Token Exploiter is a tool designed to analyze GitHub Personal Access Tokens. It provides a comprehensive overview of the permissions and data accessible with a given token, making it useful for security audits and penetration testing.
- Analyze GitHub Personal Access Tokens
- Display user information, repositories, organizations, gists, SSH keys, GPG keys, emails, followers, following, and webhooks
- Export all gathered information to a well-formatted PDF
- Web-based interface with real-time progress updates
- Copy functionality for repository clone commands
- Download functionality for SSH and GPG keys
- Visual representation of token permissions in a tree structure
- Rate limit handling and user notifications
-
Clone the repository:
git clone https://github.com/psyray/token-exploiter.git cd token-exploiter -
Install the package:
pipx install .
-
Run the Token Exploiter:
token-exploiter -
Open the provided URL in your web browser.
-
Enter a GitHub Personal Access Token and click "Analyze".
-
View the results and use the "Export PDF" button to download a comprehensive report.
- Debug mode:
token-exploiter -d - Custom host and port:
token-exploiter -l IP:PORT
- This tool is intended for authorized security testing and auditing purposes only. Always ensure you have permission to analyze tokens and respect GitHub's terms of service and API usage limits.
- SSH and GPG keys are sensitive information. Handle downloaded keys with caution.
- The tool sanitizes key data before download to remove potentially harmful characters.
The PDF export now includes:
- A dedicated page for Token Permissions and Quick Stats
- A visual tree structure for permissions
- Truncated versions of SSH and GPG keys for privacy
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the GNU GPL 3 License - see the LICENSE file for details.