Skip to content
/ octopus Public

Simple tool to help you catch hardcode API Keys.

3 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

g0ttfrid/octopus

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

91 Commits
modules
modules
 
 
README.md
README.md
 
 
octopus.py
octopus.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

                                           __                              
                              ____   _____/  |_  ____ ______  __ __  ______
                             /  _ \_/ ___\   __\/  _ \\____ \|  |  \/  ___/
                            (  <_> )  \___|  | (  <_> )  |_> >  |  /\___ \
                             \____/ \___  >__|  \____/|   __/|____//____  >
                                        \/            |__|              \/
                                             .-'   `'.
                                            /         \
                                            |         ;
                                            |         |           ___.--,
                                   _.._     |0) ~ (0) |    _.---'`__.-( (_.
                            __.--'`_.. '.__.\    '--. \_.-' ,.--'`     `""`
                           ( ,.--'`   ',__ /./;   ;, '.__.'`    __
                           _`) )  .---.__.' / |   |\   \__..--""  """--.,_
                          `---' .'.''-._.-'`_./  /\ '.  \ _.-~~~````~~~-._`-.__.'
                                | |  .' _.-' |  |  \  \  '.               `~---`
                                 \ \/ .'     \  \   '. '-._)
                                  \/ /        \  \    `=.__`~-.
                                  / /\         `) )    / / `"". \
                            , _.-'.'\ \        / /    ( (     / /
                             `--~`   ) )    .-'.'      '.'.  | (
                                    (/`    ( (`          ) )  '-;
                                     `      '-;         (-'
                              --== Looking for hardcoded API Keys ==--
                                              B4d C0d3

    Author: g0ttfrid
    Contributor : Achilles0x01

    IBLISS Labs

Intro

Simple tool to help you catch hardcode API Keys.

  1. Enum sub-domains (crt.sh and certspotter);
  2. Fetch all the URLs that Google and Wayback Machine knows of the target (Add new subdomains too);
  3. Connects to sub-domains and search for URLs in code (concatenating with the urls from the previous phase);
  4. Fetch some types of API Keys in source code using regex.
  • following the worst programming practices.

Recommended to use specific proxy for crawling.
subdomains.py accesses crt.sh and certspotter.
archiveweb.py accesses google.com.br and web.archive.org.
getlinks.py and search.py access target urls.

Add more regex in search.py to get other types of keys.

Arguments

-h, --help            show this help message and exit
-d [example.com], --domain [example.com]
                      Specify your domain
-p [username:[email protected]:1337], --proxy [username:[email protected]:1337]
                      Specify your proxy. Recommended to use specific proxies for    
                      crawling

References

ctfr
aws-security-checks
archiveweb
pygmy

About

Simple tool to help you catch hardcode API Keys.

Topics

aws penetration-testing

Resources

Readme
Activity

Stars

3 stars

Watchers

2 watching

Forks

4 forks
Report repository

Languages