Dears, this is a step-by-step walkthrough of techniques and patterns for GitHub recon, used to expose secrets, credentials, API keys and other very interesting information about our target. I will explain the how and why of manual GitHub recon, especially dorking.

So let's start, Hunters.

🤔 Why GitHub?

Developers accidentally place their company's secrets and files on GitHub, which reveals internal endpoints, config files, API keys, emails, passwords 🔑 etc. When we search for a target, we face hundreds of code files and repos on GitHub, which really takes time, but we can find the targeted credentials using some clever ways. I prefer manual recon because automated tools make it quick but miss a lot of valuable information.

💫 Dorking

Dorking is just a targeted search. Instead of scanning everything blindly, you express what you want to find using search operators and patterns, which we will discuss in depth. A dork is nothing but a search recipe. So dork = Qualifier (where to look) + Keyword (what to look for).

Qualifier: Where to look 🧐

When you want to say, "O GitHub, look for me there (in a specific place)", we use a qualifier.

Let's study the important qualifiers, the ones mostly used during GitHub recon.

in:file

Searches inside the actual file content. This is the default, but stating it makes your search explicit to GitHub.

e.g. the following qualifier will find every file on GitHub that mentions "api_key" inside its content.

in:file "api_key"

filename:

This matches the name of the given file. It is powerful because certain files (like .env, config, settings.py) are common places for secrets.

filename:.env

The above will return every file named .env, without looking at what is inside it.

extension:

It finds files with the specific given extension, like

extension:yaml "api_key"

It will find "api_key" in any yaml file.

org:

It scopes the search to a specific organization. For instance, if you want to find .env files in a specific organization like Netflix, it will look like

org:Netflix filename:.env

language:

It filters your search by code type.

language:python "os.getenv" 

Finds Python scripts that load environment variables.

That's enough of the ABC of dorking. Now comes the real part, where we will build a dork step by step for special requirements using the ABC we learned above.

Building a dork using logic, step by step 🪜

Let's take a target, example.com.

Step 1 - Broad search

in:file "example.com"

Shows any file which contains example.com.

Step 2 - Focus on sensitive files

in:file "example.com" filename:.env

Now it's finding .env files that contain example.com.

Step 3 - Combine with keywords

in:file "example.com" filename:.env ("API_KEY" OR "AWS_SECRET_ACCESS_KEY")

It finds .env files mentioning example.com that also contain the selected keywords.

Step 4 - Touching config files

in:file "example.com" (extension:yaml OR extension:json)

To look for config files, which mostly contain secrets.

Step 5 - Using org

org:google filename:.env "API_KEY"

To search for .env files in Google's organization repos that contain the "API_KEY" keyword.

Now, what are keywords?

This is what to look for. These are the signals that indicate something interesting.

Examples:

Sensitive strings: "password", "apikey", "token", "secret", "AKIA", "PRIVATE KEY".

Domain names: "target.com", "api.target.com".

Variable names: "DB_PASS", "AWS_SECRET_ACCESS_KEY".

Error messages or configs: "localhost", "smtp", "ftp", "ssh".

We don't have to memorize these, but you must know what works, how and why. As a security researcher you must understand the logic behind everything.
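The same signals, seen from the other side. The following scanner is an added example (not code from the original post) that applies the post's filename:, extension: and in:file logic to a repository's own files before they are pushed, so the developer catches the leak before a dork does. The sample repository and every value in it are constructed placeholders.

```python
import re
from pathlib import PurePosixPath

# The post's three signal classes, turned around to check files before they
# are pushed: name sets mirror filename:/extension:, patterns mirror in:file.
SENSITIVE_FILENAMES = {".env", "settings.py", "config"}
SENSITIVE_EXTENSIONS = {".yaml", ".yml", ".json"}
CONTENT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AKIA prefix + 16 chars
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # secret-looking variable assigned a literal value; an environment lookup
    # (os.getenv(...), process.env...) is the safe pattern and is skipped
    "secret_assignment": re.compile(
        r"(?i)\b(?:api_?key|aws_secret_access_key|db_pass(?:word)?|token|secret|password)\b"
        r"\s*[:=]\s*['\"]?(?!(?:os|process)\.)[^\s'\"]{8,}"
    ),
}

def scan_file(path: str, content: str) -> list:
    """Return (path, line_no, signal) findings; line 0 marks a name-level hit."""
    findings = []
    p = PurePosixPath(path)
    if p.name in SENSITIVE_FILENAMES:        # filename: qualifier
        findings.append((path, 0, f"filename:{p.name}"))
    elif p.suffix in SENSITIVE_EXTENSIONS:   # extension: qualifier
        findings.append((path, 0, f"extension:{p.suffix.lstrip('.')}"))
    for n, line in enumerate(content.splitlines(), 1):   # in:file keywords
        for signal, pattern in CONTENT_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, n, signal))
    return findings

def scan_tree(files: dict) -> list:
    """Scan a {path: content} mapping, e.g. the files staged for a commit."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return findings

# Constructed sample repository; every value is a fake placeholder.
SAMPLE_REPO = {
    "app/.env": "API_KEY=sk_live_placeholder_not_real\nDEBUG=true\n",
    "deploy/config.yaml": "region: us-east-1\naws_access_key_id: AKIAEXAMPLE0000000AB\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "src/main.py": "import os\ntoken = os.getenv('TOKEN')\n",
}

if __name__ == "__main__":
    for path, line_no, signal in scan_tree(SAMPLE_REPO):
        print(f"{path}:{line_no}: {signal}")
```

Run it as a pre-commit hook over the staged files and the src/main.py case shows why the os.getenv dork above is a good sign rather than a finding.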

This was a basic intro to manual GitHub recon. I will share every point of learning and every finding in my journey. OK hunters, Happy Hacking ❤

Follow along to learn from mistakes and grow.