Merge pull request #1493 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_external-recon-methodology_github-leaked-secrets_20251016_082732

carlospolop · web-flow · commit 80341ec175fe · 2025-10-16T11:11:18.000+02:00
Research Update Enhanced src/generic-methodologies-and-resou...
diff --git a/src/binary-exploitation/ios-exploiting/README.md b/src/binary-exploitation/ios-exploiting/README.md
@@ -1148,7 +1148,7 @@ These are the defenses built into modern userland xzone:
 ---
 
 If you like, I can also generate a cheat-sheet or diagram of xzone internals for your book. Do you want me to do that next?
-::contentReference[oaicite:20]{index=20}
+::contentReference[oai:20]{index=20}
 
 
 ---
diff --git a/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md b/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md
@@ -12,14 +12,73 @@
 - [https://github.com/JaimePolop/RExpository](https://github.com/JaimePolop/RExpository)
 - [https://github.com/Yelp/detect-secrets](https://github.com/Yelp/detect-secrets)
 - [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber)
-- [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)
+- https://github.com/eth0izzle/shhgit (unmaintained)
 - [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks)
-- [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob)
-- [https://github.com/anshumanbh/git-all-secrets](https://github.com/anshumanbh/git-all-secrets)
+- https://github.com/michenriksen/gitrob (archived)
+- https://github.com/anshumanbh/git-all-secrets (archived)
 - [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
 - [https://github.com/kootenpv/gittyleaks](https://github.com/kootenpv/gittyleaks)
 - [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker)
 
+> Notes
+> - TruffleHog v3 can verify many credentials live and scan GitHub orgs, issues/PRs, gists, and wikis. Example: `trufflehog github --org <ORG> --results=verified`.
+> - Gitleaks v8 supports scanning git history, directories and archives: `gitleaks detect -v --source .` or `gitleaks detect --source <repo> --log-opts="--all"`.
+> - Nosey Parker focuses on high-throughput scanning with curated rules and has an Explorer UI for triage. Example: `noseyparker scan --datastore np.db <path|repo>` then `noseyparker report --datastore np.db`.
+> - ggshield (GitGuardian CLI) provides pre-commit/CI hooks and Docker image scanning: `ggshield secret scan repo <path-or-url>`.
+
+### Where secrets commonly leak in GitHub
+
+- Repository files in default and non-default branches (search `repo:owner/name@branch` in the UI).
+- Full git history and other branches/tags (clone and scan with gitleaks/trufflehog; GitHub search focuses on indexed content).
+- Issues, pull requests, comments, and descriptions (TruffleHog GitHub source supports these via flags like `--issue-comments`, `--pr-comments`).
+- Actions logs and artifacts of public repositories (masking is best-effort; review logs/artifacts if visible).
+- Wikis and release assets.
+- Gists (search with tooling or the UI; some tools can include gists).
+
+> Gotchas
+> - GitHub’s REST code search API is legacy and does not support regex; prefer the Web UI for regex searches. The gh CLI uses the legacy API.
+> - Only files below a certain size are indexed for search. To be thorough, clone and scan locally with a secrets scanner.
+
+### Programmatic org-wide scanning
+
+- TruffleHog (GitHub source):
+```bash
+export GITHUB_TOKEN=<token>
+trufflehog github --org Target --results=verified \
+  --include-wikis --issue-comments --pr-comments --gist-comments
+```
+- Gitleaks over all org repos (clone shallow and scan):
+```bash
+gh repo list Target --limit 1000 --json nameWithOwner,url \
+| jq -r '.[].url' | while read -r r; do
+  tmp=$(mktemp -d); git clone --depth 1 "$r" "$tmp" && \
+  gitleaks detect --source "$tmp" -v || true; rm -rf "$tmp";
+done
+```
+- Nosey Parker over a mono checkout:
+```bash
+# after cloning many repos beneath ./org
+noseyparker scan --datastore np.db org/ && noseyparker report --datastore np.db
+```
+- ggshield quick scans:
+```bash
+# current working tree
+ggshield secret scan path -r .
+# full git history of a repo
+ggshield secret scan repo <path-or-url>
+```
+
+> Tip: For git history, prefer scanners that parse `git log -p --all` to catch removed secrets.
+
+### Updated dorks for modern tokens
+
+- GitHub tokens: `ghp_` `gho_` `ghu_` `ghs_` `ghr_` `github_pat_`
+- Slack tokens: `xoxb-` `xoxp-` `xoxa-` `xoxs-` `xoxc-` `xoxe-`
+- Cloud and general:
+  - `AWS_ACCESS_KEY_ID` `AWS_SECRET_ACCESS_KEY` `aws_session_token`
+  - `GOOGLE_API_KEY` `AZURE_TENANT_ID` `AZURE_CLIENT_SECRET`
+  - `OPENAI_API_KEY` `ANTHROPIC_API_KEY`
+
 ### **Dorks**
 
 ```bash
@@ -304,7 +363,15 @@ AWS SECRET
 "private" extension:pgp
 ```
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#ref}}
+wide-source-code-search.md
+{{#endref}}
+
 
 
 
+## References
+
+- Keeping secrets out of public repositories (GitHub Blog, Feb 29, 2024): https://github.blog/news-insights/product-news/keeping-secrets-out-of-public-repositories/
+- TruffleHog v3 – Find, verify, and analyze leaked credentials: https://github.com/trufflesecurity/trufflehog
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
@@ -131,10 +131,10 @@ pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphon
 # imjtool (https://newandroidbook.com/tools/imjtool.html)
 imjtool _img_name_ [extract]
 
-# disarm (you can use it directly on the IMG4 file) - https://newandroidbook.com/tools/disarm.html
+# disarm (you can use it directly on the IMG4 file) - [https://newandroidbook.com/tools/disarm.html](https://newandroidbook.com/tools/disarm.html)
 disarm -L kernelcache.release.v57 # From unzip ipsw
 
-# disamer (extract specific parts, e.g. filesets) - https://newandroidbook.com/tools/disarm.html
+# disamer (extract specific parts, e.g. filesets) - [https://newandroidbook.com/tools/disarm.html](https://newandroidbook.com/tools/disarm.html)
 disarm -e filesets kernelcache.release.d23 
 ```
 
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md
@@ -447,18 +447,5 @@ __END_DECLS
 
 - [**\*OS Internals Volume III**](https://newosxbook.com/home.html)
 
-{{#include ../../../banners/hacktricks-training.md}}
-
-
-
-
-
 
-
-on system boot, IMage4, AMFI and Sandbox are fisrt to load
-
-AMFI registers label #1 - attacher to the creds stores the entielements of process
-
-during kern_exec.c -> exec_actovate_image -> macho activation (loader) -> load_code_signature --> hook vnode_check_signature
-
-this will offload all of the 
+{{#include ../../../banners/hacktricks-training.md}}
