whatsapp_discover.pl

1. #!/usr/bin/perl
2.  
3. # WHATSAPP DISCOVER 1.0
4. # Author: Deepak Daswani (@dipudaswani)
5. # Website: http://deepakdaswani.es
6. # Date: March, 2014
7.  
8. use Getopt::Long;
9. use Net::Pcap;
10. use NetPacket::Ethernet qw(:strip);
11. use NetPacket::IP;
12. use NetPacket::TCP;
13. use strict;
14.  
15. my ($pcap,$err,$dev,$help,$interface,@files);
16. my $count = 0;
17. my $file_count = 0;
18. my $hoffset = -1;
19.  
20. # Usage definition
21.  
22. sub usage {
23.  
24. print "Unknown option: @_\n\n" if ( @_ );
25. print "\nWhatsapp Discover v1.0  --- Deepak Daswani (\@dipudaswani) 2014\n";
26. print "                            http://deepakdaswani.es \n";
27. print "Usage: whatsapp_discover -i interface | -f pcapfile[s]\n";
28. print "---------------------------------------------------------------\n\n\n";
29. exit;
30. }
31.  
32. # Parse command line arguments
33.  
34. usage() if (@ARGV < 1 or ! GetOptions('help|?' => \$help, 'i=s' => \$interface, 'f=s{,}' => \@files) or defined $help);
35.  
36.  
37.  
38. if (!defined $interface && ! @files) {
39.     print "Please select an option\n";
40.     usage();
41. }
42.  
43.  
44. if (defined $interface && @files) {
45.     print "Please select either an interface or a [single|list of] pcap file[s]\n";
46.     usage();
47. }
48.  
49. # Print header
50. print "\nWhatsapp Discover v1.0  --- Deepak Daswani (\@dipudaswani) 2014\n";
51. print "                            http://deepakdaswani.es \n\n";
52.  
53. # Sniff or parse pcap file[s]
54.  
55. if (defined $interface) { sniff(); }
56. if (@files) {
57.     foreach (@files) {
58.         print "Parsing $_ ...\n";
59.         parse_file($_);
60.         $file_count++;
61.     }
62. }
63.  
64. # Create pcap object from an interface (disabled in this PoC version)
65. sub sniff {
66.     print "\nReal time snifing was disabled in this initial version. \nSorry for the trouble\n\n";
67.     exit;
68. }
69.  
70. # Parse pcap files in batch. Creates pcap object from a saved file
71. sub parse_file () {
72.  
73.     my $file = $_;
74.     $pcap = Net::Pcap::open_offline ("$file", \$err) or next;
75.  
76.     my $datalink;
77.     $datalink = Net::Pcap::datalink($pcap);
78.     # Fake a case block
79.     CASE: {
80.         # EN10MB capture files
81.         ($datalink == 1) && do {
82.         $hoffset = 14;
83.         last CASE;
84.         };
85.            
86.         # Linux cooked socket capture files
87.         ($datalink == 113) && do {
88.         $hoffset = 16;
89.         last CASE;
90.         };
91.            
92.         # DLT_IEEE802_11 capture files
93.         ($datalink == 105) && do {
94.         $hoffset = 32;
95.         last CASE;
96.         }
97.     }
98.  
99.  
100.     my $filter = "tcp && (port 5222 or port 443 or port 5223)";  # Filters Whatsapp's traffic
101.     my $filter_t;
102.     Net::Pcap::compile( $pcap, \$filter_t, $filter, 1, 0 );
103.     Net::Pcap::setfilter( $pcap, $filter_t );
104.     Net::Pcap::loop( $pcap, 0, \&process_pkt, '' ); # Loop to process pcap file
105.     Net::Pcap::close($pcap); # Close pcap object
106.  
107. }
108.  
109. # Function for printing a packet. Only for debug purposes
110. sub print_pkt {
111.     my ($packet) = @_;  
112. my $i;
113.     $i=0;
114.     while ($i < length($packet)) {
115.         print (substr($packet, $i, 4) . " ");
116.         $i = $i + 4;
117.         # mod 32 since we are dealing with ascii values, not hex values
118.         # (two characters instead of one byte)
119.         if (($i % 32) == 0) { print "\n"; };
120.     }
121.     print "\n\n";
122. }
123.  
124.  
125.  
126. # Callback function that is applied to every packet processed in the loop
127. sub process_pkt {
128.  
129.     my ($data, $header, $packet) = @_;
130.     my $unpacket = unpack('H*', substr($packet, 0,1));
131.     if (($hoffset == 32) && ($unpacket == 88)) {
132.         $hoffset = 34;   # Add 2 bytes to the header is it is an IEEE 802.11 QOS frame
133.     }  
134.  
135.     my $paquete = substr($packet, $hoffset); # Hack to parse not only Ethernet but also IEEE 802.11 frames
136.     my $ip_obj  = NetPacket::IP->decode( $paquete );
137.     my $tcp_obj = NetPacket::TCP->decode( $ip_obj->{data} );
138.    
139.     if ($tcp_obj->{data} =~ /^WA.*?([a-zA-Z\-\.0-9]+).*?([0-9]{6,})/) {  # RegEx used to parse packet
140.         my $version = $1;
141.         my $telefono = $2;
142.         print "Got 1 number! S.O: $version Mobile number: +$telefono\n";
143.         $count++;
144.     }
145.  
146. }
147. print "\n$file_count files parsed. $count phone numbers using Whatsapp found...\n\n";
148. # End of file