3

I have been asked to do a paper on Whatsapp for Networks (college class). As far as I know, it is based on XMPP. But I can't find any of its packages on the WireShark process (using whatsapp web), only TCP protocols.

I have downloaded the Packet Tracer for Android and it has given me some TCP packages on hex.

How can I analyze it? Is it XMPP? Is it TCP? How can I have the ACK or the SYN ACK bits on the tracer? What about the RTT?

Is there any better program for this analysis?

peterh
Luis Filipe
    Are you trying to analyze how TCP handshake works? How TCP works in general? How WhatsApp security works? How to see messages being sent? Some clarification needed, please. – sysfiend Feb 07 '17 at 16:55
  • Hi! Actually I have been asked to simulate a scenario with the Whatsapp Service. I was trying to use the Cisco Packet Tracer (which includes DHCP, DNS, SMTP etc) but it doesn't have the XMPP service. Therefore I cannot simulate it. So, after running Wireshark and accessing Whatsapp web I could only see the TCP communication but no XMPP, I guess because it is encrypted, right?

    So the only alternative that is left is for me to analyze the TCP packets between the whatsapp server and my computer, right? Or is there any other way to analyze whatsapp packets or simulate it?

    – Luis Filipe Feb 07 '17 at 17:40
  • How to see messages being sent would be great too. It is hard to understand that hexadecimal in Wireshark. – Luis Filipe Feb 07 '17 at 17:58
  • Without continuous working and learning, you won't be ever a successful programmer. What you don't want to start now, this is what you will do in your whole life. – peterh Feb 09 '17 at 21:55

2 Answers

2

You won't see anything relevant in Wireshark because the communications between WhatsApp users happen using private and public keys. Here's how it works in practice:

  • A wants to send a message to B.
  • A firstly asks B for his public key (every user generates around 100 public keys attached to one single private key).
  • A then encrypts the message using B's public key and sends it.
  • B receives it and, using his private key, decrypts it.

So, without breaking this scheme, you won't be able to read those packets' data.

In case you are just analyzing TCP, you will be able to see the handshake as usual with its ACKs, FINs, etc.

sysfiend
  • So what you are saying is that with Wireshark I can only reach and analyze the TCP, right? Is there any other program with which I can capture the whatsapp packets? – Luis Filipe Feb 07 '17 at 18:29
  • @LuisFilipe the problem here is not capturing them, but seeing its data. In order to do so, you'd have to break the encryption system faking B's private key (pro tip: you will need some billion years to do so, don't try it at home :d) – sysfiend Feb 07 '17 at 18:32
  • Hahaha, well that is just not much encouraging! Hope the professor understands that. Thank you very much! Btw, about 5 years ago it was possible to break the encryption, right? There was an extension for Wireshark. – Luis Filipe Feb 07 '17 at 18:37
  • @LuisFilipe you can always break it if it's not strong enough, it's a matter of time and using vulnerabilities found on the algorithms used. – sysfiend Feb 07 '17 at 18:39
  • The image of my attempt to reach the whatsapp server; I have a few questions (https://scontent.fplu9-2.fna.fbcdn.net/v/t1.0-9/16473317_1255471484537612_8559584372116639936_n.jpg?oh=7608686a7eaf6672748efe6d21a3c7ca&oe=593D2503) 1) What is the TCP SYN segment sequence number used to start the TCP connection? 2) What is the sequence number and the ACK number of the SYN ACK package? How do you identify a SYN ACK package? 3) What is the sequence number of the first TCP segment which contains the HTTP POST command?

    Is it possible to answer those questions with the Wireshark WhatsApp TCP analysis?

    – Luis Filipe Feb 07 '17 at 18:48
  • @LuisFilipe yes. – sysfiend Feb 08 '17 at 11:21
  • In case I have the 2 phones (both mine in same room), can I then decrypt the messages? I want to know what's transferred in whatup protocol. – ransh Nov 19 '17 at 16:47
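As an added example (not from the answer or its comments), here is a small Python script that dissects constructed IPv4/TCP packets the way Wireshark's TCP pane does and answers the handshake questions asked above: the SYN's sequence number, the SYN/ACK's sequence and acknowledgment numbers (a SYN/ACK is recognised by its flag bits and by acknowledging ISN+1), the SYN-to-SYN/ACK RTT, and the sequence number of the first segment carrying data, both absolute and relative as Wireshark displays by default. The addresses, ports, timestamps and the cleartext POST line are constructed sample data; on a real port 443 connection the first data segment carries a TLS record rather than a readable POST.

```python
import struct
from typing import NamedTuple, List, Dict

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits (FIN is 0x01, RST 0x04)
Segment = NamedTuple("Segment", [("ts", float), ("src", str), ("dst", str), ("sport", int),
    ("dport", int), ("seq", int), ("ack", int), ("flags", int), ("payload", bytes)])

def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Constructed IPv4+TCP packet: no Ethernet header, checksums left as zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def parse_packet(ts: float, raw: bytes) -> Segment:
    """Dissect the IPv4 and TCP headers into the fields Wireshark's TCP pane shows."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src, dst = (".".join(map(str, raw[o:o + 4])) for o in (12, 16))
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    payload = raw[ihl + (off >> 4) * 4:]           # TCP data offset is in 32-bit words
    return Segment(ts, src, dst, sport, dport, seq, ack, flags, payload)

def analyze_handshake(segs: List[Segment]) -> Dict[str, object]:
    """Locate SYN, SYN/ACK and the first data segment by flag bits; report absolute
    sequence numbers, Wireshark-style relative ones, and the SYN-to-SYN/ACK RTT."""
    syn = next(s for s in segs if s.flags & (SYN | ACK) == SYN)
    synack = next(s for s in segs if s.flags & (SYN | ACK) == SYN | ACK
                  and s.ack == syn.seq + 1)         # a SYN/ACK acknowledges ISN + 1
    data = next(s for s in segs if s.payload and s.src == syn.src)
    return {
        "syn_seq": syn.seq,
        "synack_seq": synack.seq, "synack_ack": synack.ack,
        "syn_rtt_ms": round((synack.ts - syn.ts) * 1000, 3),
        "first_data_seq": data.seq,
        "first_data_seq_relative": data.seq - syn.seq,   # 1 right after the handshake
        "first_data_starts_with": data.payload[:4].decode(errors="replace"),
    }

# Constructed sample capture: a client on 192.168.1.10 talking to a server on port 443.
C, S = "192.168.1.10", "203.0.113.5"
SAMPLE = [parse_packet(t, build_packet(*a)) for t, a in [
    (0.000, (C, S, 51234, 443, 1000000, 0, SYN)),
    (0.042, (S, C, 443, 51234, 5000000, 1000001, SYN | ACK)),
    (0.043, (C, S, 51234, 443, 1000001, 5000001, ACK)),
    (0.050, (C, S, 51234, 443, 1000001, 5000001, PSH | ACK, b"POST / HTTP/1.1\r\n")),
]]

if __name__ == "__main__":
    for key, value in analyze_handshake(SAMPLE).items():
        print(f"{key}: {value}")
```

To apply the same logic to a real capture, feed it the per-packet bytes and timestamps that Wireshark exports (File > Export Packet Dissections) and strip the 14-byte Ethernet header first.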
1

Whatsapp Web works in the browser, it requires only a browser, without any add-ons. Thus, it obviously uses https or at most some of its extensions (websockets, etc).

The application-level protocol is embedded into this. It is possible, but not probable, that it uses also an intermediate XMPP layer.

To analyze them, first you have to break the https (or any other browser-supported) encryption layer.

peterh
  • Hi, what do you mean by break the https encryption layer? (I'm really new at this). Thanks! – Luis Filipe Feb 07 '17 at 18:18
  • @LuisFilipe It is https. Https is the encrypted protocol on which the browsers mostly communicate. It doesn't use XMPP (although it is possible that it uses XMPP communication embedded into the https traffic). To do this, first you have to crack the https and see, what is in it. – peterh Feb 07 '17 at 18:43
  • Well, after reviewing my attempt of connection on whatsapp web the only services I can relate to are:

    Ethernet TCP IPv4 SSL

    I don't see any http services on the list

    – Luis Filipe Feb 07 '17 at 19:09
  • @LuisFilipe On which tcp ports is it working? 443? – peterh Feb 07 '17 at 19:51
  • Yes, it is working on 443. As you can see on this image: https://scontent.fplu9-2.fna.fbcdn.net/v/t1.0-9/16473317_1255471484537612_8559584372116639936_n.jpg?oh=7608686a7eaf6672748efe6d21a3c7ca&oe=593D2503

    This was my attempt to reach the Whatsapp server on whatsapp Web

    – Luis Filipe Feb 07 '17 at 20:13
  • @LuisFilipe Now you need to use the public key of the server side, and the private and public keys of your browser to decrypt the traffic. You have to follow the whole connection with the wireshark, somehow extract the keys from your browser and give it to the wireshark. – peterh Feb 07 '17 at 20:52
  • Do you have any material that can explain these keys to me? I have never heard of it nor do I understand what those are. For my understanding it won't be possible to decrypt because I won't have the private key to the server, right? – Luis Filipe Feb 07 '17 at 21:59
  • @LuisFilipe You don't need the private key of the server, also the browser doesn't have it. Also I don't know how it can be done. But I could, if I would need it. The most important task in programming is to find and learn things from google quickly. Google for: wireshark https . You will find problems, find them on further googling. If you don't, ask them here, or on the stackoverflow. Yes, it is work. But if you don't do it, nobody will do it instead of you. Well, and if here an answer answered your question (not your further questions in the comments, but your original question), you can accept it by – peterh Feb 08 '17 at 00:58
  • @LuisFilipe clicking the pipe icon on the left side. It is a reward to the answerer. With time, these google-learn-stackoverflow-learn loops will be faster and faster. Only the begin is hard. – peterh Feb 08 '17 at 01:03
  • @peterh quite interesting information. +1 for sharing it. – Tejas Pandya Dec 26 '17 at 06:41