BSides Glasgow 2018 - Paul Ritchie - Hacking with Git

Talk delivered at BSides Glasgow 2018 on the 27th of April.

Abstract - GitHub is a fantastic platform for enabling remote teams to collaborate on projects. I am researching GitHub for all kinds of applications to penetration testers.. The talk will include:-

Web Application Enumeration – finding not just the version a target is running i.e. Wordpress 4.9.2, but the specific COMMIT made to GitHub.

Exfiltration/Shells through restrictive proxies – Exfil of files up to 100MB is possible with a free GitHub account.

OSINT & Target Enumeration – Scraping public repos for passwords, AWS details etc. As well as moving a black-box into a white-box when you have the source. I will discuss options for how to do this.

Potential for Social Engineering – What can we learn about a person or an organisation based on their repositories? Can this help us target them with malware and how. Potential for lateral movement – If you compromise a developer PC what can you find that will help you?

The level of the talk should be accessible to most attendees. It will demonstrate real world threats and discuss your options as a pentester.