
[Music] ...higher performance communication resources and faster and more reliable technology...

First of all, who am I, this guy on stage? Metacortex, or you can know me as Danny, either or. Which, by the way, what the hell, hacker community, I am the only one on the program that's using a handle. Everybody else is using their real name. This is lame. Josh, come here, I have something for you real quick. Sorry. And I also have... what kind of drinking game are we playing? Whatever you want. For you, and pick some keywords. All right.

By day I am a threat analyst and by night a consultant; I do pentest work, stuff. I have a bunch of certs that are all expired, so don't care. I like to hang... oh yay, lost video. That wasn't me. Drink, maybe. There we go. All right. I like to be active a little bit in the local hacker scene, and yeah, I speak at places. Here's a whole bunch of places that I have spoken at. I am a stage [ __ ]. I like to speak at things. Boise, and then I have Thon and noon coming up here in May, so if you're going to be out in those areas, come see this again. Oh, OpenWest, that one, that one too.

All right, rules of engagement for today: be super informal. Be allowed to, or feel free to, heckle, yell, scream, whatever. I can't promise a witty comeback without some time to honestly think about it, so there's the disclaimer for that. What we're going to be talking about today: we're going to find all the stupid [ __ ] that people put on GitHub, and we're going to take it all and look at it. Oh, sorry, one more thing I forgot to put in the rules of engagement: I may swear a little bit. It's no reflection on you, it's a reflection of me. Cluck. Yeah.

So let's start this out. Let's tell a story, shall we? Everything starts with a good story involving a female. That is a female; I'm really talking about her, not him. This is an ex-girlfriend of mine that I dated during high school. Dated. No, she does not know, and it's glorious. Oh, you wait, you wait. I'm sorry about the projector fails. Anyway, you saw her up there. So we dated in high school, we broke up, not quite on speaking terms really anymore. And I need that next slide... there might be, so I won't touch it. All right.

So a couple years go by and all of a sudden, out of the blue, I get a text message from a number I don't have in my phone book. Says, "Hey, how you doing?" That's not the actual screenshot, but I had no idea who this was. So what's the first thing I do? I type it into Google, see what's there. So I start poring through Google results and really nothing on the first page, a lot of data aggregators, things like that. But I get to the second page of Google and there's something really fun at the bottom. It's right there, and if you can't see it there, I'll help you out with that. Hey look, says Jen with phone number and mailing address and neighborhood. So, yeah, her name was Jen, by the way. We'll just go back in the story and say that. So that's her.

So I decided to click on it, of course, and I get this big JSON file. When you actually expand it and look at the source, that's really what it looks like. It's much more than one line of code. So we'll blow it up a little bit, see if you can see it, and if you can't, I'll identify some things. There you go: there's somebody's email address, neighborhood they live in, actual phone number of Stephen at F..., details about apartment size (I thought that's really creepy), phone number, email address, and like on and on and on. There's tons of people in this. So I did some hardcore data analytics on all of this data. I saw a little over 1800. Hardcore, super hardcore. So this is when I say, "Oh [ __ ], I have to actually text her back." So I said, "Hey, FYI, I wasn't going to text you back, but all your personal data is out on the internet. Have fun." She sent some response, something along the lines of, "Oh, this was a file that people were using to try and pair up rooms for people that were running in the Boston Marathon when the bombs went off." All that, it's very noble, very awesome, but we're years after that. I told her, "Well, get in contact with whatever, whoever this is, get them to take it down." Bonus: it's still up if you can find it, so have fun.

Fast forward a little bit and I'm running through Twitter and I see this little tweet out there from Mark Burnett, awesome local guy who I actually just met this morning, super cool dude. And as the clicker on everything on the internet I am, I checked it out. Sure enough, they gave a little bit of details: you know, you search for wp-config on GitHub and sure [ __ ], there's a whole bunch of config files. I said no way. So I did it, and there are. So I started poring through them. You know, if you can't see that, there is a database password right there. I can't remember if this thing was actually publicly accessible, but there are plenty of those. There we go, blowed up. So everybody who wants to get live creds, there's your first one of the day.

So after discovering this I started diving into GitHub and all its search features and everything that you can do. I learned a couple things: everything you put in the search bar is logical ANDs. There's no... they strip all special characters, so you can't do things like NOT this, which kind of sucks, but still you can get a lot of cool things out of it. Much like Google dorking, you know, put in filenames, extensions, path, so if you're looking for a specific file that resides in a certain directory structure, you can find that, which in an example that I'll show you later is filename:passwd path:etc. So I started, you know, diving: what are other fun things you can find here on GitHub? Well, there's a lot of sensitive information there. The one I just recently found and had a lot of fun with is Gmail SMTP configs that people put into things like Outlook or other mail clients, and all those passwords are clear text. AWS credentials, so we'll look at them a little bit. id_rsa as the filename for some private keys, and GitHub returns 4.6 million of those. You know, etc/passwd, 1.1K. Shadow files, those are a lot of fun. And some of the more interesting ones that I like, you know, SFTP configs: actually log into their servers, because why not.

So after looking at all of this I decided, hey, wouldn't that be cool if somebody wrote a tool to take all of that? And I did, pretty much the night after I sent that tweet. I started coding furiously in Python. It took me all night because I'm not a coder, but in the morning I came up with the first working copy of gitHarvester. And what it does out of the box is you run it without any configuration whatsoever, it'll just automatically pull WordPress configs, parse them out, dump username, password and host to the screen. And then I added a whole bunch of other features. Oh, I actually have a slide for this. Added a couple other features where you can do custom GitHub searches, custom regexes on those searches, so if you're trying to look for something within that file specifically that you can't actually drill down with the GitHub search functionality. You can write the match lines to a file or you can download the whole file and drop it into a directory.

Let's go ahead and demo off a little bit of that, shall we? Does anybody have a chicken to sacrifice? So this works? No, damn it. All right, so show off basic functionality. You run it like I said, no parameters whatsoever, it's going to start grabbing a whole bunch of credentials. Oh, you can't see what I'm doing. All right, there we go, everyone see that? All right, so there's some live creds. Now, do I have any volunteers that want to try that real quick? No? Okay. So these are all MySQL, so you can log into, you hit SQL shared2 phpf frog.com on 3306 right now. No? So right now it just runs and it scrapes GitHub, so no input on it whatsoever, and what it's going to do, by default, like I said, it's going to just search WordPress config files, parse everything out and dump it to the screen. So that's kind of neat.

Now I have a couple other things. So if we wanted to check out... no, just that line... check out some RSA private keys. Let me actually walk through that command with you. -v for verbose mode, it's actually going to print out the URL of a match to the console so you can manually go there. -s is for custom search, so you're going to see filename:id_rsa. And then -r is the custom regex, so we're going to look for "BEGIN RSA PRIVATE KEY" (begin space RSA space private space key). You run that, and right now it's only going to return the first line of the match. It'll be enough to show you that we have a whole bunch of private keys on there. And if we want we can actually dump that to a directory, so I can show you that I'm not lying to you right now. We'll dump a couple. cat *. Yay, bunch of private keys. I'll go over the numbers in a little bit of how many I've actually found in the past week while prepping for this. But, September, something like that, I've done a couple of bug fixes on it and whatnot. So I actually think... no, here, let's grab this one, this one's much more interesting: shadow files. Hey, there's root hashes. Fantastic.

And then last but not least, let's check out some SFTP passwords, which in the configs of the SFTP stuff they also have a lot of publicly accessible IPs and domains. And I have verified through a friend on the anonymous internet (I have no idea who they are) they have told me that many of these credentials are currently working, one of which I was told you can get into the backend SQL database of a leather club in San Francisco. I was told; I do not know, I did not have access before the talk. And it's dying out. Fantastic. All right, whatever, let's get back to... awesome one. Am I looking for that one? Oh yeah, partially successful demo. Yay. Yeah, yeah, please.

So, yeah, so ironically I am hosting it on GitHub and it's open. So if... I love this track. So there's the URL to that, so you can go ahead. It's just a Python script with a couple of imports that you'll want to make sure that you have, things like curl and Beautiful Soup for parsing the HTML. So in the past week, to see what's currently on there, I spent hours grabbing everything that I could, and those are some of the numbers of things that I have found. You know, lots of WordPress database passwords, 92 of them; the unique were actually 366. So you'll see a lot of test environments that people are putting up there that aren't all 100% legitimate. You know, 61 public hosts with their databases exposed. I haven't yet, I was going to, and I ran out of time for this week, but they are there and I have confirmed that they are there, which is lots of fun. Which, by the way, if you can find somebody's AWS token for one of their GPU rigs: free password cracking.

So if you look at some of the actual passwords, I spent, you know, a little while parsing through all of them. You know, 197 blank passwords, which is fine if they're, you know, uploading sample configs, things like that. You know, pretty standard passwords that we've all heard hundreds of billions of times, that these are common. But there are some that actually caught my eye that I thought were really awesome passwords, you know, "true love weights fat", and my actual spirit animal, creger, was in there, along with Adolf Hitler. Noted. Then we look at some of the SFTP passwords that I found. You know, a lot of "password" as passwords, you know, again pretty standard. A lot of Raspberry Pi stuff, for, you know, Raspberry Pi images people throw up on GitHub. And here's some of the... what I can... but I don't know why there's 10 of them. It could be the same project, multiple different files uploaded. I'm actually not sure how GitHub returns that; I'd have to look into that because I haven't actually looked at any of the branch stuff. But what it does is it does the search and it takes every single item on the search and then goes through that, scrapes it, regexes it, everything like that. So these are the fun ones. I found a lot of the fun ones were SFTP passwords, a lot of long ones. Illuminati 666, yeah. Pizza. YOLO swag.

Some fun Gmail passwords. There weren't actually a whole bunch of unique or many-used Gmail passwords; there's a lot of unique ones but not many mass-used over and over and over like "password", probably. That's a testament to Gmail's password policy, I would imagine, but I don't really know. "computers in here" was probably my favorite. So, so tried hard. I assumed that they are not OSCP certified. "derp life" at one. "no one loves me", yeah. That was... where was that one? Yeah, "no one love me", so it's not "no one loves me", he's telling people "do not love me". Yes. The... which one? [Laughter] I am not surprised, you know. [Laughter] That.

So then I took a lot of the shadow files and I spent about 10 hours last night cracking all of those, and I got about 45% of them in the nine hours with a 1.5 billion word list file. You know, pretty standard, not real fun. And those are some of the fun ones. "shells" was awesome, and I just got so giddy when I saw "the only for you to see there" there. There was just something so satisfying about that. And God, the infamous God. God would not be up this late. She is up this late posting her passwords to GitHub. So, because why not, I compiled everything, uniqued it all and posted all the passwords I found on Pastebin. Yeah, I don't care. So if you want to go check those out, they're pretty cool. Last time I gave this talk it actually got taken down since then, or I haven't found it again; they actually had the Chinese characters for password, which was fantastic.

So a couple of concerns that I ran into while running all of this. You can use the GitHub API or you can just search the web interface, but either one will only give you a maximum of 1,000 results back for whatever, and there's a little support page in their forums saying they do this to keep, you know, performance... because if you're returning 4.6 million results it's going to destroy their servers pretty quickly. So, and how it's incremented is they actually have 10 results per page over 100 pages. So I was looking into it to try and figure out how I could get more results, and I noticed the sort-by button where you can sort by oldest indexed, newest indexed and best match, whatever their algorithms do. So potentially you could get 3,000 unique results back, but in practice I generally only get about 1,500 when I hit all three of those sorting options. Some other concerns is they have a little bit of rate limiting that I hit many, many, many times, and that's the little pop-up they give you. They don't do anything but, you know, time you out for a little bit, and then you can get back in the game and play. The great thing about the script itself is if you're doing any kind of custom regex on it, the regex takes just long enough for you to skirt by this, so it's actually really efficient. And if you ever start running into the issues where Python starts erroring out due to these error messages, then you know there's probably something wrong in the regex or the search that you're doing, so it's very instant feedback.

A little bit of shout out to this guy over here, who... I found his, you know, GitHub thing where he has a whole ton of dorks in there, which a lot of them I knew already, but there are some of them, like the Gmail stuff, that I did not know about, and I think there's about 30 different dorks in there for certain different things. Yes? What's a dork? So, very similar to Google dorks, so the keywords that you can use to find certain things. So if you have a moment go check that out, very much, because there's a lot of good information that's not in these slides; it's in there that you can use gitHarvester to find. What's up? So that is in the plans, to start, you know, auto-searching things so you don't have to put in your own custom searches and regexes for it. So you can go like, you know, "I want private keys", it'll just automatically do it all for you. What's up? That guy? I don't know who that is. If it was close, yeah. So I actually looked at that and that string is nowhere in the username of the email, so I have no idea what that's about. I mean, I have all the results; we can hold it up real quick. Where is my... let's see, whole bunch of stuff. Nope, not that one. Gmail creds. All right, yeah, I'm trying to get it up for you. Quick, drink, drink, please drink. All right, there. Like, I have no idea how that password relates to that account whatsoever.

So I have friends on the internet that I do not know, through the anonymous dark webs of the internet, and they have told me that a ton of these Gmail credentials do work. But Google is actually really good at noticing when you're logging in from an IP address that you haven't normally logged in from, and then they'll start forcing you to do two-step verification. But you can verify that these are correct passwords, because if it's not the correct password you never do the two-step authentication. So very quickly, you know, just trying it, even though you don't get into the email address, you can verify that they are correct. Yeah, that's a problem if you don't reuse your passwords, for sure. Yeah, there's... I did see one password that was 56 simultaneous exit. That was fun. Yeah, so if we want to like look at... path... there's, oh, there's the "noon love", there you go. "hot rtop gmail.com", yes. Again, like, if anyone wants to volunteer to try these, to let the class know whether they work or not, it would be much appreciated. I've never gotten anyone to volunteer for that. Some "Nirvana". There's a "derp life". [Laughter] Yeah, there's some pretty decent passwords in there, like, and it doesn't matter how long it is if you're going to post it in clear text. Calm down. [Laughter] I think that's actually a... that's probably a false positive, but anyway. Any questions more than what we've already been going over? Oh, you're taking pictures? Here, go for it, all day. What?

That is a great feature suggestion, but there's a lot more work that I want to do in this to kind of develop the tool a little bit more, get a lot more features, like grifter said, you know, you can straight up tell it what you want without giving it regex or custom searches, which will be fantastic. Oh, changed 16 days ago, almost. You're that close, keep trying, there's more in there. All right, yeah. I've seen a couple things. A lot of people like, because GitHub's free storage... bad developers are bad, developers are bad. I mean, I've seen full directory, like full OSes, you know, the whole file system uploaded. And I mean, I guess it's easy, you can just git pull everything to reimage a system, but either that or maybe a misconfiguration that just pulls everything up. Yeah, exactly, and if we can get user education in there somewhere... I have no idea how to do that, I just point at problems. That's a good point. That's not a bad idea. Yeah, fair. Yeah, yeah, just have it open in a different Gmail account that doesn't tie back to you at all. Yeah, that makes sense. Yes, my friends on the dark web can do that for me. That was on that? Yes, that was still her active, current phone number, and to prove to me, what was her last name? Yep. Lean just found my ex-girlfriend. Fantastic. [Laughter]

All right, without any further questions, I'm out of here. [Applause]
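As an added, defender-side example that is not part of the talk or of the gitHarvester tool: a small Python scanner that flags the secret types the talk describes (wp-config DB_PASSWORD values, PEM private key headers, /etc/shadow hash entries, clear-text SMTP/SFTP passwords in config files) so they can be caught in a pre-commit hook or a sweep of repositories you own. The file contents are constructed samples, and the pattern set and placeholder list are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Patterns for the secret types discussed in the talk. The set is an assumption
# for illustration; extend it with the dorks you actually care about.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    # wp-config.php credentials: define('DB_PASSWORD', 'value');
    "wordpress_db_password": re.compile(
        r"""define\(\s*['"]DB_PASSWORD['"]\s*,\s*['"](?P<value>[^'"]+)['"]"""),
    # PEM private key header (id_rsa and friends)
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # /etc/shadow entry with a real hash field ($id$salt$hash), not * or !
    "shadow_hash": re.compile(r"^(?P<user>[a-z_][a-z0-9_-]*):\$[0-9a-z]+\$[^:]+:", re.M),
    # SMTP/SFTP style clear-text password assignments in config or ini files
    "config_password": re.compile(
        r"(?im)^\s*(?:smtp_?pass(?:word)?|sftp_?pass(?:word)?|password)\s*[=:]\s*(?P<value>\S+)"),
}

# Values that are noise rather than leaks (compare the 197 blank passwords in the talk)
PLACEHOLDERS = {"", "changeme", "your_password_here"}

def scan_text(path: str, text: str) -> List[Tuple[str, str, int]]:
    """Return (path, finding_type, line_number) for each suspicious match in text."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.groupdict().get("value")
            if value is not None and value.strip().lower() in PLACEHOLDERS:
                continue
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((path, name, line_no))
    return findings

def scan_files(files: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Scan a mapping of path -> contents, e.g. the files staged for a commit."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out

# Constructed sample repository contents; none of these are real credentials.
SAMPLE_FILES = {
    "wp-config.php": "<?php\ndefine('DB_NAME', 'blog');\ndefine('DB_PASSWORD', 'hunter2');\n",
    "wp-config-sample.php": "<?php\ndefine('DB_PASSWORD', 'your_password_here');\n",
    ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIBogIBAAJBAK...\n-----END RSA PRIVATE KEY-----\n",
    "etc/shadow": "root:$6$saltsalt$abcdefghijklmnop:17000:0:99999:7:::\ndaemon:*:17000:0:99999:7:::\n",
    "mail.ini": "[smtp]\nserver = smtp.gmail.com\nsmtp_password = NotARealOne1\n",
}

if __name__ == "__main__":
    for path, kind, line in scan_files(SAMPLE_FILES):
        print(f"{path}:{line}: {kind}")
```

The sample template file and the locked daemon account are deliberately left unflagged, which is the filtering a pre-commit check needs to stay usable.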