Find leaked credentials and sensitive data (e.g., tokens, API keys) based on URL, Subdomain & JavaScript File Permutations.
Current Version: 1.11
- Subdomain Scan
- (Internal) URL / JavaScript File / Network File Scan
- Multiprocessing based on CPU cores
- DDoS Prevention Instruments (e.g., time delays)
- Scan up to 100,000 URLs / Network Files based on a single domain
The CSV file is created in the credentialthreat/data/output
folder with the following columns:
- Base URL: URL with affected sensitive data candidate
- Affected Network Resource from Base URL
- Registered Domain of Base URL
- Credential Sensitive Data Candidate
git clone https://github.com/PAST2212/credentialthreat.git
cd credentialthreat
pip install -r requirements.txt
- Add root domain(s) to scan in
credentialthreat/data/input/domains.txt
(one per line, including TLD). - Run the script:
python3 credentialthreat.py
cd credentialthreat
git pull
If you encounter a merge error, try:
git reset --hard
git pull
Note: Make a backup of your userdata folder before updating.
For updates, please see the Changelog.
Patrick Steinhoff - LinkedIn
- Implement PEP 8 compliance
- Add new Regex patterns
- URL scans are currently capped at 100,000 URLs due to performance and capacity considerations.
- GET requests may take considerable time due to the trade-off between speed performance and DDoS prevention.
- Credit goes to Bug Bounty Hunter h4x0r-dz and their project Leaked-Credentials, which this project's regex is based on.