Lädt...

📰 Git-Hound v1.1 - GitHound Pinpoints Exposed API Keys On GitHub Using Pattern Matching, Commit History Searching, And A Unique Result Scoring System


Nachrichtenbereich: 📰 IT Security Nachrichten
🔗 Quelle: feedproxy.google.com


A batch-catching, pattern-matching, patch-attacking secret snatcher.

GitHound pinpoints exposed API keys and other sensitive information on GitHub using pattern matching, commit history searching, and a unique result scoring system. GitHound has earned me over $7500 applied to Bug Bounty research. Corporate and Bug Bounty Hunter use cases are outlined below.

Features
  • GitHub/Gist code searching. This enables GitHound to locate sensitive information exposed across all of GitHub, uploaded by any user.
  • Generic API key detection using pattern matching, context, and Shannon entropy.
  • Commit history digging to find improperly deleted sensitive information (for repositories with <6 stars)..
  • Scoring system to emphasize confident results, filter out common false positives, and to optimize intensive repo digging.
  • Base64 detection and decoding
  • Options to build GitHound into your workflow, like custom regexes and results-only output mode.

Usage
echo "tillsongalloway.com" | git-hound or git-hound --subdomain-file subdomains.txt

Setup
  1. Download the latest release of GitHound
  2. Create a ./config.yml or ~/.githound/config.yml with your GitHub username and password (2FA accounts are not supported). See config.example.yml.
    1. If it's your first time using the account on the system, you may receieve an account verification email.
  3. echo "tillsongalloway.com" | git-hound

Use cases

Corporate: Searching for exposed customer API keys
Knowing the pattern for a specific service's API keys enables you to search GitHub for these keys. You can then pipe matches for your custom key regex into your own script to test the API key against the service and to identify the at-risk account.
echo "api.halcorp.biz" | githound --dig --many-results --regex-file halcorp-api-regexes.txt --results-only | python halapitester.py
For detecting future API key leaks, GitHub offers Push Token Scanning to immediately detect API keys as they are posted.

Bug Bounty Hunters: Searching for leaked employee API tokens
My primary use for GitHound is for finding sensitive information for Bug Bounty programs. For high-profile targets, the --many-results hack and --languages flag are useful for scraping >100 pages of results.
echo "uberinternal.com" | githound --dig --many-results --languages common-languages.txt --threads 100

Flags
  • --subdomain-file - The file with the subdomains
  • --dig-files - Clone and search the repo's files for results
  • --dig-commits - Clone and search the repo's commit history for results
  • --many-results - Use result sorting and filtering hack to scrape more than 100 pages of results
  • --results-only - Print only regexed results to stdout. Useful for piping custom regex matches into another script
  • --no-repos - Don't search repos
  • --no-gists - Don't search Gists
  • --threads - Specify max number of threads for the commit digger to use.
  • --regex-file - Supply a custom regex file
  • --language-file - Supply a custom file with languages to search.
  • --config-file - Custom config file (default is config.yml)
  • --pages - Max pages to search (default is 100, the page maximum)
  • --no-scoring - Don't use scoring to filter out false positives
  • --no-api-keys - Don't perform generic API key searching. GitHound uses common API key patterns, context clues, and a Shannon entropy filter to find potential exposed API keys.
  • --no-files - Don't flag interesting file extensions
  • --only-filtered - Only search filtered queries (languages)
  • --debug - Print verbose debug messages.

Related tools
  • GitRob is an excellent tool that specifically targets an organization or user's repositories for exposed credentials and displays them on a beautiful web interface.


...

🔧 C# Pattern Matching Inside Out: Kompakter und prägnanter C#-Code durch Pattern Matching


📈 57.32 Punkte
🔧 Programmierung

🔧 “Good Commit” vs “Your Commit”: How to Write a Perfect Git Commit Message


📈 53.31 Punkte
🔧 Programmierung

🔧 What is the difference between git commit -m and git commit -am?


📈 48.85 Punkte
🔧 Programmierung

🕵️ High CVE-2018-3785: Git-dummy-commit project Git-dummy-commit


📈 47.22 Punkte
🕵️ Sicherheitslücken

🔧 Good Commit ✅ vs Bad Commit❎: Commit Message Comparisons🧭


📈 44.56 Punkte
🔧 Programmierung

🐧 Git’s database internals II: commit history queries (GitHub blog)


📈 39.6 Punkte
🐧 Linux Tipps

🎥 Git Commit 101: Dominando los Fundamentos de Git y GitHub


📈 39.3 Punkte
🎥 Video | Youtube

🔧 How to Commit Multiline Messages in git commit


📈 38.46 Punkte
🔧 Programmierung

🔧 git commit -m is a lie! How to commit like a pro


📈 38.46 Punkte
🔧 Programmierung

🔧 Git revert commit – Come rimuovere l'ultimo commit fatto


📈 38.46 Punkte
🔧 Programmierung

🔧 Good Commit ✔ VS. Bad Commit ❌: Best Practices for Git


📈 38.46 Punkte
🔧 Programmierung

🔧 Automatically Prefix JIRA Issue ID to Git Commit Messages using Git Hooks


📈 37.02 Punkte
🔧 Programmierung

🔧 GitHub Commits Color Scheme: Lets commit to commit.


📈 36.64 Punkte
🔧 Programmierung

🐧 Hot keys for Chrome or a better browser for searching w/hot keys


📈 34.77 Punkte
🐧 Linux Tipps

🔧 Improving API Error Responses With the Result Pattern


📈 33.39 Punkte
🔧 Programmierung

📰 truffleHog – Search Git for High Entropy Strings with Commit History


📈 32.66 Punkte
📰 IT Security Nachrichten

🔧 Squashing Git Commits for a Cleaner Commit History


📈 32.66 Punkte
🔧 Programmierung

🐧 Will Linux ever rewrite its git commit history?


📈 32.66 Punkte
🐧 Linux Tipps

🔧 Mastering Git Rebase: Streamlining Your Commit History


📈 32.66 Punkte
🔧 Programmierung

🔧 How to delete entire git commit history?


📈 32.66 Punkte
🔧 Programmierung

🐧 Check Git Commit History


📈 32.66 Punkte
🐧 Linux Tipps

📰 Git-Vuln-Finder - Finding Potential Software Vulnerabilities From Git Commit Messages


📈 32.36 Punkte
📰 IT Security Nachrichten

🐧 Git Commit: Snapshots erstellen in Git


📈 32.36 Punkte
🐧 Server

🔧 git commit -p (a cool git command)


📈 32.36 Punkte
🔧 Programmierung

🐧 Git Tutorial | What is GitHub | What is GIT | GitHub Tutorial From Serv...


📈 31.39 Punkte
🐧 Linux Tipps

🔧 Pre-commit checks to format your files and commit messages


📈 31.34 Punkte
🔧 Programmierung

🕵️ FetLife: Able to see highest poll result without voting or view result


📈 30.7 Punkte
🕵️ Sicherheitslücken

📰 Visual Studio 2022 Version 17.9: GitHub Copilot erstellt Git Commit Messages


📈 30.55 Punkte
📰 IT Nachrichten

🔧 Visual Studio 2022 Version 17.9: GitHub Copilot erstellt Git Commit Messages


📈 30.55 Punkte
🔧 Programmierung

📰 Visual Studio 2022 Version 17.9: GitHub Copilot erstellt Git Commit Messages


📈 30.55 Punkte
📰 IT Nachrichten

🎥 Git Commit 101: IA y GitHub Copilot Revolucionando la Programación


📈 30.55 Punkte
🎥 Video | Youtube

🔧 Debugging Tips and Tricks for Python Structural Pattern Matching


📈 30.29 Punkte
🔧 Programmierung

matomo