
Detect database passwords, for example for ODBC and/or JDBC #12

Open
@clach04

Description


I just tried this on a directory where I purposefully embedded some ODBC connection strings with a password attribute and Kingfisher didn't see it.

But, thanks to https://github.com/mongodb/kingfisher/blob/main/docs/RULES.md I put together a quick and dirty rule that seemed to work (but it may be too greedy?)

# kingfisher rule - ODBC/JDBC PWD / password test
# https://github.com/mongodb/kingfisher/blob/main/docs/RULES.md

rules:
  - name: Database_password
    id:   database_password
    pattern: |
      (?x)
      (?i)
      pwd\=
      ["']?            # optional opening quote, so PWD="..." (as in the example below) is matched too
      \b
      (
        [a-z0-9]+      # at least one character, so an empty value is never reported as a finding
      )
      \b
    #min_entropy: 3.5
    #confidence: medium
    examples:
      - PWD="ij1mut5oe606wlrf5z4u8u31264z3gag"

Which seemed to work for:

kingfisher scan  --rules-path c:\tmp\test_rule.yaml .

output:

 INFO kingfisher::update: Checking for updates…
 INFO kingfisher::update: Kingfisher 1.14.0 is up to date
 INFO kingfisher: Launching with 40 concurrent scan jobs. Use --num-jobs to override.
 INFO kingfisher::rule_loader: Loaded 192 rules
  Scanning files and git repository content... 3.58 MiB [00:00:00]
 INFO kingfisher::scanner::runner: Starting secret validation phase...
\ Validating secrets… [========================================] 1/1 (100%) [00:00:00]
Validation complete – 0 succeeded, 0 failed
DATABASE_PASSWORD => [DATABASE_PASSWORD]
 |Finding.......: mypassword
 |Fingerprint...: 8441531920018910002
 |Confidence....: medium
 |Entropy.......: 3.12
 |Validation....: Not Attempted
 |Language......: Python
 |Line Num......: 57
 |Path..........: .\anyingres.py



==========================================
Scan Summary:
==========================================
 |Findings....................: 1
 |__Successful Validations....: 0
 |__Failed Validations........: 0
 |Rules Applied...............: 192
 |__Blobs Scanned.............: 180
 |Bytes Scanned...............: 3.58 MiB
 |Scan Duration...............: 36ms 512us 100ns

test content:

ipy.exe sample.py "Driver={SQL Server};Server=myserver;Database=databasename;uid=myusername;pwd=mypassword"

I'm not super confident in the rule itself, so this may be more useful as a starting point/reference than as a rule to use for production?

I literally spent a few mins on this, likely spent more time typing up this report than anything 😁

Cool tool, thanks for sharing!
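As an added example (not from the issue and not Kingfisher code), the script below exercises two regex variants against constructed ODBC/JDBC connection strings: a strict `pwd=` pattern with the word boundary directly after `=`, which is the shape of the rule as first posted and silently misses a quoted value such as `PWD="..."`, and a widened pattern that is my own assumption (not a Kingfisher rule) covering JDBC-style `password=`, optional quotes and whitespace, while never reporting an empty value.

```python
import re

# Strict variant: the shape of the rule as first posted in the issue.
# The \b right after "=" requires a word character next, so a quoted value fails.
STRICT_PATTERN = r"""(?x)(?i)
pwd\=
\b
(
  [a-z0-9]*
)
\b
"""

# Widened variant (assumption, not a Kingfisher rule): also matches JDBC-style
# "password=", tolerates whitespace around "=" and an optional opening quote,
# and requires at least one value character so an empty capture is never reported.
# The capture stops at whitespace, ";", "&" or a quote, i.e. at the end of the value.
WIDENED_PATTERN = r"""(?x)(?i)
\b(?:pwd|password)\s*=\s*["']?
([^\s;"'&]+)
"""

# Constructed sample lines (not real credentials): ODBC, the quoted example
# from the issue, a JDBC URL, and an empty pwd= that should not be reported.
SAMPLES = [
    'Driver={SQL Server};Server=myserver;Database=databasename;uid=myusername;pwd=mypassword',
    'PWD="ij1mut5oe606wlrf5z4u8u31264z3gag"',
    'jdbc:postgresql://db.example.invalid:5432/app?user=app&password=s3cr3t-Val_ue',
    'uid=myusername;pwd=;Database=x',
]


def find_passwords(pattern, lines):
    """Return (line_index, captured_value) for every match of `pattern` in `lines`."""
    rx = re.compile(pattern)
    hits = []
    for i, line in enumerate(lines):
        for m in rx.finditer(line):
            hits.append((i, m.group(1)))
    return hits


if __name__ == "__main__":
    for name, pat in (("strict", STRICT_PATTERN), ("widened", WIDENED_PATTERN)):
        print(name, find_passwords(pat, SAMPLES))
```

The strict variant only reports the unquoted ODBC line; the widened one also reports the quoted and JDBC values and still ignores the empty `pwd=`.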
