Passive Detection

Enable passive detection with the --passive or -G option.

This step looks for common patterns in each request and runs on every request after the active detection step has finished.

Default passive signatures can be found here.

The first time you run jaeles, it installs the default passive signatures to ~/.jaeles/passives.

Add a new passive signature as a single file in the ~/.jaeles/passives folder, or add a new rule to the rules section of an existing passive signature.


Syntax

Jaeles looks for passive signatures by file, and each file can hold several rules. The id and reason of each rule identify it in the output; the detections section uses the same syntax as the detection section of a normal signature.

Sample passive signature

name: "secret pattern"
desc: "grep for secret pattern"
risk: "High"
level: 1
rules:
  - id: secret-base64-01
    reason: "Base64"
    detections:
      - >-
                RegexSearch("response", '([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}')

  ### Private key
  - id: secret-key-01
    reason: "Private key & Private key base64"
    detections:
      - >-
                RegexSearch("response", "-----BEGIN [ A-Za-z0-9]*PRIVATE KEY[ A-Za-z0-9]*-----")
      - >-
                RegexSearch("response", "-----BEGIN .{3,100}-----")
      - >-
                RegexSearch("response", "-----BEGIN PGP PRIVATE KEY BLOCK-----")
      - >-
                RegexSearch("response", "LS0tLS1CRUdJTiBQR1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tL[%a-zA-Z0-9+/]+={0,2}")
      - >-
                RegexSearch("response", "-----BEGIN RSA PRIVATE KEY-----")
      - >-
                RegexSearch("response", "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tL[%a-zA-Z0-9+/]+={0,2}")
      - >-
                RegexSearch("response", "-----BEGIN DSA PRIVATE KEY-----")
      - >-
                RegexSearch("response", "LS0tLS1CRUdJTiBEU0EgUFJJVkFURSBLRVktLS0tL[%a-zA-Z0-9+/]+={0,2}")
      - >-
                RegexSearch("response", "-----BEGIN EC PRIVATE KEY-----")
      - >-
                RegexSearch("response", "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0t[%a-zA-Z0-9+/]+={0,2}")
      - >-
                RegexSearch("response", "-----BEGIN OPENSSH PRIVATE KEY-----")
      - >-
                RegexSearch("response", "LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS[%a-zA-Z0-9+/]+={0,2}")
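To show how the rules above are evaluated, and how the LS0tLS1... patterns are derived from their plaintext PEM headers, here is an added Python example (not Jaeles' own code): regex_search approximates Jaeles' RegexSearch, the rules are a subset transcribed from the sample signature, and the responses are constructed.

```python
import base64
import re

# Subset of the sample passive signature above, as plain Python data so this runs without PyYAML.
SAMPLE_RULES = [
    {"id": "secret-base64-01", "reason": "Base64", "detections": [
        r'([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}']},
    {"id": "secret-key-01", "reason": "Private key & Private key base64", "detections": [
        r"-----BEGIN [ A-Za-z0-9]*PRIVATE KEY[ A-Za-z0-9]*-----",
        r"-----BEGIN .{3,100}-----",
        r"-----BEGIN RSA PRIVATE KEY-----",
        r"LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tL[%a-zA-Z0-9+/]+={0,2}"]},
]


def regex_search(text: str, pattern: str) -> bool:
    """Approximation of RegexSearch("response", pattern): true if the pattern matches anywhere."""
    return re.search(pattern, text) is not None


def run_passive(response: str, rules=SAMPLE_RULES):
    """A rule fires when any of its detections matches (first match wins, like a short-circuit).
    Returns [(rule id, reason, matching pattern)] - the id/reason pairs Jaeles reports."""
    hits = []
    for rule in rules:
        for pattern in rule["detections"]:
            if regex_search(response, pattern):
                hits.append((rule["id"], rule["reason"], pattern))
                break
    return hits


def b64_header_prefix(header: str) -> str:
    """Derive the base64 prefix used in the 'LS0tLS1...' patterns: base64 of the PEM header,
    keeping only the characters fixed by the header itself (a 1-byte remainder fixes 1 char,
    a 2-byte remainder fixes 2; later chars depend on whatever byte follows the header)."""
    full = base64.b64encode(header.encode()).decode().rstrip("=")
    rem = len(header) % 3
    return full[:(len(header) // 3) * 4 + rem]


# Constructed sample responses (not real data): a leak of a JWT-like token plus a PEM private
# key header, a harmless public certificate, and a clean page.
LEAKY_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                  "token=eyJhbGciOiJIUzI1NiJ9.placeholder\n"
                  "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
CERT_RESPONSE = ("HTTP/1.1 200 OK\r\n\r\n"
                 "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIU\n-----END CERTIFICATE-----\n")
CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello</body></html>\n"

if __name__ == "__main__":
    for name, resp in [("leaky", LEAKY_RESPONSE), ("cert", CERT_RESPONSE), ("clean", CLEAN_RESPONSE)]:
        print(name, run_passive(resp))
```

Note that the generic `-----BEGIN .{3,100}-----` detection also fires on a public certificate, so hits from secret-key-01 still need triage against the matching pattern.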

Using passive check inside active (normal) signatures

You can enable passive checks in a normal signature by adding passive: true at the beginning of it.

id: passive-only
passive: true
info:
  name: Passive only

params:
  - root: '{{.Raw}}'

requests:
  - method: 'GET'
    url: >-
            {{.root}}
    headers:
      - User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55'


You can also run the passive check only under a condition, as in this signature.

id: passive-on-success
info:
  name: Passive on success HTTP

params:
  - root: '{{.Raw}}'
  - me: 'GET'

requests:
  - method: GET
    url: >-
            {{.root}}
    headers:
      - User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55'
    # Only do passive check if response is 200
    detections:
      - >-
                StatusCode() == 200 && ContentLength("body") > 100 && DoPassive()

Usage

Enable passive checks for all requests:

cat urls.txt | jaeles scan -G -s <selector> ...

Or rely on your active signatures, as in the examples above:

jaeles scan -s <selector> ...