We are finally fully publicly releasing my new BLS tool Badsecrets! (https://t.co/esgTOFqDKL). Can detect the use of known cryptographic secrets by looking at the cryptographic products they produce and checking against a list of leaked keys, or against common passwords.
@irsdl I haven't seen the talk, do you have a link? I am working through your additions now, the resource module is a good idea, I had no idea that was possible. If I hit any snags I'll let you know. Might not take everything right away.
@Burp_Suite Any chance you could make the tab pop-out thing require more than 1 pixel of movement? I pop my tabs out accidentally like 100 times a day 😆
Big upgrades to Badsecrets https://t.co/esgTOFqDKL in version 0.3.x
Upgraded CLI!
Supply your own custom secrets file that will work alongside the defaults with -c
Also, some modules will give you the hashcat command to facilitate bruteforce cracking when no secret is found
@Jhaddix Particularly if they are pushing into post-exploitation, this is an awful idea. To the SOC, they are going to look identical to someone there to do them existential harm once they start generating CrowdStrike alerts.
@Jhaddix I know the point of your tweet was "no command line tools" and "quick" but if instead thoroughness was your priority, c99 is just one of 80+ modules in BBOT https://t.co/wt5MNhbGHU, roughly half of which are focused on subdomain enumeration.
#ASPNET web form tip when bypassing certain WAF rules using #COOKIELESS:
✔️WAF blocks `/admin/main.aspx`
✔️WAF uses canonicalization & not case sensitive
Possible bypasses:
🍪/admin/(S(X))/main.aspx
🍪/admin/Foobar/(S(X))/../(S(X))/main.aspx
🍪/(S(X))/admin/(S(X))/main.aspx
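The three bypasses above all rely on the same gap: the WAF canonicalizes dot segments and case, but does not know that ASP.NET drops a cookieless session segment of the form `(S(<id>))` from the path before routing. The following is an added example, not code from the tweet or from any of the tools mentioned on this page. It models the two views of a request path with a simplified backend that strips every `(S(...))` segment and then resolves dot segments (an assumption made for illustration; the real framework's handling has more cases), and shows why each listed path slips past the rule while still landing on `/admin/main.aspx`. The blocked path, the helper names and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed: an ASP.NET cookieless-session path segment looks like "(S(<id>))".
# Assumption: the backend removes every such segment before routing.
COOKIELESS_SEGMENT = re.compile(r"^\(S\([^)]*\)\)$")

# Constructed: the single path the WAF rule is meant to protect.
BLOCKED_PATH = "/admin/main.aspx"


def resolve_dots(segments):
    """Drop '.' and collapse '..' segments the way an RFC 3986 canonicalizer does."""
    out = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return out


def waf_view(path):
    """Model of the WAF: percent-decode, resolve dot segments, compare case-insensitively.
    It treats '(S(X))' as an ordinary directory name."""
    segments = unquote(path).split("/")[1:]
    return "/" + "/".join(resolve_dots(segments)).lower()


def backend_view(path):
    """Simplified model of ASP.NET routing (assumption): strip cookieless segments
    first, then resolve dot segments."""
    segments = [s for s in unquote(path).split("/")[1:] if not COOKIELESS_SEGMENT.match(s)]
    return "/" + "/".join(resolve_dots(segments))


def waf_blocks(path):
    """The vulnerable rule: block only when the WAF's own canonical form matches."""
    return waf_view(path) == BLOCKED_PATH


def hardened_waf_blocks(path):
    """The corrected rule: canonicalize the same way the backend does before matching."""
    return backend_view(path).lower() == BLOCKED_PATH


def is_bypass(path):
    """True when the WAF lets the request through but the backend still serves the blocked page."""
    return not waf_blocks(path) and backend_view(path).lower() == BLOCKED_PATH


if __name__ == "__main__":
    for p in ["/admin/main.aspx",
              "/admin/(S(X))/main.aspx",
              "/admin/Foobar/(S(X))/../(S(X))/main.aspx",
              "/(S(X))/admin/(S(X))/main.aspx"]:
        print(f"{p:45} waf={'block' if waf_blocks(p) else 'allow':5} "
              f"backend={backend_view(p):18} bypass={is_bypass(p)}")
```

The second path is the instructive one: the WAF's canonicalizer consumes the `..` against the `(S(X))` directory and still sees `/admin/foobar/(s(x))/main.aspx`, while the backend has already removed both session segments, so the `..` consumes `Foobar` instead. `hardened_waf_blocks` shows the fix: the WAF must apply the backend's normalization (here, stripping the cookieless segment) before matching.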
@Jhaddix @mattjay @BlackLanternLLC We were definitely surprised at how common this is.
It's 'unpatchable' because the vulnerability is human carelessness, but web frameworks can and should be making this almost impossible, and many already do.
@Jhaddix @mattjay @BlackLanternLLC Which means the other part of the effort is collecting such keys. It's a little sparse for some of the modules at the moment, that's where I'm really hoping the community can pitch in.
@Jhaddix @mattjay @BlackLanternLLC Whereas Trufflehog is looking at a repo to find unknown secrets, Badsecrets is determining when a known secret is in use when all you have is the product of it, i.e., was this cookie signed with a key found all over GitHub?
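The distinction drawn in that reply, in code: you hold only the signed artifact, never the key, and you test whether any key from a list of leaked or guessable secrets reproduces its signature. The following is an added example and is not Badsecrets' code or its cookie format; it uses a generic `base64(value).base64(HMAC-SHA256)` cookie shape and a constructed candidate list standing in for the bundled key lists, with the function names chosen for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed stand-in for a leaked-key / common-password list. Not real leaked material.
CANDIDATE_SECRETS = [
    b"changeme",
    b"password",
    b"this-key-was-copied-from-a-tutorial",
    b"secret",
]


def sign_cookie(value: bytes, secret: bytes) -> str:
    """Constructed cookie format: base64url(value) '.' base64url(HMAC-SHA256(secret, value))."""
    tag = hmac.new(secret, value, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(value).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def find_known_secret(cookie: str, candidates=CANDIDATE_SECRETS):
    """Given only the cookie (the 'product' of the secret), recompute the tag under
    each candidate and return the secret that matches, or None."""
    try:
        value_b64, tag_b64 = cookie.rsplit(".", 1)
        value = base64.urlsafe_b64decode(value_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # not in the expected shape, nothing to test
    for secret in candidates:
        expected = hmac.new(secret, value, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return secret
    return None


def forge_cookie(cookie: str, new_value: bytes, candidates=CANDIDATE_SECRETS):
    """Demonstrates the impact: once the secret is known, any value can be signed."""
    secret = find_known_secret(cookie, candidates)
    if secret is None:
        return None
    return sign_cookie(new_value, secret)


if __name__ == "__main__":
    observed = sign_cookie(b"user=guest", b"changeme")  # captured from a hypothetical app
    print("secret in use:", find_known_secret(observed))
    print("forged admin cookie:", forge_cookie(observed, b"user=admin"))
```

The cost is one HMAC per candidate per cookie, which is why a list-based check like this finishes in milliseconds whereas a hashcat run (the fallback mentioned in the 0.3.x notes above) is only needed when no list entry matches.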
Similar to Blacklist3r, but covering many more platforms, and 100% python (no more booting up a windows box to check for known dotnet machineKeys), and much faster. Best of all, there's already a BBOT (https://t.co/wt5MNhbGHU) module to help you find these issues at scale.
@irsdl I absolutely love this vulnerability. We've written a pure python version inspired by your tool in BBOT https://t.co/QEQ4ohxJie. We even have another module that takes the hints, makes a custom wordlist of words that match the prefix, and runs FFUF against it