A powerful Open Source Intelligence (OSINT) toolkit for WhatsApp reconnaissance and metadata collection during authorized penetration testing engagements.
FOR AUTHORIZED PENETRATION TESTING ONLY
This toolkit is designed exclusively for:
- Authorized penetration testing engagements with written permission
- Security research with proper authorization
- Educational purposes in controlled environments
- Defensive security operations
You MUST have:
- Written authorization from the target organization
- Documented scope of testing
- Compliance with all applicable laws and regulations
Unauthorized use may violate:
- Computer Fraud and Abuse Act (CFAA)
- WhatsApp Terms of Service
- Privacy laws (GDPR, CCPA, etc.)
- Local and international laws
The authors assume no liability for misuse of this tool.
- Check if phone numbers are registered on WhatsApp
- Bulk validation from file
- Extract basic profile information
- Export results (JSON, CSV)
- Extract profile pictures
- Scrape "About" sections
- Collect status messages
- Gather profile metadata
- Bulk profile scraping
- Real-time online/offline monitoring
- Activity pattern analysis
- Typing status detection
- Last seen information
- Duration-based tracking with statistics
- Live dashboard display
- List all groups
- Extract group member lists
- Identify group administrators
- Scrape group descriptions
- Analyze group invite links
- Comprehensive HTML reports
- JSON export for automation
- CSV export for spreadsheet analysis
- Visual activity timelines
- Statistical analysis
- Random delays between actions
- User agent rotation
- Rate limiting
- Persistent sessions
- Headless mode support
- Python 3.8+
- Google Chrome browser
- ChromeDriver (automatically managed)
- WhatsApp account for Web access
cd Darkapp
pip install -r requirements.txt
chmod +x darkapp.py
# Install Python dependencies
pip install selenium webdriver-manager requests beautifulsoup4 pandas
pip install openpyxl python-dotenv colorama rich pillow phonenumbers
pip install aiohttp qrcode pyfiglet tqdm
# Install Chrome (if not already installed)
# Ubuntu/Debian:
sudo apt update && sudo apt install -y google-chrome-stable
# Arch Linux:
sudo pacman -S chromium
# Start the toolkit
python3 darkapp.py
# Run in headless mode (no GUI)
python3 darkapp.py --headless
# Specify engagement name
python3 darkapp.py --engagement "ClientName Pentest 2025"
- Launch the toolkit:
  python3 darkapp.py
- Scan QR Code:
  - WhatsApp Web will open in Chrome
  - Scan the QR code with your phone
  - The session will be saved for future use
- Navigate the menu:
  - Select operations from the interactive menu
  - Follow on-screen prompts
1. Select "Phone Validator" from main menu
2. Choose single or bulk validation
3. For bulk: prepare a text file with numbers (one per line)
Example format:
+1234567890
+447700900000
+919876543210
4. Export results in JSON or CSV format
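The authorization requirements above call for a documented scope, and the bulk file holds one number per line. As an added example (not part of the Darkapp code base), the check below filters a bulk list against a written scope list before anything is submitted; the function names, the scope-file format and the sample data are assumptions.

```python
import re

# Assumed E.164 shape: "+" then 8 to 15 digits, first digit non-zero.
E164 = re.compile(r"^\+[1-9]\d{7,14}$")

# Constructed sample data, reusing the placeholder numbers from the format example.
SAMPLE_SCOPE = "# numbers listed in the signed scope document\n+1234567890\n+447700900000\n"
SAMPLE_TARGETS = "+1234567890\n+44 7700 900000\n+919876543210\n12345\n+1234567890\n"


def normalize(raw):
    """Strip spaces, dashes, dots and parentheses; return E.164 text or None."""
    cleaned = re.sub(r"[\s\-().]", "", raw)
    return cleaned if E164.match(cleaned) else None


def load_numbers(text):
    """Parse one-number-per-line text, skipping blank lines and '#' comments."""
    valid, malformed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        number = normalize(line)
        if number:
            valid.append(number)
        else:
            malformed.append(line)
    return valid, malformed


def gate_targets(targets_text, scope_text):
    """Split a bulk list into in-scope, out-of-scope and malformed entries."""
    scope, bad_scope = load_numbers(scope_text)
    if bad_scope:
        # Fail closed: an unreadable scope entry must be fixed, not ignored.
        raise ValueError(f"scope list has malformed entries: {bad_scope}")
    allowed = set(scope)
    targets, malformed = load_numbers(targets_text)
    in_scope, out_of_scope = [], []
    for number in dict.fromkeys(targets):  # de-duplicate, keep file order
        (in_scope if number in allowed else out_of_scope).append(number)
    return {"in_scope": in_scope, "out_of_scope": out_of_scope, "malformed": malformed}


if __name__ == "__main__":
    print(gate_targets(SAMPLE_TARGETS, SAMPLE_SCOPE))
```

Only the `in_scope` list should be passed on; the `out_of_scope` and `malformed` lists belong in the engagement record.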
1. Select "Profile Scraper"
2. Enter target phone number(s)
3. Tool will extract:
- Profile name
- Profile picture (saved to data/)
- About/Status
- Metadata
4. Export scraped profiles
1. Select "Activity Tracker"
2. Enter target phone number
3. Specify:
- Duration (minutes)
- Check interval (seconds)
4. Monitor real-time activity:
- Online/Offline status
- Typing indicators
- Last seen times
5. View statistical analysis
6. Export activity log
1. Select "Group Intelligence"
2. Options:
- List all groups you're part of
- Get detailed info on specific group
- Analyze group invite links
3. Extract:
- Member lists
- Admin identities
- Group metadata
4. Export group data
1. Collect data using various modules
2. Select "Generate Report"
3. Choose format:
- JSON: For automation/parsing
- CSV: For spreadsheet analysis
- HTML: Professional presentation report
- All: Generate all formats
4. Reports saved to exports/ directory
Darkapp/
├── darkapp.py                  # Main CLI interface
├── config.py                   # Configuration settings
├── utils.py                    # Utility functions
├── requirements.txt            # Python dependencies
├── README.md                   # Documentation
├── modules/
│   ├── phone_validator.py      # Phone validation module
│   ├── profile_scraper.py      # Profile scraping module
│   ├── activity_tracker.py     # Activity monitoring module
│   ├── group_intel.py          # Group intelligence module
│   └── report_generator.py     # Report generation module
├── data/                       # Profile pictures and data
├── logs/                       # Activity logs
├── exports/                    # Generated reports
└── chrome_profile/             # Persistent Chrome session
Edit config.py to customize:
# Rate limiting (seconds)
MIN_DELAY = 2
MAX_DELAY = 5
# Tracking settings
TRACKING_INTERVAL = 30
MAX_TRACKING_DURATION = 3600
# Browser settings
HEADLESS_MODE = False
IMPLICIT_WAIT = 10
# Export format
EXPORT_FORMAT = "all" # json, csv, html, all
- Enumerate employee WhatsApp accounts
- Map organizational communication channels
- Identify key personnel and hierarchies
- Test social engineering attack surfaces
- Demonstrate OSINT capabilities
- Show metadata exposure risks
- Educate on privacy settings
- Reconnaissance phase intelligence gathering
- Target profiling and behavior analysis
- Communication pattern mapping
Best Practices:
- Use a dedicated phone number for OSINT operations
- Create a separate WhatsApp account not linked to personal identity
- Use VPN to mask IP address
- Enable headless mode to reduce fingerprinting
- Respect rate limits to avoid detection
- Document all activities for engagement reporting
- Delete sensitive data after engagement completion
{
"engagement": "Assessment Name",
"generated": "2025-01-15 14:30:00",
"phone_validation": [...],
"profiles": [...],
"activity_logs": [...],
"groups": [...]
}
Separate CSV files for each data type:
- phone_validation_20250115.csv
- profiles_20250115.csv
- activity_log_20250115.csv
- groups_20250115.csv
Professional HTML report with:
- Executive summary
- Visual timelines
- Statistical analysis
- Detailed findings
- Recommendations
Solution: Update Chrome and ChromeDriver to latest versions
Solution: Increase IMPLICIT_WAIT in config.py
Solution: Increase delays in config.py, use headless mode
Solution: Check permissions on data/ directory
Solution: Ensure chrome_profile/ directory is persistent
from modules.phone_validator import PhoneValidator
from modules.profile_scraper import ProfileScraper
# Initialize
validator = PhoneValidator(headless=True)
validator.start()
# Check numbers
result = validator.check_number("+1234567890")
print(result)
# Scrape profile
scraper = ProfileScraper(driver=validator.driver)
profile = scraper.scrape_profile("+1234567890")
# Cleanup
validator.stop()
#!/usr/bin/env python3
from modules.phone_validator import PhoneValidator
from modules.report_generator import ReportGenerator
# Load targets (one number per line, blank lines skipped)
with open("targets.txt") as fh:
    targets = [line.strip() for line in fh if line.strip()]
# Run validation
validator = PhoneValidator(headless=True)
validator.start()
results = validator.check_bulk(targets)
validator.stop()
# Generate report
report = ReportGenerator("Automated Scan")
report.add_data("phone_validation", results)
report.generate_html_report()
This is a security research tool. Contributions welcome:
- Bug fixes
- New OSINT modules
- Improved stealth techniques
- Better reporting features
DO NOT contribute features that:
- Bypass WhatsApp security controls
- Enable mass surveillance
- Facilitate harassment or stalking
This tool is provided for educational and authorized security testing purposes only.
Developed for the penetration testing community.
Built with:
- Selenium WebDriver
- Rich CLI framework
- Pandas data analysis
- Beautiful Soup parsing
For issues and questions:
- Check troubleshooting section
- Review logs in logs/ directory
- Ensure proper authorization before use
Remember: With great power comes great responsibility. Use ethically and legally.