Credential Hunting

Hunting for credentials in exposed repositories, code, and configuration files. Once credentials are discovered, see Password Attacks for cracking hashes and testing authentication.

Git Repository Secret Scanning

TruffleHog

Entropy-based secret scanner that finds high-entropy strings and known patterns.

Installation:

# Via pip
pip install truffleHog

# Via Docker
docker pull trufflesecurity/trufflehog:latest

Basic Scanning:

# Scan a remote repository
trufflehog git https://github.com/target/repo

# Scan local repository
trufflehog filesystem /path/to/repo

# Scan GitHub organization
trufflehog github --org=target-org

# Only verified secrets
trufflehog git https://github.com/target/repo --only-verified

# JSON output for parsing
trufflehog git https://github.com/target/repo --json

Advanced Usage:

# Scan specific branch
trufflehog git https://github.com/target/repo --branch=dev

# Scan since specific commit
trufflehog git https://github.com/target/repo --since-commit=abc123

# Custom regex patterns
trufflehog filesystem /path/to/repo --config=custom-patterns.yaml

# Exclude paths
trufflehog git https://github.com/target/repo --exclude-paths=exclude.txt

Gitleaks

Fast, configurable secret scanner with comprehensive rule sets.

Installation:

# Via Docker
docker pull zricethezav/gitleaks:latest

# Download binary
wget https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_arm64.tar.gz

Basic Scanning:

# Detect secrets in repository
gitleaks detect --source . --verbose

# Scan specific directory
gitleaks detect --source /path/to/repo

# Report to file
gitleaks detect --source . --report-path report.json

# SARIF output for CI/CD
gitleaks detect --source . --report-format sarif --report-path results.sarif

Advanced Usage:

# Custom configuration
gitleaks detect --config gitleaks.toml --source .

# Scan uncommitted changes only
gitleaks protect --staged

# Baseline scan to ignore existing secrets
gitleaks detect --baseline-path gitleaks-report.json

# Scan commits since date
gitleaks detect --log-opts="--since='2024-01-01'"

# Verbose with redaction
gitleaks detect --verbose --redact

Git-Secrets

AWS-developed tool to prevent committing secrets.

Installation:

# Clone and install
git clone https://github.com/awslabs/git-secrets
cd git-secrets
make install

Setup and Scanning:

# Install hooks in repository
git secrets --install

# Add AWS patterns
git secrets --register-aws

# Add custom patterns
git secrets --add 'password\s*=\s*.+'
git secrets --add --allowed 'example\.com'

# Scan current repository
git secrets --scan

# Scan entire history
git secrets --scan-history

# List patterns
git secrets --list

GitGuardian (Free Tier)

Commercial tool with free tier for public repositories.

Installation:

# Via pip
pip install ggshield

# Initialize
ggshield auth login

Basic Scanning:

# Scan current repository
ggshield secret scan repo .

# Scan specific commit range
ggshield secret scan commit-range HEAD~10..HEAD

# Pre-commit hook
ggshield secret scan pre-commit

# CI mode (exit 0 on findings)
ggshield secret scan repo . --mode=ci

# Ignore known findings
ggshield secret scan repo . --ignore-known-secrets

Detect-Secrets

Yelp's enterprise-focused secret scanner.

Installation:

# Via pip
pip install detect-secrets

Basic Usage:

# Create baseline
detect-secrets scan > .secrets.baseline

# Audit findings
detect-secrets audit .secrets.baseline

# Scan all files
detect-secrets scan --all-files

# Update baseline
detect-secrets scan --baseline .secrets.baseline --update

# Custom plugins
detect-secrets scan --use-all-plugins

Advanced Configuration:

