqlite3.connect('Cache.db')

    cursor = conn.cursor()

    cursor.execute("SELECT request_key FROM cfurl_cache_response")
    request_key = cursor.fetchall()
    request_key = request_key[0]

    cc = find_between(request_key[0], "cc=", "&")
    pn = find_between(request_key[0], "in=", "&")
    id = find_between(request_key[0], "id=", "&")
    lg = find_between(request_key[0], "lg=", "&")
    lc = find_between(request_key[0]+".", "lc=", ".")

    print "cc: "+cc
    print "pn: "+pn
    print "id: "+id
    print "lg: "+lg
    print "lc: "+lc
    print "\nRequest url: "+request_key[0]

    cursor.execute("SELECT receiver_data FROM cfurl_cache_receiver_data")
    receiver_data = cursor.fetchall()
    receiver_data = receiver_data[0]
    status = find_between(str(receiver_data[0]), "status\":\"", "\"")
    login = find_between(str(receiver_data[0]), "login\":\"", "\"")
    pw = find_between(str(receiver_data[0]), "pw\":\"", "\"")
    type = find_between(str(receiver_data[0]), "type\":\"", "\"")
    expiration = find_between(str(receiver_data[0]), "expiration\":", ",")
    kind = find_between(str(receiver_data[0]), "kind\":\"", "\"")

    print "\nstatus: "+status
    print "login: "+login
    print "pw: "+pw
    print "type: "+type
    print "expiration: "+expiration
    print "kind: "+kind

print '''
###########################################
#                                         #
#    WA Password and Identity Extractor   #
#              for iPhone                 #
#                                         #
###########################################

Author: @_mgp25 - github.com/mgp25 - mgp25.com

''' 

if len(sys.argv) < 4:
    sys.exit("Usage: python extractPW.py <username> <host> <password>\n")
time.sleep(2)
username = sys.argv[1]
host = sys.argv[2]
password = sys.argv[3]
WAPath = getPath(username, host, password)
WAPath = WAPath.split("/")
# Get Whatsapp cache ID 
print WAPath[6]
getDB(username, host, password)
print "\n- Extracting data...\n"
getData()

[twixr]

Hey

With the python script my return is:

- Cache.db-wal downloaded!
- pw.dat downloaded!

- Extracting data...

Traceback (most recent call last):
  File "whatsapp.py", line 103, in <module>
    getData()
  File "whatsapp.py", line 45, in getData
    cursor.execute("SELECT request_key FROM cfurl_cache_response")
sqlite3.DatabaseError: file is encrypted or is not a database

I'm not really into python, so I don't know how to fix. Anyone does know? :)

[refaei]

there is no pw.dat in iPhone files WhatsApp app folder where can I find it