|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0004797||Kali Linux||[All Projects] New Tool Requests||public||2018-06-13 09:21||2018-07-09 11:46|
|Priority||normal||Severity||minor||Reproducibility||have not tried|
|Target Version||Fixed in Version|
|Description||I'd like to make a request to add the tool the DumpsterDiver (https://github.com/securing/DumpsterDiver) to Kali. |
Basically, the goal of this tool is to find key leaks in various filetypes. If you know the TruffleHog, then the DumpsterDiver is an enhanced version, because it can not only find key leaks in github repositories, but also in any readable filetype or in any archive. It also allows for defining multiple greps in advanced search module. I believe this tool is quite effective because it can be easily customized, so it would be nice to have it in Kali's arsenal.
Here's the demo of the basic usage of it https://vimeo.com/272944858.
If you need anything more from me, then please let me know.
To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us):
- [Name] - The name of the tool
- [Version] - What version of the tool should be added?
--- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
- [Homepage] - Where can the tool be found online? Where to go to get more information?
- [Download] - Where to go to get the tool? either a download page or a link to the latest version
- [Author] - Who made the tool?
- [Licence] - How is the software distributed? What conditions does it come with?
- [Description] - What is the tool about? What does it do?
- [Dependencies] - What is needed for the tool to work?
- [Similar tools] - What other tools are out there?
- [Activity] - When did the project start? Is is still actively being deployed?
- [How to install] - How do you compile it?
--- Note, using source code to acquire (e.g. git clone/svn checkout) can't be used - Also downloading from the head. Please use a "tag" or "release" version.
- [How to use] - What are some basic commands/functions to demonstrate it?
Sure thing! Info is below. If anything more is needed just let me know ;)
- [Name] - DumpsterDiver
- [Version] - it doesn't uses versioning so far as it is quite little project and I'm working on it alone. However if versioning is important for you, then I can add it.
- [Homepage] - https://github.com/securing/DumpsterDiver
- [Download] - https://github.com/securing/DumpsterDiver
- [Author] - Pawel Rzepa (https://twitter.com/Rzepsky)
- [Licence] - it uses MIT license only requiring preservation of copyright and license notices.
- [Description] - DumpsterDiver is a tool used to analyze big volumes of various file types in search of hardcoded secret keys (e.g. AWS Access Key, Azure Share Key or SSH keys) based on counting the entropy. Additionally, it allows creating a simple search rules with basic conditions (e.g. reports only csv file including at least 10 email addresses).
So basically it opens any text file (e.g. .sql, .config etc), any archive (.zip, .tgz etc.) or git object (look into git logs if there is git repository) and analyze any word in search of finding a string with fixed (configurable) length and count its entropy. If the entropy is high then it is a potential key (e.g. AWS secret key). Additionally it allows for multiple greps in those analyzed.
- [Dependencies] - Python 3 (tested on 3.6.5) and additional libraries: termcolor==1.1.0, PyYAML==3.12
- [Similar tools] - It works similar to TruffleHog (https://github.com/dxa4481/truffleHog) but the DumpsterDiver can do much more: analyze not only git logs, but any kind of text file and git objects too. What is more, the DumpsterDiver is customizable so you can define what legth of key you're searching (e.g. AWS secret key is always 40 byte long so there's no point to analyze longer strings). Thanks to this you can significantly limit false positives, what unfortunately you cannot do in TruffleHog.
- [Activity] - The project has been released 2 weeks ago. It's quite small project, but if any new feature requests appear, then of course I will add them.
- [How to install] - It doesn't require compiling as it is Python script.
- [How to use] - The most basic usage is the following:
> python3 DumpsterDiver.py -p ./path_to_folder_containing_files_to_analyze
It can be really handy for pentesters and researchers so I believe it is worth adding it to Kali. Let me know what do you think about it
|Just would like to notify you, I've added an option to search for hardcoded passwords, writing the output to the JSON file and some options to ease customization. I described how the tool and its feature works in the following article: https://medium.com/@rzepsky/hunting-for-secrets-with-the-dumpsterdiver-93d38a9cd4c1.|
|2018-06-13 09:21||rzepsky||New Issue|
|2018-06-13 10:17||g0tmi1k||Category||Queued Tool Addition => New Tool Requests|
|2018-06-13 10:17||g0tmi1k||Note Added: 0009242|
|2018-06-13 10:18||g0tmi1k||Summary||Add the new tool the DumpsterDiver => DumpsterDiver|
|2018-06-13 13:50||elwood||Status||new => acknowledged|
|2018-06-13 15:23||rzepsky||Note Added: 0009244|
|2018-06-16 14:26||ron47ron1||Issue cloned: 0004803|
|2018-06-16 14:38||elwood||Relationship added||duplicate of 0004803|
|2018-07-09 11:46||rzepsky||Note Added: 0009350|