# Credentials in git repos


{% embed url="<https://github.com/m14r41/scan4secrets>" %}

## Using SSH Key to Clone Private Repo

```
# Test that GitHub accepts the key
ssh -i id_rsa git@github.com

# Clone over SSH using that key
GIT_SSH_COMMAND="ssh -i id_rsa" git clone git@github.com:<user>/<repo>
```

## GitHub Dorks

{% content-ref url="../git-dorks" %}
[git-dorks](https://0xss0rz.gitbook.io/0xss0rz/pentest/recon/git-dorks)
{% endcontent-ref %}

{% embed url="<https://infosecwriteups.com/github-recon-the-underrated-technique-to-discover-high-impact-leaks-in-bug-bounty-c4069894389a>" %}

{% embed url="<https://github.com/coffinxp/payloads/blob/main/github-dork.txt?source=post_page-----c4069894389a--------------------------------------->" %}

```
"example.com" password

# JSON format
"example.com" "password":

org:example "password":

"domain" AND ("api_key" OR "secret" OR "password" OR "access_token" OR "client_secret" OR "private_key" OR "AWS_SECRET_ACCESS_KEY" OR "DB_PASSWORD" OR "slack_token" OR "github_token" OR "BEGIN RSA PRIVATE KEY")

filename:.env "DB_PASSWORD"

extension:json "access_token"

path:/config filename:database.php       # Finds database.php inside any /config directory
path:/wp-config.php                      # Targets the WordPress config file
path:/src/secrets                        # Looks in typical config directories
path:/settings                           # Looks in typical settings directories
path:/.ssh                               # Searches hidden .ssh folder
path:/.git                               # Searches hidden .git folder
path:**/.env                             # Finds .env files in any nested directory
```

```
org:Target "bucket_name"
org:Target "aws_access_key"
org:Target "aws_secret_key"
org:Target "S3_BUCKET"
org:Target "S3_ACCESS_KEY_ID"
org:Target "S3_SECRET_ACCESS_KEY"
org:Target "S3_ENDPOINT"
org:Target "AWS_ACCESS_KEY_ID"
org:Target "list_aws_accounts"

"http://target.com" send_keys
"http://target.com" password
"http://target.com" api_key
"http://target.com" apikey
"http://target.com" jira_password
"http://target.com" root_password
"http://target.com" access_token
"http://target.com" config
"http://target.com" client_secret
"http://target.com" user auth
```

### Authentication and secrets

```
api_key
access_token
client_secret
auth_token
authorizationToken
x-api-key
secret
SECRET_KEY
secret_token
credentials
token
secure
```

### Cloud Providers

```
AWS_SECRET_ACCESS_KEY
AWS_ACCESS_KEY_ID
aws_access_key_id
aws_secret_key
aws_token
GCP_SECRET
gcloud_api_key
firebase_url
shodan_api_key
```

### Database credentials

```
DB_PASSWORD
DATABASE_URL
db_password
db_pass
MYSQL_PASSWORD
POSTGRES_PASSWORD
mongo_uri
mongodb_password
```

### SSH

```
BEGIN RSA PRIVATE KEY
BEGIN OPENSSH PRIVATE KEY
BEGIN PGP PRIVATE KEY BLOCK
id_rsa
private_key
pem private
key
```

### Third-party tokens

```
slack_token
discord_token
github_token
gitlab_token
twilio_auth_token
mailgun
stripe_secret
SF_USERNAME salesforce
```

### GitDorker

{% embed url="<https://github.com/obheda12/GitDorker>" %}

## Grep

Example: search source code for MySQL connection calls

```
grep -R "mysqli_connect" . 2> /dev/null
```


## Restoring Deleted Files and File Structure Review

```
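cd output_dir
git status        # lists tracked files missing from the working tree as "deleted"
git restore .     # restore them from the index
git checkout .    # equivalent on Git versions without `git restore`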
```

## Git show

```
bandit28@bandit:/tmp/b28_0xss0rz/repo$ ls -la
total 16
drwxr-sr-x 3 bandit28 root 4096 May  8 16:05 .
drwxr-sr-x 3 bandit28 root 4096 May  8 16:05 ..
drwxr-sr-x 8 bandit28 root 4096 May  8 16:05 .git
-rw-r--r-- 1 bandit28 root  111 May  8 16:05 README.md
bandit28@bandit:/tmp/b28_0xss0rz/repo$ git show
commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    fix info leak

diff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials

 - username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx
```
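
Review bot: The removed `- password:` line in README.md stays readable in history after this commit, so replacing the value with `xxxxxxxxxx` does not contain the leak. Rotate the bandit29 password, and drop the credentials section from README.md rather than masking the value in place.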

## Git diff

```
$ git diff HEAD

diff --git a/Dockerfile.ghost b/Dockerfile.ghost
new file mode 100644
index 0000000..50864e0
--- /dev/null
+++ b/Dockerfile.ghost
@@ -0,0 +1,16 @@
+FROM ghost:5.58.0
+
+# Copy the config
+COPY config.production.json /var/lib/ghost/config.production.json
+
+# Prevent installing packages
+RUN rm -rf /var/lib/apt/lists/* /etc/apt/sources.list* /usr/bin/apt-get /usr/bin/apt /usr/bin/dpkg /usr/sbin/dpkg /usr/bin/dpkg-deb /usr/sbin/dpkg-deb
+
+# Wait for the db to be ready first
+COPY wait-for-it.sh /var/lib/ghost/wait-for-it.sh
+COPY entry.sh /entry.sh
+RUN chmod +x /var/lib/ghost/wait-for-it.sh
+RUN chmod +x /entry.sh
+
+ENTRYPOINT ["/entry.sh"]
+CMD ["node", "current/index.js"]
diff --git a/ghost/core/test/regression/api/admin/authentication.test.js b/ghost/core/test/regression/api/admin/authentication.test.js
index 2735588..e654b0e 100644
--- a/ghost/core/test/regression/api/admin/authentication.test.js
+++ b/ghost/core/test/regression/api/admin/authentication.test.js
@@ -53,7 +53,7 @@ describe('Authentication API', function () {
 
         it('complete setup', async function () {
             const email = 'test@example.com';
-            const password = 'thisissupersafe';
+            const password = 'thenewpassword';
 
             const requestMock = nock('https://api.github.com')
                 .get('/repos/tryghost/dawn/zipball')

```
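
Review bot: The `const password = 'thenewpassword';` line in authentication.test.js replaces one hard-coded literal with another, and the diff still shows the old value `thisissupersafe`. If either string is used anywhere outside this test fixture, treat it as exposed and rotate it; for the test itself, generate the password at runtime or load it from a fixture so the source carries no literal.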

## Git log

```
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git log
commit 208f463b5b3992906eabf23c562eda3277fea912
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    fix username

commit 18a6fd6d5ef7f0874bbdda2fa0d77b3b81fd63f7
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    initial commit of README.md
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git show 18a6fd6d5ef7f0874bbdda2fa0d77b3b81fd63f7
commit 18a6fd6d5ef7f0874bbdda2fa0d77b3b81fd63f7
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2da2f39
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+# Bandit Notes
+Some notes for bandit30 of bandit.
+
+## credentials
+
+- username: bandit29
+- password: <no passwords in production!>
+
```

## Git branch

```
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git branch
* master
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git branch -r
  origin/HEAD -> origin/master
  origin/dev
  origin/master
  origin/sploits-dev
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git branch
* dev
  master
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git log
commit bc833286fca18a3948aec989f7025e23ffc16c07
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:52 2020 +0200

    add data needed for development

commit 8e6c203f885bd4cd77602f8b9a9ea479929ffa57
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    add gif2ascii

commit 208f463b5b3992906eabf23c562eda3277fea912
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    fix username

commit 18a6fd6d5ef7f0874bbdda2fa0d77b3b81fd63f7
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    initial commit of README.md
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git show bc833286fca18a3948aec989f7025e23ffc16c07
commit bc833286fca18a3948aec989f7025e23ffc16c07
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:52 2020 +0200

    add data needed for development

diff --git a/README.md b/README.md
index 1af21d3..39b87a8 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for bandit30 of bandit.
 ## credentials

 - username: bandit30
-- password: <no passwords in production!>
+- password: 5b90576bedb2cc04c86a9e924ce42faf

bandit29@bandit:/tmp/b29_0xss0rz/repo$
```
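
Review bot: The added `+- password:` line in README.md replaces the `<no passwords in production!>` placeholder with what looks like a live credential for bandit30, and the commit sits on `origin/dev`, where anyone who can clone the repository can read it. Keep the placeholder, move development credentials to an untracked file or a secret store, and rotate this password.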

## Git tag

```
bandit30@bandit:/tmp/b30_0xss0rz/repo$ git tag
secret
bandit30@bandit:/tmp/b30_0xss0rz/repo$ git show secret
47e603bb428404d265f59c42920d81e5
bandit30@bandit:/tmp/b30_0xss0rz/repo$
```
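
The `git show` / `git log` / `git branch` / `git tag` walk above, automated for auditing your own repository. This is an added example, not from the original page: `PATTERN` is an illustrative subset of the keyword lists above, the function names are hypothetical, and the demo repository and its values are constructed.

```shell
#!/usr/bin/env bash
# Added example. PATTERN is an illustrative subset of the keyword lists above.
PATTERN='(password|secret|api_key|access_token)[^[:alnum:]]{1,6}[[:alnum:]/+_=-]{8,}'

# Grep the tree of every commit reachable from any ref (local and remote
# branches, tags). Output: <sha>:<path>:<line>:<text>.
# Very large histories may need batching of the revision list.
scan_commits() {
  revs=$(git -C "$1" rev-list --all)
  [ -n "$revs" ] || return 0
  # Word splitting of $revs is intended: one argument per commit.
  git -C "$1" grep -I -n -i -E -e "$PATTERN" $revs || true
}

# Tags that do not resolve to a commit (e.g. a tag on a bare blob) are skipped
# by rev-list, so list them for manual review with `git show <tag>`.
odd_tags() {
  git -C "$1" for-each-ref \
      --format='%(objecttype)|%(*objecttype)|%(refname:short)' refs/tags |
    while IFS='|' read -r type deref name; do
      [ "${deref:-$type}" = commit ] || echo "$name -> ${deref:-$type}"
    done
}

# Constructed throwaway repo mirroring the cases above: a secret "fixed" on the
# default branch, another on a side branch, and a tag pointing at a blob.
make_demo_repo() {
  demo_dir=$(mktemp -d)
  (
    cd "$demo_dir" && git init -q . &&
    git config user.email demo@example.invalid && git config user.name demo &&
    echo 'password: CONSTRUCTED-old-0001' > README.md &&
    git add README.md && git commit -q -m 'initial commit' &&
    echo 'password: <none>' > README.md &&
    git commit -q -am 'fix info leak' &&
    git checkout -q -b dev &&
    echo 'api_key = "CONSTRUCTED-dev-0002"' > settings.ini &&
    git add settings.ini && git commit -q -m 'add data needed for development' &&
    git checkout -q - &&
    git tag secret "$(echo CONSTRUCTED-tag-0003 | git hash-object -w --stdin)"
  ) >/dev/null 2>&1
  echo "$demo_dir"
}

# Usage: ./scan.sh /path/to/repo
if [ -n "${1:-}" ]; then scan_commits "$1"; odd_tags "$1"; fi
```

A file that stays unchanged across several commits is reported once per commit; pipe the output through `sort -u -t: -k2` if you only need one hit per file.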

## Deleted Files

{% embed url="<https://medium.com/@sharon.brizinov/how-i-made-64k-from-deleted-files-a-bug-bounty-story-c5bd3a6f5f9b>" %}

## Tools

### GitHound

{% embed url="<https://github.com/tillson/git-hound>" %}

```
echo "uberinternal.com" | ./git-hound --dig-files --dig-commits

echo "uber.com" | ./git-hound --dig-files --language-file languages.txt --dig-commits

echo "uber.box.net" | ./git-hound --dig-files --dig-commits
```

### Gixposed

{% embed url="<https://github.com/WH1T3-E4GL3/gixposed>" %}

### TruffleHog

{% embed url="<https://github.com/trufflesecurity/truffleHog>" %}

```
# Scan a local Git repository
trufflehog git file:///home/user/my-repo

# Scan a public GitHub repository
trufflehog git https://github.com/username/repo.git

# Scan with filtering results to show only verified and unknown findings
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown

# Scan and format output as JSON using jq for readability
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown --json | jq

# Scan a GitHub repository and include issue and PR comments in the scan
trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments

# Scan all repositories in a GitHub organization using a personal access token
trufflehog github --org=nasa --token=yourgithubtoken

# Scan a specific GitHub repository (basic usage)
trufflehog github --repo=https://github.com/username/repo
```


```
# Legacy TruffleHog v2 syntax: regex rules only, entropy checks off
trufflehog --regex --entropy=False repo/

# With URL
trufflehog https://github.com/name/repo --max_depth 2
```


### Nosey Parker

Find secrets and sensitive information in textual data and **Git history**.

{% embed url="<https://github.com/praetorian-inc/noseyparker>" %}

### Gitleaks

{% embed url="<https://github.com/gitleaks/gitleaks>" %}

### Git-secrets

{% embed url="<https://github.com/awslabs/git-secrets>" %}

```
git clone https://github.com/awslabs/git-secrets
cd git-secrets
make install
```

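Then, from inside the repository you want to scan:

```
$ git secrets --install        # install the git hooks in this repository
$ git secrets --register-aws   # add the AWS credential patterns
$ git secrets --scan           # scan the files in the repository
$ git secrets --scan-history   # scan every revision in history
```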


### GitGot

{% embed url="<https://github.com/BishopFox/GitGot>" %}

### GitRob

{% embed url="<https://github.com/michenriksen/gitrob>" %}

### GitGraber

{% embed url="<https://github.com/hisxo/gitGraber>" %}

```
# Search for sensitive data related to the entire organization
python3 gitGraber.py -k wordlists/keywords.txt -q nasa.gov -s

# Search for sensitive data related strictly to the domain
# (the inner double quotes must reach the tool, so protect them from the shell)
python3 gitGraber.py -k wordlists/keywords.txt -q '"nasa.gov"' -s
```

### GitMiner

{% embed url="<https://github.com/UnkL4b/GitMiner>" %}

## Regex

```
$ git clone <url>
$ cd repo_name
$ grep -rP "(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]" .
```

{% embed url="<https://gist.github.com/h4x0r-dz/be69c7533075ab0d3f0c9b97f7c93a59>" %}

## Validate different API keys found

{% embed url="<https://github.com/streaak/keyhacks>" %}

{% embed url="<https://github.com/daffainfo/Key-Checker>" %}

## Resources

{% embed url="<https://infosecwriteups.com/github-recon-the-underrated-technique-to-discover-high-impact-leaks-in-bug-bounty-c4069894389a>" %}

