
gRPC

Identify gRPC services via reflection

If reflection is not enabled, another way is described in this write-up.

The tool grpcurl will be used for this operation.

# List available services exposed on host "fc.xlm-box.com:443"
$ grpcurl fc.xlm-box.com:443 list
grpc.reflection.v1alpha.ServerReflection
identity.Auth

# List available methods for the service named "identity.Auth" 
$ grpcurl fc.xlm-box.com:443 list identity.Auth
identity.Auth.GetSalt
identity.Auth.GetUser
identity.Auth.GetUsers

# Get the signature of the method named "identity.Auth.GetUsers"
$ grpcurl fc.xlm-box.com:443 describe identity.Auth.GetUsers
identity.Auth.GetUsers is a method:
rpc GetUsers ( .identity.UsersRequest ) returns ( stream .identity.UserReply );

# Get the structure of the parameter named ".identity.UsersRequest"
$ grpcurl fc.xlm-box.com:443 describe .identity.UsersRequest
identity.UsersRequest is a message:
message UsersRequest {
  int32 limit = 1;
}
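
Seen from the defender's side, the same `list` call shows whether an endpoint you operate still answers reflection. The script below is an added example, not part of the original notes or of grpcurl; the function names, the `GRPCURL` override and the verdict strings are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report whether gRPC endpoints you operate answer reflection.
# GRPCURL may be overridden, e.g. GRPCURL="grpcurl -plaintext" or a test stub.
GRPCURL="${GRPCURL:-grpcurl}"

# Print one verdict line for a host:port:
#   EXPOSED <host> <comma-separated application services>
#   DISABLED <host>   (server refused the reflection API)
#   ERROR <host>      (connection/TLS/other failure, needs a manual look)
check_reflection() {
    host="$1"
    if out=$($GRPCURL "$host" list 2>&1); then
        # Reflection answered; drop the reflection service itself from the list.
        svcs=$(printf '%s\n' "$out" |
            awk '!/^grpc\.reflection\./ && NF { s = s sep $1; sep = "," } END { print s }')
        printf 'EXPOSED %s %s\n' "$host" "$svcs"
        return 0
    fi
    case "$out" in
        # Error text printed by grpcurl when the reflection service is not registered.
        *"does not support the reflection API"*) printf 'DISABLED %s\n' "$host" ;;
        *) printf 'ERROR %s\n' "$host" ;;
    esac
}

# Check every host given; return 1 if any of them exposes reflection,
# so the script can fail a CI job or a scheduled audit.
audit_hosts() {
    rc=0
    for h in "$@"; do
        verdict=$(check_reflection "$h")
        printf '%s\n' "$verdict"
        case "$verdict" in EXPOSED*) rc=1 ;; esac
    done
    return "$rc"
}

# Run as: sh audit.sh host1:443 host2:443
if [ "$#" -gt 0 ]; then
    audit_hosts "$@"
fi
```

An `ERROR` verdict means the check could not decide, not that reflection is off, so treat it as a host to re-check by hand.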

MITM

bradleyjkemp/grpc-tools: A suite of gRPC debugging tools. Like Fiddler/Charles but for gRPC. (github.com)

References

toolbox-pentest-web/README.md at master · righettod/toolbox-pentest-web (github.com)
Pentesting gRPC / Protobuf : Decoding First steps – David Vassallo's Blog

Tools

bradleyjkemp/grpc-tools: A suite of gRPC debugging tools. Like Fiddler/Charles but for gRPC. (github.com)
fullstorydev/grpcurl: Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers (github.com)