GitHub Recon

MITRE ATT&CK™ Data from Information Repositories - Technique T1213

Theory

Online repositories of code hold a window into an organization's technology stack, revealing the programming languages and frameworks they employ. In some rare instances, developers have unintentionally exposed sensitive information, including critical data and credentials, within public repositories. These inadvertent revelations may present a unique opportunity us.

Practice

Github Dorks & Sensitive Data Exposure

To automate the process of searching sensitives files and hardcoded credentials in Git repositories, we may use following tools

Github-dorks is a python tools used to search leaked secrets via github search. Its collection of Github dorks can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc.

# search a single repo
github-dork.py -r techgaun/github-dorks

# search all repos of a user
github-dork.py -u techgaun  

# search all repos of an organization
github-dork.py -u dev-nepal

Alternatively, we can manualy search for specific dorks, without using Github-dorks :

Examples of Github Dorks are :

Dork	Description
filename:.npmrc _auth	npm registry authentication data
filename:.dockercfg auth	docker registry authentication data
extension:pem private	private keys
extension:ppk private	puttygen private keys
filename:id_rsa or filename:id_dsa	private ssh keys
filename:wp-config.php	wordpress config files
filename:.env MAIL_HOST=smtp.gmail.com gmail	smtp configuration (try different smtp services too)
shodan_api_key language:python	Shodan API keys (try other languages too)
/"sk-[a-zA-Z0-9]{20,50}"/ language:Shell	Open AI API Keys
"api_hash" "api_id"	Telegram API token

Dork

Description

filename:.npmrc _auth

npm registry authentication data

filename:.dockercfg auth

docker registry authentication data

extension:pem private

private keys

extension:ppk private

puttygen private keys

filename:id_rsa or filename:id_dsa

private ssh keys

filename:wp-config.php

wordpress config files

filename:.env MAIL_HOST=smtp.gmail.com gmail

smtp configuration (try different smtp services too)

shodan_api_key language:python

Shodan API keys (try other languages too)

/"sk-[a-zA-Z0-9]{20,50}"/ language:Shell

Open AI API Keys

"api_hash" "api_id"

Telegram API token

Noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history.

# Scan a repo
noseyparker scan --datastore np.myDataStore --git-url <repo-url>

# Scan all repo of an user
noseyparker scan --datastore np.myDataStore --github-user <username>

# Scan all repo of an organization
noseyparker scan --datastore np.myDataStore --github-organization <NAME>

# Show result of a scan
noseyparker report -d np.myDataStore

GitHunt is a (Python) tool for detecting sensitive data exposure in GitHub repositories, leveraging GitHub's search functionality.

# See available hunting modules
python GitHunt.py hunt -h

# Hunt for OpenAI API Keys
python GitHunt.py hunt -m OpenAI

# Export all valid OpenAI API keys found in a json 
python GitHunt.py db -m OpenAI -f json -o ~/export.json

Gitleaks (Go) is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos.

./gitleaks detect -v -r=<GIT_REPO_URL>

Gitrob (Go) is a tool to help find potentially sensitive files pushed to public repositories on Github. It will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.

Gitrob will need a Github access token in order to interact with the Github API. See Create a personal access token.

# Run it !
# With <TARGET> an organization/user profile (i.e v4resk)
gitrob -github-access-token <TOKEN> <TARGET>

Resources

GitHub - techgaun/github-dorks: Find leaked secrets via github searchGitHub

Last updated 2 months ago