salvacybersec/keyhunter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94238eb72b0c9d3008a7ded0fd298c0c5f8dc854
keyhunter/pkg/recon/sources/splunk.go
salvacybersec bc63ca1f2f feat(15-03): add Elasticsearch, Kibana, and Splunk ReconSource implementations 
- ElasticsearchSource: POST _search API with query_string, parse hits._source
- KibanaSource: GET saved_objects/_find API with kbn-xsrf header
- SplunkSource: GET search/jobs/export API with newline-delimited JSON parsing
- All sources use ciLogKeyPattern for key detection
- Tests use httptest mocks for each API endpoint
2026-04-06 16:31:05 +03:00

123 lines
3.0 KiB
Go
Raw Blame History

package sources
import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"strings"
"time"
"golang.org/x/time/rate"
"github.com/salvacybersec/keyhunter/pkg/providers"
"github.com/salvacybersec/keyhunter/pkg/recon"
)
// SplunkSource searches exposed Splunk instances for API keys in log data.
// Exposed Splunk Web interfaces may allow unauthenticated search via the
// REST API, especially in development or misconfigured environments.
type SplunkSource struct {
BaseURL string
Registry *providers.Registry
Limiters *recon.LimiterRegistry
Client *Client
}
var _ recon.ReconSource = (*SplunkSource)(nil)
func (s *SplunkSource) Name() string { return "splunk" }
func (s *SplunkSource) RateLimit() rate.Limit { return rate.Every(3 * time.Second) }
func (s *SplunkSource) Burst() int { return 2 }
func (s *SplunkSource) RespectsRobots() bool { return false }
func (s *SplunkSource) Enabled(_ recon.Config) bool { return true }
// splunkResult represents a single result row from Splunk search export.
type splunkResult struct {
Result json.RawMessage `json:"result"`
Raw string `json:"_raw"`
}
func (s *SplunkSource) Sweep(ctx context.Context, query string, out chan<- recon.Finding) error {
base := s.BaseURL
if base == "" {
base = "https://localhost:8089"
}
// If no explicit target was provided (still default) and query is not a URL, skip.
if base == "https://localhost:8089" && query != "" && !strings.HasPrefix(query, "http") {
return nil
}
client := s.Client
if client == nil {
client = NewClient()
}
queries := BuildQueries(s.Registry, "splunk")
if len(queries) == 0 {
return nil
}
for _, q := range queries {
if err := ctx.Err(); err != nil {
return err
}
if s.Limiters != nil {
if err := s.Limiters.Wait(ctx, s.Name(), s.RateLimit(), s.Burst(), false); err != nil {
return err
}
}
searchURL := fmt.Sprintf(
"%s/services/search/jobs/export?search=%s&output_mode=json&count=20",
base, url.QueryEscape("search "+q),
)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, searchURL, nil)
if err != nil {
continue
}
resp, err := client.Do(ctx, req)
if err != nil {
continue
}
data, err := io.ReadAll(io.LimitReader(resp.Body, 512*1024))
_ = resp.Body.Close()
if err != nil {
continue
}
// Splunk export returns newline-delimited JSON objects.
for _, line := range strings.Split(string(data), "\n") {
line = strings.TrimSpace(line)
if line == "" {
continue
}
var sr splunkResult
if err := json.Unmarshal([]byte(line), &sr); err != nil {
continue
}
content := sr.Raw
if content == "" {
content = string(sr.Result)
}
if ciLogKeyPattern.MatchString(content) {
out <- recon.Finding{
ProviderName: q,
Source: fmt.Sprintf("%s/services/search/jobs/export", base),
SourceType: "recon:splunk",
Confidence: "medium",
DetectedAt: time.Now(),
}
}
}
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink