Skip to content

New module: AWS Credentials Finder#455

Merged
NeffIsBack merged 14 commits into
Pennyw0rth:mainfrom
dev-fortress:aws-credentials
Jun 16, 2025
Merged

New module: AWS Credentials Finder#455
NeffIsBack merged 14 commits into
Pennyw0rth:mainfrom
dev-fortress:aws-credentials

Conversation

@dev-fortress

Copy link
Copy Markdown
Contributor

This pull request introduces a new module that searches for files named "credentials" and "config" on remote servers and returns their file paths. At the moment, this module works on Linux and Windows remote servers.

Features:

  • Scans Linux and Windows remote servers for files specifically named "credentials" and "config"
  • Outputs the file paths of the found credentials files for further analysis.

Why this module is useful:

  • The "credentials" file is often used by developers or IT admins to store sensitive information, making it a common target during penetration testing.
  • Automating the discovery of such files improves the efficiency of Red Team operations by highlighting potential areas of vulnerability.

Future Plans:

  • Add additional file pattern searches (e.g., *.config, *.key) for more comprehensive scanning.
  • Enhance filtering options to allow users to specify file types.

Please let me know if there are any improvements or additional requirements to get this merged. Thank you for considering this contribution!

imagen

@NeffIsBack

Copy link
Copy Markdown
Member

Looks really cool, thanks for the PR!

@NeffIsBack

Copy link
Copy Markdown
Member

@dev-fortress really sorry for the late response. Are you sure you pushed your latest changes? In the PR is no logging statement or something similar that would print the output of your module as in your screenshot. Also command execution is only available with on_admin_login.

@NeffIsBack

Copy link
Copy Markdown
Member

@dev-fortress any update? I could quickly patch in some output function for the gathered data, but that might not be all you planned on doing or have done locally.

@dev-fortress

Copy link
Copy Markdown
Contributor Author

@NeffIsBack Sorry, I didn’t see your response earlier. In my initial test, I didn’t need to log the response in any function. Perhaps something has changed and now requires some adjustments. Please give me some time to review it and see what I can do.

@NeffIsBack

Copy link
Copy Markdown
Member

@NeffIsBack Sorry, I didn’t see your response earlier. In my initial test, I didn’t need to log the response in any function. Perhaps something has changed and now requires some adjustments. Please give me some time to review it and see what I can do.

No worries, take your time. Maybe just an context.log.highlight() is missing for the output that the module queries (that's how it looks on the screenshot).

Added context.log.highlight() to the module

Signed-off-by: Braiant Giraldo <33358096+dev-fortress@users.noreply.github.com>
@dev-fortress

Copy link
Copy Markdown
Contributor Author

Added context.log.highlight() to the module

@NeffIsBack

Copy link
Copy Markdown
Member

Fyi, fixed winrm execution to be able to use it in modules

@NeffIsBack

NeffIsBack commented May 25, 2025

Copy link
Copy Markdown
Member

In theory this looks good now.
image

However checking for config results in A LOT of files that aren't necessarily aws related files. @dev-fortress what is the default in aws? Is there a way to reduce false positives?
My list of false positives on linux is even longer:
image
image

@NeffIsBack

Copy link
Copy Markdown
Member

Gonna reping @dev-fortress in case you missed the notification 👀

@dev-fortress

Copy link
Copy Markdown
Contributor Author

I will do it, I think how i can filter the false positive

Refined AWS credentials detection: updated both Bash and PowerShell scripts to search only for files named 'credentials' that contain the keyword 'aws', which is consistently present in relevant AWS configuration files. Removed 'config' from the scope after confirming it contains no useful information. Also suppressed 'permission denied' errors in the Bash script for cleaner output during scans.

Signed-off-by: Braiant Giraldo <33358096+dev-fortress@users.noreply.github.com>
@dev-fortress

Copy link
Copy Markdown
Contributor Author

Hi, I’ve just made some updates to the credential detection script:

Both the Bash and PowerShell versions now target only files named credentials that contain the keyword aws, as it's a reliable indicator in AWS-related configurations.
The config file has been excluded since it doesn’t provide useful information.
Also, in Linux, “permission denied” messages are now suppressed for cleaner output during scans.

The commit is ready for review. Let me know if you have any feedback!

@NeffIsBack

Copy link
Copy Markdown
Member

@dev-fortress careful when merging in changes from remote. I believe you rebased your changes (at least that is what it looks like) because of merge conflicts, but that reverted all previous changes i made. TLDR; never rebase -> always merge and resolve conflicts with the editor of your choice

I reverted the commit and applied your changes manually.

@NeffIsBack NeffIsBack left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM:
image

@NeffIsBack NeffIsBack merged commit fde3de7 into Pennyw0rth:main Jun 16, 2025
5 checks passed
@dev-fortress

Copy link
Copy Markdown
Contributor Author

Thanks! Sorry about all the changes — I’m not a developer by trade and still learning Git, but I’m committed to getting better at it. Really appreciate you merging into main!

@NeffIsBack

Copy link
Copy Markdown
Member

Thanks! Sorry about all the changes — I’m not a developer by trade and still learning Git, but I’m committed to getting better at it. Really appreciate you merging into main!

No worries! Just for the future :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants