Recon Tool: SwaggerHole

by | Mar 24, 2022 | Tools

SwaggerHole

Post Views: 910

Premium Content

Patreon

Subscribe to Patreon to watch this episode.

Reading Time: 2 Minutes

Recon Tool: SwaggerHole

GitHub Link

 

Introduction

SwaggerHole by Liodeus, based on whispers tool is written to automate the process of retrieving secrets in the public APIs on swaggerHub. This tool is multithreaded and pipe mode is available which can be used in various flexible ways due to this, in order to detect and prevent sensitive information that can be found such as discovering API Keys, hardcoded credentials secrets like passwords, tokens within the code itself.

 

Requirements

  • python3 (sudo apt install python3)
  • pip3 (sudo apt install python3-pip)

 

 

See Also: Complete Offensive Security and Ethical Hacking Course

 

Installation

 

pip3 install swaggerhole

 

or cloning this repository and running

 

git clone https://github.com/Liodeus/swaggerHole.git
pip3 install .

 

 

 

Usage

 

  / ___/| | /| / // __ `// __ `// __ `// _ \ / ___/
 (__  ) | |/ |/ // /_/ // /_/ // /_/ //  __// /    
/____/  |__/|__/ \__,_/ \__, / \__, / \___//_/     
    __  __        __   /____/ /____/               
   / / / /____   / /___                            
  / /_/ // __ \ / // _ \                           
 / __  // /_/ // //  __/                           
/_/ /_/ \____//_/ \___/                            
                                                   
usage: swaggerhole [-h] [-s SEARCH] [-o OUT] [-t THREADS] [-j] [-q] [-du] [-de]

optional arguments:
  -h, --help            show this help message and exit
  -s SEARCH, --search SEARCH
                        Term to search
  -o OUT, --out OUT     Output directory
  -t THREADS, --threads THREADS
                        Threads number (Default 25)
  -j, --json            Json ouput
  -q, --quiet           Remove banner
  -du, --deactivate_url
                        Deactivate the URL filtering
  -de, --deactivate_email
                        Deactivate the email filtering

 

 

See Also: Recon Tool: Uncover

 

Search for secret about a domain

swaggerHole -s test.com

echo test.com | swaggerHole

 

Search for secret about a domain and output to json

swaggerHole -s test.com --json

echo test.com | swaggerHole --json

 

 

Search for secret about a domain and do it fast

swaggerHole -s test.com -t 100

echo test.com | swaggerHole -t 100

 

 

Output explanation

 

Normal output

Finding_Type – Finding – [Swagger_Name][Date_Last_Update][Line:Number]

 

Json output

{“Finding_Type”: Finding, “File”: File_path, “Date”: Date_Last_Update, “Line”: Number}

 

Deactivate url/email

Using -du or -de remove the filtering done by the tool. There is more false positive with those options.

 

See Also: Hacking stories: MafiaBoy, the hacker who took down the Internet

 

Merch

 

Recent Tools

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This