New module: AWS Credentials Finder
This pull request introduces a new module that searches for files named "credentials" and "config" on remote servers and returns their file paths. At the moment, this module works on Linux and Windows remote servers.
Features:
- Scans Linux and Windows remote servers for files specifically named "credentials" and "config"
- Outputs the file paths of the found credentials files for further analysis.
Why this module is useful:
- The "credentials" file is often used by developers or IT admins to store sensitive information, making it a common target during penetration testing.
- Automating the discovery of such files improves the efficiency of Red Team operations by highlighting potential areas of vulnerability.
Future Plans:
- Add additional file pattern searches (e.g., *.config, *.key) for more comprehensive scanning.
- Enhance filtering options to allow users to specify file types.
Please let me know if there are any improvements or additional requirements to get this merged. Thank you for considering this contribution!
Looks really cool, thanks for the PR!
@dev-fortress really sorry for the late response. Are you sure you pushed your latest changes? In the PR there is no logging statement or something similar that would print the output of your module as in your screenshot. Also, command execution is only available with on_admin_login.
@dev-fortress any update? I could quickly patch in some output function for the gathered data, but that might not be all you planned on doing or have done locally.
@NeffIsBack Sorry, I didn’t see your response earlier. In my initial test, I didn’t need to log the response in any function. Perhaps something has changed and now requires some adjustments. Please give me some time to review it and see what I can do.
No worries, take your time. Maybe just a context.log.highlight() is missing for the output that the module queries (that's how it looks on the screenshot).
Added context.log.highlight() to the module
Fyi, fixed winrm execution to be able to use it in modules
In theory this looks good now.
However checking for config results in A LOT of files that aren't necessarily aws related files. @dev-fortress what is the default in aws? Is there a way to reduce false positives?
My list of false positives on linux is even longer:
Gonna reping @dev-fortress in case you missed the notification 👀
I will do it. I'll think about how I can filter the false positives.
Hi, I’ve just made some updates to the credential detection script:
Both the Bash and PowerShell versions now target only files named credentials that contain the keyword aws, as it's a reliable indicator in AWS-related configurations.
The config file has been excluded since it doesn’t provide useful information.
Also, in Linux, “permission denied” messages are now suppressed for cleaner output during scans.
The commit is ready for review. Let me know if you have any feedback!
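The filter described in the comment above, turned into a local audit for hosts you administer (an added example, not the module's code or the Bash version from this PR). It assumes GNU find and stat; the function names, the sample tree and the permission check are additions made for illustration.

```shell
#!/bin/sh
# Added example, not the module's code. Assumes GNU find/stat (Linux).
# Same filter as described above: files named exactly "credentials" that
# contain the keyword "aws"; "config" is ignored. The permission check is an
# addition for auditing hosts you administer.

# audit_aws_credentials ROOT -> one line per match: "<OK|LOOSE> <mode> <path>"
audit_aws_credentials() (
    root="${1:-$HOME}"
    # 2>/dev/null suppresses "Permission denied" from unreadable directories.
    find "$root" -type f -name credentials 2>/dev/null |
    while IFS= read -r path; do
        grep -qi 'aws' "$path" 2>/dev/null || continue   # keyword filter
        mode=$(stat -c '%a' "$path" 2>/dev/null) || continue
        # Any group/other permission bit set means the file is accessible
        # beyond its owner.
        if [ $(( 0$mode & 077 )) -eq 0 ]; then
            echo "OK    $mode $path"
        else
            echo "LOOSE $mode $path"
        fi
    done
)

# make_sample_tree DIR: constructed sample files (placeholder values only).
make_sample_tree() {
    mkdir -p "$1/alice/.aws" "$1/build" "$1/app"
    printf '[default]\naws_access_key_id = EXAMPLEKEYID\n' > "$1/alice/.aws/credentials"
    printf '[default]\naws_secret_access_key = EXAMPLESECRET\n' > "$1/build/credentials"
    printf 'db_user = app\n' > "$1/app/credentials"                    # no keyword: skipped
    printf '[default]\nregion = us-east-1\n' > "$1/alice/.aws/config"  # name ignored
    chmod 600 "$1/alice/.aws/credentials"
    chmod 644 "$1/build/credentials" "$1/app/credentials"
}

# Demo on the constructed tree: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample_tree "$tmp" && audit_aws_credentials "$tmp"
    rm -rf "$tmp"
fi
```

A LOOSE line marks a credentials file that group or other users can access; tightening it to mode 600 limits it to the owner.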
@dev-fortress careful when merging in changes from remote. I believe you rebased your changes (at least that is what it looks like) because of merge conflicts, but that reverted all previous changes I made. TLDR; never rebase -> always merge and resolve conflicts with the editor of your choice
I reverted the commit and applied your changes manually.
Thanks! Sorry about all the changes — I’m not a developer by trade and still learning Git, but I’m committed to getting better at it. Really appreciate you merging into main!
No worries! Just for the future :)