Stars: 197 · Rank: 196,556 (top 4%) · Language: Python · License: MIT License · Created almost 5 years ago · Updated over 1 year ago


Repository Details

Benchmarking repo for secrets scanning

Leaky Repo 🚿


FAQ

What is this?

This is a repo full of mistakes: it collects several of the secrets I've seen commonly leaking from real projects. It is useful for testing scanning tools such as github-dorks and truffleHog.

Where did you get these?

It's worth noting that none of the secrets here are real. They are all things I've seen before, but I've randomized or redacted all of the actual data. The vast majority of secrets are taken from patterns created for github-dorks, which are primarily derived from config files for popular services. I've also worked on several scanning tools in the past, most notably github-dorks, PasteHunter and GHScraper, as well as several other non-public or unreleased scanners. Essentially, I've seen a lot of whoopsies on git, and those are included here too.

Why did you make this repo?

This repo was made to serve as a benchmark for secrets scanners. Repo scanning tools have varying levels of coverage, and so far the go-to option has been to "slam a bunch together". This repo is also partly a test of my theory that even that technique isn't sufficient. Regardless, you can't just scan for high entropy, and you can't just scan for patterns: you need to do both. Entropy alone misses low-entropy but well-known formats (a structured token, a password in a URL), and patterns alone miss any secret whose format the scanner has never seen.

How can I avoid uploading these secrets?

I've written a blog post on Why We Fail at Keeping Git Secrets. If you truly want to keep your secrets safe, separate them from your repo. If that's a config file kept outside the repository, that's fine. If it's a secrets management/storage system, that's even better. As long as you can stop git from adding that information by default (for example, by ignoring the file), you're unlikely to hit any problems.

Secrets

| Filename | Description |
| --- | --- |
| .npmrc | NPM registry authentication data |
| .dockercfg | Docker registry authentication data |
| misc-keys/cert-key.pem | PEM private key |
| misc-keys/putty-example.ppk | PuTTYgen private key |
| .ssh/id_rsa | Private SSH key |
| .ssh/id_rsa.pub | Public SSH key (might still not be ideal) |
| db/dump.sql | MySQL dump w/ bcrypt hashes |
| cloud/.credentials | S3 credentials file |
| cloud/.s3cfg | S3 credentials file |
| cloud/.tugboat | DigitalOcean tugboat config |
| cloud/heroku.json | Heroku config |
| web/var/www/public_html/wp-config.php | WordPress config file |
| web/var/www/public_html/.htpasswd | htpasswd file |
| web/var/www/public_html/config.php | PHP application config file |
| web/var/www/.env | Laravel .env (CI, various Ruby-based frameworks too) |
| .git-credentials | Git credentials store |
| .bashrc | .bashrc file (contains several secrets as environment variables) |
| .bash_profile | .bash_profile file (contains several secrets as environment variables) |
| db/robomongo.json | Mongolab credentials for Robomongo |
| db/mongoid.yml | Mongoid config file |
| web/js/salesforce.js | Salesforce credentials in a Node.js project |
| .netrc | netrc with SMTP credentials |
| hub | Hub config that stores GitHub tokens |
| filezilla/filezilla.xml | FileZilla config file |
| filezilla/recentservers.xml | FileZilla recent servers file |
| .docker/config.json | Docker registry authentication file |
| config | IRC config |
| db/.pgpass | PostgreSQL file which contains passwords |
| /proftpdpasswd | Usernames and passwords of proftpd created by cPanel |
| ventrilo_srv.ini | Ventrilo configuration |
| etc/shadow | Linux /etc/shadow file |
| db/dbeaver-data-sources.xml | DBeaver config containing MySQL credentials |
| /.esmtprc | esmtp configuration |
| .mozilla/firefox/logins.json | Firefox saved password collection (can be decrypted using key4.db) |
| web/django/settings.py | Django settings.py, contains a valid secret key |
| web/ruby/secrets.yml | Ruby on Rails secrets.yml file (contains passwords) |
| ruby/config/master.key | Rails master key (used for decrypting credentials.yml.enc for Rails 5.2+) |
| deployment-config.json | Created by sftp-deployment for Atom, contains server details and credentials |
| .ftpconfig | Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials |
| .remote-sync.json | Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials |
| .vscode/sftp.json | Created by vscode-sftp for VS Code, contains SFTP/SSH server details and credentials |
| sftp-config.json | Created by SFTP for Sublime Text, contains FTP/FTPS or SFTP/SSH server details and credentials |
| .idea/WebServers.xml | Created by JetBrains IDEs, contains webserver credentials with encoded passwords (not encrypted!) |
| high-entropy-misc.txt | Misc high-entropy strings (HES1 is plain, HES2 is base64) |
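
The FAQ's claim that a scanner needs both pattern matching and entropy analysis, and the list of dangerous filenames above, can be put together in a small scanner. The following is an added example written for this page; it is not leaky-repo's own code nor any of the benchmarked tools. The regexes, the sensitive-basename subset, the entropy thresholds (borrowed from the classic truffleHog defaults: 20+ character runs, above 4.5 bits/char for the base64 alphabet, above 3.0 for hex-only runs) and every value in the sample tree are assumptions constructed for illustration. The sample tree is built so that each file trips a different detector while the others stay silent: a structured but low-entropy AWS key id is caught only by its pattern, a hex secret with no known format is caught only by entropy, and a `.git-credentials` URL is caught by both filename and pattern.

```python
"""Added example (not leaky-repo's own code): a toy secrets scanner that runs
filename, pattern and entropy checks together, then scans a constructed tree.
All regexes, thresholds and sample values below are illustrative assumptions."""
import math
import re
from collections import Counter

# Basenames from the table above that should never be committed (assumed subset).
SENSITIVE_BASENAMES = {
    ".npmrc", ".dockercfg", ".git-credentials", ".netrc", ".pgpass", ".s3cfg",
    ".htpasswd", "id_rsa", "master.key", "sftp-config.json", "logins.json",
}

# Pattern rules: precise and cheap, but blind to any format not listed here.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "npm_auth_token": re.compile(r"//[^\s/]+/:_authToken=\S+"),
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:@/]+:[^\s@/]+@"),
}

# Entropy rules: catch unknown formats by shape alone. Thresholds follow the
# classic truffleHog defaults (assumed): runs of 20+ base64-alphabet characters
# above 4.5 bits/char, or hex-only runs above 3.0 bits/char.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_CHARS = set("0123456789abcdefABCDEF")
B64_THRESHOLD, HEX_THRESHOLD = 4.5, 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 32 distinct symbols used once each score 5.0."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_file(path: str, text: str) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs for one file from all three checks."""
    findings = []
    basename = path.rsplit("/", 1)[-1]
    if basename in SENSITIVE_BASENAMES:
        findings.append(("filename", basename))
    for rule, regex in PATTERNS.items():
        findings.extend((rule, m.group(0)) for m in regex.finditer(text))
    for token in TOKEN_RE.findall(text):
        threshold = HEX_THRESHOLD if set(token) <= HEX_CHARS else B64_THRESHOLD
        if shannon_entropy(token) > threshold:
            findings.append(("high_entropy", token))
    return findings


def scan_tree(files: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Scan a {path: contents} mapping; files with no findings are dropped."""
    return {path: hits for path, text in files.items() if (hits := scan_file(path, text))}


# Constructed sample tree; every value here is fake and chosen so that one
# detector fires where the others stay silent.
SAMPLE_TREE = {
    ".npmrc": "//registry.npmjs.org/:_authToken=00000000-0000-0000-0000-000000000000\n",
    "cloud/.s3cfg": "[default]\naccess_key = AKIAEXAMPLEEXAMPLE00\n"
                    "secret_key = 0123456789abcdef0123456789abcdef\n",
    ".git-credentials": "https://deploy:hunter2@git.example.com\n",
    "misc-keys/cert-key.pem": "-----BEGIN RSA PRIVATE KEY-----\n"
                              "(key body omitted in this constructed sample)\n"
                              "-----END RSA PRIVATE KEY-----\n",
    "src/settings.py": 'DEBUG = False\nAPI_SECRET = "AbCdEfGhIjKlMnOpQrStUvWxYz012345"\n',
    "README.md": "Internationalization notes for the deployment pipeline.\n",
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_TREE).items():
        for rule, evidence in hits:
            print(f"{path}: {rule}: {evidence}")
```

Note what each detector misses on its own: `AKIAEXAMPLEEXAMPLE00` scores only about 3.0 bits/char, so an entropy-only scanner skips it, while the 32-character hex `secret_key` matches no pattern and is found purely by entropy; the 20-character English word `Internationalization` is long enough to be examined but scores well under the threshold, which is the false-positive trade-off the thresholds exist to manage. To use this as the "stop git from adding it by default" check from the FAQ, feed it the staged paths from `git diff --cached --name-only`, read each file's staged content with `git show :path`, and have the pre-commit hook exit non-zero on any finding.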

Results

We've tested a few tools and generated metrics for them. You can see how the tools tested so far stack up in Benchmarking.
If there's a tool you'd like tested, please file an issue with details on it or create a PR. We are focused primarily on command-line tools, but are also happy to accept results from web- or GUI-based tools, as long as you include the full results and details about the tool.

Changelog

You can see recent changes made in our CHANGELOG.md file or under Releases. We use semantic versioning for releases.

Contact

Got a question? Found something worth adding?
File an issue
Have another reason to contact me? You can find me on Twitter:
@Plazmaz

It's also worth noting that many of the original patterns used to find the filenames and examples of several secrets came from github-dorks, which is under the Apache 2.0 License. Also, for the sake of full disclosure, I am a maintainer on that project.

More Repositories

1. LNKUp (Python, 249 stars): Generates malicious LNK file payloads for data exfiltration
2. MongoDB-HoneyProxy (JavaScript, 83 stars): A honeypot proxy for mongodb. When run, this will proxy and log all traffic to a dummy mongodb server.
3. Duckuino (JavaScript, 59 stars): A basic Duckyscript to Arduino converter
4. CVE-2019-18634 (Shell, 57 stars): A functional exploit for CVE-2019-18634, a BSS overflow in sudo's pwfeedback feature that allows for privesc
5. JSBN (JavaScript, 43 stars): An experimental implementation of a bot client which interprets commands through Twitter, thus requiring no hosting of servers from the command issuer
6. LiquidHoney (Python, 19 stars): A small, fluid, low-interaction honeypot
7. Agent7 (Java, 14 stars): An open source penetration testing tool
8. CapeGiver (Java, 13 stars): ProtocolLib is required! A proof of concept for an exploit in all recent Minecraft versions that allows servers to give users capes.
9. GHScraper (JavaScript, 11 stars): A tool for gathering potentially sensitive data from github's public stream
10. every-chrome-extension (Shell, 10 stars): Collect ALL the crx files
11. CVEStack (Python, 10 stars): Scan products in your stack for known vulnerabilities
12. ShortStats (Python, 9 stars): An OSINT/data gathering tool for extracting details from shortened bitlinks
13. Twitter-Bots-List (8 stars): A list of accounts that auto-retweet or like certain keywords
14. awful-gitposts (7 stars): 💩 Bad memes and shitposts
15. bluekeep-pcap (5 stars): Capture of Metasploit BlueKeep <--> OpenCanary
16. CVE-2020-1350-poc (Python, 5 stars): A basic proof of concept for CVE-2020-1350
17. wsl-dotfiles (Shell, 5 stars): My dotfiles for Bash on Windows/Windows Subsystem for Linux
18. JHoneypot (Java, 5 stars): A simple Java SSH honeypot
19. HoneyMesh (JavaScript, 4 stars): A centralized honeypot logging system for nodejs
20. FileJuice (C#, 4 stars)
21. basic-python-skeleton (Python, 3 stars): Because I've typed this way too many times
22. dotfiles (Shell, 2 stars): My dotfiles. Very minimalist at the moment.
23. DiscordUI (Python, 2 stars): Provides reaction-based UI components for use with Discord
24. unlock-hero (JavaScript, 2 stars): Ludum Dare 45
25. threat-actor-names (JavaScript, 2 stars): Providing valuable information on the latest threat actors before they even exist
26. go-home (Go, 1 star): Research into Go's default random.Source PRNG
27. GitRacoon (JavaScript, 1 star)
28. terminal-profiles (PowerShell, 1 star): My personal profiles for Windows Terminal
29. PRFuzzer (Python, 1 star): Really stupid simple BitBucket PR fuzzing. Probably won't work for anyone else, not actively maintained.
30. Neuroticz (Java, 1 star): A basic webpage summarizing framework