Auditing Fortinets Github with SecretMagpie
SecretMagpie is our opensource secret detection tool, and in this article we walk you through using it against an organisation’s public repositories.
What is source control, and what is SecretMagpie?
Modern development relies on version controlled source control software, typically provided by git or svn. These applications allow developers to collaborate on the same software, whilst keeping a history of their changes alongside useful messages such as what their changes were meant to achieve. Of the two, git is by far the most popular.
SecretMagpie can scan along this file history and look for leaked secrets, private keys, api keys and passwords.
Organisations use git services so developers can all work from the same git repository and keep up to date. Some examples of these services are Github, Gitlab, Bitbucket and AzureDevOps.
SecretMagpie can connect to all of these services and scan every repository the organisation has in the service, providing a full scan across all repositories.
Getting setup for scanning
Generate a Github PAT
We can scan the public repositories of any organisation on Github as long as we provide a personal access token (pat) to access the Github API.
First we need to go and get this pat.
Once logged into Github (create an account if you need to), go to https://github.com/settings/tokens to add a personal access token (classic).
If you want to scan public repositories, you don’t need any permissions checked.
If you want to scan the private repositories of your own organisation, check:
Get ready to run SecretMagpie
SecretMagpie is a python tool, but we package it into a docker image to make it easier to use. We will be using docker in this article.
We won’t tell you how to install docker here, but you can refer to Dockers getting started guide
Once you have Docker, you can pull the SecretMagpie image. This isn’t essential, but we add updates all the time so you should always pull the latest.
docker pull punksecurity/secretmagpie
Lets get scanning!
Running SecretMagpie in Docker is simple, but there are a lot of flags to use! Lets have a look at the full line, and then break it down.
docker run -d -v $PWD/results:/app/results punksecurity/secret-magpie github --org '<org>' --pat '<pat>' --out results/results --extra-context --parallel 10
We ask docker to mount the folder called results (in the current working directory) to the path /app/results/ inside the container. This allows us to get the results out. We also ask SecretMagpie to use this path by using “–out results/results”.
-v $PWD/results:/app/results ...SNIP... --out results/results
We use the Github provider, and provide the org and a personal access token.
github --org '<org>' --pat '<pat>'
We enable the extra_context output, which we will use later to rapidly work through the finding and we ask SecretMagpie to scan 10 repos at a time.
--extra-context --parallel 10
Phew! That’s all explained, lets look at the results!
We have 799 detections across 53 public repositories :)
____ __ _____ _ __ / __ \__ ______ / /__/ ___/___ _______ _______(_) /___ __ / /_/ / / / / __ \/ //_/\__ \/ _ \/ ___/ / / / ___/ / __/ / / / / ____/ /_/ / / / / ,< ___/ / __/ /__/ /_/ / / / / /_/ /_/ / /_/ \__,_/_/ /_/_/|_|/____/\___/\___/\__,_/_/ /_/\__/\__, / PRESENTS /____/ Secret-Magpie ✨ Scan all your github/bitbucket repos from one tool, with multiple tools! | Processed Repos: 53 | | Total secret detections: 799 | |================================= STATS ==================================| | Repo count | 53 | | Repos containing secrets | 11 | | Detections | 799 | | Unique Secrets | 32 | |==========================================================================| |=========================== DETECTIONS BY TOOL ===========================| | Source | Count | |==========================================================================| | gitleaks | 789 | | trufflehog | 10 | |==========================================================================| |========================= UNIQUE SECRETS BY TYPE =========================| | Type | Count | |==========================================================================| | generic-api-key | 22 | | aws-access-token | 4 | | VirusTotal | 3 | | AWS | 1 | | private-key | 1 | | Shortcut | 1 | |==========================================================================| |======================== DETECTIONS BY EXTENSION =========================| | Extension | Count | |==========================================================================| | | 716 | | json | 41 | | txt | 9 | | csv | 6 | | py | 4 | | xml | 4 | | example | 4 | | ini | 3 | | au3 | 3 | | key | 3 | | syn | 3 | | md | 2 | | tf | 1 | |==========================================================================| |======================== DETECTIONS BY REPOSITORY ========================| | Repository | Count | |==========================================================================| | fortigate-autoscale-aws | 636 | | autoscale-core | 89 | | ips-bph-framework | 20 | | quickstart-fortinet-fortigate-1 | 12 | | fortigate-terraform-deploy | 11 | | 4D-Demo | 9 | | fortigate-autoscale | 8 | | fortiadc-aws-autoscale | 6 | | fortigate-autoscale-aws-tgw | 6 | | fortiwebcloud-ansible | 1 | | azure-templates | 1 | |==========================================================================|
What we need to do now is start exploring these detections, eliminate the false positives and tackle the actual detections. We have a new feature coming to SecretMagpie which is going to make this really quick and easy, so check back for an update on that. For now here are my tips:
Open the CSV results in Excel and get a feel for the results. Don’t jump in straight away and start drilling into detections.
Enable column filters, so you can quickly see all the detections in a given repo or with the same filename. You can start to spot patterns.
Start to mark items as false positive at scale.
See a hash the recurs a lot? Look into it and if its a false positive you can mark the all of them as false positive in one go.
Do you see one file producing thousands of detections? It’s likely full of false positive guids, like a package lock file. Filter on it and quickly look down the secret column to confirm, and then mark them all as false positive.
We won’t go into detail on what we found at Fortinet as we didn’t attempt to make use of any identified private keys, aws keys or passwords. It looks like Fortinet have a good grasp on handling secret leaks now, but that wasn’t always the case. Overall though, they were in a reasonably good state with no obvious recent leaks.
We were able to audit Fortinets public repositories in around an hour. Source control repositories are potential gold mines for attackers and pen testers, and when its this easy to audit them we really hope more penetration testers will start including it in their scopes.