View Issue Details

IDProjectCategoryView StatusLast Update
0004797Kali Linux[All Projects] New Tool Requestspublic2018-07-09 11:46
ReporterrzepskyAssigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status acknowledgedResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary0004797: DumpsterDiver
DescriptionI'd like to make a request to add the tool the DumpsterDiver (https://github.com/securing/DumpsterDiver) to Kali.

Basically, the goal of this tool is to find key leaks in various filetypes. If you know the TruffleHog, then the DumpsterDiver is an enhanced version, because it can not only find key leaks in github repositories, but also in any readable filetype or in any archive. It also allows for defining multiple greps in advanced search module. I believe this tool is quite effective because it can be easily customized, so it would be nice to have it in Kali's arsenal.

Here's the demo of the basic usage of it https://vimeo.com/272944858.

If you need anything more from me, then please let me know.

Relationships

duplicate of 0004803 closed DumpsterDiver 

Activities

g0tmi1k

2018-06-13 10:17

administrator   ~0009242

To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us):

- [Name] - The name of the tool
- [Version] - What version of the tool should be added?
--- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
- [Homepage] - Where can the tool be found online? Where to go to get more information?
- [Download] - Where to go to get the tool? either a download page or a link to the latest version
- [Author] - Who made the tool?
- [Licence] - How is the software distributed? What conditions does it come with?
- [Description] - What is the tool about? What does it do?
- [Dependencies] - What is needed for the tool to work?
- [Similar tools] - What other tools are out there?
- [Activity] - When did the project start? Is is still actively being deployed?
- [How to install] - How do you compile it?
--- Note, using source code to acquire (e.g. git clone/svn checkout) can't be used - Also downloading from the head. Please use a "tag" or "release" version.
- [How to use] - What are some basic commands/functions to demonstrate it?

rzepsky

2018-06-13 15:23

reporter   ~0009244

Sure thing! Info is below. If anything more is needed just let me know ;)
- [Name] - DumpsterDiver
- [Version] - it doesn't uses versioning so far as it is quite little project and I'm working on it alone. However if versioning is important for you, then I can add it.
- [Homepage] - https://github.com/securing/DumpsterDiver
- [Download] - https://github.com/securing/DumpsterDiver
- [Author] - Pawel Rzepa (https://twitter.com/Rzepsky)
- [Licence] - it uses MIT license only requiring preservation of copyright and license notices.
- [Description] - DumpsterDiver is a tool used to analyze big volumes of various file types in search of hardcoded secret keys (e.g. AWS Access Key, Azure Share Key or SSH keys) based on counting the entropy. Additionally, it allows creating a simple search rules with basic conditions (e.g. reports only csv file including at least 10 email addresses).
So basically it opens any text file (e.g. .sql, .config etc), any archive (.zip, .tgz etc.) or git object (look into git logs if there is git repository) and analyze any word in search of finding a string with fixed (configurable) length and count its entropy. If the entropy is high then it is a potential key (e.g. AWS secret key). Additionally it allows for multiple greps in those analyzed.
- [Dependencies] - Python 3 (tested on 3.6.5) and additional libraries: termcolor==1.1.0, PyYAML==3.12
- [Similar tools] - It works similar to TruffleHog (https://github.com/dxa4481/truffleHog) but the DumpsterDiver can do much more: analyze not only git logs, but any kind of text file and git objects too. What is more, the DumpsterDiver is customizable so you can define what legth of key you're searching (e.g. AWS secret key is always 40 byte long so there's no point to analyze longer strings). Thanks to this you can significantly limit false positives, what unfortunately you cannot do in TruffleHog.
- [Activity] - The project has been released 2 weeks ago. It's quite small project, but if any new feature requests appear, then of course I will add them.
- [How to install] - It doesn't require compiling as it is Python script.
- [How to use] - The most basic usage is the following:
> python3 DumpsterDiver.py -p ./path_to_folder_containing_files_to_analyze

It can be really handy for pentesters and researchers so I believe it is worth adding it to Kali. Let me know what do you think about it

rzepsky

2018-07-09 11:46

reporter   ~0009350

Just would like to notify you, I've added an option to search for hardcoded passwords, writing the output to the JSON file and some options to ease customization. I described how the tool and its feature works in the following article: https://medium.com/@rzepsky/hunting-for-secrets-with-the-dumpsterdiver-93d38a9cd4c1.

Issue History

Date Modified Username Field Change
2018-06-13 09:21 rzepsky New Issue
2018-06-13 10:17 g0tmi1k Category Queued Tool Addition => New Tool Requests
2018-06-13 10:17 g0tmi1k Note Added: 0009242
2018-06-13 10:18 g0tmi1k Summary Add the new tool the DumpsterDiver => DumpsterDiver
2018-06-13 13:50 elwood Status new => acknowledged
2018-06-13 15:23 rzepsky Note Added: 0009244
2018-06-16 14:26 ron47ron1 Issue cloned: 0004803
2018-06-16 14:38 elwood Relationship added duplicate of 0004803
2018-07-09 11:46 rzepsky Note Added: 0009350