GitHub / GitLab Dorking
Search public repositories and gists for strings that tie code to the target: organisation e-mail addresses, internal hostnames, JWT secrets, AWS keys, private keys.
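As an added, runnable illustration (not code from the original page or from the registry), the script below does the two halves of the technique offline: it builds the code-search dork strings one would paste into GitHub for a target organisation, and it scans fetched file contents for the secret classes the page lists. The organisation name `example-corp`, the domain `example-corp.com`, and the `.env` content are constructed; the query strings assume GitHub's current code-search qualifier syntax (`org:`, `path:`); the regexes encode the public token formats (20-character `AKIA`/`ASIA` AWS key IDs, `ghp_` + 36 characters for classic GitHub PATs, `xoxb-`/`xoxp-` Slack tokens, three base64url JWT segments), and the internal-hostname pattern is a heuristic, not an authoritative format.

```python
"""Added example: GitHub dork queries plus an offline secret scanner for the results."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass


def build_dorks(org: str, domain: str) -> list[str]:
    """Code-search strings for GitHub's search box or API.
    The qualifiers (org:, path:) are assumed to follow GitHub's current code-search syntax."""
    return [
        f'org:{org} "BEGIN RSA PRIVATE KEY"',   # committed private keys
        f'org:{org} "AKIA"',                     # AWS access key IDs
        f'"@{domain}" path:.env',                # org e-mail addresses next to env files
        f'"{domain}" "xoxb-"',                   # Slack bot tokens mentioning the org
        f'"{domain}" "eyJhbGci"',                # base64 of '{"alg"' (common JWT header start)
        f'"{domain.split(".")[0]}.internal"',    # internal hostnames
    ]


PATTERNS: dict[str, re.Pattern[str]] = {
    # AWS access key ID: 4-char prefix + 16 upper-case alphanumerics (20 chars total).
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # Classic GitHub personal access token: fixed prefix + 36 alphanumerics.
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Slack bot (xoxb-) and user (xoxp-) tokens.
    "slack_token": re.compile(r"\bxox[bp]-[0-9A-Za-z-]{10,}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Three base64url segments; header and payload are JSON objects, so both start 'eyJ'.
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    # Heuristic: hostnames on non-public suffixes (assumption, tune per target).
    "internal_host": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:internal|local|lan)\b"),
}
# AWS secret keys have no prefix, so the regex yields candidates only; entropy confirms them.
AWS_SECRET_CANDIDATE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; a random 40-char base64 secret scores well above 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text: str, org_domain: str, min_entropy: float = 3.5) -> list[Finding]:
    """Scan file contents line by line for the secret classes above
    plus e-mail addresses on the target domain."""
    patterns = dict(PATTERNS)
    patterns["org_email"] = re.compile(rf"\b[A-Za-z0-9._%+-]+@{re.escape(org_domain)}\b")
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in patterns.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, line_no, m.group(0)))
        for m in AWS_SECRET_CANDIDATE.finditer(line):
            # Placeholders such as 'xxxx...' have near-zero entropy and are dropped here.
            if shannon_entropy(m.group(1)) >= min_entropy:
                findings.append(Finding("aws_secret_access_key", line_no, m.group(1)))
    return findings


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so a report can be shared without re-leaking the secret."""
    return value[:keep] + "*" * (len(value) - keep)


# Constructed sample of a leaked .env file; every value is fake or documentation-only.
SAMPLE_ENV = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# aws_secret_access_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  (placeholder, not a secret)
SLACK_BOT_TOKEN=xoxb-000000000000-0000000000000-FAKEFAKEFAKEFAKEFAKEFAKE
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
SESSION_JWT=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmYWtlIn0.c2lnbmF0dXJl
ADMIN_EMAIL=ops@example-corp.com
DB_HOST=pg-primary.dev.example-corp.internal
-----BEGIN RSA PRIVATE KEY-----
MIIEfakefakefakefakefakefakefake
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for q in build_dorks("example-corp", "example-corp.com"):
        print("dork:", q)
    for f in scan(SAMPLE_ENV, "example-corp.com"):
        print(f"line {f.line_no:>2}  {f.kind:<22} {redact(f.value)}")
```

The entropy gate is what separates the real `AWS_SECRET_ACCESS_KEY` on line 2 from the all-`x` placeholder on line 3: both match the same candidate regex, only the first survives. Run against real search hits, the same `scan()` is the triage step that turns a page of dork results into a short list worth rotating.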
§ Where this technique fits
W-RECON-GITHUB-DORK is catalogued under the Reconnaissance tactic of the offensive-security kill-chain. It appears in 14 approved dossiers in the registry, almost always as the opening step (average position 1.1).
§ Dossiers chaining this technique
- step 1 / 7
Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
The attacker compromised a single LastPass DevOps engineer's home machine via an outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, and exfiltrated production vault data.
- step 1 / 7
Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)
Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin and get their MFA reset. Sign in, plant an attacker-controlled MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
- step 1 / 5
Insider admin panel coercion → mass account takeover (Twitter 2020)
Identify employees with access to an internal admin panel. Socially engineer or coerce one into using the panel to change target accounts' e-mail and 2FA, then take them over.
- step 1 / 7
Build-system implant → signed supply-chain backdoor (SolarWinds-class)
Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.
- step 1 / 6
Leaked GitHub PAT → org takeover → supply-chain push
A maintainer's PAT lands in a public Gist (or a Docker image layer). The token has repo + workflow scopes — push a malicious commit to a popular package, fire the auto-publish workflow.
- step 1 / 6
Slack token in CI log → DM history → vendor mailbox compromise
A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, and pivot into the corporate mailbox.
- step 1 / 5
Compromised extension auto-update → fleet compromise
Take over a popular extension's developer account (credential stuffing on the store, abandoned email domain). Push a malicious version — every existing install runs attacker code on next launch.
- step 1 / 6
Vishing → helpdesk MFA reset → account takeover
Pose as a panicked employee locked out before a meeting. Helpdesk resets MFA based on partial PII (employee ID + date of birth from LinkedIn). Attacker registers their own factor.
- step 1 / 4
SharePoint / OneDrive public link enumeration → data dump
Bing / Grayhat Warfare reveals corporate SharePoint files shared 'with anyone' — financial docs, contracts, credentials in plaintext, etc.
- step 1 / 6
Self-hosted runner takeover → persistent CI compromise
A public repo with self-hosted GitHub runners accepts external PRs. First malicious PR runs on the runner; the workflow drops a runner-hook that fires before every future job.
- step 1 / 6
Secret echoed to public build log → cloud takeover
A workflow accidentally runs `env` or `set -x` during debugging — the AWS access key is now in public CI logs and indexed by Google Cache / GitHub search.
- step 1 / 7
pull_request_target injection → secrets → cloud takeover
A GitHub Actions workflow runs on pull_request_target and checks out the PR's head SHA. The attacker's PR injects code that runs with the base repo's secrets, including a cloud deploy role.
- step 2 / 6
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- step 2 / 6
Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
§ What commonly comes next
- 01 · Valid Accounts · T1078 · Initial Access · seen 2×
- 02 · 0ktapus SMS-Phish Sweep · APT-OKTASS-0KTAPUS · Initial Access · seen 1×
- 03 · Exploit Public-Facing Application · T1190 · Initial Access · seen 1×
- 04 · GitHub Personal Access Token Leak · SAAS-GH-PAT-LEAK · Credential Access · seen 1×
- 05 · Insider Admin-Panel Coercion (Twitter 2020) · APT-INSIDER-PANEL · Initial Access · seen 1×
- 06 · Package Maintainer Takeover · SUP-PACKAGE-TAKEOVER · Initial Access · seen 1×
- 07 · Pretexting · SE-PRETEXT · Initial Access · seen 1×
- 08 · Secret Echo to Build Log · CI-SECRET-IN-LOG · Credential Access · seen 1×