Red Team Credentials Reconnaissance (OLD with a TWIST)

By Shantanu Khandelwal on 07 Aug 2021 @ Defcon : Adversary Village : DemoLabs
#reconnaissance #red-teaming #osint
Focus Areas: Penetration Testing
This tool demo covers the following tools, which the speaker has authored or contributed to:
GITHUB-CREDENTIALS-STROLLER

Presentation Material

Abstract

This talk covers the basics of credentials reconnaissance performed for a red team. It mostly covers the reconnaissance performed on GitHub to search for passwords leaked by developers. It also covers the current toolset and the shiny new GitHub Credentials Stroller, which dives into each repository and performs a deep scan.

AI Generated Summary

The talk addresses GitHub reconnaissance for credential exposure within adversary simulations, critiquing existing manual and automated methodologies. Manual searching relies on combining organization names with keywords like “password” within GitHub’s UI, but misses credentials stored in files that lack the organization’s identifier. Automated tools such as TruffleHog and git-secrets are limited because GitHub’s API no longer permits searching all public repositories; these tools only scan specific, pre-selected repositories or organizations, leading to incomplete results.

To overcome these limitations, the speaker introduces CredStroller, a Chrome extension that automates reconnaissance. The tool first uses GitHub’s UI to search for all public repositories mentioning a target organization. It then iterates through each discovered repository, scanning all files for user-defined keywords (e.g., “password,” “api,” “key”). Results are categorized into “all results” (any keyword occurrence) and “lucky results” (a filtered subset matching customizable regular expressions for credential patterns). A demonstration against a test organization showed CredStroller identified passwords in configuration files that did not contain the organization’s name, which were missed by a manual combined search. The tool runs in the background, supports multiple GitHub tokens to mitigate API rate limits, and allows saving/loading configurations.

Practical implications include efficient credential harvesting for red teams and proactive monitoring for blue teams. The approach highlights GitHub’s potential for mass credential aggregation due to its widespread use and developer misconfigurations. Proposed future enhancements include cron job scheduling for periodic scans, CSV export for reporting, and community-contributed regex patterns. The tool underscores the need for improved developer practices and organizational monitoring of public code repositories.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.