View Issue Details

IDProjectCategoryView StatusLast Update
0004797Kali LinuxQueued Tool Additionpublic2021-02-23 12:36
Reporterrzepsky Assigned Tosbrun  
PrioritynormalSeverityminorReproducibilityhave not tried
Status resolvedResolutionfixed 
Fixed in Version2021.1 
Summary0004797: DumpsterDiver - Tool to search secrets in various filetypes.
Description

I'd like to make a request to add the tool the DumpsterDiver (https://github.com/securing/DumpsterDiver) to Kali.

Basically, the goal of this tool is to find key leaks in various filetypes. If you know the TruffleHog, then the DumpsterDiver is an enhanced version, because it can not only find key leaks in github repositories, but also in any readable filetype or in any archive. It also allows for defining multiple greps in advanced search module. I believe this tool is quite effective because it can be easily customized, so it would be nice to have it in Kali's arsenal.

Here's the demo of the basic usage of it https://vimeo.com/272944858.

If you need anything more from me, then please let me know.

Relationships

duplicate of 0004803 closed DumpsterDiver 
related to 0005777 closed Adding OSINT tools to Kali Linux 

Activities

g0tmi1k

g0tmi1k

2018-06-13 10:17

administrator   ~0009242

To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us):

  • [Name] - The name of the tool
  • [Version] - What version of the tool should be added?
    --- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
  • [Homepage] - Where can the tool be found online? Where to go to get more information?
  • [Download] - Where to go to get the tool? either a download page or a link to the latest version
  • [Author] - Who made the tool?
  • [Licence] - How is the software distributed? What conditions does it come with?
  • [Description] - What is the tool about? What does it do?
  • [Dependencies] - What is needed for the tool to work?
  • [Similar tools] - What other tools are out there?
  • [Activity] - When did the project start? Is is still actively being deployed?
  • [How to install] - How do you compile it?
    --- Note, using source code to acquire (e.g. git clone/svn checkout) can't be used - Also downloading from the head. Please use a "tag" or "release" version.
  • [How to use] - What are some basic commands/functions to demonstrate it?
rzepsky

rzepsky

2018-06-13 15:23

reporter   ~0009244

Sure thing! Info is below. If anything more is needed just let me know ;)

  • [Name] - DumpsterDiver
  • [Version] - it doesn't uses versioning so far as it is quite little project and I'm working on it alone. However if versioning is important for you, then I can add it.
  • [Homepage] - https://github.com/securing/DumpsterDiver
  • [Download] - https://github.com/securing/DumpsterDiver
  • [Author] - Pawel Rzepa (https://twitter.com/Rzepsky)
  • [Licence] - it uses MIT license only requiring preservation of copyright and license notices.
  • [Description] - DumpsterDiver is a tool used to analyze big volumes of various file types in search of hardcoded secret keys (e.g. AWS Access Key, Azure Share Key or SSH keys) based on counting the entropy. Additionally, it allows creating a simple search rules with basic conditions (e.g. reports only csv file including at least 10 email addresses).
    So basically it opens any text file (e.g. .sql, .config etc), any archive (.zip, .tgz etc.) or git object (look into git logs if there is git repository) and analyze any word in search of finding a string with fixed (configurable) length and count its entropy. If the entropy is high then it is a potential key (e.g. AWS secret key). Additionally it allows for multiple greps in those analyzed.
  • [Dependencies] - Python 3 (tested on 3.6.5) and additional libraries: termcolor==1.1.0, PyYAML==3.12
  • [Similar tools] - It works similar to TruffleHog (https://github.com/dxa4481/truffleHog) but the DumpsterDiver can do much more: analyze not only git logs, but any kind of text file and git objects too. What is more, the DumpsterDiver is customizable so you can define what legth of key you're searching (e.g. AWS secret key is always 40 byte long so there's no point to analyze longer strings). Thanks to this you can significantly limit false positives, what unfortunately you cannot do in TruffleHog.
  • [Activity] - The project has been released 2 weeks ago. It's quite small project, but if any new feature requests appear, then of course I will add them.
  • [How to install] - It doesn't require compiling as it is Python script.
  • [How to use] - The most basic usage is the following:

    python3 DumpsterDiver.py -p ./path_to_folder_containing_files_to_analyze

It can be really handy for pentesters and researchers so I believe it is worth adding it to Kali. Let me know what do you think about it

rzepsky

rzepsky

2018-07-09 11:46

reporter   ~0009350

Just would like to notify you, I've added an option to search for hardcoded passwords, writing the output to the JSON file and some options to ease customization. I described how the tool and its feature works in the following article: https://medium.com/@rzepsky/hunting-for-secrets-with-the-dumpsterdiver-93d38a9cd4c1.

g0tmi1k

g0tmi1k

2020-01-13 13:45

administrator   ~0011900

@kali-team, please could this be packaged up.
@author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging

sbrun

sbrun

2020-12-01 14:53

manager   ~0013932

package version 0~git20200911-0kali1 is in kali-rolling

Issue History

Date Modified Username Field Change
2018-06-13 09:21 rzepsky New Issue
2018-06-13 10:17 g0tmi1k Category Queued Tool Addition => New Tool Requests
2018-06-13 10:17 g0tmi1k Note Added: 0009242
2018-06-13 10:18 g0tmi1k Summary Add the new tool the DumpsterDiver => DumpsterDiver
2018-06-13 13:50 elwood Status new => acknowledged
2018-06-13 15:23 rzepsky Note Added: 0009244
2018-06-16 14:26 ron47ron1 Issue cloned: 0004803
2018-06-16 14:38 elwood Relationship added duplicate of 0004803
2018-07-09 11:46 rzepsky Note Added: 0009350
2019-12-09 13:30 g0tmi1k Severity minor => feature
2019-12-09 13:30 g0tmi1k Status acknowledged => new
2020-01-13 13:44 g0tmi1k Status new => closed
2020-01-13 13:44 g0tmi1k Resolution open => won't fix
2020-01-13 13:45 g0tmi1k Note Added: 0011900
2020-01-13 13:45 g0tmi1k Status closed => acknowledged
2020-01-13 13:45 g0tmi1k Category New Tool Requests => Queued Tool Addition
2020-06-17 12:38 g0tmi1k Relationship added related to 0005777
2020-06-17 14:57 g0tmi1k Severity feature => minor
2020-12-01 11:06 g0tmi1k Summary DumpsterDiver => DumpsterDiver - Tool to search secrets in various filetypes.
2020-12-01 14:53 sbrun Assigned To => sbrun
2020-12-01 14:53 sbrun Status acknowledged => resolved
2020-12-01 14:53 sbrun Resolution won't fix => fixed
2020-12-01 14:53 sbrun Note Added: 0013932
2021-02-23 12:36 g0tmi1k Fixed in Version => 2021.1