Saturday, 21 February 2015

CRACKING WPA/WPA2 – PSK ENCRYPTION

  • A little Disclaimer – The contents of this post are solely for ethical and educational purposes. You may not use it for unethical purposes. The Author or the Website is not responsible for any damage to yourself, your network, or the computers in your network, should something go wrong. (Basically guys, be careful where you use this and please don’t do anything stupid.)
We’re going to start with a little introduction to Kali Linux, because that is the OS I prefer: it is the easiest for this task and comes with all the tools we need. “Kali” is a Linux distribution and the successor to the much acclaimed BackTrack, which many of you reading this article will probably know of. There are many ways of installing and using Kali; if anyone needs help, leave a comment, and I will probably write another post about installing it and its basics in the future.
In this tutorial, I’m going to hack into a Wi-Fi hotspot that I just set up, named “Anonymus”.
Now, given that we have Kali Linux, open up a terminal window and type in “ifconfig”. This lists all the networking interfaces on your device.
Here, we only need wlan0, which is our Wi-Fi card, so we can disable the others with “ifconfig <name of the interface> down”.
(“lo”, the loopback interface, doesn’t matter.)
Now, we type “airmon-ng start wlan0”
(airmon-ng is the aircrack-ng script that puts a wireless card into monitor mode; “start” enables monitor mode, and “wlan0” specifies the interface we are using for monitoring.)
It’ll probably list “some processes that could cause trouble”; we simply kill those by entering “kill <process ID>”.
Now if we run “ifconfig” again, it should show the newly created monitor interface “mon0”.
Then, put in “airodump-ng mon0”.
In the screenshot below, the highlighted BSSID is our target (and it is my own), named “Anonymus”; the channel is 13, as we can see under the “CH” column.
For our next step we type in “airodump-ng -c <channel> -w <name> --bssid <bssid> mon0”.
Let me explain a few things here. “airodump-ng” is a tool for capturing Wi-Fi packets; “-c <channel>” is the channel your target is running on; “-w <name>” writes the captured packets to files whose names start with <name> (I used “handshake” for convenience); and the BSSID is the MAC address that uniquely identifies the access point.
Now, open up a new terminal and type in “aireplay-ng -0 0 -a <bssid> mon0”. This command sends deauthentication frames (usually called deauth packets) to all the devices connected to that hotspot. After a few seconds we stop it with Ctrl+C. Now, as we can see, the other terminal shows that the WPA handshake was successfully captured.
We can close both windows at this point and open a new one. Type “ls”; that lists the files in the current directory. We can clearly see that the files from the operation above are present, but we only need the one ending in “-01.cap”.
Then we run “aircrack-ng -w <full path of the wordlist> <the capture file name>”.
You may be asking: what wordlist? What is that sh*t?
A wordlist is a file containing thousands of known and possible passwords, which you can download from the internet (“specifying from the internet” – we ain’t dumb, boy! :P). The one I used can be found here. The list contains exactly 982,963,904 words, all optimized for WPA/WPA2. I would also just like to point out that this is not my work; I got it from forums.hak5.org, where a guy compiled a whole load of useful lists, including his own, into two lists (one is 11 GB and one is 2 GB). I will be seeding this torrent indefinitely since it is shareware and awesome!
It will then start testing the keys in the wordlist. The time this takes depends solely on the strength of the password: the stronger the password, the more time it will take. For very strong passwords, check this out. For tips on creating your own strong password, see Top 10 Tips to Create a Strong Password.
After completion it looks something like the screenshot below. In it, you can see that it tested 45688 keys and my key was the 45689th. I purposely chose “futurama” because, frankly, Futurama is awesome! It is also a very weak password. (People reading this: if your password is “futurama”, you’re cool! The hell? Change it right now!)
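The post’s point about wordlists and password strength comes down to two things a network owner can check before anyone else does: whether the passphrase sits in a public wordlist, and how much work every guess costs. The Python script below is an added example for this page, not part of the original post or of the aircrack-ng project. It implements the WPA/WPA2 pre-shared-key derivation exactly as IEEE 802.11i defines it (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), audits a proposed passphrase, and estimates how long exhausting a wordlist of a given size takes at an HMAC rate you measure on your own hardware. The small wordlist and the three-character-class rule are this example's own constructed stand-ins, not from the post; the known-answer pair (passphrase “password”, SSID “IEEE”) is the standard's published test vector.

```python
import hashlib
import string

# Constructed stand-in for the multi-gigabyte wordlists the post describes;
# real lists run to hundreds of millions of entries.
SAMPLE_WORDLIST = frozenset({
    "password", "12345678", "futurama", "letmein1", "qwertyui", "iloveyou",
})

# IEEE 802.11i PSK derivation parameters.
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from a passphrase and SSID.

    This is the mapping the standard defines; a dictionary attack must repeat
    it once per guess, which is why each guess costs thousands of HMAC calls.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)


def audit_passphrase(passphrase: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Return findings for a proposed passphrase; an empty list means no objection.

    Length bounds come from the standard; the wordlist check reflects the post's
    point that a dictionary word is found quickly; the character-class rule is
    this example's own heuristic (assumption, not from the post).
    """
    findings = []
    if len(passphrase) < 8:
        findings.append("shorter than the 8-character WPA minimum")
    if len(passphrase) > 63:
        findings.append("longer than the 63-character WPA maximum")
    if passphrase.lower() in wordlist:
        findings.append("in wordlist")
    groups = (string.ascii_lowercase, string.ascii_uppercase,
              string.digits, string.punctuation + " ")
    classes = sum(any(c in group for c in passphrase) for group in groups)
    if classes < 3:
        findings.append("fewer than three character classes")
    return findings


def seconds_to_exhaust(list_size: int, hmacs_per_second: float) -> float:
    """Seconds needed to try every entry of a wordlist of the given size.

    PBKDF2 needs two 20-byte SHA-1 blocks to fill 32 bytes, each run for 4096
    iterations, so one guess costs 2 * 4096 HMAC-SHA1 calls.
    hmacs_per_second is whatever the defender measures on their own hardware.
    """
    return list_size * 2 * PBKDF2_ITERATIONS / hmacs_per_second


if __name__ == "__main__":
    for candidate in ("futurama", "correct horse battery staple 2015!"):
        print(candidate, "->", audit_passphrase(candidate) or "no findings")
    # Known-answer check from the standard's annex.
    print(wpa_psk("password", "IEEE").hex())
```

seconds_to_exhaust gives the budget for the full list the post mentions (982,963,904 entries) once you plug in a measured rate; the practical lesson is that the defender's lever is keeping the passphrase out of every list, not hoping the list is slow to walk.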
Now that we know the password, let’s test it…
Annnnd… voilà! It works!
Knowing this you will be…
But beware, don’t use it on a Lannister… (Because a Lannister always pays his debts :P)
For those of you who didn’t understand that reference, #GameOfThrones!

Credits: latesthackingnews

Friday, 20 February 2015

Superfish adware preinstalled on Lenovo PCs




    How to remove the dangerous Superfish adware preinstalled on Lenovo PCs

    Lenovo’s been caught going a bit too far in its quest for bloatware money, and the results have put its users at risk. The company has been preloading Superfish, a "visual search" tool that includes adware that fakes the encryption certificates for every HTTPS-protected site you visit, on its PCs since at least the middle of 2014. Essentially, the software conducts a man-in-the-middle attack to fill the websites you visit with ads, and leaves you vulnerable to hackers in its wake.
    You can read all the sordid details here. This article is dedicated to helping you discover whether your Lenovo PC is infected with Superfish, and how to eradicate it if you are.

    Which Lenovo PCs have Superfish preinstalled?

    Lenovo isn’t saying specifically. A representative would only say that the adware was loaded on select consumer-grade machines.
    Lenovo forum posts indicate that Superfish has been preinstalled on PCs since at least mid-2014. A report by Myce in January claims that at least the Lenovo Y50, Z40, Z50, G50 and Yoga 2 Pro laptops are affected. For safety’s sake, if you’ve bought a new Lenovo PC any time in the past year, you should assume your PC may have Superfish preinstalled.

    How do I know if my Lenovo PC has Superfish preinstalled?

    It should be easy to discover if your PC came with Superfish preloaded. The adware intrinsic to Superfish is designed to inject visual price-comparison ads into the web pages you visit, in a “Visual Search results” section “powered by VisualDiscovery.” If you see that, you’re affected (though maybe “infected” is the better word to use).
    [Image: Superfish injected ads in action on the Apple website. Credit: Mills Baker]
    Update: Browsing to this website will quickly let you know if you have Superfish installed. Thanks, Filippo Valsorda! Lastpass also tossed up a website that can check for Superfish.
    Even if you haven’t seen weird ads pop up in your browsing, you should check and see if Superfish is installed on your Lenovo PC. Doing so is easy: Just head to Control Panel > Programs > Uninstall a Program and look for VisualDiscovery. If you see it, uninstall it!
    Once that’s done, run a virus scan. Apparently, many antivirus engines flag Superfish as adware—since it is—or a potentially unwanted program. Conducting a scan can help ensure that the Superfish software is truly gone.
    But…

    Ditch that troublesome root certificate

    The biggest problem with Superfish isn’t the adware itself so much as the way it hijacks legitimate SSL traffic. It does so by installing a self-generated root certificate in the Windows certificate store—a hallowed area usually reserved for trusted certificates from major companies like Microsoft and VeriSign—and then re-signs all SSL certificates presented by HTTPS sites with its own certificate.
    In other words, Superfish conducts a man-in-the-middle attack and breaks the sanctity of HTTPS encryption. And simply removing the adware itself doesn’t remove the rogue root certificate.
    You can revoke that certificate manually, however. Here’s how, as told to PCWorld by Chris Boyd, a malware intelligence analyst at Malwarebytes.
    First, press Windows key + R on your keyboard to bring up the Run tool, then type certmgr.msc to open your PC’s certificate manager.
    [Image: The rogue Superfish certificate preinstalled in the trusted root store on some new Lenovo PCs. Credit: Chris Palmer]
    Once that opens, click on “Trusted root certificate authorities” in the left-hand navigation pane, then double-click “Certificates” in the main pane. A list of all trusted root certificates will appear. Find the Superfish entry, then right-click on it and select “Delete.”
    That should do it. This Microsoft support article outlines a different way of deleting trusted root certificates, though it hasn’t been updated in years.
    Update: There have been reports of Superfish potentially worming into Firefox's separate certificate manager, as well. If you use Firefox, open the browser, then head to Options > Advanced > Certificates > View Certificates. If you see a listing for Superfish, click on it and select "Delete or Distrust."
    With that, your new PC should be free of all of Superfish’s nasty tentacles. Shame on Lenovo for letting this happen to begin with.
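    The removal steps above go through certmgr.msc by hand. As an added example (not from the PCWorld article, Lenovo, or Superfish), the Python script below does the same check programmatically: on Windows it enumerates the machine's Trusted Root store through the standard library's ssl.enum_certificates and flags any certificate whose encoded name contains “Superfish”, printing the SHA-1 thumbprint that certmgr.msc displays so the entry can be located and deleted. The sample store is constructed byte strings, not real certificates, so the script also runs against that sample on non-Windows systems. It covers only the Windows store; Firefox's separate certificate database, mentioned in the update above, still needs the manual step.

```python
import hashlib
import ssl

# Constructed DER-like blobs standing in for certificates read from a store.
# They are NOT real certificates. In a real DER certificate the subject and
# issuer names are encoded as plain PrintableString/UTF8String bytes, so the
# organisation name is searchable in the raw encoding.
SAMPLE_ROOT_STORE = [
    (b"0\x82\x03\x10" + b"\x0c\x0fSuperfish, Inc." + b"\x00" * 16, "x509_asn", True),
    (b"0\x82\x02\xf0" + b"\x13\x18Microsoft Root Authority" + b"\x00" * 16, "x509_asn", True),
    (b"0\x82\x02\x80" + b"\x13\x0eVeriSign Class" + b"\x00" * 16, "x509_asn", True),
]


def windows_thumbprint(der: bytes) -> str:
    """Thumbprint as certmgr.msc shows it: SHA-1 of the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def find_rogue_roots(entries, name_fragment=b"Superfish"):
    """Return (thumbprint, der) for X.509 entries whose encoding contains name_fragment.

    entries has the shape ssl.enum_certificates() returns:
    (cert_bytes, encoding_type, trust).
    """
    return [
        (windows_thumbprint(der), der)
        for der, encoding, _trust in entries
        if encoding == "x509_asn" and name_fragment in der
    ]


def scan_local_root_store():
    """Windows only: enumerate the machine's Trusted Root store via the stdlib."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates exists only on Windows builds of Python")
    return find_rogue_roots(ssl.enum_certificates("ROOT"))


if __name__ == "__main__":
    try:
        hits = scan_local_root_store()
    except RuntimeError as err:
        print(err, "- scanning the constructed sample store instead")
        hits = find_rogue_roots(SAMPLE_ROOT_STORE)
    for thumbprint, _der in hits:
        print("suspect trusted root certificate, thumbprint", thumbprint)
    if not hits:
        print("no certificate matching 'Superfish' found")
```

    Matching on the encoded name is a quick triage check, not proof of cleanliness: if you have the exact thumbprint of the rogue certificate from an advisory, compare that instead, since a name is trivial to change and a thumbprint is not.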
    IDG News Service's Lucian Constantin provided additional reporting for this article.
    Credits: pcworld.com

    Wednesday, 18 February 2015

    Destroying your hard drive is the only way to stop this super-advanced malware




      Kaspersky Lab released a report Monday that said the tools were created by the “Equation” group, which it stopped short of linking to the U.S. National Security Agency.
      The tools, exploits and malware used by the group—named after its penchant for encryption—have strong similarities with NSA techniques described in top-secret documents leaked in 2013.
      Countries hit the most by Equation include Iran, Russia, Pakistan, Afghanistan, India and China. Targets in those countries included the military, telecommunications, embassies, government, research institutions and Islamic scholars, Kaspersky said.

      Infirm firmware

      Kaspersky’s most striking finding is Equation’s ability to infect the firmware of a hard drive, or the low-level code that acts as an interface between hardware and software.
      The malware reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn’t affect it, and the hidden storage sector remains.
      “Theoretically, we were aware of this possibility, but as far as I know this is the only case ever that we have seen of an attacker having such an incredibly advanced capability,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, in a phone interview Monday.
      [Image: A group of cyberspies called Equation that uses similar techniques as the NSA has struck at least 30 countries using never-before-seen malware that infects hard disk drives.]
      Drives made by Seagate Technology, Western Digital Technologies, Hitachi, Samsung Electronics and Toshiba can be modified by two of Equation’s hard disk drive malware platforms, “Equationdrug” and “Grayfish.”
      The report said Equation has knowledge of the drives that goes way beyond public documentation released by vendors.
      Equation knows sets of unique ATA commands used by hard drive vendors to format their products. Most ATA commands are public, as they comprise a standard that ensures a hard drive is compatible with just about any kind of computer.
      But there are undocumented ATA commands used by vendors for functions such as internal storage and error correction, Raiu said. “In essence, they are a closed operating system,” he said.
      Obtaining such specific ATA codes would likely require access to that documentation, which could cost a lot of money, Raiu said.
      The ability to reprogram the firmware of just one kind of drive would be “incredibly complex,” Raiu said. Being able to do that for many kinds of drives from many brands is “close to impossible,” he said.
      “To be honest, I don’t think there’s any other group in the world that has this capability,” Raiu said.
      It appears Equation has been far, far ahead of the security industry. It’s almost impossible to detect this kind of tampering, Raiu said. Reflashing the drive, or replacing its firmware, is also not foolproof, since some types of modules in some types of firmware are persistent and can’t be reformatted, he said.
      Given the high value of this exploitation technique, Equation very selectively deployed it.
      “During our research, we’ve only identified a few victims who were targeted by this,” Kaspersky’s report said. “This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances.”

      Fanny worm

      Another of Kaspersky’s intriguing findings is Fanny, a computer worm created in 2008 that was used against targets in the Middle East and Asia.
      To infect computers, Fanny used two zero-day exploits—the term for a software attack that uses an unknown software vulnerability—that were also coded into Stuxnet, Kaspersky said. Stuxnet, also a Windows worm, was used to sabotage Iran’s uranium enrichment operations. It is thought to be a joint project between the U.S. and Israel.
      It’s unlikely the use of the same zero-days was a coincidence. Kaspersky wrote that the similar use of the vulnerabilities means that the Equation group and the Stuxnet developers are “either the same or working closely together.”
      “They are definitely connected,” Raiu said.
      Both Stuxnet and Fanny were designed to penetrate “air-gapped” networks, or those isolated from the Internet, Kaspersky said.

      Man in the middle

      The Equation group also used “interdiction” techniques similar to those used by the NSA in order to deliver malicious software to targets.
      Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of materials. The CD contained two zero-day exploits and a rarely-seen malware doorstop nicknamed “Doublefantasy.”
      It is unknown how the CDs were tampered with or replaced. “We do not believe the conference organizers did this on purpose,” Kaspersky said. But such a combination of exploits and malware “don’t end up on a CD by accident,” it said.
      The NSA’s Office of Tailored Access Operations (TAO) specializes in intercepting deliveries of new computer equipment, one of the most successful methods of tapping into computers, wrote Der Spiegel in December 2013, citing a top secret document.
      The German publication was one of several that had access to tens of thousands of spy agency documents leaked by former NSA contractor Edward Snowden.
      Kaspersky uncovered the trail of the Equation group after investigating a computer belonging to a research institute in the Middle East that appeared to be the Typhoid Mary for advanced malware.
      Raiu said the machine had French, Russian and Spanish APT (advanced persistent threat) samples on it, among others, showing it had been targeted by many groups. It also had a strange malicious driver, Raiu said, which upon investigation led to the extensive command-and-control infrastructure used by Equation.
      Kaspersky analysts found more than 300 domains connected with Equation, with the oldest one registered in 1996. Some of the domain name registrations were due to expire, so Kaspersky registered around 20 of them, Raiu said.
      Most of the domain names aren’t used by Equation anymore, he said. But three are still active. The activity, however, doesn’t lend much of a clue as to what Equation is up to these days, as the group changed its tactics in late 2013.
      “Those three [domains] are very interesting,” Raiu said. “We just don’t know what malware is being used.”
      Credits: PCWorld

      Monday, 16 February 2015

      Kaspersky Labs reports at least $300 million in a 2 year sophisticated heist 


           

      Kaspersky Labs reports that at least $300 million was stolen from a variety of banks worldwide in a sophisticated two-year heist.

      The surface of the heist presumably started in late 2013, when an A.T.M. in Kiev exhibited strange behavior: it started dispensing cash at seemingly random times of day. No card or button on the A.T.M. was touched, and the security cameras only showed piles of money being taken by lucky customers who were in the right place at the right time.
      Kaspersky Labs, a Russian cyber-security firm, was called in to investigate the A.T.M. anomaly and through its investigation discovered this was just the tip of the iceberg of the real hack that was taking place.
      The bank’s own internal computers, the ones used by the employees who processed daily transfers and conducted daily bookkeeping, had been unwittingly infected with sophisticated malware that allowed cyber criminals to record their every move. The malicious software is suspected to have been in the systems for several months, sending back video feeds and images that showed the criminal group, patiently watching on the other side, exactly how the bank conducted its daily routines.
      With that inside information on the daily habits and procedures of bank employees, the criminal hacking group was able to impersonate bank officers, enabling them not only to turn on various cash machines but also to transfer millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.
      According to reports from Kaspersky Labs the scope of this attack was on more than 100 banks and other financial institutions in 30 nations which could very well make it one of the largest bank thefts ever and one conducted without the usual signs of robbery.
      Kaspersky Labs is bound by nondisclosure agreements with the banks that were hit, so it cannot name them. It goes without saying that officials at the White House and the F.B.I. have been briefed on Kaspersky’s findings, but they say it will take time to confirm them and assess the losses (meaning those who know will not say).
      What Kaspersky Labs is saying is that the thefts were limited to $10 million per transaction, and some banks were hit several times. In the vast majority of cases the takes were more modest, possibly in an attempt to avoid setting off alarms. The totals they report are upwards of $300 million, with a high probability of triple that amount; the majority of known targets are in Russia, with a smaller number in Japan, the United States and Europe.
      Of course no bank has come forward acknowledging the theft which is such a common problem in this type of industry that even President Obama during his first White House summit meeting on cybersecurity and consumer protection at Stanford University is urging a passage of a law that would mandate public disclosure of any breach that compromised personal or financial information.
      Douglas Johnson, from the American Bankers Association, stated that investigators at Interpol said their digital crimes specialists in Singapore were coordinating an investigation with law enforcement in affected countries. In the Netherlands, the Dutch High Tech Crime Unit, a division of the Dutch National Police that investigates some of the world’s most advanced financial cybercrime, has also been briefed. There were no other comments from the American Bankers Association.
      The silence surrounding the investigation is partly because of the reluctance of banks to concede that their systems were so easily penetrated, and also in part of the fact that the attacks appear to be continuing.
      Chris Doggett, the managing director of the Kaspersky North America office in Boston, stated that the Carbanak cybergang (named for the malware it deployed) “is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cyber criminals have used to remain covert.”
      The intruders in the bank thefts were enormously patient, first placing surveillance software in the computers of system administrators and watching their moves for several months. It is suspected that this was not a nation state, but rather a specialized group of cyber criminals.
      It is uncertain how the subterfuge on this scale could have proceeded for nearly two years without banks, regulators or law enforcement catching on.

      But the basics of this hack began like many others: sending the targeted victims infected emails with a news clip or message forged to appear to come from a colleague. When the targeted bank employee clicked on the email, they inadvertently downloaded malicious code. With that code on the system, the hackers could crawl across a bank’s network until they found employees who administered the cash transfer systems or remotely connected A.T.M.s.
      Then, the cyber criminals installed a “RAT”— remote access tool — that could capture video and screen shots of the employees’ computers to learn and mimic everyday activities of the bank and the bank employees. In doing this they could stage everything to look like a normal, everyday transaction.
      With patience and persistence, the attackers took great pains to learn each bank’s particular system, while they set up fake accounts at banks in the United States and China that could serve as the destination point for money transfers.
      It is known that these fake accounts were set up at J.P. Morgan Chase and the Agricultural Bank of China.
      A period of several months and the creation of multiple routes for the money transfers were set up including online transfers as well as A.T.M. cash dispensing to terminals where the associates would be waiting.
      The largest sums were stolen by hacking into a bank’s accounting systems and briefly manipulating account balances. In the example provided, an account with $1,000 would be altered to show $10,000; then $9,000 would be transferred outside the bank. There was a reported 10-hour window in which the banks did not check or audit these balances, allowing the illicit transaction to take place during that time.
      Some of the numbers reported by Kaspersky on the effectiveness of the hacks were $7.3 million through A.T.M. withdrawals alone and $10 million from the exploitation of its accounting system.
      The level of the sophistication of this heist was Ocean’s 11 on steroids.

      Saturday, 14 February 2015

      Windows 10 can be bypassed with a single bit




      Windows operating system security, from XP to the current Windows 10, can be bypassed with a single bit
      Microsoft on Tuesday patched a privilege escalation vulnerability, described in its security bulletins, which according to researchers can be exploited by malicious actors to bypass all the security measures in the Windows operating system by modifying a single bit.
      Microsoft says that an attacker who manages to log in to the targeted system can “gain elevated privileges and read arbitrary amounts of kernel memory,” which would allow them to install software, view and change data, and create new accounts with full administrative rights.
      Udi Yavo, the chief technology officer at the security firm enSilo, says that “The vulnerability (CVE-2015-0057) is rated as ‘important,’ which could give attackers total control of the victims’ machines.”
      Yavo further said that “A threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization.”
      Yavo continued, “Interestingly, the exploit requires modifying only a single bit of the Windows operating system.”
      The flaw existed in the graphical user interface (GUI) component of the Win32k.sys module within the Windows Kernel which, among other things, manages vertical and horizontal Windows’ scroll bars. The flaw actually resides in the xxxEnableWndSBArrows function which could alter the state of both scroll bars through a call.
      The exploit works on all versions of the operating system, from Windows XP to the 64-bit version of the latest Windows 10 Technical Preview (with protections enabled). The attack method can be used to bypass kernel protections such as Kernel Data Execution Prevention (DEP), Kernel Address Space Layout Randomization (KASLR), Mandatory Integrity Control (MIC), Supervisor Mode Execution Protection (SMEP), and NULL dereference protection, the researcher said.
      “We have shown that even a minor bug can be used to gain complete control over any Windows Operating System,” Yavo said. He also commented that Microsoft’s efforts to make its operating system more secure have raised the bar significantly and made writing reliable exploits far harder than before. “Unfortunately, these methods are not going to stop attackers. We predict that attackers will continue incorporating exploits into their crime kits, making compromise inevitable.”
      The researchers have also published a PoC video demonstrating the vulnerability. It doesn’t disclose any sensitive code, but shows the privilege escalation exploit running on a machine with 64-bit Windows 10 Technical Preview.

      Microsoft’s patch issues are nothing new: before this, in January, Bromium security researcher Jared DeMott demonstrated that the Heap Isolation and Delay Free mitigations can be bypassed.
      CVE-2015-0057 is not the only interesting vulnerability patched by Microsoft on Tuesday. The company has also released updates for a critical remote code execution flaw (CVE-2015-0008) caused by the way Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. On the other hand, Microsoft still hasn’t addressed a recently disclosed universal cross-site scripting (UXSS) vulnerability affecting Internet Explorer.
      Credits: Techworm

      Friday, 13 February 2015

      New credit cards with embedded RFID chips can pose a problem with security and identity theft


      Hackers can use RFID readers to steal payment card numbers while you are in public.



      A team of cyber security researchers has revealed that hackers can use mobile technology to steal credit and debit card numbers from you while you’re in public. The cards at risk are enabled with radio technology that allows you to “wave and pay.”
      It’s as though, while you are ‘waving and paying’, a hacker lurking in the vicinity is secretly reading your payment card numbers and storing them. Unaware of the risk, you may get a 440-volt shock when you see unknown payments in your billing statement at the end of the payment cycle.
      Radio frequencies are all over the place, but most smart cards (i.e. newer debit and credit cards) operate at 13.56 MHz (HF) and can be read from roughly 10 centimeters to 1 meter (around 2 feet max).
      If you have these newer cards, currently an attacker can only obtain the card number and the expiration date, not the three-digit CVV security number, which is required for some purchases. However, it should be noted that a card number and expiration date could be put onto dummy cards and used at certain point-of-sale terminals that only require you to pass the card over the terminal for a payment (without the CVV requirement).
      More and more of these RFID radio tags are placed into other documents including passports, employee badges which may hold more information and create potentially more problems when cloned especially in the case of employee badges which will allow access to secure buildings and the like.
      So far the only known defense against these types of attacks is to create a “Faraday cage” around the card (usually in the form of aluminum foil, or by lining your pocket or wallet with a similar material).
      If you are victimized most cards like MasterCard, Visa, and debit cards have policies that say you’re not liable for any fraudulent transactions and you can be made whole, however this can take several days or weeks sometimes to get money back which has been stolen from your checking or debit card.
      If you like the idea of mobile payments for now Apple Pay or Paypal can be viable alternatives since your actual card numbers are not stored on your iPhone or smart device and do not have any RFID.
      Thanks: techworm

      10 Million Password Release?

      How to Check if You Were Exposed in the 10 Million Password Release?

      What is the news?
      A security researcher has released 10 million usernames and passwords into the public domain. Mark Burnett collected this data from various data breaches over the past ten years for his research. He has also written an entire article justifying the release and expressing fear of prosecution as a consequence of it.
      “This is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution.”
      These 10 million usernames and passwords were already available on the internet and he has created a collective database of these leaked records. Mark Burnett is a reputed security expert and he is willing to share the data for the sake of helping the security researchers.
      Why is he releasing the passwords?
      “Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world.
      A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security. So I built a data set of ten million usernames and passwords that I am releasing to the public domain.”
      Why shouldn’t the FBI arrest him?
      Mark says that he has released the usernames and passwords to give researchers an access to a clean and consistent data. He says:
      “Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone. Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature.
      If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime.”
      This release can definitely help other security experts and researchers determine one basic fact: how often a user uses part of their username in their password. Defying the risk of prosecution, Mark has released these 10 million passwords and defended the release.
      How to check if you were exposed in the 10 million password dump?
      Here is an easy way developed by the developer Luke Rehmann. This is a simple web interface to search for your credentials. It’s recommended that you only search the first four characters of a password due to security concerns.
      Check here.
      Read the whole article written by Mark Burnett here. Via- xanto.net
      Thanks: fossbytes

      Thursday, 12 February 2015

      What is WhatsSpy Public?

      Installing WhatsSpy Public on your Raspberry Pi/Server/VPS

      WhatsSpy Public is a web-oriented application that tracks every move of whoever you choose to follow. It was set up as a proof of concept that WhatsApp is broken in terms of privacy. Once you've set up this application you can track users that you want to follow on WhatsApp. While it's running it keeps track of the following activities:

      • Online/Offline status (even with privacy options set to "nobody")
      • Profile pictures
      • Privacy settings
      • Status messages

      Screenshots

      Overview page: (screenshot of the WhatsSpy Public overview, not reproduced here)

      Getting started

      This guide requires knowledge of Linux, PHP and PostgreSQL. There is no proper error reporting. I'm not responsible in any way if you screw it up! WhatsApp might even block your account, I can't tell.

      Requirements

      Shortlist of requirements:
      • Secondary WhatsApp account (a phone number that is not actively using WhatsApp)
      • Rooted Android phone OR jailbroken iPhone OR PHP knowledge
      • Server/RPi that runs 24/7
      • Nginx or Apache with PHP and PDO (php5-pgsql installed); you can't host this on a simple shared web host, you need shell (bash) access
      • PostgreSQL

      Notice

      WhatsSpy Public requires a secondary WhatsApp account. Once the tracker is started, you will not be able to receive any messages over WhatsApp for this phone number. You can either try to register a phone number not yet used with WhatsApp using, for example, this script, or just buy a 5 euro SIM card and use that phone number for the tracker.
      For the tracker to work you need a secret, which is retrieved from either your phone or the register script mentioned above. For phone registration you need a jailbroken iPhone or a rooted Android device in order to retrieve the secret.
      • Jailbroken iPhone users: you can retrieve it using this script.
      • Rooted Android phones can use the following APK to retrieve the secret.
      In order to retrieve the secret you need to follow these steps:
      • Insert your (new) secondary SIM card in your phone and boot it up.
      • Re-install WhatsApp on your phone and activate it using the new phone number.
      • Use either the APK (Android) or the script (iPhone) to retrieve the WhatsApp secret. Write this secret down; it is required later.
      • Insert your normal SIM card and re-install WhatsApp for normal use.

      Installation

      1. Download the repository and unpack the files on your server at, for example, /whatsspy/ in your web directory (for nginx on Debian this is /var/www/). Note that git clone over SSH does not work; you can only use HTTP on this GitLab server.
      2. Log in to your PostgreSQL database and create a new database and user for WhatsSpy Public (insert a password for the DB user):
        -- Execute command by command!
        -- cmd 1
        CREATE ROLE whatsspy LOGIN
        PASSWORD ''
        NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
        -- cmd 2
        CREATE DATABASE whatsspy
        WITH OWNER = whatsspy
           ENCODING = 'UTF8'
           TABLESPACE = pg_default
           CONNECTION LIMIT = -1;
        -- cmd 3
        GRANT ALL ON DATABASE whatsspy TO whatsspy;
        
      3. Open api/whatsspy-db.sql and execute these SQL commands in your whatsspy database (with PgAdmin, or as in step 4).
      4. Update: you can use the command
        cd <location of whatsspy>/api/
        psql -U whatsspy -d whatsspy -f whatsspy-db.sql
        
        to insert these SQL statements into the correct database.
      5. Rename config.example.php to config.php (located in api/) and fill in the following details:
      6. PostgreSQL host/port/dbname/user and password, correctly, in $dbAuth.
      7. Insert your 'number' and 'secret' in $whatsappAuth.
      8. 'number' must be without any prefix 0's: 0031 06 xxx becomes 31 6 xxx (no 0 prefix for either the country code or the phone number itself).
      9. 'number' may only contain digits. Spaces, plus signs or any other special characters are NOT accepted. Example: 316732174
      10. Set the absolute path correctly in $whatsspyProfilePath. If you've installed WhatsSpy Public in, for example, /var/www/whatsspy, the correct directory would be /var/www/whatsspy/images/profilepicture/ (including the trailing /).
      11. You can set an optional NotifyMyAndroid key for notifications about the tracker (startup, shutdown, errors etc.) in $whatsspyNMAKey.
      12. Check folder rights: the tracker needs read/write access to both the folder $whatsspyProfilePath and api/!

      Webserver

      You need to restrict access to WhatsSpy and its api/ folder from unauthorised web access.

      Nginx

      For Nginx add the following:
        location /whatsspy/ {
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }

        location /whatsspy/api/whatsapp/ {
            deny all;
            return 404;
        }

        location ~ /whatsspy/api/ {
            rewrite ^ /whatsspy/api/index.php last;
        }
      
      This assumes you installed WhatsSpy in a subdirectory called /whatsspy in the web directory /var/www/ (the default setup).
      You can create an .htpasswd here. Make sure you reload the configuration by executing service nginx reload.

      Apache

      Create a .htaccess file in the whatsspy folder and add the following:
      AuthType Basic
      AuthName "Password Protected Area"
      AuthUserFile /var/.htpasswd
      Require valid-user
      
      Do not place the .htpasswd in the /var/www folder. You can create an .htpasswd here. The api/ folder is protected by default.

      Importing users

      If everything went well you can now access the WhatsSpy Public interface through your webserver. At this point you need to import the users that you want to track (Troubleshooting):
      • Either add any contact manually by using "Add contact by phonenumber".
      • Or use "import google Contacts", a script that retrieves all your Google Contacts and produces an SQL statement that inserts all users into the database.
      Once you have inserted these users they won't show up automatically. They need to be verified by the tracker, which is not running yet.

      Starting the tracker

      Once you have populated your database with some users, you can start the tracker.
      1. Start a new screen session (if you do not have screen: sudo apt-get install screen, or similar for other distros).
      2. cd to the WhatsSpy install directory (for example /var/www/whatsspy/) and execute `which php` api/tracker.php.
      3. If all runs well it starts spamming information about privacy options and polls.
      4. It keeps polling every 2 seconds and outputs any statuses on the screen.
      5. You can leave the screen session by pressing Ctrl+a and then Ctrl+d (detaching the screen) in your terminal/PuTTY.