This document discusses techniques for finding and stealing source code from unprotected Git repositories, including cloning exposed repositories, exploiting path and file disclosures, recovering deleted files and credentials from commit logs, and using tools to conduct aggressive cloning attacks. It warns developers to secure access to Git configurations and repositories and not check in sensitive data, and cautions attackers to carefully inspect exposed repositories for hostnames, paths, files and credentials that could be abused.

1. GITMONEYSTEALINGSOURCETREES
finding exposed repositories to retrieve source trees, gold
chains and other j00lz what belongs to other people.
Where What Who
Ruxmon Melbourne Stealing Source Trees Tim Noise

2. tIMNOISE
• twitter/dnoiz1
• github/dnoiz1
• mIRC/dnz
• streetz/notorious D N Z
• tim@drkns.net
Avid computer user and internet skater

3. VERSIONCONTROL
• GIT
• SVN
• HG (mercurial)
• CVS
• TFS (git support)
• darcs
• Others
Keeping track of versions, and controlling them

4. WORKFLOW
• Initial code commit
• Master / Main branch is release
• Dev branch for main development
• Ability for feature or hot fix
branches
• Push releases to CI (continuous
integration) for testing and final
deployment
How software developers plan on using git

5. 2pAcWAscloned*
• Not just taking a copy of the latest code
• Exact replica of the repository
• Cloned repositories can be used to update remotes
• Changes in remote repositories can be pulled into clones
• Can clone over Git (tcp/9418), SSH, HTTP(s), FTP, rsync or fs
• Generally authenticated via SSH key
• Can be authenticated via HTTPS basic auth
"Git money nigga - Yeah - aw yeah" -Tupac Shakur
*4pac

6. GITSTRUCTURE
• Configuration
• Commit Logs
• Current State
• Previous States
• References to
commits and
remotes
dat booty

7. GITCONFIG
• branches
• remote urls
can contain
usernames and
disclose
internal hosts
Some disclosure

8. GITOBJECTS
4 types:
• Blob (content)
• Source Tree
• Commit Data
• Tags
The Money

9. PLEASEIgnore
• .gitignore
• Untracked files
• Served as text
• Path disclosure
• Paths in repo
• Similar vector
to robots.txt
Look for:
• YAML
• SQL
• JSON
• Logs
• Cache
• etc
Dayum son, where'd you find this?

10. badcommits
Commits that contain sensitive data
• API Keys
• Credentials
• Cache
• Logs / stack traces
!
Deleted files can be rolled back!
git crimes for which you will be judged and so judge others

11. badcommitsdemo
youtu.be/eJX4IfUn6JA

12. AOLKEYWORDS
• Common
• Easy to find
• Some false positives
• Easy to retrieve non-referenced /
dangling objects / packs
• Directory indexes allow for wget -m
• Someone else probably found it first
Y0un9 m0n3y k-r4d sk1ddy m0de

13. GITBlindedwith your locs on indoors at night time

14. GITNUMBERSGITNAMESGot a $100 bill y'all

15. GITNUMBERSGITNAMESGot a $100 bill y'all

16. AGGRESSIVECLONING
• LFI / file reads + filter output
!
!
!
• cmd injection to clone from filesystem
!
!
Want dat cheddar.

17. DEMO

18. youtu.be/u2QE7l-7xKg
youtu.be/o9UaGK-c8Ik

19. MOMONEY
Tools
• Git
• gin (index parsing)
• Acunetix / prob others
• greedy git
Further Information
• git-scm.com
• help.github.com
• lmgtfy.com/?q=git
Other tools

20. TAKEAWAYDevelopers
• Deny access to . and configs
• Don't leave version control in production
• Don't check in sensitive data
• Don't expose your sekrit repositories
Attackers
• Check for repositories
• Look for host disclosure (config)
• Look for file/path disclosure (.gitignore)
• Look for credentials (commits/history)
• Make use of recovered source Where What Who
Ruxmon Melbourne Stealing Source Trees Tim Noise
Any y'all wanna hamburger??