Credentials in git repos

Secrets leaking in GitHub repos: dorks and tools

Using SSH Key to Clone Private Repo

ssh -i id_rsa git@github.com

GIT_SSH_COMMAND="ssh -i id_rsa" git clone git@github.com:<user>/<repo>

GitHub Dorks

Git Dorks
"example.com" password

#JSON format
"example.com" "password":

org:example "password":

"domain" AND ("api_key" OR "secret" OR "password" OR "access_token" OR "client_secret" OR "private_key" OR "AWS_SECRET_ACCESS_KEY" OR "DB_PASSWORD" OR "slack_token" OR "github_token" OR "BEGIN RSA PRIVATE KEY")

filename:.env "DB_PASSWORD"

extension:json "access_token"

path:/config filename:database.php       # Finds database.php inside any /config directory
path:/wp-config.php                      # Targets the WordPress config file
path:/src/secrets                        # Looks in typical config directories
path:/settings                           # Looks in typical settings directories
path:/.ssh                               # Searches hidden .ssh folder
path:/.git                               # Searches hidden .git folder
path:**/.env                             # Finds .env files in any nested directory
org:Target "bucket_name"
org:Target "aws_access_key"
org:Target "aws_secret_key"
org:Target "S3_BUCKET"
org:Target "S3_ACCESS_KEY_ID"
org:Target "S3_SECRET_ACCESS_KEY"
org:Target "S3_ENDPOINT"
org:Target "AWS_ACCESS_KEY_ID"
org:Target "list_aws_accounts"

"http://target.com" send_keys
"http://target.com" password
"http://target.com" api_key
"http://target.com" apikey
"http://target.com" jira_password
"http://target.com" root_password
"http://target.com" access_token
"http://target.com" config
"http://target.com" client_secret
"http://target.com" user auth

Authentication and secrets

api_key
access_token
client_secret
auth_token
authorizationToken
x-api-key
secret
SECRET_KEY
secret_token
credentials
token
secure

Cloud Providers

AWS_SECRET_ACCESS_KEY
AWS_ACCESS_KEY_ID
aws_access_key_id
aws_secret_key
aws_token
GCP_SECRET
gcloud_api_key
firebase_url
shodan_api_key

Database credentials

DB_PASSWORD
DATABASE_URL
db_password
db_pass
MYSQL_PASSWORD
POSTGRES_PASSWORD
mongo_uri
mongodb_password

SSH

BEGIN RSA PRIVATE KEY
BEGIN OPENSSH PRIVATE KEY
BEGIN PGP PRIVATE KEY BLOCK
id_rsa
private_key
pem private
key

Third Party Token

slack_token
discord_token
github_token
gitlab_token
twilio_auth_token
mailgun
stripe_secret
SF_USERNAME salesforce

GitDorker

Grep

Example: MySQL connection calls (mysqli_connect in PHP code)

grep -R "mysqli_connect" . 2> /dev/null

Restoring Deleted Files and File Structure Review

cd output_dir            # directory that holds the recovered .git
git status               # files tracked in the index but missing from the tree show as "deleted:"
git restore .            # recreate every tracked file from the index
git checkout .           # same effect on Git older than 2.23, which has no "restore"

Git show

bandit28@bandit:/tmp/b28_0xss0rz/repo$ ls -la
total 16
drwxr-sr-x 3 bandit28 root 4096 May  8 16:05 .
drwxr-sr-x 3 bandit28 root 4096 May  8 16:05 ..
drwxr-sr-x 8 bandit28 root 4096 May  8 16:05 .git
-rw-r--r-- 1 bandit28 root  111 May  8 16:05 README.md
bandit28@bandit:/tmp/b28_0xss0rz/repo$ git show
commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    fix info leak

diff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials

 - username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx
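Review bot: the replacement on `+- password: xxxxxxxxxx` hides the value only in the new tree; the removed line `-- password: bbc96594b4e001778eee9975372716b2` is still in the parent commit, and `git show HEAD~1` or `git log -p` returns it. Treat the value as compromised and rotate it first; rewriting history and force-pushing is a second step and does nothing for clones already taken.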

Git diff

$ git diff HEAD

diff --git a/Dockerfile.ghost b/Dockerfile.ghost
new file mode 100644
index 0000000..50864e0
--- /dev/null
+++ b/Dockerfile.ghost
@@ -0,0 +1,16 @@
+FROM ghost:5.58.0
+
+# Copy the config
+COPY config.production.json /var/lib/ghost/config.production.json
+
+# Prevent installing packages
+RUN rm -rf /var/lib/apt/lists/* /etc/apt/sources.list* /usr/bin/apt-get /usr/bin/apt /usr/bin/dpkg /usr/sbin/dpkg /usr/bin/dpkg-deb /usr/sbin/dpkg-deb
+
+# Wait for the db to be ready first
+COPY wait-for-it.sh /var/lib/ghost/wait-for-it.sh
+COPY entry.sh /entry.sh
+RUN chmod +x /var/lib/ghost/wait-for-it.sh
+RUN chmod +x /entry.sh
+
+ENTRYPOINT ["/entry.sh"]
+CMD ["node", "current/index.js"]
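Review bot: `COPY config.production.json /var/lib/ghost/config.production.json` bakes the runtime configuration into an image layer, so any database or mail credentials it carries are readable by anyone who can pull the image, independently of whether the file is committed. Mount the file at run time or pass the secrets through the environment, and add `config.production.json` to `.dockerignore` and `.gitignore` so neither the image nor the repository carries it.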
diff --git a/ghost/core/test/regression/api/admin/authentication.test.js b/ghost/core/test/regression/api/admin/authentication.test.js
index 2735588..e654b0e 100644
--- a/ghost/core/test/regression/api/admin/authentication.test.js
+++ b/ghost/core/test/regression/api/admin/authentication.test.js
@@ -53,7 +53,7 @@ describe('Authentication API', function () {
 
         it('complete setup', async function () {
             const email = 'test@example.com';
-            const password = 'thisissupersafe';
+            const password = 'thenewpassword';
 
             const requestMock = nock('https://api.github.com')
                 .get('/repos/tryghost/dawn/zipball')
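Review bot: the literal on `+            const password = 'thenewpassword';` is a test fixture, but both it and the removed `'thisissupersafe'` stay in history, and a string assigned to `password` is exactly what the dork lists and the regex on this page match, so expect secret scanners to flag this file. Keep fixture credentials obviously fake (a fixed prefix such as `test-` makes allow-listing easy) and confirm neither value was ever used on a live instance.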

Git log

bandit29@bandit:/tmp/b29_0xss0rz/repo$ git log
commit 208f463b5b3992906eabf23c562eda3277fea912
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    fix username

commit 18a6fd6d5ef7f0874bbdda2fa0d77b3b81fd63f7
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    initial commit of README.md
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git show 18a6fd6d5ef7f0874bbdda2fa0d77b3b81fd63f7
commit 18a6fd6d5ef7f0874bbdda2fa0d77b3b81fd63f7
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2da2f39
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+# Bandit Notes
+Some notes for bandit30 of bandit.
+
+## credentials
+
+- username: bandit29
+- password: <no passwords in production!>
+
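Review bot: `+- password: <no passwords in production!>` is the right shape for a committed README placeholder, but a placeholder on `master` says nothing about the other refs; the same file can carry a real value on `origin/dev` or under a tag, so a review of the checked-out branch alone is not a review of the repository. Scan every ref (`git log -p --all`).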

Git branch

bandit29@bandit:/tmp/b29_0xss0rz/repo$ git branch
* master
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git branch -r
  origin/HEAD -> origin/master
  origin/dev
  origin/master
  origin/sploits-dev
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git branch
* dev
  master
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git log
commit bc833286fca18a3948aec989f7025e23ffc16c07
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:52 2020 +0200

    add data needed for development

commit 8e6c203f885bd4cd77602f8b9a9ea479929ffa57
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    add gif2ascii

commit 208f463b5b3992906eabf23c562eda3277fea912
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    fix username

commit 18a6fd6d5ef7f0874bbdda2fa0d77b3b81fd63f7
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    initial commit of README.md
bandit29@bandit:/tmp/b29_0xss0rz/repo$ git show bc833286fca18a3948aec989f7025e23ffc16c07
commit bc833286fca18a3948aec989f7025e23ffc16c07
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:52 2020 +0200

    add data needed for development

diff --git a/README.md b/README.md
index 1af21d3..39b87a8 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for bandit30 of bandit.
 ## credentials

 - username: bandit30
-- password: <no passwords in production!>
+- password: 5b90576bedb2cc04c86a9e924ce42faf
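Review bot: `+- password: 5b90576bedb2cc04c86a9e924ce42faf` lands a production-looking credential on the `dev` branch under the message "add data needed for development"; branch protection and secret scanning are commonly configured for the default branch only, so this is exactly the ref that gets missed. Rotate the value, keep development data in untracked, ignored files, and add a pre-commit hook such as git-secrets (see Tools below), which would have rejected this commit.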

bandit29@bandit:/tmp/b29_0xss0rz/repo$

Git tag

bandit30@bandit:/tmp/b30_0xss0rz/repo$ git tag
secret
bandit30@bandit:/tmp/b30_0xss0rz/repo$ git show secret
47e603bb428404d265f59c42920d81e5
bandit30@bandit:/tmp/b30_0xss0rz/repo$
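The transcripts above walk the history by hand: `git show` on the leak-fixing commit, `git log` for its parent, `git branch -r` for the other refs, `git tag` for tagged blobs. The script below is an added example, not code from this page or from any tool it lists. It parses captured `git log -p --all` output (no git binary required, so it also works on a dumped repository) and reports every added or removed line that looks like a credential, with commit, author and file attribution and the value masked. The key list, the placeholder filter and the sample log are my own; the sample is modelled on the bandit output above with placeholder hashes and values. It generalizes the manual walk to every ref, which is the point of `--all`: the `dev` branch and the `secret` tag never show up from `master` alone.

```python
import re

# Hypothetical key list for the demo, a subset of the keyword sections above.
CRED_KEY = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|access[_-]?token|auth[_-]?token|"
    r"client[_-]?secret|aws_secret_access_key|db_password)\b\s*[:=]\s*(\S.*)"
)
# A private key announces itself by its header; no key/value shape needed.
PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY( BLOCK)?-----")
# Values that are clearly placeholders and not worth a finding.
PLACEHOLDER = re.compile(r"^(x+|\*+|<.*>|changeme|redacted)$", re.I)

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
AUTHOR_RE = re.compile(r"^Author: (.*)")
FILE_RE = re.compile(r"^\+\+\+ b/(.*)")

# Constructed sample: `git log -p --all` output modelled on the bandit
# transcripts above, with placeholder hashes and values.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Example Dev <dev@example.invalid>
    fix info leak
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@
 ## credentials
 - username: bandit29
-- password: 0123456789abcdef0123456789abcdef
+- password: xxxxxxxxxx
commit 2222222222222222222222222222222222222222
Author: Example Dev <dev@example.invalid>
    initial commit of README.md
diff --git a/README.md b/README.md
--- /dev/null
+++ b/README.md
@@ -0,0 +1,4 @@
+# Bandit Notes
+## credentials
+- username: bandit29
+- password: <no passwords in production!>
commit 3333333333333333333333333333333333333333
Author: Example Dev <dev@example.invalid>
    add data needed for development
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAAexampleplaceholderAAAA
+-----END OPENSSH PRIVATE KEY-----
"""


def mask(value):
    """Keep four characters at each end so a finding is recognisable
    without reproducing the secret in a report."""
    value = value.strip().strip("'\"")
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_git_log(text):
    """Return credential-looking lines from `git log -p --all` output.

    Removed (-) lines count as much as added (+) ones: a "fix info leak"
    commit drops the line from the tree, but its parent still carries it.
    """
    findings = []
    commit = author = path = None
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit, path = m.group(1), None
            continue
        m = AUTHOR_RE.match(line)
        if m:
            author = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        # Hunk content lines only; the "+++"/"---" file headers are skipped.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        op, content = line[0], line[1:]
        if PEM_HEADER.search(content):
            findings.append(dict(commit=commit, author=author, file=path,
                                 op=op, key="private_key", value=mask(content)))
            continue
        m = CRED_KEY.search(content)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if PLACEHOLDER.match(value):
            continue  # "<no passwords in production!>", "xxxxxxxxxx", ...
        findings.append(dict(commit=commit, author=author, file=path,
                             op=op, key=key, value=mask(value)))
    return findings


if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_LOG):
        print("{commit:.7} {op} {file}: {key} = {value} ({author})".format(**f))
```

Run it against a real repository with `git log -p --all | python3 scan_git_log.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. On the sample it reports two findings: the removed password in the "fix info leak" commit and the private key added under `deploy/`; the placeholder values are deliberately skipped so the report stays readable.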

Deleted Files

Tools

GitHound

echo "uberinternal.com" | ./git-hound --dig-files --dig-commits

echo "uber.com" | ./git-hound --dig-files --language-file languages.txt --dig-commits

echo "uber.box.net" | ./git-hound --dig-files --dig-commits

Gixposed

TruffleHog

# Scan a local Git repository
trufflehog git file:///home/user/my-repo

# Scan a public GitHub repository
trufflehog git https://github.com/username/repo.git

# Scan with filtering results to show only verified and unknown findings
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown

# Scan and format output as JSON using jq for readability
trufflehog git https://github.com/trufflesecurity/test_keys --results=verified,unknown --json | jq

# Scan a GitHub repository and include issue and PR comments in the scan
trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments

# Scan all repositories in a GitHub organization using a personal access token
trufflehog github --org=nasa --token=yourgithubtoken

# Scan a specific GitHub repository (basic usage)
trufflehog github --repo=https://github.com/username/repo

# Legacy TruffleHog v2 syntax: regex rules only, entropy checks disabled
trufflehog --regex --entropy=False repo/

# Legacy v2 syntax with a URL, limiting how many commits deep to go
trufflehog https://github.com/name/repo --max_depth 2

Nosey Parker

Find secrets and sensitive information in textual data and Git history.

Gitleaks

Git-secrets

git clone https://github.com/awslabs/git-secrets
cd git-secrets
make install

Then, inside the repository you want to protect:

$ git secrets --install
$ git secrets --register-aws
$ git secrets --scan
$ git secrets --scan-history

GitGot

GitRob

GitGraber

# Search for sensitive data related to the entire organization
python3 gitGraber.py -k wordlists/keywords.txt -q nasa.gov -s

# Search for sensitive data related strictly to the domain
python3 gitGraber.py -k wordlists/keywords.txt -q "nasa.gov" -s

GitMiner

Regex

$ git clone <url>
$ cd repo_name
$ grep -rP "(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]" .
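The grep above anchors a secret on a quoted 8-64 character value that follows the keyword and an assignment operator. The script below is an added example, not code from the page: it reproduces that pattern in Python with a subset of the page's keyword list, runs it over three constructed sample files, and places a looser variant of my own beside it to show what the page's regex misses, namely JSON and PHP keys that are themselves quoted (`"client_secret": "..."`) and unquoted `.env` values. Matched values are masked in the output.

```python
import re

# Subset of the page's keyword alternation (the full list is in the grep above).
KEYWORDS = ("access_key|access_token|api_key|apikey|auth_token|aws_access_key_id|"
            "aws_secret_key|client_secret|db_password|database_password|encryption_key")
# Separator-and-value part, copied unchanged from the grep above: up to 25
# filler characters, an assignment operator, up to 5 characters, then a
# quoted value of 8-64 characters.
PAGE_TAIL = r"[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]"
PAGE_PATTERN = re.compile(r"(?i)((" + KEYWORDS + ")" + PAGE_TAIL)

# Looser variant (my addition, not from the page): tolerate a quote right
# after the key, as in JSON or PHP arrays, and an unquoted value as in .env.
LOOSE_PATTERN = re.compile(
    r"(?i)((" + KEYWORDS + r")[a-z0-9_ .\-,]{0,25})['\"]?\s*"
    r"(=|>|:=|\|\|:|<=|=>|:)\s*['\"]?([0-9a-zA-Z\-_=]{8,64})['\"]?"
)

# Constructed sample files for the demo; every value here is made up.
SAMPLES = {
    ".env": 'DB_PASSWORD="s3cr3tPassw0rd42"\nAPI_KEY=notquoted1234567890\n',
    "config.json": '{"client_secret": "abcDEF123-_=xyz", "access_token": "short"}\n',
    "settings.py": 'api_key = os.environ["API_KEY"]\naws_secret_key = "AKIAEXAMPLEEXAMPLE1234"\n',
}


def mask(value):
    """Keep four characters at each end; never echo the whole value."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(pattern, path, text):
    """Apply one pattern to one file's text; returns (path, line, key, masked)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in pattern.finditer(line):
            # group 2 is the keyword, group 4 the value, in both patterns
            hits.append((path, lineno, m.group(2).lower(), mask(m.group(4))))
    return hits


def scan_samples(pattern, samples=SAMPLES):
    """Scan every sample file with the given pattern."""
    hits = []
    for path, text in samples.items():
        hits.extend(scan_text(pattern, path, text))
    return hits


if __name__ == "__main__":
    for name, pattern in (("page regex", PAGE_PATTERN), ("loose regex", LOOSE_PATTERN)):
        print("==", name)
        for hit in scan_samples(pattern):
            print("%s:%d %s = %s" % hit)
```

The page's regex finds the `.env` password and the Python assignment but nothing in `config.json`, because the character after the keyword is a closing quote, which neither the filler class nor the operator alternation accepts; the unquoted `API_KEY` value is missed for the same reason in reverse. The looser variant catches both, and still ignores `api_key = os.environ["API_KEY"]`, where the value is code rather than a literal. Loosening the pattern raises the false-positive rate, so pair it with the placeholder filtering and value masking shown here, or with a verification step, before trusting the output.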

Validate different API keys found

Resources

Interesting Books
