Network Services Pentesting
Support HackTricks and get benefits!
To dump a .git folder from a URL use https://github.com/arthaud/git-dumperโ€‹
Use https://www.gitkraken.com/ to inspect the content
If a .git directory is found in a web application you can download all the content using wget -r http://web.com/.git. Then, you can see the changes made by using git diff.
The tools: Git-Money, DVCS-Pillage and GitTools can be used to retrieve the content of a git directory.
The tool https://github.com/cve-search/git-vuln-finder can be used to search for CVEs and security vulnerability messages inside commits messages.
The tool https://github.com/michenriksen/gitrob search for sensitive data in the repositories of an organisations and its employees.
โ€‹Repo security scanner is a command line-based tool that was written with a single goal: to help you discover GitHub secrets that developers accidentally made by pushing sensitive data. And like the others, it will help you find passwords, private keys, usernames, tokens and more.
โ€‹TruffleHog searches through GitHub repositories and digs through the commit history and branches, looking for accidentally committed secrets
Here you can find an study about github dorks: https://securitytrails.com/blog/github-dorksโ€‹
Support HackTricks and get benefits!
Copy link