• Stars
    star
    539
  • Rank 82,402 (Top 2 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 2 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

GitHub Actions Pipeline Enumeration and Attack Tool

Supported Python versions

Gato (Github Attack TOolkit)

gato

Gato, or GitHub Attack Toolkit, is an enumeration and attack tool that allows both blue teamers and offensive security practitioners to evaluate the blast radius of a compromised personal access token within a GitHub organization.

The tool also allows searching for and thoroughly enumerating public repositories that utilize self-hosted runners. GitHub recommends that self-hosted runners only be utilized for private repositories, however, there are thousands of organizations that utilize self-hosted runners.

Who is it for?

  • Security engineers who want to understand the level of access a compromised classic PAT could provide an attacker
  • Blue teams that want to build detections for self-hosted runner attacks
  • Red Teamers
  • Bug bounty hunters who want to try and prove RCE on organizations that are utilizing self-hosted runners

Features

  • GitHub Classic PAT Privilege Enumeration
  • GitHub Code Search API-based enumeration
  • GitHub Action Run Log Parsing to identify Self-Hosted Runners
  • Bulk Repo Sparse Clone Features
  • GitHub Action Workflow Parsing
  • Automated Command Execution Fork PR Creation
  • Automated Command Execution Workflow Creation
  • SOCKS5 Proxy Support
  • HTTPS Proxy Support

Getting Started

Installation

Gato supports OS X and Linux with at least Python 3.7.

In order to install the tool, simply clone the repository and use pip install. We recommend performing this within a virtual environment.

git clone https://github.com/praetorian-inc/gato
cd gato
python3 -m venv venv
source venv/bin/activate
pip install .

Gato also requires that git version 2.27 or above is installed and on the system's PATH. In order to run the fork PR attack module, sed must also be installed and present on the system's path.

Dev Branch

We maintain a development branch that contains newer Gato features that are not yet added to main. There is an increased chance you will run into bugs; however, we still run our integration test suite on the dev branch, so there should not be any blatant bugs.

If you want to use the dev branch, just check it out prior to running pip install - that's it!

If you do run into any for your specific use case, by all means open an issue!

Usage

After installing the tool, it can be launched by running gato or praetorian-gato.

We recommend viewing the parameters for the base tool using gato -h, and the parameters for each of the tool's modules by running the following:

  • gato search -h
  • gato enum -h
  • gato attack -h

The tool requires a GitHub classic PAT in order to function. To create one, log in to GitHub and go to GitHub Developer Settings and select Generate New Token and then Generate new token (classic).

After creating this token set the GH_TOKEN environment variable within your shell by running export GH_TOKEN=<YOUR_CREATED_TOKEN>. Alternatively, store the token within a secure password manager and enter it when the application prompts you.

For troubleshooting and additional details, such as installing in developer mode or running unit tests, please see the wiki.

Documentation

Please see the wiki. for detailed documentation, as well as OpSec considerations for the tool's various modules!

Bugs

If you believe you have identified a bug within the software, please open an issue containing the tool's output, along with the actions you were trying to conduct.

If you are unsure if the behavior is a bug, use the discussions section instead!

Contributing

Contributions are welcome! Please review our design methodology and coding standards before working on a new feature!

Additionally, if you are proposing significant changes to the tool, please open an issue open an issue to start a conversation about the motivation for the changes.

License

Gato is licensed under the Apache License, Version 2.0.

Copyright 2023 Praetorian Security, Inc

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

More Repositories

1

gokart

A static analysis tool for securing Go code
Go
2,176
star
2

noseyparker

Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
Rust
1,657
star
3

Hob0Rules

Password cracking rules for Hashcat based on statistics and industry patterns
1,441
star
4

pentestly

Python and Powershell internal penetration testing framework
Python
717
star
5

purple-team-attack-automation

Praetorian's public release of our Metasploit automation of MITRE ATT&CKâ„¢ TTPs
Ruby
713
star
6

PortBender

TCP Port Redirection Utility
C
668
star
7

DVRF

The Damn Vulnerable Router Firmware Project
HTML
668
star
8

fingerprintx

Standalone utility for service discovery on open ports!
Go
561
star
9

trudy

A transparent proxy that can modify and drop traffic for arbitrary TCP connections.
Go
275
star
10

pyshell

PyShell makes interacting with web-based command injection less painful, emulating the feel of an interactive shell as much as possible.
Python
253
star
11

mitm-vm

An easy-to-deploy virtual machine that can provide flexible man-in-the-middle capabilities.
Shell
195
star
12

gladius

Automated Responder/secretsdump.py cracking
Python
181
star
13

snowcat

a tool to audit the istio service mesh
Go
173
star
14

vulcan

a tool to make it easy and fast to test various forms of injection
C++
172
star
15

ADFSRelay

Proof of Concept Utilities Developed to Research NTLM Relaying Attacks Targeting ADFS
Go
171
star
16

goffloader

A Go implementation of Cobalt Strike style BOF/COFF loaders.
Go
151
star
17

trident

automated password spraying tool
Go
145
star
18

NTLMRecon

A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
Go
79
star
19

epictreasure

radare, angr, pwndbg, binjitsu, ect in a box ready for pwning
Shell
75
star
20

INTRACTABLEGIRAFFE

A Proof of Concept Rootkit Demonstrating Keylogging and Virtual File System (VFS) Capabilities
C
73
star
21

hashcatJS

An implementation of the hashcat rules engine in javascript
JavaScript
47
star
22

proxylogon-exploit

Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065. Unauthenticated RCE in Exchange.
Python
45
star
23

slack-c2bot

Slack C2bot that executes commands and returns the output.
Go
44
star
24

ruby_hashcat

Command line wrapper, Library, and Rest API for oclHashcat.
Ruby
40
star
25

dert

DNS Enumeration and Reconnaissance Tool
Ruby
37
star
26

Matryoshka

Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.
C
37
star
27

Okta_Watering_Hole

Next Generation Phishing Tool For Internal / Red Teams
Python
35
star
28

ctf-writeups

Collection of Praetorian solutions to CTF challenges
OpenEdge ABL
25
star
29

chariot-ui

Chariot Offensive Security Platform
TypeScript
21
star
30

konstellation

Konstellation is a configuration-driven CLI tool to enumerate cloud resources and store the data into Neo4j.
Cypher
19
star
31

bsidesaustin

Python
14
star
32

chariot-launch-nuclei-templates

12
star
33

burp-wcf-gzip

Burp extension for decoding WCF-gzipped requests.
Python
12
star
34

gcloud-lockdown

Scripts to demonstrate VPC Service Controls between tenant and shared projects
Shell
12
star
35

highlight

Text file to BMP image with box drawing and blurring from the command line
C
9
star
36

log4j-detector

Log4j detector and reporting server for scalable detection of vulnerable running processes.
Go
7
star
37

sonicwall-nsv-decrypter

C
6
star
38

aws-labs

Shell
5
star
39

tpm_bound_sa_key

Go
5
star
40

rpi-setup

set up rpi for zbwardrive
Python
5
star
41

zeroqlik-detect

A Nuclei template to detect ZeroQlik (CVE-2023-41265 and CVE-2023-41266)
4
star
42

product-frontend-interview

JavaScript
3
star
43

product-backend-interview

Java
1
star
44

praetorian-cli

CLI and SDK for interacting with the Praetorian Chariot platform
Python
1
star