diff --git a/src/binary-exploitation/ios-exploiting/README.md b/src/binary-exploitation/ios-exploiting/README.md index ec1aafa63d4..023a769d909 100644 --- a/src/binary-exploitation/ios-exploiting/README.md +++ b/src/binary-exploitation/ios-exploiting/README.md @@ -1148,7 +1148,7 @@ These are the defenses built into modern userland xzone: --- If you like, I can also generate a cheat-sheet or diagram of xzone internals for your book. Do you want me to do that next? -::contentReference[oaicite:20]{index=20} +::contentReference[oai:20]{index=20} --- diff --git a/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md b/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md index 329e520d271..bba558c8201 100644 --- a/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md +++ b/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md 
@@ -12,14 +12,73 @@ - [https://github.com/JaimePolop/RExpository](https://github.com/JaimePolop/RExpository) - [https://github.com/Yelp/detect-secrets](https://github.com/Yelp/detect-secrets) - [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) -- [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit) +- https://github.com/eth0izzle/shhgit (unmaintained) - [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) -- [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob) -- [https://github.com/anshumanbh/git-all-secrets](https://github.com/anshumanbh/git-all-secrets) +- https://github.com/michenriksen/gitrob (archived) +- https://github.com/anshumanbh/git-all-secrets (archived) - [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets) - [https://github.com/kootenpv/gittyleaks](https://github.com/kootenpv/gittyleaks) - [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) +> Notes +> - TruffleHog v3 can verify many credentials live and scan GitHub orgs, issues/PRs, gists, and wikis. Example: `trufflehog github --org --results=verified`. +> - Gitleaks v8 supports scanning git history, directories and archives: `gitleaks detect -v --source .` or `gitleaks detect --source --log-opts="--all"`. +> - Nosey Parker focuses on high-throughput scanning with curated rules and has an Explorer UI for triage. Example: `noseyparker scan --datastore np.db ` then `noseyparker report --datastore np.db`. +> - ggshield (GitGuardian CLI) provides pre-commit/CI hooks and Docker image scanning: `ggshield secret scan repo `. + +### Where secrets commonly leak in GitHub + +- Repository files in default and non-default branches (search `repo:owner/name@branch` in the UI). +- Full git history and other branches/tags (clone and scan with gitleaks/trufflehog; GitHub search focuses on indexed content). 
+- Issues, pull requests, comments, and descriptions (TruffleHog GitHub source supports these via flags like `--issue-comments`, `--pr-comments`). +- Actions logs and artifacts of public repositories (masking is best-effort; review logs/artifacts if visible). +- Wikis and release assets. +- Gists (search with tooling or the UI; some tools can include gists). + +> Gotchas +> - GitHub’s REST code search API is legacy and does not support regex; prefer the Web UI for regex searches. The gh CLI uses the legacy API. +> - Only files below a certain size are indexed for search. To be thorough, clone and scan locally with a secrets scanner. + +### Programmatic org-wide scanning + +- TruffleHog (GitHub source): +```bash +export GITHUB_TOKEN= +trufflehog github --org Target --results=verified \ + --include-wikis --issue-comments --pr-comments --gist-comments +``` +- Gitleaks over all org repos (clone shallow and scan): +```bash +gh repo list Target --limit 1000 --json nameWithOwner,url \ +| jq -r '.[].url' | while read -r r; do + tmp=$(mktemp -d); git clone --depth 1 "$r" "$tmp" && \ + gitleaks detect --source "$tmp" -v || true; rm -rf "$tmp"; +done +``` +- Nosey Parker over a mono checkout: +```bash +# after cloning many repos beneath ./org +noseyparker scan --datastore np.db org/ && noseyparker report --datastore np.db +``` +- ggshield quick scans: +```bash +# current working tree +ggshield secret scan path -r . +# full git history of a repo +ggshield secret scan repo +``` + +> Tip: For git history, prefer scanners that parse `git log -p --all` to catch removed secrets. + +### Updated dorks for modern tokens + +- GitHub tokens: `ghp_` `gho_` `ghu_` `ghs_` `ghr_` `github_pat_` +- Slack tokens: `xoxb-` `xoxp-` `xoxa-` `xoxs-` `xoxc-` `xoxe-` +- Cloud and general: + - `AWS_ACCESS_KEY_ID` `AWS_SECRET_ACCESS_KEY` `aws_session_token` + - `GOOGLE_API_KEY` `AZURE_TENANT_ID` `AZURE_CLIENT_SECRET` + - `OPENAI_API_KEY` `ANTHROPIC_API_KEY` + ### **Dorks** ```bash 
@@ -304,7 +363,15 @@ AWS SECRET "private" extension:pgp ``` -{{#include ../../banners/hacktricks-training.md}} +{{#ref}} +wide-source-code-search.md +{{#endref}} + +## References + +- Keeping secrets out of public repositories (GitHub Blog, Feb 29, 2024): https://github.blog/news-insights/product-news/keeping-secrets-out-of-public-repositories/ +- TruffleHog v3 – Find, verify, and analyze leaked credentials: https://github.com/trufflesecurity/trufflehog +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md index 1a7d3208f67..f7319a38ac5 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md @@ -131,10 +131,10 @@ pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphon # imjtool (https://newandroidbook.com/tools/imjtool.html) imjtool _img_name_ [extract] -# disarm (you can use it directly on the IMG4 file) - https://newandroidbook.com/tools/disarm.html +# disarm (you can use it directly on the IMG4 file) - [https://newandroidbook.com/tools/disarm.html](https://newandroidbook.com/tools/disarm.html) disarm -L kernelcache.release.v57 # From unzip ipsw -# disamer (extract specific parts, e.g. filesets) - https://newandroidbook.com/tools/disarm.html +# disamer (extract specific parts, e.g. filesets) - [https://newandroidbook.com/tools/disarm.html](https://newandroidbook.com/tools/disarm.html) disarm -e filesets kernelcache.release.d23 ``` 
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md index 73bb894b98a..e1ec5eae728 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.md @@ -447,18 +447,5 @@ __END_DECLS - [**\*OS Internals Volume III**](https://newosxbook.com/home.html) -{{#include ../../../banners/hacktricks-training.md}} - - - - - - -on system boot, IMage4, AMFI and Sandbox are fisrt to load - -AMFI registers label #1 - attacher to the creds stores the entielements of process - -during kern_exec.c -> exec_actovate_image -> macho activation (loader) -> load_code_signature --> hook vnode_check_signature - -this will offload all of the \ No newline at end of file +{{#include ../../../banners/hacktricks-training.md}}
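Review bot: in the `src/binary-exploitation/ios-exploiting/README.md` hunk, renaming `::contentReference[oaicite:20]{index=20}` to `::contentReference[oai:20]{index=20}` keeps a marker that renders as nothing useful in either form; it is LLM-output residue and should be deleted rather than edited. The unchanged context line just above it, `If you like, I can also generate a cheat-sheet or diagram of xzone internals for your book. Do you want me to do that next?`, is the same kind of chat artifact and should go in the same commit, so the section ends at the `---` rule like the rest of the page.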
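Review bot: in the `github-leaked-secrets.md` hunk at `@@ -12,14 +12,73 @@`, several of the added commands are missing their arguments and will fail as written: `trufflehog github --org --results=verified`, `gitleaks detect --source --log-opts="--all"`, `noseyparker scan --datastore np.db `, `ggshield secret scan repo ` and `export GITHUB_TOKEN=`. This looks like `<org>`/`<path>` placeholders that the renderer swallowed as HTML tags; use plain placeholders that survive markdown, e.g. `trufflehog github --org ORG --results=verified` and `gitleaks detect --source /path/to/repo --log-opts="--all"`. Separately, the "Gitleaks over all org repos" loop uses `git clone --depth 1`, which leaves a single commit on one branch, so `gitleaks detect` cannot see secrets that were committed and later removed; that contradicts the `> Tip` directly below it, which tells the reader to prefer scanners that walk `git log -p --all`. Drop `--depth 1` (or document that the loop only scans the latest tree) and pass `--log-opts="--all"` so other branches are covered. The `--json nameWithOwner,url` field list also requests `nameWithOwner`, which the `jq` filter never uses; `--json url` is enough.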
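Review bot: in the `github-leaked-secrets.md` hunk at `@@ -304,7 +363,15 @@`, the new `## References` section only lists TruffleHog and the GitHub blog post, while the earlier hunk in the same file documents specific CLI flags for Gitleaks (`--log-opts`), Nosey Parker (`scan`/`report --datastore`) and ggshield (`secret scan path -r`, `secret scan repo`); add the upstream repositories for those three tools so a reader can verify the flags, since they change between releases. The banner include is correctly moved after the references and the `{{#ref}} wide-source-code-search.md {{#endref}}` block matches the existing cross-reference style, so no change needed there.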
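Review bot: in the `macos-kernel-extensions.md` hunk, both changed lines are `#` comments inside a ```bash fence, where markdown link syntax is not rendered, so `[https://newandroidbook.com/tools/disarm.html](https://newandroidbook.com/tools/disarm.html)` only duplicates the URL in the rendered code block; keep the plain `# disarm (...) - https://newandroidbook.com/tools/disarm.html` form that was there before. While touching these lines, the second comment still reads `# disamer (extract specific parts, e.g. filesets)`, a typo for `disarm`, which is the command actually invoked on the next line.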
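Review bot: in the `macos-macf-mandatory-access-control-framework.md` hunk, removing the stray notes after the references and restoring the `{{#include ../../../banners/hacktricks-training.md}}` line (with a trailing newline, fixing the `\ No newline at end of file`) is the right cleanup, but the deleted lines are not pure garbage: they record that Image4, AMFI and Sandbox are the first policies to load at boot, that AMFI registers label slot #1 attached to the credentials to store the process entitlements, and the `kern_exec.c -> exec_activate_image -> load_code_signature -> vnode_check_signature` hook path. That is material this MACF page is about, so consider rewriting those three points as a short paragraph in the body (with the typos fixed) before the references rather than discarding them with the scratch text.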