SHARE
Github Dorks :  Collection of Github Dorks & Helper Tool

Github search is quite powerful and useful feature and can be used to search sensitive data on the repositories. Collection of github dorks that can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc.

This list is supposed to be useful for assessing security and performing pen-testing of systems.

github-dork.py is a simple python tool that can search through your repository or your organization/user repositories. Its not a perfect tool at the moment but provides a basic functionality to automate the search on your repositories against the dorks specified in text file.

Installation

This tool uses github3.py to talk with GitHub Search API.

Clone this repository and run:

pip install -r requirements.txt

Also Read – Trivy : Simple & Comprehensive Vulnerability Scanner

Usage

GH_USER – Environment variable to specify github user
GH_PWD – Environment variable to specify password
GH_TOKEN – Environment variable to specify github token
GH_URL – Environment variable to specify GitHub Enterprise base URL

Some example usages are listed below:

python github-dork.py -r techgaun/github-dorks
# search single repo

python github-dork.py -u techgaun
# search all repos of user

python github-dork.py -u dev-nepal
# search all repos of an organization

GH_USER=techgaun GH_PWD=<mypass> python github-dork.py -u dev-nepal
# search as authenticated user

GH_TOKEN=<github_token> python github-dork.py -u dev-nepal
# search using auth token

GH_URL=https://github.example.com python github-dork.py -u dev-nepal
# search a GitHub Enterprise instance

Limitations

  • Authenticated requests get a higher rate limit. But, since this tool waits for the api rate limit to be reset (which is usually less than a minute), it can be slightly slow.
  • Output formatting is not great. PR welcome
  • Handle rate limit and retry. PR welcome

List of Dorks

I am not categorizing at the moment. Instead I am going to just the list of dorks with a description. Many of the dorks can be modified to make the search more specific or generic. You can see more options here.

DorkDescription
filename:.npmrc _authnpm registry authentication data
filename:.dockercfg authdocker registry authentication data
extension:pem privateprivate keys
extension:ppk privateputtygen private keys
filename:id_rsa or filename:id_dsaprivate ssh keys
extension:sql mysql dumpmysql dump
extension:sql mysql dump passwordmysql dump look for password; you can try varieties
filename:credentials aws_access_key_idmight return false negatives with dummy values
filename:.s3cfgmight return false negatives with dummy values
filename:wp-config.phpwordpress config files
filename:.htpasswdhtpasswd files
filename:.env DB_USERNAME NOT homesteadlaravel .env (CI, various ruby based frameworks too)
filename:.env MAIL_HOST=smtp.gmail.comgmail smtp configuration (try different smtp services too)
filename:.git-credentialsgit credentials store, add NOT username for more valid results
PT_TOKEN language:bashpivotaltracker tokens
filename:.bashrc passwordsearch for passwords, etc. in .bashrc (try with .bash_profile too)
filename:.bashrc mailchimpvariation of above (try more variations)
filename:.bash_profile awsaws access and secret keys
rds.amazonaws.com passwordAmazon RDS possible credentials
extension:json api.forecast.iotry variations, find api keys/secrets
extension:json mongolab.commongolab credentials in json configs
extension:yaml mongolab.commongolab credentials in yaml configs (try with yml)
jsforce extension:js conn.loginpossible salesforce credentials in nodejs projects
SF_USERNAME salesforcepossible salesforce credentials
filename:.tugboat NOT _tugboatDigital Ocean tugboat config
HEROKU_API_KEY language:shellHeroku api keys
HEROKU_API_KEY language:jsonHeroku api keys in json files
filename:.netrc passwordnetrc that possibly holds sensitive credentials
filename:_netrc passwordnetrc that possibly holds sensitive credentials
filename:hub oauth_tokenhub config that stores github tokens
filename:robomongo.jsonmongodb credentials file used by robomongo
filename:filezilla.xml Passfilezilla config file with possible user/pass to ftp
filename:recentservers.xml Passfilezilla config file with possible user/pass to ftp
filename:config.json authsdocker registry authentication data
filename:idea14.keyIntelliJ Idea 14 key, try variations for other versions
filename:config irc_passpossible IRC config
filename:connections.xmlpossible db connections configuration, try variations to be specific
filename:express.conf path:.openshiftopenshift config, only email and server thou
filename:.pgpassPostgreSQL file which can contain passwords
filename:proftpdpasswdUsernames and passwords of proftpd created by cpanel
filename:ventrilo_srv.iniVentrilo configuration
[WFClient] Password= extension:icaWinFrame-Client infos needed by users to connect toCitrix Application Servers
filename:server.cfg rcon passwordCounter Strike RCON Passwords
JEKYLL_GITHUB_TOKENGithub tokens used for jekyll
filename:.bash_historyBash history file
filename:.cshrcRC file for csh shell
filename:.historyhistory file (often used by many tools)
filename:.sh_historykorn shell history
filename:sshd_configOpenSSH server config
filename:dhcpd.confDHCP service config
filename:prod.exs NOT prod.secret.exsPhoenix prod configuration file
filename:prod.secret.exsPhoenix prod secret
filename:configuration.php JConfig passwordJoomla configuration file
filename:config.php dbpasswdPHP application database password (e.g., phpBB forum software)
path:sites databases passwordDrupal website database credentials
shodan_api_key language:pythonShodan API keys (try other languages too)
filename:shadow path:etcContains encrypted passwords and account information of new unix systems
filename:passwd path:etcContains user account information including encrypted passwords of traditional unix systems
extension:avastlic “support.avast.com”Contains license keys for Avast! Antivirus
filename:dbeaver-data-sources.xmlDBeaver config containing MySQL Credentials
filename:.esmtprc passwordesmtp configuration
extension:json googleusercontent client_secretOAuth credentials for accessing Google APIs
HOMEBREW_GITHUB_API_TOKEN language:shellGithub token usually set by homebrew users
xoxp OR xoxbSlack bot and private tokens
.mlab.com passwordMLAB Hosted MongoDB Credentials
filename:logins.jsonFirefox saved password collection (key3.db usually in same repo)
filename:CCCam.cfgCCCam Server config file
msg nickserv identify filename:configPossible IRC login passwords
filename:settings.py SECRET_KEYDjango secret keys (usually allows for session hijacking, RCE, etc)
filename:secrets.yml passwordUsernames/passwords, Rails applications
filename:master.key path:configRails master key (used for decrypting credentials.yml.enc for Rails 5.2+)
filename:deployment-config.jsonCreated by sftp-deployment for Atom, contains server details and credentials
filename:.ftpconfigCreated by remote-ssh for Atom, contains SFTP/SSH server details and credentials
filename:.remote-sync.jsonCreated by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials
filename:sftp.json path:.vscodeCreated by vscode-sftp for VSCode, contains SFTP/SSH server details and credentails
filename:sftp-config.jsonCreated by SFTP for Sublime Text, contains FTP/FTPS or SFTP/SSH server details and credentials
filename:WebServers.xmlCreated by Jetbrains IDEs, contains webserver credentials with encoded passwords (not encrypted!)