loading
loading
Static Code Analysis
Git ripper that can rip repositories even when directory browsing is turned off.
overview
dvcsripper-git reconstructs a full git repository from an exposed .git folder on a web server. When a site leaves its version-control directory reachable, the ripper walks the git object structure and pulls down the history, even if directory listing is disabled and you cannot browse the files directly.
It handles the awkward parts of a real target. Point it at a branch, send requests through a proxy, set a custom user agent, follow a bounded number of redirects, and run parallel tasks to speed up the fetch. It can guess the packed-refs name, or brute force it when guessing fails, and a Redis backend coordinates state across a larger rip.
On Trickest, dvcsripper-git is a Static Code Analysis node that takes a URL with a .git folder and writes a folder containing the reconstructed repository. Recover the source, then scan it for secrets and vulnerabilities downstream.
source github.com/kost/dvcs-ripper
use cases
Reconstruct a repository from a leaked .git folder so you can review the source and history of an application that should not have shipped it.
Walk the git object graph directly to pull the repo even when the server blocks browsing of the .git directory.
Hand the reconstructed repository to a credential scanner so hardcoded keys in the leaked history surface for remediation.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | URL with the exposed .git folder. |
| use-branch | STRING | -b | Branch to rip (default: master). |
| use-proxy | STRING | -p | Proxy host to use for connections. |
| use-agent | STRING | -a | User agent string to send. |
| number-of-parallel-tasks | STRING | -t | Number of parallel tasks to run. |
| guess-packed-refs-name | BOOLEAN | -g | Intelligently guess the name of packed refs. |
| dont-verify-ssl | BOOLEAN | -s | Do not verify the SSL certificate. |
| verbose | BOOLEAN | -v | Verbose mode. |
Showing key inputs. dvcsripper-git exposes 16 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | Url with .git folder. |
| verbose | BOOLEAN | -v | Verbose mode |
| use-agent | STRING | -a | Use agent <s> (default: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2) |
| use-proxy | STRING | -p | Use proxy <h> for connections |
| use-redis | STRING | -e | Use redis <s> server as server:port |
| use-branch | STRING | -b | Use branch <s> (default: master) |
| git-checkout-f | BOOLEAN | -c | perform 'git checkout -f' on end (default) |
| dont-verify-ssl | BOOLEAN | -s | Do not verify SSL cert |
| set-basic-auth-key | STRING | -ba | Set basic auth key |
| dont-override-files | BOOLEAN | -n | Do not overwrite files |
| guess-packed-refs-name | BOOLEAN | -g | Try to inteligently guess name of packed refs |
| use-session-name-redis | STRING | -k | Use session name <s> for redis (default: random) |
| brute-force-packed-refs | BOOLEAN | -x | Brute force packed refs (extremely slow!!) |
| max-number-of-redirects | STRING | -r | Specify max number of redirects (default: 0) |
| number-of-parallel-tasks | STRING | -t | Use <i> parallel tasks |
| mkdir-url-name-for-output | BOOLEAN | -m | Mkdir URL name when outputting (works good with -o) |
example
# rip an exposed .git folder with parallel tasks and packed-refs guess# dvcsripper-git (rip-git.pl)dvcsripper-git -u https://example.com/.git/ -b master -t 8 -g -v -cdvcsripper-git: fetching https://example.com/.git/[+] HEAD -> refs/heads/master[+] packed-refs guessed via -g[*] object 9f3a1c2b7d4e5f60a1b2c3d4e5f6a7b8c9d0e1f2[*] object a1b2c3d4e5f60718293a4b5c6d7e8f9012345678[*] parallel tasks: 8[+] checkout -f completeSummary: 318 objects recovered for example.comOutput: ./example.comguidance
Use dvcs-ripper when a target exposes its .git folder and you want the full source and history back, even with directory listing disabled. Once it reconstructs the repo, scan the result with dora or dumpsterdiver to find leaked credentials in the recovered code.
Scans the recovered repository for exposed API keys. A natural next step after the rip completes.
Hunts secrets across the reconstructed files by entropy and rules. Pair it after ripping.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
Inspect Go source code for security problems by scanning the Go AST.
A URL with an exposed .git folder feeds dvcs-ripper, which reconstructs the repository and passes it to dora so leaked keys land as a queryable output.
Facts on this page come from the live Trickest tool library.