View Issue Details

IDProjectCategoryView StatusLast Update
0004803Kali LinuxNew Tool Requestspublic2018-06-16 14:38
Reporterron47ron1 Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionduplicate 
Product Version2018.2 
Summary0004803: DumpsterDiver
Description

I'd like to make a request to add the tool the DumpsterDiver (https://github.com/securing/DumpsterDiver) to Kali.

Basically, the goal of this tool is to find key leaks in various filetypes. If you know the TruffleHog, then the DumpsterDiver is an enhanced version, because it can not only find key leaks in github repositories, but also in any readable filetype or in any archive. It also allows for defining multiple greps in advanced search module. I believe this tool is quite effective because it can be easily customized, so it would be nice to have it in Kali's arsenal.

Here's the demo of the basic usage of it https://vimeo.com/272944858.

If you need anything more from me, then please let me know.

Relationships

has duplicate 0004797 resolvedsbrun DumpsterDiver - Tool to search secrets in various filetypes. 

Activities

g0tmi1k

g0tmi1k

2018-06-16 14:26

administrator   ~0009262

To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us):

  • [Name] - The name of the tool
  • [Version] - What version of the tool should be added?
    --- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
  • [Homepage] - Where can the tool be found online? Where to go to get more information?
  • [Download] - Where to go to get the tool? either a download page or a link to the latest version
  • [Author] - Who made the tool?
  • [Licence] - How is the software distributed? What conditions does it come with?
  • [Description] - What is the tool about? What does it do?
  • [Dependencies] - What is needed for the tool to work?
  • [Similar tools] - What other tools are out there?
  • [Activity] - When did the project start? Is is still actively being deployed?
  • [How to install] - How do you compile it?
    --- Note, using source code to acquire (e.g. git clone/svn checkout) can't be used - Also downloading from the head. Please use a "tag" or "release" version.
  • [How to use] - What are some basic commands/functions to demonstrate it?
rzepsky

rzepsky

2018-06-16 14:26

reporter   ~0009263

Sure thing! Info is below. If anything more is needed just let me know ;)

  • [Name] - DumpsterDiver
  • [Version] - it doesn't uses versioning so far as it is quite little project and I'm working on it alone. However if versioning is important for you, then I can add it.
  • [Homepage] - https://github.com/securing/DumpsterDiver
  • [Download] - https://github.com/securing/DumpsterDiver
  • [Author] - Pawel Rzepa (https://twitter.com/Rzepsky)
  • [Licence] - it uses MIT license only requiring preservation of copyright and license notices.
  • [Description] - DumpsterDiver is a tool used to analyze big volumes of various file types in search of hardcoded secret keys (e.g. AWS Access Key, Azure Share Key or SSH keys) based on counting the entropy. Additionally, it allows creating a simple search rules with basic conditions (e.g. reports only csv file including at least 10 email addresses).
    So basically it opens any text file (e.g. .sql, .config etc), any archive (.zip, .tgz etc.) or git object (look into git logs if there is git repository) and analyze any word in search of finding a string with fixed (configurable) length and count its entropy. If the entropy is high then it is a potential key (e.g. AWS secret key). Additionally it allows for multiple greps in those analyzed.
  • [Dependencies] - Python 3 (tested on 3.6.5) and additional libraries: termcolor==1.1.0, PyYAML==3.12
  • [Similar tools] - It works similar to TruffleHog (https://github.com/dxa4481/truffleHog) but the DumpsterDiver can do much more: analyze not only git logs, but any kind of text file and git objects too. What is more, the DumpsterDiver is customizable so you can define what legth of key you're searching (e.g. AWS secret key is always 40 byte long so there's no point to analyze longer strings). Thanks to this you can significantly limit false positives, what unfortunately you cannot do in TruffleHog.
  • [Activity] - The project has been released 2 weeks ago. It's quite small project, but if any new feature requests appear, then of course I will add them.
  • [How to install] - It doesn't require compiling as it is Python script.
  • [How to use] - The most basic usage is the following:

    python3 DumpsterDiver.py -p ./path_to_folder_containing_files_to_analyze

It can be really handy for pentesters and researchers so I believe it is worth adding it to Kali. Let me know what do you think about it

elwood

elwood

2018-06-16 14:38

administrator   ~0009264

Dupe. Closing.

Issue History

Date Modified Username Field Change
2018-06-16 14:26 ron47ron1 New Issue
2018-06-16 14:26 ron47ron1 Issue generated from: 0004797
2018-06-16 14:26 ron47ron1 Note Added: 0009262
2018-06-16 14:26 ron47ron1 Note Added: 0009263
2018-06-16 14:38 elwood Relationship added has duplicate 0004797
2018-06-16 14:38 elwood Note Added: 0009264
2018-06-16 14:38 elwood Status new => closed
2018-06-16 14:38 elwood Resolution open => duplicate