Testing Leaked Credentials
Use the following methods to test for leaked credentials.
AWS
This procedure checks whether found AWS credentials are valid and helps you identify the potential impact.
The following command returns the identity behind the key (user ID, account and ARN). Provide values for both the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY prompts.
AWS_ACCESS_KEY_ID=$(read -p "AWS_ACCESS_KEY_ID=" k; echo "$k") AWS_SECRET_ACCESS_KEY=$(read -p "AWS_SECRET_ACCESS_KEY=" s; echo "$s") aws sts get-caller-identity
If the command is successful you will get a result similar to this:
{
"UserId": "XXXXXXXXX211",
"Account": "XXXXXXXXX211",
"Arn": "arn:aws:iam::XXXXXXXXX211:root"
}
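The response above tells you who the key belongs to, which is what decides the impact: a root ARN means the key is not subject to any IAM policy, an IAM user means a long-lived key that must be revoked, and an assumed-role ARN means STS credentials that expire on their own. The following script is an added example (not part of the original page) that parses a get-caller-identity response into account, principal type and a coarse severity, and masks the key for the report; the sample responses and the 123456789012 account id are constructed placeholders.

```python
"""Triage helper for the output of `aws sts get-caller-identity`.

Added example, not part of the original page: it parses the JSON the
command above prints, works out what kind of principal the leaked key
belongs to, and gives a coarse severity so the finding can be prioritised.
Sample responses are constructed; 123456789012 is a placeholder account id.
"""
import json
import re

# Constructed sample responses (placeholder account id, not a real account).
SAMPLE_ROOT = json.dumps({
    "UserId": "123456789012",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:root",
})
SAMPLE_ROLE = json.dumps({
    "UserId": "AROAEXAMPLEROLEID:ci-session",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/ci-session",
})

# arn:aws:<service>::<12-digit account>:<resource>
_ARN_RE = re.compile(r"^arn:aws:(iam|sts)::(\d{12}):(.+)$")


def classify_caller_identity(raw_json: str) -> dict:
    """Map a get-caller-identity response to account, principal and severity."""
    ident = json.loads(raw_json)
    m = _ARN_RE.match(ident["Arn"])
    if not m:
        raise ValueError(f"unrecognised ARN: {ident['Arn']}")
    account, resource = m.group(2), m.group(3)

    if resource == "root":
        # Root keys bypass IAM policies entirely: full control of the account.
        kind, name, severity = "root", "root", "critical"
    elif resource.startswith("user/"):
        # user/<optional path>/<user-name>
        kind, name, severity = "iam-user", resource.split("/", 1)[1], "high"
    elif resource.startswith("assumed-role/"):
        # assumed-role/<role-name>/<session-name>; STS credentials expire.
        kind, name, severity = "assumed-role", resource.split("/")[1], "high"
    else:
        kind, name, severity = "other", resource, "high"

    return {
        "account": account,
        "principal_type": kind,
        "principal": name,
        "severity": severity,
        # Long-lived keys must be revoked; STS credentials also expire on their own.
        "long_lived": kind in ("root", "iam-user"),
    }


def redact_secret(secret: str, keep: int = 4) -> str:
    """Mask a credential for a report: keep the first and last `keep` chars."""
    if len(secret) <= 3 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]


if __name__ == "__main__":
    for sample in (SAMPLE_ROOT, SAMPLE_ROLE):
        print(classify_caller_identity(sample))
    # AKIAIOSFODNN7EXAMPLE is the placeholder key id used in the AWS documentation.
    print(redact_secret("AKIAIOSFODNN7EXAMPLE"))
```

Pipe the real output of the command into classify_caller_identity and record only the redacted key in the finding; the raw key should never end up in a ticket or log.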
Github
Leaked GitHub credentials can be tested with the following command, which sends the token in the Authorization header (the access_token query parameter is no longer accepted by the API):
curl -H "Authorization: token $(read -p 'TOKEN=' t; echo "$t")" https://api.github.com/user
If the command is successful you will get output similar to this:
{
"login": "xxxxxx",
"id": xxx,
"node_id": "xxx",
"avatar_url": "https://avatars1.githubusercontent.com/u/xxx?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/xxxxxx",
"html_url": "https://github.com/xxxxxx",
"followers_url": "https://api.github.com/users/xxxxxx/followers",
"following_url": "https://api.github.com/users/xxxxxx/following{/other_user}",
"gists_url": "https://api.github.com/users/xxxxxx/gists{/gist_id}",
"starred_url": "https://api.github.com/users/xxxxxx/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/xxxxxx/subscriptions",
"organizations_url": "https://api.github.com/users/xxxxxx/orgs",
"repos_url": "https://api.github.com/users/xxxxxx/repos",
"events_url": "https://api.github.com/users/xxxxxx/events{/privacy}",
"received_events_url": "https://api.github.com/users/xxxxxx/received_events",
"type": "User",
"site_admin": false,
"name": "xxx",
"company": "xxx",
"blog": "",
"location": "USA",
"email": "xxx",
"hireable": true,
"bio": "xxx",
"public_repos": 76,
"public_gists": 4,
"followers": 1,
"following": 44,
"created_at": "xxx",
"updated_at": "xxx"
}
Mailchimp
Leaked Mailchimp credentials can be tested with the following command:
curl "https://us3.api.mailchimp.com/2.0/helper/ping?apikey=$(read -p 'TOKEN=' t; echo "$t")"
The credentials contain the Mailchimp region. Ensure the region of the token matches the region in the request. For example, a token like da851247f37f871a7f8ef7dfdf51d849-us3 corresponds to the us3 region.
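Because the region is part of the key, it can be read off the key itself rather than guessed, and the same key shape is what a secret scanner looks for in leaked files. The following helpers are an added example (not part of the original page): they extract the region from a key, build the ping URL above for the matching regional host (refusing a mismatched region), and find key-shaped strings in text; the key is the one quoted on this page and the config snippet is constructed.

```python
"""Mailchimp API-key region checks.

Added example, not part of the original page. A Mailchimp key carries its
data-centre region as a suffix; a request sent to the wrong regional host
fails even when the key is valid. These helpers extract the region, build
the ping URL used on this page for that region, and find key-shaped strings
in text (for example a leaked config file) so they can be reported.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlencode

# 32 lowercase hex characters, a hyphen, then a region such as us3 or us20.
_KEY_RE = re.compile(r"\b([0-9a-f]{32})-(us\d{1,2})\b")
_FULL_KEY_RE = re.compile(r"^" + _KEY_RE.pattern + r"$")

# The example key quoted on this page.
EXAMPLE_KEY = "da851247f37f871a7f8ef7dfdf51d849-us3"


def mailchimp_region(api_key: str) -> str:
    """Return the region suffix of a Mailchimp key, e.g. 'us3'."""
    m = _FULL_KEY_RE.match(api_key)
    if not m:
        raise ValueError("not a Mailchimp API key (expected 32 hex chars, '-', region)")
    return m.group(2)


def mailchimp_ping_url(api_key: str, region: Optional[str] = None) -> str:
    """Build the helper/ping URL on the host matching the key's region.

    If the caller names a region that differs from the key's suffix, refuse
    rather than send the key to the wrong data centre.
    """
    key_region = mailchimp_region(api_key)
    if region is not None and region != key_region:
        raise ValueError(f"key belongs to region {key_region}, request targets {region}")
    return (f"https://{key_region}.api.mailchimp.com/2.0/helper/ping?"
            + urlencode({"apikey": api_key}))


def find_mailchimp_keys(text: str) -> List[Tuple[str, str]]:
    """Return (key, region) pairs for every Mailchimp-shaped key in text."""
    return [(m.group(0), m.group(2)) for m in _KEY_RE.finditer(text)]


# Constructed snippet standing in for a leaked config file.
SAMPLE_CONFIG = """
SMTP_HOST=smtp.example.com
MAILCHIMP_API_KEY=da851247f37f871a7f8ef7dfdf51d849-us3
# not a key: wrong length
MC_OLD=abcdef-us3
"""

if __name__ == "__main__":
    print(mailchimp_region(EXAMPLE_KEY))
    print(mailchimp_ping_url(EXAMPLE_KEY))
    print(find_mailchimp_keys(SAMPLE_CONFIG))
```

Feeding the host from mailchimp_ping_url into the curl command above removes the most common reason a valid key appears invalid: the request went to a different region than the one encoded in the key.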
Square
The following command can be used to test leaked Square credentials:
curl -H "Authorization: Bearer $(read -p 'TOKEN=' t; echo "$t")" https://connect.squareup.com/v1/me/payments
PostgreSQL
The following command dumps a PostgreSQL database if the credentials are correct:
pg_dump -d "$(read -p 'DATABASE=' d; echo "$d")" -h "$(read -p 'HOST=' h; echo "$h")" -U "$(read -p 'USER=' u; echo "$u")"
pg_dump will prompt for the password; if the credentials are accepted, the dump proceeds.
Azure Blob Storage
The following command can be used to test for leaked Azure Blob Storage credentials:
az storage blob list --container-name "$(read -p 'CONTAINER_NAME=' c; echo "$c")" --account-name "$(read -p 'ACCOUNT_NAME=' n; echo "$n")" --account-key "$(read -p 'ACCOUNT_KEY=' k; echo "$k")" --auth-mode key