Is that possible to hack whatsapp or anything that login with QR code ??. The answer is YES. You can hijack login sessions with QRLJacking, this tool is use QR code to hijack any applications login sessions. A lot of applications use QR code to login on their account (whatsapp, line and many more).
QRLJacking Exploitation Framework
QRLJacker is a highly customizable exploitation framework to demonstrate “QRLJacking Attack Vector” to show how it is easy to hijack services that depend on QR Code as an authentication and login method, Mainly it aims to raise the security awareness regarding all the services using the QR Code as a main way to login users to different services!
Prerequisites before installing:
- Linux or MacOS. (Not working on windows)
- Python 3.7+
Note: Don’t install QRLJacker and Firefox as root in a regular user’s session because it’s not supported by Firefox which would give error on running modules in framework.
Important note: If you have multiple python version, use
python3.7 command instead of
python3 in the following steps and use
python3.7 -m pip instead of
pip3 or even
python3 -m pip because that’s the reason of 95% of the issues opened here. I think people often skip the important parts
- Update Firefox browser to the latest version
- Install the latest geckodriver from https://github.com/mozilla/geckodriver/releases and extract the file then do :
chmod +x geckodriver
sudo mv -f geckodriver /usr/local/share/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver
- Clone the repo with
git clone https://github.com/OWASP/QRLJackingthen do
- Install all the requirements with
pip install -r requirements.txt
- Now you can run the framework with
python3 QrlJacker.py --help
- Ubuntu 18.04 Bionic Beaver
- Kali Linux 2018.x and up
Main menu help
Module menu help
Sessions command help menu
Jobs command help menu
Taking advantage of the core
The autocomplete feature that has been implemented in this framework is not the usual one you always see, here are some highlights:
- It’s designed to fix typos in typed commands to the most similar command with just one tab click so
searchand so on, even if you typed any random word similar to an command in this framework.
- For you lazy-ones out there like me, it can predict what module you are trying to use by typing any part of it. For example if you typed
use whand clicked tab, it would be replaced with
use grabber/whatsappand so on. I can see your smile, You are welcome!
- If you typed any wrong command then pressed enter, the framework will tell you what is the nearest command to what you have typed which could be the one you really wanted.
- Some less impressive things like autocomplete for options of the current module after
setcommand, autocomplete for modules after
infocommands and finally it converts all uppercase to lowercase automatically just-in-case you switched cases by mistake while typing.
- Finally, you’ll find your normal autocopmletion things you were using before, like commands autocompletion and persistent history, etc…
- As you may noticed, you can use a resource file from command-line arguments before starting the framework itself or send commands directly.
- Inside the framework you can use
makerccommand like in Metasploit but this time it only saves the correct important commands.
- There are
resourcecommands so you don’t need to exit the framework.
- You can execute as many commands as you want at the same time by splitting them with semi-colon and many more left to be discovered by yourself.
- Searching for modules in QRLJacker is so easy, you can search for a module by its name, something written in its description or even the author name.
- Before reporting an issue, activate the debug mode by using the
debugcommand or the debug commandline argument and once the error happens again, the framework will print the error trace-back. Also debug mode activates some hidden commands which will help us in debugging the error and fix the problem for you.
- Finally, make sure when reporting the issue to provide the very basic info like your system, python version and the output from the debugging mode.
If you want to write your own module, read the development docs from here
- Write modules for other websites and services.
- Write post-exploitation modules for the framework.