A complete GhostPairing attack simulation lab with real browser automation that demonstrates actual WhatsApp account hijacking techniques.
This lab simulates a real GhostPairing attack using browser automation:
- Victim enters phone number on phishing page
- Firefox automation opens to real web.whatsapp.com
- Automation enters victim's phone number in WhatsApp Web
- WhatsApp sends REAL verification code to victim's phone
- Victim enters code on phishing page
- Automation captures code and enters it in WhatsApp Web
- Account hijacked - Attacker's browser is now paired with victim's WhatsApp
FOR AUTHORIZED SECURITY RESEARCH AND EDUCATION ONLY
- ONLY test with phone numbers YOU OWN
- NEVER use against non-consenting individuals
- This performs REAL WhatsApp pairing - actual account access
- Violation of computer fraud laws is a serious crime
- Use only in controlled, authorized environments
```bash
# Clone repository
git clone https://github.com/valITino/ghostpairing-lab
# Go to the cloned directory
cd ghostpairing-lab
# Make scripts executable
chmod +x *.sh
# Run setup (installs Firefox, Playwright, dependencies)
./setup.sh
# Wait for installation
./run.sh
```
Choose mode:
- Local Only: Test on localhost:8000
- Public Tunnel: Expose via cloudflared (for authorized testing only)
Access the admin dashboard at http://localhost:8000/admin to see real-time attack monitoring.
Remember: This is a live attack tool. Use responsibly and only on systems you own.