WhatsTrapp is a tool for analyzing and dumping WhatsApp accounts.

WhatsTrapp uses a Man In the Middle (MITM) attack to establish a session with the WhatsApp's target: once the session has been established, actions for retrieving and collecting the data are executed in the browser context by using the very same WhatsApp Web's APIs (thank to a bit of reverse engineering).

Finally, the collected data are indexed in Elasticsearch in order to allow you to search for a specific text and sort the messages by time.

• Docker
• Docker Compose

Clone the repository:

$ git clone git@github.com:Wicker25/whatstrapp.git
$ cd whatstrapp/

Launch the WhatsTrapp server with:

$ docker-compose up

Then open your browser at http://127.0.0.1:8025/ and wait until the QR code has been loaded.

Launch the target's WhatsApp and, from the main menu, select "WhatsApp Web".

Finally, take a picture of the QR code and enjoy it!

Open Kibana's Discover page at http://127.0.0.1:5601/app/kibana#/discover.

You can start a new Search or open one of the default ones from the menu on the right.

The WhatsTrapp's architecture consists of a Puppeteer, Puppets, and Clients:

• The Puppeteer launches the browser instance by using Google Puppeteer and injects a Puppet into it;
• The Puppet is a JavaScript that performs actions in the WhatsApp Web page;
• The Client is the user interface used by the attacker for performing the hack.

All of the components communicate with each other via WebSocket.

If you are trying to use WhatsTrapp on a GNU/Linux operating system you might need to increase the kernel parameter max_map_count by running:

# sysctl -w vm.max_map_count=262144

See the Elasticsearch Reference for more details.

If you are trying to use WhatsTrapp on Windows but you get the error Windows named pipe error: ... check this discussion: #1.

• Giacomo Trudu - @Wicker25

This project is licensed under the GNU General Public License - see the LICENSE.md file for details.