From 2f53a83e7dd48baab7a61305f2f6ac56d06c1067 Mon Sep 17 00:00:00 2001 From: Brad Larsen Date: Thu, 18 Apr 2024 18:02:23 -0400 Subject: [PATCH 1/2] Add rule for AWS AppSync API Key --- CHANGELOG.md | 4 +++ README.md | 2 +- ...parker__rules__rules_check_builtins-2.snap | 3 +- ...noseyparker__rules__rules_list_json-2.snap | 19 +++++++++++- ...seyparker__rules__rules_list_noargs-2.snap | 7 ++--- .../data/default/builtin/rules/aws.yml | 30 +++++++++++++++++++ .../data/default/builtin/rulesets/default.yml | 1 + 7 files changed, 58 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a432e935a..9a5470f7a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - A new `datastore export` command has been added ([#166](https://github.com/praetorian-inc/noseyparker/pull/166)). This command exports the essential content from a Nosey Parker datastore as a .tgz file that can be extracted wherever it is needed. +- New rules have been added: + + - AWS AppSync API Key + ### Changes - The vendored copy of Boost included in the internal `vectorscan-sys` crate has been removed in favor of using the system-provided Boost ([#150](https://github.com/praetorian-inc/noseyparker/pull/150) from @seqre). diff --git a/README.md b/README.md index 70a2e24fd..2bc088803 100644 --- a/README.md +++ b/README.md 
@@ -6,7 +6,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information **Key features:** - It can natively scan files, directories, and Git repository history -- It uses regular expression matching with a set of [139 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements +- It uses regular expression matching with a set of [140 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements - It deduplicates its findings, grouping matches together that share the same secret, which in practice can reduce review burden by 100x or more - It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro - It scales: it has scanned inputs as large as 20TiB during security engagements diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap index a06727d55..9441ec536 100644 --- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap +++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap @@ -2,5 +2,4 @@ source: crates/noseyparker-cli/tests/rules/mod.rs expression: stdout --- -139 rules and 3 rulesets: no issues detected - +140 rules and 3 rulesets: no issues detected diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap index 1037b9c23..0a7f3f4c8 100644 --- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap 
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap @@ -81,6 +81,23 @@ expression: stdout ] } }, + { + "id": "np.appsync.1", + "structural_id": "1a653a8d9b81fd1ef03814630e219dfcd01d847b", + "name": "AWS AppSync API Key", + "syntax": { + "name": "AWS AppSync API Key", + "id": "np.appsync.1", + "pattern": "(?x)\n\\b\n(da2-[a-z0-9]{26})\n\\b\n", + "examples": [ + " aws_appsync_apiKey: 'da2-nmaqhbb63zabjactesiydcfuvu'," + ], + "negative_examples": [], + "references": [ + "https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#api-key-authorization" + ] + } + }, { "id": "np.arn.1", "structural_id": "9b6dbcab66d56d9b6b9b3abbe3269f0eefcfd7da", @@ -2784,7 +2801,7 @@ expression: stdout { "id": "default", "name": "Nosey Parker default rules", - "num_rules": 119 + "num_rules": 120 }, { "id": "np.assets", diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap index 8afb7fce5..eabc49a13 100644 --- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap +++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap @@ -2,13 +2,13 @@ source: crates/noseyparker-cli/tests/rules/mod.rs expression: stdout --- - Rule ID Rule Name ───────────────────────────────────────────────────────────────────────────── np.adafruit.1 Adafruit IO Key np.adobe.1 Adobe OAuth Client Secret np.age.1 Age Recipient (X25519 public key) np.age.2 Age Identity (X22519 secret key) + np.appsync.1 AWS AppSync API Key np.arn.1 Amazon Resource Name np.artifactory.1 Artifactory API Key np.aws.1 AWS API Key 
@@ -147,7 +147,6 @@ expression: stdout Ruleset ID Ruleset Name Rules ───────────────────────────────────────────────────────── - default Nosey Parker default rules 119 + default Nosey Parker default rules 120 np.assets Nosey Parker asset detection rules 15 - np.hashes Nosey Parker password hash rules 5 - + np.hashes Nosey Parker password hash rules 5 diff --git a/crates/noseyparker/data/default/builtin/rules/aws.yml b/crates/noseyparker/data/default/builtin/rules/aws.yml index dc18750e9..fa7ce3c70 100644 --- a/crates/noseyparker/data/default/builtin/rules/aws.yml +++ b/crates/noseyparker/data/default/builtin/rules/aws.yml @@ -310,3 +310,33 @@ rules: - '"aws-kms://arn:aws:kms:us-east-1:003084325827:key/84a66985-f968-4bac-82c2-365518adf157";' - 'return f"arn:aws:s3:::{bucket_name}"' - 'return f"arn:aws:s3:::${bucket_name}"' + + +# "AWS AppSync is an enterprise-level, fully managed GraphQL service with real-time data synchronization and offline programming features." +- name: AWS AppSync API Key + id: np.appsync.1 + pattern: | + (?x) + \b + (da2-[a-z0-9]{26}) + \b + + # Note: AWS AppSync provides several authorization mechanisms. + # This API Key mechanism is but one. + # It is also not clear that an AWS AppKey is _always_ secret: + # + # An API key is a hard-coded value in your application that is generated + # by the AWS AppSync service when you create an unauthenticated GraphQL + # endpoint. + # + # ... + # + # API keys are configurable for up to 365 days, and you can extend an + # existing expiration date for up to another 365 days from that day. API + # Keys are recommended for development purposes or use cases where it’s + # safe to expose a public API. + references: + - https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#api-key-authorization + + examples: + - " aws_appsync_apiKey: 'da2-nmaqhbb63zabjactesiydcfuvu'," 
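Review bot: The new `np.appsync.1` rule ships with no `negative_examples`, so nothing pins down what `\b(da2-[a-z0-9]{26})\b` must reject; a wrong-length value such as `da2-abcdefghijklmnopqrstuvwxy` (25 characters) would be a useful first entry. The rule's own YAML note quotes AWS saying the key is generated for an unauthenticated endpoint and is recommended where it is safe to expose a public API, so many hits will be values the owner intentionally shipped in client code, even though a leaked key presumably still authorizes requests against that endpoint; that triage caveat currently lives only in a comment and would be more useful where a reader of findings sees it, e.g. a name like `AWS AppSync API Key (often intentionally public)` or a description field if the rule schema provides one. The hunk contains the whole rule, so nothing is cut off.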
diff --git a/crates/noseyparker/data/default/builtin/rulesets/default.yml b/crates/noseyparker/data/default/builtin/rulesets/default.yml index d2c5d752b..e122a0177 100644 --- a/crates/noseyparker/data/default/builtin/rulesets/default.yml +++ b/crates/noseyparker/data/default/builtin/rulesets/default.yml @@ -19,6 +19,7 @@ rulesets: - np.adobe.1 # Adobe OAuth Client Secret - np.age.2 # Age Identity (X22519 secret key) - np.artifactory.1 # Artifactory API Key + - np.appsync.1 # AWS AppSync API Key - np.aws.2 # AWS Secret Access Key - np.aws.4 # AWS Session Token - np.aws.5 # Amazon MWS Auth Token From 6199c7785e792c8168405464da6499e25cf28fc8 Mon Sep 17 00:00:00 2001 From: Brad Larsen Date: Fri, 19 Apr 2024 16:29:50 -0400 Subject: [PATCH 2/2] Add rule for Kerberos 5, etype 23, AS-REP password hashes --- CHANGELOG.md | 3 +- README.md | 2 +- ...parker__rules__rules_check_builtins-2.snap | 2 +- ...noseyparker__rules__rules_list_json-2.snap | 23 +- ...seyparker__rules__rules_list_noargs-2.snap | 287 +++++++++--------- .../data/default/builtin/rules/hashes.yml | 27 ++ .../default/builtin/rulesets/np.hashes.yml | 11 +- 7 files changed, 203 insertions(+), 152 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2386ed4db..ea64022cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - New rules have been added: - - AWS AppSync API Key + - AWS AppSync API Key ([#176](https://github.com/praetorian-inc/noseyparker/pull/176)) + - Password Hash (Kerberos 5, etype 23, AS-REP) ([#176](https://github.com/praetorian-inc/noseyparker/pull/176)) ### Changes diff --git a/README.md b/README.md index 2bc088803..1dc99388d 100644 --- a/README.md +++ b/README.md 
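Review bot: `np.appsync.1` is inserted after `np.artifactory.1`, which breaks the alphabetical order the surrounding entries keep (`np.adobe.1`, `np.age.2`, `np.artifactory.1`, `np.aws.2`); the line belongs between `np.age.2` and `np.artifactory.1`. Separately, the rule's note in aws.yml acknowledges that an AppSync API key is generated for unauthenticated endpoints and is recommended for public APIs, so adding it to the default ruleset will surface deliberately public values; if that is intended, a trailing comment such as `# often intentionally public; triage accordingly` on this line would record the decision for the next person auditing the list.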
@@ -6,7 +6,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information **Key features:** - It can natively scan files, directories, and Git repository history -- It uses regular expression matching with a set of [140 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements +- It uses regular expression matching with a set of [141 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements - It deduplicates its findings, grouping matches together that share the same secret, which in practice can reduce review burden by 100x or more - It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro - It scales: it has scanned inputs as large as 20TiB during security engagements diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap index 9441ec536..ab83a31b4 100644 --- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap +++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap @@ -2,4 +2,4 @@ source: crates/noseyparker-cli/tests/rules/mod.rs expression: stdout --- -140 rules and 3 rulesets: no issues detected +141 rules and 3 rulesets: no issues detected diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap index 0a7f3f4c8..00cb42e38 100644 --- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap 
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap 
@@ -1383,6 +1383,27 @@ expression: stdout ] } }, + { + "id": "np.krb5.asrep.23.1", + "structural_id": "0026c7bd3577be46d947892edab1bde4e1c320a0", + "name": "Password Hash (Kerberos 5, etype 23, AS-REP)", + "syntax": { + "name": "Password Hash (Kerberos 5, etype 23, AS-REP)", + "id": "np.krb5.asrep.23.1", + "pattern": "(?x)\n(\n\\$ krb5asrep (?# magic )\n\\$ 23 (?# etype )\n\\$\n(?: [^:]+ : )? (?# user @ domain : )\n[0-9a-f]{32} (?# salt )\n\\$ [0-9a-f]{64,} (?# hash )\n)\n\\b\n", + "examples": [ + "$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac", + "$krb5asrep$23$8cf8eb5287e28a4006c064892150c4fb$3e05ecc13548bec8e1eeb900dea5429cc6931bae9b8524490eb3a8801560871fe44355ed556202afbb39872e1bbb5c3c4f1b37dcd68fda89a23ebad917d4bbb0933edd94331598939e5d0c0c98c7e219a2e9dd6b877280d1bd7c51131413be577a167208bcc21e9fe7ae8f393278d740e72ca5c44c42d5cb0bf6bab0a36f1b88b7ddc4abbc6f152e652f6ba35c2955fb4132e11b7e566f3b422c3740f79847b77783d245a4e570b8a621b4ff6ff4815566446af70313ee78133707a76a4e4424783bd7c04920aa822a1a36b29f7e25cef186e6439fc46e42e23d6bd918969ef49b8388aef158e443b3a57dbde7ada631fbef7326f9046a9b", + "$krb5asrep$23$c447eddaebf22ebf006a8fc6f986488c$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", + 
"$krb5asrep$23$771adbc2397abddef676742924414f2b$2df6eb2d9c71820dc3fa2c098e071d920f0e412f5f12411632c5ee70e004da1be6f003b78661f8e4507e173552a52da751c45887c19bc1661ed334e0ccb4ef33975d4bd68b3d24746f281b4ca4fdf98fca0e50a8e845ad7d834e020c05b1495bc473b0295c6e9b94963cb912d3ff0f2f48c9075b0f52d9a31e5f4cc67c7af1d816b6ccfda0da5ccf35820a4d7d79073fa404726407ac840910357ef210fcf19ed81660106dfc3f4d9166a89d59d274f31619ddd9a1e2712c879a4e9c471965098842b44fae7ca6dd389d5d98b7fd7aca566ca399d072025e81cf0ef5075447687f80100307145fade7a8", + "$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac" + ], + "negative_examples": [], + "references": [ + "https://hashcat.net/wiki/doku.php?id=example_hashes" + ] + } + }, { "id": "np.linkedin.1", "structural_id": "2fb4e1caf47a02501461f43476d779dc3c867f0f", @@ -2811,7 +2832,7 @@ expression: stdout { "id": "np.hashes", "name": "Nosey Parker password hash rules", - "num_rules": 5 + "num_rules": 6 } ] } diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap index eabc49a13..757e51e46 100644 --- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap +++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap 
@@ -2,151 +2,152 @@ source: crates/noseyparker-cli/tests/rules/mod.rs expression: stdout --- - Rule ID Rule Name -───────────────────────────────────────────────────────────────────────────── - np.adafruit.1 Adafruit IO Key - np.adobe.1 Adobe OAuth Client Secret - np.age.1 Age Recipient (X25519 public key) - np.age.2 Age Identity (X22519 secret key) - np.appsync.1 AWS AppSync API Key - np.arn.1 Amazon Resource Name - np.artifactory.1 Artifactory API Key - np.aws.1 AWS API Key - np.aws.2 AWS Secret Access Key - np.aws.3 AWS Account ID - np.aws.4 AWS Session Token - np.aws.5 Amazon MWS Auth Token - np.azure.1 Azure Connection String - np.azure.2 Azure App Configuration Connection String - np.blynk.1 Blynk Device Access Token - np.blynk.2 Blynk Organization Access Token (URL first) - np.blynk.3 Blynk Organization Access Token (URL last) - np.blynk.4 Blynk Organization Client ID (URL first) - np.blynk.5 Blynk Organization Client ID (URL last) - np.blynk.6 Blynk Organization Client Secret (URL first) - np.blynk.7 Blynk Organization Client Secret (URL last) - np.codeclimate.1 CodeClimate Reporter ID - np.cratesio.1 crates.io API Key - np.digitalocean.1 DigitalOcean Application Access Token - np.digitalocean.2 DigitalOcean Personal Access Token - np.digitalocean.3 DigitalOcean Refresh Token - np.dockerhub.1 Docker Hub Personal Access Token - np.doppler.1 Doppler CLI Token - np.doppler.2 Doppler Personal Token - np.doppler.3 Doppler Service Token - np.doppler.4 Doppler Service Account Token - np.doppler.5 Doppler SCIM Token - np.doppler.6 Doppler Audit Token - np.dropbox.1 Dropbox Access Token - np.dtrack.1 Dependency-Track API Key - np.dynatrace.1 Dynatrace Token - np.facebook.1 Facebook Secret Key - np.facebook.2 Facebook Access Token - np.figma.1 Figma Personal Access Token - np.gcs.1 Google Cloud Storage Bucket (subdomain style) - np.gcs.2 Google Cloud Storage Bucket (path style) - np.generic.1 Generic Secret - np.generic.2 Generic API Key - np.generic.3 Generic 
Username and Password (quoted) - np.generic.4 Generic Username and Password (unquoted) - np.generic.5 Generic Password (double quoted) - np.generic.6 Generic Password (single quoted) - np.github.1 GitHub Personal Access Token - np.github.2 GitHub OAuth Access Token - np.github.3 GitHub App Token - np.github.4 GitHub Refresh Token - np.github.5 GitHub Client ID - np.github.6 GitHub Secret Key - np.github.7 GitHub Personal Access Token (fine-grained permissions) - np.gitlab.1 GitLab Runner Registration Token - np.gitlab.2 GitLab Personal Access Token - np.gitlab.3 GitLab Pipeline Trigger Token - np.google.1 Google Client ID - np.google.2 Google OAuth Client Secret (prefixed) - np.google.3 Google OAuth Client Secret - np.google.4 Google OAuth Access Token - np.google.5 Google API Key - np.gradle.1 Hardcoded Gradle Credentials - np.grafana.1 Grafana API Token - np.grafana.2 Grafana Cloud API Token - np.grafana.3 Grafana Service Account Token - np.heroku.1 Heroku API Key - np.huggingface.1 HuggingFace User Access Token - np.jenkins.1 Jenkins Token or Crumb - np.jwt.1 JSON Web Token (base64url-encoded) - np.linkedin.1 LinkedIn Client ID - np.linkedin.2 LinkedIn Secret Key - np.mailchimp.1 MailChimp API Key - np.mailgun.1 Mailgun API Key - np.mapbox.1 Mapbox Public Access Token - np.mapbox.2 Mapbox Secret Access Token - np.mapbox.3 Mapbox Temporary Access Token - np.msteams.1 Microsoft Teams Webhook - np.netrc.1 netrc Credentials - np.newrelic.1 New Relic License Key - np.newrelic.2 New Relic License Key (non-suffixed) - np.newrelic.3 New Relic API Service Key - np.newrelic.4 New Relic Admin API Key - np.newrelic.5 New Relic Insights Insert Key - np.newrelic.6 New Relic Insights Query Key - np.newrelic.7 New Relic REST API Key - np.newrelic.8 New Relic Pixie API Key - np.newrelic.9 New Relic Pixie Deploy Key - np.npm.1 NPM Access Token (fine-grained) - np.nuget.1 NuGet API Key - np.odbc.1 Credentials in ODBC Connection String - np.okta.1 Okta API Token - np.openai.1 
OpenAI API Key - np.particleio.1 particle.io Access Token (URL first) - np.particleio.2 particle.io Access Token (URL last) - np.pem.1 PEM-Encoded Private Key - np.postman.1 Postman API Key - np.psexec.1 Credentials in PsExec - np.pwhash.1 Password Hash (md5crypt) - np.pwhash.2 Password Hash (bcrypt) - np.pwhash.3 Password Hash (sha256crypt) - np.pwhash.4 Password Hash (sha512crypt) - np.pwhash.5 Password Hash (Cisco IOS PBKDF2 with SHA256) - np.pypi.1 PyPI Upload Token - np.reactapp.1 React App Username - np.reactapp.2 React App Password - np.rubygems.1 RubyGems API Key - np.s3.1 AWS S3 Bucket (subdomain style) - np.s3.2 AWS S3 Bucket (path style) - np.salesforce.1 Salesforce Access Token - np.sauce.1 Sauce Token - np.segment.1 Segment Public API Token - np.sendgrid.1 SendGrid API Key - np.shopify.1 Shopify Domain - np.shopify.2 Shopify App Secret - np.shopify.3 Shopify Access Token (Public App) - np.shopify.4 Shopify Access Token (Custom App) - np.shopify.5 Shopify Access Token (Legacy Private App) - np.slack.2 Slack Bot Token - np.slack.3 Slack Webhook - np.slack.4 Slack User Token - np.slack.5 Slack App Token - np.slack.6 Slack Legacy Bot Token - np.sonarqube.1 SonarQube Token - np.square.1 Square Access Token - np.square.2 Square OAuth Secret - np.stackhawk.1 StackHawk API Key - np.stripe.1 Stripe API Key - np.stripe.2 Stripe API Test Key - np.telegram.1 Telegram Bot Token - np.thingsboard.1 ThingsBoard Access Token - np.thingsboard.2 ThingsBoard Provision Device Key - np.thingsboard.3 ThingsBoard Provision Device Secret - np.truenas.1 TrueNAS API Key (WebSocket) - np.truenas.2 TrueNAS API Key (REST API) - np.twilio.1 Twilio API Key - np.twitter.1 Twitter Client ID - np.twitter.2 Twitter Secret Key - np.wireguard.1 WireGuard Private Key - np.wireguard.2 WireGuard Preshared Key + Rule ID Rule Name +────────────────────────────────────────────────────────────────────────────── + np.adafruit.1 Adafruit IO Key + np.adobe.1 Adobe OAuth Client Secret + np.age.1 Age 
Recipient (X25519 public key) + np.age.2 Age Identity (X22519 secret key) + np.appsync.1 AWS AppSync API Key + np.arn.1 Amazon Resource Name + np.artifactory.1 Artifactory API Key + np.aws.1 AWS API Key + np.aws.2 AWS Secret Access Key + np.aws.3 AWS Account ID + np.aws.4 AWS Session Token + np.aws.5 Amazon MWS Auth Token + np.azure.1 Azure Connection String + np.azure.2 Azure App Configuration Connection String + np.blynk.1 Blynk Device Access Token + np.blynk.2 Blynk Organization Access Token (URL first) + np.blynk.3 Blynk Organization Access Token (URL last) + np.blynk.4 Blynk Organization Client ID (URL first) + np.blynk.5 Blynk Organization Client ID (URL last) + np.blynk.6 Blynk Organization Client Secret (URL first) + np.blynk.7 Blynk Organization Client Secret (URL last) + np.codeclimate.1 CodeClimate Reporter ID + np.cratesio.1 crates.io API Key + np.digitalocean.1 DigitalOcean Application Access Token + np.digitalocean.2 DigitalOcean Personal Access Token + np.digitalocean.3 DigitalOcean Refresh Token + np.dockerhub.1 Docker Hub Personal Access Token + np.doppler.1 Doppler CLI Token + np.doppler.2 Doppler Personal Token + np.doppler.3 Doppler Service Token + np.doppler.4 Doppler Service Account Token + np.doppler.5 Doppler SCIM Token + np.doppler.6 Doppler Audit Token + np.dropbox.1 Dropbox Access Token + np.dtrack.1 Dependency-Track API Key + np.dynatrace.1 Dynatrace Token + np.facebook.1 Facebook Secret Key + np.facebook.2 Facebook Access Token + np.figma.1 Figma Personal Access Token + np.gcs.1 Google Cloud Storage Bucket (subdomain style) + np.gcs.2 Google Cloud Storage Bucket (path style) + np.generic.1 Generic Secret + np.generic.2 Generic API Key + np.generic.3 Generic Username and Password (quoted) + np.generic.4 Generic Username and Password (unquoted) + np.generic.5 Generic Password (double quoted) + np.generic.6 Generic Password (single quoted) + np.github.1 GitHub Personal Access Token + np.github.2 GitHub OAuth Access Token + np.github.3 
GitHub App Token + np.github.4 GitHub Refresh Token + np.github.5 GitHub Client ID + np.github.6 GitHub Secret Key + np.github.7 GitHub Personal Access Token (fine-grained permissions) + np.gitlab.1 GitLab Runner Registration Token + np.gitlab.2 GitLab Personal Access Token + np.gitlab.3 GitLab Pipeline Trigger Token + np.google.1 Google Client ID + np.google.2 Google OAuth Client Secret (prefixed) + np.google.3 Google OAuth Client Secret + np.google.4 Google OAuth Access Token + np.google.5 Google API Key + np.gradle.1 Hardcoded Gradle Credentials + np.grafana.1 Grafana API Token + np.grafana.2 Grafana Cloud API Token + np.grafana.3 Grafana Service Account Token + np.heroku.1 Heroku API Key + np.huggingface.1 HuggingFace User Access Token + np.jenkins.1 Jenkins Token or Crumb + np.jwt.1 JSON Web Token (base64url-encoded) + np.krb5.asrep.23.1 Password Hash (Kerberos 5, etype 23, AS-REP) + np.linkedin.1 LinkedIn Client ID + np.linkedin.2 LinkedIn Secret Key + np.mailchimp.1 MailChimp API Key + np.mailgun.1 Mailgun API Key + np.mapbox.1 Mapbox Public Access Token + np.mapbox.2 Mapbox Secret Access Token + np.mapbox.3 Mapbox Temporary Access Token + np.msteams.1 Microsoft Teams Webhook + np.netrc.1 netrc Credentials + np.newrelic.1 New Relic License Key + np.newrelic.2 New Relic License Key (non-suffixed) + np.newrelic.3 New Relic API Service Key + np.newrelic.4 New Relic Admin API Key + np.newrelic.5 New Relic Insights Insert Key + np.newrelic.6 New Relic Insights Query Key + np.newrelic.7 New Relic REST API Key + np.newrelic.8 New Relic Pixie API Key + np.newrelic.9 New Relic Pixie Deploy Key + np.npm.1 NPM Access Token (fine-grained) + np.nuget.1 NuGet API Key + np.odbc.1 Credentials in ODBC Connection String + np.okta.1 Okta API Token + np.openai.1 OpenAI API Key + np.particleio.1 particle.io Access Token (URL first) + np.particleio.2 particle.io Access Token (URL last) + np.pem.1 PEM-Encoded Private Key + np.postman.1 Postman API Key + np.psexec.1 Credentials in 
PsExec + np.pwhash.1 Password Hash (md5crypt) + np.pwhash.2 Password Hash (bcrypt) + np.pwhash.3 Password Hash (sha256crypt) + np.pwhash.4 Password Hash (sha512crypt) + np.pwhash.5 Password Hash (Cisco IOS PBKDF2 with SHA256) + np.pypi.1 PyPI Upload Token + np.reactapp.1 React App Username + np.reactapp.2 React App Password + np.rubygems.1 RubyGems API Key + np.s3.1 AWS S3 Bucket (subdomain style) + np.s3.2 AWS S3 Bucket (path style) + np.salesforce.1 Salesforce Access Token + np.sauce.1 Sauce Token + np.segment.1 Segment Public API Token + np.sendgrid.1 SendGrid API Key + np.shopify.1 Shopify Domain + np.shopify.2 Shopify App Secret + np.shopify.3 Shopify Access Token (Public App) + np.shopify.4 Shopify Access Token (Custom App) + np.shopify.5 Shopify Access Token (Legacy Private App) + np.slack.2 Slack Bot Token + np.slack.3 Slack Webhook + np.slack.4 Slack User Token + np.slack.5 Slack App Token + np.slack.6 Slack Legacy Bot Token + np.sonarqube.1 SonarQube Token + np.square.1 Square Access Token + np.square.2 Square OAuth Secret + np.stackhawk.1 StackHawk API Key + np.stripe.1 Stripe API Key + np.stripe.2 Stripe API Test Key + np.telegram.1 Telegram Bot Token + np.thingsboard.1 ThingsBoard Access Token + np.thingsboard.2 ThingsBoard Provision Device Key + np.thingsboard.3 ThingsBoard Provision Device Secret + np.truenas.1 TrueNAS API Key (WebSocket) + np.truenas.2 TrueNAS API Key (REST API) + np.twilio.1 Twilio API Key + np.twitter.1 Twitter Client ID + np.twitter.2 Twitter Secret Key + np.wireguard.1 WireGuard Private Key + np.wireguard.2 WireGuard Preshared Key Ruleset ID Ruleset Name Rules ───────────────────────────────────────────────────────── default Nosey Parker default rules 120 np.assets Nosey Parker asset detection rules 15 - np.hashes Nosey Parker password hash rules 5 + np.hashes Nosey Parker password hash rules 6 
diff --git a/crates/noseyparker/data/default/builtin/rules/hashes.yml b/crates/noseyparker/data/default/builtin/rules/hashes.yml index 839a0a523..cffc43252 100644 --- a/crates/noseyparker/data/default/builtin/rules/hashes.yml +++ b/crates/noseyparker/data/default/builtin/rules/hashes.yml 
@@ -94,3 +94,30 @@ rules: examples: - '$8$TnGX/fE4KGHOVU$pEhnEvxrvaynpi8j4f.EMHr6M.FzU8xnZnBr/tJdFWk' - '$8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.' + + +- name: Password Hash (Kerberos 5, etype 23, AS-REP) + id: np.krb5.asrep.23.1 + pattern: | + (?x) + ( + \$ krb5asrep (?# magic ) + \$ 23 (?# etype ) + \$ + (?: [^:]+ : )? (?# user @ domain : ) + [0-9a-f]{32} (?# salt ) + \$ [0-9a-f]{64,} (?# hash ) + ) + \b + + references: + - https://hashcat.net/wiki/doku.php?id=example_hashes + + examples: + # Kerberos 5, etype 23, AS-REP + - '$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac' + - '$krb5asrep$23$8cf8eb5287e28a4006c064892150c4fb$3e05ecc13548bec8e1eeb900dea5429cc6931bae9b8524490eb3a8801560871fe44355ed556202afbb39872e1bbb5c3c4f1b37dcd68fda89a23ebad917d4bbb0933edd94331598939e5d0c0c98c7e219a2e9dd6b877280d1bd7c51131413be577a167208bcc21e9fe7ae8f393278d740e72ca5c44c42d5cb0bf6bab0a36f1b88b7ddc4abbc6f152e652f6ba35c2955fb4132e11b7e566f3b422c3740f79847b77783d245a4e570b8a621b4ff6ff4815566446af70313ee78133707a76a4e4424783bd7c04920aa822a1a36b29f7e25cef186e6439fc46e42e23d6bd918969ef49b8388aef158e443b3a57dbde7ada631fbef7326f9046a9b' + - 
'$krb5asrep$23$c447eddaebf22ebf006a8fc6f986488c$eb3a17eb56287b474cecad5d4e0490d949977ba3f5015220bcd3080444d5601d67b76c5453b678e8527624e40c273bea4cfe4a7303e136b9bc3b9e63b6fb492ee4b4d2f830c5fa5a55466b57a678f708438f6712354a2deb851792b09270f4941966b82a2fd5ad8fa1fbd95a60b0f9bcd57774b3e55467a02ffcb3f1379104c24e468342f83df20b571e6f34f9a9842b43735d58d94514dcefa76719c0f5c7c3a3bfa770380924625aa0a3472d7c02d10dbb278fd946f7efcfe59a4d4cb7bdb9c5dbddc027611fe333d3ac940ec5b4ed43b55ab54b03cd2df0a9a2a7b5d235c226b259bd5ff8e0e49680351d4f0c4d13e258bc8d383cad6fc2711be0' + - '$krb5asrep$23$771adbc2397abddef676742924414f2b$2df6eb2d9c71820dc3fa2c098e071d920f0e412f5f12411632c5ee70e004da1be6f003b78661f8e4507e173552a52da751c45887c19bc1661ed334e0ccb4ef33975d4bd68b3d24746f281b4ca4fdf98fca0e50a8e845ad7d834e020c05b1495bc473b0295c6e9b94963cb912d3ff0f2f48c9075b0f52d9a31e5f4cc67c7af1d816b6ccfda0da5ccf35820a4d7d79073fa404726407ac840910357ef210fcf19ed81660106dfc3f4d9166a89d59d274f31619ddd9a1e2712c879a4e9c471965098842b44fae7ca6dd389d5d98b7fd7aca566ca399d072025e81cf0ef5075447687f80100307145fade7a8' + - '$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac' + diff --git a/crates/noseyparker/data/default/builtin/rulesets/np.hashes.yml b/crates/noseyparker/data/default/builtin/rulesets/np.hashes.yml index 1ac6a6da6..23e4e1628 100644 --- a/crates/noseyparker/data/default/builtin/rulesets/np.hashes.yml +++ b/crates/noseyparker/data/default/builtin/rulesets/np.hashes.yml 
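Review bot: In the new `np.krb5.asrep.23.1` pattern the optional principal group `(?: [^:]+ : )?` is unbounded and, under `(?x)`, `[^:]` still matches whitespace and newlines, so for a hash written without a `user@domain:` prefix the matcher can stretch that group from `$23$` across following lines to the next colon, and a stray `:` followed by 32 hex digits and a `$` may yield one finding spanning unrelated lines; tightening it to `(?: [^:\s]+ : )?` keeps the match on a single line and still accepts every listed example. The `examples` list also contains the `user@domain.com:3e156ada…` hash twice (first and last entry), and there are no `negative_examples` at all. The `(?# salt )` label looks misleading: in the hashcat layout this rule follows, the 32-hex field after the principal appears to be the RC4-HMAC checksum rather than a salt — worth confirming against the referenced page and renaming the comment to `(?# checksum )`.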
@@ -11,8 +11,9 @@ rulesets: words, few false positives. include_rule_ids:
- - np.pwhash.1 # Password Hash (bcrypt)
- - np.pwhash.2 # Password Hash (md5crypt)
- - np.pwhash.3 # Password Hash (sha256crypt)
- - np.pwhash.4 # Password Hash (sha256crypt)
- - np.pwhash.5 # Password Hash (Cisco IOS PBKDF2 with SHA256)
+ - np.pwhash.1 # Password Hash (bcrypt)
+ - np.pwhash.2 # Password Hash (md5crypt)
+ - np.pwhash.3 # Password Hash (sha256crypt)
+ - np.pwhash.4 # Password Hash (sha256crypt)
+ - np.pwhash.5 # Password Hash (Cisco IOS PBKDF2 with SHA256)
+ - np.krb5.asrep.23.1 # Password Hash (Kerberos 5, etype 23, AS-REP)
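Review bot: The re-aligned `include_rule_ids` comments disagree with the rules they name: the rule list elsewhere in this same patch shows `np.pwhash.1` is md5crypt, `np.pwhash.2` is bcrypt and `np.pwhash.4` is sha512crypt, whereas the comments here say bcrypt, md5crypt and sha256crypt. Since every one of these lines is already rewritten for alignment, correct them in the same change: `- np.pwhash.1 # Password Hash (md5crypt)`, `- np.pwhash.2 # Password Hash (bcrypt)`, `- np.pwhash.4 # Password Hash (sha512crypt)`. The new `np.krb5.asrep.23.1` entry itself is labelled correctly.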