I recently decided to start capturing the break-in attempts submitted to my wp-login.php file. I am going to capture the top credentials used by these scripts/attackers and add them to the SecLists project.
Anyway, that requires that I be able to see the POST data for incoming requests, but unfortunately this was non-trivial to enable. Here’s how to do it.
You can get the header code here.
./configure --add-module=./echo-nginx-module-0.54
make
make install
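This is a modified version of the well-accepted combined log format, with the important addition of $request_body at the end. Note that nginx only fills in $request_body when the request body has been read into a memory buffer, in locations processed by proxy_pass, fastcgi_pass, uwsgi_pass or scgi_pass.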
log_format custom '$remote_addr - $remote_user [$time_local] '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent" "$request_body"';
access_log /var/log/nginx/access.log custom;
Now you’ll be able to pull usernames and passwords for break-in attempts right out of your logs.
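One way to do that pull, as an added example that is not from the original post: a Python script that parses lines in the custom format above, undoes nginx's default \xHH log escaping, and counts the credential pairs POSTed to wp-login.php. The sample lines are constructed and the function names are illustrative.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Matches the "custom" log_format; the last quoted field is $request_body.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<body>[^"]*)"$')

def unescape(value):
    """Undo nginx's default log escaping ('"', '\\' and non-printable
    bytes are written as \\xHH), so the body can be parsed as a form."""
    raw = re.sub(rb'\\x([0-9A-Fa-f]{2})',
                 lambda m: bytes([int(m.group(1), 16)]),
                 value.encode('utf-8'))
    return raw.decode('utf-8', errors='replace')

def top_credentials(lines, n=10):
    """Return the n most common (username, password) pairs POSTed to
    wp-login.php. WordPress names the form fields 'log' and 'pwd'."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m['method'] != 'POST':
            continue  # not in the custom format, or a bodyless request
        if not m['uri'].split('?')[0].endswith('/wp-login.php'):
            continue
        form = parse_qs(unescape(m['body']), keep_blank_values=True)
        user = form.get('log', [''])[0]
        pwd = form.get('pwd', [''])[0]
        if user or pwd:
            counts[(user, pwd)] += 1
    return counts.most_common(n)

# Constructed sample lines (documentation IP ranges), not real traffic.
PREFIX = ('[01/Jan/2015:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" '
          '200 1234 "-" "Mozilla/5.0" ')
SAMPLE = [
    '203.0.113.7 - - ' + PREFIX + '"log=admin&pwd=admin123&wp-submit=Log+In"',
    '203.0.113.7 - - ' + PREFIX + '"log=admin&pwd=admin123&wp-submit=Log+In"',
    '198.51.100.9 - - ' + PREFIX + r'"log=root&pwd=p%40ss\x22word"',
    '198.51.100.9 - - [01/Jan/2015:10:00:05 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "curl/7.0" "-"',
]

if __name__ == '__main__':
    for (user, pwd), hits in top_credentials(SAMPLE):
        print(f'{hits:5d}  {user!r}  {pwd!r}')
```

Because the log now records every POST body, it also holds the passwords of legitimate logins in cleartext, so keep the log file's permissions and retention tight.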
Enjoy.