AWS Cloud Penetration Testing - Enumeration and Discovery


I recently conducted a penetration test for an AWS environment and learned a few new tricks for cloud penetration testing. AWS resources such as S3 buckets often inadvertently expose sensitive information, so the external enumeration phase is very important.

The scope of the assessment included a few S3 buckets, database servers and a few web servers, but I started the enumeration process with very little information, just as a real threat actor would. I conducted reconnaissance knowing only the application name and the organization name. Here are all the tools and resources that I used for the enumeration phase:

cloud_enum.py

cloud_enum.py tries common cloud subdomains and permutations of the keywords you provide to identify potential cloud assets. It is essentially sublist3r.py but with cloud keywords. Keep in mind that this tool will return a lot of resources that belong to organizations other than your client, so it is essential to present the output to the client for scope confirmation before testing anything (you don't want to be pentesting someone else's cloud assets!).

GitHub - initstring/cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.

Grayhat Warfare

This site indexes publicly exposed S3 buckets and lets you search them by keyword. You can get some good information with just the free tier.

Public Buckets by GrayhatWarfare

S3Sec Tool

GitHub - 0xmoot/s3sec: Check AWS S3 instances for read/write/delete access

S3Scanner

GitHub - sa7mon/S3Scanner: Scan for open S3 buckets and dump the contents

Amass (or some other subdomain discovery tool)

GitHub - OWASP/Amass: In-depth Attack Surface Mapping and Asset Discovery

Censys.io

Censys Search: Censys helps organizations, individuals, and researchers find and monitor every server on the Internet to reduce exposure and improve security.

Censys.io is very similar to Shodan in how it indexes public IPs across the internet. However, Censys.io has a few features that Shodan does not. In particular, it can pivot on shared TLS certificates to identify additional resources that belong to the same organization. This is helpful when enumerating cloud resources and when helping clients take inventory of their attack surface.

Manual Web Browsing

Don't get too caught up in the tooling. Sometimes you can learn a lot and find some exposed data just by manually browsing to the buckets or resources in question. For a closed S3 bucket you should expect an XML error response with the code AccessDenied; a bucket that allows anonymous listing instead returns an XML ListBucketResult document enumerating its keys.
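As an added example (not from the original post), here is a small Python classifier for the three XML shapes an unauthenticated GET on a bucket URL returns, so that a list of in-scope bucket responses can be triaged consistently instead of eyeballed. The sample responses are constructed for this example, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample bodies (not real captures) in the shapes S3 returns
# for an anonymous GET on https://<bucket>.s3.amazonaws.com/ :
#   200 + ListBucketResult  -> anonymous listing is allowed (finding)
#   403 + Error/AccessDenied -> bucket exists but is closed to anonymous users
#   404 + Error/NoSuchBucket -> name is unregistered (candidate for takeover review)
SAMPLE_RESPONSES = {
    "public-listing": (200, """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-assets</Name>
  <Contents><Key>backup.sql</Key><Size>1024</Size></Contents>
  <Contents><Key>index.html</Key><Size>512</Size></Contents>
</ListBucketResult>"""),
    "closed": (403, """<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
<RequestId>EXAMPLEREQUESTID</RequestId></Error>"""),
    "missing": (404, """<Error><Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message><BucketName>nope</BucketName></Error>"""),
}

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"  # ListBucketResult is namespaced; Error is not


def classify_s3_response(status, body):
    """Return (state, detail) for one bucket response.

    state is 'public-listing' (detail = list of keys), 'closed' or 'missing'
    (detail = S3 error code), or 'unknown' (detail = what was seen)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown", f"non-XML body (HTTP {status})"
    tag = root.tag.replace(S3_NS, "")
    if tag == "ListBucketResult":
        keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
        return "public-listing", keys
    if tag == "Error":
        code = root.findtext("Code")
        if code == "AccessDenied":
            return "closed", code
        if code == "NoSuchBucket":
            return "missing", code
        return "unknown", code
    return "unknown", tag


def triage(responses):
    """Map bucket name -> state; only 'public-listing' entries are findings."""
    return {name: classify_s3_response(status, body)[0]
            for name, (status, body) in responses.items()}
```

Feed it the HTTP status and body of each bucket the client has confirmed as in scope; anything classified as public-listing is an exposure to report, and missing names are worth a second look because an unregistered bucket name referenced by the client's sites can be claimed by anyone.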

Stay tuned for a future post about cloud privilege escalation attempts.