loading
loading
Discovery
Identify websites with publicly accessible .git repositories across a large host list.
overview
mass-gitfinder reads a file of hosts and checks each one for a publicly reachable .git directory. When a web server exposes its version control folder, anyone can pull the repository and recover source code, configuration, and secrets that were never meant to ship.
It is built for breadth. Point it at thousands of domains or subdomains and it walks them with multiple threads, flagging the ones that answer for the .git path. The result is a short, high-signal list of leak candidates pulled out of a large, noisy input.
Chain it after subdomain enumeration and an HTTP prober so it only runs against live hosts, then route its output to triage or to a dumper that recovers the exposed repositories.
use cases
Feed a full list of company subdomains and flag every host that serves a reachable .git directory, catching leaks before an attacker dumps the repository.
Run mass-gitfinder after subdomain discovery and HTTP probing so the .git check fires only against hosts that are confirmed live.
Schedule the scan against a maintained host list so newly deployed servers that ship their version control folder get caught soon after they go live.
Scan a target's published domains for accessible .git paths, then pull the leaked repository to read source, hardcoded credentials, and internal endpoints.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input-file | FILE | -i | File of hosts to check for an exposed .git directory. |
| threads | STRING | -t | Number of concurrent threads for the sweep. |
Showing key inputs. mass-gitfinder exposes 2 inputs in total.
example
# mass-gitfinder: sweep hosts.txt for exposed .git with 40 threadsmass-gitfinder -i hosts.txt -t 40https://example.com/.git/https://staging.example.com/.git/https://dev.example.com/.git/https://old.example.com/.git/https://cdn-origin.example.com/.git/https://intranet.example.com/.git/# 6 hosts with accessible .git from 180 probedguidance
Reach for Mass-GitFinder when you have a list of hosts and want to know which ones leak a .git directory. It checks a single high-value exposure at scale, so run it after discovery and probing rather than as a general content scanner. For broad path and file discovery, use meg or ffuf instead.
Fetches many paths across many hosts while staying gentle on servers. Broader path coverage, not specialized for .git.
Wraps LinkFinder over a list of JS URLs to extract endpoints. A different leak surface, JavaScript rather than version control.
General-purpose content and directory fuzzer. Wire it to brute-force many paths, where Mass-GitFinder targets one.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A host list is probed by httpx for live targets, then Mass-GitFinder checks each one for an exposed .git directory and writes the leak candidates as a queryable output.
Facts on this page come from the live Trickest tool library.