
create a secrets detection testbed branch with revoked credentials #201

Open
32 of 44 tasks
Tracked by #37
commjoen opened this issue Feb 17, 2022 · 3 comments
Labels
help wanted Extra attention is needed

Comments

commjoen commented Feb 17, 2022

Steps to take:

Keys that can be added:

  • Azure
  • AWS
  • GCP
  • Git credentials: SSH key
  • Git credentials: developer token
  • private RSA key & private ECC key
  • GPG keychain (armored and not armored)
  • AES keys
  • Slack callback
  • kubeconfig
  • QR-code (will be hard to represent a secret which is detectable other than through entropy, skipping it)
  • BasicAuth
  • gradle credentials
  • mvn credentials
  • NPM
  • Firebase push notification keys (android/ios)
  • OTP Seed
  • segment.io access keys
  • Vault root token & unseal keys
  • Any JWT Token
  • Gitlab PAT
  • Gpg armoured export private and public keys
  • Azure devops access token
  • 1Password emergency kit, 1password-credentials.json and access tokens
  • keybase paperkey
  • IBM-cloud?
  • Nomad credentials (wait till Nomad support #299 happens)
  • Spring boot Session token
  • Slack access tokens: bot token & user token, app-level token & config token (requested, pending)
  • Braze API-keys (requested)
  • Lastpass integration/api-key
  • Confidant key
  • Docker hub access token
  • Vagrant cloud access token
  • confluence/jira secrets
  • AWS instance profile
  • add dockerconfig (https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
  • secrets above with encodings (base64, Hex encoding)
  • Database connection strings
  • OIDC token

Which other secret would you like to add? Please comment.
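As an added example (not code from the WrongSecrets project or this thread): a small Python detector that scores a testbed file for several of the secret shapes listed above, also checking base64- and hex-encoded copies of them and falling back to an entropy test for opaque key material such as AES keys. The AKIA and ghp_ prefixes are the public formats of AWS access key ids and GitHub personal access tokens; the regexes, thresholds, function names and sample values are assumptions made for this example.

```python
import base64
import math
import re

# Plain-text shapes for a few secret types listed above; AKIA and ghp_ are those tokens'
# public prefixes. Thresholds and everything else here are assumptions for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,}\b")

def shannon_entropy(s):
    # Bits per character: random base64 nears 6, human-chosen passwords sit near 3.
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def decoded_layers(text):
    # Yield (encoding, text) for base64/hex tokens that decode to printable ASCII.
    for enc, rx, fn in (("base64", B64_TOKEN, base64.b64decode), ("hex", HEX_TOKEN, bytes.fromhex)):
        for tok in rx.findall(text):
            try:
                decoded = fn(tok).decode("ascii")
            except ValueError:  # bad padding, odd hex length or non-ASCII bytes
                continue
            if decoded.isprintable():
                yield enc, decoded

def scan(text):
    # Return (kind, encoding, match) findings over the text and each decoded layer.
    findings = []
    for enc, body in [("plain", text), *decoded_layers(text)]:
        for kind, rx in PATTERNS.items():
            findings.extend((kind, enc, m) for m in rx.findall(body))
    known = {f[2] for f in findings}
    # Entropy fallback for opaque material with no known prefix (AES keys, OTP seeds).
    for tok in B64_TOKEN.findall(text):
        if len(tok) >= 20 and tok not in known and shannon_entropy(tok) > 4.0:
            findings.append(("high_entropy", "plain", tok))
    return findings

# Constructed testbed content (not real credentials): fake AWS key id plain, base64 and hex,
# an EC key header, a random-looking AES key and a weak human-chosen password.
FAKE_AWS = "AKIAEXAMPLEEXAMPLE00"
SAMPLE = "\n".join([
    f"aws_access_key_id = {FAKE_AWS}",
    f"token_b64 = {base64.b64encode(FAKE_AWS.encode()).decode()}",
    f"token_hex = {FAKE_AWS.encode().hex()}",
    "-----BEGIN EC PRIVATE KEY-----",
    "aes_key = 4hZq9vX2mKpL7sWd1nRt8yBc3fGj6uEo",
    "password = summer2022",
])
```

The weak password line is deliberately missed by every rule here, which is why a benchmark branch needs such human-readable entries alongside the high-entropy material.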

@commjoen commjoen self-assigned this Mar 31, 2022
commjoen commented Mar 31, 2022

Current secrets stored in the repo/docker/k8s/cloud:

  1. 5 Random human rememberable passwords in Git & Docker container
  2. 1 file containing a secret base64 encoded in Docker
  3. 1 random password in Java code with higher entropy (not used)
  4. 3 AWS keypairs in git history
  5. 3 secrets in TF state (requires cloud installation)
  6. 1 human readable secret in k8s/secret, 1 in k8s/configmap (requires k8s/cloud installation)
  7. 1 root token for vault after deployment of vault (requires vault & k8s/cloud installation)
  8. 1 root token and unseal keys committed (git show 6c4715c)
  9. 1 random value generated after startup
  10. 1 secret in github action
  11. 1 AES key
  12. multiple ciphertexts (6)
  13. 1 human readable secret in pw manager file (keepass)
  14. 5 canarytoken-urls in container&code
  15. multiple secrets in java testing code (of which some used in the actual app)
  16. secrets in cross-compiled C binaries (2 secrets/binary for 3 binaries)
  17. 1 client credential
  18. 2 weak password hashes (md5/sha1)
  19. 3 hardcoded passwords in binaries (C/C++/Golang)

In https://github.com/commjoen/wrongsecrets/tree/experiment-bed :

  1. 1 Azure dotfile
  2. 1 Azure Devops access token
  3. 1 AES key
  4. 1 basic auth enriched curl script
  5. 1 Callback url for Slack (invalidated)
  6. 1 Docker hub access token
  7. 1 ECC keypair
  8. 1 Firebase project config
  9. 1 GCP service account access key export (blocked/disabled)
  10. github dev token (revoked)
  11. gitlab access/email/feed tokens (revoked)
  12. github access key(ssh)/1 SSH key pair (RSA-4096)
  13. 1 gpg armored gpg exported private/public key
  14. 1 gpg binary private/secret keyring
  15. 1 kubeconfig (canarytoken)
  16. jwt.io generated jwt token with rs256 required keys
  17. Keybase paperkey
  18. Maven and Gradle auth setup (not working)
  19. NPM credentials (not working)
  20. 1 OTP seed
  21. 1 1Password emergency kit, JWT, and credentials file
  22. 1 RSA keypair
  23. segment.io token
  24. 1 Slack callback
  25. 1 Vagrant access token
  26. 2 slack tokens

@commjoen (Collaborator, Author)

@bendehaan, what would be a good place to dump the other secrets for benchmarking? I guess we have to spread it a bit...

commjoen added a commit that referenced this issue Apr 4, 2022
Experiment bed readme update: add instructions related to #201
commjoen added a commit that referenced this issue Apr 17, 2022
commjoen added a commit that referenced this issue Apr 17, 2022
commjoen added a commit that referenced this issue Apr 17, 2022
commjoen added a commit that referenced this issue May 23, 2022
commjoen added a commit that referenced this issue May 23, 2022
commjoen added a commit that referenced this issue May 23, 2022
commjoen added a commit that referenced this issue May 28, 2022
@commjoen (Collaborator, Author)

Asked Slack via twitter for possible canarytokens...

commjoen added a commit that referenced this issue May 28, 2022
commjoen added a commit that referenced this issue Jun 18, 2022
@commjoen commjoen changed the title from "add fake AWS, GCP, Azure and other typical access keys to a challenge which is about telling which items are present in the system which counts as somewhat of a benchmark." to "create a secrets detection testbed branch with revoked credentials" Jun 18, 2022
commjoen added a commit that referenced this issue Jun 19, 2022
commjoen added a commit that referenced this issue Jun 19, 2022
commjoen added a commit that referenced this issue Jun 29, 2022
Projects
Status: To do