Find files that could contain interesting information to perform a forensic analysis
import sys
import re
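class Rule:
    """One detection rule, parsed from a line of rules.csv.

    A rule line holds five comma-separated fields:

        part, application, pattern, title, description

    ``part`` selects what is compared: ``filename`` (the basename, extension
    kept), ``extension`` (text after the last dot of the basename), or
    anything else for the full path. ``application`` is ``regex`` or a
    literal ``match``. ``description`` may be ``null``; it is the last
    field, so it may itself contain commas.
    """

    def __init__(self, line):
        """Parse one rule line.

        Raises ValueError when fewer than five fields are present and
        re.error when a ``regex`` rule does not compile.
        """
        # Split on at most four commas: the description is the last field
        # and may contain commas ("...hostnames, passwords and API keys.").
        fields = [f.strip() for f in line.rstrip("\r\n").split(",", 4)]
        if len(fields) < 5:
            raise ValueError("rule line needs 5 comma-separated fields: %r" % line)
        self.part = fields[0]
        self.application = fields[1].replace(" ", "")
        self.pattern = fields[2].replace(" ", "")
        self.title = fields[3]
        self.description = fields[4]
        if self.description.replace(" ", "") == "null":
            self.description = None
        # Compile once here rather than on every input line; a broken
        # pattern then fails at load time instead of on the first match.
        self.regex = None
        if self.application == "regex":
            self.regex = re.compile(self._to_python_regex(self.pattern))

    @staticmethod
    def _to_python_regex(pattern):
        r"""Translate a rule pattern into Python ``re`` syntax.

        The shipped rules.csv carries Gitrob signatures copied from JSON,
        so every backslash is doubled (``\\A``, ``\\.``). Read back from a
        text file, ``\\A`` is a regex for a literal backslash followed by
        ``A`` -- something no real path contains -- so the regex rules never
        fired. The doubled backslashes are collapsed here, and Ruby's
        end-of-string anchor ``\z`` is mapped to Python's ``\Z`` (in Python 2
        an unknown escape like ``\z`` silently matched a literal ``z``).
        A pattern that already uses single backslashes passes through
        unchanged, unless it escapes a literal backslash, which path rules
        are not expected to do.
        """
        pattern = pattern.replace("\\\\", "\\")
        return pattern.replace("\\z", "\\Z")

    def doregex(self, string):
        """Return True when this rule's pattern is found anywhere in *string*."""
        regex = self.regex
        if regex is None:
            # Not a regex rule; honour an explicit call anyway.
            regex = re.compile(self._to_python_regex(self.pattern))
        return regex.search(string) is not None

    def filterstring(self, string):
        """Return the part of the path *string* this rule inspects."""
        if self.part == "filename":
            # Keep the extension: rules such as "secret_token.rb" and
            # "\A\.?bashrc\z" compare against the whole file name. Stripping
            # everything after the first dot turned ".bashrc" into "" and
            # "database.yml" into "database", so those rules never matched.
            return string.split("/")[-1]
        if self.part == "extension":
            basename = string.split("/")[-1]
            # A name without a dot has no extension (a dot inside a directory
            # name must not count as one either).
            return basename.rsplit(".", 1)[1] if "." in basename else ""
        return string

    def processRule(self, string):
        """Return True when *string* (a path) triggers this rule."""
        target = self.filterstring(string)
        if self.regex is not None:
            return self.regex.search(target) is not None
        return target == self.pattern

    def checkRule(self, string):
        """Report *string* on stdout when it triggers this rule; return the verdict.

        Returning the boolean (the original always returned None) lets the
        caller know whether any rule fired for a path.
        """
        if not self.processRule(string):
            return False
        if self.description is not None:
            print(string + " FOUND: " + self.title + ", " + self.description)
        else:
            print(string + " FOUND: " + self.title)
        return True


def loadrules(filename):
    """Load rules from *filename*, one per line.

    Blank lines and lines starting with ``#`` are ignored. A line that cannot
    be parsed, or whose regex does not compile, is reported on stderr with
    its line number and skipped, so one bad rule does not disable the whole
    scan -- but read stderr: every skipped rule is a missed detection.
    """
    rules = []
    with open(filename, "r") as rulefile:
        for number, line in enumerate(rulefile, 1):
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            try:
                rules.append(Rule(line))
            except (ValueError, re.error) as err:
                sys.stderr.write("%s:%d: skipping rule (%s)\n" % (filename, number, err))
    return rules


if __name__ == "__main__":
    # Usage: find / -type f | python findit.py [--show-passed]
    # rules.csv is read from the current working directory.
    show_passed = "--show-passed" in sys.argv[1:]
    rules = loadrules("rules.csv")
    print(str(len(rules)) + " Rules loaded")
    for line in sys.stdin:
        path = line.rstrip("\r\n")
        if not path:
            continue
        found = False
        # Evaluate every rule so a path is reported under each title it hits.
        for rule in rules:
            if rule.checkRule(path):
                found = True
        if show_passed and not found:
            print(path + " : PASSED")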
filename, regex, \\A.*_rsa\\z, Private SSH key, null
filename, regex, \\A.*_dsa\\z, Private SSH key, null
filename, regex, \\A.*_ed25519\\z, Private SSH key, null
filename, regex, \\A.*_ecdsa\\z, Private SSH key, null
path, regex, \\.?ssh/config\\z, SSH configuration file, null
extension, match, pem, Potential cryptographic private key, null
extension, regex, \\Akey(pair)?\\z, Potential cryptographic private key, null
extension, match, pkcs12, Potential cryptographic key bundle, null
extension, match, pfx, Potential cryptographic key bundle, null
extension, match, p12, Potential cryptographic key bundle, null
extension, match, asc, Potential cryptographic key bundle, null
filename, match, otr.private_key, Pidgin OTR private key, null
filename, regex, \\A\\.?(bash_|zsh_|z)?history\\z, Shell command history file, null
filename, regex, \\A\\.?mysql_history\\z, MySQL client command history file, null
filename, regex, \\A\\.?psql_history\\z, PostgreSQL client command history file, null
filename, regex, \\A\\.?pgpass\\z, PostgreSQL password file, null
filename, regex, \\A\\.?irb_history\\z, Ruby IRB console history file, null
path, regex, \\.?purple\\/accounts\\.xml\\z, Pidgin chat client account configuration file, null
path, regex, \\.?xchat2?\\/servlist_?\\.conf\\z, Hexchat/XChat IRC client server list configuration file, null
path, regex, \\.?irssi\\/config\\z, Irssi IRC client configuration file, null
path, regex, \\.?recon-ng\\/keys\\.db\\z, Recon-ng web reconnaissance framework API key database, null
filename, regex, \\A\\.?dbeaver-data-sources.xml\\z, DBeaver SQL database manager configuration file, null
filename, regex, \\A\\.?muttrc\\z, Mutt e-mail client configuration file, null
filename, regex, \\A\\.?s3cfg\\z, S3cmd configuration file, null
path, regex, \\.?aws/credentials\\z, AWS CLI credentials file, null
filename, regex, \\A\\.?trc\\z, T command-line Twitter client configuration file, null
extension, match, ovpn, OpenVPN client configuration file, null
filename, regex, \\A\\.?gitrobrc\\z, Well this is awkward... Gitrob configuration file, null
filename, regex, \\A\\.?(bash|zsh)rc\\z, Shell configuration file, Shell configuration files might contain information such as server hostnames, passwords and API keys.
filename, regex, \\A\\.?(bash_|zsh_)?profile\\z, Shell profile configuration file, Shell configuration files might contain information such as server hostnames, passwords and API keys.
filename, regex, \\A\\.?(bash_|zsh_)?aliases\\z, Shell command alias configuration file, Shell configuration files might contain information such as server hostnames, passwords and API keys.
filename, match, secret_token.rb, Ruby On Rails secret token configuration file, If the Rails secret token is known, it can allow for remote code execution. (http://www.exploit-db.com/exploits/27527/)
filename, match, omniauth.rb, OmniAuth configuration file, The OmniAuth configuration file might contain client application secrets.
filename, match, carrierwave.rb, Carrierwave configuration file, Can contain credentials for online storage systems such as Amazon S3 and Google Storage.
filename, match, schema.rb, Ruby On Rails database schema file, Contains information on the database schema of a Ruby On Rails application.
filename, match, database.yml, Potential Ruby On Rails database configuration file, Might contain database credentials.
filename, match, settings.py, Django configuration file, Might contain database credentials, online storage system credentials, secret keys, etc.
filename, regex, \\A(.*)?config(\\.inc)?\\.php\\z, PHP configuration file, Might contain credentials and keys.
extension, match, kdb, KeePass password manager database file, null
extension, match, agilekeychain, 1Password password manager database file, null
extension, match, keychain, Apple Keychain database file, null
extension, regex, \\Akey(store|ring)\\z, GNOME Keyring database file, null
extension, match, log, Log file, Log files might contain information such as references to secret HTTP endpoints, session IDs, user information, passwords and API keys.
extension, match, pcap, Network traffic capture file, null
extension, regex, \\Asql(dump)?\\z, SQL dump file, null
extension, match, gnucash, GnuCash database file, null
filename, regex, backup, Contains word: backup, null
filename, regex, dump, Contains word: dump, null
filename, regex, password, Contains word: password, null
filename, regex, credential, Contains word: credential, null
filename, regex, secret, Contains word: secret, null
filename, regex, private.*key, Contains words: private, key, null
filename, match, jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml, Jenkins publish over SSH plugin file, null
filename, match, credentials.xml, Potential Jenkins credentials file, null
filename, regex, \\A\\.?htpasswd\\z, Apache htpasswd file, null
filename, regex, \\A(\\.|_)?netrc\\z, Configuration file for auto-login process, Might contain username and password.
extension, match, kwallet, KDE Wallet Manager database file, null
filename, match, LocalSettings.php, Potential MediaWiki configuration file, null
extension, match, tblk, Tunnelblick VPN configuration file, null
path, regex, \\.?gem/credentials\\z, Rubygems credentials file, Might contain API key for a rubygems.org account.
filename, regex, \\A.*\\.pubxml(\\.user)?\\z, Potential MSBuild publish profile, null
filename, match, Favorites.plist, Sequel Pro MySQL database manager bookmark file, null
filename, match, configuration.user.xpl, Little Snitch firewall configuration file, Contains traffic rules for applications
extension, match, dayone, Day One journal file, null
filename, match, journal.txt, Potential jrnl journal file, null
filename, regex, \\A\\.?tugboat\\z, Tugboat DigitalOcean management tool configuration, null
filename, regex, \\A\\.?git-credentials\\z, git-credential-store helper credentials file, null
filename, regex, \\A\\.?gitconfig\\z, Git configuration file, null
filename, match, knife.rb, Chef Knife configuration file, Might contain references to Chef servers
path, regex, \\.?chef/(.*)\\.pem\\z, Chef private key, Can be used to authenticate against Chef servers
filename, match, proftpdpasswd, cPanel backup ProFTPd credentials file, Contains usernames and password hashes for FTP accounts
filename, match, robomongo.json, Robomongo MongoDB manager configuration file, Might contain credentials for MongoDB databases
filename, match, filezilla.xml, FileZilla FTP configuration file, Might contain credentials for FTP servers
filename, match, recentservers.xml, FileZilla FTP recent servers file, Might contain credentials for FTP servers
filename, match, ventrilo_srv.ini, Ventrilo server configuration file, Might contain passwords
filename, regex, \\A\\.?dockercfg\\z, Docker configuration file, Might contain credentials for public or private Docker registries
filename, regex, \\A\\.?npmrc\\z, NPM configuration file, Might contain credentials for NPM registries
filename, match, terraform.tfvars, Terraform variable config file, Might contain credentials for terraform providers
filename, regex, \\A\\.?env\\z, Environment configuration file, null