Nord Stream is a tool that allows you to list the secrets stored inside CI/CD environments and extract them by deploying malicious pipelines.
It currently supports Azure DevOps and GitHub.
$ pip3 install -r requirements.txt
git is also required (see https://git-scm.com/download/) and must exist in your PATH.
More information in our article: https://www.synacktiv.com/publications/cicd-secrets-extraction-tips-and-tricks
By default, the tool will attempt to extract all secrets from all accessible projects or repositories. Several options are available to restrict the extraction of secrets.
$ python3 nord-stream.py devops -h
CICD pipeline exploitation tool
Usage:
nord-stream.py devops [options] --token <pat> --org <org> [--project <project> --no-vg --no-gh --no-az --write-filter --no-clean]
nord-stream.py devops [options] --token <pat> --org <org> --yaml <yaml> --project <project> [--write-filter]
nord-stream.py devops [options] --token <pat> --org <org> --build-yaml <output> --build-type <type>
nord-stream.py devops [options] --token <pat> --org <org> --clean-logs [--repo <repo>]
nord-stream.py devops [options] --token <pat> --org <org> --list-projects [--write-filter]
nord-stream.py devops [options] --token <pat> --org <org> --list-secrets [--project <project> --write-filter]
Options:
-h --help Show this screen.
--version Show version.
-v, --verbose Verbose mode
-d, --debug Debug mode
args
--token <pat> Azure DevOps personal token
--org <org> Org name
-p, --project <project> Run on selected project (can be a file)
-y, --yaml <yaml> Run arbitrary job
--clean-logs Delete all pipeline created by this tool. This operation is done by default but can be manually triggered.
--no-vg Don't extract variable groups secrets
--no-sf Don't extract secure files
--no-gh Don't extract GitHub service connection secrets
--no-az Don't extract Azure service connection secrets
--list-projects List all projects.
--list-secrets List all secrets.
--write-filter Filter projects where current user has write or admin access.
--build-yaml <output> Create a pipeline yaml file with default configuration.
--build-type <type> Type used to generate the yaml file can be: default, azurerm, github
Examples:
Dump all secrets from all projects
$ nord-stream.py devops --token "$PAT" --org myorg
Authors: @hugow @0hexit
$ python3 nord-stream.py github -h
CICD pipeline exploitation tool
Usage:
nord-stream.py github [options] --token <ghp> --org <org> [--repo <repo> --no-repo --no-env --env <env> --disable-protections --write-filter --branch-name <name>]
nord-stream.py github [options] --token <ghp> --org <org> --yaml <yaml> --repo <repo> [--env <env> --disable-protections --write-filter --branch-name <name>]
nord-stream.py github [options] --token <ghp> --org <org> ([--clean-logs] [--clean-branch-policy]) [--repo <repo> --branch-name <name>]
nord-stream.py github [options] --token <ghp> --org <org> --build-yaml <filename> --repo <repo> [--env <env> --write-filter]
nord-stream.py github [options] --token <ghp> --org <org> --exploit-oidc --azure-tenant-id <tenant> --azure-subscription-id <subscription> --azure-client-id <client> [--repo <repo> --env <env> --branch-name <name>]
nord-stream.py github [options] --token <ghp> --org <org> --list-protections [--repo <repo> --write-filter --branch-name <name> --disable-protections]
nord-stream.py github [options] --token <ghp> --org <org> --list-secrets [--repo <repo>]
nord-stream.py github [options] --token <ghp> [--org <org>] --list-repos [--write-filter]
Options:
-h --help Show this screen.
--version Show version.
-v, --verbose Verbose mode
-d, --debug Debug mode
--output-dir <dir> Output directory for logs
args
--token <ghp> Github personal token
--org <org> Org name
-r, --repo <repo> Run on selected repo (can be a file)
-y, --yaml <yaml> Run arbitrary job
--clean-logs Delete all logs created by this tool. This operation is done by default but can be manually triggered.
--clean-branch-policy Remove branch policy, can be used with --repo. This operation is done by default but can be manually triggered.
--build-yaml <filename> Create a pipeline yaml file with all secrets.
--env <env> Specify env for the yaml file creation.
--no-repo Don't extract repo secrets.
--no-env Don't extract environnments secrets.
--exploit-oidc Generate an access token for a cloud provider using an existing OIDC trust between a cloud role and a GitHub workflow (supports only Azure for now).
--azure-tenant-id <tenant> Identifier of the Azure tenant associated with the application having federated credentials.
--azure-subscription-id <subscription> Identifier of the Azure subscription associated with the application having federated credentials.
--azure-client-id <client> Identifier of the Azure application (client) associated with the application having federated credentials.
--list-protections List all protections.
--list-repos List all repos.
--list-secrets List all secrets.
--disable-protections Disable the branch protection rules (needs admin rights)
--write-filter Filter repo where current user has write or admin access.
--force Don't check environment and branch protections.
--branch-name <name> Use specific branch name for deployment.
Examples:
Dump all secrets from all repositories and try to disable branch protections
$ nord-stream.py github --token "$GHP" --org myorg --disable-protections
Authors: @hugow @0hexit
- Add support of URLs corresponding to Azure DevOps Server instances (on-premises solutions)
- Add an option to extract secrets via Windows hosts
- Add support of other CI/CD environments (GitLab/Jenkins/Bitbucket)
- Implement the extraction of organization secrets on GitHub
- Use the GitHub GraphQL API instead of the REST one to list the branch protection rules and temporarily disable them if they match the malicious branch about to be pushed
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent