PwnDelorean
PwnDelorean is a credential seeker. It allows users to search local and remote git repositories history for
any developer secrets that were left over and in addition searches filesystems for the same secrets.
Prerequisities
Requires Go runtime, currently using go version 1.8.3
Getting Started
brew install libgit2
go get
go build .
./PwnDelorean -url https://github.com/k4ch0w/PwnDelorean.git
Scan filesystem
./PwnDelorean -directory ~/Workspace
Scan Organization
./PwnDelorean -organization GitHub
Scan repo with Creds
Plaintext
export GIT_USER=k4ch0w
export GIT_PASS=*********
./PwnDelorean -url https://github.com/k4ch0w/PwnDeloreanRepo.git -creds=plaintext
SSH
export GIT_USER=k4ch0w
export GIT_PRIV_KEY=~/.ssh/id_rsa
export GIT_PUB_KEY=~/.ssh/id_rsa.pub
#If needed
export GIT_PASSPHRASE=******
./PwnDelorean -url https://github.com/k4ch0w/PwnDeloreanRepo.git -creds=ssh
Additional Flags
- csv - The filename to output results in CSV format to I.E ~/results.csv
- fileNamesOnly - Only look for interesting filenames instead of parsing each file
- ignoreForkedRepos - When scanning an organization ignore repos they forked
- ignoreHighFalsePositives - Ignore searching for patterns that generally cause false positives, be careful with this flag it will miss things like AWS keys and Azure keys
Authors
- Paul Ganea - Initial work
License
This project is licensed under the MIT License - see the LICENSE.md file for details