#!/usr/bin/env python3
"""
Extract credentials, API keys, and sensitive data from mitmproxy traffic
"""

import json
import sys
from mitmproxy import io as mio
from mitmproxy.test import tflow

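# Header names containing any of these fragments are reported as credentials.
_SENSITIVE_HEADER_KEYWORDS = ("key", "token", "secret", "auth")
# URL fragments marking auth/tracking endpoints whose response preview is echoed.
_AUTH_URL_KEYWORDS = ("/auth", "/login", "/token", "/track")
# Response bodies at or above this size are not echoed, to keep the report readable.
_MAX_ECHOED_BODY = 1000
# Number of characters of each header value shown in the report.
_PREVIEW_LEN = 80


def _banner(title):
    """Print a section banner in the script's '=' ruled style."""
    print("\n" + "=" * 80)
    print(f"  {title}")
    print("=" * 80)


def _load_flows(filename):
    """Return every flow stored in the mitmproxy dump *filename*.

    Prints a message and returns None when the file cannot be opened or is
    not a readable mitmproxy dump (OSError, FlowReadException, ...); any
    read failure ends the run, so the catch is deliberately broad.
    """
    try:
        with open(filename, "rb") as f:
            return list(mio.FlowReader(f).stream())
    except Exception as e:
        print(f"[!] Error reading file: {e}")
        return None


def _status_of(flow):
    """Return the response status code, or "N/A" when the flow has no response."""
    return flow.response.status_code if flow.response else "N/A"


def _find_credentials(url, method, host, headers):
    """Return the credential records found in *headers* for one request.

    Header names are compared case-insensitively: HTTP/2 requests carry
    names in lowercase on the wire, so an exact "Authorization" lookup on a
    plain dict would miss them. Each header is classified exactly once, so
    an Authorization header no longer also appears a second time under the
    generic "auth" keyword match.

    Args:
        url: request URL.
        method: request method.
        host: value reported as the record's "host".
        headers: mapping of header name -> value (mitmproxy Headers or dict).
    """
    found = []
    for name, value in headers.items():
        lowered = name.lower()
        if lowered == "authorization":
            found.append({
                "url": url,
                "method": method,
                "authorization": value,
                "host": host,
            })
        elif lowered == "cookie":
            found.append({"url": url, "cookies": value, "host": host})
        elif any(word in lowered for word in _SENSITIVE_HEADER_KEYWORDS):
            found.append({"url": url, "header": f"{name}: {value}"})
    return found


def _echo_auth_response(flow, method, url):
    """Print a short preview of the response to an auth/login/token/track request.

    Returns True when a preview was printed and False when the response is
    absent, empty, too large, or its body cannot be decoded (mitmproxy
    raises ValueError for an undecodable Content-Encoding). Those cases are
    skipped on purpose; they are not errors in the capture.
    """
    response = flow.response
    if not response:
        return False
    try:
        raw = response.content
    except ValueError:
        return False
    if not raw:
        return False
    body = raw.decode("utf-8", errors="ignore")
    if len(body) >= _MAX_ECHOED_BODY:  # only small responses are readable inline
        return False
    print(f"\n[📍] {method} {url}")
    print(f"    Status: {response.status_code}")
    print(f"    Response: {body[:200]}")
    return True


def _print_credentials(credentials):
    """Print the AUTHORIZATION & CREDENTIALS section with truncated values."""
    _banner("AUTHORIZATION & CREDENTIALS")
    if not credentials:
        print("\n[!] No credentials found in headers")
        return
    for i, cred in enumerate(credentials, 1):
        print(f"\n[{i}] {cred.get('host', 'Unknown')}")
        if "authorization" in cred:
            print(f"    Authorization: {cred['authorization'][:_PREVIEW_LEN]}...")
        if "header" in cred:
            print(f"    {cred['header'][:_PREVIEW_LEN]}...")
        if "cookies" in cred:
            print(f"    Cookies: {cred['cookies'][:_PREVIEW_LEN]}...")


def _print_endpoints(api_endpoints):
    """Print the CANADA POST API ENDPOINTS section, one entry per unique method+path."""
    _banner("CANADA POST API ENDPOINTS")
    if not api_endpoints:
        print("\n[!] No API endpoints found")
        return
    seen = set()
    for endpoint in api_endpoints:
        # Query strings vary per call; collapse duplicates on method + path.
        key = f"{endpoint['method']} {endpoint['url'].split('?')[0]}"
        if key in seen:
            continue
        seen.add(key)
        print(f"\n{endpoint['method']:6} {endpoint['url'][:70]}")
        print(f"         Status: {endpoint['status']}")


def _print_firebase(firebase_data):
    """Print the FIREBASE TRAFFIC section (first 10 flows only)."""
    _banner("FIREBASE TRAFFIC")
    if not firebase_data:
        print("\n[!] No Firebase traffic found")
        return
    for item in firebase_data[:10]:
        print(f"\n{item['method']:6} {item['url'][:70]}")
        print(f"         Status: {item['status']}")


def analyze_traffic(filename):
    """Summarise credentials, API endpoints and Firebase traffic in a mitmproxy dump.

    Args:
        filename: path to a mitmproxy dump file.

    Prints the report to stdout and returns None (also on a read failure,
    after printing the error). The report contains the truncated values of
    Authorization/Cookie/API-key headers and previews of auth-endpoint
    responses, i.e. live secrets from the capture, so direct stdout
    accordingly. Flows without an HTTP request (TCP/DNS/UDP) are counted
    and skipped; a flow that raises while being inspected is reported and
    skipped rather than aborting the whole report.
    """
    print("=" * 80)
    print("  MITMPROXY TRAFFIC ANALYSIS")
    print("=" * 80)
    print()

    flows = _load_flows(filename)
    if flows is None:
        return

    print(f"[*] Loaded {len(flows)} HTTP flows")
    print()

    credentials = []
    api_endpoints = []
    firebase_data = []
    skipped = 0

    for flow in flows:
        request = getattr(flow, "request", None)
        if request is None:  # non-HTTP flows carry no request to inspect
            skipped += 1
            continue
        try:
            url = request.url
            method = request.method
            host = request.pretty_host

            credentials.extend(_find_credentials(url, method, host, request.headers))

            if "canadapost" in url or "api" in url:
                api_endpoints.append({"method": method, "url": url, "status": _status_of(flow)})

            if "firebase" in url:
                firebase_data.append({"method": method, "url": url, "status": _status_of(flow)})

            if any(word in url.lower() for word in _AUTH_URL_KEYWORDS):
                _echo_auth_response(flow, method, url)
        except Exception as e:  # one malformed flow must not abort the report
            skipped += 1
            print(f"[!] Skipping flow: {type(e).__name__}: {e}")

    if skipped:
        print(f"[*] Skipped {skipped} flow(s) without an inspectable HTTP request")

    _print_credentials(credentials)
    _print_endpoints(api_endpoints)
    _print_firebase(firebase_data)

    _banner("NEXT STEPS")
    print("\n1. Look for /track/ endpoints - these are the tracking APIs")
    print("2. Find the Authorization bearer tokens above")
    print("3. Use mitmproxy to inspect request bodies: mitmproxy -r canadapost_traffic.mitm")
    print("4. Look for patterns in Authorization headers (may contain userID)")
    print("\n" + "=" * 80)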

if __name__ == "__main__":
    # Exactly one positional argument is expected: the mitmproxy dump to analyse.
    args = sys.argv[1:]
    if not args:
        print("Usage: python extract_creds.py <mitm_file>")
        print("Example: python extract_creds.py canadapost_traffic.mitm")
        sys.exit(1)
    analyze_traffic(args[0])