# Exclude paths
detect-secrets scan --exclude-files '.*\.test\.js$'

# Custom word list
detect-secrets scan --word-list custom-words.txt

# Base64 high entropy strings
detect-secrets scan --base64-limit 4.5

# Hex high entropy strings
detect-secrets scan --hex-limit 3.0

Manual Git History Analysis

Git Log Techniques

# Search commit messages
git log --all --grep='password'

# Search code changes
git log -S 'password' --source --all

# Show file history
git log --all --full-history -- "**/config.php"

# Find deleted files
git log --all --full-history --diff-filter=D -- "*.env"

# Search by author
git log --author="admin" --all --oneline

# Date range search
git log --since="2024-01-01" --until="2024-12-31" -S "api_key"

Git Grep for Secrets

# Search all branches
git grep -i 'password' $(git rev-list --all)

# Search for common patterns
git grep -E 'api[_-]?key|password|secret' $(git rev-list --all)

# Search with context
git grep -C 3 'BEGIN RSA PRIVATE KEY' $(git rev-list --all)

# Case-insensitive search
git grep -i 'aws_access_key' $(git rev-list --all)

Specific File Recovery

# List all config files ever committed
git log --all --full-history --pretty=format: --name-only -- '*.env' | sort -u

# Show specific file at commit
git show COMMIT_HASH:path/to/.env

# Recover deleted file
git checkout COMMIT_HASH -- path/to/deleted-file

Source Code Credential Patterns

Common Patterns to Search

# API keys
grep -r "api[_-]?key.*=.*['\"].*['\"]" .

# Database credentials
grep -r "mysql://\|postgres://\|mongodb://" .

# AWS credentials
grep -r "AKIA[0-9A-Z]{16}" .

# Private keys
grep -r "BEGIN.*PRIVATE KEY" .

# Generic secrets
grep -r -E "password|passwd|pwd.*=.*['\"].*['\"]" .

# OAuth tokens
grep -r "oauth.*token" .

# JWT tokens
grep -r "eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*" .

File Extensions to Target

# Configuration files
find . -type f \( -name "*.env" -o -name "*.config" -o -name "*.conf" -o -name "*.yaml" -o -name "*.yml" \)

# Credential files
find . -type f \( -name "*credentials*" -o -name "*secret*" -o -name "*password*" \)

# Key files
find . -type f \( -name "*.pem" -o -name "*.key" -o -name "*.p12" -o -name "*.pfx" \)

# Database dumps
find . -type f \( -name "*.sql" -o -name "*.db" -o -name "*.sqlite" \)

# Backup files
find . -type f \( -name "*.bak" -o -name "*.backup" -o -name "*~" \)

Cloud Provider Specific

AWS Credential Hunting

# Access keys in code
git grep -E 'AKIA[0-9A-Z]{16}' $(git rev-list --all)

# In environment files
grep -r "AWS_ACCESS_KEY_ID" .

# AWS configuration files
find . -name "credentials" -o -name "config" | xargs cat

# S3 bucket references
git grep -E 's3://[a-z0-9.-]+' $(git rev-list --all)

Azure Credential Hunting

# Service principal credentials
git grep -i "azure.*client.*secret" $(git rev-list --all)

# Connection strings
grep -r "AccountName=.*AccountKey=" .

# Azure storage keys
git grep -E '[a-zA-Z0-9+/]{88}==' $(git rev-list --all)

GCP Credential Hunting

# Service account keys (JSON)
find . -name "*service*account*.json"

# API keys
git grep -E 'AIza[0-9A-Za-z_-]{35}' $(git rev-list --all)

# OAuth client secrets
git grep "client_secret" $(git rev-list --all)

Post-Discovery Validation

Test AWS Credentials

# Configure temporary profile
aws configure --profile test-creds

# Test access
aws sts get-caller-identity --profile test-creds

# Enumerate permissions
aws iam get-user --profile test-creds
aws s3 ls --profile test-creds

Test Database Credentials

# MySQL
mysql -h host -u username -p'password' -e "SELECT version();"

# PostgreSQL
psql -h host -U username -d database -c "SELECT version();"

# MongoDB
mongosh "mongodb://username:password@host:27017/database" --eval "db.version()"

Test API Keys

# Generic API test
curl -H "Authorization: Bearer API_KEY" https://api.example.com/v1/user

# With API key parameter
curl "https://api.example.com/v1/data?api_key=KEY"

# With custom header
curl -H "X-API-Key: KEY" https://api.example.com/v1/endpoint

CI/CD Integration

GitHub Actions Example

name: Secret Scanning

on: [push, pull_request]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Pre-commit Hook

#!/bin/bash
# .git/hooks/pre-commit

# Gitleaks
gitleaks protect --staged --verbose

if [ $? -ne 0 ]; then
    echo "Warning: Gitleaks detected secrets!"
    exit 1
fi

Best Practices

1. Automated Scanning: Run tools in CI/CD pipelines
2. Multiple Tools: Use 2-3 different scanners for comprehensive coverage
3. Entropy Analysis: Combine pattern matching with entropy detection
4. History Scanning: Always scan entire git history, not just current state
5. Validation: Verify findings before reporting
6. Safe Handling: Never commit found secrets to your reporting repository
7. Scope Awareness: Understand what constitutes in-scope for credential testing
8. Documentation: Record where credentials were found for reporting

Common False Positives

• Example/dummy credentials in documentation
• Test data in unit tests
• Public API keys (e.g., Google Maps)
• Encrypted or hashed values
• Code comments showing examples
• License keys (non-security related)

Useful Resources

• TruffleHog Documentation
• Gitleaks Official Site
• Git-Secrets GitHub
• GitGuardian Docs
• Detect-Secrets