1. Introduction to QQ Voice Call
This tutorial is intended solely for professional contexts such as HVV and red-blue team exercises, and should not be used for illegal purposes.
3. Step-by-Step Tutorial for QQ Voice Call
First, we open Wireshark, and here we should be attentive to
In our scenario, we are in the second case, so we select WLAN
Method 1: Use CTRL+F String Search
Press Ctrl+F, choose Packet Details and String, and then enter the code (this is the characteristic that corresponds to QQ Voice).
Next, use QQ on the computer to make a voice call to the other person’s number. Once the call is answered, we click search to see the other person’s IP address.
Method 2: Enter Code in the Filter and Press Enter
Enter the code in the filter bar. The result is easier to read than with the first method.
Why 020048?
Many may wonder why this is the case. QQ Voice Call uses UDP for direct connections, which means the call is connected directly between the two parties without other servers. 020048 is the header of the protocol packet.
This is also why we can filter on it. UDP datagrams carry a header, but Wireshark offers no direct way to filter on this value, so we use a byte-slice expression instead: udp[8:x] reads x bytes starting at offset 8 (note: 8 is the fixed length of the UDP header in bytes, so offset 8 is the first byte of the payload). Because QQ's header does not change, either of these two methods locates the packets that contain the real IP.
Process for Identifying WeChat Voice IP Characteristics
If we do not know the characteristics, how do we attempt to find them? It’s quite simple. Connect your computer to a WiFi network, make a call with another WeChat account, and then open Wireshark. In the filter, enter the IP address we know (you can quickly find your IP on Baidu, and we have already obtained it, so enter it in the filter).
Then, we expand the details to see if the Data section contains similar characteristics.
Here we find that WeChat differs from QQ: its packet header follows a different pattern. Following the principle described earlier, the same kind of filter can be used.
Filter with data.len
This capture method is not as accurate as the first one (it does not miss data, but the result is filtered). It was inspired by a paper shared at a public conference by three researchers in September 2020, which described techniques for judgment based on three dimensions and resulted in a command that filters packets by Length between 120 and 150.
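To make the offset arithmetic concrete, here is an added example (not part of the original tutorial) that reproduces in Python what the udp[8:x] slice compares, with x = 3 for the 020048 header, and sets it beside the length-window heuristic. The function names, the constructed sample datagrams and the reading of the 120 to 150 window as payload length (data.len) are assumptions.

```python
import struct

UDP_HEADER_LEN = 8  # source port, destination port, length, checksum (2 bytes each)
QQ_VOICE_PREFIX = bytes.fromhex("020048")  # header value given on this page


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram (checksum left at 0) for the constructed samples."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


def udp_slice(datagram: bytes, offset: int, length: int) -> bytes:
    """Same bytes as the display-filter slice udp[offset:length]."""
    return datagram[offset:offset + length]


def matches_prefix(datagram: bytes, prefix: bytes = QQ_VOICE_PREFIX) -> bool:
    """Equivalent of comparing udp[8:len(prefix)] with the prefix bytes."""
    if len(datagram) < UDP_HEADER_LEN + len(prefix):
        return False  # truncated datagram: not enough payload bytes to compare
    return udp_slice(datagram, UDP_HEADER_LEN, len(prefix)) == prefix


def matches_length(datagram: bytes, low: int = 120, high: int = 150) -> bool:
    """Length heuristic; assumes the 120-150 window is the payload size (data.len)."""
    if len(datagram) < UDP_HEADER_LEN:
        return False
    declared = struct.unpack("!H", datagram[4:6])[0] - UDP_HEADER_LEN
    return low <= declared <= high and declared == len(datagram) - UDP_HEADER_LEN


# Constructed sample datagrams (not taken from a real capture).
SAMPLES = {
    "voice-like": build_udp(50000, 50001, QQ_VOICE_PREFIX + bytes(127)),
    "unrelated, 130-byte payload": build_udp(50002, 443, b"\x40" + bytes(129)),
    "prefix at wrong offset": build_udp(50003, 50004, b"\x00" + QQ_VOICE_PREFIX + bytes(60)),
    "truncated": build_udp(50005, 50006, b"\x02\x00")[:9],
}


def classify(samples=SAMPLES):
    """Return {name: (prefix_match, length_match)} for each sample."""
    return {n: (matches_prefix(d), matches_length(d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, result in classify().items():
        print(f"{name:30} prefix={result[0]} length={result[1]}")
```

The second sample passes the length window without carrying the header, which is the sense in which the length-based filter is less accurate than the prefix match.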
Are There Characteristics for Other Clients?
Do WeChat, DingTalk, and similar voice applications have characteristics?
The answer is yes, and we will share their characteristics here: