CredCheck — A credential Pentesting framework

Apoorv Raj Saxena
Dec 19, 2019 · 3 min read

Inspiration

Testing a good number of keys for multiple targets is a tedious task with no automation. The process involves three steps to test whether a key is working and valid.

  • You need to first find out the right documentation for respective keys.
  • Then you go and test if any client or REST endpoint is available for the key.
  • Then you need to find out what the response should be for the credentials to be valid.

During this exercise, you’ll face the following problems:

  • Finding the correct client and documentation for the key.
  • Setting the method and parameters for simple curl requests to test the key.
  • Response checking — valid key response vs invalid key response.

This can take from 5 to 30 minutes for a single service. With every security researcher doing the same thing, this would waste everyone's time, hence I decided to automate the process. I started searching for an existing open-source project and found Keyhacks. It’s an awesome collection of one-liner curl requests for key validation.

I dropped the idea at first and started using Keyhacks in my workflow, but I needed something to automate the process. I then decided to create a framework where anyone can add a new API key service without needing to write any code. The framework should also be extendable to other credential checks, such as a private key over the SSH protocol or a cryptocurrency address over a blockchain.

Presenting CredCheck

I started working on a base framework and created CredCheck. You can use it as a command-line tool or as a Python library, depending on your workflow, and yes, I would be happy to accept contributions from the lovely open-source community.

Features

  1. Static Test — It uses regex to check the key’s pattern before any REST call.
  2. Dynamic Test — Validation over HTTP for an API key, token, secret or ID.
  3. Decide or narrow down the service of unknown keys using regex.

The framework will support other protocols in the future. Currently, it only supports HTTP.
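
The static test, service narrowing and dynamic test listed above, as an added example that is not CredCheck's own code. The service table schema, function names and placeholder URLs are hypothetical, and the regexes are commonly published key shapes taken as assumptions.

```python
import re

# Hypothetical declarative service table (not CredCheck's real schema).
# Regexes are commonly published key shapes, treated as assumptions;
# URLs are placeholders, not real validation endpoints.
SERVICES = {
    "google_maps": {"pattern": r"AIza[0-9A-Za-z_-]{35}",
                    "url": "https://maps.example.invalid/check?key={key}",
                    "valid_status": 200},
    "stripe": {"pattern": r"sk_live_[0-9A-Za-z]{24,}",
               "url": "https://stripe.example.invalid/v1/charges",
               "valid_status": 200},
    "slack-token": {"pattern": r"xox[abpr]-[0-9A-Za-z-]{10,}",
                    "url": "https://slack.example.invalid/auth.test",
                    "valid_status": 200},
}

def static_test(service, key):
    """Static test: does the key fit the service's pattern? No network."""
    return re.fullmatch(SERVICES[service]["pattern"], key) is not None

def narrow_services(key):
    """Narrow an unknown key down to the services whose pattern it fits."""
    return sorted(name for name in SERVICES if static_test(name, key))

def dynamic_test(service, key, send):
    """Dynamic test over HTTP, attempted only after the static test passes.

    `send(url, key)` is an injected transport returning an HTTP status,
    so the logic runs against a stub here or a real client elsewhere.
    """
    if not static_test(service, key):
        return "malformed"  # rejected before any request is made
    spec = SERVICES[service]
    status = send(spec["url"].format(key=key), key)
    return "valid" if status == spec["valid_status"] else "invalid"

# Constructed sample keys (not real credentials) and a stub transport.
SAMPLE_GOOGLE = "AIza" + "x" * 35
SAMPLE_STRIPE = "sk_live_" + "0" * 24
calls = []

def stub_send(url, key):
    calls.append(url)
    return 200 if key == SAMPLE_GOOGLE else 401

if __name__ == "__main__":
    print(narrow_services(SAMPLE_GOOGLE))
    print(dynamic_test("stripe", "not-a-key", stub_send), len(calls))
```

Adding a service in this sketch means adding one table entry, and a key that fails its pattern never reaches the transport.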

Contribution

Currently, CredCheck supports credential checking over HTTP for 43 services: Algolia, asana, Bitly, branch, Browserstacks, Buildkite, Datadog, Deviant-art, dropbox, facebook-app-secret, facebook_access_token, firebase, Github-id-secret, Github-token, Gitlab, google-cloud-messaging, google_maps, google_recaptcha, Heroku, Instagram, Mailchimp, Mailgun, Mapsbox, Pagerduty, Paypal, Pendo-integration-key, Razorpay, salesforce, Saucelabs, Sendgrid, slack-token, slack-webhook, Spotify, square, stripe, Travis, Twilio, Twitter, twitter-bearer, Wakatime, Wpengine, Zapier-webhook, Zendesk.

There are three major areas where interested folks can contribute:

  • Test cases for the given 43 services using available API credentials.
  • Protocol handler client for new protocols.
  • Spread the word.
  • Improve C0d3 Qu4li7y

I’ll be building some adapters in the future: a Burp plugin and a scanner with a unified interface for all my upcoming and existing tools.

Thanks for reading!
