whatsmap – Mapping WhatsApp via Go API and CLI

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/Cfomodz/whatsmap
• Blog Title: whatsmap – Mapping WhatsApp via Go API and CLI
• Suggested Section: generic-hacking/exfiltration or pentesting-web/web-recon-methodology (new subsection on abusing reverse-engineered messaging/web protocols and media decryption patterns)

🎯 Content Summary

whatsmap is a Go-based fork of the whatsmeow library that exposes WhatsApp’s multi-device protocol via an automation-friendly API and a CLI. It is intended to “map WhatsApp via API”, i.e., provide structured, programmatic access to WhatsApp accounts (messages, media, groups, calls, app state) without using the official client. This makes it useful for bots, integrations, monitoring, or offensive automation, though the repository itself do...

🔧 Technical Details

Programmatic control over WhatsApp multi-device protocol
The core technique is to wrap WhatsApp Web’s multi-device protocol in a Go client that maintains a long-lived WebSocket/TLS session plus local state. By implementing QR-based pairing, storing identity and session keys, and exposing methods like SendMessage, SendPresence, and group/broadcast management, an operator can fully control a WhatsApp account programmatically. This pattern applies to any reverse-engineered web client where you can replicate the login flow, maintain keys, and model the protocol in code.

Mapping proprietary events into normalized JSON schemas
The mapper and types packages show a general integration pattern: subscribe to low-level protocol events (protobufs/binary nodes), convert them into stable domain-specific structs (e.g., JSON with fields like from, to, message_id, times...

🤖 Agent Actions

Summary:

• Added a new “Reverse-engineered Messaging APIs (WhatsApp multi-device mapping)” section to src/generic-hacking/exfiltration.md detailing how to build/pair the whatsmap client, normalize WhatsApp events via whatsmeow handlers, decrypt encrypted media blobs, and weaponize RTT-based probing for stealthy device-state reconnaissance, including OPSEC considerations.
• Expanded the references list with citations to the whatsmap repository and the Careless Whisper research paper supporting the new techniques.

Testing:

• Not run (not applicable).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/Cfomodz/whatsmap

Content Categories: Based on the analysis, this content was categorized under "generic-hacking/exfiltration or pentesting-web/web-recon-methodology (new subsection on abusing reverse-engineered messaging/web protocols and media decryption patterns)".

Repository Maintenance:

• MD Files Formatting: 915 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0