S3cret Scanner tool designed to provide a complementary layer for the Amazon S3 Security Best Practices by proactively hunting secrets in public S3 buckets. Can be executed as scheduled task or On-Demand Automation workflow The automation will perform the following actions: List the public buckets in the account (Set with ACL of Public or objectsRead More
An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and “loot” secrets out of the client-facing code of sites. Usage To use the tool, you can grab any one of the pre-built binaries from the Releases section of the repository. If you want to build the source code yourself, you will needRead More
Dismember is a command-line toolkit for Linux that can be used to scan the memory of all processes (or particular ones) for common secrets and custom regular expressions, among other things. It will eventually become a full /proc toolkit. Using the grep command, it can match a regular expression across all memory for all (accessible)Read More
JSubFinder is a tool writtin in golang to search webpages & javascript for hidden subdomains and secrets in the given URL. Developed with BugBounty hunters in mind JSubFinder takes advantage of Go’s amazing performance allowing it to utilize large data sets & be easily chained with other tools. Install Install the application and download theRead More
Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3. Features x509 Public and Private key (PKCS #8/PKCS #1) parsing SymCrypt parsing Supported structures SYMCRYPT_RSAKEY – Determines if the key structure also has a private key Matching to public certificates found inRead More
Zed Attack Proxy Scripts for finding CVEs and Secrets. Building This project uses Gradle to build the ZAP add-on, simply run: ./gradlew build in the main directory of the project, the add-on will be placed in the directory build/zapAddOn/bin/. Usage The easiest way to use this repo in ZAP is to add the directory toRead More
Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques. Can you solve all theRead More
Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed. Join The Slack Have questions? Feedback? Jump in slack and hang out with me https://join.slack.com/t/trufflehog-community/shared_invite/zt-pw2qbi43-Aa86hkiimstfdKH9UCpPzQ NEW truffleHog previously functioned by running entropy checks on git diffs. This functionality still exists, but high signal regexRead More
Searches an AWS environment looking for secrets, by enumerating environment variables and source code. This tool allows quick enumeration over large sets of AWS instances and services. Install pip install -r requirements.txt An AWS credential file (.aws/credentials) is required for authentication to the target environment Access Key Access Key Secret How it works Awsloot worksRead More
“My little birds are everywhere, even in the North, they whisper to me the strangest stories.” – Lord Varys Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CDRead More
