This edition of the Tricky Thursday will bring you a set of resources, OSINT tricks and benign hacks for researching all things on Github – from repositories, users, organisations… to some secrets!
Let’s roll with it.
Github account search
Github uses a simple, predictable and enumeration-friendly naming convention format for user and organisation accounts:
Further, this can be very helpful when iterating through users who belong to a specific organisation – simply replace the $company part below with the name of your organisation of interest:
Contributors to a given public project can be viewed by iterating the $company and $project values in a URL, for example:
Obviously, not all Github accounts are made equal. For searching Github accounts, organisations and repositories based on their star rating, you can use Gitstar Ranking.
The most active users in a specific geographical location can also be found by using Commits Top – it lists the most active GitHub users in different countries.
Browser extensions / add-ons
There are a number of browser extensions and add-ons that can be installed to make the Github OSINT experience smoother and more effective. I’m going to list some I personally tested and found useful.
- Aspose GitHub DocViewer – for viewing various document files within Github.
- EmailOnGitHub – allows you to discover an email associated with a user’s Github profile.
- GitHub Downloader – allows you to download single files from Github repos.
- Github Email Hunter – for locating email addresses associated with users and repos.
- GitHub Highlight Selected – highlights the selected word in the Github source view, like Sublime Text. Good for keyword searches – as a visual aid.
- GitHub Isometric Contributions – enables an isometric pixel view of Github contribution graphs. Useful for high-level visualisation of activity.
- OctoLinker – for navigating repositories and linking relative files.
Various Github OSINT tips and tricks
These are mainly concentrated around one of my favourite OSINT techniques – URL manipulation.
- To view an enlarged profile image, add .png behind the username in the URL.
- Likewise, public SSH / GPG keys can be displayed by adding .keys or .gpg behind the username.
- You can find the email addresses of users linked to the commits in a public pull request. To view them, add .patch to the URL string of an individual pull request. Example: https://github.com/bitcoin/bitcoin/pull/25306
- Email addresses can also be found within the public Github Events API. More detailed instructions on how to leverage this resource for automation can be found in the Github Docs.
- You can search for blocks of code on Github using an external web based tool – Searchcode.
Octosuite is described by its creators as “an open-source lightweight yet advanced osint framework that targets GitHub users and organizations”.
It can be used to identify various metadata for a Github profile, like the created / updated date, follower count, links and so on.
It has several useful features, including the command line based search option for repos, issues, topics and commits.
Gitrecon is a dedicated Github OSINT Python tool for user accounts, with some basic and some advanced features.
Its additional utility is the detection of email addresses that were unintentionally leaked while making public commits.
And it can bring back the public SSH-RSA keys, if there are any associated with an account.
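The .patch tip and Gitrecon's leaked-email detection above both rely on the identity fields git embeds in every commit. As an added example (not from the original post or from any of the tools mentioned), this Python script audits a patch from your own repository for addresses that are not GitHub noreply addresses; the sample patch, names and addresses are constructed.

```python
import re
from email.utils import parseaddr

# GitHub privacy addresses: "user@users.noreply.github.com" or
# "12345+user@users.noreply.github.com".
NOREPLY = re.compile(r"^(\d+\+)?[a-z0-9-]+@users\.noreply\.github\.com$", re.I)
# Header and trailer fields in format-patch output that carry an identity.
IDENTITY = re.compile(r"^(From|Signed-off-by|Co-authored-by):\s*(.+)$", re.I)

# Constructed sample in the mbox layout of a pull request's .patch view.
SAMPLE_PATCH = """\
From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001
From: Alice Example <alice@corp.example>
Date: Thu, 9 Jun 2022 10:00:00 +0000
Subject: [PATCH 1/2] Add parser

Signed-off-by: Alice Example <alice@corp.example>
Co-authored-by: Bob <bob.private@mail.example>
---
 parser.py | 1 +

From 2222222222222222222222222222222222222222 Mon Sep 17 00:00:00 2001
From: carol <4242+carol@users.noreply.github.com>
Date: Thu, 9 Jun 2022 11:00:00 +0000
Subject: [PATCH 2/2] Fix typo

---
 README.md | 1 +
"""


def exposed_addresses(patch_text):
    """Map each non-noreply address to the fields it appeared in."""
    found = {}
    for line in patch_text.splitlines():
        match = IDENTITY.match(line)
        if not match:
            continue  # the "From <sha> ..." separator has no colon, so it is skipped
        _, addr = parseaddr(match.group(2))
        addr = addr.lower()
        if "@" not in addr or NOREPLY.match(addr):
            continue  # unparsable value, or already a privacy address
        found.setdefault(addr, set()).add(match.group(1).lower())
    return {addr: sorted(fields) for addr, fields in found.items()}


if __name__ == "__main__":
    for addr, fields in sorted(exposed_addresses(SAMPLE_PATCH).items()):
        print(f"{addr}: {', '.join(fields)}")
```

Enabling "Keep my email addresses private" in your GitHub email settings and committing with the noreply address keeps future commits out of this report.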
TruffleHog is a more targeted OSINT tool – you won’t be using it for looking up users or organisations. Instead, TruffleHog can scan Github repos for unintentionally disclosed information.
The usage is straightforward – after installation, simply point TruffleHog at the target repository. Note that the repo must be publicly available for this to work.
For using some more advanced arguments, visit the help page.
There are a lot of other tools for searching Github that I haven’t tried or tested, but might get to them in the unspecified future. While I am not sure of how useful they are, I decided to include them here based on third party recommendations I have received in the past (nonetheless, caveat emptor).
- Detect Secrets: https://github.com/Yelp/detect-secrets
- Git Hound: https://github.com/ezekg/git-hound
- Git Secrets: https://github.com/awslabs/git-secrets
- Gittyleaks: https://github.com/kootenpv/gittyleaks
- Repo Supervisor: https://github.com/auth0/repo-supervisor
- Secret Bridge: https://github.com/duo-labs/secret-bridge
- Workflow Telemetry: https://github.com/thundra-io/workflow-telemetry-action
- Zen: https://github.com/s0md3v/Zen