Everything you need to know about GitHub Recon (P1 Severity)

G1tHub R3c0n

Hello everyone, this is my first write-up and I came up with this great blog as a part of recon because recon is an effective way for security engineers to find weakly secured mechanisms in a web application and patch them before a malicious actor finds them. I hope you guys will like it.

What is GitHub ?

GitHub is a Git repository hosting service, but it adds many of its own features. While Git is a command line tool, GitHub provides a Web-based graphical interface.

GitHub

Apart from this it also contains API keys, passwords, customer data etc. Basically it contains a lot of sensitive information which can be useful for an attacker. This sensitive information leaks can cost a company thousand dollars of damage. Let’s see the basic concept first of GitHub recon.

This blog contains two ways of GitHub Recon :

  1. Manual (Code Search OR GitHub Dorking)

2. Automated (Using Tools)

  1. Manual - Code Search || GitHub Dorking

Code search is nothing but the use of keywords that helps you to find sensitive things like passwords, API keys, database files etc.

The code within a particular repository or organization can be searched. You must be signed in to a GitHub account to search for code across all public repositories. GitHub provides “rich code searching” that scans public GitHub repositories.

GitHub Search
GitHub Search

Here are the steps to do a recon on GitHub:

  1. You can use simple queries like Facebook.com or google.com etc. to search for a particular company.
Facebook Search

2. You can also use multi-word strings like “API Tokens”

Multi-Word String Search

You can open a repository and search for the API Token or cookies or any other sensitive information.

3. You can search for specific filenames like “filename:vim_settings.XML”

XML File Search

4. You can search for specific languages like “language:PHP”

Search as per Language

Apart from repositories you can also check for code, commits, issues, discussions, packages, marketplace, topics, wikis and users.

Search for Target Company

Apart from using GitHub Dorks, you can directly search for the source. For doing that you need to find the your target company’s GitHub page and from there you can find all their developers and monitor their accounts.

Target Companies GitHub Page

Now you will need to manually go through each repositories one by one and look for sensitive information and this can take long time. You should be looking for urls, API keys, usernames, passwords etc.

GitHub Dork List :

GitHub Dorks for Finding Files

filename:manifest.xml
filename:travis.yml
filename:vim_settings.xml
filename:database
filename:prod.exs NOT prod.secret.exs
filename:prod.secret.exs
filename:.npmrc _auth
filename:.dockercfg auth
filename:WebServers.xml
filename:.bash_history <Domain name>
filename:sftp-config.json
filename:sftp.json path:.vscode
filename:secrets.yml password
filename:.esmtprc password
filename:passwd path:etc
filename:dbeaver-data-sources.xml
path:sites databases password
filename:config.php dbpasswd
filename:prod.secret.exs
filename:configuration.php JConfig password
filename:.sh_history
shodan_api_key language:python
filename:shadow path:etc
JEKYLL_GITHUB_TOKEN
filename:proftpdpasswd
filename:.pgpass
filename:idea14.key
filename:hub oauth_token
HEROKU_API_KEY language:json
HEROKU_API_KEY language:shell
SF_USERNAME salesforce
filename:.bash_profile aws
extension:json api.forecast.io
filename:.env MAIL_HOST=smtp.gmail.com
filename:wp-config.php
extension:sql mysql dump
filename:credentials aws_access_key_id
filename:id_rsa or filename:id_dsa

GitHub Dorks for Finding Languages

language:python username
language:php username
language:sql username
language:html password
language:perl password
language:shell username
language:java api
HOMEBREW_GITHUB_API_TOKEN language:shell

GiHub Dorks for Finding API Keys, Tokens and Passwords

api_key
“api keys”
authorization_bearer:
oauth
auth
authentication
client_secret
api_token:
“api token”
client_id
password
user_password
user_pass
passcode
client_secret
secret
password hash
OTP
user auth

GitHub Dorks for Finding Usernames

user:name (user:admin)
org:name (org:google type:users)
in:login (<username> in:login)
in:name (<username> in:name)
fullname:firstname lastname (fullname:<name> <surname>)
in:email (data in:email)

GitHub Dorks for Finding Information using Dates

created:<2012–04–05
created:>=2011–06–12
created:2016–02–07 location:iceland
created:2011–04–06..2013–01–14 <user> in:username

GitHub Dorks for Finding Information using Extension

extension:pem private
extension:ppk private
extension:sql mysql dump
extension:sql mysql dump password
extension:json api.forecast.io
extension:json mongolab.com
extension:yaml mongolab.com
[WFClient] Password= extension:ica
extension:avastlic “support.avast.com”
extension:json googleusercontent client_secret

So this was all about manual technique to find sensitive information on GitHub, lets move to some automated technique.

2. Automated Technique — Using Tools

However automation makes this tedious process easy and fast but it also has it’s own drawback of false-positive results. Here are some automated tools that will help you find sensitive information on GitHub.

  1. TruggleHog :

This tool is easy to use. It searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.

How to use it ?

  1. Go to https://github.com/dxa4481/truffleHog and download it.
  2. Use to below given command to find for sensitive information

Command : python3 trufflehog.py — regex — entropy=False https://github.com/<yourTargetRepository>

TruffleHog

2. Github-Dorks :

It is a simple python tool that can search through your repository or your organization/user repositories.

How to use it ?

  1. Go to https://github.com/techgaun/github-dorks and download it.
  2. Install all the given requirements.
  3. Use the below given command to search for all the repositories of a single user.

Command : python github-dork.py -u <username>

Github-Dork.py
User Information Leaked

3. Watchtower :

AI-powered scanner to detect API keys, secrets, sensitive information. Watchtower Radar API lets you integrate with GitHub public or private repository, AWS, GitLab, Twilio, etc. The scan results are available on a web interface or CLI output. You can read more about it here : https://radar.nightfall.ai/docs#get-results. Basically it is a web application that helps you to scan github repositories.

How to use it ?

  1. Go to https://radar.nightfall.ai/ and login with your github account.
  2. Simply add your github’s target URL on the left top section for scanning
Target Scanning

3. After the scan is completed click on results to view the information and you’ll be redirected to another page like below one

Scan Completed

4. Now click on GitHub to see the leaked information on github

Result

Some other automated tools for scanning GitHub Repositories :

https://github.com/BishopFox/GitGot
https://github.com/Talkaboutcybersecurity/GitMonitor
https://github.com/michenriksen/gitrob
https://github.com/tillson/git-hound
https://github.com/kootenpv/gittyleaks
https://github.com/awslabs/git-secrets https://git-secret.io/

Well if you love this write-up drop a clap 👏, let’s connect then:

Twitter: https://twitter.com/yashkoradia1

Instagram: https://www.instagram.com/yash_koradia/

LinkedIn: https://www.linkedin.com/in/yash-koradia/

Email: yashkoradia1998@gmail.com

Disclaimer

The Blog Content has been made available for informational and educational purposes only.

I hereby disclaim any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of the Blog Content is solely responsible by the readers.

Peace ✌️ !!!