CredCheck - A Credential Pentesting Framework

A framework to test all kinds of credentials found during a pen-testing exercise

Inspiration

I had a lot of keys while testing multiple targets, and testing them is a tedious task. There are three steps to test if a key is working.

  • First, you need to find the right documentation for the respective keys.

  • Then you go and test if those docs are working on the key.

  • Then you need to find out what the response needs to be for valid credentials.

During this exercise, you’ll face the following problems:

  • Finding correct service and documentation for the key.

  • Method and param setting for simple curl requests to test the key.

  • Response checking: working key response vs. invalid key response.

This can take from 5 minutes to 30 minutes for a single service. If every security researcher does the same thing, it wastes everyone's time, hence I decided to automate the process. I started searching for whether any such open-source project exists and found Keyhacks. It’s an awesome collection of one-liner curl requests for key validation. I dropped the idea at first and started using Keyhacks for my workflow, but I needed something to automate the process, so I decided to create a framework where anyone can add a new API key service without needing to write code. The framework should also be extendable to other credential checking, such as a private key over the SSH protocol or a cryptocurrency address over a blockchain.

CredCheck

So I started working on a base framework and created CredCheck for this purpose.

You can use it as a command-line tool or as a Python library, depending on your workflow.

Features

  1. Static validation of keys using regex.

  2. Dynamic validation over HTTP for an API key, token, secret, or ID.

  3. Decide or narrow down the service of an unknown key.

The framework will support other protocols in the future; currently it only supports HTTP.

Contribution

Currently, CredCheck supports credential checking over HTTP for 43 services: Algolia, asana, Bitly, branch, Browserstacks, Buildkite, Datadog, Deviant-art, dropbox, facebook-app-secret, facebook_access_token, firebase, Github-id-secret, Github-token, Gitlab, google-cloud-messaging, google_maps, google_recaptcha, Heroku, Instagram, Mailchimp, Mailgun, Mapsbox, Pagerduty, Paypal, Pendo-integration-key, Razorpay, salesforce, Saucelabs, Sendgrid, slack-token, slack-webhook, Spotify, square, stripe, Travis, Twilio, Twitter, twitter-bearer, Wakatime, Wpengine, Zapier-webhook, Zendesk.

There are three major areas of contribution

{
    "sendgrid": {
        "helper": {
            "_doc": "",
            "help": "TOKEN is required"
        },
        "config": {
            "url": "https://api.sendgrid.com/v3/scopes",
            "args": {
                "headers": {
                    "Authorization": "Bearer {TOKEN}",
                    "Content-Type": "application/json"
                }
            }
        },
        "static": {
            "TOKEN": ".*"
        }
    },
    "stripe": {
        "helper": {
            "_doc": "",
            "help": "TOKEN is required"
        },
        "config": {
            "url": "https://api.stripe.com/v1/charges",
            "args": {
                "headers": {
                    "Authorization": "Bearer {TOKEN}"
                }
            }
        },
        "static": {
            "TOKEN": "sk_live_[0-9a-zA-Z]{24}"
        }
    }
}

  • Test cases for the given 43 services using available API credentials.

  • Protocol handler client for new protocols.
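
The static check and the service narrowing listed under Features, applied to the two service definitions shown above. This is an added example, not CredCheck's own code: the function names are hypothetical, it assumes a static pattern must match the whole string, and it only prepares the HTTP request without sending it.

```python
import json
import re

# Two entries copied from the page's service definitions ("helper" omitted).
SERVICES = json.loads(r'''
{
  "sendgrid": {
    "config": {"url": "https://api.sendgrid.com/v3/scopes",
               "args": {"headers": {"Authorization": "Bearer {TOKEN}",
                                    "Content-Type": "application/json"}}},
    "static": {"TOKEN": ".*"}
  },
  "stripe": {
    "config": {"url": "https://api.stripe.com/v1/charges",
               "args": {"headers": {"Authorization": "Bearer {TOKEN}"}}},
    "static": {"TOKEN": "sk_live_[0-9a-zA-Z]{24}"}
  }
}
''')

CATCH_ALL = {".*", ".+"}  # patterns that accept anything carry no signal

def candidate_services(token, services=SERVICES):
    """Static step: services whose TOKEN regex matches the whole string
    (assumption: fullmatch, so a key embedded in longer text is rejected).
    Services with a specific pattern come first, catch-all ones last."""
    specific, generic = [], []
    for name, spec in services.items():
        pattern = spec["static"]["TOKEN"]
        if re.fullmatch(pattern, token):
            (generic if pattern in CATCH_ALL else specific).append(name)
    return specific + generic

def build_request(service, token, services=SERVICES):
    """Dynamic step, preparation only: fill {TOKEN} into the header
    templates. Returns (url, headers); nothing is sent."""
    cfg = services[service]["config"]
    headers = {k: v.replace("{TOKEN}", token)
               for k, v in cfg["args"]["headers"].items()}
    return cfg["url"], headers

def redact(token, keep=8):
    """Form of the token that is safe to write to logs or reports."""
    return token[:keep] + "*" * max(len(token) - keep, 0)

if __name__ == "__main__":
    sample = "sk_live_" + "A1b2C3d4" * 3  # constructed, not a real key
    print(redact(sample), candidate_services(sample))
    print(build_request("stripe", sample)[0])
```

A definition whose static pattern is `.*` matches every input, so it can never rule a service out; only entries with a specific pattern, like the Stripe one, contribute to narrowing.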