Take a list of domains and scan for endpoints, secrets, api keys, file extensions, tokens and more...

Overview


Take a list of domains and scan for endpoints, secrets, api keys, file extensions, tokens and more...

go-report-card workflows ubuntu-build win10-build pr-welcome
Mainteinance yes ask me anything gobadge license-GPL3
Coded with ๐Ÿ’™ by edoardottt.
Share on Twitter!

Preview โ€ข Install โ€ข Get Started โ€ข Examples โ€ข Contributing

Preview ๐Ÿ“Š

asciicast

Installation ๐Ÿ“ก

You need Go.

  • Linux

    • git clone https://github.com/edoardottt/cariddi.git
    • cd cariddi
    • go get
    • make linux (to install)
    • make unlinux (to uninstall)

    Or in one line: git clone https://github.com/edoardottt/cariddi.git; cd cariddi; go get; make linux

  • Windows (executable works only in cariddi folder.)

    • git clone https://github.com/edoardottt/cariddi.git
    • cd cariddi
    • go get
    • .\make.bat windows (to install)
    • .\make.bat unwindows (to uninstall)

Get Started ๐ŸŽ‰

cariddi help prints the help in the command line.

Usage of cariddi:
  -c int
    	Concurrency level. (default 20)
  -d int
    	Delay between a page crawled and another.
  -e	Hunt for juicy endpoints.
  -ef string
    	Use an external file (txt, one per line) to use custom parameters for endpoints hunting.
  -examples
    	Print the examples.
  -ext int
    	Hunt for juicy file extensions. Integer from 1(juicy) to 7(not juicy).
  -h	Print the help.
  -oh string
    	Write the output into an HTML file.
  -ot string
    	Write the output into a TXT file.
  -plain
    	Print only the results.
  -s	Hunt for secrets.
  -sf string
    	Use an external file (txt, one per line) to use custom regexes for secrets hunting.
  -version
    	Print the version.

Examples ๐Ÿ’ก

  • cat urls | cariddi -version (Print the version)

  • cat urls | cariddi -h (Print the help)

  • cat urls | cariddi -s (Hunt for secrets)

  • cat urls | cariddi -d 2 (2 seconds between a page crawled and another)

  • cat urls | cariddi -c 200 (Set the concurrency level to 200)

  • cat urls | cariddi -e (Hunt for juicy endpoints)

  • cat urls | cariddi -plain (Print only useful things)

  • cat urls | cariddi -ot target_name (Results in txt file)

  • cat urls | cariddi -oh target_name (Results in html file)

  • cat urls | cariddi -ext 2 (Hunt for juicy (level 2 of 7) files)

  • cat urls | cariddi -e -ef endpoints_file (Hunt for custom endpoints)

  • cat urls | cariddi -s -sf secrets_file (Hunt for custom secrets)

  • For Windows use powershell.exe -Command "cat urls | .\cariddi.exe"

Contributing ๐Ÿ› 

Just open an issue/pull request. See also CONTRIBUTING.md and CODE OF CONDUCT.md

Help me building this!

A special thanks to:

To do:

  • Tests ( ๐Ÿ˜‚ )

  • Tor support

  • Proxy support

  • Plain output (print only results)

  • HTML output

  • Build an Input Struct and use it as parameter

  • Output color

  • Endpoints (parameters) scan

  • Secrets scan

  • Extensions scan

  • TXT output

License ๐Ÿ“

This repository is under GNU General Public License v3.0.
edoardoottavianelli.it to contact me.

Issues
  • Panic while compiling some regex during a find the secrets run

    Panic while compiling some regex during a find the secrets run

    Describe the bug Panic while compiling some regex during a find the secrets (-s) run. It also happens with the -e flag as well.

    panic: regexp: Compile(`*`): error parsing regexp: missing argument to repetition operator: `*`
    
    goroutine 1 [running]:
    regexp.MustCompile(0x14fb20a, 0x1, 0x0)
    	/usr/local/Cellar/go/1.16.4/libexec/src/regexp/regexp.go:311 +0x157
    github.com/edoardottt/cariddi/crawler.Crawler(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x14, 0x1, 0x0, ...)
    	/Users/sean/repos/cariddi/crawler/colly.go:54 +0x1ce
    main.main()
    	/Users/sean/repos/cariddi/main.go:91 +0x3cf
    

    To Reproduce Steps to reproduce the behavior:

    1. Create urls file with a valid url in it
    2. Run the following command: cat urls|./cariddi -d 2 -s
    3. See stack trace shortly after launching

    Expected behavior Cariddi should process the provided site and find any/all secrets

    Desktop (please complete the following information):

    • OS: Mac OS
    • Version: 11.4 (Bug Sur)
    opened by CSBaum 4
Owner
gilfoyle97
MSc Cybersecurity Student | @python | @golang | Linux | Bash
gilfoyle97
Take a list of domains and scan for endpoints, secrets, api keys, file extensions, tokens and more...

Take a list of domains and scan for endpoints, secrets, api keys, file extensions, tokens and more... Coded with ?? by edoardottt. Share on Twitter! P

gilfoyle97 34 Jun 15, 2021
Find secrets and passwords in container images and file systems

Find secrets and passwords in container images and file systems

null 1k Jun 9, 2021
Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories: www.shhgit.com

shhgit helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security br

Paul 3.2k Jun 21, 2021
Not Yet Another Password Manager written in Go using libsodium

secrets Secure and simple passwords manager written in Go. It aims to be NYAPM (Not Yet Another Password Manager), but tries to be different from othe

Jarmo Pertman 25 Apr 12, 2021
A tool for secrets management, encryption as a service, and privileged access management

Vault Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please respo

HashiCorp 21.3k Jun 10, 2021
How to systematically secure anything: a repository about security engineering

How to Secure Anything Security engineering is the discipline of building secure systems. Its lessons are not just applicable to computer security. In

Veeral Patel 6k Jun 12, 2021
Cossack Labs 763 Jun 13, 2021
A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple to

ProjectDiscovery 1.3k Jun 14, 2021
Cameradar hacks its way into RTSP videosurveillance cameras

Cameradar An RTSP stream access tool that comes with its library Cameradar allows you to Detect open RTSP hosts on any accessible target host Detect w

Brendan Le Glaunec 2.6k Jun 12, 2021
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

Minify and Secure Docker containers (free and open source!) Don't change anything in your Docker container image and minify it by up to 30x making it

docker-slim 10.2k Jun 14, 2021
Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal

Easy and Powerful TLS Automation The same library used by the Caddy Web Server Caddy's automagic TLS featuresโ€”now for your own Go programsโ€”in one powe

Caddy 3.4k Jun 12, 2021
The dynamic infrastructure framework for everybody! Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more!

Axiom is a dynamic infrastructure framework to efficiently work with multi-cloud environments, build and deploy repeatable infrastructure focussed on

pry0cc 2.1k Jun 14, 2021
Telling tales on you for leaking secrets!

Squealer Telling tales on you for leaking secrets! Squealer scans a local git repository for secrets that are being leaked deep within the commit hist

Owen Rumney 106 Jun 8, 2021
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

age age is a simple, modern and secure file encryption tool, format, and library. It features small explicit keys, no config options, and UNIX-style c

Filippo Valsorda 6.2k Jun 20, 2021