GitHub search is a powerful and useful feature and can be used to search for sensitive data in repositories. This is a collection of GitHub dorks that can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc. This list is supposed to be useful for assessing security and performing pen-testing of systems.
github-dork.py is a simple Python tool that can search through your repository or your organization/user repositories. It's not a perfect tool at the moment, but it provides basic functionality to automate the search on your repositories against the dorks specified in a text file.
This tool uses github3.py to talk to the GitHub Search API.
Clone this repository and run:
```
pip install -r requirements.txt
```

- GH_USER - Environment variable to specify github user
- GH_PWD - Environment variable to specify password
- GH_TOKEN - Environment variable to specify github token
- GH_URL - Environment variable to specify GitHub Enterprise base URL

Some example usages are listed below:
```
python github-dork.py -r techgaun/github-dorks # search single repo
python github-dork.py -u techgaun # search all repos of user
python github-dork.py -u dev-nepal # search all repos of an organization
GH_USER=techgaun GH_PWD=<mypass> python github-dork.py -u dev-nepal # search as authenticated user
GH_TOKEN=<github_token> python github-dork.py -u dev-nepal # search using auth token
GH_URL=https://github.example.com python github-dork.py -u dev-nepal # search a GitHub Enterprise instance
```

- Authenticated requests get a higher rate limit. But, since this tool waits for the API rate limit to be reset (which is usually less than a minute), it can be slightly slow.
- Output formatting is not great. PR welcome
- Handle rate limit and retry. PR welcome

Please consider contributing dorks that can reveal potentially sensitive information on GitHub.
I am not categorizing at the moment. Instead, I am just going to list the dorks with a description. Many of the dorks can be modified to make the search more specific or generic. You can see more options here.

| Dork | Description |
|---|---|
| rds.amazonaws.com password | Amazon RDS possible credentials |
| filename:.bash_profile aws | aws access and secret keys |
| filename:.bash_history | Bash history file |
| filename:CCCam.cfg | CCCam Server config file |
| filename:shadow path:etc | Contains encrypted passwords and account information of new unix systems |
| extension:avastlic | Contains license keys for Avast! Antivirus |
| filename:passwd path:etc | Contains user account information including encrypted passwords of traditional unix systems |
| filename:server.cfg rcon password | Counter Strike RCON Passwords |
| extension:dbeaver-data-sources.xml | DBeaver config containing MySQL Credentials |
| filename:dhcpd.conf | DHCP service config |
| filename:.tugboat NOT _tugboat | Digital Ocean tugboat config |
| filename:settings.py SECRET_KEY | Django secret keys (usually allows for session hijacking, RCE, etc) |
| filename:config.json auths | docker registry authentication data |
| filename:.dockercfg auth | docker registry authentication data |
| path:sites databases password | Drupal website database credentials |
| filename:.esmtprc password | esmtp configuration |
| filename:filezilla.xml Pass | filezilla config file with possible user/pass to ftp |
| filename:recentservers.xml Pass | filezilla config file with possible user/pass to ftp |
| filename:logins.json | Firefox saved password collection (key3.db usually in same repo) |
| filename:.git-credentials | git credentials store, add NOT username for more valid results |
| JEKYLL_GITHUB_TOKEN | Github tokens used for jekyll |
| HOMEBREW_GITHUB_API_TOKEN language:shell | Github token usually set by homebrew users |
| filename:.env MAIL_HOST=smtp.gmail.com | gmail smtp configuration (try different smtp services too) |
| HEROKU_API_KEY language:shell | Heroku api keys |
| HEROKU_API_KEY language:json | Heroku api keys in json files |
| filename:.history | history file (often used by many tools) |
| filename:.htpasswd | htpasswd files |
| filename:hub oauth_token | hub config that stores github tokens |
| filename:idea14.key | IntelliJ Idea 14 key, try variations for other versions |
| filename:configuration.php JConfig password | Joomla configuration file |
| filename:.sh_history | korn shell history |
| filename:.env DB_USERNAME NOT homestead | laravel .env (CI, various ruby based frameworks too) |
| filename:credentials aws_access_key_id | might return false negatives with dummy values |
| filename:.s3cfg | might return false negatives with dummy values |
| .mlab.com password | MLAB Hosted MongoDB Credentials |
| filename:robomongo.json | mongodb credentials file used by robomongo |
| extension:json mongolab.com | mongolab credentials in json configs |
| extension:yaml mongolab.com | mongolab credentials in yaml configs (try with yml) |
| extension:sql mysql dump | mysql dump |
| extension:sql mysql dump password | mysql dump look for password; you can try varieties |
| filename:_netrc password | netrc that possibly holds sensitive credentials |
| filename:.netrc password | netrc that possibly holds sensitive credentials |
| filename:.npmrc _auth | npm registry authentication data |
| extension:json googleusercontent client_secret | OAuth credentials for accessing Google APIs |
| filename:express.conf path:.openshift | openshift config, only email and server though |
| filename:sshd_config | OpenSSH server config |
| filename:prod.exs NOT prod.secret.exs | Phoenix prod configuration file |
| filename:prod.secret.exs | Phoenix prod secret |
| filename:config.php dbpasswd | PHP application database password (e.g., phpBB forum software) |
| PT_TOKEN language:bash | pivotaltracker tokens |
| filename:connections.xml | possible db connections configuration, try variations to be specific |
| filename:config irc_pass | possible IRC config |
| msg nickserv identify filename:config | Possible IRC login passwords |
| SF_USERNAME salesforce | possible salesforce credentials |
| jsforce extension:js conn.login | possible salesforce credentials in nodejs projects |
| filename:.pgpass | PostgreSQL file which can contain passwords |
| extension:pem private | private keys |
| filename:id_rsa OR filename:id_dsa | private ssh keys |
| extension:ppk private | puttygen private keys |
| filename:.cshrc | RC file for csh shell |
| filename:.bashrc password | search for passwords, etc. in .bashrc (try with .bash_profile too) |
| shodan_api_key language:python | Shodan API keys (try other languages too) |
| xoxp OR xoxb | Slack bot and private tokens |
| extension:json api.forecast.io | try variations, find api keys/secrets |
| filename:proftpdpasswd | Usernames and passwords of proftpd created by cpanel |
| filename:.bashrc mailchimp | variation of the .bashrc password search (try more variations) |
| filename:ventrilo_srv.ini | Ventrilo configuration |
| [WFClient] Password= extension:ica | WinFrame-Client info needed by users to connect to Citrix Application Servers |
| filename:wp-config.php | wordpress config files |
| filename:secrets.yml password | Rails uses file secrets.yml to hold API keys and passwords |
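
The dorks in the table can also be evaluated offline against a local working tree, so files they would surface are caught before a push. This is an added example, not part of github-dork.py: the function names are hypothetical, it handles only `filename:`, `extension:`, `path:`, bare keywords and `NOT`, and its matching rules are a simplification of GitHub's search semantics.

```python
import pathlib
import tempfile

def parse_dork(dork):
    """Split a dork into qualifier filters, content keywords and NOT terms."""
    rule = {"filename": [], "extension": [], "path": [], "words": [], "not": []}
    toks = dork.split()
    for i, tok in enumerate(toks):
        key, sep, val = tok.partition(":")
        if tok == "NOT" or (sep and key == "language"):
            continue  # NOT flags the next token; language: is not evaluated here
        if i and toks[i - 1] == "NOT":
            key, val = "not", tok
        elif not (sep and key in ("filename", "extension", "path")):
            key, val = "words", tok
        rule[key].append(val.lower())
    return rule

def matches(rule, rel, text):
    """Simplified rules on lower-cased text: substring match, suffix for extension."""
    folder, _, name = rel.lower().rpartition("/")
    return (all(f in name for f in rule["filename"])
            and all(name.endswith("." + e) for e in rule["extension"])
            and all(p.strip("/") in folder for p in rule["path"])
            and all(w in text for w in rule["words"])
            and not any(n in text or n in name for n in rule["not"]))

def scan_tree(root, dorks):
    """Return sorted (relative path, dork) pairs for files a dork would surface."""
    rules = [(d, parse_dork(d)) for d in dorks]
    hits = []
    for path in pathlib.Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and not rel.startswith(".git/"):
            text = path.read_text(errors="replace").lower()
            hits += [(rel, d) for d, r in rules if matches(r, rel, text)]
    return sorted(hits)

def demo():
    """Scan a constructed sample tree (all values fake) with dorks from the table."""
    dorks = ["filename:.env DB_USERNAME NOT homestead", "extension:pem private",
             "filename:shadow path:etc"]
    sample = {"app/.env": "DB_USERNAME=svc\n", "demo/.env": "DB_USERNAME=homestead\n",
              "keys/dev.pem": "private key\n", "etc/shadow": "x\n", "docs/shadow": "x\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            pathlib.Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            pathlib.Path(root, rel).write_text(body)
        return scan_tree(root, dorks)
```

Calling `scan_tree(".", dorks)` from a repository root lists each file together with the dork that would expose it.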