Who’s behind that WhatsApp!

s0cia1D3m0n
May 16 · 5 min read

Have any of you ever come across a fishy and suspicious situation wherein you don’t know anything about the person except the virtual personality that they portray in front of you? In this article, I will try to find the whereabouts of a person through a mere WhatsApp message and show how anyone can go about revealing the person cloaked under the “virtual media”.


This article is divided into four parts:

3. What do we learn

4. A glimpse of part 2

What happened?

It all started when I returned after attending a technical seminar and got a WhatsApp message from a girl. She said that she was one of the organizers of the seminar and needed feedback on it. I happily replied and answered all of her questions. Things started getting fishy when she asked me about my interests and personal life, like relationship status etc. I searched for her all over the net and for her digital footprints (i.e. Insta, FB, LinkedIn) but could not find her anywhere. I asked the other organizers about her, and they said there’s no one with this number or name on the team.


Now, I knew that someone was trying to mess with me. I had two options, i.e., either to block her and move on or to find out who’s behind all this the hacker way. As you all know, it’s quarantine time and we don’t have much to do all day. So I decided to start social engineering her. For the record, let’s name her SHIZUKA.

Preparation for Battle

Let’s put on a hoodie, dim some lights and find who’s behind all this.


Step 1: We chatted for two days to gain some trust. We both had lots of time to waste. 😂

Step 2: Make notes of each detail given to her (in my case name, college, location, and job).


Battle Begins

One thing to note: I will only perform passive recon (no hacking).

1. Find Shizuka’s location

I asked her about her interests and one of them was Java. So I started asking her easy questions via screenshots.

Weapon 1: There’s a website https://iplogger.org/ which provides you an image URL that can be pasted in any forum’s posts, and as soon as someone sees that post his/her IP gets logged into the web site’s database which can be reviewed later.

I did the same: I took a less-visited HackerRank forum page, pasted the image in the comments section, sent the link to Shizuka, and asked her to solve it.


WHAT I GOT: IP address, location, information about her mobile, and at what time she visited the site.

2. Find Shizuka’s college

She shared some random pictures of her cafeteria and pets, which can’t be used for anything as they are compressed and their location tagging (EXIF data) is stripped off, so I asked her to send one of the images as a document on WhatsApp.

Weapon 2: There’s a website https://www.pic2map.com/ which gives you the location where that picture was clicked.

So, with this, I got her college’s name. I got deeper (that’s what she said 🤣) and downloaded the timetable (“TT”) of the college, and asked her which subjects she studied today.


And as expected, they were not the same as mentioned in the TT, so she was lying about the college.
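The reason a photo sent "as a document" gives away a location is that the file arrives unmodified, with its Exif block intact. The following is an added example, not part of the original write-up: a check you can run on your own photos before sharing them, which walks the JPEG header segments, reports whether the Exif block carries a GPS directory, and removes the Exif segment. The function names and the sample file are constructed for illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points to the GPS sub-directory

def segments(jpeg):
    """Yield (marker, raw_segment) for header segments, then (None, rest) from SOS on."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        if jpeg[pos + 1] == 0xDA:  # start of scan: compressed pixels follow
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("corrupt or truncated segment")
        yield jpeg[pos + 1], jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield None, jpeg[pos:]

def is_exif(marker, seg):
    return marker == 0xE1 and seg[4:10] == EXIF_HEADER

def has_gps(jpeg):
    """True if any Exif segment's IFD0 contains a GPS directory pointer."""
    for marker, seg in segments(jpeg):
        if not is_exif(marker, seg):
            continue
        tiff = seg[10:]  # TIFF header starts right after "Exif\0\0"
        order = "little" if tiff[:2] == b"II" else "big"
        ifd0 = int.from_bytes(tiff[4:8], order)
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) == 12 and int.from_bytes(entry[:2], order) == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed; pixel data is untouched."""
    kept = [seg for marker, seg in segments(jpeg) if not is_exif(marker, seg)]
    return b"\xff\xd8" + b"".join(kept)

def sample_jpeg():
    """Constructed input (not a decodable photo): SOI, Exif APP1 with GPS pointer, COM, SOS, EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">IHHHII", 8, 1, GPS_IFD_TAG, 4, 1, 26) + bytes(10)
    app1 = b"\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_HEADER + tiff
    return b"\xff\xd8" + app1 + b"\xff\xfe\x00\x06demo" + b"\xff\xda\x00\x02\x11\x22\xff\xd9"
```

On a real photo, read the file in binary mode, call `has_gps` on the bytes, and write the output of `strip_exif` to a new file before sending it.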

3. Check her WhatsApp DP

She used to update her WhatsApp picture daily like other girls 😅. She was lying so blatantly that it made me wonder whether she was using her own WhatsApp DP or not. She could be using someone’s picture from Instagram. Now, it’s time for another weapon for this task.

This can be done in two ways: one is a lot simpler and more user friendly but less effective, and the other is a bit techie and needs Linux. I will brief you all about both. 😎

Simpler: These are some websites which take an image as input and give its source as output.

You can upload the image of someone and it will search for it everywhere except social media platforms, but it will try to search for familiar faces.

Harder: This tool can search Instagram (not private accounts), YouTube, Facebook, and Twitter for the person. It just needs one image and the name of the person. Isn’t it great? But it comes at a cost: you need to set it up on your machine and give it some time to search.

https://github.com/ThoughtfulDev/EagleEye

Here’s the tool link; all the setup instructions and how to use it are given in the link. So I just took the WhatsApp DP and name. Voila, I got a link to a shady Blogspot website with some pictures that she used. The owner of the website had an Instagram account.


What do we learn

A glimpse of part 2

Here’s the end of part one.

Thanks for reading! If you enjoyed this story, please click the 👏 button and share it to help others! Feel free to leave a comment 💬 below. Have feedback?

FIN!
