blacklanternsecurity / badsecrets
A library for detecting known secrets across many web frameworks
License: GNU General Public License v3.0
Some versions of Sitecore include a slightly different DLL (like ones that exist at sitecore/shell/Controls/RichTextEditor/Telerik.Web.UI.DialogHandler.aspx) which telerik_knownkey doesn't like. Need to track this DLL down; likely there's just a slightly different error message.
https://www.graa.nl/articles/2010.html
Unofficial code which was widely distributed instruments an alternate viewstate using the "vstate" parameter which is automatically vulnerable to RCE.
Make assumptions about the page when we hit the root directory or an MVC type endpoint. Further testing.
Some modules, like jsf_viewstate, produce several options because there are multiple algorithm possibilities
We should be able to narrow these down by looking at the length of the signature
By hitting the various except statements intentionally with tests, code coverage will continue to improve
Traceback (most recent call last):
File "/usr/lib/python3.10/concurrent/futures/process.py", line 246, in _process_worker
r = call_item.fn(*call_item.args, **call_item.kwargs)
File "/home/user/..cache/pypoetry/virtualenvs/bbot-IFSyk-JB-py3.10/lib/python3.10/site-packages/badsecrets/base.py", line 188, in carve_all_modules
r_list = x.carve(**kwargs)
File "/home/user/.cache/pypoetry/virtualenvs/bbot-IFSyk-JB-py3.10/lib/python3.10/site-packages/badsecrets/base.py", line 92, in carve
r = self.check_secret(v)
File "/home/user/.cache/pypoetry/virtualenvs/bbot-IFSyk-JB-py3.10/lib/python3.10/site-packages/badsecrets/modules/rails_secretkeybase.py", line 70, in check_secret
r = self.rails(rails_cookie, secret_key_base)
File "/home/user/.cache/pypoetry/virtualenvs/bbot-IFSyk-JB-py3.10/lib/python3.10/site-packages/badsecrets/modules/rails_secretkeybase.py", line 36, in rails
encrypted_data = base64.b64decode(data).decode()
File "/usr/lib/python3.10/base64.py", line 87, in b64decode
return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
Also same line:
binascii.Error: Invalid base64-encoded string: number of data characters (73) cannot be 1 more than a multiple of 4
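Both binascii errors above come from passing a carved cookie fragment straight into base64.b64decode, where a missing or percent-encoded "=" or a 4k+1 length raises out of the module and aborts the whole carve. The following is an added example of a defensive decoder a carve routine could use instead; it is my code, not badsecrets' own, and the function names are mine:

```python
import base64
import binascii
from urllib.parse import unquote


def safe_b64decode(value):
    """Decode a base64 fragment carved from a cookie or form field.

    Returns the decoded bytes, or None when the input cannot be valid
    base64, instead of raising binascii.Error into the caller.
    """
    if isinstance(value, bytes):
        value = value.decode("ascii", errors="ignore")
    # Cookie values are frequently percent-encoded, so "=" padding arrives
    # as "%3D" and "+" as "%2B"; undo that before looking at the alphabet.
    s = unquote(value).strip()
    # Many frameworks emit URL-safe base64; normalise it to the standard alphabet.
    s = s.replace("-", "+").replace("_", "/")
    s = s.rstrip("=")
    # A length of 4k+1 can never be base64 ("number of data characters
    # cannot be 1 more than a multiple of 4"): bail out early.
    if len(s) % 4 == 1:
        return None
    # Re-add the padding that carve regexes and cookie parsers often drop.
    s += "=" * (-len(s) % 4)
    try:
        # validate=True rejects characters outside the alphabet instead of
        # silently discarding them.
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def split_rails_cookie(cookie):
    """Split a legacy Rails signed cookie ('<base64 data>--<hex digest>')
    into its decoded payload and signature.

    Returns None if either part is unusable, so one malformed value
    cannot abort a run over every module.
    """
    data, sep, sig = unquote(cookie).partition("--")
    if not sep or not sig:
        return None
    payload = safe_b64decode(data)
    if payload is None:
        return None
    return payload, sig
```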
Traceback (most recent call last):
File "/home/liquid/.local/bin/badsecrets", line 8, in <module>
sys.exit(main())
^^^^^^
File "/home/liquid/.local/lib/python3.11/site-packages/badsecrets/examples/cli.py", line 233, in main
hashcat_candidates = hashcat_all_modules(*args.product)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: hashcat_all_modules() takes 1 positional argument but 2 were given
input: badsecrets zzzz KLox5XeGYfb7Lo8zFzr1YepUagXuixcxX55lpFht+rrW6VGheZi831vdusH6DCMfxIhsLG1EPU3OuPvqN2XBc/fj0ew15TQ1zBmmKWJVns4=
Currently, modules have to opt in to the identity check. This check should be present automatically and have to be explicitly opted out of.
I had trouble getting this to run on my system with the dependencies, so I Dockerized it, and now it's working.
It's on Docker Hub: https://hub.docker.com/r/pensivesecurity/badsecrets
It can be run with
docker run pensivesecurity/badsecrets -h
If you have a custom secrets file, place the file "decryptionkeys.txt" in your current directory, then run
docker run -v $PWD:/tmp/ pensivesecurity/badsecrets -c /tmp/decryptionkeys.txt [rest_of_command]
The Dockerfile is
FROM python:3
RUN python -m pip install badsecrets
ENTRYPOINT ["badsecrets"]
Please feel free to push an official container and add it to the installation instructions if you want. I figured I'd share this information in case it was helpful to anyone else.
We need to report as a list since there could be multiple matches
{"description": "Cryptographic Product identified. Product Type: [Java Server Faces Viewstate] Product: [Ly8gp+FZKt9XsaxT5gZu41DDxO74k029z88gNBOru2jXW0g1Og+RUPdf2d8hGNTiofkD1VvmQTZAfeV+5qijOoD+SPzw6K72Y1H0sxfx5mFcfFtmqX7iN6Gq0fwLM+9PKQz88f+e7KImJqG1cz5KYhcrgT87c5Ayl03wEHvWwktTq9TcBJc4f1VnNHXVZgALGqQuETU8hYwZ1VilDmQ7J4pZbv+pvPUvzk+/e2oNeybso6TXqUrbT2Mz3k7yfe92q3pRjdxRlGxmkO9bPqNOtETlLPE5dDiZYo1U9gr8BBD=] Detecting Module: [Jsf_viewstate]",
(from bbot scan)
Add an example CLI capable of both check_secret and python request-based carve functions
add an optional severity level for each module (low, medium, high, critical)
create a module to exploit known org.apache.myfaces.SECRET and/or org.apache.myfaces.MAC_SECRET as tested via javax.faces.viewstate value
Currently, only the express-session middleware is supported by the expressjs module, however the cookie-session middleware (which uses a two-cookie format) should also be checked.
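The two-cookie format the issue refers to: cookie-session stores the base64-encoded session JSON in `session` and a Keygrip signature in `session.sig`, where the signature is an HMAC (SHA-1 by default) over the string `session=<value>`, base64-encoded with `+` and `/` replaced by `-` and `_` and the `=` padding dropped. The following is an added example (my code, not the expressjs module) that checks whether a captured pair was signed with a given candidate key; the key and cookie values are constructed placeholders:

```python
import base64
import hashlib
import hmac
import json


def keygrip_sign(data, key, digest="sha1"):
    """Reproduce Keygrip's signature encoding: HMAC over `data`, base64 with
    '+' -> '-', '/' -> '_' and the '=' padding removed."""
    mac = hmac.new(key.encode(), data.encode(), getattr(hashlib, digest)).digest()
    return base64.b64encode(mac).decode().replace("+", "-").replace("/", "_").rstrip("=")


def cookie_session_key_matches(name, value, sig, candidate_key, digest="sha1"):
    """True if '<name>=<value>' signed with candidate_key yields `sig`.

    The cookies library signs the serialised 'name=value' string, not the
    bare value, so a check over the value alone would never match.
    """
    expected = keygrip_sign(f"{name}={value}", candidate_key, digest)
    return hmac.compare_digest(expected, sig)


def find_known_key(cookies, candidates, name="session"):
    """Return the candidate key that validates the cookie-session pair in a
    parsed cookie jar, or None. Missing cookies yield None rather than an
    exception, which is the common case on non-express targets."""
    value = cookies.get(name)
    sig = cookies.get(f"{name}.sig")
    if value is None or sig is None:
        return None
    for key in candidates:
        if cookie_session_key_matches(name, value, sig, key):
            return key
    return None


# Constructed sample: a session cookie as cookie-session would emit it,
# signed with a placeholder key standing in for a known-weak default.
WEAK_KEY = "placeholder-default-key"
SESSION_VALUE = base64.b64encode(
    json.dumps({"user": "alice"}, separators=(",", ":")).encode()
).decode()
SAMPLE_COOKIES = {
    "session": SESSION_VALUE,
    "session.sig": keygrip_sign(f"session={SESSION_VALUE}", WEAK_KEY),
}
```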
Example FP:
s%3A777e09e%22%3A%7B%22%7B%7D%22%3A%7B%22viewLayout%22%3A%7B%22id%22%3A%22viewLayout%22%2C%22homepageFaqs%22%3A%7B%22id%22%3A%22homepage_faqs%3A6689855e%22%2C%22faqs%22%3A%7B%22id%22%3A%22homepage_faqs%3A9fffd7f5%3Afaqs%22%2C%22headerString%22%3A%22Common%20questions%22%2C%22faqsItems%22%3A%5B%7B%22id%22%3A%22homepage_faqs%3A939764f6%3Afaqs%3Afaqs_item%3Ae960175f%22%2C%22questionString%22%3A%22How%20does%20Instacart%20delivery%20and%20curbside%20pickup%20work%3F%22%2C%22faqsItemAnswers%22%3A%5B%7B%22id%22%3A%22homepage_faqs%3Afb0ec3d4%3Afaqs%3Afaqs_item%3Abd312aff%3Afaqs_item_answer%3Aa97f58ca%22%2C%22answerString%22%3A%22Instacart%20makes%20it%20easy%20to%20order%20from%20your%20favorite%20stores.%20Shop%20for%20items%20from%20stores%20near%20you%2C%20with%20a%20selection%20of%20more%2
jsf_viewstate module complains when laravel keys are used, as it is trying to base64 decode the entire value. Laravel keys are in the format base64:
This was intentional, due to there being too many false positives. However, we should implement a solution where the carve_regex can still get a crack at it.
The default behavior should be to not follow redirects with an option to follow them if desired.
It looks like README.md got overwritten with that of another project in d08738b. This is the repo for the badsecrets tool, but the file describes baddns.
File "/jwt/api_jws.py", line 88, in get_algorithm_by_name
return self._algorithms[alg_name]
KeyError: 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/jwt/api_jws.py", line 295, in _verify_signature
alg_obj = self.get_algorithm_by_name(alg)
File "/jwt/api_jws.py", line 94, in get_algorithm_by_name
raise NotImplementedError("Algorithm not supported") from e
NotImplementedError: Algorithm not supported
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/root/bbot/bbot/scanner/manager.py", line 306, in catch
ret = callback(args, **kwargs)
File "/root/bbot/bbot/modules/badsecrets.py", line 30, in handle_event
r_list = carve_all_modules(body=resp_body, cookies=resp_cookies)
File "/badsecrets/base.py", line 136, in carve_all_modules
r_list = x.carve(**kwargs)
File "/badsecrets/base.py", line 97, in carve
r = self.carve_to_check_secret(s)
File "/badsecrets/base.py", line 59, in carve_to_check_secret
r = self.check_secret(s.groups()[0])
I had difficulty installing and using the package on a Windows machine; please refer to the command history below for reference.
C:\Users\test\Downloads\badsecrets-main\badsecrets\examples>pip install badsecrets
Collecting badsecrets
Downloading badsecrets-0.3.375-py3-none-any.whl (1.6 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.6/1.6 MB 34.7 MB/s eta 0:00:00
Collecting Django<5.0.0,>=4.1.2
Downloading Django-4.2.3-py3-none-any.whl (8.0 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 8.0/8.0 MB 57.0 MB/s eta 0:00:00
Collecting requests<3.0.0,>=2.28.1
Downloading requests-2.31.0-py3-none-any.whl (62 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.6/62.6 kB 3.5 MB/s eta 0:00:00
Collecting viewstate<0.6.0,>=0.5.3
Downloading viewstate-0.5.3.tar.gz (8.4 kB)
Preparing metadata (setup.py) ... done
Collecting pycryptodome<4.0.0,>=3.15.0
Downloading pycryptodome-3.18.0-cp35-abi3-win_amd64.whl (1.7 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.7/1.7 MB 37.5 MB/s eta 0:00:00
Collecting pytest<8.0.0,>=7.1.3
Downloading pytest-7.4.0-py3-none-any.whl (323 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 323.6/323.6 kB 19.6 MB/s eta 0:00:00
Collecting colorama<0.5.0,>=0.4.6
Downloading colorama-0.4.6-py2.py3-none-any.whl (25 kB)
Collecting pyjwt[crypto]<3.0.0,>=2.6.0
Downloading PyJWT-2.8.0-py3-none-any.whl (22 kB)
Collecting flask-unsign<2.0.0,>=1.2.0
Downloading flask-unsign-1.2.0.tar.gz (14 kB)
Preparing metadata (setup.py) ... done
Collecting asgiref<4,>=3.6.0
Downloading asgiref-3.7.2-py3-none-any.whl (24 kB)
Collecting tzdata
Downloading tzdata-2023.3-py2.py3-none-any.whl (341 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 341.8/341.8 kB ? eta 0:00:00
Collecting sqlparse>=0.3.1
Downloading sqlparse-0.4.4-py3-none-any.whl (41 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 41.2/41.2 kB 1.9 MB/s eta 0:00:00
Collecting flask
Downloading Flask-2.3.2-py3-none-any.whl (96 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 96.9/96.9 kB ? eta 0:00:00
Collecting itsdangerous
Downloading itsdangerous-2.1.2-py3-none-any.whl (15 kB)
Collecting markupsafe
Downloading MarkupSafe-2.1.3-cp310-cp310-win_amd64.whl (17 kB)
Collecting werkzeug
Downloading Werkzeug-2.3.6-py3-none-any.whl (242 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 242.5/242.5 kB ? eta 0:00:00
Collecting cryptography>=3.4.0
Downloading cryptography-41.0.2-cp37-abi3-win_amd64.whl (2.6 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.6/2.6 MB 42.2 MB/s eta 0:00:00
Collecting tomli>=1.0.0
Downloading tomli-2.0.1-py3-none-any.whl (12 kB)
Collecting exceptiongroup>=1.0.0rc8
Downloading exceptiongroup-1.1.2-py3-none-any.whl (14 kB)
Collecting pluggy<2.0,>=0.12
Downloading pluggy-1.2.0-py3-none-any.whl (17 kB)
Collecting packaging
Downloading packaging-23.1-py3-none-any.whl (48 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 48.9/48.9 kB 2.4 MB/s eta 0:00:00
Collecting iniconfig
Downloading iniconfig-2.0.0-py3-none-any.whl (5.9 kB)
Collecting idna<4,>=2.5
Downloading idna-3.4-py3-none-any.whl (61 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.5/61.5 kB ? eta 0:00:00
Collecting urllib3<3,>=1.21.1
Downloading urllib3-2.0.4-py3-none-any.whl (123 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 123.9/123.9 kB ? eta 0:00:00
Collecting charset-normalizer<4,>=2
Downloading charset_normalizer-3.2.0-cp310-cp310-win_amd64.whl (96 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 96.9/96.9 kB 5.4 MB/s eta 0:00:00
Collecting certifi>=2017.4.17
Downloading certifi-2023.5.7-py3-none-any.whl (156 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 157.0/157.0 kB 9.2 MB/s eta 0:00:00
Collecting typing-extensions>=4
Downloading typing_extensions-4.7.1-py3-none-any.whl (33 kB)
Collecting cffi>=1.12
Downloading cffi-1.15.1-cp310-cp310-win_amd64.whl (179 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 179.1/179.1 kB 10.6 MB/s eta 0:00:00
Collecting blinker>=1.6.2
Downloading blinker-1.6.2-py3-none-any.whl (13 kB)
Collecting click>=8.1.3
Downloading click-8.1.6-py3-none-any.whl (97 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 97.9/97.9 kB ? eta 0:00:00
Collecting Jinja2>=3.1.2
Downloading Jinja2-3.1.2-py3-none-any.whl (133 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 133.1/133.1 kB ? eta 0:00:00
Collecting pycparser
Downloading pycparser-2.21-py2.py3-none-any.whl (118 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 118.7/118.7 kB ? eta 0:00:00
Installing collected packages: viewstate, urllib3, tzdata, typing-extensions, tomli, sqlparse, pyjwt, pycryptodome, pycparser, pluggy, packaging, markupsafe, itsdangerous, iniconfig, idna, exceptiongroup, colorama, charset-normalizer, certifi, blinker, werkzeug, requests, pytest, Jinja2, click, cffi, asgiref, flask, Django, cryptography, flask-unsign, badsecrets
DEPRECATION: viewstate is being installed using the legacy 'setup.py install' method, because it does not have a 'pyproject.toml' and the 'wheel' package is not installed. pip 23.1 will enforce this behaviour change. A possible replacement is to enable the '--use-pep517' option. Discussion can be found at pypa/pip#8559
Running setup.py install for viewstate ... done
WARNING: The script sqlformat.exe is installed in 'C:\Users\test\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script normalizer.exe is installed in 'C:\Users\test\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The scripts py.test.exe and pytest.exe are installed in 'C:\Users\test\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script flask.exe is installed in 'C:\Users\test\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script django-admin.exe is installed in 'C:\Users\test\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
DEPRECATION: flask-unsign is being installed using the legacy 'setup.py install' method, because it does not have a 'pyproject.toml' and the 'wheel' package is not installed. pip 23.1 will enforce this behaviour change. A possible replacement is to enable the '--use-pep517' option. Discussion can be found at pypa/pip#8559
Running setup.py install for flask-unsign ... done
WARNING: The script badsecrets.exe is installed in 'C:\Users\test\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed Django-4.2.3 Jinja2-3.1.2 asgiref-3.7.2 badsecrets-0.3.375 blinker-1.6.2 certifi-2023.5.7 cffi-1.15.1 charset-normalizer-3.2.0 click-8.1.6 colorama-0.4.6 cryptography-41.0.2 exceptiongroup-1.1.2 flask-2.3.2 flask-unsign-1.2.0 idna-3.4 iniconfig-2.0.0 itsdangerous-2.1.2 markupsafe-2.1.3 packaging-23.1 pluggy-1.2.0 pycparser-2.21 pycryptodome-3.18.0 pyjwt-2.8.0 pytest-7.4.0 requests-2.31.0 sqlparse-0.4.4 tomli-2.0.1 typing-extensions-4.7.1 tzdata-2023.3 urllib3-2.0.4 viewstate-0.5.3 werkzeug-2.3.6
[notice] A new release of pip is available: 23.0.1 -> 23.2
[notice] To update, run: C:\Users\test\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\python.exe -m pip install --upgrade pip
C:\Users\test\Downloads\badsecrets-main\badsecrets\examples>badsecrets eyJhbGciOiJIUzI1NiJ9.eyJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkJhZFNlY3JldHMiLCJleHAiOjE1OTMxMzM0ODMsImlhdCI6MTQ2NjkwMzA4M30.ovqRikAo_0kKJ0GVrAwQlezymxrLGjcEiW_s3UJMMCo
'badsecrets' is not recognized as an internal or external command,
operable program or batch file.
Add hashcat support + carve regex to ensure identify_only will work for rails cookies
investigate whether this will cause a double report via header carve + cookie check_secret()
Need a standard method for each module to optionally implement that outputs the secret in a format that can be cracked by hashcat
Need a way to optionally pass in a file path to be used instead of the default list associated with that module