During a security analysis, you often deal with outputs and look for secrets: Git repositories, logs, executables, and more. The first question to ask is: what kind of secrets am I looking for? A hidden password in code or a log file? Malware hidden on disk, or an IP address inside a discovered binary?

I will cover three well-known tools: shhgit, Yara, and the old-fashioned grep.

shhgit

Shhgit is a Go binary that, by default, watches the GitHub public events stream for freshly pushed secrets; with -local it scans a Git repository or any regular directory on disk instead. It looks for file names, extensions, or contents matching regexes for usernames, passwords, API tokens, and private keys. The signatures live in its config.yaml, so you can add your own patterns.

Install

Install Go for your platform, then (on Go 1.17 or newer, go get no longer builds binaries, so use go install; older toolchains used go get github.com/eth0izzle/shhgit):

$ go install github.com/eth0izzle/shhgit@latest

Download the default config file (pick a directory, create it, then fetch the file; here /opt/shhgit/):

$ curl -o /opt/shhgit/config.yaml \
    https://raw.githubusercontent.com/eth0izzle/shhgit/master/config.yaml

Use

Scan the current directory recursively (-config-path points at the directory that contains config.yaml, not at the file itself):

$ shhgit -local . -config-path /opt/shhgit/

Yara

Yara matches files against rules built from text strings, hex byte patterns and regexes, tied together by a boolean condition. Unlike shhgit, it is just as comfortable with binaries as with text, which is why it is the standard tool for finding and classifying malware on disk, not just text-based secrets.

Install

# Debian/Ubuntu
$ sudo apt install yara

# macOS
$ brew install yara

You'll need some rules. Two good repositories (signature-base is Florian Roth's actively maintained set of malware and IOC rules; the Yara-Rules collection also ships small utility rules, such as the URL extractor used below):

# Default yara rules
$ git clone https://github.com/Yara-Rules/rules

# Signature-Base: YARA signatures and IOC database
$ git clone https://github.com/Neo23x0/signature-base

Use

Useful flags: -r scans subdirectories recursively, -s prints the matching strings and -m the rule metadata, -w silences the compiler warnings that third-party rule sets tend to produce, -p N scans with N threads, and -e prefixes each match with the rule's namespace.

# Scan current directory with a rule
$ yara -w -p 4 -e my_rule.yar .

# Recursively
$ yara -w -r -p 4 -e my_rule.yar .

# Verbose output (matching strings + metadata)
$ yara -w -p 4 -e -s -m my_rule.yar .

Examples

The paths below assume both repositories were cloned under /opt/YARA/.

# Look for malware in your home directory
$ find /opt/YARA/signature-base/yara/crime_* -name "*.yar" \
    -exec yara -w -p 4 -e {} ~ \; 2>/dev/null

# Extract all URLs recursively in the current directory
# (url_regex is the string identifier inside url.yar; with -s yara prints
# one "offset:$url_regex: <match>" line per hit and awk keeps the match)
$ yara -w -p 4 -r -s /opt/YARA/rules/utils/url.yar . \
    | grep url_regex | awk '{print $2}' | sort -u
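The article runs other people's rule sets; for secret hunting you usually also want a rule of your own. The script below is an added example, not code from the article or from the YARA project: it writes a two-rule file (PEM/OpenSSH private-key headers, and password / API-key assignments), builds a constructed sample directory with a fake key and fake credentials, and scans it. Rule names, file names and sample values are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): a custom YARA rule set
# for credential material, plus a constructed sample tree to scan.
# The key and secrets below are fake; nothing here is a real credential.
set -eu

# Write the rules to the path given in $1 and print that path.
write_rules() {
  cat > "$1" <<'EOF'
rule hardcoded_private_key
{
    meta:
        description = "PEM or OpenSSH private key header in a file"
    strings:
        $pem_rsa = "-----BEGIN RSA PRIVATE KEY-----"
        $pem_ec  = "-----BEGIN EC PRIVATE KEY-----"
        $pem_pk8 = "-----BEGIN PRIVATE KEY-----"
        $pem_ssh = "-----BEGIN OPENSSH PRIVATE KEY-----"
    condition:
        any of ($pem_*)
}

rule hardcoded_credential
{
    meta:
        description = "password or API key assignment in a text file"
    strings:
        // "password = value": at least 6 non-blank chars after = or :
        $pw  = /(password|passwd|pwd)[ \t]*[=:][ \t]*['"]?[^ \t\r\n'"]{6,}/ nocase
        // long token after api_key=, secret_key=, access_token= ...
        $tok = /(api[_-]?key|secret[_-]?key|access[_-]?token)[ \t]*[=:][ \t]*['"]?[A-Za-z0-9+\/=_-]{16,}/ nocase
    condition:
        filesize < 1MB and any of them
}
EOF
  echo "$1"
}

# Build a constructed sample tree (fake key, fake secrets) and print its path.
make_samples() {
  dir=$(mktemp -d)
  mkdir -p "$dir/src"
  cat > "$dir/id_ed25519" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAAconstructedNotARealKeyAAAA
-----END OPENSSH PRIVATE KEY-----
EOF
  printf 'DB_PASSWORD = "Sup3rS3cret!"\nAPI_KEY=abcdef0123456789abcdef0123456789\n' > "$dir/src/.env"
  # "password policy" has no = or : after the keyword, so $pw must not fire
  printf 'password policy: rotate every 90 days\n' > "$dir/src/notes.txt"
  echo "$dir"
}

# Scan $2 with the rules in $1; -s and -m show matched strings and metadata.
scan() {
  yara -w -r -s -m "$1" "$2"
}

# Number of files under $2 that matched rule $3 (rules file $1).
# Without -m, yara prints one "rule_name /path/to/file" line per match.
count_matches() {
  yara -w -r "$1" "$2" | grep -c "^$3 " || true
}

if command -v yara >/dev/null 2>&1; then
  rules=$(write_rules "$(mktemp)")
  samples=$(make_samples)
  scan "$rules" "$samples"
  rm -rf "$samples" "$rules"
else
  echo "yara is not installed; write_rules still produces the rule file" >&2
fi
```

Expected result with yara installed: hardcoded_private_key fires on id_ed25519 and hardcoded_credential on src/.env, while notes.txt stays quiet despite containing the word "password", because the regex insists on an assignment, not a keyword. The filesize guard keeps the regex rule off large binaries where a stray "pwd:" is almost certainly noise.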

grep / egrep

Everyone knows grep: it's built in, and with the right regex it can be as powerful as any dedicated tool. I prefer extended regular expressions for secret hunting. GNU grep 3.8 and later warns that egrep is obsolescent, so the examples use grep -E, which is the same thing.

Useful flags: -H displays the filename, -o extracts only the matching portion, -n adds the line number, -i ignores case, and -r recurses into directories.

# All PDF files in current directory (PDF text normally sits inside
# compressed streams, so grep on raw PDFs finds little; convert to text first)
$ grep -E -H -e 'REGEX' *.pdf

# With find (all file types; {} + batches files per grep call)
$ find . -type f -exec grep -E -H -e 'REGEX' {} +

# After a pipe (live log monitoring; add --line-buffered if you pipe further)
$ tail -f /var/log/app.log | grep -E -e 'REGEX'

Useful regexes

Prefix and suffix .{0,5} to pull in up to 5 characters of context around a match (with a plain .{5} a hit within the first or last 5 characters of a line is silently dropped); seeing the surroundings helps eliminate false positives. Test and build your own patterns at regex101.com.

# IPv4 (\b keeps it from reporting 1.2.3.45 inside 1.2.3.4567)
"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"

# URL
'(http|https)://[^/"]+'

# Email
"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"

# MD5 hash (SHA-1 is 40 hex chars, SHA-256 is 64)
"\b[a-fA-F0-9]{32}\b"

# Generic secrets (noisy; combine with -i)
"pass|key|api|secret"

# IBAN (15 to 34 characters in total, so 11 to 30 after the country code and check digits)
'\b[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}\b'

# Base64 (a quantifier needs a group to repeat: {4}* on its own is undefined
# in POSIX ERE; change * to {5,} to require 20+ characters and cut the noise)
'([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)'

# Find SQLite databases (find -name takes a shell glob, not a regex, so
# match the usual extensions, or check the magic bytes with file instead)
$ find . -type f \( -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' \)
$ find . -type f -exec file {} + | grep -i SQLite
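To show the patterns doing real work, here is an added example (mine, not the article's) that wraps the IPv4, email, Base64 and keyword regexes in small shell functions and runs them over a constructed sample tree: an .ini file with a fake password and Base64 key, a log line with a host address, an email and a URL, and a version string that looks like an IP. The Base64 pattern is the article's with a length floor of five 4-character groups, and the IPv4 pattern has \b anchors; file names and values are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): the article's grep -E
# patterns wrapped in functions and run over a constructed sample tree.
# Every address, account and secret below is fake.
set -eu

# Patterns from the article. IPv4 gets \b anchors; Base64 requires at least
# five 4-char groups (20+ chars) so ordinary words do not match.
IPV4_RE='\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}\b'
EMAIL_RE='\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b'
B64_RE='([A-Za-z0-9+/]{4}){5,}([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)'
HINT_RE='pass|key|api|secret'

# Build a constructed sample tree and print its path.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/app/config" "$dir/logs"
  cat > "$dir/app/config/settings.ini" <<'EOF'
[db]
host = 10.0.0.12
user = app
password = Sup3rS3cret!
api_key = QUJDREVGR0hJSktMTU5PUA==
EOF
  cat > "$dir/logs/app.log" <<'EOF'
2024-01-01T10:00:00Z GET https://api.example.com/v1/users from 203.0.113.7 user=alice@example.com
2024-01-01T10:00:01Z build version 1.2.3.4 started
EOF
  printf 'Nothing sensitive in this file.\n' > "$dir/app/README"
  echo "$dir"
}

# Unique IPv4-looking strings under $1 (version numbers such as 1.2.3.4 included).
find_ips()    { grep -rhoE "$IPV4_RE"  "$1" | LC_ALL=C sort -u; }
find_emails() { grep -rhoE "$EMAIL_RE" "$1" | LC_ALL=C sort -u; }
find_base64() { grep -rhoE "$B64_RE"   "$1" | LC_ALL=C sort -u; }

# The same IPv4 search with up to 8 characters of leading context, the
# trick from the article: "version 1.2.3.4" is obviously not a host.
ip_context()  { grep -rnoE ".{0,8}$IPV4_RE" "$1"; }

# Files whose content matches the noisy keyword pattern, as paths relative
# to $1 (api.example.com in the log is the expected false positive).
hint_files()  { (cd "$1" && grep -rliE "$HINT_RE" . | LC_ALL=C sort); }

dir=$(make_sample_tree)
echo "== IPv4 ==";                 find_ips "$dir"
echo "== IPv4 with context ==";    ip_context "$dir"
echo "== e-mail ==";               find_emails "$dir"
echo "== base64 (20+ chars) ==";   find_base64 "$dir"
echo "== files with keywords =="; hint_files "$dir"
rm -rf "$dir"
```

The context variant is where the triage happens: the bare search returns three "addresses", the contextual one shows that 1.2.3.4 sits after the word "version" and can be discarded, and the keyword pass flags the log file only because of the api.example.com hostname, which is exactly the noise the article warns about.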
If you enjoyed this article, feel free to share it or reach out on LinkedIn.