# token-forge

A tool built out of curiosity, for research purposes only!

Inspired by GitHub's blog about tokens and secret scanning.
## Why

> The internet is a scary place.
>
> -- Abraham Lincoln
## Why not?

- GitHub tokens have a schema; the space of possible tokens is not `36^62`, rather `30^62`.
- GitHub has a lot of users and integrations, so it is generating a lot of tokens; does a birthday attack become possible?
- GitHub's API `401`s upon failed authentication; GitHub's API rate limits also rise for authenticated clients.
- GitHub has an API to check your current rate limit; this API is not rate-limited.
- Token expiration:
  - ghp: user-configurable expiration; forever tokens still supported.
  - gho: no apparent expiration (unless not used within the last year).
  - ghu: 8 hour expiration (or indefinite, depending on configuration).
  - ghs: 1 hour expiration.
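The prefixes and lifetimes listed above are exactly what a secret scanner needs to triage a leak: which family a token belongs to decides how urgent revocation is. The Go program below is an added example written for this README, not part of token-forge: it finds tokens of the four listed families in arbitrary text (log lines, diffs, config files), redacts them, and attaches the lifetime from the list above to each finding. The checksum check is my reading of GitHub's public blog post on the token format (the trailing six characters are the base62-encoded CRC32 of the thirty random characters, digits-then-upper-then-lower alphabet, zero-padded); this README does not state that layout, so treat it as an assumption to verify against the post. The sample text is constructed.

```go
package main

import (
	"fmt"
	"hash/crc32"
	"regexp"
	"strings"
)

// tokenRe matches the four token families this README lists: a three-letter
// prefix, an underscore and 36 base62 characters.
var tokenRe = regexp.MustCompile(`\bgh[pous]_[A-Za-z0-9]{36}\b`)

// lifetime restates the expiration list above, keyed by prefix, so a finding
// carries the urgency of revoking it.
var lifetime = map[string]string{
	"ghp": "user-configurable; forever tokens still supported",
	"gho": "no apparent expiration unless unused for a year",
	"ghu": "8 hours, or indefinite depending on configuration",
	"ghs": "1 hour",
}

// ASSUMPTION (not stated in this README): per GitHub's blog post on the token
// format, the trailing 6 characters are the CRC32 of the 30 random characters,
// base62 encoded with this alphabet and left-padded with '0'.
const base62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// EncodeBase62 renders n in base62, left-padded with '0' to width digits.
func EncodeBase62(n uint32, width int) string {
	buf := make([]byte, width)
	for i := width - 1; i >= 0; i-- {
		buf[i] = base62[n%62]
		n /= 62
	}
	return string(buf)
}

// ChecksumOK reports whether a token is well formed: its checksum matches its
// random part. It says nothing about whether the token is live or revoked.
func ChecksumOK(token string) bool {
	if len(token) != 40 || !tokenRe.MatchString(token) {
		return false
	}
	random, want := token[4:34], token[34:]
	return EncodeBase62(crc32.ChecksumIEEE([]byte(random)), 6) == want
}

// flipFirst changes the first character of a checksum so it cannot verify;
// used to build a guaranteed look-alike for the demonstration.
func flipFirst(sum string) string {
	if sum[0] == '0' {
		return "1" + sum[1:]
	}
	return "0" + sum[1:]
}

// Finding is one detected token in a form that is safe to log and ticket.
type Finding struct {
	Line       int
	Prefix     string
	Lifetime   string
	Redacted   string
	ChecksumOK bool
}

// Redact keeps the prefix and the last four characters: enough to match a
// finding against the owner's token list without repeating the secret.
func Redact(token string) string {
	return token[:4] + strings.Repeat("*", 32) + token[36:]
}

// Scan reports every token in text, line by line.
func Scan(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, tok := range tokenRe.FindAllString(line, -1) {
			prefix := tok[:3]
			out = append(out, Finding{
				Line:       i + 1,
				Prefix:     prefix,
				Lifetime:   lifetime[prefix],
				Redacted:   Redact(tok),
				ChecksumOK: ChecksumOK(tok),
			})
		}
	}
	return out
}

// RedactAll returns text with every token replaced by its redacted form.
func RedactAll(text string) string {
	return tokenRe.ReplaceAllStringFunc(text, Redact)
}

func main() {
	// Constructed sample: one well-formed token assembled here and one
	// look-alike whose checksum is wrong (the usual false positive).
	random := "ABCDEFGHIJKLMNOPQRSTUVWXYZabcd" // 30 characters
	sum := EncodeBase62(crc32.ChecksumIEEE([]byte(random)), 6)
	good := "ghp_" + random + sum
	bad := "ghs_" + random + flipFirst(sum)
	sample := "deploy.log: Authorization: token " + good + "\n" +
		"app.log: loaded credential " + bad + " from config\n"
	for _, f := range Scan(sample) {
		fmt.Printf("line %d: %s, lifetime %q, checksum ok=%t, %s\n",
			f.Line, f.Prefix, f.Lifetime, f.ChecksumOK, f.Redacted)
	}
	fmt.Print(RedactAll(sample))
}
```

A failed checksum does not make a match safe to ignore; it only lowers its priority below well-formed hits, since a string that fits the pattern by accident is the common false positive while a real token always verifies.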
Caveats:

- Mafs; big numbers are still big.
- Secondary rate limits exist to temporarily ban-hammer abusive entities.
  - I don't know what they are for `github.com`; values are undocumented and un-queryable.
  - They are disabled by default for GitHub Enterprise Server.
  - When enabled on GitHub Enterprise Server, the default values can be considered to be extremely high.
## Is this a bug?

Not according to GitHub. This was submitted as a bug bounty, and the response was:

> ...we are aware of the behavior you are describing and consider it to be an abuse issue and not a security vulnerability. We take abuse and spam seriously and have a dedicated team that tracks down spammy users. As a result, this is not eligible for reward under the Bug Bounty program.
## Warning

Tests for token validity are conducted against `github.com` by default. If running these tests against `github.com`, GitHub will very likely consider this interaction abuse. Proceed at your own risk!
This tool supports interacting with self-hosted GitHub Enterprise (by supplying the desired host as an argument). It is highly recommended to test against a GitHub Enterprise instance that you own or otherwise have authorization to test against.
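For whoever runs a GitHub Enterprise Server instance, where the caveats above note that secondary rate limits are off by default, the visible side of the probing this README describes is a burst of `401` responses and an unusual number of requests to the rate-limit endpoint from one client. The Go program below is an added example, not part of token-forge: it parses access-log lines and raises an alert when either count from one source IP crosses a threshold inside a sliding window. The log layout, the thresholds and the addresses (RFC 5737 documentation ranges) are constructed for the example; a real GHES access log is laid out differently, so the parsing regex would need adapting.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed access-log record.
type Event struct {
	At     time.Time
	IP     string
	Path   string
	Status int
}

// lineRe parses the constructed format used here:
//   <RFC3339 time> <client ip> "<method> <path> <proto>" <status>
// ASSUMPTION: a real GHES access log is laid out differently; adapt this.
var lineRe = regexp.MustCompile(`^(\S+) (\S+) "[A-Z]+ (\S+)[^"]*" (\d{3})`)

// ParseLog turns raw log text into events and rejects lines it cannot read,
// so a format change does not silently blind the detector.
func ParseLog(raw string) ([]Event, error) {
	var out []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("line %d: unrecognised format", n)
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		status, _ := strconv.Atoi(m[4]) // \d{3} guarantees a number
		out = append(out, Event{At: at, IP: m[2], Path: m[3], Status: status})
	}
	return out, sc.Err()
}

// Rule holds the thresholds; tune them to the instance's normal traffic.
type Rule struct {
	Window    time.Duration
	Max401    int // 401 responses to one IP within Window
	MaxProbes int // requests to /rate_limit from one IP within Window
}

// Alert is one threshold crossing for one source IP.
type Alert struct {
	IP       string
	Reason   string
	Count    int
	From, To time.Time
}

// Detect groups events by client IP and applies both rules with a sliding window.
func Detect(events []Event, r Rule) []Alert {
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	byIP := map[string][]Event{}
	var ips []string // first-seen order keeps the output deterministic
	for _, e := range events {
		if _, seen := byIP[e.IP]; !seen {
			ips = append(ips, e.IP)
		}
		byIP[e.IP] = append(byIP[e.IP], e)
	}
	var alerts []Alert
	for _, ip := range ips {
		alerts = append(alerts, slide(ip, byIP[ip], r.Window, "auth failures", r.Max401,
			func(e Event) bool { return e.Status == 401 })...)
		alerts = append(alerts, slide(ip, byIP[ip], r.Window, "rate_limit probes", r.MaxProbes,
			func(e Event) bool { return strings.HasPrefix(e.Path, "/rate_limit") })...)
	}
	return alerts
}

// slide counts events matching pred inside a trailing window and returns one
// alert the first time the count reaches limit (nil if it never does).
func slide(ip string, evs []Event, window time.Duration, reason string, limit int, pred func(Event) bool) []Alert {
	if limit <= 0 {
		return nil
	}
	var hits []time.Time
	start := 0
	for _, e := range evs {
		if !pred(e) {
			continue
		}
		hits = append(hits, e.At)
		for hits[start].Before(e.At.Add(-window)) {
			start++ // drop hits that fell out of the window
		}
		if n := len(hits) - start; n >= limit {
			return []Alert{{IP: ip, Reason: reason, Count: n, From: hits[start], To: e.At}}
		}
	}
	return nil
}

// sampleLog is constructed: one client cycling tokens against /rate_limit
// (mostly 401s) and one client behaving normally.
const sampleLog = `2024-05-01T12:00:00Z 198.51.100.2 "GET /user HTTP/1.1" 200
2024-05-01T12:00:01Z 203.0.113.7 "GET /rate_limit HTTP/1.1" 401
2024-05-01T12:00:01Z 203.0.113.7 "GET /rate_limit HTTP/1.1" 401
2024-05-01T12:00:02Z 203.0.113.7 "GET /rate_limit HTTP/1.1" 401
2024-05-01T12:00:02Z 203.0.113.7 "GET /rate_limit HTTP/1.1" 401
2024-05-01T12:00:03Z 203.0.113.7 "GET /rate_limit HTTP/1.1" 200
2024-05-01T12:00:40Z 198.51.100.2 "GET /rate_limit HTTP/1.1" 200
2024-05-01T12:09:00Z 198.51.100.2 "GET /user HTTP/1.1" 401
`

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	rule := Rule{Window: 60 * time.Second, Max401: 3, MaxProbes: 5}
	for _, a := range Detect(events, rule) {
		fmt.Printf("%s: %d %s between %s and %s\n", a.IP, a.Count, a.Reason,
			a.From.Format(time.RFC3339), a.To.Format(time.RFC3339))
	}
}
```

The two rules are deliberately independent: a valid token produces `200`s on `/rate_limit`, so a probe run that happens to hit mostly live tokens would never trip the `401` rule, but the request volume against an endpoint that normal clients rarely call still does.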
## Usage

```
Usage: token-forge <command>

A tool to 'work' with GitHub tokens.

Commands:
  version           Print version and exit.
  generate (gen)    Generate GitHub-like tokens.
  disect (dis)      Disect GitHub-like tokens.
  login             Test login with one or more tokens.
  local             Perform a local collision test.
  ip-check (ip)     Check resolved public ip address.

Flags:
  -h, --help    Show context-sensitive help.

Run "token-forge <command> --help" for more information on a command.
```

```
Usage: token-forge version

Print version and exit.

Flags:
  -h, --help    Show context-sensitive help.
```

```
Usage: token-forge generate (gen)

Generate GitHub-like tokens.

Flags:
  -h, --help    Show context-sensitive help.
      --debug   Enable debug mode

Token Params
  -b, --batch-size=1000    When testing for collisions, the number of tokens to
                           test concurrently.
  -n, --num-tokens=1       Number of tokens to test.
  -p, --prefix=STRING      Token prefix to use; if not specified, each generated
                           token will have a randomly selected prefix; only has
                           an effect when generating tokens.
```

```
Usage: token-forge disect (dis) --token=STRING --file=STRING --generated --no-auth

Disect GitHub-like tokens.

Flags:
  -h, --help    Show context-sensitive help.
      --debug   Enable debug mode

Source
  -t, --token=STRING    Token to use.
  -f, --file=STRING     Path to file with tokens.
  -g, --generated       Use one or more generated tokens.
  -x, --no-auth         Simply interact w/ the rate limit api with an
                        unauthenticated client.

Token Params
  -b, --batch-size=1000    When testing for collisions, the number of tokens to
                           test concurrently.
  -n, --num-tokens=1       Number of tokens to test.
  -p, --prefix=STRING      Token prefix to use; if not specified, each generated
                           token will have a randomly selected prefix; only has
                           an effect when generating tokens.
```

```
Usage: token-forge login --token=STRING --file=STRING --generated --no-auth

Test login with one or more tokens.

Flags:
  -h, --help           Show context-sensitive help.
      --debug          Enable debug mode
  -c, --force-check    Force a check of the logged in user so the rate limit is
                       decremented.
      --host=STRING    The GitHub Enterprise hostname to interact with; if not
                       specified, github.com is assumed.

Source
  -t, --token=STRING    Token to use.
  -f, --file=STRING     Path to file with tokens.
  -g, --generated       Use one or more generated tokens.
  -x, --no-auth         Simply interact w/ the rate limit api with an
                        unauthenticated client.

Token Params
  -b, --batch-size=1000    When testing for collisions, the number of tokens to
                           test concurrently.
  -n, --num-tokens=1       Number of tokens to test.
  -p, --prefix=STRING      Token prefix to use; if not specified, each generated
                           token will have a randomly selected prefix; only has
                           an effect when generating tokens.

Proxy Config
  --proxy=STRING    Proxy to use for outbound connections.
```

```
Usage: token-forge local

Perform a local collision test.

Flags:
  -h, --help           Show context-sensitive help.
      --debug          Enable debug mode
  -t, --num-tests=1    Number of tokens to load into the test token database.

Token Params
  -b, --batch-size=1000    When testing for collisions, the number of tokens to
                           test concurrently.
  -n, --num-tokens=1       Number of tokens to test.
  -p, --prefix=STRING      Token prefix to use; if not specified, each generated
                           token will have a randomly selected prefix; only has
                           an effect when generating tokens.
```

```
Usage: token-forge ip-check (ip)

Check resolved public ip address.

Flags:
  -h, --help    Show context-sensitive help.
      --debug   Enable debug mode

Proxy Config
  --proxy=STRING    Proxy to use for outbound connections.
```
## proxy

Breadcrumbs for a minimal local tor proxy are provided in the `./proxy` folder.

Build the proxy container:

```sh
./proxy/build.sh
```

Run the proxy container:

```sh
./proxy/run.sh
```

Extra private configurations can be placed in the `./proxy/priv.d` folder (e.g. bridges). All files in this folder will be copied into the container in a place where tor can detect them. If new files are added to this folder, or existing files are modified, the container must be rebuilt with `./proxy/build.sh` to be imported into the container image.
## Dev

This code contains a lot of hackery, but it seems to work.

### lint

Because you have to have at least some standards.

```sh
./scripts/lint.sh
```

### build

Build output for each `<platform>-<arch>` is written to the `./build` folder.

```sh
./scripts/build.sh
```

### test

```sh
./scripts/test.sh
# and
./scripts/test.sh race
```

### readme usage generation

```sh
./scripts/readme.sh
```