Love the tool BTW,

https://www.redpacketsecurity.com/secretfinder-a-python-script-for-find-sensitive-data-apikeys-accesstoken-jwt-and-search-anything-on-javascript-files/?utm_source=rss&utm_medium=rss&utm_campaign=secretfinder-a-python-script-for-find-sensitive-data-apikeys-accesstoken-jwt-and-search-anything-on-javascript-files

This has some apikey regex's which would be useful.

This may be pretty useful since if a user gets an output that contains unwanted entries, they can easily tweak filtration settings.

https://projects.lukehaas.me/regexhub/
https://github.com/k4m4/dogecoin-regex
https://www.regextester.com/22
https://www.regextester.com/96683

As README says:

Imagine this: You come across some mysterious text 🧙‍♂️ 5f4dcc3b5aa765d61d8327deb882cf99 and you wonder what it is. What do you do?
Well, with what all you have to do is ask what "5f4dcc3b5aa765d61d8327deb882cf99" and what will tell you!

But 'what' does not tell me! It does not find anything.
Therefore, 5f4dcc3b5aa765d61d8327deb882cf99 should be replaced with something else.

Describe the bug

#127 added an optional dependency on orjson:

However, unless I'm missing something, this doesn't become truly optional for an end-user without adding an extra like:

[tool.poetry.extras]
orjson = ["orjson"]

To Reproduce

$ python3 -m venv venv
$ . .venv/bin/activate
$ pip install pywhat==3.4.0
$ pip freeze
click==7.1.2
colorama==0.4.4
commonmark==0.9.1
orjson==3.6.3
Pygments==2.10.0
pywhat==3.4.0
rich==10.7.0
$ curl -s https://pypi.org/pypi/pywhat/3.4.0/json | jq .info.requires_dist
[
  "click (>=7.1.2,<8.0.0)",
  "rich (>=9.9,<11.0)",
  "orjson (>=3.6.1,<4.0.0)"
]

Expected behavior

orjson to be an optional dep, only installed on request like pip install pywhat[orjson]

We have some regex which are very false positive trippy, we should move these to 0.0 and move the default rarity to 0.1

https://github.com/pre-commit/identify

They have a library where people can upvote regex, might be useful!

https://regex101.com/library?orderBy=MOST_POINTS

This repo:
https://translate.google.com/translate?sl=auto&tl=en&u=https://github.com/mgulener/turkiye-regex-kaliplari

Is described as:

Regex codes of some patterns used in Turkey. We can add some of these which we don't have already.

You can follow this guide:
https://github.com/bee-san/pyWhat/wiki/Adding-your-own-Regex

to add your own Regex! :) <3

https://github.com/tomnomnom/gf/tree/master/examples

Hi!

For this issue, we'd want you to go through the Regex in TomNomNom's gf repo, and if you think they'd be useful add them to PyWhat :)

How do you add them to PyWhat? We have documentation for that! https://github.com/bee-san/pyWhat/wiki/Adding-your-own-Regex

This is for like an open API that lets people use it!

Input:
pywhat [email protected] --json

Output:

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.9/bin/pywhat", line 8, in <module>
    sys.exit(main())
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/pywhat/what.py", line 208, in main
    p.print_json(identified_output)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/pywhat/printer.py", line 82, in print_json
    self.console.print(json.dumps(text))
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/rich/console.py", line 1555, in print
    renderables = self._collect_renderables(
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/rich/console.py", line 1420, in _collect_renderables
    self.render_str(
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/rich/console.py", line 1311, in render_str
    rich_text = render_markup(text, style=style, emoji=emoji_enabled)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/rich/markup.py", line 148, in render
    raise MarkupError(
rich.errors.MarkupError: closing tag '[/?#]' at position 10409 doesn't match any open tag

https://github.com/hakluke/hakrawler/pull/87/files

I saw this used in a geocache once!

It would be great if what could identify the string as a phone number and provide information about it like country code, etc.

Regex fails if we use the SSN from : https://www.ssa.gov/history/ssn/misused.html

078-05-1120

It matches as a youtube video-id first. Ideally we:

• Move SSN physically up the JSON file
  So it matches on SSN first?

Alternatively a #29 filter system but I think physically moving the regex is fine?

Currently we only support ascii, unicode would be amazing!

When PyWhat is given longitude / latitude, it adds a Google Maps link to this.

It does this in the printing module. We should also return this in the Python API, so we'll need to turn this function into one used by both printing & API.

Should be able to filter by rarity and tags :-)

Not sure if this would be an appropriate functionality for this project. It doesn't seem to currently be supported, when I try running pywhat against a file containing a PGP public key, it says nothing found.

if this would be appropriate, I'd be happy to put up a PR implementing it :)

Your repo is just awsm keep rocking

Currently a few different network address types are supported, but MAC and other 48-bit addresses are not.

• What is a great tool for identifying anything, but it also supports file input such as .pcap
• Sometimes, we have loads of of files we want to scan for but it will take a long time to manually input each file into what

This is where the "folder" input comes in, give it a folder path and for each file / folder in there it will identify it

Currently, pywhat only uses regular expressions to identify stuff. However, we may often want to update the description based on a match or to filter out false positives.

