id: server-private-keys info: name: Detect Private SSH and TLS Keys author: geeknik severity: high requests: - method: GET path: - "{{BaseURL}}/host.key" - "{{BaseURL}}/www.key" - "{{BaseURL}}/private-key" - "{{BaseURL}}/privatekey.key" - "{{BaseURL}}/server.key" - "{{BaseURL}}/my.key" - "{{BaseURL}}/key.pem" - "{{BaseURL}}/id_rsa" - "{{BaseURL}}/id_dsa" - "{{BaseURL}}/.ssh/id_rsa" - "{{BaseURL}}/.ssh/id_dsa" - "{{BaseURL}}/.ssh/known_hosts.old" - "{{BaseURL}}/.ssh/authorized_keys" - "{{BaseURL}}/_/.ssh/authorized_keys" - "{{BaseURL}}/.ssh/known_hosts" - "{{BaseURL}}/{{Hostname}}.key" - "{{BaseURL}}/{{Hostname}}.pem" matchers-condition: and matchers: - type: word words: - "BEGIN OPENSSH PRIVATE KEY" - "BEGIN PRIVATE KEY" - "BEGIN RSA PRIVATE KEY" - "BEGIN DSA PRIVATE KEY" - "BEGIN EC PRIVATE KEY" - "BEGIN PGP PRIVATE KEY BLOCK" - "ssh-rsa" condition: or - type: status status: - 200