forked from mirrors/kingfisher
66 lines
2 KiB
YAML
66 lines
2 KiB
YAML
rules:
|
|
- name: FileZilla base64 encoded password
|
|
id: kingfisher.filezilla.1
|
|
pattern: |
|
|
(?xis)
|
|
<FileZilla3\b[^>]*>
|
|
(?:.|[\n\r]){0,5000}?
|
|
<(?:RecentServers|Servers)\b[^>]*>
|
|
(?:.|[\n\r]){0,5000}?
|
|
<Server\b[^>]*>
|
|
(?:.|[\n\r]){0,3000}?
|
|
<Pass\b[^>]*\bencoding\s*=\s*"(?:base64|radix64)"[^>]*>
|
|
\s*
|
|
(
|
|
[A-Z0-9+/]{8,}={0,2}
|
|
)
|
|
\s*
|
|
</Pass>
|
|
min_entropy: 3.2
|
|
confidence: medium
|
|
pattern_requirements:
|
|
ignore_if_contains:
|
|
- "ZXhhbXBsZQ==" # "example" (base64)
|
|
- "cGFzc3dvcmQ=" # "password" (base64)
|
|
- "Y2hhbmdlbWU=" # "changeme" (base64)
|
|
examples:
|
|
- '<Pass encoding="base64">VGhpc0lzQVRlc3RQYXNzd29yZA==</Pass>'
|
|
- '<FileZilla3><RecentServers><Server><Pass encoding="base64">NjllNWU5ZWMwZDU0MmU5Y2QwOTY4MWM5YzZhMDdkYWVmNjg3OWE3MDMzM2Q4MWJmCg==</Pass></Server></RecentServers></FileZilla3>'
|
|
references:
|
|
- https://forum.filezilla-project.org/viewtopic.php?style=246&t=38820
|
|
- https://forum.filezilla-project.org/viewtopic.php?p=133138
|
|
- https://forum.filezilla-project.org/viewtopic.php?t=24758
|
|
|
|
- name: FileZilla stored password (Pass plaintext)
|
|
id: kingfisher.filezilla.2
|
|
pattern: |
|
|
(?xis)
|
|
<FileZilla3\b[^>]*>
|
|
(?:.|[\n\r]){0,5000}?
|
|
<(?:RecentServers|Servers)\b[^>]*>
|
|
(?:.|[\n\r]){0,5000}?
|
|
<Server\b[^>]*>
|
|
(?:.|[\n\r]){0,3000}?
|
|
<Pass\b(?![^>]*\bencoding\s*=)[^>]*>
|
|
\s*
|
|
(
|
|
[^<\r\n]{4,128}
|
|
)
|
|
\s*
|
|
</Pass>
|
|
min_entropy: 2.8
|
|
confidence: medium
|
|
pattern_requirements:
|
|
ignore_if_contains:
|
|
- example
|
|
- Example
|
|
- password
|
|
- Password
|
|
- changeme
|
|
- ChangeMe
|
|
examples:
|
|
- "<Pass>ExamplePas123</Pass>"
|
|
- "<FileZilla3><Servers><Server><Pass>superS3cret!</Pass></Server></Servers></FileZilla3>"
|
|
references:
|
|
- https://stackoverflow.com/questions/29790136/filezilla-plain-text-password
|
|
- https://forum.filezilla-project.org/viewtopic.php?t=24758
|