Testing Leaked Credentials

Use the following methods to test whether credentials found during an engagement are still valid. Prefer the least intrusive call the service offers (an identity or ping endpoint), stop as soon as the credential is confirmed, and note what identity it maps to, since that is what determines the impact you report.

AWS

This procedure tests whether found AWS credentials are valid and helps you identify the potential impact.

The following command prints the account, principal ID and ARN of the authenticated identity. Provide values for both the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY prompts. If the key ID starts with ASIA it is a temporary credential and AWS_SESSION_TOKEN must be set as well, otherwise the call fails even when the key is still live.

AWS_ACCESS_KEY_ID=$(read -p "AWS_ACCESS_KEY_ID=" k; echo $k) AWS_SECRET_ACCESS_KEY=$(read -p "AWS_SECRET_ACCESS_KEY=" s; echo $s) aws sts get-caller-identity

If the command succeeds you get a result similar to this (here the ARN ends in :root, so the key belongs to the account's root user and gives full control of the account):

{
    "UserId": "XXXXXXXXX211",
    "Account": "XXXXXXXXX211",
    "Arn": "arn:aws:iam::XXXXXXXXX211:root"
}
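The next step after a successful get-caller-identity is deciding what the key is and who it belongs to. The following helpers, added here as an example and not part of the original page, classify the access key ID by its prefix and the caller by its ARN, and pull the fields out of the JSON the command prints. The sample identity JSON and key IDs are constructed for the example; everything is local string handling, so it runs without network access.

```bash
# Added example (not from the original page): triage helpers for a found
# AWS key pair and for the JSON that sts get-caller-identity prints.

# Classify an access key ID by its prefix. AWS issues 20-character IDs:
# AKIA = long-term IAM user key, ASIA = temporary STS credential, which
# also needs AWS_SESSION_TOKEN before get-caller-identity will accept it.
aws_key_kind() {
  case "$1" in
    AKIA????????????????) echo long-term ;;
    ASIA????????????????) echo temporary ;;
    *) echo unknown ;;
  esac
}

# Classify the caller from the Arn field. Root means full control of the
# account; the other kinds need IAM policy enumeration to judge impact.
aws_principal_kind() {
  case "$1" in
    arn:aws:iam::*:root) echo root ;;
    arn:aws:iam::*:user/*) echo iam-user ;;
    arn:aws:sts::*:assumed-role/*) echo assumed-role ;;
    arn:aws:sts::*:federated-user/*) echo federated-user ;;
    *) echo unknown ;;
  esac
}

# Extract one string-valued field from the flat JSON object on stdin.
# Sufficient for get-caller-identity output; not a general JSON parser.
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# One-line summary of a get-caller-identity result passed as $1.
aws_identity_summary() {
  account=$(printf '%s\n' "$1" | json_field Account)
  arn=$(printf '%s\n' "$1" | json_field Arn)
  printf 'account=%s principal=%s arn=%s\n' \
    "$account" "$(aws_principal_kind "$arn")" "$arn"
}

# Constructed sample output, in the same shape as the page's example.
SAMPLE_IDENTITY='{
    "UserId": "AIDAEXAMPLEUSERID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/ci-deploy"
}'

aws_key_kind "AKIAEXAMPLEKEYID0001"       # long-term
aws_identity_summary "$SAMPLE_IDENTITY"   # account=123456789012 principal=iam-user arn=arn:aws:iam::123456789012:user/ci-deploy
```

In practice you would pipe the real command into the summary, e.g. `aws_identity_summary "$(aws sts get-caller-identity)"`, after exporting the key pair (and the session token for an ASIA key) as in the command above.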

GitHub

Leaked GitHub tokens can be tested with the following command. The token is sent in the Authorization header; the access_token query parameter the API once accepted is no longer supported, so the old form fails even with a valid token:

curl -H "Authorization: Bearer $(read -p 'TOKEN=' t; echo $t)" https://api.github.com/user

If the command succeeds you get output similar to this; the login and type fields tell you whose account the token controls:

{
  "login": "xxxxxx",
  "id": xxx,
  "node_id": "xxx",
  "avatar_url": "https://avatars1.githubusercontent.com/u/xxx?v=4",
  "gravatar_id": "",
  "url": "https://api.github.com/users/xxxxxx",
  "html_url": "https://github.com/xxxxxx",
  "followers_url": "https://api.github.com/users/xxxxxx/followers",
  "following_url": "https://api.github.com/users/xxxxxx/following{/other_user}",
  "gists_url": "https://api.github.com/users/xxxxxx/gists{/gist_id}",
  "starred_url": "https://api.github.com/users/xxxxxx/starred{/owner}{/repo}",
  "subscriptions_url": "https://api.github.com/users/xxxxxx/subscriptions",
  "organizations_url": "https://api.github.com/users/xxxxxx/orgs",
  "repos_url": "https://api.github.com/users/xxxxxx/repos",
  "events_url": "https://api.github.com/users/xxxxxx/events{/privacy}",
  "received_events_url": "https://api.github.com/users/xxxxxx/received_events",
  "type": "User",
  "site_admin": false,
  "name": "xxx",
  "company": "xxx",
  "blog": "",
  "location": "USA",
  "email": "xxx",
  "hireable": true,
  "bio": "xxx",
  "public_repos": 76,
  "public_gists": 4,
  "followers": 1,
  "following": 44,
  "created_at": "xxx",
  "updated_at": "xxx"
}

Mailchimp

Leaked Mailchimp API keys can be tested with the following command. Mailchimp's 2.0 API, including its helper/ping endpoint, has been retired; the 3.0 ping endpoint takes the key as the password of HTTP basic auth (the username can be any string):

curl -u "anystring:$(read -p 'APIKEY=' k; echo $k)" https://us3.api.mailchimp.com/3.0/ping

The API key ends in the data center it belongs to, and the request must go to the matching subdomain. For example, a key like da851247f37f871a7f8ef7dfdf51d849-us3 belongs to us3, so the request goes to us3.api.mailchimp.com; sending it to another data center fails even when the key is valid.
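Rather than reading the data center off the key by eye, it can be derived from the suffix and the ping URL built from it. The function below is an added example, not code from the original page; it checks that the key has the expected 32-hex-characters-dash-datacenter shape and builds a 3.0 ping URL, refusing anything else. The key used is constructed in the same shape as the page's example and is not a real key.

```bash
# Added example (not from the original page): derive the data center from a
# Mailchimp API key and build the matching 3.0 ping URL. Runs offline.
mailchimp_ping_url() {
  key=$1
  # Format check: 32 lowercase hex characters, a dash, then a dc such as us3 or us19.
  printf '%s\n' "$key" | grep -Eq '^[0-9a-f]{32}-[a-z]{2}[0-9]{1,2}$' || {
    echo "not a Mailchimp API key: $key" >&2
    return 1
  }
  dc=${key##*-}    # everything after the last dash is the data center
  printf 'https://%s.api.mailchimp.com/3.0/ping\n' "$dc"
}

# Constructed key in the same shape as the page's example (not a real key).
mailchimp_ping_url 'da851247f37f871a7f8ef7dfdf51d849-us3'
# -> https://us3.api.mailchimp.com/3.0/ping
```

The live check then becomes `curl -u "anystring:$key" "$(mailchimp_ping_url "$key")"`, which cannot be sent to the wrong data center because the URL is derived from the key itself.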

Square

The following command can be used for testing leaked Square access tokens. The Connect v1 endpoints (such as /v1/me/payments) have been retired; listing locations on the v2 API is a read-only way to confirm the token and see which merchant it belongs to:

curl -H "Authorization: Bearer $(read -p 'TOKEN=' t; echo $t)" https://connect.squareup.com/v2/locations

PostgreSQL

The following command dumps a PostgreSQL database if the credentials are correct:

pg_dump -d "$(read -p 'DATABASE=' d; echo $d)" -h "$(read -p 'HOST=' h; echo $h)" -U "$(read -p 'USER=' u; echo $u)"

pg_dump prompts for the password before it connects. If authentication succeeds the dump is written to standard output, so redirect it to a file if you intend to keep it. Be aware that this is a full read of the database, not a lightweight validity check; if confirming the credential is all you need, a trivial query with psql against the same host and user is less intrusive.

Azure Blob Storage

The following command can be used to test leaked Azure Blob Storage credentials (a storage account name plus one of its account keys). A successful call lists the blobs in the container, which also shows what data the key exposes:

az storage blob list --container-name "$(read -p 'CONTAINER_NAME=' c; echo $c)" --account-name "$(read -p 'ACCOUNT_NAME=' n; echo $n)" --account-key "$(read -p 'ACCOUNT_KEY=' k; echo $k)" --auth-mode key