Hi everyone
In this blog post, I will show you how you can use GitHub search to look for sensitive information in a repo or across a whole organization. The trick is pretty simple.
- You need a GitHub account to search in code.
- Visit GitHub and open search.
- Make your own dorks according to the target, scope, etc. and search for them.
- Look for interesting data on the Code tab.
- Profit.
How to Make Github Dorks
You may already know about Google dorks. Similarly, GitHub also has dork support.
GitHub dorks are in the form prefix:text. The prefix specifies what the search is based on, and the text specifies what to search for.
Useful Prefixes
Here are some prefixes you can use for making dorks.
filename:FILE can be used to search for specific files. For example, filename:.php will search for all php files, and filename:config.php will search in files named config.php.
extension:EXT will search for all files with given extension.
org:ORG can be used to limit search results to specific organization.
path:PATH can be used to search in specific directory.
language:LANG searches in the specified programming language.
There are many more prefixes,
How To Hunt Using Github
Now once you know about basic prefixes, you can start searching for sensitive data.
You can combine multiple prefixes to narrow searches. You can also use the same prefix multiple times to apply it twice. For example, the following dork will search for all py and csv files in the organization microsoft.
org:microsoft extension:py extension:csv
Now it's time to add keywords.
Many times developers just push sensitive credentials to GitHub repos. If we search for specific keywords, we can sometimes get sensitive data, credentials, logins, API keys, etc.
To search for them, you need to guess how they are used in code, such as specific variable names, prefixes etc. Many times you can guess these by reading documentation.
Here are some common filenames which contain sensitive data. You can combine these with your own keywords and look for specific types of data.
- .env, .env.dev, .env.prod: Very popular, it holds various configs and credentials. Many times it contains SMTP info, API keys, mail access, database info, etc.
- config.php, config.py, config.js, config.yaml, config.env etc: Config files often contain API keys, database info and more.
- .conf: Config files.
- .csv, .xlsx and other document types: Can contain sensitive data.
- .sql: Schema definitions, default users, etc. Can be very useful for further pentesting.
- id_rsa, id_ed25519, .pgp: Private keys.
- .pem, .crt: Certificates.
Similarly, you can think of other files which contain sensitive information and use the filename or extension prefix to search for those files in large repos. You will be surprised how often developers push these files with sensitive data.
Keywords
You can use keywords to search for specific types of credentials. You can combine them with prefixes or use them directly as a normal search.
Here is an example:
filename:.env org:microsoft DB_HOST
This will search for env files in the microsoft org, for the DB_HOST text.
How did I get that keyword? Simple: read documentation, read different code and see how things are commonly done. The .env file is generally used with Laravel, and if you read about it, you will see that it mostly uses this value to connect to the database. So if you search for it, you can find database details.
Here are some more keywords for ideas:
- MAIL_HOST, SMTP_HOST, MAIL_SERVER, SMTP_SERVER etc: SMTP details, generally the username and password are in the same file as them. You can also try to log in to email using the same details.
- SENDGRID_API_KEY: Sendgrid API keys.
- mysql dump: Database dumps.
- AWS_SECRET_ACCESS_KEY: AWS credentials.
Similarly, you can use more keywords and combine them with prefixes to create target-specific custom dorks.
I can't post screenshots of this as it may reveal sensitive data. But you can try it yourself on targets you are authorized to pentest.
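From the developer's side, the same filename and keyword lists can be run against a local checkout before anything is pushed. The Python sketch below is an added example, not code from the original post; the function names audit and demo and the sample files are constructed for illustration.

```python
import fnmatch
import os
import re
import tempfile

# Filename patterns and keywords from this post's lists (constructed subset).
SENSITIVE_NAMES = [".env", ".env.*", "config.php", "config.py", "config.js",
                   "config.yaml", "config.env", "*.conf", "*.sql", "id_rsa",
                   "id_ed25519", "*.pgp", "*.pem", "*.crt"]
KEYWORDS = ["DB_HOST", "MAIL_HOST", "SMTP_HOST", "MAIL_SERVER", "SMTP_SERVER",
            "SENDGRID_API_KEY", "AWS_SECRET_ACCESS_KEY"]
# Match KEY=value or KEY: value only when a value is actually present.
ASSIGN = re.compile(r"\b(%s)\b\s*[=:]\s*['\"]?([^\s'\"#]+)" % "|".join(KEYWORDS))

def audit(root):
    """Return sorted (relative_path, line_no, reason) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(name, p) for p in SENSITIVE_NAMES):
                findings.append((rel, 0, "sensitive filename"))
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for no, line in enumerate(fh, 1):
                        m = ASSIGN.search(line)
                        if m:
                            findings.append((rel, no, m.group(1)))
            except OSError:
                continue  # unreadable file: skip the content scan
    return sorted(findings)

def demo():
    """Audit a constructed sample tree built in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "app"))
        samples = {
            ".env": "APP_NAME=demo\nDB_HOST=db.internal.example\n",
            "app/settings.py": "SMTP_HOST = 'mail.example'\n# DB_HOST unset\n",
            "README.md": "Set AWS_SECRET_ACCESS_KEY in your shell.\n",
        }
        for rel, text in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A line number of 0 marks a finding based on the filename alone; mentions of a keyword without an assigned value, such as the README line, are not reported.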
Conclusion
GitHub searches can often turn up sensitive data. If developers are not careful, they may push various credentials to GitHub unknowingly.
You can make custom dorks by the method described above and gather additional data about your target.
If you have any questions, you can comment or dm me.
Suggestions and improvements are always welcome <3