Skip to content
/ gitGraber Public

gitGraber is a tool developed in Python3 to monitor GitHub to search and find sensitive data for different online services such as: Google, Amazon, Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe...

2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rmarot/gitGraber

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
wordlists
wordlists
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
config.py
config.py
 
 
gitGraber.py
gitGraber.py
 
 
rawGitUrls.txt
rawGitUrls.txt
 
 
requirements.txt
requirements.txt
 
 
tokens.py
tokens.py
 
 

Repository files navigation

About gitGraber

gitGraber is a tool developed in Python3 to monitor GitHub to search and find sensitive data for different online services such as: Google, Amazon, Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe...

demo

How it work ?

It's important to understand that gitGraber is not designed to check history of repositoriy, many tools can already doing this great. gitGraber was developed to monitor and to parse last indexed files on GitHub. If gitGraber find something interesting, you will receive a notification on your Slack channel. You can also use it to have results directly on the command line.

Regex are supposed to be the more precise than possible. Sometimes, maybe you will have false-positive, feel free to contribute to improve recon and add new regex for pattern detection.

We prefer to reduce false positive instead to send notification for every "standard" API key which could found by gitGraber but irrelevant for hunter.

How to use gitGraber ?

usage: gitGraber.py [-h] [-k KEYWORDSFILE] [-q QUERY] [-s] [-w WORDLIST]

optional arguments:
  -h, --help       show this help message and exit
  -k KEYWORDSFILE  Specify a keywords file (-k keywordsfile.txt)
  -q QUERY         Specify your query (-q "apikey")
  -s, --slack      Enable slack notifications
  -w WORDLIST      Create a wordlist that fills dynamically with discovered filenames on GitHub

Dependencies

gitGraber needs some dependencies, to install them on your environment:

pip3 install -r requirements.txt

Configuration

Before to start gitGraber you need to modify the configuration file config.py :

  • Add your own Github tokens : GITHUB_TOKENS = ['yourToken1Here','yourToken2Here']
  • Add your own Slack Webhook : SLACK_WEBHOOKURL = 'https://hooks.slack.com/services/TXXXX/BXXXX/XXXXXXX'

How to create Slack Webhook URL

To start and use gitGraber : python3 gitGraber.py -k wordlists/keywords.txt -q "uber" -s

We recommend creating a cron that will execute the script regulary:

*/10 * * * * cd /BugBounty/gitGraber/ && /usr/bin/python3 gitGraber.py -k wordlists/keywords.txt -q "uber" -s >/dev/null 2>&1

Wordlists & Resources

Some wordlists have been created by us and some others are inspired from other repo/researcher

TODO

  • Add more regex & patterns
  • Add multi threads
  • Add modules to verify the validity of API key
  • Add bearer token detections
  • Change token cleaning output
  • Add user and org names display in notifications

Authors

Disclaimer

This project is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for any misuse or damage caused by this tool.

About

gitGraber is a tool developed in Python3 to monitor GitHub to search and find sensitive data for different online services such as: Google, Amazon, Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe...

Resources

Readme
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages