From aac366724744b14e15dbd06671acdaf6e88aa347 Mon Sep 17 00:00:00 2001
From: carlospolop
Date: Sun, 25 May 2025 08:15:48 +0200
Subject: [PATCH] f l
---
build_lists/regexes.yaml | 1343 ++++++++++++++++-
.../11_Internet_access.sh | 14 +-
.../linpeas_parts/functions/check_dns.sh | 18 +-
.../linpeas_parts/functions/check_icmp.sh | 13 +-
.../linpeas_parts/functions/check_tcp_443.sh | 21 +-
.../functions/check_tcp_443_bin.sh | 7 +-
.../linpeas_parts/functions/check_tcp_80.sh | 18 +-
7 files changed, 1381 insertions(+), 53 deletions(-)
diff --git a/build_lists/regexes.yaml b/build_lists/regexes.yaml
index f7cb429..5419050 100644
--- a/build_lists/regexes.yaml
+++ b/build_lists/regexes.yaml
@@ -1,3 +1,1340 @@ -# This is a placeholder -# It will be replaced by the actual regexes.yaml file -# generated by download-regexes.py or download-regexes.ps1 (execute it before building the tools) \ No newline at end of file +regular_expresions: + # Hashes passwords + - name: Hashed Passwords + regexes: + - name: Apr1 MD5 + regex: '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}' + example: $apr1$wfw75FKf$WnUqyuLbiqq6.SFF8xJ4h. + + - name: Apache SHA + regex: '\{SHA\}[0-9a-zA-Z/_=]{10,}' + example: > + {SHA}sMt=Yjm=Z_90ysdabtRhxjZXYNMcMt5SF8cfEcsFinq/f=gItL/yStd4PpXIE62nGWW9zEAX6W7OnJRt + + - name: Blowfish + regex: '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*' + example: $2$56$/HL_61V6F0cJMmfms7cu/3qzNx6OeHSRfNqiPzwizC_Se/BVNW0/opOha0AP6UZCPOySjOY + + - name: Drupal + regex: '\$S\$[a-zA-Z0-9_/\.]{52}' + example: $S$oYgf2/JoUwxprWYrbPOXShF7gdb9OBkQ85k6vxgffmwR34hdAseI + + - name: Joomlavbulletin + regex: '[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}' + example: l3SRau7fy20zuc3NBaFB7x13Fp5q3sWr:AoD4BojyIiXv0bCdTTyYC + + - name: Linux MD5 + regex: '\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}' + example: $1$pm184XyU$BSwp2.eFChH_IYZlUrgTlz + + - name: phpbb3 + regex: '\$H\$[a-zA-Z0-9_/\.]{31}' + example: $H$Yl90nWKFGs/KmYA9KKa5BCpK7cC3PAd + + - name: sha512crypt + regex: '\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}' + example: $6$Ce1ild5UdTmRIM/N$CMDumnYFdiAlQAvbcaZ7YqX8hTyhFvQbBZ/6TgmPgfZAuqago5mXDdIMrtkS2GA1iWuSMSpqqEu1nuz6P.7A2e + + - name: Wordpress + regex: '\$P\$[a-zA-Z0-9_/\.]{31}' + example: $P$3kreQHPdsLC_2_4_eLtjWPlmk33mlix + + + # Raw Hashes + - name: Raw Hashes + regexes: + - name: md5 #Too many false positives + regex: '(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)' + example: '129aF9e0aFD4537EF7cBEfdD48Bd2E5B' + falsePositives: True + + - name: sha1 #Too many false positives + regex: '(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)' + example: 'CbD3EDA0f6B83BF12Dc263a75211cB967fCeDeD6' + falsePositives: True + + - name: sha256 #Too many false positives + regex: 
'(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)' + example: 'Ba99CcF0dfDe6eAC6fE9Bcf37aEEAEd5292D3Bd37cc9d0638687EF3Ab7ED7e15+' + falsePositives: True + + - name: sha512 + regex: '(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)' + example: '#961EfAbD2fa0FFF57F5e0Ffae75EEDc1c3E16fD9A597eDAde7ADcEb0DDa19eF92798B9C47f2ebbF55d0E9bfCeC7988AdC8C89cbbafbC2F1acdfCeF2c3133f9db' + + # APIs + # https://github.com/l4yton/RegHex/blob/master/README.md + - name: APIs + regexes: + - name: Artifactory API Token # False + + regex: 'AKC[a-zA-Z0-9]{10,}' # False + + example: 'AKCEoCMlFkeYNmd4Wcqegqp29emhzZNgOCWgQWGrON9nLVBhY' + falsePositives: True + + - name: Artifactory Password + regex: 'AP[0-9ABCDEF][a-zA-Z0-9]{8,}' + example: 'APAbCuDoU02wd5zuA423XeGf' + falsePositives: True + + - name: Authorization Basic # Too many false positives + regex: 'basic [a-zA-Z0-9_:\.=\-]+' + example: 'basic _FWaszX4nLMF2RozmQS19y' + falsePositives: True + + - name: Authorization Bearer # Too many false positives + regex: 'bearer [a-zA-Z0-9_\.=\-]+' + example: 'bearer CydywyUjXWUf' + falsePositives: True + + - name: Adafruit API Key + regex: '([a-z0-9_-]{32})' + example: 16bkl1dofm2-ct-93a8cpdd58pu98dtc + falsePositives: True + + - name: Adobe Client Id (Oauth Web) + regex: > + (adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-f0-9]{32})['"] + caseinsensitive: True + example: adobe_key="abfbc6ccd7dcc43a0b40864b3053c947" + + - name: Abode Client Secret + regex: > + (p8e-)[a-z0-9]{32} + caseinsensitive: True + example: p8e-wg5onua8kmrzdd9cft5f36qw02m6bxda + + - name: Age Secret Key + regex: > + AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58} + example: AGE-SECRET-KEY-1K3WZXJG2V6ERG49R2L5UK8RHT49T2XKXFPPU4UL0SF6GWR6HKVKEC5V969 + + - name: Airtable API Key + regex: > + ["']?air[-_]?table[-_]?api[-_]?key["']?[=:]["']?.+["']" + example: air-table-api-key="5asbtwsfcvfc9zEzFV + (alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-zA-Z0-9-]{32})['"] + caseinsensitive: True + 
example: alchemi_api_kew='OKPUGsiiZ7iVOPC03J0YP1z55xlJW1CA' + + - name: Alibaba Access Key ID + regex: > + (LTAI)[a-z0-9]{20} + caseinsensitive: True + example: LTAIjzto443k30bsher79cf1 + + - name: Alibaba Secret Key + regex: > + (alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{30})['"] + caseinsensitive: True + example: alibaba_key=>'47c0gportvf7cv0d6cbd8lsh5a1ulh' + + - name: Artifactory API Key & Password + regex: > + ["']AKC[a-zA-Z0-9]{10,}["']|["']AP[0-9ABCDEF][a-zA-Z0-9]{8,}["'] + example: > + "AP6XBwIRozqtcJXCax1Sqnerb9X5n0krYeBD93A7UtUuiQczuWM3lwGybD7T7sFNc17f7iw2TMwjWI4ySAiOcBjbvrIGrFz45pRpcvj" + + - name: Asana Client ID + regex: > + ((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([0-9]{16})['"])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{32})['"]) + caseinsensitive: True + example: > + asana_key ="8495730476014822" + + - name: Atlassian API Key + regex: > + (atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{24})['"] + caseinsensitive: True + example: > + atlassian_apikey:'i6xoje8cbxlb32ray2z6eo1o' + + - name: AWS Client ID + regex: '(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}' + extra_grep: '-Ev ":#|:<\!\-\-"' + example: AKIAC7Y99LK8QKG1QWKP + + - name: AWS MWS Key + regex: 'amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' + example: amzn.mws.92ace9f0-3185-779b-583b-2f0c8a92c506 + + - name: AWS Secret Key + regex: aws(.{0,20})?['"][0-9a-zA-Z\/+]{40}['"] + example: aws_key="i6xoje8cbaasxlb32ray2z6eo1oadgfg5e56645a" + + - name: AWS AppSync GraphQL Key + regex: da2-[a-z0-9]{26} + example: da2-0dzr45lxiqwtjq7kbek03wf543 + + #B + - name: Base32 #Too many false positives + regex: '(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?' 
+ example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falsePositives: True + + - name: Base64 #Too many false positives + regex: '(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+/]+={0,2}' + example: 'aHR0cHM6LFRGovTvghMQEwj+Qeq6rhoYcgDSW1e3ZImGF7gmx5I3abFUzFmixjiYyAwEMsrDIULlNypIeZUMthW60/C0J' + falsePositives: True + + + - name: Basic Auth Credentials + regex: '://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+' + example: '://username:password@domain.com' + + - name: Beamer Client Secret + regex: > + (beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"](b_[a-z0-9=_\-]{44})['"] + caseinsensitive: True + example: > + beamer_secret>'b_b4mercz6k_4vmbhk5xbhl6ocnnqcgg0qlmxq8-cts=s6' + + - name: Binance API Key + regex: > + (binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-zA-Z0-9]{64})['"] + caseinsensitive: True + example: > + binance-apikey=>"1q1MFdKkCpJdaIl6d0oqPsO1KAATglQuRhQsCgZoj8atWRAzgyWmi3eleuuJ31J3' + + - name: Bitbucket Client Id + regex: > + ((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{32})['"]) + caseinsensitive: True + example: > + bitbucket-client-id="zuvwzyrzs26ut4bh6oxel0e7444mpd7c" + + - name: Bitbucket Client Secret + regex: > + ((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9_\-]{64})['"]) + caseinsensitive: True + example: > + bitbucketd-client-secret='vnx0ngdq1bvaq1ygo8mcez4vk88ovthfx86y8dgaw1y2s020e1v0o4l1l6tu6q7u" + + - name: BitcoinAverage API Key + regex: > + (bitcoin.?average[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-zA-Z0-9]{43})['"] + caseinsensitive: True + example: > + bitcoin3average-apikey ="M39fxqAGAt9c5KdyKwi8LwpInxsIrHq6Q2EdW3pCiW2" + + - name: Bitquery API Key + regex: > + (bitquery[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([A-Za-z0-9]{32})['"] + caseinsensitive: True + example: > + bitquery-apikey="NWUlHtnehbYZCQN5O46q7oRhzfbZeDjr' + + - name: Bittrex Access Key and Access Key + regex: > + ([a-z0-9]{32}) + 
example: zyppbifc36v4whhn6b0q9x3znqqgkeel + falsePositives: True + + - name: Birise API Key + regex: > + (bitrise[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-zA-Z0-9_\-]{86})['"] + caseinsensitive: True + example: > + bitrisejme="BzVkwOcKAqUPeFAiQCAdlREdK6gUOMIKl3TXKnkxn2frFtkzgw4iDfnI-fkfP3HHXSnt6R9ebZdsNieCm9zQ6m" + + - name: Block API Key + regex: > + (block[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})['"] + caseinsensitive: True + example: > + block-api-key>'6d6i-b8z9-rgob-gzn7' + + - name: Blockchain API Key + regex: > + mainnet[a-zA-Z0-9]{32}|testnet[a-zA-Z0-9]{32}|ipfs[a-zA-Z0-9]{32} + example: mainnetXahUq3S6jcKpNODEnZuswNASzNl3SWA0 + + - name: Blockfrost API Key + regex: > + (blockchain[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[0-9a-f]{12})['"] + caseinsensitive: True + example: > + blockchain='7f803740-47a6-4491-2630-fed376f83003' + + - name: Box API Key + regex: > + (box[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-zA-Z0-9]{32})['"] + caseinsensitive: True + example: > + box-apikey='fwtfdyIEe47lkfI7ErloLt8wgzLgoLsc' + + - name: Bravenewcoin API Key + regex: > + (bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{50})['"] + caseinsensitive: True + example: > + bravenewcoinq93-key<="r42uv5ahxu9ohr4blcom4fkc2vh873f2g8hi64l2ddsit6ipk6" + + #C + - name: Clearbit API Key + regex: > + sk_[a-z0-9]{32} + example: sk_oywau29kv7gcazau366iqeri6rm9qvxz + + - name: Clojars API Key + regex: > + (CLOJARS_)[a-zA-Z0-9]{60} + example: CLOJARS_zU0NGGFrLJZP4QUC46UdwkOCfHJsD6BBssuWSsI0ubOoNNRE9M3dX3BQouu3 + + - name: Cloudinary Basic Auth + regex: 'cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+' + example: cloudinary://152763652812343:PoA@tyrqrxt + + # - name: CoinAPI API Key + # regex: > + # cloudinary://152763652812343:PoA@tyrqrxtrqhxthhhowoohrwwmgkugcizomojityqatiyvfzonomebafubqwlpseppdfgsybuagjrtthlolkifoyg + 
# caseinsensitive: True + # example: > + # cloudinary://152763652812343:PoA@tyrqrxtrqhxthhhowoohrwwmgkugcizomojityqatiyvfzonomebafubqwlpseppdfgsybuagjrtthlolkifoyg + + - name: Coinbase Access Token + regex: > + ([a-z0-9_-]{64}) + example: ez8c5hpyy258a-9gjtsjf-ov7bir--tksmepd_7vg0jcxo8cq85i2p-lnlvdu_rb + falsePositives: True + + - name: Coinlayer API Key + regex: > + (coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{32})['"] + caseinsensitive: True + example: > + coinlayer-apikey=>'mhv6iadrtuiad424xvrhxwgdhqysnmkc' + + - name: Coinlib API Key + regex: > + (coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{16})['"] + caseinsensitive: True + example: > + coinlib-apikey="9vsan5dmjnnlnwqf" + + - name: Confluent Access Token & Secret Key + regex: > + ([a-z0-9]{16}) + example: rd7j4d1is0jpr5d3 + falsePositives: True + + - name: Contentful delivery API Key + regex: > + (contentful[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9=_\-]{43})['"] + caseinsensitive: True + example: > + contentful-key>"0a9cqu5ppw11j0qh-pdydco7c_liooohdv6hcgeqyw5" + + - name: Covalent API Key + regex: > + ckey_[a-z0-9]{27} + example: ckey_63aarh0ax2u56buzhrcsthl9rjo + + - name: Charity Search API Key + regex: > + (charity.?search[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{32})['"] + caseinsensitive: True + example: > + charitysearch-apikey="bcd9589xb6xbrkmhotwvjem16q27a48d" + + #D + - name: Databricks API Key + regex: > + dapi[a-h0-9]{32} + example: dapi3d7473490ca0a6fcdffhdb22c834f3h6 + + - name: DDownload API Key + regex: > + (ddownload[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{22})['"] + caseinsensitive: True + example: > + ddownload-key="pbthiugya51o99xqf8p1wn" + + - name: Defined Networking API token + regex: > + (dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52}) + example: dnkey-22ekn3bd_augf8fg_4vfudl9w2-778r_de4slu1ksk2h8nc8tg53_p4nq=ny5-_li72-3bna9l0_lx9 + + - name: Discord API Key, Client ID & 
Client Secret + regex: > + ((discord[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-h0-9]{64}|[0-9]{18}|[a-z0-9=_\-]{32})['"]) + caseinsensitive: True + example: > + discord-apikey="231ahdc61b46afg8hd39bbbf75f40f9e1e1a637df02de861751ahab6fhgf210e" + + - name: Droneci Access Token + regex: > + ([a-z0-9]{32}) + example: 0ewqr6fc0bhsveyemc0891o53x13z0m6 + falsePositives: True + + - name: Dropbox API Key + regex: > + sl.[a-zA-Z0-9_-]{136} + example: sl&M-ECOse0dUJnSVECSH6TXIj3JJUPCWUEu6Cy2URGlElV8eZgEA9ASDZ3V3B1QnNGZVU8p4DCjl-bBLhmtkF4WzAPNpGOxzfp3SsVjC5aOiYjFXpM_Rw3g8w7O9Ow5X5gwb7HGQHu + + - name: Doppler API Key + regex: > + (dp\.pt\.)[a-zA-Z0-9]{43} + example: dp.pt.uOy0bgBrCHHFqCo2SVN0oZh6SjVqcNnSQaVhs1s2tBR + + - name: Dropbox API secret/key, short & long lived API Key + regex: > + (dropbox[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{15}|sl\.[a-z0-9=_\-]{135}|[a-z0-9]{11}(AAAAAAAAAA)[a-z0-9_=\-]{43})['"] + caseinsensitive: True + example: > + dropbox="yxmet57firzAAAAAAAAAAbt2vvca5egmx5e2srt1q2k2tt6td8szseyd==9wdb7h" + + - name: Duffel API Key + regex: > + duffel_(test|live)_[a-zA-Z0-9_-]{43} + example: duffel_live_-24wL_oJ8O0gr_dBDvPMQR7-02eVoVq3iT85o62FG3x + + - name: Dynatrace API Key + regex: > + dt0c01\.[a-zA-Z0-9]{24}\.[a-z0-9]{64} + example: dt0c01.rG3Hz503P4Tmy5lqVo6Sa6lc.2fwfacxwb7e1fhdo1tu43rjwz6jfqx2t3c7x0w8xzgnw7l8d405w1bcw68t3b74f + + #E + - name: EasyPost API Key + regex: > + EZAK[a-zA-Z0-9]{54} + example: EZAKvZpo6bs0bnqOY3ty0ircwUQQJNK2nhTSL5lF65itLP8OIhQDvOYaBP + + - name: EasyPost test API Key + regex: > + EZTK[a-zA-Z0-9]{54} + example: EZTK47b3UoWmg9DhE7Jif1pw8YnWyNqHwbb1yGHk8IaKYLQP52tbubKhk4 + + - name: Etherscan API Key + regex: > + (etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([A-Z0-9]{34})['"] + example: > + etherscan-apikey="VOOB4X83RVIL0G9B4GN0CMDB103KYKS2VE" + + - name: Etsy Access Token + regex: > + ([a-z0-9]{24}) + example: d71s4p3clzc2gnlshgxbwpgn + falsePositives: True + + #F + - name: 
Facebook Access Token + regex: 'EAACEdEose0cBA[0-9A-Za-z]+' + example: EAACEdEose0cBANhYw0IOm0ca1l5wt6AosU7OBvtKHtApURC3sSRIH3VlcCnZBapibvKR9XtiJuiwg5T0U8FLdOl3DF4LMlVp3wCF3N + + - name: Facebook Client ID + regex: ([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['"][0-9]{13,17} + example: > + fACEBOOK-clientID="4507045253731 + + - name: Facebook Oauth + regex: > + [fF][aA][cC][eE][bB][oO][oO][kK].*['|"][0-9a-f]{32}['|"] + example: > + FACEBooK-oauth='ff2a9017d57f3b483d5459187522624c' + + - name: Facebook Secret Key + regex: > + ([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['"][0-9a-f]{32} + example: > + faceBOOk-secret='c0fcb075723dac614f1d01651ec75c79 + + - name: Fastly API Key + regex: > + (fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9=_\-]{32})['"] + caseinsensitive: True + example: > + fastly-apikey="487liqwns3mx2zdfyyun=m6co2s2-s1x" + + - name: Finicity API Key & Client Secret + regex: > + (finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-f0-9]{32}|[a-z0-9]{20})['"] + caseinsensitive: True + example: > + finicity-key="78cf798530fd0c892d863dd0991a6e90" + + - name: Flickr Access Token + regex: > + ([a-z0-9]{32}) + example: 36ce23shl017fi72pdeyz2lf3d9vda9w + falsePositives: True + + - name: Flutterweave Keys + regex: > + FLWPUBK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST[a-hA-H0-9]{12} + example: > + FLWPUBK_TEST-40672c4BFaHBHe84a9fd2af3e98c7D23-X + + - name: Frame.io API Key + regex: > + fio-u-[a-zA-Z0-9_=\-]{64} + example: > + fio-u-Qq8OTgvWoXvJNK815rMihgunAdKXk9X0n8P_j52CJKtcpww1h1VCZ4UD9Wd4IhMW + + - name: Freshbooks Access Token + regex: > + ([a-z0-9]{64}) + example: bjbv4xvi5g55oqtkdlokxgp3af1bq02ryhsgmhhj9qt7c4hl7t1jvtx0so6y45gd + falsePositives: True + + #G + - name: Github + regex: > + github(.{0,20})?['"][0-9a-zA-Z]{35,40} + example: > + github="5fJnOG7J5g32cudy8X1moNmFmLLt3V5ZQxvE + + #- name: Github App Token, OAuth Access Token, Personal Access Token & Refresh Token + # 
regex: > + # (ghu|ghs)_[0-9a-zA-Z]{36}|gho_[0-9a-zA-Z]{36}|ghp_[0-9a-zA-Z]{36}|ghr_[0-9a-zA-Z]{76} + + - name: Github App Token + regex: > + (ghu|ghs)_[0-9a-zA-Z]{36} + example: > + ghu_di9hDkVMVGKPN1jjTt9UuTf363LhlmHm9mws + + - name: Github OAuth Access Token + regex: > + gho_[0-9a-zA-Z]{36} + example: > + gho_sfo8CcdMKCREliT5E5siPIp8gHEWeYC4GcQF + + - name: Github Personal Access Token + regex: > + ghp_[0-9a-zA-Z]{36} + example: > + ghp_QwoInpFNt286yfutmm0wAJzg9zbHKpUY8G34 + + - name: Github Refresh Token + regex: > + ghr_[0-9a-zA-Z]{76} + example: > + ghr_T3PPq0D1KnSVY7tERnMgVV5dcDkt0q4lXOuYMdEPpefkROVgJQWYSxEJk4hG1idcLdEu1TR1eWDi + + - name: GitHub Fine-Grained Personal Access Token + regex: > + github_pat_[0-9a-zA-Z_]{82} + example: > + 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 + + - name: Gitlab Personal Access Token + regex: > + glpat-[0-9a-zA-Z\-]{20} + example: > + glpat-RrZBU3rfrA2UahiOH6XQ + + - name: GitLab Pipeline Trigger Token + regex: > + glptt-[0-9a-f]{40} + example: > + glptt-30810ea3eda2611d3500eb3a95dd004fa1965928 + + - name: GitLab Runner Registration Token + regex: > + GR1348941[0-9a-zA-Z_\-]{20} + example: > + GR1348941RzEF5zAQQ0ljjE72T-33 + + - name: Gitter Access Token + regex: > + ([a-z0-9_-]{40}) + example: 9rh0n83z874h767-2-lmwmjq-t63dcsik6yr0awn + falsePositives: True + + - name: GoCardless API Key + regex: > + live_[a-zA-Z0-9_=\-]{40} + example: > + live_tQ-4JaiqLoamdNuNMtwbP52m-HgqyS52gVedEBoC + + - name: GoFile API Key + regex: > + (gofile[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-zA-Z0-9]{32})['"] + caseinsensitive: True + example: > + gofile-apikey="Tt3euLPBD4iwHfGRq3pk7CRysWqkk2ge" + + - name: Google API Key + regex: 'AIza[0-9A-Za-z_\-]{35}' + example: > + 'AIzah9OABA-RY7awgoau_C6RRi5R3g3e9d9Q37P' + + - name: Google Cloud Platform API Key + regex: > + (google|gcp|youtube|drive|yt)(.{0,20})?['"][AIza[0-9a-z_\-]{35}]['"] + example: > + 
google-cloud-apikey='uhldjibyb56zz-Afos3m[wxa-mnp1oAfs6e]' + + - name: Google Drive Oauth + regex: '[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com' + example: 06181489670499612563316814427797547102771400020446857617056-osFKrSfrtmoEl3dSshnlTHDM6rTevnn4.apps.googleusercontent.com + + - name: Google Oauth Access Token + regex: 'ya29\.[0-9A-Za-z_\-]+' + example: ya29.j8lNIMiRgzGa4KQTehLAlBUx441wduUe9vYLQqp + + - name: Google (GCP) Service-account + regex: '"type.+:.+"service_account' + example: > + "type": "service_account" + + + # - name: Google API Key, Drive Oauth, Oauth Access Token, Service Account, Signed storage URLs, Legacy creds and Signed policy documents in HTML + # regex: > + # (AIza[0-9A-Za-z_\-]{35})|([0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com)|(ya29\.[0-9A-Za-z_\-]+)|("type": "service_account")|(storage.googleapis.com.*?Goog-Signature=[a-f0-9]+)|([^{}]*?client_id[^{}]*?client_secret.*)|(
) + + - name: Grafana API Key + regex: > + eyJrIjoi[a-z0-9_=\-]{72,92} + caseinsensitive: True + example: eyJrIjoi-grafana-api-key=-asadcaxcpg319pihinvbs=bm-qhxyoag6ol0hdhjdb7b5tl1dx_uqhl + + - name: Grafana cloud api token + regex: > + glc_[A-Za-z0-9\+/]{32,}={0,2} + example: > + glc_vC2f5kkH7NDcyRd/8I9mSPmKsrpwDpWHCmjxNOjmXLN+AuYmh0y9gA5/X3BD0b5qkBNV7TTwatcJC4mvIq0VEySn2bfnsXQIxtuqaPw/xc3/9PmALD/EHfoR6ebEGgMO1C2lW81Nz6Js94BX5eMDPn/0+WRwMrYnxNxqwJr7yI0Kw0ZfNDC+ROHE7XjcDfRmzUvn7mZoxePoI4aYd0RAUmzbfCs/bwSWzWVuLkc63uNsNApUSMhQG5Vndb/QQGzb79XX+yHuXrLYy= + + - name: Grafana service account token + regex: > + (glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8}) + example: glsa_fWkrfIUhX7gYNSQIFWSbnNyR1kAyOiA9_ecd27EAb + + #H + - name: Hashicorp Terraform user/org API Key + regex: > + [a-z0-9]{14}\.atlasv1\.[a-z0-9_=\-]{60,70} + example: > + izk1hawfnui5xc.atlasv1.kxfv6ncrmadace26slc1-sbbaim4yw5k2f2-y4-8wtv_ukr=61-bnatt71551o6qgeo5 + + - name: Heroku API Key + regex: '[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}' + example: > + HeRokU-apikey=WBEA1B3FE-4C62-30C9-B600-45D4382AC0A5 + + - name: Hubspot API Key + regex: > + ['"][a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12}['"] + caseinsensitive: True + example: > + "f69772hb-3d78-c7hd-47eh-9fg423a4beh1" + + #I + - name: Instatus API Key + regex: > + (instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{32})['"] + caseinsensitive: True + example: > + instatus-apikey="ux6mmcb4hvbd37ypufm9wtag8c6it8i9" + + - name: Intercom API Key & Client Secret/ID + regex: > + (intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['"] + caseinsensitive: True + example: > + intercom-apikey='20db6c3a-7e9g-4115-fgga-8e9g9bdb66ga' + + - name: Ionic API Key + regex: > + (ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"](ion_[a-z0-9]{42})['"] + caseinsensitive: True + example: > + 
ionic-apikey="ion_iftdb2dqw2p4zjrx4ukmd3gyu1j09tisku8krr7ftb" + + #J + - name: Jenkins Creds + regex: > + <[a-zA-Z]*>{[a-zA-Z0-9=+/]*}< + example: > + {zNWoeLK6b/VTY/zjcXLRicWTgygWmieeyS55L5RCaAul9Y3B5hrySZeWIO/u68LMVa0QuvOZoviAAW6Ewlz0Vy9vFgAi8zhzC}< + + - name: JSON Web Token + regex: > + (ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2}) + example: > + ey1j0if36vnu4kd71g19bwm90albqy3ghdpo.ey_-l6_8nramid0tsubb0y4uuf/m7e/wv804gd19bl4r3ddohfiqqfhavbaa9koe_4_34s_4uo70w_gec8t1-jvnqn9qxgdtav_pq_h0km0lh/v51ymqd7s-rd2bx8v0v4zceq4bojrtltxh.LIlpO2lRyoIXqI33jrJ6BNyh_BbGH-nsqjRTABzoOURRhK1NhKtzBmOwRd4Q1pBWAOJC_PyAmTPIxise9MU0zNO6bycbx== + + #K + + - name: Kraken Access Token + regex: > + ([a-z0-9\/=_\+\-]{80,90}) + example: 78v5z=/0wzau+a3hmj2dtw3og5zl64_g-7hy/w8tpa68evvu+2yx73dnhr7xff-p7w0simau/8qlz0p=b + falsePositives: True + + - name: Kucoin Access Token + regex: > + ([a-f0-9]{24}) + example: 1a74895b3e160591722b5b27 + falsePositives: True + + - name: Kucoin Secret Key + regex: > + ([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) + example: 94a1b7bd-3d95-1358-cfe5-dc139bf0fd38 + falsePositives: True + + #L + - name: Launchdarkly Access Token + regex: > + ([a-z0-9=_\-]{40}) + example: jqn==s5wkr4ky1=u1wm=rt2rh9y69futftgcztr9 + falsePositives: True + + - name: Linear API Key + regex: > + (lin_api_[a-zA-Z0-9]{40}) + example: > + lin_api_Z0jIN8ST4vHdrVskbfwp2KGiW7IdYwjNGbRKwLP6 + + - name: Linear Client Secret/ID + regex: > + ((linear[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-f0-9]{32})['"]) + example: > + linear-secret="9956feac192dfb52a9ab1ed56b82f9c9" + + - name: LinkedIn Client ID + regex: > + linkedin(.{0,20})?['"][0-9a-z]{12}['"] + example: > + linkedin-clienId = 'cznnp67tejf8' + + - name: LinkedIn Secret Key + regex: > + linkedin(.{0,20})?['"][0-9a-z]{16}['"] + example: > + linkedin-secret-key='ob99z693jsuo7squ' + + - name: Lob API Key + regex: > + ((lob[a-z0-9_ 
\.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]((live|test)_[a-f0-9]{35})['"])|((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]((test|live)_pub_[a-f0-9]{31})['"]) + caseinsensitive: True + example: > + lob-key='live_pub_057b776b74ef015b3dedeef0ad00e75' + + - name: Lob Publishable API Key + regex: > + ((test|live)_pub_[a-f0-9]{31}) + example: live_pub_f85c6881326b1054d35a88edfaeeb5c + + #M + - name: MailboxValidator + regex: > + (mailbox.?validator[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([A-Z0-9]{20})['"] + caseinsensitive: True + example: > + mailboxCvalidator="ZKLAP8XCH2748GFZO5YQ" + + - name: Mailchimp API Key + regex: '[0-9a-f]{32}-us[0-9]{1,2}' + example: > + 1a5576f801fd309054c2a33565a4861a-us0 + + # - name: Mailgun API Key, Public Validation Key & Webhook signing key + # regex: > + # key-[0-9a-zA-Z]{32}'|pubkey-[a-f0-9]{32}|[a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8} + + - name: Mailgun API Key + regex: > + key-[0-9a-zA-Z]{32}' + example: > + key-aW3RBFRd70BUjs8RF0kO52mzMT5dumQa' + + - name: Mailgun Public Validation Key + regex: > + pubkey-[a-f0-9]{32} + example: pubkey-520f647b5c0aef421bb2dd609a2f2435 + + - name: Mailgun Webhook signing key + regex: > + [a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8} + example: 332f30ehda61ggg1gc3cd272c1eh275c-d6cadcge-abd44751 + + - name: Mandrill API Key + regex: > + md-[A-Za-z0-9]{22} + example: md-I0rALsRbtC6Z7BHs9EfMgQ + + - name: Mapbox API Key + regex: '(pk\.[a-z0-9]{60}\.[a-z0-9]{22})' + caseinsensitive: True + example: > + pk.5ao0tbtxbbjaqil39ayfv9dufje7756s32htr3k2mk85lmq895g2edwyon6c.e4ivqopwbuulo78o09il94 + + - name: Mattermost Access Token + regex: > + ([a-z0-9]{26}) + example: oiptatdsolk3v3ez1bssf132ob + falsePositives: True + + - name: MessageBird API Key & API client ID + regex: > + (messagebird[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{25}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['"] + caseinsensitive: True + example: > + 
messagebird-clientid='45a929hf-bc4e-0b17-1bae-4hbce55dg348' + + - name: Microsoft Teams Webhook + regex: > + https:\/\/[a-z0-9]+\.webhook\.office\.com\/webhookb2\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\/IncomingWebhook\/[a-z0-9]{32}\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12} + example: > + https://ceftexl1bdkycusaze1xpwgss9sh8mjwo63lcx9wps3ii9yp9bxn10wradj81dc4bb42y7htxmbf6rybe12.webhook.office.com/webhookb2/wjph4wcu-5pd2-mzib-gm5k-hn2pxkhrokgx@61jrwbxf-i1aq-gn0f-3jee-ce7i69plt8je/IncomingWebhook/1uc2a14qtejjcradtkofxbmi9d7oasot/5p58k8hx-23qy-pq90-qdql-xgkl746l8hq6 + + - name: MojoAuth API Key + regex: > + [a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} + example: c226c5fc-11d5-9715-82e1-9992fba09ab7 + falsePositives: True + + #N + - name: Netlify Access Token + regex: > + ([a-z0-9=_\-]{40,46}) + example: 981ppppz8if=o5tv61mb4ozxyt=2sgx_-unn2ycpvyffh + falsePositives: True + + - name: New Relic User API Key, User API ID & Ingest Browser API Key + regex: > + (NRAK-[A-Z0-9]{27})|((newrelic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([A-Z0-9]{64})['"])|(NRJS-[a-f0-9]{19}) + example: > + NRJS-a22f182e458a8b3c1be + + - name: Nownodes + regex: > + (nownodes[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([A-Za-z0-9]{32})['"] + example: > + nownodes="Aj1oaOKzBMQbeJmbDJrQynPdnQZLNVs4" + + - name: Npm Access Token + regex: > + (npm_[a-zA-Z0-9]{36}) + example: npm_4B7WG9aTx3E82k5RVFf75NnZ1a3AgQDSmmVr + + - name: Nytimes Access Token + regex: > + ([a-z0-9=_\-]{32}) + example: knl9e1tk954c5o38urb7yv9nemx6_4n9 + falsePositives: True + + #O + - name: Okta Access Token + regex: > + ([a-z0-9=_\-]{42}) + example: 3hyl=yjq9ctnc4dv44c72_ij93c_0auxzad8ybb4e8 + falsePositives: True + + - name: OpenAI API Token + regex: > + sk-[A-Za-z0-9]{48} + example: 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 + + - name: ORB Intelligence Access Key + regex: > + 
['"][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['"] + example: > + '25753e76-3c39-81e8-5d79-dc5d516df5ac' + + #P + - name: Pastebin API Key + regex: > + (pastebin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{32})['"] + caseinsensitive: True + example: > + pastebin-apikey='i7oebqjseaz6ykkiounpy7qsg0dodtvz' + + - name: PayPal Braintree Access Token + regex: > + access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32} + example: > + access_token$production$0ryxj99lrf9du9nd$dd5c8484b79bfe6fc0083d479ade256d + + - name: Picatic API Key + regex: 'sk_live_[0-9a-z]{32}' + example: sk_live_wwo1bqvcv038p28p6t7tjwrd890w6cfy + + - name: Pinata API Key + regex: > + (pinata[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{64})['"] + caseinsensitive: True + example: > + pinata-apikey="0qzrcgwdjf75gqo8k1jmahsx0z9yfhn29r6qrtpbebb8cpxwze1jw87w7rnco5rt" + + - name: Planetscale API Key + regex: > + pscale_tkn_[a-zA-Z0-9_\.\-]{43} + example: > + pscale_tkn_Be8DvVdA-lx5bFT5zSm9dB.j5h9Wf28udxNZzuAUta. 
+ + - name: PlanetScale OAuth token + regex: > + (pscale_oauth_[a-zA-Z0-9_\.\-]{32,64}) + example: > + pscale_oauth_s81e5G44cwgi0l6_6YyRIxRLtXSJcaVB-8UtQ-hU-X_SS75J + + - name: Planetscale Password + regex: > + pscale_pw_[a-zA-Z0-9_\.\-]{43} + example: > + pscale_pw_hjn.wGE5_4QyNi9oTU6zTISo3a6z7KEFYTkRoqftKY9 + + - name: Plaid API Token + regex: > + (access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) + example: access-production-e76e4577-7d49-3798-55dd-ae74fbfbc35c + + - name: Plaid Client ID + regex: > + ([a-z0-9]{24}) + example: kb3rphq68yglgqx9tm4ieggx + falsePositives: True + + - name: Plaid Secret key + regex: > + ([a-z0-9]{30}) + example: nj6e8igjbii8qd1kzg0vceiywemfsy + falsePositives: True + + - name: Prefect API token + regex: > + (pnu_[a-z0-9]{36}) + example: pnu_hcozg01pfx6buqf66jjqlbl1tt28kvm13vya + + - name: Postman API Key + regex: > + PMAK-[a-fA-F0-9]{24}-[a-fA-F0-9]{34} + example: > + PMAK-7C6A2bB463efEF8d475e5fFA-dEBf2BcA21fC3fC2fFcbc9bDD7F490bDbf + + - name: Private Keys + regex: > + \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN OPENSSH PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN PGP PRIVATE KEY BLOCK\-\-\-\-\-|\-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\- + example: -----BEGIN PGP PRIVATE KEY BLOCK----- + + - name: Pulumi API Key + regex: > + pul-[a-f0-9]{40} + example: pul-810ee274558b1d4259bad12e69813fe882dc088d + + - name: PyPI upload token + regex: > + pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_\-]{50,} + example: 
pypi-AgEIcHlwaS5vcmcMSAFV3tdkC4E3igwL3BBXYihtA9DksF308NrGABBCUo5XUqOrRwHr6wlGdBtV7sdbF9rYRz_K4sestJOyVhDUmGe7sAlXq7IWa2U8wPA5dxzGyoBOOq71P53rgGUvI-OG4VXe8qauHENTvW2H-bHS3jvBP3AKWAi3ux3qxl4oyp7752I8sF3Ho6YA6yIwQLBGWk_tQueTkxSVSTqfDUmbDd87AZXWLG1q5YCPS1vxU5CAr-2iQMp3B94c7wVkbO1gt3HGPMZhk8BFQF0k24PigC4q4ZUP917XJsC9GOfdJkZxoBOtjf8df2xJyriDxNlD3Xd4g5ugEkwg-isiulEMHJSl89WJbGcXWmdUJIPAfmcI6QjaoYEemlEkRxHlOWa_tavMHnARKCkLq2XAB65WpKipsD3WlqPw2A8ekc131ok2psVtFnxE6RFmYB2QacVa1ZQ8bd8Z5V5InAEDA7cBkhcaBFhgcfJRr0YBUmUB2BpZFimgOn3gewiBNU_NRPSK0v319k7CQI57gzyU9BajW3vVte8RKorviV94fytNx-epCP + + #Q + - name: Quip API Key + regex: > + (quip[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-zA-Z0-9]{15}=\|[0-9]{10}\|[a-zA-Z0-9\/+]{43}=)['"] + caseinsensitive: True + example: > + quip-apikey= "ynkkxF8S9sm67Z8=|8554544522|S2Ortt+EcWPwdb0gi8c/XWXXAX30nIJH7pdygqsMnXp=' + + #R + - name: RapidAPI Access Token + regex: > + ([a-z0-9_-]{50}) + example: jle6dmk-8n2s8sexr4_8_1iqqeoflouzbt1re4871iiwa3w0bi + falsePositives: True + + - name: Rubygem API Key + regex: > + rubygems_[a-f0-9]{48} + example: rubygems_f59b6a3470ed9e76f6ea9c9cd7b3b8543fb7c386c626f92c + + - name: Readme API token + regex: > + rdme_[a-z0-9]{70} + example: rdme_k50cmrdy4vuysoe6gtuwgajs58em0bobohk747mf5lgtjw477nvllkz37tedjqok362xaf + + #S + - name: Sendbird Access ID + regex: > + ([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) + example: 99525f82-5f75-cc96-dd2a-f5ae9fb78002 + alsePositives: True + + - name: Sendbird Access Token + regex: > + ([a-f0-9]{40}) + example: d214692636fda359cb7cd3d752a03c9785e9a18c + falsePositives: True + + - name: Sendgrid API Key + regex: > + SG\.[a-zA-Z0-9_\.\-]{66} + example: SG.SAOyez.icLIwv1UnBSGxw0jnMLlwAO65yHWh4uwL_jc6tmPf4kI1B08YvnWx0XpJGX + + - name: Sendinblue API Key + regex: > + xkeysib-[a-f0-9]{64}-[a-zA-Z0-9]{16} + example: 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 + + - name: Sentry Access Token + regex: > + 
([a-f0-9]{64}) + example: 03f0995a9ac969aa0325da15b006865031733e421fa0594c8025d6321793d5af + falsePositives: True + + - name: Shippo API Key, Access Token, Custom Access Token, Private App Access Token & Shared Secret + regex: > + shippo_(live|test)_[a-f0-9]{40}|shpat_[a-fA-F0-9]{32}|shpca_[a-fA-F0-9]{32}|shppa_[a-fA-F0-9]{32}|shpss_[a-fA-F0-9]{32} + example: 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 + + - name: Sidekiq Secret + regex: > + ([a-f0-9]{8}:[a-f0-9]{8}) + example: aa6971d0:acbd1cdf + + - name: Sidekiq Sensitive URL + regex: > + ([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com) + example: > + 8ffd9ff3:69359946@enterprisebcontribsysrcom + + - name: Slack Token + regex: 'xox[baprs]-([0-9a-zA-Z]{10,48})?' + example: > + xoxr-D4tmaOXPgFU8b9b5fdLEinAI + + - name: Slack Webhook #Not interesting + regex: 'https://hooks.slack.com/services/T[a-zA-Z0-9_]{10}/B[a-zA-Z0-9_]{10}/[a-zA-Z0-9_]{24}' + example: > + https://hooks~slack4com/services/TT2AyZS32eh/BgMtxMkFcGT/lgXCUInK2hgMgs2VIoDrYBbK + + - name: Smarksheel API Key + regex: > + (smartsheet[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{26})['"] + caseinsensitive: True + example: > + smartsheet-apikey='2dqi66zfexrmtmgo6fwbpwr4dk' + + - name: Square Access Token + regex: 'sqOatp-[0-9A-Za-z_\-]{22}' + example: > + sqOatp-QzdbHA0Vb5xMWSzlJZq0G3 + + - name: Square API Key + regex: > + EAAAE[a-zA-Z0-9_-]{59} + example: EAAAEN71jw35eKEfh8Tuduzbjf2WDl1p3Jt9MtDLL4A0w2GMa7zliU1mI-DouJML + + - name: Square Oauth Secret + regex: 'sq0csp-[ 0-9A-Za-z_\-]{43}' + example: > + sq0csp-6NsAS fw9NQQ6nnOMzqHt-JJEDHIxuBSFjoU37VqTda + + - name: Stytch API Key + regex: 'secret-.*-[a-zA-Z0-9_=\-]{36}' + example: > + secret-2&5="]g`/7%1!fM|+nw*T:>QQZsZEe-IRtV|w + (sk|pk)_(test|live)_[0-9a-z]{10,32}|k_live_[0-9a-zA-Z]{24} + caseinsensitive: True + example: > + sk_test_t9abh3jbt4h54uscv00xbvj + + - name: SumoLogic Access ID + regex: > + ([a-z0-9]{14}) + example: 96c2p2dkmot543 + falsePositives: True 
+ + - name: SumoLogic Access Token + regex: > + ([a-z0-9]{64}) + example: elnz883f0nr0bq2w4iwmubu1nzxoy9vl76230yiz88latw21ci5e5vlo0npoznq7 + falsePositives: True + + #T + - name: Telegram Bot API Token + regex: > + [0-9]+:AA[0-9A-Za-z\\-_]{33} + example: > + 45319947787793085566872946499104659857938160004516372140868611:AA7HRqPqHBc]rgeV73I2^Vy2^]gn2Zqag5E + + - name: Travis CI Access Token + regex: > + ([a-z0-9]{22}) + example: yil7rjygrps8n92ume8eie + falsePositives: True + + - name: Trello API Key + regex: > + (trello[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([0-9a-z]{32})['"] + example: > + trellop-apikey='fefv0v1t1u0kcu27aghl6x7rkgh22o9j' + + - name: Twilio API Key + regex: 'SK[0-9a-fA-F]{32}' + example: SK7dAbbd7E729f7B15aBf2E23936dB1f1E + + - name: Twitch API Key + regex: > + (twitch[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9]{30})['"] + example: > + twitch-apikey='m1apxmp9wx0zho75dqepftliue4lki' + + - name: Twitter Client ID + regex: > + [tT][wW][iI][tT][tT][eE][rR](.{0,20})?['"][0-9a-z]{18,25} + example: > + twITter"8dbvxacfwy156oy7bju + + - name: Twitter Bearer Token + regex: > + (A{22}[a-zA-Z0-9%]{80,100}) + example: AAAAAAAAAAAAAAAAAAAAAAsrIRuumqNo14xDR667rmftkzr3Wf2l7RjZaDkn8dNPoW6AZ7SLNEkY3DUwlcadFYI9TGeY0fhJfQ85kM5lt5X3vm%BpAOe2E5Hm + + - name: Twitter Oauth + regex: > + [tT][wW][iI][tT][tT][eE][rR].{0,30}['"\\s][0-9a-zA-Z]{35,44}['"\\s] + example: > + TwittER%bwO{:ApFxi(vPdsWfKrJSJzDvq9k23tIrYmpLi1iKJTaSjLuYd22L' + + - name: Twitter Secret Key + regex: > + [tT][wW][iI][tT][tT][eE][rR](.{0,20})?['"][0-9a-z]{35,44} + example: > + TWiTTer'lv93m7sakl98b0b42cn3vka3zc2952oicl4w + + - name: Typeform API Key + regex: > + tfp_[a-z0-9_\.=\-]{59} + example: > + tfp_k-hu0c.._s1of67nozvagd2j-i09w6x.r-jsj_qd2wnqanobjz.ln=d3d1f + + #U + - name: URLScan API Key + regex: > + ['"][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['"] + example: > + "96d6faf6-2e24-2c35-0538-390a7f3a9961" + + - name: Vault Token #False + + regex: 
'[sb]\.[a-zA-Z0-9]{24}' + example: 'b.fw94cMfbUwIUqTi6JgZACqcL' + falsePositives: true + + #Y + - name: Yandex Access Token + regex: > + (t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}) + example: t1.yandex-access-token=.dlYbt__bUqHydFrwsu9ZwyaXntQILjfpFiwqYAaOsjiwA1WCyR-CNuYIWb2_7Elc8nXTfRVK8018V9cxpEWzte + + - name: Yandex API Key + regex: > + (AQVN[A-Za-z0-9_\-]{35,38}) + example: AQVNpkr5yIKylWh-Edv4XCokHgnTIp3f2PQTXWJ + + - name: Yandex AWS Access Token + regex: > + (YC[a-zA-Z0-9_\-]{38}) + example: YCeKYhqk9alQFHsIvTkb6_0lciJm0ZkEmaaKM2ml + falsePositives: true + + #W + - name: Web3 API Key + regex: > + (web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['"] + caseinsensitive: True + example: > + web3-apikey='_WfF7x3Cey.NMZS4K6MDz7ONmYT9iEqn2MiqenLs0o69VIc18GYOqfhpDp-OQcqFj9mtfo0InxQCQeCD1Rhjo4esJoQlNRfsrtiweSfHCM17Ir.RPigbHjYLwNTSgsp_0QhqIO7z0+YkXOS7w==uwx-eDPuj7nDSwxIUFPkyw4QIhg5YNZMkncDx1_i0/OQ/GJ' + + #Z + - name: Zendesk Secret Key + regex: > + ([a-z0-9]{40}) + example: kwyilgkkvb2bi6m2xqyh5snuikuawgbd9h2tdgn6 + falsePositives: True + + + # Misc + - name: Misc + regexes: + - name: Generic API Key + regex: > + ((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([0-9a-zA-Z_=\-]{8,64})['"] + example: > + secret-key="FLdz-Wt1CQYcl9EywqaeZ2_IL65oH5HwL7jUWpdFucN" + falsePositives: True + + - name: Generic Secret + regex: > + [sS][eE][cC][rR][eE][tT].*['"][0-9a-zA-Z]{32,45}['"] + example: > + sECret = "aso3pje4ghu4gbf3rgu3gr3rg34gdiwubeyfvwDEf6ed" + + - name: Code asigning passwords + regex: > + (pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+ + example: > + dbpass = "asdasd" + falsePositives: True + + - name: PHP defined password + regex: > + define ?\(['"](\w*pass|\w*pwd|\w*user|\w*datab) + example: > + define('password', 'somerandomvalue') + + - name: Config Secrets + regex: > + 
passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config + example: " secret: 'lala'" + falsePositives: True + + - name: Simple Passwords + regex: > + passw.*[=:].+ + example: > + passw='sz&v5u.}WJV>v' + + - name: Generic API tokens search (A-C) + regex: > + (access_key|access_token|account_sid|admin_email|admin_pass|admin_user|adzerk_api_key|algolia_admin_key|algolia_api_key| + algolia_search_key|alias_pass|alicloud_access_key|alicloud_secret_key|amazon_bucket_name|amazon_secret_access_key| + amazonaws|anaconda_token|android_docs_deploy_token|ansible_vault_password|aos_key|aos_sec| + api_key|api_key_secret|api_key_sid|api_secret|apiary_api_key|apigw_access_token|api.googlemaps|AIza|apidocs| + apikey|apiSecret|app_bucket_perm|appclientsecret|app_debug|app_id|appkey|appkeysecret|app_key|app_log_level|app_report_token_key| + app_secret|app_token|apple_id_password|application_key|appsecret|appspot|argos_token|artifactory_key|artifacts_aws_access_key_id| + artifacts_aws_secret_access_key|artifacts_bucket|artifacts_key|artifacts_secret|assistant_iam_apikey|auth0_api_clientsecret| + auth0_client_secret|auth_token|authorizationToken|author_email_addr|author_npm_api_key|authsecret|awsaccesskeyid|aws_access| + aws_access_key|aws_access_key_id|aws_bucket|aws_config_accesskeyid|aws_key|aws_secret|aws_secret_access_key|awssecretkey| + aws_secret_key|aws_secrets|aws_ses_access_key_id|aws_ses_secret_access_key|aws_token|awscn_access_key_id|awscn_secret_access_key| + AWSSecretKey|b2_app_key|b2_bucket|bashrc password|bintray_api_key|bintray_apikey|bintray_gpg_password|bintray_key| + bintray_token|bintraykey|bluemix_api_key|bluemix_auth|bluemix_pass|bluemix_pass_prod|bluemix_password|bluemix_pwd|bluemix_username + brackets_repo_oauth_token|browser_stack_access_key|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id| + 
bucketeer_aws_secret_access_key|built_branch_deploy_key|bundlesize_github_token|bx_password|bx_username|cache_driver| + cache_s3_secret_key|cargo_token|cattle_access_key|cattle_agent_instance_auth|cattle_secret_key|censys_secret|certificate_password| + cf_password|cheverny_token|chrome_client_secret|chrome_refresh_token|ci_deploy_password|ci_project_url|ci_registry_user| + ci_server_name|ci_user_token|claimr_database|claimr_db|claimr_superuser|claimr_token|cli_e2e_cma_token|client_secret| + client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key| + cloudant_archived_database|cloudant_audited_database|cloudant_database|cloudant_instance|cloudant_order_database| + cloudant_parsed_database|cloudant_password|cloudant_processed_database|cloudant_service_database| + cloudflare_api_key|cloudflare_auth_email|cloudflare_auth_key|cloudflare_email|cloudinary_api_secret|cloudinary_name| + cloudinary_url|cloudinary_url_staging|clu_repo_url|clu_ssh_private_key_base64|cn_access_key_id|cn_secret_access_key| + cocoapods_trunk_email|cocoapods_trunk_token|codacy_project_token|codeclimate_repo_token|codecov_token|coding_token| + conekta_apikey|conn.login|connectionstring|consumerkey|consumer_key|consumer_secret|contentful_access_token| + contentful_cma_test_token|contentful_integration_management_token|contentful_integration_management_token| + contentful_management_api_access_token|contentful_management_api_access_token_new|contentful_php_management_test_token| + contentful_test_org_cma_token|contentful_v2_access_token|conversation_password|conversation_username|cos_secrets| + coveralls_api_token|coveralls_repo_token|coveralls_token|coverity_scan_token|credentials| + cypress_record_key)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([0-9a-zA-Z_=\-]{8,64})['"] + example: > + aws_token='-A1nivVI1TSm_e4Og2akP_3vI9FxGj' + + - name: Generic API tokens search (D-H) + regex: > + 
(danger_github_api_token|database_host|database_name|database_password|database_port|database_schema_test| + database_user|database_username|datadog_api_key|datadog_app_key|db_connection|db_database|db_host|db_password| + db_pw|db_server|db_user|db_username|dbpasswd|dbpassword|dbuser|ddg_test_email|ddg_test_email_pw|ddgc_github_token| + deploy_password|deploy_secure|deploy_token|deploy_user|dgpg_passphrase|digitalocean_access_token| + digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| + docker_password|docker_postgres_url|docker_token|dockerhub_password|dockerhubpassword|doordash_auth_token| + dot-files|dotfiles|dropbox_oauth_bearer|droplet_travis_password|dsonar_login|dsonar_projectkey|dynamoaccesskeyid| + dynamosecretaccesskey|elastic_cloud_auth|elastica_host|elastica_port|elasticsearch_password|encryption_key| + encryption_password|end_user_password|env_github_oauth_token|env_heroku_api_key|env_key|env_secret|env_secret_access_key| + env_sonatype_password|eureka_awssecretkey|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey|exp_password| + file_password|firebase_api_json|firebase_api_token|firebase_key|firebase_project_develop|firebase_token|firefox_secret| + flask_secret_key|flickr_api_key|flickr_api_secret|fossa_api_key|ftp_host|ftp_login|ftp_password|ftp_pw|ftp_user|ftp_username| + gcloud_bucket|gcloud_project|gcloud_service_key|gcr_password|gcs_bucket|gh_api_key|gh_email|gh_next_oauth_client_secret| + gh_next_unstable_oauth_client_id|gh_next_unstable_oauth_client_secret|gh_oauth_client_secret|gh_oauth_token|gh_repo_token| + gh_token|gh_unstable_oauth_client_secret|ghb_token|ghost_api_key|git_author_email|git_author_name|git_committer_email| + git_committer_name|git_email|git_name|git_token|github_access_token|github_api_key|github_api_token|github_auth|github_auth_token| + 
github_auth_token|github_client_secret|github_deploy_hb_doc_pass|github_deployment_token|github_hunter_token|github_hunter_username| + github_key|github_oauth|github_oauth_token|github_oauth_token|github_password|github_pwd|github_release_token|github_repo| + github_token|github_tokens|gitlab_user_email|gogs_password|google_account_type|google_client_email|google_client_id|google_client_secret| + google_maps_api_key|google_private_key|gpg_key_name|gpg_keyname|gpg_ownertrust|gpg_passphrase|gpg_private_key|gpg_secret_keys| + gradle_publish_key|gradle_publish_secret|gradle_signing_key_id|gradle_signing_password|gren_github_token|grgit_user|hab_auth_token| + hab_key|hb_codesign_gpg_pass|hb_codesign_key_pass|heroku_api_key|heroku_email|heroku_token|hockeyapp_token|homebrew_github_api_token| + hub_dxia2_password)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([0-9a-zA-Z_=\-]{8,64})['"] + example: > + flickr_api_key='-A1nivVI1TSm_e4Og2akP_3vI9FxGj' + + - name: Generic API tokens search (I-R) + regex: > + (ij_repo_password|ij_repo_username|index_name|integration_test_api_key|integration_test_appid|internal_secrets| + ios_docs_deploy_token|itest_gh_token|jdbc_databaseurl|jdbc_host|jdbc:mysql|jwt_secret|kafka_admin_url|kafka_instance_name|kafka_rest_url| + keystore_pass|kovan_private_key|kubecfg_s3_path|kubeconfig|kxoltsn3vogdop92m|leanplum_key|lektor_deploy_password|lektor_deploy_username| + lighthouse_api_key|linkedin_client_secretorlottie_s3_api_key|linux_signing_key|ll_publish_url|ll_shared_key|looker_test_runner_client_secret| + lottie_happo_api_key|lottie_happo_secret_key|lottie_s3_secret_key|lottie_upload_cert_key_password|lottie_upload_cert_key_store_password| + mail_password|mailchimp_api_key|mailchimp_key|mailer_password|mailgun_api_key|mailgun_apikey|mailgun_password|mailgun_priv_key| + mailgun_pub_apikey|mailgun_pub_key|mailgun_secret_api_key|manage_key|manage_secret|management_token|managementapiaccesstoken| + 
manifest_app_token|manifest_app_url|mapbox_access_token|mapbox_api_token|mapbox_aws_access_key_id|mapbox_aws_secret_access_key| + mapboxaccesstoken|mg_api_key|mg_public_api_key|mh_apikey|mh_password|mile_zero_key|minio_access_key|minio_secret_key|multi_bob_sid| + multi_connect_sid|multi_disconnect_sid|multi_workflow_sid|multi_workspace_sid|my_secret_env|mysql_database|mysql_hostname|mysql_password| + mysql_root_password|mysql_user|mysql_username|mysqlmasteruser|mysqlsecret|nativeevents|netlify_api_key|new_relic_beta_token|nexus_password| + nexuspassword|ngrok_auth_token|ngrok_token|node_env|node_pre_gyp_accesskeyid|node_pre_gyp_github_token|node_pre_gyp_secretaccesskey| + non_token|now_token|npm_api_key|npm_api_token|npm_auth_token|npm_email|npm_password|npm_secret_key|npm_token|nuget_api_key|nuget_apikey| + nuget_key|numbers_service_pass|oauth_token|object_storage_password|object_storage_region_name|object_store_bucket|object_store_creds| + oc_pass|octest_app_password|octest_app_username|octest_password|ofta_key|ofta_region|ofta_secret|okta_client_token|okta_oauth2_client_secret| + okta_oauth2_clientsecret|onesignal_api_key|onesignal_user_auth_key|open_whisk_key|openwhisk_key|org_gradle_project_sonatype_nexus_password| + org_project_gradle_sonatype_nexus_password|os_auth_url|os_password|ossrh_jira_password|ossrh_pass|ossrh_password|ossrh_secret| + ossrh_username|packagecloud_token|pagerduty_apikey|parse_js_key|passwordtravis|paypal_client_secret|percy_project|percy_token|personal_key| + personal_secret|pg_database|pg_host|places_api_key|places_apikey|plotly_apikey|plugin_password|postgresql_db|postgresql_pass| + postgres_env_postgres_db|postgres_env_postgres_password|preferred_username|pring_mail_username|private_signing_password|prod_access_key_id| + prod_password|prod_secret_key|project_config|publish_access|publish_key|publish_secret|pushover_token|pypi_passowrd|qiita_token| + 
quip_token|rabbitmq_password|randrmusicapiaccesstoken|redis_stunnel_urls|rediscloud_url|refresh_token|registry_pass|registry_secure| + release_gh_token|release_token|reporting_webdav_pwd|reporting_webdav_url|repotoken|rest_api_key|rinkeby_private_key|ropsten_private_key| + route53_access_key_id|rtd_key_pass|rtd_store_pass|rubygems_auth_token)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([0-9a-zA-Z_=\-]{8,64})['"] + example: > + packagecloud_token='-A1nivVI1TSm_e4Og2akP_3vI9FxGj' + + - name: Generic API tokens search (S-Z) + regex: > + (s3_access_key|s3_access_key_id|s3_bucket_name_app_logs|s3_bucket_name_assets|s3_external_3_amazonaws_com|s3_key| + s3_key_app_logs|s3_key_assets|s3_secret_app_logs|s3_secret_assets|s3_secret_key|s3_user_secret|sacloud_access_token| + sacloud_access_token_secret|sacloud_api|salesforce_bulk_test_password|salesforce_bulk_test_security_token| + sandbox_access_token|sandbox_aws_access_key_id|sandbox_aws_secret_access_key|sauce_access_key|scrutinizer_token|sdr_token|secret_0| + secret_1|secret_10|secret_11|secret_2|secret_3|secret_4|secret_5|secret_6|secret_7|secret_8|secret_9|secret_key_base|secretaccesskey| + secret_key_base|segment_api_key|selion_log_level_dev|selion_selenium_host|sendgrid|sendgrid_api_key|sendgrid_key|sendgrid_password|sendgrid_user| + sendgrid_username|sendwithus_key|sentry_auth_token|sentry_default_org|sentry_endpoint|sentry_secret|sentry_key|service_account_secret|ses_access_key| + ses_secret_key|setdstaccesskey|setdstsecretkey|setsecretkey|signing_key|signing_key_password|signing_key_secret|signing_key_sid|slash_developer_space| + slash_developer_space_key|slate_user_email|snoowrap_client_secret|snoowrap_password|snoowrap_refresh_token|snyk_api_token|snyk_token| + socrata_app_token|socrata_password|sonar_organization_key|sonar_project_key|sonar_token|sonatype_gpg_key_name|sonatype_gpg_passphrase| + 
sonatype_nexus_password|sonatype_pass|sonatype_password|sonatype_token_password|sonatype_token_user|sonatypepassword|soundcloud_client_secret| + soundcloud_password|spaces_access_key_id|spaces_secret_access_key|spotify_api_access_token|spotify_api_client_secret|spring_mail_password|sqsaccesskey| + sqssecretkey|square_reader_sdk_repository_password|srcclr_api_token|sshpass|ssmtp_config|staging_base_url_runscope|star_test_aws_access_key_id| + star_test_bucket|star_test_location|star_test_secret_access_key|starship_account_sid|starship_auth_token|stormpath_api_key_id|stormpath_api_key_secret| + strip_publishable_key|strip_secret_key|stripe_private|stripe_public|surge_login|surge_token|svn_pass|tesco_api_key|test_github_token| + test_test|tester_keys_password|thera_oss_access_key|token_core_java|travis_access_token|travis_api_token|travis_branch|travis_com_token|travis_e2e_token| + travis_gh_token|travis_pull_request|travis_secure_env_vars|travis_token|trex_client_token|trex_okta_client_token|twilio_api_key|twilio_api_secret| + twilio_chat_account_api_service|twilio_configuration_sid|twilio_sid|twilio_token|twine_password|twitter_consumer_key|twitter_consumer_secret|twitteroauthaccesssecret| + twitteroauthaccesstoken|unity_password|unity_serial|urban_key|urban_master_secret|urban_secret|us_east_1_elb_amazonaws_com|use_ssh| + user_assets_access_key_id|user_assets_secret_access_key|usertravis|v_sfdc_client_secret|v_sfdc_password|vip_github_build_repo_deploy_key|vip_github_deploy_key| + vip_github_deploy_key_pass|virustotal_apikey|visual_recognition_api_key|vscetoken|wakatime_api_key|watson_conversation_password|watson_device_password| + watson_password|widget_basic_password|widget_basic_password_2|widget_basic_password_3|widget_basic_password_4|widget_basic_password_5|widget_fb_password| + widget_fb_password_2|widget_fb_password_3|widget_test_server|wincert_password|wordpress_db_password|wordpress_db_user|wpjm_phpunit_google_geocode_api_key| + 
wporg_password|wpt_db_password|wpt_db_user|wpt_prepare_dir|wpt_report_api_key|wpt_ssh_connect|wpt_ssh_private_key_base64|www_googleapis_com| + yangshun_gh_password|yangshun_gh_token|yt_account_client_secret|yt_account_refresh_token|yt_api_key|yt_client_secret|yt_partner_client_secret| + yt_partner_refresh_token|yt_server_api_key|zensonatypepassword|zhuliang_gh_token|zopim_account_key)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([0-9a-zA-Z_=\-]{8,64})['"] + example: > + user_assets_secret_access_key='-A1nivVI1TSm_e4Og2akP_3vI9FxGj' + + - name: Usernames + regex: > + username.*[=:].+ + example: > + usernameF~K\68*X[:Pz("\`*BAZn4de%I1P8Lce`pIh)EJ9Og[*;Xy+*!xc4#|f%GpE8TN2AjEl>A>9&6(C[=;42X6%zhifQvai%G*IB^tm{%b&E#(>m'<}!\(qehQwy&*K{HM{m_sj + falsePositives: True + + - name: Net user add + regex: > + net user .+ /add + example: > + net user UserNamer234234 passwordIg]N:X0,07GOY/wO}]P1Xy] /add + + - name: IPs + regex: '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' + example: '251.093.15.235' + falsePositives: True + + - name: Emails # Too many false positives + regex: '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}' + example: 'example_email@sub.domain.com' + falsePositives: True diff --git a/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh b/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh index df9b141..3cb5779 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh 
@@ -19,20 +19,20 @@ print_2title "Internet Access?" TIMEOUT_INTERNET_SECONDS=5 if [ "$SUPERFAST" ]; then - TIMEOUT_INTERNET_SECONDS=2 + TIMEOUT_INTERNET_SECONDS=2.5 fi # Run all checks in background -check_tcp_80 2>/dev/null & pid1=$! -check_tcp_443 2>/dev/null & pid2=$! -check_icmp 2>/dev/null & pid3=$! -check_dns 2>/dev/null & pid4=$! +check_tcp_80 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid1=$! +check_tcp_443 "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid2=$! +check_icmp "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid3=$! +check_dns "$TIMEOUT_INTERNET_SECONDS" 2>/dev/null & pid4=$! # Kill all after 10 seconds -(sleep $TIMEOUT_INTERNET_SECONDS && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) & +(sleep $(( $TIMEOUT_INTERNET_SECONDS + 1 )) && kill -9 $pid1 $pid2 $pid3 $pid4 2>/dev/null) & -check_tcp_443_bin 2>/dev/null +check_tcp_443_bin $TIMEOUT_INTERNET_SECONDS 2>/dev/null tcp443_bin_status=$? wait $pid1 $pid2 $pid3 $pid4 2>/dev/null diff --git a/linPEAS/builder/linpeas_parts/functions/check_dns.sh b/linPEAS/builder/linpeas_parts/functions/check_dns.sh index 6b1bbf5..11d9381 100644 --- a/linPEAS/builder/linpeas_parts/functions/check_dns.sh +++ b/linPEAS/builder/linpeas_parts/functions/check_dns.sh 
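Review bot: `TIMEOUT_INTERNET_SECONDS=2.5` breaks the watchdog line below it, because `$(( $TIMEOUT_INTERNET_SECONDS + 1 ))` is integer-only shell arithmetic. Under SUPERFAST the expansion fails, so the subshell that should `kill -9` the four background checks never does. The fractional value is also passed on to `sleep` in the check functions, and not every `sleep` implementation accepts fractions. An integer such as `TIMEOUT_INTERNET_SECONDS=3` avoids both problems. The comment `# Kill all after 10 seconds` is also stale; `# Kill any check still running one second after the timeout` matches the new code.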
@@ -8,25 +8,19 @@ # Functions Used: # Global Variables: # Initial Functions: -# Generated Global Variables: $pid, $pids +# Generated Global Variables: $TIMEOUT_INTERNET_SECONDS_DNS, $local_pid # Fat linpeas: 0 # Small linpeas: 1 - check_dns(){ + local TIMEOUT_INTERNET_SECONDS_DNS=$1 if ! [ -f "/bin/bash" ]; then echo " /bin/bash not found" return fi - /bin/bash -c ' - for ip in 1.1.1.1 8.8.8.8 ; do - (( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/$ip/53 && echo "DNS available" && exit 0) & - pids+=($!) - done - for pid in ${pids[@]}; do - wait $pid && exit 0 - done - echo "DNS not available" - ' 2>/dev/null | grep "available" || echo "DNS not available" + # example.com + (bash -c '((( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.1.1.1/53 && echo "DNS accessible") | grep "accessible" && exit 0 ) 2>/dev/null || echo "DNS is not accessible"') & local_pid=$! + + sleep $TIMEOUT_INTERNET_SECONDS_DNS && kill -9 $local_pid 2>/dev/null && echo "DNS is not accessible" } \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/functions/check_icmp.sh b/linPEAS/builder/linpeas_parts/functions/check_icmp.sh index 6f44f20..4f7d132 100644 --- a/linPEAS/builder/linpeas_parts/functions/check_icmp.sh +++ b/linPEAS/builder/linpeas_parts/functions/check_icmp.sh 
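Review bot: The guard tests for `/bin/bash`, but the new probe line starts `bash` through PATH, so the binary that was checked is not necessarily the one that runs. `(/bin/bash -c '…') & local_pid=$!` keeps the two consistent; check_tcp_443.sh and check_tcp_80.sh need the same change. The trailing `sleep $TIMEOUT_INTERNET_SECONDS_DNS && kill -9 $local_pid` also runs in the foreground, so the function waits the full timeout even when the reply arrived at once. Waiting on `$local_pid` with the sleep/kill moved into a background watchdog would return as soon as the probe finishes, and check_icmp.sh, check_tcp_443.sh and check_tcp_80.sh share the pattern. The `# example.com` comment is inaccurate, since the hex payload encodes a query for duckduckgo.com sent to 1.1.1.1; `# DNS A query for duckduckgo.com, sent to 1.1.1.1 via /dev/udp` would describe it.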
@@ -8,11 +8,20 @@ # Functions Used: # Global Variables: # Initial Functions: -# Generated Global Variables: +# Generated Global Variables: $TIMEOUT_INTERNET_SECONDS_ICMP, $local_pid # Fat linpeas: 0 # Small linpeas: 1 check_icmp(){ - (ping -c 1 1.1.1.1 | grep -E "1 received|1 packets received" && echo "Ping is available" || echo "Ping is not available" 2>/dev/null) | grep -i "available" + local TIMEOUT_INTERNET_SECONDS_ICMP=$1 + if ! [ "$(command -v ping 2>/dev/null || echo -n '')" ]; then + echo " ping not found" + return + fi + + # example.com + ((ping -c 1 1.1.1.1 2>/dev/null | grep -Ei "1 received|1 packets received" && echo "ICMP is accessible" || echo "ICMP is not accessible" 2>/dev/null) | grep "accessible" && exit 0 ) 2>/dev/null || echo "ICMP is not accessible" & local_pid=$! + + sleep $TIMEOUT_INTERNET_SECONDS_ICMP && kill -9 $local_pid 2>/dev/null && echo "ICMP is not accessible" } \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/functions/check_tcp_443.sh b/linPEAS/builder/linpeas_parts/functions/check_tcp_443.sh index 77b6955..89394bb 100644 --- a/linPEAS/builder/linpeas_parts/functions/check_tcp_443.sh +++ b/linPEAS/builder/linpeas_parts/functions/check_tcp_443.sh 
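Review bot: `ping -c 1 1.1.1.1` is started with no deadline of its own, so the only bound on it is the later `kill -9 $local_pid`. That kill targets the background job, which is probably not the `ping` process inside the pipeline, so a ping that hangs on a filtered network may outlive the check. Passing the timeout to ping bounds it directly, for example `ping -c 1 -W "$TIMEOUT_INTERNET_SECONDS_ICMP" 1.1.1.1`, though some ping builds may reject a fractional `-W` value. The `# example.com` comment does not match the target on the next line; `# one echo request to 1.1.1.1` would.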
@@ -8,30 +8,21 @@ # Functions Used: # Global Variables: # Initial Functions: -# Generated Global Variables: $pid, $pids +# Generated Global Variables: $local_pid, $TIMEOUT_INTERNET_SECONDS_443 # Fat linpeas: 0 # Small linpeas: 1 check_tcp_443(){ + local TIMEOUT_INTERNET_SECONDS_443=$1 if ! [ -f "/bin/bash" ]; then echo " /bin/bash not found" return fi - /bin/bash -c ' - for ip in 1.1.1.1; do - (echo >/dev/tcp/$ip/443 && echo "Port 443 is accessible" && exit 0) & - pids+=($!) - done - for pid in ${pids[@]}; do - wait $pid && exit 0 - done - echo "Port 443 is not accessible" - ' 2>/dev/null | grep "accessible" || echo "Port 443 is not accessible" + # example.com + (bash -c '(echo >/dev/tcp/104.18.74.230/443 2>/dev/null && echo "Port 443 is accessible" && exit 0) 2>/dev/null || echo "Port 443 is not accessible"') & local_pid=$! + + sleep $TIMEOUT_INTERNET_SECONDS_443 && kill -9 $local_pid 2>/dev/null && echo "Port 443 is not accessible" } - - - - diff --git a/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh b/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh index be5f959..d5afc1e 100644 --- a/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh +++ b/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh @@ -8,16 +8,17 @@ # Functions Used: # Global Variables: # Initial Functions: -# Generated Global Variables: $url_lambda +# Generated Global Variables: $url_lambda, $TIMEOUT_INTERNET_SECONDS_443_BIN # Fat linpeas: 0 # Small linpeas: 1 check_tcp_443_bin () { + local TIMEOUT_INTERNET_SECONDS_443_BIN=$1 local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" if command -v curl >/dev/null 2>&1; then - if curl -s --connect-timeout 5 "$url_lambda" \ + if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \ -H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1 then echo "Port 443 is accessible with curl" 
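Review bot: The probe target is now the literal address `104.18.74.230`, identified only by the `# example.com` comment, and nothing in the hunk ties that address to the name. If the address is reassigned or stops listening, the check reports "Port 443 is not accessible" on a host that does have egress, and the earlier loop over candidate IPs is gone. A single named variable with a provenance comment would make the dependency visible, for example `probe_ip="104.18.74.230" # example.com A record, resolved <DATE_PLACEHOLDER>`. check_tcp_80.sh uses the same literal and needs the same treatment.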
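Review bot: `$TIMEOUT_INTERNET_SECONDS_443_BIN` is used unquoted and has no default. When check_tcp_443_bin is called without an argument, `--connect-timeout` takes `"$url_lambda"` as its value and curl is left with no URL, so the curl branch fails regardless of connectivity. `local TIMEOUT_INTERNET_SECONDS_443_BIN="${1:-5}"` together with `--connect-timeout "$TIMEOUT_INTERNET_SECONDS_443_BIN"` keeps the old 5-second behaviour as the fallback. The wget `--timeout=` in the next hunk needs the same quoting. The function body continues past the end of this hunk.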
@@ -28,7 +29,7 @@ check_tcp_443_bin () { fi elif command -v wget >/dev/null 2>&1; then - if wget -q --timeout=5 -O - "$url_lambda" \ + if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \ --header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1 then echo "Port 443 is accessible with wget" diff --git a/linPEAS/builder/linpeas_parts/functions/check_tcp_80.sh b/linPEAS/builder/linpeas_parts/functions/check_tcp_80.sh index c9e71d5..f7d8455 100644 --- a/linPEAS/builder/linpeas_parts/functions/check_tcp_80.sh +++ b/linPEAS/builder/linpeas_parts/functions/check_tcp_80.sh @@ -8,25 +8,21 @@ # Functions Used: # Global Variables: # Initial Functions: -# Generated Global Variables: $pid, $pids +# Generated Global Variables: $local_pid, $TIMEOUT_INTERNET_SECONDS_80 # Fat linpeas: 0 # Small linpeas: 1 + check_tcp_80(){ + local TIMEOUT_INTERNET_SECONDS_80=$1 if ! [ -f "/bin/bash" ]; then echo " /bin/bash not found" return fi - /bin/bash -c ' - for ip in 1.1.1.1; do - (echo >/dev/tcp/$ip/80 && echo "Port 80 is accessible" && exit 0) & - pids+=($!) - done - for pid in ${pids[@]}; do - wait $pid && exit 0 - done - echo "Port 80 is not accessible" - ' 2>/dev/null | grep "accessible" + # example.com + (bash -c '(echo >/dev/tcp/104.18.74.230/80 2>/dev/null && echo "Port 80 is accessible" && exit 0) 2>/dev/null || echo "Port 80 is not accessible"') & local_pid=$! + + sleep $TIMEOUT_INTERNET_SECONDS_80 && kill -9 $local_pid 2>/dev/null && echo "Port 80 is not accessible" } \ No newline at end of file
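Review bot: In the wget branch the second header is passed with `-H`, which in wget means `--span-hosts` and takes no argument. `"Content-Type: application/json"` is therefore parsed as a second URL. That fetch fails, and wget's non-zero exit status would make the check report failure even when the Lambda URL was reached; this is inferred from wget's option table and was not run here. `--header "Content-Type: application/json"` is the form the first header on the same line already uses. The enclosing if/elif starts and ends outside this hunk.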