GitHub Recon

MITRE ATT&CK™ Data from Information Repositories - Technique T1213

Last updated 3 months ago

Was this helpful?

Practice

Github Dorks & Sensitive Data Exposure

To automate the process of searching sensitives files and hardcoded credentials in Git repositories, we may use following tools

is a python tools used to search leaked secrets via github search. Its collection of Github dorks can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc.

# search a single repo
github-dork.py -r techgaun/github-dorks

# search all repos of a user
github-dork.py -u techgaun  

# search all repos of an organization
github-dork.py -u dev-nepal

Alternatively, we can manualy search for specific dorks, without using :

Examples of Github Dorks are :

Dork

Description

filename:.npmrc _auth

npm registry authentication data

filename:.dockercfg auth

docker registry authentication data

extension:pem private

private keys

extension:ppk private

puttygen private keys

filename:id_rsa or filename:id_dsa

private ssh keys

filename:wp-config.php

wordpress config files

filename:.env MAIL_HOST=smtp.gmail.com gmail

smtp configuration (try different smtp services too)

shodan_api_key language:python

Shodan API keys (try other languages too)

/"sk-[a-zA-Z0-9]{20,50}"/ language:Shell

Open AI API Keys

"api_hash" "api_id"

Telegram API token

# Basic Usage
git-hound --subdomain-file subdomains.txt
echo "\"example.com\"" | git-hound

# Searching for exposed API keys
echo "api.halcorp.biz" | githound --dig-files --dig-commits --many-results --rules halcorp-api-regexes.txt --results-only | python halapitester.py

# Bug Bounty Hunters: Searching for leaked employee API tokens
echo "\"uberinternal.com\"" | githound --dig-files --dig-commits --many-results --languages common-languages.txt --threads 100

# Scan a repo
noseyparker scan --datastore np.myDataStore --git-url <repo-url>

# Scan all repo of an user
noseyparker scan --datastore np.myDataStore --github-user <username>

# Scan all repo of an organization
noseyparker scan --datastore np.myDataStore --github-organization <NAME>

# Show result of a scan
noseyparker report -d np.myDataStore

# See available hunting modules
python GitHunt.py hunt -h

# Hunt for OpenAI API Keys
python GitHunt.py hunt -m OpenAI

# Export all valid OpenAI API keys found in a json 
python GitHunt.py db -m OpenAI -f json -o ~/export.json

./gitleaks detect -v -r=<GIT_REPO_URL>

# Run it !
# With <TARGET> an organization/user profile (i.e v4resk)
gitrob -github-access-token <TOKEN> <TARGET>

Practice

Github Dorks & Sensitive Data Exposure

To automate the process of searching sensitives files and hardcoded credentials in Git repositories, we may use following tools

# search a single repo
github-dork.py -r techgaun/github-dorks

# search all repos of a user
github-dork.py -u techgaun  

# search all repos of an organization
github-dork.py -u dev-nepal

Alternatively, we can manualy search for specific dorks, without using :

Examples of Github Dorks are :

Dork

Description

filename:.npmrc _auth

npm registry authentication data

filename:.dockercfg auth

docker registry authentication data

extension:pem private

private keys

extension:ppk private

puttygen private keys

filename:id_rsa or filename:id_dsa

private ssh keys

filename:wp-config.php

wordpress config files

filename:.env MAIL_HOST=smtp.gmail.com gmail

smtp configuration (try different smtp services too)

shodan_api_key language:python

Shodan API keys (try other languages too)

/"sk-[a-zA-Z0-9]{20,50}"/ language:Shell

Open AI API Keys

"api_hash" "api_id"

Telegram API token

hunts down exposed API keys and other sensitive information on GitHub using GitHub code search, pattern matching, and commit history searching.

# Basic Usage
git-hound --subdomain-file subdomains.txt
echo "\"example.com\"" | git-hound

# Searching for exposed API keys
echo "api.halcorp.biz" | githound --dig-files --dig-commits --many-results --rules halcorp-api-regexes.txt --results-only | python halapitester.py

# Bug Bounty Hunters: Searching for leaked employee API tokens
echo "\"uberinternal.com\"" | githound --dig-files --dig-commits --many-results --languages common-languages.txt --threads 100

is a command-line program that finds secrets and sensitive information in textual data and Git history.

# Scan a repo
noseyparker scan --datastore np.myDataStore --git-url <repo-url>

# Scan all repo of an user
noseyparker scan --datastore np.myDataStore --github-user <username>

# Scan all repo of an organization
noseyparker scan --datastore np.myDataStore --github-organization <NAME>

# Show result of a scan
noseyparker report -d np.myDataStore

is a (Python) tool for detecting sensitive data exposure in GitHub repositories, leveraging GitHub's search functionality.

# See available hunting modules
python GitHunt.py hunt -h

# Hunt for OpenAI API Keys
python GitHunt.py hunt -m OpenAI

# Export all valid OpenAI API keys found in a json 
python GitHunt.py db -m OpenAI -f json -o ~/export.json

(Go) is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos.

./gitleaks detect -v -r=<GIT_REPO_URL>

(Go) is a tool to help find potentially sensitive files pushed to public repositories on Github. It will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.

Gitrob will need a Github access token in order to interact with the Github API. See .

# Run it !
# With <TARGET> an organization/user profile (i.e v4resk)
gitrob -github-access-token <TOKEN> <TARGET>

GitHub Recon

GitHub Recon

Practice

Github Dorks & Sensitive Data Exposure

Resources

Practice

Github Dorks & Sensitive Data Exposure

Resources