Skip to content
A tool to spider Github or search URLs for various information leaks
Python
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore
Keyring.py
README.md Update README.md Sep 11, 2019
lib.py Fixed lib.DoNothing() (I was tired when I originally wrote the functi… Sep 11, 2019
main.py Added main.py (use this to run script), Moved random_headers() into l… Sep 11, 2019
requirements.txt Add requirements.txt Sep 7, 2019

README.md

Keyring

Keyring is a tool to search a given URL for API Keys and other secrets.

Current Keys:

  • Shodan (Very High Confidence, checks validity and available credits with the shodan library)
  • Github API (High confidence, static characters and unique substring)
  • Slack (High Confidence, static characters)
  • Slack Bot (High Confidence, static characters)
  • Slack Webhook Links (High Confidence, static characters and unique substring)
  • Google API (High Confidence, static characters)
  • Google Access Tokens (High Confidence, static characters)
  • Google OAUTH Secrets (High Confidence, unique substring)
  • AWS Access Tokens (High Confidence, static characters)
  • Discord Bot Tokens (High Confidence, static characters and substring sizes)
  • Discord Webhook Links: (High Confidence, static characters and substring types)
  • Discord Nitro Links (High Confidence, static characters and substring sizes)
  • Redis URLs (High Confidence, static characters and unique substring)
  • SSH Keys (High Confidence, static characters)
  • Heroku API Keys (High Confidence, static characters and unique substring)
  • Twilio API Keys (Medium Confidence, few static characters but static string size)
  • Facebook OAUTH (High Confidence, static characters and unique substring)
  • Non-specific API Keys (Medium Confidence, static format may exclude potential keys)

Severity Rating (1-10):

  • Access Tokens (10: can result in direct compromise of related systems)
  • Redis URLs (10: can lead to potentially severe leaks)
  • SSH Keys (9: can potentially lead to system access in systems with poorly configured access control)
  • OAUTH Secrets (7: can disclose sensitive information or lead to credential theft)
  • Bot Tokens and Webhooks (6: can result in sensitive information being viewed, members being banned/kicked/etc.)
  • API Keys (5: can result in either loss of credits or sensitive information being viewed)
  • Nitro Links (2 or 0: If not intended for giveaway, can result in neglibigle financial loss.)

TODO:

  • Add more keys (please send me either a sample key or regex for anything you want added)
  • Bug fixes
You can’t perform that action at this time.