Hello hackers. I hope you are well. I am Tamim Hasan, a security researcher and bug bounty hunter from Bangladesh 🇧🇩.
Today I am going to talk about GitHub dork.
So what is GitHub?
GitHub is where over 56 million developers shape the future of software, together. They contribute to the open-source community, manage their Git repositories, and do lots of other stuff.
Sometimes a repository contains sensitive information such as API and DB credentials, FTP credentials, and much more.
You can find sensitive information on GitHub in 2 ways:
- Automation
- Manual
But we are going with the manual part.
So let's get started.

1# Simple search
First, simply search for your target, like xyz.com, to understand their repo architecture: how many repos and commits there are, what languages are used, and so on.
2# Sort
Use sort: Recently Indexed to see the latest code results, not the Best Match option, because old credentials (especially ones 4–5 years old) may no longer work. Companies also prefer reports about the latest ones.
3# Dorks
This is the main thing for GitHub recon. My suggestion is to start with some basic dorks first.
Here are some basic dorks shared by @El3ctr0Byt3s:
api_key "api keys" authorization_bearer: oauth auth authentication client_secret api_token: "api token" client_id password user_password user_pass passcode client_secret secret password hash OTP user auth
#Some of mine which I generally use:
remove password root admin log trash token FTP_PORT FTP_PASSWORD DB_DATABASE= DB_HOST= DB_PORT= DB_PASSWORD= DB_PW= DB_USER= number
3# Language
Use GitHub dorks together with a language qualifier to get more effective results, like:
- language:shell username
- language:sql username
- language:python ftp
- language:bash ftp
4# Wildcard
Use * (wildcard) for more results, because sometimes the target's website has .com, .net, etc. In that case, if you specify your GitHub search as xyz.com, you may miss something on .net.
You can also use * (wildcard) like *.xyz.com.
5# URL
You should also check URLs (the ones that look important to you), because some URLs point to important documents such as pdf, ppt, or xls files, which may contain sensitive info.
(You can simplify this with Google dorks like site:xxyz.com ext:doc | ext:docx | ext:odt | ext:pdf | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv | ext:txt | ext:html | ext:php | ext:xls)
I said it because I found an xls file on some website by doing this, which contains users' details.
You can find some useful Google dorks in my GitHub repo.
6# NOT
Use NOT to filter your GitHub search and get exact information from the GitHub ocean, like: xyz.com filename:prod.exs NOT prod.secret.exs
7# Social Media
Follow the developers and employees of your target on social media. They can do stuff like leak teams links that are open, leak feature releases, leak acquisitions, etc.
8# Some useful GitHub dorks:
- dotfiles
- filename:sftp-config.json password
- filename:.s3cfg
- filename:config.php dbpasswd
- filename:.bashrc password
- filename:.esmtprc password
- filename:.netrc password
- filename:_netrc password
- filename:.env MAIL_HOST=smtp.gmail.com
- filename:prod.exs NOT prod.secret.exs
- filename:.npmrc _auth
- filename:WebServers.xml
- filename:sftp-config.json
- filename:passwd path:etc
- filename:prod.secret.exs
- filename:proftpdpasswd
- filename:travis.yml
- filename:vim_settings.xml
- filename:sftp.json path:.vscode
- filename:secrets.yml password
- extension:sql mysql dump
- extension:sql mysql dump password
- extension:pem private
- extension:ppk private
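The same dorks can be turned on your own checkout before you push, so that a repository never shows up in these searches. The script below is an added example, not part of the original post: `scan_tree`, `demo`, the rule tables (a subset of the dorks on this page) and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# (file name, must contain, must not contain) from this page's dorks; None = no condition.
FILENAME_RULES = [
    ("sftp-config.json", "password", None),
    (".env", "MAIL_HOST=smtp.gmail.com", None),
    (".npmrc", "_auth", None),
    ("prod.exs", None, "prod.secret.exs"),
]
EXTENSION_RULES = [(".pem", "private"), (".ppk", "private")]
# Keywords from the author's own list; only a non-empty value is a finding.
ASSIGNMENT_RE = re.compile(r"^\s*(DB_PASSWORD|DB_PW|FTP_PASSWORD)=(\S+)", re.M)

def scan_tree(root):
    """Return sorted (relative path, matched rule) pairs for files under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            lower = text.lower()  # match keywords case-insensitively
            for fname, need, deny in FILENAME_RULES:
                hit = name == fname and (not need or need.lower() in lower)
                if hit and not (deny and deny.lower() in lower):
                    findings.append((rel, "filename:" + fname))
            for ext, need in EXTENSION_RULES:
                if name.endswith(ext) and need in lower:
                    findings.append((rel, "extension:" + ext[1:]))
            for m in ASSIGNMENT_RE.finditer(text):
                findings.append((rel, m.group(1) + "= is set"))
    return sorted(findings)

def demo():  # constructed sample tree; every value is a placeholder
    files = {".env": "MAIL_HOST=smtp.gmail.com\nDB_PASSWORD=not-a-real-value\n",
             ".env.example": "DB_PASSWORD=\n",
             "deploy/id.pem": "-----BEGIN PRIVATE KEY-----\n(constructed)\n",
             "a/prod.exs": "config :app, secret_key_base: \"placeholder\"\n",
             "b/prod.exs": "import_config \"prod.secret.exs\"\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Calling `scan_tree(".")` from the root of a checkout lists what to remove or rotate; the empty `DB_PASSWORD=` template and the `prod.exs` that only imports `prod.secret.exs` are deliberately not reported.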
#Automation:
The manual way is best for finding sensitive info on GitHub. But if you want to automate this process, I suggest GitDorker. While GitHub hunting I sometimes use this tool too. It is a bit slow, because to prevent rate limits GitDorker sends 30 requests per minute, but it gives you far fewer false-positive results than other tools.
You can find more GitHub dorks on:
https://github.com/random-robbie/keywords/blob/master/keywords.txt
https://gist.github.com/jhaddix/77253cea49bf4bd4bfd5d384a37ce7a4
Some awesome write-ups about GitHub dorks/recon:
https://orwaatyat.medium.com/your-full-map-to-github-recon-and-leaks
https://gist.github.com/EdOverflow/922549f610b258f459b219a32f92d10b
https://medium.com/hackernoon/developers-are-unknowingly-posting-their-credentials-online-caa7626a6f84
https://shahjerry33.medium.com/github-recon-its-really-deep-6553d6dfbb1f
You can also search on Twitter for something like
github dork #bugbounty
to learn more about GitHub dorks. There, people share how they find sensitive info using GitHub recon and which GitHub dorks they use.
To read reports about GitHub dorks, you can use some simple Google dorks like:
- github dork site:hackerone.com
- github dork site:medium.com
That's all for today, guys. I hope it's helpful for you. Let me know if I made any mistakes in my write-up or if you have any suggestions for me.
You can follow me on Youtube | Github | Twitter | Linkedin | Facebook
Thank you😀😀