Skip to content

find credentials and sensitive data (e.g. access tokens, api keys, passwords, ...) on websites

License

Notifications You must be signed in to change notification settings

PAST2212/credentialthreat

Repository files navigation

credentialthreat

Find leaked credentials and sensitive data (e.g., tokens, API keys) based on URL, Subdomain & JavaScript File Permutations.

Current Version: 1.11

Features

Key Features

  • Subdomain Scan
  • (Internal) URL / JavaScript File / Network File Scan
  • Multiprocessing based on CPU cores
  • DDoS Prevention Instruments (e.g., time delays)
  • Scan up to 100,000 URLs / Network Files based on a single domain

CSV Output

The CSV file is created in the credentialthreat/data/output folder with the following columns:

  • Base URL: URL with affected sensitive data candidate
  • Affected Network Resource from Base URL
  • Registered Domain of Base URL
  • Credential Sensitive Data Candidate

Example Output

CSV Output Example

Installation

git clone https://github.com/PAST2212/credentialthreat.git
cd credentialthreat
pip install -r requirements.txt

Usage

  1. Add root domain(s) to scan in credentialthreat/data/input/domains.txt (one per line, including TLD).
  2. Run the script:
    python3 credentialthreat.py

Updating

cd credentialthreat
git pull

If you encounter a merge error, try:

git reset --hard
git pull

Note: Make a backup of your userdata folder before updating.

Example Results

Result Example 1

Result Example 2

Result Example 3

Changelog

For updates, please see the Changelog.

Notes

Author

Patrick Steinhoff - LinkedIn

To-Do

  • Implement PEP 8 compliance
  • Add new Regex patterns

Additional Information

  • URL scans are currently capped at 100,000 URLs due to performance and capacity considerations.
  • GET requests may take considerable time due to the trade-off between speed performance and DDoS prevention.
  • Credit goes to Bug Bounty Hunter h4x0r-dz and their project Leaked-Credentials, which this project's regex is based on.

About

find credentials and sensitive data (e.g. access tokens, api keys, passwords, ...) on websites

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages