# CREDENTIAL EXTRACTION TOOLKIT ## Summary You now have a complete toolkit to extract credentials and test APIs from the Canada Post Android app. Here's what's available: --- ## 🎯 Quick Start (3 Steps) ### Step 1: Start Traffic Capture ```bash # Terminal 1: Start mitmproxy mitmproxy -p 8080 -w canadapost_traffic.mitm ``` ### Step 2: Run App with Frida ```bash # Terminal 2: Launch app with bypass + credential capture frida -U -f com.canadapost.android -l frida_simple_bypass.js -l extract_live_credentials.js ``` ### Step 3: Generate Traffic In the app: - Wait for login screen - Try to login (if you have test credentials) - Navigate to Tracking - Enter a package number - Watch for API calls --- ## 📚 Available Tools ### 1. **FULL_CAPTURE_AND_ANALYZE.bat** ⭐ RECOMMENDED - Automated workflow combining everything - Starts mitmproxy if not running - Launches app with Frida - Automatically analyzes captured traffic - **USE THIS** if you want the simplest approach ```bash .\FULL_CAPTURE_AND_ANALYZE.bat ``` ### 2. **extract_creds.py** Extracts all credentials from captured mitmproxy traffic ```bash python extract_creds.py canadapost_traffic.mitm ``` **Output shows:** - Authorization headers (Bearer tokens) - API keys and tokens - Session cookies - All API endpoints called - Firebase traffic ### 3. **extract_live_credentials.js** Frida script to intercept credentials in real-time ```bash frida -U -f com.canadapost.android -l extract_live_credentials.js ``` **Intercepts:** - Token injection (when Authorization header is added) - HTTP requests/responses - SharedPreferences writes - Firebase API calls ### 4. **decode_jwt.py** Decodes JWT tokens to see what data they contain ```bash python decode_jwt.py "eyJhbGc..." # OR extract tokens from mitmproxy dump: python decode_jwt.py --file canadapost_traffic.mitm --list ``` **Shows:** - Token expiration time - User ID (if present) - All claims in the token - Token type (User/App/Firebase) ### 5. **test_apis.py** Tests Canada Post APIs with extracted credentials ```bash # Test tracking API python test_apis.py --track 1234567890 --token "your_bearer_token" # Test auth endpoints python test_apis.py --auth --token "your_bearer_token" # Test mobile integration API python test_apis.py --integration --token "your_bearer_token" ``` ### 6. **frida_simple_bypass.js** The main security bypass script (already proven working) - ✅ Bypasses SSL pinning - ✅ Hides root/emulator detection - ✅ Prevents license check crash - ✅ Blocks System.exit() --- ## 🔄 Complete Workflow ### Scenario 1: Quick Traffic Capture (Recommended) ```bash # One command does everything: .\FULL_CAPTURE_AND_ANALYZE.bat # Then: # 1. In the app, perform actions (login, track) # 2. Wait for analysis # 3. Check output for tokens ``` ### Scenario 2: Manual Traffic Analysis ```bash # Terminal 1 - Start capture mitmproxy -p 8080 -w canadapost_traffic.mitm # Terminal 2 - Run app frida -U -f com.canadapost.android -l frida_simple_bypass.js -l extract_live_credentials.js # Terminal 3 (after app session ends) - Analyze python extract_creds.py canadapost_traffic.mitm # If you captured a Bearer token: python decode_jwt.py --file canadapost_traffic.mitm --list ``` ### Scenario 3: API Testing with Captured Token ```bash # 1. Capture traffic and extract token (see above) # 2. Find the Bearer token in output # 3. Test the tracking API: python test_apis.py --track 1234567890 --token "eyJhbGc..." # Results saved to: api_test_results.json ``` --- ## 🔑 What You're Looking For ### High Value Findings 1. **User Session Token** (Bearer Token) ``` Authorization: Bearer eyJhbGc... ``` - Can access that user's data - Usually expires after 1-24 hours - **Most valuable finding** 2. **Firebase App Check Token** - Returned from firebaseappcheck.googleapis.com - Can be reused for other Firebase requests - Format: `{"token": "..."}` 3. **Tracking API Endpoint** - URL pattern: `/track/{package_id}` or similar - Shows the tracking query structure - May reveal user data exposure 4. **AWS Credentials** - If returned in API responses - Temporary (15-60 minutes) - Format: `AccessKeyId`, `SecretAccessKey`, `SessionToken` 5. **User ID** - In JWT tokens or API responses - Useful for enumeration attacks - Check if IDs are sequential/predictable --- ## 📊 Understanding the Output ### From extract_creds.py: ``` [Authorization & Credentials] [1] firebase-app-check-endpoint Authorization: Bearer eyJhbGc... [2] mobile-integration-api Authorization: Bearer eyJ... [Canada Post API Endpoints] GET https://mobileintegration.1eqh5zpddmks.us-east.codeengine.appdomain.cloud/api/v1/track/... Status: 200 ``` ### From decode_jwt.py: ``` [JWT Token Analysis] [📋] Header: alg: RS256 kid: ... [📊] Payload: user_id: 12345 [⭐ USER ID] email: user@example.com exp: 1700000000 (2024-11-15 10:00:00) [⏰] Token expires in: 0:58:30 [🔍] Token Type: User Session Token ``` ### From test_apis.py: ``` [*] Testing: GET https://.../track/1234567890 Status: 200 Response: {"tracking_number": "1234567890", "status": "In Transit", ...