S3Crets_Scanner – Hunting For Secrets Uploaded To Public S3 Buckets

S3cret Scanner tool designed to provide a complementary layer for the Amazon S3 Security Best Practices by proactively hunting secrets in public S3 buckets. Can be executed as scheduled task or On-Demand Automation workflow The automation will perform the following actions: List the public buckets in the account (Set with ACL of Public or objectsRead More

HTTPLoot – An Automated Tool Which Can Simultaneously Crawl, Fill Forms, Trigger Error/Debug Pages And "Loot" Secrets Out Of The Client-Facing Code Of Sites

An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and “loot” secrets out of the client-facing code of sites. Usage To use the tool, you can grab any one of the pre-built binaries from the Releases section of the repository. If you want to build the source code yourself, you will needRead More

Dismember – Scan Memory For Secrets And More

Dismember is a command-line toolkit for Linux that can be used to scan the memory of all processes (or particular ones) for common secrets and custom regular expressions, among other things. It will eventually become a full /proc toolkit. Using the grep command, it can match a regular expression across all memory for all (accessible)Read More

JSubFinder – Searches Webpages For Javascript And Analyzes Them For Hidden Subdomains And Secrets

JSubFinder is a tool writtin in golang to search webpages & javascript for hidden subdomains and secrets in the given URL. Developed with BugBounty hunters in mind JSubFinder takes advantage of Go’s amazing performance allowing it to utilize large data sets & be easily chained with other tools. Install Install the application and download theRead More

Dumpscan – Tool To Extract And Dump Secrets From Kernel And Windows Minidump Formats

Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3. Features x509 Public and Private key (PKCS #8/PKCS #1) parsing SymCrypt parsing Supported structures SYMCRYPT_RSAKEY – Determines if the key structure also has a private key Matching to public certificates found inRead More

Zap-Scripts – Zed Attack Proxy Scripts For Finding CVEs And Secrets

Zed Attack Proxy Scripts for finding CVEs and Secrets. Building This project uses Gradle to build the ZAP add-on, simply run: ./gradlew build in the main directory of the project, the add-on will be placed in the directory build/zapAddOn/bin/. Usage The easiest way to use this repo in ZAP is to add the directory toRead More

truffleHog – Searches Through Git Repositories For High Entropy Strings And Secrets, Digging Deep Into Commit History

Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed. Join The Slack Have questions? Feedback? Jump in slack and hang out with me https://join.slack.com/t/trufflehog-community/shared_invite/zt-pw2qbi43-Aa86hkiimstfdKH9UCpPzQ NEW truffleHog previously functioned by running entropy checks on git diffs. This functionality still exists, but high signal regexRead More

AWS-Loot – Pull Secrets From An AWS Environment

Searches an AWS environment looking for secrets, by enumerating environment variables and source code. This tool allows quick enumeration over large sets of AWS instances and services. Install pip install -r requirements.txt An AWS credential file (.aws/credentials) is required for authentication to the target environment Access Key Access Key Secret How it works Awsloot worksRead More

Whispers – Identify Hardcoded Secrets In Static Structured Text

“My little birds are everywhere, even in the North, they whisper to me the strangest stories.” – Lord Varys Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CDRead More