Hello everyone, welcome to the talk "Red Team Credentials: Old with a Twist". This talk is presented at DEF CON 29, Adversary Village. About me: my name is Shantanu Khandelwal. I am a cyber security manager at KPMG. I enjoy working in cyber security and have been working in this industry for almost five years now. My journey started with my master's degree in cyber security and incident response. I also have some certifications like OSEP, OSCE, OSCP, etc. This is my first talk at DEF CON, so hopefully everything will go fine.

So, the disclaimer: the opinions expressed in this presentation and on the following slides are solely those of the presenter, that's me, and not necessarily those of KPMG Private Limited. KPMG does not guarantee the accuracy or reliability of the information provided herein. Okay, so that's done.

In this talk, we are going to walk through a basic introduction to GitHub, a description and a small walkthrough of current GitHub reconnaissance methodologies. We will also discuss some drawbacks of these methodologies. Then I'm going to introduce a tool which I wrote, named Cred Stroller. We'll also do a walkthrough of it, and we'll talk about some of the future work that can be done to improve the tool as well.

So why are we here? Before we start this talk, I want to go over reconnaissance quickly and how it fits inside an adversary simulation or emulation methodology. Reconnaissance is the first step in the kill chain, as we know. As a red teamer, we often do it before the initial compromise phase, and everybody keeps saying that information gathering, or reconnaissance, is the most critical step. It's one of the most critical steps. What is reconnaissance? Generally, we refer to reconnaissance as finding emails, subdomains, IP ranges, leaked passwords, etc. for the target organization. In this talk, we are going to focus on sensitive data exposure via GitHub. So what is GitHub?
As per Wikipedia, it is a provider of internet hosting for software development and version control using the command line tool called Git. Developers use GitHub for storage, sharing projects, collaboration, data transfer, etc. From an adversary's perspective, GitHub is a gold mine. It is massively used, and its mass usage makes it a prime target; developers often use GitHub and unknowingly commit proprietary source code or credentials to GitHub repositories.

Interesting information in repositories: we can find several kinds of critical information inside GitHub repositories, like usernames, passwords, keys, email addresses, subdomains, even proprietary source code. We can also find the software stack from there as well. In this talk, we are going to focus on the credentials part.

So one of the ways we do GitHub reconnaissance is manual reconnaissance. Searching for the company and then "password" will find stored passwords in configuration files. Searching for the company and "connection string" will find database credentials. You can also look for SSH passwords using the keyword ssh2_auth. send_keys is my personal favorite. It can find you automation scripts used by testers, who are also sometimes not security savvy and commit passwords to Git repositories. There are some dorks which you can use to find sensitive information as well. Many researchers have blog posts on it. Here is one of the lists which you can use. You can find other lists as well.

So here is the first demo. Hopefully it will go well, and then we can move forward from there. If I go to GitHub and search for redteam.cafe, you can see that there are 21 results. There are several repositories like test1, test2, domain France, etc. Let's see if we can use redteam.cafe and then the keyword password to look for passwords. If I search for passwords, now we have come down from 21 results to 5 results. We see passwords here. We see some passwords here, some telephone passwords here.
We also see some send_keys passwords here in the automation scripts. We also see one of these results where redteam.cafe is here and then we also see a password. Of course, this one is not related to credentials because it does not list any passwords. This is manual searching. You can use password or API or any other keywords which you like to search for passwords or secrets. I don't see any API keys being exposed here; there are none here, but we can actually use other keywords here as well, like those dorks which we mentioned previously. I just want to bring your attention to one thing which I mentioned very briefly last time. There are two or three repositories which are coming up: test1, test2, and then there are some other repositories as well. Keep in mind these test1 and test2 repositories, as these have been uploaded and designed to showcase the real impact of the Cred Stroller plugin, which we will discuss later. That's the end of the first manual reconnaissance demo.

Coming back to our slides again. In the manual reconnaissance, we saw that we can find passwords like here. We see that there are send_keys passwords, there are web.config passwords, and then there are FTP passwords here. Moving forward. Basically, a question comes to my mind: are we losing some of the data, or are we getting all of these passwords which are leaked by the red team? Just thinking about how GitHub search works: if you put two keywords such as the company name and password in the search bar, we are actually finding the results in which both keywords, the company name and password, are present. One file will have both of these keywords, company name and password. There were also results which had just the word password but contained no passwords. Just keep that in mind.

Another approach to search for passwords is an automated approach using the current tools, namely TruffleHog, git-secrets, GitScan, etc.
The disadvantage of using these tools is that they will only search for repositories within an organization, for a specific user, or in a specific repository. Why this is the case is because GitHub does not currently allow you to search all of its repositories using the API. Previously it was allowed, but now it has been disallowed because of the abuse of searching for passwords inside repositories using the API. This API for searching passwords or any keywords on GitHub has been discontinued, I think, for two years now. Why these tools work is because GitHub only provides searches inside an organization, inside a user's repositories, or inside one specific repository. Let's quickly do an automated reconnaissance demo, and then we can go to the new tool which I have developed and look at that as well.

Quickly, let's do an automated reconnaissance demo. Here I am using TruffleHog, and in TruffleHog we can search for credentials. How to use TruffleHog: type trufflehog, then, if I provide the keyword regex, I can go and take one repository. Let's say I'll take test1, and then I can pass it in as the argument, and if I press enter it will search inside that repository and find me passwords. I can see that it has only found me one password here, which is also not very visible, and it only shows high entropy, etc. You can already see that in the manual reconnaissance we found more passwords. I may be running this tool wrong, I'm not too sure, but I can definitely tell you that I've used many other tools. They will not always find you all of these results. Some of them will miss something or the other. This was a very small demo of the current tools. If the TruffleHog author is watching, please do let me know how to use this tool, but moving forward. We saw in automated reconnaissance that it barely finds one password, but even if it finds all the passwords, we have to give all of these repositories line by line.
It will become difficult for you to find all of these repositories, because if you're searching for a very big organization you will have hundreds of repositories, and providing those hundreds of repositories and passing them on the command line will actually be very difficult. And then finding passwords like this, which are not very well highlighted, will be more difficult as well.

This brings us to Cred Stroller, yet another GitHub search tool. So Cred Stroller, as I mentioned, is developed by me. It is an automated reconnaissance tool. It's a Chrome plugin made in JavaScript. Cred Stroller searches for the company name first, and then, after the search completes, it will actually go inside each of the repositories which mentions the company name and try to search for passwords inside that repository. Cred Stroller also allows you to do a regex search. The regex search results are presented as lucky results.

So why do we need Cred Stroller? Cred Stroller searches for credentials using regexes. GitHub does not allow you to search with regexes, so this is one of the major advantages. It allows search inside the repositories after matching the company name, and then you can go and search for the keywords. It has two types of results, all results and lucky results. The lucky results are based on regexes, which are customizable. It is very easy to deploy and does not need any expertise. It's a Chrome plugin, so it's very easy to use as well. Both blue teams and red teams can use it. Blue teams can use it to monitor credentials for their organization, while red teams can use it to search for credentials inside many repositories. This search is in-depth and it will find more passwords than just searching for two or three keywords. It also has the advantage that it runs in the background. So once it starts, you can actually come back at a later stage and see all the results.
This is particularly useful if the search results for the company name which you are searching are very large.

So how does Cred Stroller work? Think of this as a browser. Once you open your browser and use Cred Stroller, Cred Stroller will search GitHub using the UI and try to get the repositories. So the search through the UI is for the company keyword, and once it gets the repositories, the repositories are sent to the API to search for the keywords. This section is all for the keywords. The keywords are searched, and once the keywords are searched, all the search results are stored in all results. Up to here, no regular expression (regex) has been applied. So if a file contains a getPassword method, all results will have that getPassword method in its output. After all of these results are gathered, they are filtered using the regexes, and then we get the lucky results. So lucky results are basically a subset of all the results; they come from all the results after applying the regular expressions.

So, a lot of talk already. Let's see the demo and hope it works. Okay, so let's go back to GitHub again. I hope everything is visible. Maybe I can increase the font size. Okay, so if you click on the Cred Stroller plugin which I've installed here, there are many buttons. I'll go through all of these buttons as well. Of course, Submit Search is for searching. All Results is, as I mentioned previously, all of the results. And the I'm Feeling Lucky button is for the lucky results. You have these two buttons for clearing the results and the lucky results. You have Save Configuration and Load Configuration as well. These two fields are for the tokens. I'll share with you later what these tokens are, or maybe you already know: GitHub tokens and GitHub username.
These two buttons are basically default search keywords and default regexes. You can modify them as per your liking. Today I have modified it to use only two keywords, and I have kept the same regexes. And I put redteam.cafe here. So what this will do is search for redteam.cafe as a company name in all of the GitHub repositories. Once it finds those repositories, it will go and search for all these keywords, which I have separated by commas. Then it will find these keywords inside all of the files which we found in the repositories. Then it will parse them with this regex and see if there are any lucky results. Those lucky results will be saved in the lucky file, which we can see later. So let's quickly submit the search. The search takes a bit of time, so it will go automatically through all of the pages. Once all of the searching finishes, it will stop. The searching from the UI has stopped, but the background mode is still working. To see how it works in background mode, we can come back to the Cred Stroller plugin. We can click on Show All Results. All results are basically, as I told you previously, all of the results. So if there's the word password anywhere, you can see the password here. Of course, this is too overwhelming and there are so many results here. You can keep scrolling, and these are still being added. So there are so many results; you can find so much data here. Wow, we found some usernames and passwords here as well. So basically, as I told you, all results are definitely all of the results which Cred Stroller can come up with. We are also interested in the lucky results. Lucky results are the results which are parsed and retrieved from all of the results after using the regular expressions. I think this one is still populating, so let's wait for a few minutes and come back to it once all of the results are populated.
In the meantime, you can see here that it has already populated one result which was not shown to us in the first manual search, where we searched for redteam.cafe and password. So this specific keyword and password was not shown there. Let's see, and let's hope this is already updated. It is not updated yet, so let's wait for a few more minutes. So all of the results have been populated now, and we can see that it has found a lot of passwords. It has also found some passwords which we didn't find the last time, like these ones. And it has also found passwords which I didn't intend to find in the first place. But as long as it works, I'm great. So of course you can see that there are some false positives like these, but this actually tells me that there is some automation script which I can go and see inside this specific repository. So it is still useful. I'm not saying this is completely useful, but this does give me an idea of what may be inside this repository. So we come back to the results here, and we can see that it has found some passwords. Now, this password was definitely not found in the first manual search. Why? Because if I go to this specific file, you can see that there is no mention of redteam.cafe. If there is no mention of redteam.cafe, the combined manual search of "redteam.cafe password" will definitely not find this file, because there is no mention of redteam.cafe in this specific file. So I can say this is the best scenario for why you should use Cred Stroller, because Cred Stroller is actually able to find these passwords which are hidden inside configuration files and may not have the company name inside those files.

So coming back to the slides. As you can imagine, this can also be abused for mass credential gathering. I will not deep dive into that, because that is something I leave up to your imagination. If you provide the right regexes, then you can do anything you want with this tool.
For future improvements, there are some GitHub API restrictions which we think we should bypass, or we should try to overcome. That's why we were using two keys. We can use many keys. The more keys you use, the faster the search. We are definitely thinking of adding, I'm definitely thinking of adding, the cron job functionality, because this will greatly increase the usability of the tool. So I can run it in the background and it will keep searching every hour, for example. And any time there is a credential leak, I can quickly get a notification on my desktop. We can have an export to CSV, because that's very important, and because sometimes we need CSV to show to the management. We can also think of adding more regexes. So if the community wants, they can add more regexes and keywords, and then we can have multiple keywords and regexes for people to use in the future. If you have any questions, please let us know, or please let me know, using the Discord channel. So that's it. Thank you. If you have any questions after this talk, you can contact me on Twitter. That's my handle, and you can also find me on my website. That's it. Thank you. Have a nice day. Bye-bye.
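The three-stage pipeline the talk describes (company-name search through the UI, per-repository keyword search producing all results, then a regex pass producing lucky results), as an added example that is not code from the talk or from the Cred Stroller plugin. It is written from the monitoring use the talk mentions for blue teams: checking whether files that mention your own organization leak credentials. The GitHub UI and API are replaced by an in-memory, constructed index so that it runs offline; the repository names, file contents, keywords, regexes and secret strings are all constructed, and the regexes are assumptions rather than the plugin's defaults. It also reproduces the point from the second demo that a combined manual search for the company name plus "password" misses a config file which never mentions the company.

```javascript
// Added example (not code from the talk or from the Cred Stroller plugin).
// Mocks the plugin's pipeline offline: a company-name search stands in for the
// GitHub UI search, a per-repository keyword search stands in for the GitHub
// code-search API, and a regex pass turns "all results" into "lucky results".
// All repositories, files, keywords, regexes and secrets below are constructed.

const COMPANY = "redteam.cafe";              // company/domain name used in the talk's demo
const KEYWORDS = ["password", "send_keys"];  // stand-ins for the plugin's default keywords

// Constructed lucky-result regexes (assumption: the plugin's own defaults differ).
// Each has one capture group holding the candidate secret. No 'g' flag, so
// RegExp.exec() carries no lastIndex state between calls.
const LUCKY_REGEXES = [
  /password\s*[:=]\s*["']?([^"'\s]+)/i,     // key=value or key: value in config files
  /send_keys\(\s*["']([^"']+)["']\s*\)/i,    // literal typed by a Selenium automation script
];

// Constructed in-memory stand-in for GitHub's index of public repositories.
const SAMPLE_INDEX = [
  { repo: "test1", files: [
    { path: "README.md",            content: "Selenium automation suite for redteam.cafe\n" },
    { path: "config/db.properties", content: "db.user=app\ndb.password=Example-Secr3t!\n" },
    { path: "src/Auth.java",        content: "public String getPassword() { return pw; }\n" },
  ]},
  { repo: "test2", files: [
    { path: "login_test.py", content: "driver.get('https://redteam.cafe/login')\n" +
                                      "driver.find_element_by_id('pw').send_keys('Autom4tion-Example')\n" },
    { path: "ftp.conf",      content: "host=ftp.redteam.cafe\npassword=Ftp-Example-Pass\n" },
  ]},
  { repo: "unrelated", files: [
    { path: "notes.txt", content: "password=NeverSearched\n" },  // no company mention: never visited
  ]},
];

// Stage 1 (stand-in for the GitHub UI search): repositories mentioning the company name.
function findCompanyRepos(index, company) {
  const needle = company.toLowerCase();
  return index
    .filter(r => r.files.some(f => f.content.toLowerCase().includes(needle)))
    .map(r => r.repo);
}

// Stage 2 (stand-in for the code-search API, scoped to one repository at a time):
// every line in the selected repositories containing any keyword. This is "all
// results"; no regex has been applied yet, so a getPassword() method shows up too.
function searchKeywords(index, repos, keywords) {
  const hits = [];
  const needles = keywords.map(k => k.toLowerCase());
  for (const r of index) {
    if (!repos.includes(r.repo)) continue;
    for (const f of r.files) {
      f.content.split("\n").forEach((line, i) => {
        if (needles.some(k => line.toLowerCase().includes(k))) {
          hits.push({ repo: r.repo, path: f.path, lineNo: i + 1, line });
        }
      });
    }
  }
  return hits;
}

// Stage 3: "lucky results" are the subset of all results matching one of the regexes.
function luckyResults(allResults, regexes) {
  return allResults.flatMap(hit => {
    for (const re of regexes) {
      const m = re.exec(hit.line);
      if (m) return [{ ...hit, secret: m[1], pattern: re.source }];
    }
    return [];
  });
}

// Stand-in for the manual "<company> password" search from the first demo: only
// files containing BOTH terms come back, so a config file without the company
// name is missed even though it holds a credential.
function manualSearch(index, company, keyword) {
  const out = [];
  for (const r of index) {
    for (const f of r.files) {
      const text = f.content.toLowerCase();
      if (text.includes(company.toLowerCase()) && text.includes(keyword.toLowerCase())) {
        out.push(`${r.repo}/${f.path}`);
      }
    }
  }
  return out;
}

function run(index = SAMPLE_INDEX) {
  const repos = findCompanyRepos(index, COMPANY);
  const all = searchKeywords(index, repos, KEYWORDS);
  const lucky = luckyResults(all, LUCKY_REGEXES);
  const manual = manualSearch(index, COMPANY, "password");
  return { repos, all, lucky, manual };
}

const report = run();
console.log(`repos: ${report.repos.join(", ")}`);
console.log(`all results: ${report.all.length}, lucky results: ${report.lucky.length}`);
for (const h of report.lucky) console.log(`  ${h.repo}/${h.path}:${h.lineNo}  ${h.secret}`);
console.log(`manual search hits: ${report.manual.join(", ") || "(none)"}`);
```

Run it with node. The `unrelated` repository is never visited because it does not mention the company name, which is why coverage depends on the company-name stage rather than the keyword stage; `getPassword()` appears in all results but not in lucky results, which is the false-positive reduction the regex stage provides; and `config/db.properties` is found by the pipeline but not by the manual search, because that file never mentions the company.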