Some examples:

• Pinging URLs to check if it is responding or if a certain resource exists, etc.
• Parsing timestamps (#234) (1637093119.558717 to November 16, 2021 8:05:19 PM)
• Changing rarity based on a match
• And many more

How it should be implemented?

I think the best idea would be to write a class for every regex pattern (so that it can save the state between several matches). That class should have a method like process() that gets a match object and can alter it and return it or return None to filter it out.

Example:

class URLProcessor:
    def process(match):
        if "http://trashurl.it" in match["url"]: # Or maybe we should create an actual Match class and do match.url
            return None

This one seems to be an older repo:
https://github.com/blackthorne/Codetective

Currently regex have boundaries which mean they only match if the text matches exactly.

I suggest we implement a mode for changing these boundaries and allowing people to use find_all(regex) to find "regex within strings".

Example:

abc192.168.0.1xzy

Does not work because the IP address regex has boundaries, whereas:

192.168.0.1

does work.

I'd also suggest implementing this with filtering, so we can disable the boundaries on regex that match a filter, for example:

All regex with rarity over 0.6 will have no boundaries

Because the boundaries are hard-coded in, like:

"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$",

I'm not sure on the best method to go around doing this? Ideally we have a conditional to remove the boundaries or not. Perhaps we want something like:

{
"Name": "Bitcoin (₿) Wallet Address",       
"Regex": "^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$",
"Regex_Without_Boundary": "[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
}

Suggestions are welcome, I'm not 100% sure on the best way :-)

See compiled files, write tests for this

Clicking on a badge does not open a specific website. Instead, it opens a page that only contains the badge I have clicked on. Only the Twitter badge works; however, it still opens the page with that badge only.

If there is 2 matching regex it will only return the first one.

#! python3

print("hello)

thm{"Can you guess what this is, now?"}

0x52908400098527886E0F7030069857D2E4169EE7

Fails.

Some regex have sub-categories, for example:

• Mastercard numbers -- the first 4 digits represent what company that card belongs to.
• Phone numbers. If they start with +44 or 07, it's the UK!

As such, I propose we change our code into:

    {
       "Name": "MasterCard Number",
       "Regex": "^(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}$",
       "plural_name": false,
       "Description": null,
       "Rarity": 0.5,
       "Tags": [
          "Credit Card",
          "Finance"
       ],
        "Children": [
            {
                "Name": "BarclayCard",
                "Regex:" "5117.*"
                Same value as the parent above
            }
        ]
    },

We want to keep the same object for each child in case we have anything special to add like a website or a cool description etc. It doesn't cost us much to do this, but it is helpful!

Also, our regex for the children can be much broader. Read it as:

1. When I pass the mastercard regex
2. When I pass the barclaycard regex (which just checks to see if the first few numbers are equal to 5117)
3. Return
   Because the children only run when the parents do, the child regex can be lighter.

As an aside, Mastercard have very helpfully provided a CSV table of all the companies and what their Mastercard subrange is:
https://www.mastercard.us/en-us/business/issuers/get-support/simplified-bin-account-range-table.html

	HTTPusername = re.search(b'log|login|wpname|ahd_username|unickname|nickname|user|user_name|alias|pseudo|email|username|_username|userid|form_loginname|loginname|login_id|loginid|session_key|sessionkey|pop_login|uid|id|user_id|screename|uname|ulogin|acctname|account|member|mailaddress|membername|login_username|login_email|loginusername|loginemail|uin|sign-in|j_username', decoded['data'])
	if HTTPusername:
		user = re.findall(b'(%s=[^&]+)' % HTTPusername.group(0), decoded['data'], re.IGNORECASE)
		if user:
			HTTPUser = user

	HTTPPasswd = re.search(b'ahd_password|pass|password|_password|passwd|session_password|sessionpassword|login_password|loginpassword|form_pw|pw|userpassword|pwd|upassword|login_passwordpasswort|passwrd|wppassword|upasswd|j_password', decoded['data'])
	if HTTPPasswd:
		passw = re.findall(b'(%s=[^&]+)' % HTTPPasswd.group(0), decoded['data'], re.IGNORECASE)
		if passw:
			HTTPass = passw

	SMTPAuth = re.search(b'AUTH LOGIN|AUTH PLAIN', decoded['data'])
	Basic64 = re.findall(b'(?<=Authorization: Basic )[^\n]*', decoded['data'])
	FTPUser = re.findall(b'(?<=USER )[^\r]*', decoded['data'])
	FTPPass = re.findall(b'(?<=PASS )[^\r]*', decoded['data'])
	HTTPNTLM2 = re.findall(b'(?<=WWW-Authenticate: NTLM )[^\\r]*', decoded['data'])
	HTTPNTLM3 = re.findall(b'(?<=Authorization: NTLM )[^\\r]*', decoded['data'])
	NTLMSSP1 = re.findall(b'NTLMSSP\x00\x01\x00\x00\x00.*[^EOF]*', decoded['data'])
	NTLMSSP2 = re.findall(b'NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', decoded['data'],re.DOTALL)
	NTLMSSP3 = re.findall(b'NTLMSSP\x00\x03\x00\x00\x00.*[^EOF]*', decoded['data'],re.DOTALL)

