A new hacking tool designed for the discovery of leaked, paired private and public keys which may be harmful has been released to the open source community.
The software, dubbed ‘Driftwood’, was released by Truffle Security on November 8.
Driftwood is described as a tool to let “security professionals immediately know if an identified encryption key is a sensitive key” across online repositories.
Rising to the top
Over the years, collections of encryption keys have become complicated to manage and organize. If some end up leaked, it can be difficult to find out where, how, and whether or not their exposure poses a security risk.
In September, the cybersecurity firm released TruffleHog, a Chrome browser extension designed to find API Keys for software-as-a-service (SaaS) and cloud services that have accidentally made their way into JavaScript. During testing, dozens of private encryption keys were found.
Truffle Security co-founder Dylan Ayrey said Driftwood builds upon Trufflehog’s ability to find leaky keys by leveraging open ledgers of public keys.
The tool uses two sources: Google’s Certificate Transparency project, an open log of TLS certificates created after 2018, and GitHub SSH keys, which together create a database of billions of keys.
“Because GitHub lets you query these SSH keys for other users, we are able to use Driftwood to quickly figure out if a private key happens to pair with a GitHub user,” Truffle Security said.
Driftwood in action
In a blog post this week, Ayrey explained that Driftwood is able to take an asymmetric private key, extract the public key component, and then compare this key to the TLS/SSH key database to check if it pairs with a known, sensitive key.
During testing, a 50,000-strong sample revealed “dozens” of private GitHub user SSH keys containing push rights to hundreds of repositories including those owned by major tech firms, according to the cybersecurity outfit.
In addition, hundreds of certificates matching these keys – that were active and needed to be revoked – were found.
Approximately 2,500 private keys also appeared in the sample, encrypted with symmetric encryption keys, of which passwords could be guessed in 70% of cases.
Truffle Security has worked to have compromised certificates revoked and keys rotated ahead of the tool’s public release.
The firm’s Driftwood tool is available on GitHub. New key sources will be added in the future.
“The first step to remediating vulnerabilities is knowing about them,” Ayrey told The Daily Swig. “If people commit SSL keys today, it’s hard to know about it. This tool helps infosec professionals quickly find these vulnerabilities so they can get the affected certificates revoked asap.”
Source: https://portswigger.net/daily-swig/driftwood-debuts-new-open-source-tool-hunts-for-leaked-public-private-key-pairs