|
|
To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us):
- [Name] - The name of the tool
- [Version] - What version of the tool should be added?
--- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
- [Homepage] - Where can the tool be found online? Where to go to get more information?
- [Download] - Where to go to get the tool? either a download page or a link to the latest version
- [Author] - Who made the tool?
- [Licence] - How is the software distributed? What conditions does it come with?
- [Description] - What is the tool about? What does it do?
- [Dependencies] - What is needed for the tool to work?
- [Similar tools] - What other tools are out there?
- [Activity] - When did the project start? Is is still actively being deployed?
- [How to install] - How do you compile it?
--- Note, using source code to acquire (e.g. git clone/svn checkout) can't be used - Also downloading from the head. Please use a "tag" or "release" version.
- [How to use] - What are some basic commands/functions to demonstrate it?
|
|
|
Sure thing! Info is below. If anything more is needed just let me know ;)
- [Name] - DumpsterDiver
- [Version] - it doesn't uses versioning so far as it is quite little project and I'm working on it alone. However if versioning is important for you, then I can add it.
- [Homepage] - https://github.com/securing/DumpsterDiver
- [Download] - https://github.com/securing/DumpsterDiver
- [Author] - Pawel Rzepa (https://twitter.com/Rzepsky)
- [Licence] - it uses MIT license only requiring preservation of copyright and license notices.
- [Description] - DumpsterDiver is a tool used to analyze big volumes of various file types in search of hardcoded secret keys (e.g. AWS Access Key, Azure Share Key or SSH keys) based on counting the entropy. Additionally, it allows creating a simple search rules with basic conditions (e.g. reports only csv file including at least 10 email addresses).
So basically it opens any text file (e.g. .sql, .config etc), any archive (.zip, .tgz etc.) or git object (look into git logs if there is git repository) and analyze any word in search of finding a string with fixed (configurable) length and count its entropy. If the entropy is high then it is a potential key (e.g. AWS secret key). Additionally it allows for multiple greps in those analyzed.
- [Dependencies] - Python 3 (tested on 3.6.5) and additional libraries: termcolor==1.1.0, PyYAML==3.12
- [Similar tools] - It works similar to TruffleHog (https://github.com/dxa4481/truffleHog) but the DumpsterDiver can do much more: analyze not only git logs, but any kind of text file and git objects too. What is more, the DumpsterDiver is customizable so you can define what legth of key you're searching (e.g. AWS secret key is always 40 byte long so there's no point to analyze longer strings). Thanks to this you can significantly limit false positives, what unfortunately you cannot do in TruffleHog.
- [Activity] - The project has been released 2 weeks ago. It's quite small project, but if any new feature requests appear, then of course I will add them.
- [How to install] - It doesn't require compiling as it is Python script.
- [How to use] - The most basic usage is the following:
python3 DumpsterDiver.py -p ./path_to_folder_containing_files_to_analyze
It can be really handy for pentesters and researchers so I believe it is worth adding it to Kali. Let me know what do you think about it |
