-
Notifications
You must be signed in to change notification settings - Fork 3
/
hunter.config
124 lines (107 loc) · 14.1 KB
/
hunter.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
[general]
max_file_size_bytes = 1048576
max_archive_size_bytes = 67108864
supported_archives = ["zip", "bz2", "bzip2", "7z", "bz2", "bzip2", "gzip", "gz", "tar", "lzip", "lz", "rar", "xz"]
match_rules = [
# Java Enterprise Application Packaging Unit, which most likely contains at least database credentials.
{"search_location": "file_name", "category": "Application (Java)", "search_pattern": "^.*\\.ear$", "relevance": "medium", "accuracy": "low"},
{"search_location": "file_name", "category": "Application (Java)", "search_pattern": "^.*\\.war$", "relevance": "medium", "accuracy": "low"},
# Microsoft SQL server backup files, which might contain user passwords/hashes.
{"search_location": "file_content", "category": "Backup", "search_pattern": "^MSSQLBAK[\\W]+", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_content", "category": "Backup", "search_pattern": "^TAPE[\\W]+", "relevance": "medium", "accuracy": "medium"},
# Backup files, which might contain sensitive data.
{"search_location": "file_name", "category": "Backup", "search_pattern": "^.*\\.bak$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Backup (Veeam)", "search_pattern": "^.*\\.((vbk)|(vib)|(vrb)|(vbm)|(vsb)|(vlb)|(vsm)|(vom)|(vlm))$", "relevance": "medium", "accuracy": "low"},
{"search_location": "file_name", "category": "Backup (Veritas)", "search_pattern": "^.*\\.((v2i)|(iv2i)|(sv2i)|(fbf))$", "relevance": "medium", "accuracy": "low"},
# Configuration files of low relevance. Only useful to identify new matching rules.
{"search_location": "file_name", "category": "Source Code", "search_pattern": "^.*\\.sql$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^.*\\.cfg$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^.*\\.config$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^.*\\.ini$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^.*\\.properties$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^.*\\.reg$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^.*\\.pol$", "relevance": "low", "accuracy": "low"},
# Known application configuration files, which might contain sensitive data.
{"search_location": "file_name", "category": "Configuration (.NET)", "search_pattern": "^applicationHost\\.config$", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_name", "category": "Configuration (.NET)", "search_pattern": "^appsettings\\.json$", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_name", "category": "Configuration (.NET)", "search_pattern": "^appsettings\\..*?\\.json$", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^config\\.xml$", "relevance": "low", "accuracy": "medium"},
{"search_location": "file_name", "category": "Configuration (Tomcat)", "search_pattern": "^server\\.xml$", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_name", "category": "Configuration (Tomcat)", "search_pattern": "^tomcat-users(-\\d+)?\\.xml$", "relevance": "high", "accuracy": "medium"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^unattend\\.xml$", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^web\\.config$", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_name", "category": "Configuration (Tomcat Deployment Descriptor)", "search_pattern": "^web\\.xml$", "relevance": "low", "accuracy": "medium"},
{"search_location": "file_name", "category": "Configuration", "search_pattern": "^\\.htaccess$", "relevance": "medium", "accuracy": "high"},
# Emails might contain sensitive data.
{"search_location": "file_name", "category": "Email", "search_pattern": "^.*\\.edb$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Email", "search_pattern": "^.*\\.eml$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Email", "search_pattern": "^.*\\.msg$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Email", "search_pattern": "^.*\\.nsf$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Email", "search_pattern": "^.*\\.pst$", "relevance": "low", "accuracy": "low"},
# Files containing public/private keys.
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.asc$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.cer$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.key$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.pgp$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.gpg$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.ovpn$", "relevance": "high", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.pem$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.pub$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.pfx$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.ppk$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.p7b$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Key Material", "search_pattern": "^.*\\.p12$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_content", "category": "Key Material", "search_pattern": "^-+BEGIN.*?PRIVATE KEY-+", "relevance": "high", "accuracy": "high"},
# Log files.
{"search_location": "file_name", "category": "Log", "search_pattern": "^.*\\.log$", "relevance": "low", "accuracy": "low"},
# If there is an known_hosts file, then there might be also a private key and we know where is private key most likely works.
{"search_location": "file_name", "category": "Misc", "search_pattern": "^known_hosts$", "relevance": "low", "accuracy": "medium"},
{"search_location": "file_name", "category": "Misc", "search_pattern": "^shadow$", "relevance": "high", "accuracy": "medium"},
{"search_location": "file_name", "category": "Misc", "search_pattern": "^passwd$", "relevance": "medium", "accuracy": "medium"},
# File extensions of password files
{"search_location": "file_name", "category": "Password Management", "search_pattern": "^.*\\.kdb$", "relevance": "high", "accuracy": "low"},
{"search_location": "file_name", "category": "Password Management", "search_pattern": "^.*\\.kdbx$", "relevance": "high", "accuracy": "low"},
{"search_location": "file_name", "category": "Password Management", "search_pattern": "^.*\\.geli$", "relevance": "high", "accuracy": "low"},
# Scripting files.
{"search_location": "file_name", "category": "Scripting", "search_pattern": "^.*\\.ps1$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Scripting", "search_pattern": "^.*\\.sh$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Scripting", "search_pattern": "^.*\\.vbs$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Scripting", "search_pattern": "^.*\\.bat$", "relevance": "low", "accuracy": "low"},
{"search_location": "file_name", "category": "Scripting", "search_pattern": "^.*\\.cmd$", "relevance": "low", "accuracy": "low"},
# Virtual machines might contain sensitive information like NTLM hashes in SAM files.
{"search_location": "file_name", "category": "Virtual Machine (VirtualBox)", "search_pattern": "^.*\\.((vbox)|(vdi))$", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_name", "category": "Virtual Machine (Hyper-V)", "search_pattern": "^.*\\.vhdx?$", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_name", "category": "Virtual Machine (VMware)", "search_pattern": "^.*\\.((vmdk)|(vmwarevm))$", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_name", "category": "Generic File Name Pattern", "search_pattern": "^.*((credential)|(secret)|(passwor[td])|(login)|(logon)).*$", "relevance": "medium", "accuracy": "low"},
{"search_location": "file_name", "category": "Generic File Name Pattern", "search_pattern": "^.*passw((ö)|(oe))rt.*$", "relevance": "medium", "accuracy": "low"},
{"search_location": "file_name", "category": "Generic File Name Pattern", "search_pattern": "^.*keepass.*$", "relevance": "medium", "accuracy": "low"},
# These are very specific regular expressions of high accuracy. They match before any other rule of the same relevance.
{"search_location": "full_path", "category": "Group Policy Startup Script", "search_pattern": "^.*/((Machine)|(User))/Scripts/(ps)?scripts\\.ini$", "relevance": "medium", "accuracy": "high"},
{"search_location": "file_content", "category": "Group Policy Password", "search_pattern": "<properties\\s.*?\\scpassword=[\"'].*[\"'].*?/>", "relevance": "high", "accuracy": "high"},
{"search_location": "file_content", "category": "Group Policy Auto Login", "search_pattern": "<registry\\s.*?\\skey=[\"']SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon[\"'].*/>", "relevance": "high", "accuracy": "high"},
{"search_location": "file_content", "category": ".NET Application Database Connection String (XML)", "search_pattern": "connectionString=[\"'].*password\\s*=", "relevance": "high", "accuracy": "high"},
{"search_location": "file_content", "category": ".NET Application Database Connection String (JSON)", "search_pattern": "Connection[\"']\\s*:\\s*[\"'].*?password\\s*=", "relevance": "high", "accuracy": "high"},
{"search_location": "file_content", "category": "PowerShell Cmdlet", "search_pattern": "ConvertTo-SecureString\\s+", "relevance": "high", "accuracy": "high"},
{"search_location": "file_content", "category": "", "search_pattern": "jdbc\\.password\\s*[=:]", "relevance": "high", "accuracy": "high"},
# Password pattern that does not finish with a whitespace. This shall prevent the classification of patterns like 'This is a secure password' as high.
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "[a-z0-9]*password[a-z0-9]*\\s*[=:><\"',]", "relevance": "high", "accuracy": "medium"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "[a-z0-9]*passwd[a-z0-9]*\\s*[=:><\"',]", "relevance": "high", "accuracy": "medium"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "[a-z0-9]*pass[a-z0-9]*\\s*[=:><\"',]", "relevance": "high", "accuracy": "medium"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "[a-z0-9]*pwd[a-z0-9]*\\s*[=:s><\"',]", "relevance": "high", "accuracy": "medium"},
# Password patterns that start and stop with a whitespace. If they do, then they are most likely false positives and consequently do not have a high relevance.
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "\\s[a-z0-9]*password[a-z0-9]*\\s", "relevance": "medium", "accuracy": "low"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "\\s[a-z0-9]*passwd[a-z0-9]*\\s", "relevance": "medium", "accuracy": "low"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "\\s[a-z0-9]*pass[a-z0-9]*\\s", "relevance": "medium", "accuracy": "low"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "\\s[a-z0-9]*pwd[a-z0-9]*\\s", "relevance": "medium", "accuracy": "low"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "login[a-z0-9]*\\s*[=:\\s><\"']", "relevance": "medium", "accuracy": "medium"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "logon[a-z0-9]*\\s*[=:\\s><\"']", "relevance": "medium", "accuracy": "medium"},
# Pattern identify potential password command line arguments like --password
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "\\s+-{1,2}[a-z0-9]*password[a-z0-9]*[\\s:=,]", "relevance": "high", "accuracy": "medium"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "\\s+-{1,2}[a-z0-9]*passwd[a-z0-9]*[\\s:=,]", "relevance": "high", "accuracy": "medium"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "\\s+-{1,2}[a-z0-9]*pass[a-z0-9]*[\\s:=,]", "relevance": "high", "accuracy": "medium"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "\\s+-{1,2}[a-z0-9]*pwd[a-z0-9]*[\\s:=,]", "relevance": "high", "accuracy": "medium"},
{"search_location": "file_content", "category": "Generic Password Pattern", "search_pattern": "\\s+-p[a-z0-9\\s:=,]", "relevance": "medium", "accuracy": "low"}
]
[setup]
scripts = ["filehunter.py"]
kali_packages = ["python3-magic", "unzip", "unrar", "p7zip-full"]