Credential Harvester Pro · Auto-Detection & Validation Tool

⚡ Automated credential intelligence — discover exposed database passwords, FTP secrets, and SSH keys hidden in common configuration backups. Built for security researchers, pentesters, and blue teams with intelligent memory chunking and multithreading.

✨ Core capabilities

📁 10+ config patterns

WordPress (wp-config.php), Laravel .env, CodeIgniter database.php, SFTP/FTP json configs, Symfony DATABASE_URL, custom MySQL env vars.

🧠 Auto chunking & memory guard

Processes millions of domains by splitting into chunks, enforcing RAM limits, and automatic garbage collection. No crashes.

🌐 Multi-protocol validation

Tests MySQL, FTP (port 21), SSH/SFTP (port 22) credentials in real time using pymysql, ftplib, paramiko.

⚙️ Smart host resolution

Automatically resolves 'localhost' / '127.0.0.1' to target domain IP, fallback to domain name for external access.

🚀 Thread pool per chunk

Adjustable thread count (default 50) for maximum speed while respecting rate limits.

📄 Structured output

Separate files for all found credentials, valid MySQL, valid FTP, valid SSH – clean CSV-like format with metadata.

📦 Dependencies & installation

pip install requests paramiko pymysql colorama psutil

Requirements: Python 3.7+ · internet connectivity for HTTP requests & service validation.

✅ The script suppresses Paramiko & SSL warnings to keep console clean. For best performance, use on Linux/macOS with stable network.

🚀 Command-line usage

python cred_harvester.py -f domains.txt [options]

Argument	Description	Default
`-f, --file`	Required — path to domain list (one domain per line)	—
`-t, --threads`	Number of concurrent threads per chunk	50
`--limit`	Limit total domains to process (useful for testing)	None (all)
`--chunk-size`	Domains per chunk (controls memory footprint)	1000
`--mem, --memory-limit`	RAM ceiling in MB before forced GC	500

📌 Examples

# Basic scan with 100 threads, chunk 2000 domains

python harvest.py -f targets.txt -t 100 --chunk-size 2000

# Limit to first 5000 domains, memory limit 1GB

python harvest.py -f big_list.txt --limit 5000 --mem 1024

🧩 Workflow & detection logic

The script follows a systematic reconnaissance approach for each domain (both HTTP and HTTPS):

Probes backup/sensitive files like /wp-config.php~, /.env.bak, /sftp-config.json, etc.
Extracts credentials using framework-specific regex (WordPress, Laravel, CodeIgniter, raw MySQL env).
If credentials found, attempts live validation: MySQL connection, FTP login, SSH authentication with timeouts (3 sec).
Saves valid entries to categorized files and displays color-coded console stats.
Intelligent chunking + GC prevents memory bloat even with millions of domains.

🗂️ Detected config files (non exhaustive):
wp-config.php~, wp-config.php.bak, .env, .env.backup, .env.example, application/config/database.php~, config/database.php~, .vscode/sftp.json, ftp-config.json, settings.inc.php~, db.inc.php~, and 20+ more variations.

📁 Output files (auto-generated)

Filename	Content
`credential_found.txt`	All discovered credentials (MySQL, FTP/SFTP) with source, host, user, password, database, path
`mysql_valid.txt`	Working MySQL logins (tested connection success)
`ftp_valid.txt`	Valid FTP (port 21) credentials
`ssh_valid.txt`	Valid SSH / SFTP credentials (port 22, or custom port from config)

🏗️ Architecture & optimization

DomainChunker class — lazy iterator that yields slices of domains, enforces memory limit, calls gc.collect() after each chunk.
ThreadPoolExecutor — each chunk processed concurrently, request timeout 3 seconds, connection attempts 3s.
Connection fallback: for MySQL/FTP/SSH, if host is localhost/internal, script substitutes with domain name or resolved IP automatically.
Suppressed stderr – paramiko and socket errors hidden for clean terminal.
Real-time stats – uses thread-safe lock to update counters every 100 domains and shows RAM usage via psutil.

🔐 Validation logic (MySQL / FTP / SSH)

After extracting credentials, the tool attempts multiple connection strategies:

MySQL: tries original host, then domain name, then resolved IP addresses – useful for remote database access.
FTP (port 21): standard login attempt with 3-second timeout.
SSH/SFTP: paramiko client with password auth, disables host key checking and agent forwarding for speed.

⚠️ Legal & ethical notice: This tool is intended for authorized security assessments, bug bounty, and self-audit purposes only. Scanning domains without explicit permission may violate laws. Always obtain written consent before testing.

🛠️ Customization & extension

You can easily add new file paths or regex patterns inside the script. Look for dictionaries like wp_paths, env_paths, ci_paths and extend extraction functions (extract_wp_credentials, extract_env_credentials).

# Example: add custom CMS detection
custom_paths = ['/custom-config.inc', '/backup/db.txt']
for path in custom_paths:
    response = requests.get(f"{protocol}{domain}{path}", timeout=3)
    # parse accordingly

Thread count, chunk size and memory limit can be tuned depending on network speed and available RAM.

⚠️ Troubleshooting & tips

High memory usage → reduce chunk size (--chunk-size 500) or lower thread count.
Too many connection timeouts → increase timeout inside requests.get(..., timeout=5) for unstable networks.
Paramiko errors spam → the script already suppresses stderr; if needed, increase logging.CRITICAL.
No results on some domains → ensure domain list doesn't contain protocol prefixes (use example.com not https://example.com).
Performance: for large scans (>100k domains) use a VPS with decent bandwidth and adjust chunk size to 1500-2000.

📊 Real-time console output

[+] Found example.com | MySQL | FTP | SSH
[PROGRESS] Processed: 12,450 | Credentials Found: 342 | MySQL Valid: 98 | FTP Valid: 31 | SSH Valid: 19 | RAM: 312.45 MB
[CHUNK COMPLETE] RAM usage: 285.23 MB
[CHUNK] Processing Chunk 4/20 (1000 domains)

Color legend: MySQL (blue), FTP (green), SSH (yellow) if connection is alive — otherwise white.

📁 Sample output snippet

# credential_found.txt (example)
example.com | /wp-config.php~ | WordPress | db.example.com | wp_user | s3cr3tP@ss | wordpress_db | 3306
target.org | /.env | Laravel | 192.168.1.100 | laravel_user | MySecurePwd | app_db | 3306
site.io | /.vscode/sftp.json | Config | ftp.site.io | ftp_user | ftpPass123 | SFTP | 22

# mysql_valid.txt (validated connections)
example.com | /wp-config.php~ | WordPress | db.example.com | wp_user | s3cr3tP@ss | wordpress_db

📜 License & credits

This script is released for educational & defensive research. Built with Python libraries: requests, paramiko, pymysql, colorama, psutil. Feel free to modify and adapt under MIT terms.

💡 Pro tip: Combine with subdomain enumeration tools (amass, subfinder) to feed the domain list and discover forgotten configuration exposures across your organization.

⚡ Quick reference

Parameter	Recommended value	Use case
Threads	30–80	Higher = faster but may trigger WAF/rate limit
Chunk size	500–2000	Smaller chunks for low RAM systems
Memory limit	300–1024 MB	Prevents OOM killer on shared servers
Domain file format	plain text, one per line	example.com (without http://)

🔍 Credential Harvester Pro auto-chunk · multi-protocol v2.0