Git

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

To dump a .git folder from a URL use https://github.com/arthaud/git-dumper

Use https://www.gitkraken.com/ to inspect the content

If a .git directory is found in a web application you can download all the content using wget -r http://web.com/.git. Then, you can see the changes made by using git diff.

The tools: Git-Money, DVCS-Pillage and GitTools can be used to retrieve the content of a git directory.

The tool https://github.com/cve-search/git-vuln-finder can be used to search for CVEs and security vulnerability messages inside commits messages.

The tool https://github.com/michenriksen/gitrob search for sensitive data in the repositories of an organisations and its employees.

Repo security scanner is a command line-based tool that was written with a single goal: to help you discover GitHub secrets that developers accidentally made by pushing sensitive data. And like the others, it will help you find passwords, private keys, usernames, tokens and more.

Here you can find an study about github dorks: https://securitytrails.com/blog/github-dorks

Faster /.git dumping & dirlisting bypass (2024–2026)

• holly-hacker/git-dumper is a 2024 rewrite of the classic GitTools dumper with parallel fetching (>10x speedup). Example: python3 git-dumper.py https://victim/.git/ out && cd out && git checkout -- .
• Ebryx/GitDump brute-forces object names from .git/index, packed-refs, etc. to recover repos even when directory traversal is disabled: python3 git-dump.py https://victim/.git/ dump && cd dump && git checkout -- .

Quick post-dump triage

cd dumpdir
# reconstruct working tree
git checkout -- .
# show branch/commit map
git log --graph --oneline --decorate --all
# list suspicious config/remotes/hooks
git config -l
ls .git/hooks

Secret/credential hunting (current tooling)

• TruffleHog v3+: entropy+regex with automatic Git history traversal. trufflehog git file://$PWD --only-verified --json > secrets.json
• Gitleaks (v8+): fast regex ruleset, can scan unpacked tree or full history. gitleaks detect -v --source . --report-format json --report-path gitleaks.json

References

• holly-hacker/git-dumper – parallel fast /.git dumper
• Ebryx/GitDump

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.