Token-Hunter - Collect OSINT For GitLab Groups And Members And Search The Group And Group Members' Snippets, Issues, And Issue Discussions For Sensitive Data That May Be Included In These Assets
2021-01-18 20:30:00 Author: www.blogger.com (view original) Views: 110

<p>Collect OSINT for <a href="https://docs.gitlab.com/ee/user/group/" rel="nofollow" target="_blank" title="GitLab groups">GitLab groups</a> and <a href="https://docs.gitlab.com/ee/user/project/members/#share-project-with-group" rel="nofollow" target="_blank" title="members">members</a> and search the group and group members' <a href="https://docs.gitlab.com/ee/user/snippets.html" rel="nofollow" target="_blank" title="snippets">snippets</a>, <a href="https://docs.gitlab.com/ee/user/project/issues/" rel="nofollow" target="_blank" title="issues">issues</a>, and <a href="https://docs.gitlab.com/ee/api/discussions.html#discussions-api" rel="nofollow" target="_blank" title="issue discussions">issue discussions</a> for sensitive data that may be included in these assets. 
The information gathered is intended to complement and inform the use of additional tools such as <a href="https://github.com/dxa4481/truffleHog" rel="nofollow" target="_blank" title="TruffleHog">TruffleHog</a> or <a href="https://github.com/michenriksen/gitrob" rel="nofollow" target="_blank" title="GitRob">GitRob</a>, which search git commit history using a similar technique of regular expression matching.</p><div><br /></div><span style="font-size: large;"><b>How the tool works</b></span><br /> <p>Start by providing a group ID for a specific group on GitLab. You can find the group ID underneath the group name in the GitLab UI. Token-Hunter uses the GitLab group ID to find all associated projects for that group and, optionally, the group members' personal projects. Configure the tool to look for sensitive data in assets related to the projects it finds. Token-Hunter uses the <a href="https://github.com/dxa4481/truffleHogRegexes" rel="nofollow" target="_blank" title="same set of regular expressions">same set of regular expressions</a> as TruffleHog, with a few additions for GitLab-specific tokens. Token-Hunter depends on these <a href="https://gitlab.com/gitlab-com/gl-security/gl-redteam/token-hunter/blob/master/regexes.json" rel="nofollow" target="_blank" title="easily configurable regular expressions">easily configurable regular expressions</a> for accuracy and effectiveness. Currently, the tool supports GitLab snippets, issues, and issue discussions, with plans for future expansion to other assets. 
The tool is intended to be very configurable to allow for efficient discovery of sensitive data in the assets you're specifically interested in.</p> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <p>Before running the tool, you will need to <a href="https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html" rel="nofollow" target="_blank" title="generate a GitLab Personal Access Token">generate a GitLab Personal Access Token</a> (PAT) and export it as an environment variable. This can be done as shown below (please select <code>api</code> in the <code>scopes</code> section):</p> <pre><code>export GITLAB_API_TOKEN=xxxxx<br /></code></pre> <p>Next, clone the repository and install dependencies with:</p> <pre><code>git clone https://gitlab.com/gitlab-com/gl-security/gl-redteam/token-hunter.git<br />pip3 install -r ./requirements.txt<br /></code></pre> <p>Then, you can run the tool and specify your options as follows:</p> <pre><code>usage: token-hunter.py [-h] -g GROUP [-u URL] [-m] [-s] [-i] [-r] [-t]<br /> [-p PROXY] [-c CERT] [-l LOGFILE]<br /><br />Collect OSINT for GitLab groups and members. Optionally search the group and<br />group members snippets, project issues, and issue discussions/comments for<br />sensitive data.<br /><br />optional arguments:<br /> -h, --help show this help message and exit<br /> -u URL, --url URL An optional argument to specify the base URL of your<br /> GitLab instance. 
If the argument is not supplied, its<br /> defaulted to 'https://gitlab.com'<br /> -m, --members Include group members personal projects and their<br /> related assets in the searchfor sensitive data.<br /> -s, --snippets Searches found projects for GitLab Snippets with<br /> sensitive data.<br /> -i, --issues Searches found projects for GitLab Issues and<br /> discussions/comments with sensitive data.<br /> -r, --mergerequests Searches found projects for GitLab Merge Requests and<br /> discussions/comments with sensitive data.<br /> -t, --timestamp Disables display of start/finish times and originating<br /> IP to the output<br /> -p PROXY, --proxy PROXY<br /> Proxies all requests using the provided URI matching<br /> the scheme: http(s)://user:[email protected]:8000<br /> -c CERT, --cert CERT Used in tandem with -p (--proxy), this switch provides<br /> a fully qualified path to a certificate to verify TLS<br /> connections. Provide a fully qualified path to the<br /> dynamic cert. Example:<br /> /Users/&lt;username&gt;/owasp_zap_root_ca.cer.<br /> -l LOGFILE, --logfile LOGFILE<br /> Will APPEND all output to specified file.<br /><br />required arguments:<br /> -g GROUP, --group GROUP<br /> ID or HTML encoded name of a GitLab group. This<br /> option, by itself, will display group projects and<br /> member names only.<br /></code></pre> <br /><span style="font-size: large;"><b>Usage Examples</b></span><br /> <p><code>./token-hunter.py -g 123456</code></p> <p>The simplest use case is to return all the project URLs associated with a group by providing the group ID with the <code>-g</code> switch. You can find the group ID underneath the group name in the GitLab UI. No token searches are performed with this configuration.</p> <p><code>./token-hunter.py -g 123456 -m</code></p> <p>Finds all projects for group 123456 as well as all of the personal projects for the group members. 
No token searches are performed with this configuration.</p> <p><code>./token-hunter.py -g 123456 -ms</code></p> <p>Finds all projects for group 123456 as well as all of the personal projects for the group members. The <code>-s</code> switch tells Token-Hunter to search GitLab snippets associated with each found project for sensitive data.</p> <p><code>./token-hunter.py -g 123456 -msir</code></p> <p>Finds all projects for group 123456 as well as all of the personal projects for the group members. The <code>-s</code> switch tells Token-Hunter to search GitLab snippets associated with each found project for sensitive data. The <code>-i</code> switch tells Token-Hunter to also search issues and discussions for each of the found projects for sensitive data. The <code>-r</code> switch tells Token-Hunter to also search merge requests and merge request discussions for each of the found projects. <strong>CAUTION:</strong> This configuration has the potential to pull a lot of data!</p> <p><code>./token-hunter.py -g 123456 -msit -u https://mygitlab-instance.com -p http://127.0.0.1:8080 -c /Users/hacker/owasp_zap_ca_cert.cer -l ./appended-output.txt</code></p> <p>Performs the same asset searches as the previous example against a self-hosted installation of GitLab running at <code>https://mygitlab-instance.com</code>. Requests and responses that the tool generates are proxied through <code>http://127.0.0.1:8080</code>, using the certificate at the fully qualified path <code>/Users/hacker/owasp_zap_ca_cert.cer</code> to verify the proxy-terminated TLS connections so the traffic can be inspected. Timestamps and origin IP are excluded from the output with the <code>-t</code> switch. Output is <em>APPENDED</em> to the <code>./appended-output.txt</code> file with the <code>-l</code> switch.</p> <br /><span style="font-size: large;"><b>Contributing</b></span><br /> <p>Contributions are welcome from the community. You can find and add to the issue list, submit merge requests, and add to the existing discussions. 
Token-Hunter is written in Python 3. To make a code contribution:</p> <ol> <li><a href="https://realpython.com/installing-python/" rel="nofollow" target="_blank" title="Install python version 3">Install Python version 3</a></li> <li>Install pip version 3 to manage dependencies using the guide above.</li> <li>Clone the repository</li> <li>In the root directory, install dependencies with <code>pip3 install -r ./requirements.txt</code></li> <li><a href="https://docs.gitlab.com/ee/gitlab-basics/create-branch.html" rel="nofollow" target="_blank" title="Create a branch">Create a branch</a> for the changes you'd like to make.</li> <li>Modify or add test coverage in the existing <code>./test_*</code> files, adding new files as needed.</li> <li>Execute tests, written in <a href="http://doc.pytest.org/" rel="nofollow" target="_blank" title="pytest">pytest</a>, with <code>pytest -v</code> to make sure they pass.</li> <li>Create a merge request for your changes and tag <code>@gitlab-red-team</code> to review and merge it.</li> <li>Repeat!</li> </ol> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/codeEmitter/token-hunter" rel="nofollow" target="_blank" title="Download Token-Hunter">Download Token-Hunter</a></span></b></div>Zion3R
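The regex-matching core that the "How the tool works" section describes, as an added Python example that is not Token-Hunter's own code: a regexes.json-style table (name to pattern) is run over constructed sample snippets and issue notes, and each hit is redacted before it is reported, because output appended with <code>-l</code> would otherwise store the live secret on disk. The "Example Runner Token" pattern is an assumed placeholder standing in for the GitLab-specific additions, not one of the project's patterns.

```python
"""Regex scan of GitLab assets in the style Token-Hunter describes (added example)."""
import re
from typing import Dict, List

# Constructed regexes.json-style table (name -> pattern). The first two follow the
# well-known TruffleHog patterns; "Example Runner Token" is an ASSUMED placeholder
# showing where GitLab-specific additions go, not a pattern from the project.
REGEXES: Dict[str, str] = {
    "AWS API Key": r"AKIA[0-9A-Z]{16}",
    "Slack Token": r"xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}",
    "Example Runner Token": r"runner-token-[0-9a-f]{20}",
}

# Constructed sample assets, shaped like what the snippet / issue-note lookups return.
SAMPLE_ASSETS = [
    {"type": "snippet", "project": "acme/infra", "url": "https://gitlab.example/snip/1",
     "content": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nexport REGION=us-east-1\n"},
    {"type": "issue_note", "project": "acme/app", "url": "https://gitlab.example/issues/7#n3",
     "content": "deploy fails\nrunner-token-0123456789abcdef0123 is what I used\n"},
    {"type": "snippet", "project": "acme/docs", "url": "https://gitlab.example/snip/2",
     "content": "nothing secret here, just a README draft\n"},
]


def redact(value: str) -> str:
    """Mask the middle of a match so findings (and the -l log file) never hold the live secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_asset(asset: dict, regexes: Dict[str, str] = REGEXES) -> List[dict]:
    """Run every pattern over one asset's text and return one finding per match."""
    findings = []
    for name, pattern in regexes.items():
        for m in re.finditer(pattern, asset["content"]):
            findings.append({
                "project": asset["project"], "type": asset["type"], "url": asset["url"],
                "regex": name, "match": redact(m.group(0)),
                # 1-based line number of the hit, for triage without reprinting the asset
                "line": asset["content"].count("\n", 0, m.start()) + 1,
            })
    return findings


def scan_assets(assets: List[dict], regexes: Dict[str, str] = REGEXES) -> List[dict]:
    """Scan a batch of assets (as -s / -i would collect them) and flatten the findings."""
    return [f for asset in assets for f in scan_asset(asset, regexes)]


if __name__ == "__main__":
    for f in scan_assets(SAMPLE_ASSETS):
        print(f"[{f['regex']}] {f['type']} {f['project']} line {f['line']}: {f['match']} ({f['url']})")
```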

Article source: http://www.blogger.com/feeds/8317222231133660547/posts/default/7822299295723551865
For infringement concerns, contact: admin#unsafe.sh