yar: OSINT tool for reconnaissance of repositories/users/organizations on Github
(Y)et (A)nother (R)obber: Sail ye seas of git for booty is to be found
Yar is a tool for plunderin’ organizations, users and/or repositories…
In all seriousness though, yar is an OSINT tool for reconnaissance of repositories/users/organizations on Github. Yar clones repositories of users/organizations given to it and goes through the whole commit history in order of commit time, in search of secrets/tokens/passwords, essentially anything that shouldn’t be there. Whenever yar finds a secret, it will print it out for you to further assess.
Yar searches either by regex, entropy or both, the choice is yours. You can think of yar as a bigger and better truffleHog, it does everything that truffleHog does and more!
Install
go get github.com/Furduhlutur/yar
Use
Want to search for secrets in an organization?
yar -o orgname
Want to search for secrets in a user’s repository?
yar -u username
Want to search for secrets in a single repository?
yar -r repolink
or if you have already cloned the repository
yar -r repopath
Want to search for secrets in an organization, for a user and a repository?
yar -o orgname -u username -r reponame
Tutorial
Copyright (C) 2019 Furduhlutur