Day 14/100 Hack and Improvement

1 minute read

Simplifying Shodan with Shodanish

From Sam (CoffeeJunkie) and Rajesh Ranjan. Recon can be very fruitful if assets can be found with interesting software running in the backend. In this case Shodanish by Aziz Hakim. This tool will help us out to simplify shodan dorks by giving the domain name of the company. This will be helpful in order to filter exact results in shodan in order to get results just from the company that you want to test.

nmap scan

Once the hash is given, these are the results well filtered for the target.

nmap scan

As you can see, once the results are filtered, ther are 622 total results. Look closely in this case when the results are NOT filtered.

nmap scan

As you can see, when the results are not filtered, there are 1313 total results. Therefore Shodanish will save us time by looking to the hosts that we want to search.

Expanding while simplifying Github Recon with GitHound

Companies all over the world have data exposed in Github. Attackers nowadays, can easily find AWS, secret keys, secret tokens, usernames, passwords and so on. There is a tool that automate the process of GitHub Recon such as GitHound by Tillson Galloway. Depending on the tester, some people prefer to do this manually, or automatically, some prefer to mix them.

As an example of things that are possible to find in GitHub, there is a file that contains recent copy pasted strings encoded in base64, the filename is vim_settings.xml. There is a great way to exploit this file where we are able to find the entire copy-paste history. Clone the repository and run the following code in python:

from pydriller import RepositoryMining
import re
import base64

foundSet = set()
for commit in RepositoryMining('./').traverse_commits():
  for mod in commit.modifications:
    if mod.source_code_before != None:
      regex = re.findall(r"<text encoding=\"base64\">[^>]+</text>", mod.source_code_before)
      for result in regex:
        based = str(base64.b64decode(result[len("<text encoding='base64'>"):-len("</text>")]))
        if based not in foundSet:
          foundSet.add(based + "\n")

Improving Recon with GitHub

By the usage of GitHub Dorks, there is a great way to find more results by providing the subdomains of the target. As a curious fact, there is a good chance to find configuration files from second-level subdomains.


Recon is a key base in any pentesting assestment. Depending wether is for web application or network testing. Recon will open new doors and possibilities in the attacker path.

Leave a comment