Github Dork

3 years ago 177
BOOK THIS SPACE FOR AD
ARTICLE AD

Use Github Dork For Finding Sensitive Information

Tamim Hasan

Hello Guys, How are you hope you are well. Today I am going to talk about GitHub dork.

GitHub is where over 56 million developers shape the future of software, together. Contribute to the open-source community, manage their Git repositories, and doing lots of stuff.

And sometimes the repository contains much sensitive information like api,db credentials,ftp credentials, and much more.

You can find sensitive information on github by 2 way

AutomationManual

But we are going with the manual part.

So let's get started………

1# Simple search

At first, you should just simply search your target like xyz.com to understand their repo architecture how many repos, commits, and what kind of languages are found stuff like that.

2#Sort

Use sort: Recently Indexed to see the latest code result. Not Best Match option because old credentials may not be working now especially 4–5 years old on the other hand company also prefer the latest one.

3# Dorks

This is the main thing for github recon. In my suggestion, you can start with some basic dorks fast.

Here are some basic dork which is shared by @El3ctr0Byt3s

api_key
“api keys”
authorization_bearer:
oauth
auth
authentication
client_secret
api_token:
“api token”
client_id
password
user_password
user_pass
passcode
client_secret
secret
password hash
OTP
user auth

#Some of the mine which I use generally

remove password
root
admin
log
trash
token
FTP_PORT
FTP_PASSWORD
DB_DATABASE=
DB_HOST=
DB_PORT=
DB_PASSWORD=
DB_PW=
DB_USER=
number

#3 Language

Use github dorks with language to get more effective result.

like: language:shell username
language:sql username
language:python ftp
language:bash ftp

4#whildcard

use *(wildcard)for more result because sometime targeted website had .com or .net etc.In this case if you specify your github search like xyz.com then you may miss something of .net

You can also use *(wildcard) like *.xyz.com.

5#Url

you should also check URL (which looks important on your eyes)because some of the URL contains some important document like pdf ,ppt,xls file which may contains sensitive info.

(you may also do this simple with google dork site:xxyz.com ext:doc | ext:docx | ext:odt | ext:pdf | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv | ext:txt | ext:html | ext:php | ext:xls)

I said it because I found xls file on some website by doing this which contains users details.

You can find some useful google dorks in my github repo.

6#NOT

Use NOT to filter your github search and get exact information from github ocean. like: xyz.com filename:prod.exs NOT prod.secret.exs.

#7 Social Media

Follow the developers and employees of your target on social media. They can do stuff like leak teams links that are open, leak feature releases, leak acquisitions ect.

#8 Some useful github dorks:

dotfiles
filename:sftp-config.json password
filename:.s3cfg
filename:config.php dbpasswd
filename:.bashrc password
filename:.esmtprc password
filename:.netrc password
filename:_netrc password
filename:.env MAIL_HOST=smtp.gmail.com
filename:prod.exs NOT prod.secret.exs
filename:.npmrc _auth
filename:WebServers.xml
filename:sftp-config.json
filename:.esmtprc password
filename:passwd path:etc
filename:prod.secret.exs
filename:sftp-config.json
filename:proftpdpasswd
filename:travis.yml
filename:vim_settings.xml
filename:sftp.json path:.vscode
filename:secrets.yml password
extension:sql mysql dump
extension:sql mysql dump
extension:sql mysql dump password
extension:pem private
extension:ppk private

#Automation:

The manual way is best for finding sensitive info from Github. But if you want to automate this process then you can use GitDorker tool. While GitHub hunting sometimes I also you this tool.Though it is a bit slow because to prevent rate limits Gitdocker sends 30 requests per minute. But it gives you much fewer false-positive results than other tools.

You can find more github dorks on:

https://github.com/random-robbie/keywords/blob/master/keywords.txt
https://gist.github.com/jhaddix/77253cea49bf4bd4bfd5d384a37ce7a4

Some awesome write-up about github dork/recon

https://orwaatyat.medium.com/your-full-map-to-github-recon-and-leaks-exposure-860c37ca2c82
https://medium.com/hackernoon/developers-are-unknowingly-posting-their-credentials-online-caa7626a6f84
https://shahjerry33.medium.com/github-recon-its-really-deep-6553d6dfbb1f

You can also search on twitter like github dork to get more about github dork.Here people share how can they find sensitive info using github recon and what github dork they use.

To read the report about this use a simple google dork github dork site:hackerone.com.

That's all for today guys. Hope It’s helpful for you. Let me know if I made any mistakes in my write-up or you have any suggestions for me.

You can follow me on Github | Twitter | Linkedin | Facebook

Read Entire Article