# GitHub Dorks {% tabs %} {% tab title="Support VeryLazyTech 🎉" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚 {% endtab %} {% endtabs %} GitHub has become a **treasure trove for hackers and security researchers** alike. While it serves as an essential platform for developers, it is also home to **a vast amount of exposed credentials, API keys, and sensitive corporate data**. This guide will uncover **how hackers use GitHub Dorks to find leaks** and how you can **protect your repositories** from unintended exposure.

## Understanding GitHub Dorks GitHub Dorking refers to the practice of using **advanced search queries** to locate **exposed sensitive data** within public repositories. Many developers unknowingly commit **API keys, passwords, SSH credentials, and database connection strings**, making GitHub an easy hunting ground for attackers. By utilizing **GitHub’s advanced search operators**, security researchers and malicious actors can filter through billions of repositories to find leaked credentials. ## How Hackers Use GitHub Dorks to Find Sensitive Data ### Step 1: Understanding GitHub Search Operators GitHub provides powerful search capabilities that allow users to filter content using **specific search queries**. Some of the most commonly used operators include: * **`filename:`** – Searches for specific file names. * **`extension:`** – Filters results based on file type. * **`path:`** – Searches for files in a particular directory structure. * **`org:`** – Limits results to a specific organization. * **`repo:`** – Focuses on a particular repository. Using these operators, attackers can efficiently **pinpoint valuable data** hidden within repositories. ## Step 2: Common GitHub Dorks Used for Finding Leaks Here are some **powerful GitHub Dork queries** commonly used to uncover sensitive data: ### API Keys and Credentials: ``` filename:.env DB_PASSWORD filename:config.json AWS_ACCESS_KEY_ID filename:settings.py SECRET_KEY ``` ### Database Connection Strings: ``` filename:.env MYSQL_PASSWORD filename:database.yml production filename:wp-config.php DB_PASSWORD ``` ### SSH Keys and Private Keys: ``` filename:id_rsa extension:pem private filename:config in:path/.ssh ``` ### Cloud and Service Credentials: ``` filename:.dockercfg auth filename:credentials aws_access_key_id extension:json google_api_key ``` These dorks enable attackers to **easily retrieve sensitive credentials** and gain unauthorized access to services. ## Real-World Examples of GitHub Leaks ### 1. AWS Keys Exposed in Public Repositories Several companies have suffered **data breaches** due to **AWS keys leaked on GitHub**. Attackers use GitHub Dorks to find these keys and **gain full control over cloud infrastructure**, leading to massive security incidents. ### 2. Database Credentials Leading to Data Breaches Hackers often find **hardcoded database credentials** in public repositories, allowing them to **access and dump entire databases**. This can lead to **financial losses, GDPR violations, and reputational damage**. ### 3. Hardcoded SSH Keys Allowing Server Access When developers mistakenly **commit private SSH keys**, attackers can **gain full access to critical servers**, compromising entire infrastructures. ## How to Protect Your Data on GitHub ### 1. Use `.gitignore` to Exclude Sensitive Files Ensure that sensitive files are never committed by adding them to `.gitignore`: ``` # Ignore environment files .env *.pem config.json database.yml ``` ### 2. Enable GitHub Secret Scanning GitHub provides **secret scanning** to detect **leaked credentials** before they become an issue. Enable this feature to receive alerts when sensitive data is exposed. ### 3. Rotate Exposed Keys Immediately If you accidentally push sensitive information, **revoke and rotate the credentials** immediately to prevent misuse. ### 4. Regularly Audit Repositories Use tools like **GitLeaks**, **TruffleHog**, and **GitGuardian** to scan repositories for **accidentally committed sensitive data**. ### 5. Encrypt Sensitive Data Never store sensitive credentials in plain text. Instead, use **environment variables** or **secret management services** like AWS Secrets Manager, HashiCorp Vault, or GitHub Actions Secrets. ## Essential Tools for Detecting GitHub Leaks * **#My favorite** * * * * * * * * * * ## List of dorks I am using: ``` ".mlab.com password" "access_key" "access_token" "amazonaws" "api.googlemaps AIza" "api_key" "api_secret" "apidocs" "apikey" "apiSecret" "app_key" "app_secret" "appkey" "appkeysecret" "application_key" "appsecret" "appspot" "auth" "auth_token" "authorizationToken" "aws_access" "aws_access_key_id" "aws_key" "aws_secret" "aws_token" "AWSSecretKey" "bashrc password" "bucket_password" "client_secret" "cloudfront" "codecov_token" "config" "conn.login" "connectionstring" "consumer_key" "credentials" "database_password" "db_password" "db_username" "dbpasswd" "dbpassword" "dbuser" "dot-files" "dotfiles" "encryption_key" "fabricApiSecret" "fb_secret" "firebase" "ftp" "gh_token" "github_key" "github_token" "gitlab" "gmail_password" "gmail_username" "herokuapp" "internal" "irc_pass" "JEKYLL_GITHUB_TOKEN" "key" "keyPassword" "ldap_password" "ldap_username" "login" "mailchimp" "mailgun" "master_key" "mydotfiles" "mysql" "node_env" "npmrc _auth" "oauth_token" "pass" "passwd" "password" "passwords" "pem private" "preprod" "private_key" "prod" "pwd" "pwds" "rds.amazonaws.com password" "redis_password" "root_password" "secret" "secret.password" "secret_access_key" "secret_key" "secret_token" "secrets" "secure" "security_credentials" "send.keys" "send_keys" "sendkeys" "SF_USERNAME salesforce" "sf_username" "site.com" FIREBASE_API_JSON= "site.com" vim_settings.xml "slack_api" "slack_token" "sql_password" "ssh" "ssh2_auth_password" "sshpass" "staging" "stg" "storePassword" "stripe" "swagger" "testuser" "token" "x-api-key" "xoxb " "xoxp" [WFClient] Password= extension:ica access_key bucket_password dbpassword dbuser extension:avastlic "support.avast.com" extension:bat extension:cfg extension:env extension:exs extension:ini extension:json api.forecast.io extension:json googleusercontent client_secret extension:json mongolab.com extension:pem extension:pem private extension:ppk extension:ppk private extension:properties extension:sh extension:sls extension:sql extension:sql mysql dump extension:sql mysql dump password extension:yaml mongolab.com extension:zsh filename:.bash_history filename:.bash_history DOMAIN-NAME filename:.bash_profile aws filename:.bashrc mailchimp filename:.bashrc password filename:.cshrc filename:.dockercfg auth filename:.env DB_USERNAME NOT homestead filename:.env MAIL_HOST=smtp.gmail.com filename:.esmtprc password filename:.ftpconfig filename:.git-credentials filename:.history filename:.htpasswd filename:.netrc password filename:.npmrc _auth filename:.pgpass filename:.remote-sync.json filename:.s3cfg filename:.sh_history filename:.tugboat NOT _tugboat filename:_netrc password filename:apikey filename:bash filename:bash_history filename:bash_profile filename:bashrc filename:beanstalkd.yml filename:CCCam.cfg filename:composer.json filename:config filename:config irc_pass filename:config.json auths filename:config.php dbpasswd filename:configuration.php JConfig password filename:connections filename:connections.xml filename:constants filename:credentials filename:credentials aws_access_key_id filename:cshrc filename:database filename:dbeaver-data-sources.xml filename:deployment-config.json filename:dhcpd.conf filename:dockercfg filename:environment filename:express.conf filename:express.conf path:.openshift filename:filezilla.xml filename:filezilla.xml Pass filename:git-credentials filename:gitconfig filename:global filename:history filename:htpasswd filename:hub oauth_token filename:id_dsa filename:id_rsa filename:id_rsa or filename:id_dsa filename:idea14.key filename:known_hosts filename:logins.json filename:makefile filename:master.key path:config filename:netrc filename:npmrc filename:pass filename:passwd path:etc filename:pgpass filename:prod.exs filename:prod.exs NOT prod.secret.exs filename:prod.secret.exs filename:proftpdpasswd filename:recentservers.xml filename:recentservers.xml Pass filename:robomongo.json filename:s3cfg filename:secrets.yml password filename:server.cfg filename:server.cfg rcon password filename:settings filename:settings.py SECRET_KEY filename:sftp-config.json filename:sftp-config.json password filename:sftp.json path:.vscode filename:shadow filename:shadow path:etc filename:spec filename:sshd_config filename:token filename:tugboat filename:ventrilo_srv.ini filename:WebServers.xml filename:wp-config filename:wp-config.php filename:zhrc HEROKU_API_KEY language:json HEROKU_API_KEY language:shell HOMEBREW_GITHUB_API_TOKEN language:shell jsforce extension:js conn.login language:yaml -filename:travis msg nickserv identify filename:config org:Target "AWS_ACCESS_KEY_ID" org:Target "list_aws_accounts" org:Target "aws_access_key" org:Target "aws_secret_key" org:Target "bucket_name" org:Target "S3_ACCESS_KEY_ID" org:Target "S3_BUCKET" org:Target "S3_ENDPOINT" org:Target "S3_SECRET_ACCESS_KEY" password path:sites databases password private -language:java PT_TOKEN language:bash redis_password root_password secret_access_key SECRET_KEY_BASE= shodan_api_key language:python WORDPRESS_DB_PASSWORD= xoxp OR xoxb OR xoxa s3.yml .exs beanstalkd.yml deploy.rake .sls AWS_SECRET_ACCESS_KEY API KEY API SECRET API TOKEN ROOT PASSWORD ADMIN PASSWORD GCP SECRET AWS SECRET "private" extension:pgp ``` ## Final Thoughts — Stay Ahead of GitHub Leaks GitHub Dorking is a **double-edged sword** — while security researchers use it for **responsible disclosure**, hackers exploit it for malicious purposes. The best way to protect your organization is by **implementing strict security measures, scanning for leaks proactively, and training developers to follow security best practices**. {% hint style="success" %} Learn & practice [**For the OSCP.**](https://shop.verylazytech.com)

Support VeryLazyTech 🎉

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚

{% endhint %}