reewardius/aws-enumeration

AWS Enumeration

We utilize various search engines to conduct OSINT and gather information about leaked AWS Access & Secret Keys, as well as AWS S3 Bucket names that have been cached by crawlers.

AWS Cloud Services

*.s3.amazonaws.com
*.awsapps.com
https://[api-id].execute-api.[region].amazonaws.com/[stage]/

JavaScript Files

Analyzing JavaScript files for AWS access/secret key disclosure and S3 bucket names

getjs --input targets.txt --complete --output js_links.txt
nuclei -l js_links.txt -t templates/aws-access-secret-key.yaml -silent -o aws-secrets.txt

nuclei -l js_links.txt -t templates/s3-bucket-detect.yaml -silent -o aws-s3-buckets.txt

Google Dorks

The following Google dorks can be used to find information related to AWS S3:

site:s3.amazonaws.com "index of /"
inurl:s3.amazonaws.com intitle:"AWS S3 Explorer"
site:http://s3.amazonaws.com intitle:index.of.bucket ""
site:.s3.amazonaws.com "Company"
inurl:gitlab "AWS_SECRET_KEY"
inurl:pastebin "AWS_ACCESS_KEY"

GitHub Dorks

rds.amazonaws.com password
aws_access_key_id=
aws_bucket aws_key=
aws_secret=
aws_secret_access_key=
aws_secret_key=
aws_session_token=
aws_token=
bucketeer_aws_access_key_id
bucketeer_aws_secret_access_key
cache_s3_secret_key
lottie_s3_api_key
lottie_s3_secret_key
s3_access_key=
s3_access_key_id=
s3_secret_key=
sandbox_aws_access_key_id
sandbox_aws_secret_access_key
secret_key aws
aws_secretaccesskey=
secretkey aws

The process of searching manually for each keyword can be automated using github-aws-secrets-scanner as shown below:

python github-aws-secrets-scanner.py -t <github-token> -day 7 -o results.txt

grep.app

aws_access_key_id\s*=\s*['"]?AKIA[0-9A-Z]{16}['"]?
aws_secret_access_key="[A-Za-z0-9+/=]{40}"
AKIA[0-9A-Z]{16}
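
The same three patterns can be run against your own source tree or JavaScript bundles before they are published. The following is an added example, not part of this repository: a small Python scanner that applies them to text you control, redacts matches, and ignores the AWS documentation placeholder keys. The function names, the `\b` word-boundary anchors, the optional quoting around the secret, and the sample text are assumptions made for this example.

```python
import re

# The three grep.app patterns from this page. Added assumptions: \b anchors,
# optional quotes around the secret, case-insensitive variable names.
PATTERNS = {
    "access_key_assignment": re.compile(
        r"""(?i:aws_access_key_id)\s*=\s*['"]?(AKIA[0-9A-Z]{16})\b"""),
    "secret_key_assignment": re.compile(
        r"""(?i:aws_secret_access_key)\s*=\s*['"]?([A-Za-z0-9+/=]{40})(?![A-Za-z0-9+/=])"""),
    "bare_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}

# Placeholder credentials used throughout the AWS documentation; not real keys.
DOC_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE",
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

def redact(value):
    """Keep only the first and last four characters for the report."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan(text):
    """Return (line number, pattern name, redacted value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # one report per value per line, even if two patterns hit
        for kind, rx in PATTERNS.items():
            for match in rx.finditer(line):
                value = match.group(1)
                if value in seen or value in DOC_PLACEHOLDERS:
                    continue
                seen.add(value)
                findings.append((lineno, kind, redact(value)))
    return findings

# Constructed sample input; none of these values are real credentials.
SAMPLE = "\n".join([
    "[default]",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",       # docs placeholder: ignored
    'aws_access_key_id = "AKIA' + "Q" * 16 + '"',     # reported once, not twice
    "aws_secret_access_key='" + "Zz09+/" * 6 + "abcd'",
    'const k = "AKIA' + "7" * 16 + '";',              # bare key in a JS file
    "id = XAKIA" + "7" * 16 + "X",                    # embedded in a longer token
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Without the `\b` anchors, the last sample line would be reported by the bare `AKIA[0-9A-Z]{16}` pattern even though the match sits inside a longer token.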

Hugging Face

aws_secret_access_key=

Shodan Query

According to Shodan, the results displayed cover the past 30 days of monitored internet data.

html:"AWS_ACCESS_KEY_ID"
html:"AWS_SECRET_ACCESS_KEY"
html:"AWS_SESSION_TOKEN"
html:"ListBucketResult"

Censys Query

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN

Fofa Query

body="AWS_ACCESS_KEY_ID"
body="AWS_SECRET_ACCESS_KEY"
body="AWS_SESSION_TOKEN"
app="amazon-AmazonS3"
body="ListBucketResult"

Using Uncover with Nuclei

uncover -q 'html:"ListBucketResult"' -pc config.yaml -silent | httpx -silent | nuclei -id aws-object-listing -silent

uncover -q 'html:"AWS_ACCESS_KEY_ID"' -pc config.yaml -silent -o uncover.txt
nuclei -l uncover.txt -t templates/aws-access-secret-key.yaml

Detecting AWS Website

nuclei -l targets.txt -id s3-detect

Using Nuclei / Cloud-Enum / S3Scanner for S3 Bucket Enum

nuclei -id aws-s3-bucket-enum -var wordlist=fuzz.txt -rl 1 -lfa

python cloud_enum.py -k keyword -k keyword2
python cloud_enum.py -kf fuzz.txt -qs

s3scanner -bucket-file fuzz.txt -provider aws -enumerate

Grayhatwarfare

GrayhatWarfare allows users to find open AWS S3 buckets.