	CTX1_USR = re.findall(b'<UserName>(.*?)</UserName><Password encoding="ctx1">', decoded['data'])
	CTX1_PWD = re.findall(b'<Password encoding="ctx1">(.*?)</Password>', decoded['data'])

	if CTX1_USR and CTX1_PWD:
		HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
		try:
			CTX1_USR = CTX1_USR[0]
			CTX1_PWD = ParseCTX1Hash(CTX1_PWD[0])
			CTX1_CREDS = CTX1_USR + ':' + CTX1_PWD
			Message = 'Found CTX1 encoded password: %s\n'%CTX1_CREDS
			print(HeadMessage + '\n' + Message)
		except:
			pass

credit card (do luhn check)

		CCMatch = re.findall(b'.{30}[^\d][3456][0-9]{3}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[^\d]', decoded['data'],re.DOTALL)
		CC = re.findall(b'[^\d][456][0-9]{3}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[^\d]', decoded['data'])

Currently there is no docs :-( It might be confusing! And there's no API docs showing multiple tags either :-(

Here is la regex :
[N]([a-zA-Z0-9]{23})\.([a-zA-Z0-9]{6})\.([a-zA-Z0-9]{27})

Currently, CI does not perform some important checks:

• Black + isort
• regex.json file (are entries correctly sorted?, do all regexes have ^(regex)$ format?)

So it should look inside binary files too

We do not match on:

google.com

Because there is no HTTPS at the start.

The solution is to build a list of all top level domains ( see https://data.iana.org/TLD/tlds-alpha-by-domain.txt for all of them in a neat text file) and match only if the end matches a TLD.

An example regex is:

.*\.com|\.org

Which matches:

tryhackme.com

One thing I immediately thought about when I saw this was "wow, now I can quickly identify unknown checksums offline" and then Nothing found! happened. Would be nice to support range of formats like https://www.onlinehashcrack.com/hash-identification.php

Describe the bug
When we check regex like:

{
      "Name": "Facebook Secret Key",
      "Regex": "(?i)^(facebook|fb)(.{0,20})?(?-i)['\\\"][0-9a-f]{32}['\\\"]",
      "plural_name": false,
      "Description": null,
      "Exploit": null,
      "Rarity": 1,
      "URL": null,
      "Tags": [
         "API Keys",
         "Bug Bounty",
         "Credentials"
      ]
   },
  {
      "Name": "LinkedIn Client ID",
      "Regex": "(?i)^linkedin(.{0,20})?(?-i)[0-9a-z]{12}$",
      "plural_name": false,
      "Description": null,
      "Exploit": null,
      "Rarity": 1,
      "URL": null,
      "Tags": [
         "Bug Bounty"
      ]
   },

Because of the (?-i) it messes up during boundaryless regex conversion. This is a bug :-( We should be able to handle this!

For example:

I would like it to return both google.co and google.com. Sadly, it may be impossible considering the way regular expressions work. Thus, it would be amazing to match the longest string (pywhat google.com/help should return google.com/help). It is crucial for implementing URL subcategories properly(#51). Btw, URL regex is too long, I do not think that valid TLDs should be checked, so it may be shortened.

• Positional Arguments
• JSON output, Python Dict API
• Pretty printing of results
• Run regex within regex
• Magic Numbers
• LangDetect
• Credit card
• Name that hash
• #6
• #5
• Add strings #3
• Add more regex #1
• https://github.com/regexhq
• Add categories / tabs

It would be great if pywhat could identify data from a webpage.

Since we have filtration, it is logical to assume that sorting should be supported, too.
Therefore, I propose the following changes to API:

from pywhat import *
id = Identifier()
out = id.identify('fixtures/file', key=keys.rarity, reversed=True) # out[0] has the highest rarity
out = id.identify('fixtures/file', key=keys.matched) # sort alphabetically by matched string
out = id.identify('fixtures/file', key=keys.name) # sort by regex name

Also, as with distributions, it would be great to make it possible to specify keys while instantiating Identifier.
Something like that:

id = Identifier(key=keys.name)
id.identify('fixtures/file') # identical to id.identify('fixtures/file', key=keys.name)

Awesome project, congrats!

A time ago, I try discover the code used by the uber gift card, just for validation. But without success, probably is a custom code.

Another detectors, nice to have, is the follow:

ULID: 01ERJ58HMWDN3VTRRHZQV2T5R5
UUID: b2ced6f5-2542-4f7d-b131-e3ada95d8b75
GUID: f0b93a8a-b808-4b92-9ba1-6acb977be8d1
ObjectID: 5fc7c33a7ef88b139122a38a

This is my personal ToDo list, if you see something you think you can do please take it from me :-)

• Add filtration system using distributions
• Remove language checking stuff
• Check speed of regex with no boundaries, potentially make all regex boundary-less

For IP addresses we can do:

• ipv4
• ipv6

etc

This is so users can hand-select what regex they want via the tag system :D