Search the Community

When you pentest a website an it's ok to "make a lot of noise" you can use the nmap script at http-enum.nse , that basicaly uses another script http-fingerprints.lua to find any common folders on a system, bruteforce but works. This most of the time returs folders like admin, tmp and others, but the one in particular we will discuss right now is the /.git folder. Now we need to get the /.git folder. Using git clone to download the sources will fail, so since directory listing is turned on we can download it using wget. $ mkdir git-test $ cd git-test $ wget --mirror --include-directories=/.git http://www.target.com/.git That'll take some time, depending on the size of the repository. When it's all done, go into the folder that wget created and use git --reset: $ cd www.site.com $ git reset --hard HEAD is now at [...] Then look around - you have their entire codebase! $ ls db doc robots.txt scripts test Browse this for interesting scripts (like test scripts?), passwords, configuration details, deployment, addresses, and more! You just turned your blackbox pentest into a whitebox one, and maybe you got some passwords in the deal! You can also use "git log" to get commit messages, "git remote" to get a list of interesting servers, "git branch -a" to get a list of branches, etc. Why does this happen? When you clone a git repository, it creates a folder for git's metadata - .git - in the folder where you check it out. This is what lets you do a simple "git pull" to get new versions of your files, and can make deployment/upgrades a breeze. There are a few ways to prevent this: Remove the .git folder after you check it out Use a .htaccess file (or apache configuration file) to block access to .git Keep the .git folder one level up - in a folder that's not available to the Web server Use a framework - like Rails or .NET - where you don't give users access to the filesystem Finding this in an automated way You can quickly scan an entire network by using a command like: nmap -sS -PS80,81,443,8080,8081 -p80,81,443,8080,8081 --script=http-git <target> The output for an affected host will look something like: PORT STATE SERVICE 80/tcp open http | http-git: | Potential Git repository found at 206.220.193.152:80/.git/ (found 5 of 6 expected files) | Repository description: Unnamed repository; edit this file 'description' to name the... | Remote: https://github.com/skullspace/skullspace.ca.git |_ -> Source might be at https://github.com/skullspace/skullspace.ca Credits: SkullSecurity ? Blog Archive ? Using "Git Clone" to get Pwn3D