Pillager
Sunday, Dec 20, 2020
Summary
After reading through a bit of the Blackhat Go book, I wanted to take a shot at creating a commandline tool to hunt for API tokens, basic auth credentials, and other sensitive information in files.
Pillager takes heavy inspiration from Gitleaks, but rather than being strictly for git repos, Pillager digs through any directories. This can be useful if you need to run scans on a web server, personal computer, container or whatever device where the leaked information may not be localized to the Git repo.
How does it work?
Pillager is designed to provide a simple means of leveraging Go’s strong concurrency model to recursively search directories for sensitive information in files. Once pillager finds files that match the supported patterns, the file is scanned using a series of concurrent workers that each take a line of the file from the job queue and hunt for patterns that match your rules.toml configuration.
How do I configure it?
Pillager provides full support for Gitleaks rules. This can either be passed in with a rules.toml file, or you can use the default ruleset by leaving the rules flag blank. Instead of a pre-baked set of regexes, Gitleaks rules empowers users to be in full control of their hunting patterns.
# rules.toml
title = "pillager rules"
[[rules]]
description = "AWS Access Key"
regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[[rules]]
description = "Email Address"
regex = '''(?i)([A-Za-z0-9!#$%&'*+\/=?^_{|.}~-]+@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)'''
tags = ["email", "User Info"]