Find leaked credentials and sensitive data (e.g., tokens, API keys) based on URL, Subdomain & JavaScript File Permutations.
Current Version: 2.01
- Subdomain Scan
- Internal URL Discovery
- Network Resource Detection (JavaScript, Configuration Files)
- Enhanced Credential Pattern Detection
- Smart URL Prioritization
- Multiprocessing based on CPU cores
- DDoS Prevention Instruments (e.g., time delays)
- Configurable URL Scan Limit (default: 100,000)
- URL Prioritization: URLs are prioritized based on their likelihood of containing sensitive data
- Pattern Categories:
- High-Risk Patterns (API keys, tokens, passwords)
- Cloud Service Credentials
- Database Connection Strings
- Authentication Tokens
- Infrastructure Secrets
The CSV file is created in the credentialthreat/data/output folder with the following columns:
- Base URL: URL with affected sensitive data candidate
- Affected Network Resource from Base URL
- Registered Domain of Base URL
- Credential Sensitive Data Candidate
git clone https://github.com/PAST2212/credentialthreat
cd credentialthreat
pip install -r requirements.txtBasic usage (default setting):
python3 credentialthreat.pyAdvanced usage (example command):
python3 credentialthreat.py --limit 200000Options:
--limit: Maximum number of URLs to be scanned (default: 100000)
cd credentialthreat
git pullIf you encounter a merge error, try:
git reset --hard
git pull- Add domain name to
credentialthreat/data/input/domains.txt
For updates, please see the Changelog.
Patrick Steinhoff - LinkedIn
- Part of credential patterns are based on Bug Bounty Hunter h4x0r-dz project: Leaked-Credentials