gitGraber is a tool developed in Python3 to monitor GitHub and search for sensitive data belonging to different online services such as: Google, Amazon, Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe…
Such leaks don’t come only from the organizations themselves, but also from service providers and employees, who don’t necessarily have a “profile” indicating that they work for a particular organization.
The regexes are meant to be as precise as possible. Sometimes you may still get false positives; feel free to contribute to improve the recon and add new regexes for pattern detection.
We want to reduce false positives rather than send a notification for every “common” API key that gitGraber might find but that is irrelevant to the hunter.
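To make the regex and false-positive discussion concrete, here is an added example (not gitGraber's own code) of how pattern detection with placeholder filtering can work; the patterns, the placeholder markers and the sample file content are assumptions constructed for this illustration, and the report step also sketches the "combo check" idea for services like Twilio that need two tokens.

```python
import re

# Illustrative patterns for this example (assumptions; not gitGraber's own
# tokens.py rules). Constructed to show the idea, not to be exhaustive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "twilio_auth_token": re.compile(r"\b[0-9a-f]{32}\b"),
}

# Markers showing that a matched value is a documentation placeholder rather
# than a live credential; dropping them removes one class of false positives.
PLACEHOLDER_MARKERS = ("EXAMPLE", "XXXX", "YOURTOKEN")

def is_placeholder(value):
    return any(marker in value.upper() for marker in PLACEHOLDER_MARKERS)

def scan(text):
    """Return {pattern_name: [values]} for every match that is not a placeholder."""
    hits = {}
    for name, rx in PATTERNS.items():
        values = [v for v in rx.findall(text) if not is_placeholder(v)]
        if values:
            hits[name] = values
    return hits

def report(text):
    """Findings worth a notification: single-token services as-is; Twilio
    pieces only when SID and auth token occur together ("combo check"),
    since a lone 32-hex string is very often just an MD5 hash."""
    hits = scan(text)
    twilio_pair = bool(hits.get("twilio_account_sid")) and bool(hits.get("twilio_auth_token"))
    findings = []
    for name, values in hits.items():
        if name.startswith("twilio_") and not twilio_pair:
            continue
        findings.extend((name, v) for v in values)
    return findings

# Constructed sample file content; none of these values are real credentials.
SAMPLE = '''
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
SLACK_WEBHOOKURL = 'https://hooks.slack.com/services/TXXXX/BXXXX/XXXXXXX'
TWILIO_ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef"
TWILIO_AUTH_TOKEN = "fedcba9876543210fedcba9876543210"
'''
```

Calling report(SAMPLE) yields three findings: the second AWS key and the Twilio pair; the EXAMPLE key and the XXXX webhook are dropped as placeholders.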
How to use gitGraber?
usage: gitGraber.py [-h] [-k KEYWORDSFILE] [-q QUERY] [-s] [-w WORDLIST]
optional arguments:
  -h, --help            show this help message and exit
  -k KEYWORDSFILE, --keyword KEYWORDSFILE
                        Specify a keywords file (-k keywordsfile.txt)
  -q QUERY, --query QUERY
                        Specify your query (-q "apikey")
  -s, --slack           Enable Slack notifications
  -w WORDLIST, --wordlist WORDLIST
                        Create a wordlist that fills dynamically with
                        discovered filenames on GitHub
gitGraber needs some dependencies; to install them in your environment:
pip3 install -r requirements.txt
Before starting gitGraber you need to modify the configuration file:
- Add your own GitHub tokens:
GITHUB_TOKENS = ['yourToken1Here','yourToken2Here']
- Add your own Slack webhook URL:
SLACK_WEBHOOKURL = 'https://hooks.slack.com/services/TXXXX/BXXXX/XXXXXXX'
To start and use gitGraber:
python3 gitGraber.py -k wordlists/keywords.txt -q "uber" -s
We recommend creating a cron job that executes the script regularly:
*/10 * * * * cd /BugBounty/gitGraber/ && /usr/bin/python3 gitGraber.py -k wordlists/keywords.txt -q "uber" -s >/dev/null 2>&1
Wordlists & Sources
Some were created by us and others are inspired by other repos/researchers:
- Link:
- Link:
- Add more regexes & patterns
- Add a “combo check” module (for services like Twilio that require two tokens)
- Add multithreading
- Add bearer token detection
- Change token cleaning output
- Add user and org name display in notifications
This project is made for educational and ethical purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for any misuse or damage caused by this tool.