praetorian-inc · bradlarsen · Apr 19, 2024 · Apr 18, 2024 · Apr 18, 2024 · Apr 19, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - A new `datastore export` command has been added ([#166](https://github.com/praetorian-inc/noseyparker/pull/166)).
   This command exports the essential content from a Nosey Parker datastore as a .tgz file that can be extracted wherever it is needed.
 
+- New rules have been added:
+
+  - AWS AppSync API Key ([#176](https://github.com/praetorian-inc/noseyparker/pull/176))
+  - Password Hash (Kerberos 5, etype 23, AS-REP) ([#176](https://github.com/praetorian-inc/noseyparker/pull/176))
+
 ### Changes
 
 - The vendored copy of Boost included in the internal `vectorscan-sys` crate has been removed in favor of using the system-provided Boost ([#150](https://github.com/praetorian-inc/noseyparker/pull/150) from @seqre).

diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information
 
 **Key features:**
 - It can natively scan files, directories, and Git repository history
-- It uses regular expression matching with a set of [139 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
+- It uses regular expression matching with a set of [141 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
 - It deduplicates its findings, grouping matches together that share the same secret, which in practice can reduce review burden by 100x or more
 - It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro
 - It scales: it has scanned inputs as large as 20TiB during security engagements

diff --git a/...oseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap b/...oseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
@@ -2,5 +2,4 @@
 source: crates/noseyparker-cli/tests/rules/mod.rs
 expression: stdout
 ---
-139 rules and 3 rulesets: no issues detected
-
+141 rules and 3 rulesets: no issues detected
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
@@ -81,6 +81,23 @@ expression: stdout
         ]
       }
     },
+    {
+      "id": "np.appsync.1",
+      "structural_id": "1a653a8d9b81fd1ef03814630e219dfcd01d847b",
+      "name": "AWS AppSync API Key",
+      "syntax": {
+        "name": "AWS AppSync API Key",
+        "id": "np.appsync.1",
+        "pattern": "(?x)\n\\b\n(da2-[a-z0-9]{26})\n\\b\n",
+        "examples": [
+          "  aws_appsync_apiKey: 'da2-nmaqhbb63zabjactesiydcfuvu',"
+        ],
+        "negative_examples": [],
+        "references": [
+          "https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#api-key-authorization"
+        ]
+      }
+    },
     {
       "id": "np.arn.1",
       "structural_id": "9b6dbcab66d56d9b6b9b3abbe3269f0eefcfd7da",
@@ -1366,6 +1383,27 @@ expression: stdout
         ]
       }
     },
+    {
+      "id": "np.krb5.asrep.23.1",
+      "structural_id": "0026c7bd3577be46d947892edab1bde4e1c320a0",
+      "name": "Password Hash (Kerberos 5, etype 23, AS-REP)",
+      "syntax": {
+        "name": "Password Hash (Kerberos 5, etype 23, AS-REP)",
+        "id": "np.krb5.asrep.23.1",
+        "pattern": "(?x)\n(\n\\$ krb5asrep                          (?# magic )\n\\$ 23                                 (?# etype )\n\\$\n(?: [^:]+ : )?                        (?# user @ domain : )\n[0-9a-f]{32}                          (?# salt )\n\\$ [0-9a-f]{64,}                      (?# hash )\n)\n\\b\n",
+        "examples": [
+          "$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac",
+          "$krb5asrep$23$8cf8eb5287e28a4006c064892150c4fb$3e05ecc13548bec8e1eeb900dea5429cc6931bae9b8524490eb3a8801560871fe44355ed556202afbb39872e1bbb5c3c4f1b37dcd68fda89a23ebad917d4bbb0933edd94331598939e5d0c0c98c7e219a2e9dd6b877280d1bd7c51131413be577a167208bcc21e9fe7ae8f393278d740e72ca5c44c42d5cb0bf6bab0a36f1b88b7ddc4abbc6f152e652f6ba35c2955fb4132e11b7e566f3b422c3740f79847b77783d245a4e570b8a621b4ff6ff4815566446af70313ee78133707a76a4e4424783bd7c04920aa822a1a36b29f7e25cef186e6439fc46e42e23d6bd918969ef49b8388aef158e443b3a57dbde7ada631fbef7326f9046a9b",
+          "$krb5asrep$23$c447eddaebf22ebf006a8fc6f986488c$eb3a17eb56287b474cecad5d4e0490d949977ba3f5015220bcd3080444d5601d67b76c5453b678e8527624e40c273bea4cfe4a7303e136b9bc3b9e63b6fb492ee4b4d2f830c5fa5a55466b57a678f708438f6712354a2deb851792b09270f4941966b82a2fd5ad8fa1fbd95a60b0f9bcd57774b3e55467a02ffcb3f1379104c24e468342f83df20b571e6f34f9a9842b43735d58d94514dcefa76719c0f5c7c3a3bfa770380924625aa0a3472d7c02d10dbb278fd946f7efcfe59a4d4cb7bdb9c5dbddc027611fe333d3ac940ec5b4ed43b55ab54b03cd2df0a9a2a7b5d235c226b259bd5ff8e0e49680351d4f0c4d13e258bc8d383cad6fc2711be0",
+          "$krb5asrep$23$771adbc2397abddef676742924414f2b$2df6eb2d9c71820dc3fa2c098e071d920f0e412f5f12411632c5ee70e004da1be6f003b78661f8e4507e173552a52da751c45887c19bc1661ed334e0ccb4ef33975d4bd68b3d24746f281b4ca4fdf98fca0e50a8e845ad7d834e020c05b1495bc473b0295c6e9b94963cb912d3ff0f2f48c9075b0f52d9a31e5f4cc67c7af1d816b6ccfda0da5ccf35820a4d7d79073fa404726407ac840910357ef210fcf19ed81660106dfc3f4d9166a89d59d274f31619ddd9a1e2712c879a4e9c471965098842b44fae7ca6dd389d5d98b7fd7aca566ca399d072025e81cf0ef5075447687f80100307145fade7a8",
+          "$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac"
+        ],
+        "negative_examples": [],
+        "references": [
+          "https://hashcat.net/wiki/doku.php?id=example_hashes"
+        ]
+      }
+    },
     {
       "id": "np.linkedin.1",
       "structural_id": "2fb4e1caf47a02501461f43476d779dc3c867f0f",
@@ -2784,7 +2822,7 @@ expression: stdout
     {
       "id": "default",
       "name": "Nosey Parker default rules",
-      "num_rules": 119
+      "num_rules": 120
     },
     {
       "id": "np.assets",
@@ -2794,7 +2832,7 @@ expression: stdout
     {
       "id": "np.hashes",
       "name": "Nosey Parker password hash rules",
-      "num_rules": 5
+      "num_rules": 6
     }
   ]
 }