GitHub Recon

MITRE ATT&CK™ Data from Information Repositories - Technique T1213

Theory

Online repositories of code hold a window into an organization's technology stack, revealing the programming languages and frameworks they employ. In some rare instances, developers have unintentionally exposed sensitive information, including critical data and credentials, within public repositories. These inadvertent revelations may present a unique opportunity us.

Practice

Github Dorks & Sensitive Data Exposure

To automate the process of searching sensitives files and hardcoded credentials in Git repositories, we may use following tools

is a python tools used to search leaked secrets via github search. Its collection of Github dorks can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc.

# search a single repo
github-dork.py -r techgaun/github-dorks

# search all repos of a user
github-dork.py -u techgaun  

# search all repos of an organization
github-dork.py -u dev-nepal

Alternatively, we can manualy search for specific dorks, without using :

Examples of Github Dorks are :

Dork

Description

filename:.npmrc _auth

npm registry authentication data

filename:.dockercfg auth

docker registry authentication data

extension:pem private

private keys

extension:ppk private

puttygen private keys

filename:id_rsa or filename:id_dsa

private ssh keys

filename:wp-config.php

wordpress config files

filename:.env MAIL_HOST=smtp.gmail.com gmail

smtp configuration (try different smtp services too)

shodan_api_key language:python

Shodan API keys (try other languages too)

/"sk-[a-zA-Z0-9]{20,50}"/ language:Shell

Open AI API Keys

"api_hash" "api_id"

Telegram API token

# Basic Usage
git-hound --subdomain-file subdomains.txt
echo "\"example.com\"" | git-hound

# Searching for exposed API keys
echo "api.halcorp.biz" | githound --dig-files --dig-commits --many-results --rules halcorp-api-regexes.txt --results-only | python halapitester.py

# Bug Bounty Hunters: Searching for leaked employee API tokens
echo "\"uberinternal.com\"" | githound --dig-files --dig-commits --many-results --languages common-languages.txt --threads 100

# Scan a repo
noseyparker scan --datastore np.myDataStore --git-url <repo-url>

# Scan all repo of an user
noseyparker scan --datastore np.myDataStore --github-user <username>

# Scan all repo of an organization
noseyparker scan --datastore np.myDataStore --github-organization <NAME>

# Show result of a scan
noseyparker report -d np.myDataStore

# See available hunting modules
python GitHunt.py hunt -h

# Hunt for OpenAI API Keys
python GitHunt.py hunt -m OpenAI

# Export all valid OpenAI API keys found in a json 
python GitHunt.py db -m OpenAI -f json -o ~/export.json

./gitleaks detect -v -r=<GIT_REPO_URL>

# Run it !
# With <TARGET> an organization/user profile (i.e v4resk)
gitrob -github-access-token <TOKEN> <TARGET>

Resources

Last updated 3 months ago

Was this helpful?

Practice

Github Dorks & Sensitive Data Exposure

To automate the process of searching sensitives files and hardcoded credentials in Git repositories, we may use following tools

# search a single repo
github-dork.py -r techgaun/github-dorks

# search all repos of a user
github-dork.py -u techgaun  

# search all repos of an organization
github-dork.py -u dev-nepal

Alternatively, we can manualy search for specific dorks, without using :

Examples of Github Dorks are :

Dork

Description

filename:.npmrc _auth

npm registry authentication data

filename:.dockercfg auth

docker registry authentication data

extension:pem private

private keys

extension:ppk private

puttygen private keys

filename:id_rsa or filename:id_dsa

private ssh keys

filename:wp-config.php

wordpress config files

filename:.env MAIL_HOST=smtp.gmail.com gmail

smtp configuration (try different smtp services too)

shodan_api_key language:python

Shodan API keys (try other languages too)

/"sk-[a-zA-Z0-9]{20,50}"/ language:Shell

Open AI API Keys

"api_hash" "api_id"

Telegram API token

hunts down exposed API keys and other sensitive information on GitHub using GitHub code search, pattern matching, and commit history searching.

# Basic Usage
git-hound --subdomain-file subdomains.txt
echo "\"example.com\"" | git-hound

# Searching for exposed API keys
echo "api.halcorp.biz" | githound --dig-files --dig-commits --many-results --rules halcorp-api-regexes.txt --results-only | python halapitester.py

# Bug Bounty Hunters: Searching for leaked employee API tokens
echo "\"uberinternal.com\"" | githound --dig-files --dig-commits --many-results --languages common-languages.txt --threads 100

is a command-line program that finds secrets and sensitive information in textual data and Git history.

# Scan a repo
noseyparker scan --datastore np.myDataStore --git-url <repo-url>

# Scan all repo of an user
noseyparker scan --datastore np.myDataStore --github-user <username>

# Scan all repo of an organization
noseyparker scan --datastore np.myDataStore --github-organization <NAME>

# Show result of a scan
noseyparker report -d np.myDataStore

is a (Python) tool for detecting sensitive data exposure in GitHub repositories, leveraging GitHub's search functionality.

# See available hunting modules
python GitHunt.py hunt -h

# Hunt for OpenAI API Keys
python GitHunt.py hunt -m OpenAI

# Export all valid OpenAI API keys found in a json 
python GitHunt.py db -m OpenAI -f json -o ~/export.json

(Go) is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos.

./gitleaks detect -v -r=<GIT_REPO_URL>

(Go) is a tool to help find potentially sensitive files pushed to public repositories on Github. It will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.

Gitrob will need a Github access token in order to interact with the Github API. See .

# Run it !
# With <TARGET> an organization/user profile (i.e v4resk)
gitrob -github-access-token <TOKEN> <TARGET>