
Dawit's Tech Blog


WeChat Android Application Traffic Analysis and Pattern/Signature Extraction

InfoSec, Security, Social Media, Traffic Analysis


Many media-rich entertainment and communication applications have emerged on the Internet in recent years. They often use obfuscation techniques such as encrypted data transmission, random or changing ports, or proprietary communication protocols to avoid detection or filtering by network operators and content owners who see the traffic as a threat to their infrastructure, service availability or intellectual property. At the same time, most of these applications are built on open-source components: the protocols, libraries, databases and platforms they use are widely known and broadly similar, and only a few features are proprietary. WeChat, for example, uses standard TCP and UDP ports, but its packet structure differs from genuine HTTP and HTTPS, and it also uses random ports.

Instant messaging (IM) has become one of the main uses of mobile phones, with plenty of apps available and literally billions of messages exchanged every day. With the widespread availability of mobile data plans, IM and VoIP applications are rapidly replacing other forms of mobile communication such as text messages, voice calls and, in some situations, even e-mail. As conversations converge on IM applications, it is natural to ask how secure this communication channel actually is, and whether users can really trust IM apps and their back-end infrastructure. I decided to pick one of these applications and look under the hood to see how its developers tried to ensure the confidentiality of in-transit communications.

WeChat is a feature-rich and sophisticated mobile application that lets users communicate via text messages, video and voice calls, share photos, attach recorded voice and video messages, and much more. The app is available for several mobile platforms. Why WeChat? According to the Google Play Store, as of September 2016 WeChat for Android alone had more than 500 million downloads, and it has been advertised on international TV channels (DStv and others).

WeChat Version 6.3.22 (latest version at the time of writing)

  • Signaling VoIP
    • Udp port == 8080, 80
      • Offset[0] ==0xa1
      • Offset[1] ==0x08
      • Offset[7] ==0x10
      • Offset[9] ==0x18
      • Offset[10] ==0x28
      • Offset[11] ==0x22
      • Offset[12] ==0x28
    • Udp port == 32780, 34003, 40768, 42410, 40049
      • Offset[0] ==0xa3
      • Offset[5] ==0x08
      • Offset[11] ==0x10
      • Offset[13] ==0x18
      • Offset[14] ==0x28
      • Offset[15] ==0x22
      • Offset[16] ==0x28

  • WeChat Uplink and Downlink Traffic Opcodes
    • Udp port == 16285, 8080, 80 (Uplink Traffic)
      • Offset[5] ==0x0a
      • Offset[7] ==0x0a
      • Offset[8] ==0x06
      • Offset[9] ==0x08
      • Offset[11] ==0x10
      • Offset[12] ==0x03
    • Udp port == 16285, 8080, 80 (Downlink Traffic)
      • Offset[5] ==0x0a
      • Offset[7] ==0x0a
      • Offset[8] ==0x07
      • Offset[9] ==0x08
      • Offset[11] ==0x10
      • Offset[12] ==0x03
  • WeChat Data Payload Opcodes (real-time communication: text chat, audio calls, video calls, recorded and attached files)
    • Tcp Port == 8080, 80, 443, 5000
      • Packet Length: 70 bytes
      • Offset[4] ==0x00
      • Offset[5] ==0x10
      • Offset[6] ==0x00
      • Offset[7] ==0x01
    • WeChat Server Names
      • HTTP POST Method
        • Full Request URI: weixin.qq.com/mmtls/<8-digit code>
      • Tcp Port == 80
        • String 1 == qq.com (file attachments)
          • weixin.qq.com
        • String 2 == qpic.cn (picture attachments and emoji)
          • qpic.cn
        • User-Agent: MicroMessenger Client

WeChat Version 5.2.1 (older version)

  • Signaling VoIP
    • Udp port == 8080, 80 (unconfirmed)
      • Offset[0] ==0xa1
      • Offset[1] ==0x08
      • Offset[7] ==0x10
      • Offset[9] ==0x18
      • Offset[10] ==0x30
      • Offset[11] ==0x22
      • Offset[12] ==0x30
    • Udp port == 16043, 16050
      • Offset[0] ==0xa0
      • Offset[1] ==0x08
      • Offset[7] ==0x10
      • Offset[9] ==0x18
      • Offset[10] ==0x30
      • Offset[11] ==0x22
      • Offset[12] ==0x30
  • WeChat Data Payload Opcodes (real-time communication: text chat, audio calls, video calls, recorded and attached files)
    • Tcp Port == 8080, 80, 443, 5000
      • Offset[4] ==0x00
      • Offset[5] ==0x10
      • Offset[6] ==0x00
      • Offset[7] ==0x01
    • WeChat Uplink and Downlink Traffic Opcodes
      • Udp port == 8080, 80 (Uplink Traffic)
        • Offset[1] ==0x0a
        • Offset[3] ==0x0a
        • Offset[4] ==0x06
        • Offset[5] ==0x08
        • Offset[7] ==0x10
        • Offset[8] ==0x03
      • Udp port == 8080, 80 (Downlink Traffic)
        • Offset[1] ==0x0a
        • Offset[3] ==0x0a
        • Offset[4] ==0x07
        • Offset[5] ==0x08
        • Offset[7] ==0x10
        • Offset[8] ==0x03
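The offset tables above are a byte-pattern signature set, and the natural way to use them is to turn them into data a classifier or an IDS can consume. The Python below is an added example and is not code from the original post. It transcribes both version tables, classifies a UDP or TCP payload against them, checks the plaintext indicators from the "WeChat Server Names" list in an HTTP request, and emits an equivalent Suricata rule for any one signature. Two assumptions are marked in the code: "Packet Length: 70bytes" is read as the TCP payload length, and the eight-digit code in the mmtls path is matched as eight word characters because its exact alphabet is not given. All sample packets are constructed, not captured.

```python
import re
from dataclasses import dataclass


@dataclass
class Signature:
    name: str
    proto: str        # "udp" or "tcp"
    ports: frozenset  # fires if either the source or the destination port is listed
    bytes_at: dict    # {payload offset: expected byte}
    length: int = 0   # required payload length; 0 = not part of the signature


# Transcribed from the offset tables above. ASSUMPTION: "Packet Length: 70bytes"
# is taken to mean the TCP payload length, not the frame length.
SIGNATURES = [
    Signature("6.3.22 VoIP signaling", "udp", frozenset({8080, 80}),
              {0: 0xa1, 1: 0x08, 7: 0x10, 9: 0x18, 10: 0x28, 11: 0x22, 12: 0x28}),
    Signature("6.3.22 VoIP signaling (high ports)", "udp",
              frozenset({32780, 34003, 40768, 42410, 40049}),
              {0: 0xa3, 5: 0x08, 11: 0x10, 13: 0x18, 14: 0x28, 15: 0x22, 16: 0x28}),
    Signature("6.3.22 uplink", "udp", frozenset({16285, 8080, 80}),
              {5: 0x0a, 7: 0x0a, 8: 0x06, 9: 0x08, 11: 0x10, 12: 0x03}),
    Signature("6.3.22 downlink", "udp", frozenset({16285, 8080, 80}),
              {5: 0x0a, 7: 0x0a, 8: 0x07, 9: 0x08, 11: 0x10, 12: 0x03}),
    Signature("6.3.22 data payload", "tcp", frozenset({8080, 80, 443, 5000}),
              {4: 0x00, 5: 0x10, 6: 0x00, 7: 0x01}, length=70),
    Signature("5.2.1 VoIP signaling", "udp", frozenset({8080, 80}),
              {0: 0xa1, 1: 0x08, 7: 0x10, 9: 0x18, 10: 0x30, 11: 0x22, 12: 0x30}),
    Signature("5.2.1 VoIP signaling (16043/16050)", "udp", frozenset({16043, 16050}),
              {0: 0xa0, 1: 0x08, 7: 0x10, 9: 0x18, 10: 0x30, 11: 0x22, 12: 0x30}),
    Signature("5.2.1 data payload", "tcp", frozenset({8080, 80, 443, 5000}),
              {4: 0x00, 5: 0x10, 6: 0x00, 7: 0x01}),
    Signature("5.2.1 uplink", "udp", frozenset({8080, 80}),
              {1: 0x0a, 3: 0x0a, 4: 0x06, 5: 0x08, 7: 0x10, 8: 0x03}),
    Signature("5.2.1 downlink", "udp", frozenset({8080, 80}),
              {1: 0x0a, 3: 0x0a, 4: 0x07, 5: 0x08, 7: 0x10, 8: 0x03}),
]


def matches(sig, proto, sport, dport, payload):
    """True if a transport payload satisfies every constraint of one signature."""
    if proto != sig.proto or not ({sport, dport} & sig.ports):
        return False
    if sig.length and len(payload) != sig.length:
        return False
    # Each offset must lie inside the payload and hold the expected byte; a payload
    # shorter than its highest offset simply does not match (no IndexError).
    return all(off < len(payload) and payload[off] == val
               for off, val in sig.bytes_at.items())


def classify(proto, sport, dport, payload):
    """Names of every signature matching one packet; more than one may fire."""
    return [s.name for s in SIGNATURES if matches(s, proto, sport, dport, payload)]


def http_indicators(payload):
    """Plaintext indicators from the 'WeChat Server Names' list in a TCP/80 request."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, sep, v in (h.partition(":") for h in lines[1:]) if sep}
    host = headers.get("host", "").lower()
    found = []
    # ASSUMPTION: the "8 digit code" in the mmtls path is matched as eight word chars.
    if re.match(r"POST /mmtls/\w{8}\b", lines[0]):
        found.append("mmtls POST")
    found += [d for d in ("qq.com", "qpic.cn") if host == d or host.endswith("." + d)]
    if headers.get("user-agent", "").startswith("MicroMessenger Client"):
        found.append("MicroMessenger UA")
    return found


def suricata_rule(sig, sid):
    """Equivalent Suricata rule: one pinned one-byte content per offset, dsize for length."""
    ports = "[" + ",".join(str(p) for p in sorted(sig.ports)) + "]"
    opts = ['msg:"WeChat %s"' % sig.name]
    if sig.length:
        opts.append("dsize:%d" % sig.length)
    # offset:N together with depth:1 limits the match to exactly payload byte N.
    opts += ['content:"|%02x|"; offset:%d; depth:1' % (val, off)
             for off, val in sorted(sig.bytes_at.items())]
    return "alert %s any any <> any %s (%s; sid:%d; rev:1;)" % (
        sig.proto, ports, "; ".join(opts), sid)


def _payload(length, bytes_at):
    """Constructed sample payload: zero-filled apart from the signature bytes."""
    buf = bytearray(length)
    for off, val in bytes_at.items():
        buf[off] = val
    return bytes(buf)


# Constructed samples, not captured traffic.
VOIP_6322 = _payload(40, SIGNATURES[0].bytes_at)
UPLINK_6322 = _payload(40, SIGNATURES[2].bytes_at)
DATA_70 = _payload(70, SIGNATURES[4].bytes_at)
HTTP_REQ = (b"POST /mmtls/12345678 HTTP/1.1\r\nHost: weixin.qq.com\r\n"
            b"User-Agent: MicroMessenger Client\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(classify("udp", 40001, 8080, VOIP_6322), http_indicators(HTTP_REQ))
    print(suricata_rule(SIGNATURES[0], 9000001))
```

Two things the tables themselves show and the matcher makes visible: several signatures can fire on one packet (the TCP data-payload bytes are identical across the two versions and differ only in the length constraint), and the uplink/downlink offsets moved by four bytes between 5.2.1 and 6.3.22, so any deployed rule set built from byte offsets has to be re-verified against each new release of the app.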

WeChat IP Addresses

Shenzhen Tencent Computer Systems Company Limited

  • 205.176.0/22
  • 205.176.0/24
  • 205.128.0/19
  • 205.147.0/24
  • 205.151.0/24
  • qpic.wechatos.net (unconfirmed)
  • 105.66.87 (unconfirmed)

My next posts will be on WhatsApp or Viber. Check back for them.