} ``` --- ## ⚠️ Important Notes 1. **Token Expiration**: Session tokens expire (usually 1 hour) - Capture fresh traffic each time - Check expiration in decoded JWT 2. **Rate Limiting**: Test APIs responsibly - Don't send thousands of requests - Watch for 429 (Too Many Requests) responses 3. **User Privacy**: Extracted tokens contain user data - Don't share publicly - Be careful when testing with real accounts 4. **Firefox Certificate**: Required for HTTPS interception - Already installed on emulator - Makes mitmproxy work correctly 5. **Frida Bypass**: All security measures disabled - App thinks it's on real device - Safe to use without worrying about root detection --- ## 🐛 Troubleshooting ### Issue: No Bearer tokens found **Solution:** - Make sure you logged in within the app - Check that Authorization header was actually sent - Try tracking a package or accessing user data - Use `mitmproxy -r canadapost_traffic.mitm` to manually inspect ### Issue: mitmproxy not intercepting HTTPS **Solution:** - Check certificate is installed: `adb shell ls /data/misc/user/0/cacerts-added/` - Reinstall Firefox with certificate - Make sure Firefox is the default browser ### Issue: Frida script errors **Solution:** - Check frida-server is running: `adb shell "ps | grep frida"` - Verify app package name: `adb shell pm list packages | grep canada` - Use `-l` flag to load script: `frida -U -f com.canadapost.android -l script.js` ### Issue: "Extract_creds.py not found" **Solution:** - Make sure you're in the same directory as the script - Check Python is installed: `python --version` - Use full path: `python C:\path\to\extract_creds.py canadapost_traffic.mitm` --- ## 📈 Next Phases ### Phase 1: Initial Extraction (Current) - ✅ Capture traffic - ✅ Extract tokens - ✅ Decode JWT to see token claims - ✅ Get API endpoints ### Phase 2: API Testing - Test extracted tokens against APIs - Map all endpoints - Check for authorization vulnerabilities - Try user enumeration ### Phase 3: Credential Validation - Use extracted AWS credentials - Test Firebase APIs - Check if tokens are reusable - Find token refresh patterns ### Phase 4: Deeper Analysis (Optional) - Check for hardcoded secrets - Analyze encryption keys - Test for time-based TOTP/OTP - Look for backup API keys --- ## 🎬 Running the Complete Workflow **Easiest way (all-in-one):** ```bash .\FULL_CAPTURE_AND_ANALYZE.bat ``` **Then in the app, perform these actions:** 1. Wait 2 seconds for login screen 2. Try logging in (use test account if available) 3. Try tracking a package (any package number) 4. Wait 10 seconds 5. Exit the app or close the terminal **Automatic analysis will show:** - All captured API endpoints - Authorization headers and tokens - Firebase traffic - Recommendations for next steps --- ## 📞 Commands Reference ```bash # Start mitmproxy only mitmproxy -p 8080 -w canadapost_traffic.mitm # Start app with bypass only frida -U -f com.canadapost.android -l frida_simple_bypass.js # Start app with bypass + credential capture frida -U -f com.canadapost.android -l frida_simple_bypass.js -l extract_live_credentials.js # Analyze captured traffic python extract_creds.py canadapost_traffic.mitm # Find and list all tokens in traffic python decode_jwt.py --file canadapost_traffic.mitm --list # Decode a specific token python decode_jwt.py "eyJhbGciOiJSUzI1NiIs..." # Test tracking API with token python test_apis.py --track 1234567890 --token "your_token_here" # View traffic interactively mitmproxy -r canadapost_traffic.mitm # Connect to running emulator adb connect 192.168.226.101:5555 # Check if frida-server is running adb shell "ps | grep frida" ``` --- ## ✅ Checklist Before running traffic capture: - [ ] Emulator running and reachable - [ ] Frida server installed: `adb shell "ps | grep frida"` - [ ] mitmproxy installed: `pip install mitmproxy` - [ ] Python 3.6+ installed: `python --version` - [ ] All .js files in same directory as .bat files - [ ] All .py files ready to use Ready to start? Run: `.\FULL_CAPTURE_AND_ANALYZE.bat`