⚠️⚠️ Source Code is currently hosted on Codeberg: https://codeberg.org/raginx/weSecretFinder ⚠️⚠️


weSecretFinder

A simple Python script designed to scan file shares and directories for potentially hardcoded credentials, API keys, private key headers, and other sensitive secrets based on configurable regular expression patterns.


⚠️ This tool is currently in beta – contributions & feedback are welcome!

✨ Motivation / Defender's Perspective

Hardcoded secrets (passwords, API keys, tokens, private keys) embedded within source code, configuration files, log files, scripts, or even plain text documents stored on file shares represent a significant security risk. These unsecured credentials provide attackers with low-hanging fruit to gain initial access, escalate privileges, or move laterally within a network.

From a defender's perspective, proactively identifying these exposed secrets is crucial for reducing the attack surface. This tool helps security teams, administrators, and developers to:

  • Proactively Discover Risks: Find potentially dangerous hardcoded secrets before attackers do.
  • Reduce Attack Surface: Remediate findings by removing secrets or moving them to secure storage (like vaults), thereby hardening systems against credential compromise.
  • Support Compliance: Assist in identifying data handling policy violations where secrets are stored insecurely.
  • Aid Threat Hunting & Incident Response: Quickly scan potentially compromised shares or user directories for exposed credentials during an investigation.

Waiting for an attacker to find these secrets is not a viable strategy. This script provides a basic capability to hunt for these common vulnerabilities across unstructured file data.

🎯 MITRE ATT&CK Linkage

This tool directly addresses the techniques used by adversaries for Credential Access (TA0006), specifically:

  • T1552: Unsecured Credentials: This script attempts to find credentials stored in cleartext or weakly protected formats within files. This aligns with sub-techniques such as:
    • T1552.001: Credentials in Files: Searching through various file types for patterns indicative of passwords, tokens, etc.
    • T1552.003: Credentials in Script Files: Specifically scanning script files (.py, .sh, etc.) where secrets might be embedded.
    • T1552.004: Private Keys: Looking for standard headers (-----BEGIN...PRIVATE KEY-----) indicating exposed private keys.

By finding and remediating secrets identified by this tool, defenders can directly hinder an attacker's ability to leverage these common Credential Access techniques, making subsequent actions like Lateral Movement (TA0008) more difficult.

💡 Features

  • Regex-Based Scanning: Uses configurable regular expressions to identify potential secrets.
  • Extensible Patterns: Easily add or modify search patterns in the SEARCH_PATTERNS dictionary.
  • File Type Exclusion: Skips scanning binary files or other configured file types based on extensions (EXCLUDED_EXTENSIONS) for efficiency.
  • Recursive Directory Traversal: Scans all subdirectories within the specified target path using os.walk().
  • Multiple Encodings: Attempts to read files using common text encodings (UTF-8, Latin-1, etc.).
  • Console Output: Prints findings directly to the console.
  • CSV Output: Optionally save findings to a CSV file for easier review and tracking (-o option).
  • Verbose Logging: Optional detailed logging for debugging (-v option).

🛠️ Requirements

  • Python 3.x
  • Standard Python libraries: os, re, argparse, logging (No external packages required by default).

💾 Installation

  1. Clone the repository:
    git clone https://codeberg.org/raginx/weSecretFinder.git
    cd weSecretFinder
  2. No further installation is typically required.

🚀 Usage

Run the script from the command line, providing the path to the directory or file share you want to scan.

python weSecretFinder.py <directory_path> [options]

Arguments:

  • directory_path: The starting directory or UNC path to the file share (e.g., /path/to/scan or \\server\share). Required.

Options:

  • -o OUTPUT_FILE, --output OUTPUT_FILE: Optional path to save results in CSV format.
  • -v, --verbose: Enable verbose (DEBUG level) logging output.

Examples:

  • Scan a local directory:
    python weSecretFinder.py /home/user/documents
  • Scan a Windows file share (ensure the path is accessible):
    python weSecretFinder.py \\fileserver01\public_share
  • Scan a directory and save results to CSV:
    python weSecretFinder.py /data/project_files -o scan_results.csv
  • Scan with verbose output:
    python weSecretFinder.py /config_backups -v

⚙️ Configuration

The script's behavior can be customized by editing the Python file directly:

📝 Search Patterns

Modify the SEARCH_PATTERNS dictionary to add, remove, or edit the regular expressions used for detection. Each entry requires a descriptive name (key) and a compiled regex object (re.compile(...)).

# Example: Adding a custom pattern for internal project IDs
import re  # each SEARCH_PATTERNS value is a compiled regex object

SEARCH_PATTERNS = {
    # ... other patterns ...
    # (?i) already makes this pattern case-insensitive; the re.IGNORECASE flag is redundant but harmless
    "Password Keyword": re.compile(r'(?i)(password|passwort|passwd|pwd|passphrase|kennwort)\s*[:=]\s*(["\']?)(.+?)\2', re.IGNORECASE),
    "Internal Project ID": re.compile(r'PROJ-[A-Z]{3}-[0-9]{5}'),  # Added pattern
    # ... other patterns ...
}

📝 Excluded File Types

Modify the EXCLUDED_EXTENSIONS set to control which file types are skipped during the scan. Add or remove lowercase file extensions (starting with a dot).

# Example: Adding '.bak' files to the exclusion list
EXCLUDED_EXTENSIONS = {
    '.exe', '.dll', '.so', '.o', '.a', '.lib',
    '.png', '.jpg', '.jpeg', '.gif', # ... other extensions ...
    '.pyc', '.pyo',
    '.class', '.jar',
    '.bak', # Added exclusion
}
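To show how these two settings drive a scan, here is an added, self-contained example of the scanning loop (recursive os.walk(), extension-based exclusion, encoding fallback, per-line regex matching). It is written for this page and is not weSecretFinder's own code; the pattern set, ENCODINGS tuple, function names and the sample files it creates are all constructed for the demonstration.

```python
import os
import re
import tempfile

# Trimmed pattern set and exclusion list modelled on the README's configuration (constructed for this example).
SEARCH_PATTERNS = {
    "Password Keyword": re.compile(r'(?i)(password|passwd|pwd|passphrase)\s*[:=]\s*(["\']?)(.+?)\2'),
    "Private Key Header": re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----'),
    "Internal Project ID": re.compile(r'PROJ-[A-Z]{3}-[0-9]{5}'),
}
EXCLUDED_EXTENSIONS = {'.exe', '.dll', '.png', '.jpg', '.pyc', '.jar', '.bak'}
ENCODINGS = ('utf-8', 'latin-1')  # assumed fallback order; latin-1 accepts any byte sequence

def read_lines(path):
    """Try each encoding in turn. Because latin-1 never fails, binary files are kept out by extension, not here."""
    for enc in ENCODINGS:
        try:
            with open(path, 'r', encoding=enc) as fh:
                return fh.read().splitlines()
        except UnicodeDecodeError:
            continue
    return None

def scan_path(root, patterns=SEARCH_PATTERNS, excluded=EXCLUDED_EXTENSIONS):
    """Walk root recursively and return (file, line_no, pattern_name, matched_line) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in excluded:
                continue  # skip binaries / configured extensions before opening them
            path = os.path.join(dirpath, name)
            lines = read_lines(path)
            if lines is None:
                continue
            for no, line in enumerate(lines, start=1):
                for pname, regex in patterns.items():
                    if regex.search(line):
                        findings.append((path, no, pname, line.strip()))
    return findings

def demo():
    """Constructed sample tree: one hit per pattern plus an excluded .bak file that must be skipped."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'config'))
        samples = {  # constructed contents; the key body is a placeholder, not a real key
            'config/db.conf': 'db_password = highly_secret_password123\n',
            'deploy_key.pem': '-----BEGIN RSA PRIVATE KEY-----\nMIIE-PLACEHOLDER\n',
            'notes.txt': 'tracked as PROJ-ABC-00042\n',
            'old.bak': 'password = should_be_skipped\n',
        }
        for rel, text in samples.items():
            with open(os.path.join(root, rel), 'w', encoding='utf-8') as fh:
                fh.write(text)
        return [(os.path.relpath(f, root).replace(os.sep, '/'), n, p) for f, n, p, _ in scan_path(root)]
```

Calling demo() returns three findings (db.conf, deploy_key.pem, notes.txt) and none for old.bak, which illustrates why the exclusion list must be reviewed: a secret in an excluded file type is a false negative.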

📃 Example Output

Console Output:

[...]
INFO: Potential Match: File='/data/project_files/config/db.conf', Line=15, Pattern='Password Keyword'
[...]

(Note: The actual output format depends on the script version, but will typically show File, Line, Pattern Name, and the matched line content.)

CSV Output (scan_results.csv):

"File";"Line";"Pattern";"Match"
"/data/project_files/config/db.conf";15;"Password Keyword";"db_password = highly_secret_password123"
"/data/project_files/scripts/deploy.sh";22;"AWS Secret Access Key";"export AWS_SECRET_ACCESS_KEY=\"wJalrXUanFEMI/F7MDENG/bPxRfiCYEXAMPLEKEY\""

📍 Important Considerations / Disclaimer

  • Authorization: Ensure you have explicit permission to scan the target directories and file shares. Unauthorized scanning is illegal and unethical.
  • Sensitive Results: The output of this script can contain highly sensitive information. Handle the results securely, restrict access, and dispose of them properly after remediation.
  • False Positives: Regex matching is not perfect. Expect false positives (findings that are not actual secrets). Manual review of all findings is essential.
  • False Negatives: The script will only find secrets matching the configured patterns. Secrets in other formats or encoded secrets may be missed.
  • Performance: Scanning large file shares over the network can be slow and resource-intensive (Network I/O, CPU). Run during off-peak hours if necessary.
  • Use Responsibly: Use this tool ethically and legally to improve security posture.

📄 License

This project is licensed under the AGPLv3 License - see the LICENSE file for details.

🙌 Contributing

Contributions are welcome! Please feel free to submit issues or pull requests.
