Skip to content

Instantly share code, notes, and snippets.

@hermanbanken
Last active May 14, 2020 15:28
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save hermanbanken/96925cb9593137fd6816cefd8ac7e93a to your computer and use it in GitHub Desktop.
Save hermanbanken/96925cb9593137fd6816cefd8ac7e93a to your computer and use it in GitHub Desktop.
Scan for credentials (GNU/BSD)
# Remember, never run shell scripts from the internet: go ahead verify the SHA!
curl https://gist.githubusercontent.com/hermanbanken/96925cb9593137fd6816cefd8ac7e93a/raw/070f6bde93b362388b5612648ef17ae612e3cc5c/scan_filenames.sh | \
sed s/=grep/=ggrep/ | \
bash -x
# Educational purposes only!
# Source: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
# Linux/MacOSX grep differ! This works on Linux.
# on OSX, run 'brew install grep' and replace GREP="grep" with GREP="ggrep"
TARGET_DIR="${PWD}"
GREP=grep
EXCLUDE_GLOB='--exclude-dir=*node_modules* --exclude=*google.golang.org/api/internal/service-account.json'
# -P is --perl-regexp, Perl regex
# -z is --null-data, 'lines' means everything until a ASCII NUL character: span regex over multiple lines!
# Service account keys
$GREP $EXCLUDE_GLOB -Pzr "(?s){[^{}]*?service_account[^{}]*?private_key.*?}" \
"$TARGET_DIR"
# Legacy GCP creds
$GREP $EXCLUDE_GLOB -Pzr "(?s){[^{}]*?client_id[^{}]*?client_secret.*?}" \
"$TARGET_DIR"
# Google API keys
$GREP $EXCLUDE_GLOB -Pr "AIza[a-zA-Z0-9\\-_]{35}" \
"$TARGET_DIR"
# Google OAuth tokens
$GREP $EXCLUDE_GLOB -Pr "ya29\.[a-zA-Z0-9_-]{100,200}" \
"$TARGET_DIR"
# Generic SSH keys
$GREP $EXCLUDE_GLOB -Pzr "(?s)-----BEGIN[ A-Z]*?PRIVATE KEY[a-zA-Z0-9/\+=\n-]*?END[ A-Z]*?PRIVATE KEY-----" \
"$TARGET_DIR"
# Signed storage URLs
$GREP $EXCLUDE_GLOB -Pir "storage.googleapis.com.*?Goog-Signature=[a-f0-9]+" \
"$TARGET_DIR"
# Signed policy documents in HTML
$GREP $EXCLUDE_GLOB -Pzr '(?s)<form action.*?googleapis.com.*?name="signature" value=".*?">' \
"$TARGET_DIR"
# Educational purposes only!
# Source: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
# Linux/MacOSX grep differ! This works on Linux.
# on OSX, run 'brew install grep' and replace GREP="grep" with GREP="ggrep"
TARGET_DIR="${PWD}"
GREP=grep
EXCLUDE_GLOB='--exclude-dir=*node_modules* --exclude=*google.golang.org/api/internal/service-account.json'
# -P is --perl-regexp, Perl regex
# -z is --null-data, 'lines' means everything until a ASCII NUL character: span regex over multiple lines!
# Service account keys
$GREP $EXCLUDE_GLOB --files-with-matches -Pzr "(?s){[^{}]*?service_account[^{}]*?private_key.*?}" \
"$TARGET_DIR"
# Legacy GCP creds
$GREP $EXCLUDE_GLOB --files-with-matches -Pzr "(?s){[^{}]*?client_id[^{}]*?client_secret.*?}" \
"$TARGET_DIR"
# Google API keys
$GREP $EXCLUDE_GLOB --files-with-matches -Pr "AIza[a-zA-Z0-9\\-_]{35}" \
"$TARGET_DIR"
# Google OAuth tokens
$GREP $EXCLUDE_GLOB --files-with-matches -Pr "ya29\.[a-zA-Z0-9_-]{100,200}" \
"$TARGET_DIR"
# Generic SSH keys
$GREP $EXCLUDE_GLOB --files-with-matches -Pzr "(?s)-----BEGIN[ A-Z]*?PRIVATE KEY[a-zA-Z0-9/\+=\n-]*?END[ A-Z]*?PRIVATE KEY-----" \
"$TARGET_DIR"
# Signed storage URLs
$GREP $EXCLUDE_GLOB --files-with-matches -Pir "storage.googleapis.com.*?Goog-Signature=[a-f0-9]+" \
"$TARGET_DIR"
# Signed policy documents in HTML
$GREP $EXCLUDE_GLOB --files-with-matches -Pzr '(?s)<form action.*?googleapis.com.*?name="signature" value=".*?">' \
"$TARGET_DIR"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment