TSEC NEWS: 06.05.21 Cron-Job Fehlerhaft nach PHP Update + PWA mobile + Desktop / 04.05.21 - Android App von TSECURITY 28.04.21 - NEUER SERVER // 26.04.21 ++ Download the Electron-App für tsecurity.de // Über 550 Feed-Quellen


❈ Shhgit - Find GitHub Secrets In Real Time

IT Security Nachrichten feedproxy.google.com





Shhgit finds secrets and sensitive files across GitHub code and Gists committed in near real time by listening to the GitHub Events API.

NEW: LIVE VERSION. Find GitHub secrets straight from your browser!

Finding secrets in GitHub is nothing new. There are many great tools available to help with this depending on which side of the fence you sit. On the adversarial side, popular tools such as gitrob and truggleHog focus on digging in to commit history to find secret tokens from specific repositories, users or organisations. On the defensive side, GitHub themselves are actively scanning for secrets through their token scanning project. Their objective is to identify secret tokens within committed code in real-time and notify the service provider to action. So in theory if any AWS secret keys are committed to GitHub, Amazon will be notified and automatically revoke them.
I developed shhgit to raise awareness and bring to life the prevalence of this issue. I hope GitHub will do more to prevent bad actors using the treasure trove of information across the platform. I don't know the inner-workings of their token scanning project but delaying the real-time feed API until the pipeline has completed and posing SLAs on the providers seems like a step in the right direction.
With some tweaking of the signatures shhgit would make an awesome addition to your bug bounty toolkit.

Run from Docker
  1. Edit config.yaml and insert your github credentials
  2. $ docker run -v $(pwd)/config.yaml:/config.yaml:ro fnxpt/shhgit


Installation
You can use the precompiled binaries or build from source:
  1. Install Go for your platform.
  2. $ go get github.com/eth0izzle/shhgit will download and build shhgit.
  3. See usage.

Usage
shhgit needs to access the public GitHub API so you will need to obtain and provide an access token. The API has a hard rate limit of 5,000 requests per hour per account, regardless what token is used. The more account-unique tokens you provide, the faster you can process the events. Follow this guide to generate a token; it doesn't require any scopes or permissions. And then place it under github_access_tokens in config.yaml. Note that it is against the GitHub terms to bypass their rate limits. Use multiple tokens at your own risk.
Unlike other tools, you don't need to pass any targets with shhgit. Simply run $ shhgit to start watching GitHub commits and find secrets or sensitive files matching the included 120 signatures.
Alternatively, you can forgo the signatures and use shhgit with a search query, e.g. to find all AWS keys you could use shhgit --search-query AWS_ACCESS_KEY_ID=AKIA

Options
--clone-repository-timeout
Maximum time it should take to clone a repository in seconds (default 10)
--csv-path
Specify a path if you want to write found secrets to a CSV. Leave blank to disable
--debug
Print debugging information
--entropy-threshold
Finds high entropy strings in files. Higher threshold = more secret secrets, lower threshold = more false positives. Set to 0 to disable entropy checks (default 5.0)
--maximum-file-size
Maximum file size to process in KB (default 512)
--maximum-repository-size
Maximum repository size to download and process in KB) (default 5120)
--minimum-stars
Only clone repositories with this many stars or higher. Set to 0 to ignore star count (default 0)
--path-checks
Set to false to disable file name/path signature checking, i.e. just match regex patterns (default true)
--process-gists
Watch and proces s Gists in real time. Set to false to disable (default true)
--search-query
Specify a search string to ignore signatures and filter on files containing this string (regex compatible)
--silent
Suppress all output except for errors
--temp-directory
Directory to store repositories/matches (default "%temp%\shhgit")
--threads
Number of concurrent threads to use (default number of logical CPUs)

Config
The config.yaml file has 6 elements. A default is provided.
github_access_tokens: # provide at least one token
- 'token one'
- 'token two'
slack_webhook: '' # url to your slack webhook. Found secrets will be sent here
blacklisted_extensions: [] # list of extensions to ignore
blacklisted_paths: [] # list of paths to ignore
blacklisted_entropy_extensions: [] # additional extensions to ignore for entropy checks
signatures: # list of signatures to check
- part: '' # either filename, extension, path or contents
match: '' # simple text comparison (if no regex element)
regex: '' # regex pattern (if no match element)
name: '' # name of the signature

Signatures
shhgit comes with 120 signatures. You can remove or add more by editing config.yaml.
Chef private key, Potential Linux shadow file, Potential Linux passwd file, Docker configuration file, NPM configuration file, Environment configuration file, Contains a private key, AWS Access Key ID Value, AWS Access Key ID, AWS Account ID, AWS Secret Access Key, AWS Session Token, Artifactory, CodeClimate, Facebook access token, Google (GCM) Service account, Stripe API key, Google OAuth Key, Google Cloud API Key
Google OAuth Access Token, Picatic API key, Square Access Token, Square OAuth Secret, PayPal/Braintree Access Token, Amazon MWS Auth Token, Twilo API Key, MailGun API Key, MailChimp API Key, SSH Password, Outlook team, Sauce Token, Slack Token, Slack Webhook, SonarQube Docs API Key, HockeyApp, Username and password in URI, NuGet API Key, Potential cryptographic private key, Log file, Potential cryptographic key bundle, Potential cryptographic key bundle
Potential cryptographic key bundle, Potential cryptographic key bundle, Pidgin OTR private key, OpenVP N client configuration file, Azure service configuration schema file, Remote Desktop connection file, Microsoft SQL database file, Microsoft SQL server compact database file, SQLite database file, SQLite3 database file, Microsoft BitLocker recovery key file
Microsoft BitLocker Trusted Platform Module password file, Windows BitLocker full volume encrypted data file, Java keystore file, Password Safe database file, Ruby On Rails secret token configuration file, Carrierwave configuration file, Potential Ruby On Rails database configuration file, OmniAuth configuration file, Django configuration file
1Password password manager database file, Apple Keychain database file, Network traffic capture file, GnuCash database file, Jenkins publish over SSH plugin file, Potential Jenkins credentials file, KDE Wallet Manager database file, Potential MediaWiki configuration file, Tunnelblick VPN configuration file, Sequel Pro MySQL database manager bookmark file, Little Snitch firewall configuration file, Day One journal file, Potential jrnl journal file, Chef Knife configuration file, cPanel backup ProFTPd credentials file
Robomongo MongoDB manager configuration file, FileZilla FTP configuration file, FileZilla FTP recent servers file, Ventrilo server configuration file, Terraform variable config file, Shell configuration file, Shell configuration file, Shell configuration file, Private SSH key, Private SSH key, Private SSH key, Private SSH key, SSH configuration file, Potential cryptographic private key, Shell command history file
MySQL client command history file, PostgreSQL client command history file, PostgreSQL password file, Ruby IRB console history file, Pidgin chat client account configuration file, Hexchat/XChat IRC client server list configuration file, Irssi IRC client configuration file, Recon-ng web reconnaissance framework API key database, DBeaver SQL database manager configuration file, Mutt e-mail client configuration file, S3cmd configuration file, AWS CLI credentials file, SFTP connection configuration file, T command-line Twitter client configuration file, Shell configuration file
Shell profile configuration file, Shell command alias configuration file, PHP configuration file, GNOME Keyring database file, KeePass password manager database file, SQL dump file, Apache htpasswd file, Configuration file for auto-login process, Rubygems credentials file, Tugboat DigitalOcean management tool configuration, DigitalOcean doctl command-line client configuration file, git-credential-store helper credentials file, GitHub Hub command-line client configuration file, Git configuration file

Contributing
  1. Fork it, baby!
  2. Create your feature branch: git checkout -b my-new-feature
  3. Commit your changes: git commit -am 'Add some feature'
  4. Push to the branch: git push origin my-new-feature
  5. Submit a pull request.

Credits
Some code borrowed from Gitrob by Michael Henriksen.

Disclaimer
I take no responsibility for how you use this tool. Don't be a dick.


...


Kompletten Artikel lesen (externe Quelle: http://feedproxy.google.com/~r/PentestTools/~3/PHsUtb-C5vE/shhgit-find-github-secrets-in-real-time.html)

Zur Startseite

➤ Weitere Beiträge von Team Security | IT Sicherheit (tsecurity.de)

Thank you, Visual Studio docs contributors (March 2020)

vom 889.2 Punkte
We want to say a big thank you to everyone who contributed to the docs in March of 2020! You are helping make the Visual Studio docs clearer, more complete, and more understandable for everyone. We love that our community takes the time to get involve

Exegol - Exegol Is A Kali Light Base With A Few Useful Additional Tools And Some Basic Configuration

vom 864.9 Punkte
Exegol is a fully configured kali light base with a few useful additional tools (~50), a few useful resources (scripts and binaries for privesc, credential theft etc.) and some configuration (oh-my-zsh, history, aliases, colourized output for some tools). I

Shhgit - Find GitHub Secrets In Real Time

vom 832.53 Punkte
Shhgit finds secrets and sensitive files across GitHub code and Gists committed in near real time by listening to the GitHub Events API.NEW: LIVE VERSION. Find GitHub secrets straight from your browser!Finding secrets in GitHub is nothing new. There are many great too

PowerSharpPack - Many usefull offensive CSharp Projects wraped into Powershell for easy usage

vom 655.38 Punkte
Many usefull offensive CSharp Projects wraped into Powershell for easy usage. Why? In my personal opinion offensive Powershell is not dead because of AMSI, Script-block-logging, Constrained Language Mode or other protection features. Any of these mechanisms can b

Some-Tools - Install And Keep Up To Date Some Pentesting Tools

vom 584.35 Punkte
Some-ToolsWhyI was looking for a way to manage and keep up to date some tools that are not include in Kali-Linux. For exemple, I was looking for an easy way to manage privilege escalation scripts. One day I saw sec-tools from eugenekolo (which you can see at the bottom of the page) and it gave me the motivation to start working on mine right away.But keep in mind that is different. I built this for people that are working with Kali. Should work on others d

PowerSharpPack - Many usefull offensive CSharp Projects wraped into Powershell for easy usage

vom 556.71 Punkte
Many usefull offensive CSharp Projects wraped into Powershell for easy usage.Why? In my personal opinion offensive Powershell is not dead because of AMSI, Script-block-logging, Constrained Language Mode or other protection features. Any of these mechanisms can

Crypton - Library Consisting Of Explanation And Implementation Of All The Existing Attacks On Various Encryption Systems, Digital Signatures, Hashing Algorithms

vom 501.11 Punkte
Crypton is an educational library to learn and practice Offensive and Defensive Cryptography. It is basically a collection of explanation and implementation of all the existing vulnerabilities and attacks on various Encryption Systems (Symmetric and Asymmetric), Digital Signatures, Message Authentication Codes and Authenticated

Git All The Payloads! A Collection Of Web Attack Payloads

vom 430.2 Punkte
Git All the Payloads! A collection of web attack payloads. Pull requests are welcome!Usagerun ./get.sh to download external payloads and unzip any payload files that are compressed.Payload Creditsfuzzdb - https://github.com/fuzzdb-project/fuzzdbSec

Lockdoor Framework - A Penetration Testing Framework With Cyber Security Resources

vom 422.52 Punkte
Lockdoor Framework : A Penetration Testing Framework With Cyber Security Resources.09/2019 : 1.0Beta Information Gathring Tools (21) Web Hacking Tools(15) Reverse Engineering Tools (15) Exploitation Tools (6) Pentesting & Security Assessment Findings Report Temp

Web Hacker's Weapons - A Collection Of Cool Tools Used By Web Hackers

vom 414.95 Punkte
A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting.WeaponsType Name DescriptionArmy-Knife/ALL BurpSuite the BurpSuite project Army-Knife/SCAN jaeles The Swiss Army knife for automated Web Application Testing Army

KITT-Lite - Python-Based Pentesting CLI Tool

vom 394.68 Punkte
The KITT Penetration Testing Framework was developed as an open source solution for pentesters and programmers alike to compile the tools they use with what they know into an open source project. With KITT, users are able to easily access a list of commonl

Docker for Pentest - Image With The More Used Tools To Create A Pentest Environment Easily And Quickly

vom 374.94 Punkte
Docker for pentest is an image with the more used tools to create an pentest environment easily and quickly.FeaturesOS, networking, developing and pentesting tools installed.Connection to HTB (Hack the Box) vpn to access HTB machines.Popular wordlists i

Team Security Diskussion über Shhgit - Find GitHub Secrets In Real Time