A Cobalt Strike BOF and DB decrypter script to retrieve the WhatsApp DB decryption key for WhatsApp Desktop via beacon.
**Warning:** only works on Windows hosts with WhatsApp Desktop installed.
- A Cobalt Strike beacon on a compromised host
- python3 on PATH
- Python packages (not yet tracked; a requirements.txt is to come). Please ensure the packages required by `first_decrypt.py` and `second_decrypt.py` are installed before running the BOF.
Build the BOF:

```
make all
```

Then run it from the beacon:

```
WhatsAppKeyBOF
```
You will then need to exfiltrate the `messages.db` and `messages.db-wal` files from the compromised host and run `whatsapp_db_exporter.py` to decrypt the DB with the returned key.
- Kraftdenker's ZAPiXDESK tool, which inspired this tool and the process it follows.
GPLv3
- This tool does not extract information from the DB, as the BOF already took far longer than expected to write. Feel free to contribute an extraction tool; in the meantime, the decrypted DB can be opened with any DB viewer.
This tool was created by 0xRedpoll.
