Cloud Pentesting

Manual Methods for Identifying S3 Buckets

Using Browser URL Inspection:

One of the simplest ways to check if a website is hosted on AWS is by entering the following in the browser URL bar:

Copy%c0

If you encounter an XML error the website is likely hosted on Amazon AWS. To verify further use browser extensions like Wappalyzer to check for AWS-related technologies.

Checking the Source Code

Inspect the website source code and search for "s3" to find any hidden S3 bucket URLs. if you found any just open and check if there bucket listing is enabled.

Google Dorking for AWS S3 Buckets

Google dorking helps uncover exposed S3 buckets. you can use the following dork to find open s3 buckets:

Copysite:s3.amazonaws.com "target.com"
site:*.s3.amazonaws.com "target.com"
site:s3-external-1.amazonaws.com "target.com"
site:s3.dualstack.us-east-1.amazonaws.com "target.com"
site:amazonaws.com inurl:s3.amazonaws.com 
site:s3.amazonaws.com intitle:"index of"  
site:s3.amazonaws.com inurl:".s3.amazonaws.com/"  
site:s3.amazonaws.com intitle:"index of" "bucket"

(site:*.s3.amazonaws.com OR site:*.s3-external-1.amazonaws.com OR site:*.s3.dualstack.us-east-1.amazonaws.com OR site:*.s3.ap-south-1.amazonaws.com) "target.com"

If bucket listing is enabled you'll be able to view the entire directory and its files. If you see an "Access Denied" message it means the bucket is private.

Automating Google Dorking with DorkEye

DorkEye automates Google dorking making reconnaissance faster by quickly extracting multiple AWS URLs for analysis.

GitHub - BullsEye0/dorks-eye: Dorks Eye Google Hacking Dork Scraping and Searching Script. Dorks…Dorks Eye Google Hacking Dork Scraping and Searching Script. Dorks Eye is a script I made in python 3. With this tool…github.com

Using S3Misconfig for Fast Bucket Enumeration

S3Misconfig scans a list of URLs for open S3 buckets with listing enabled and saves the results in a user friendly HTML format for easy review.

GitHub - Atharv834/S3BucketMisconfContribute to Atharv834/S3BucketMisconf development by creating an account on GitHub.github.com

Finding S3 Buckets with HTTPX and Nuclei

You can use the HTTPX command along with the Nuclei tool to quickly identify all S3 buckets across subdomains saving you significant time in recon.

Copyusing subfinder+HTTPX
subfinder -d target.com -all -silent | httpx-toolkit -sc -title -td | grep "Amazon S3"

Nuclei template:
subfinder -d target.com -all -silent | nuclei -t /home/coffinxp/.local/nuclei-templates/http/technologies/s3-detect.yaml

Extracting S3 URLs from JavaScript Files

Next we'll use the Katana tool to download JavaScript files from target subdomains and extract S3 URLs using the following grep command:

Copykatana -u https://site.com/ -d 5 -jc | grep '\.js$' | tee alljs.txt
cat alljs.txt | xargs -I {} curl -s {} | grep -oE 'http[s]?://[^"]*\.s3\.amazonaws\.com[^" ]*' | sort -u

GitHub - projectdiscovery/katana: A next-generation crawling and spidering framework.A next-generation crawling and spidering framework. - projectdiscovery/katanagithub.com

Using java2s3 tool to find s3 urls in js files

Alternatively you can use this powerful approach to extract all S3 URLs from JavaScript files of subdomains. First combine Subfinder and HTTPX to generate the final list of subdomains then run the java2s3 tool for extraction.

Copysubfinder -d target.com -all -silent | httpx-toolkit -o file.txt
cat file.txt | grep -oP '(?<=https?:\/\/).*'
python java2s3.py input.txt target.com output.txt
cat output3.txt | grep -E "S3 Buckets: \['[^]]+"
cat output.txt | grep -oP 'https?://[a-zA-Z0-9.-]*s3(\.dualstack)?\.ap-[a-z0-9-]+\.amazonaws\.com/[^\s"<>]+' | sort -u
cat output3.txt | grep -oP '([a-zA-Z0-9.-]+\.s3(\.dualstack)?\.[a-z0-9-]+\.amazonaws\.com)' | sort -u

after this you can use use the S3Misconfig tool to identify publicly accessible S3 buckets with listing enabled by sending all these s3 urls to the tool

GitHub - mexploit30/java2s3Contribute to mexploit30/java2s3 development by creating an account on GitHub.github.com

Brute-Forcing S3 Bucket with LazyS3

You can also use this LazyS3 tool — it's basically a brute force tool for AWS S3 buckets using different permutations. you can run the following command by specifying the target domain

Copyruby lazys3.rb <COMPANY>

GitHub - nahamsec/lazys3Contribute to nahamsec/lazys3 development by creating an account on GitHub.github.com

Using Cewl + S3Scanner to find open buckets

Next use the Cewl tool to generate a custom wordlist from the target domain. Then run S3Scanner with the list to identify valid and invalid S3 buckets. Finally use a grep command to filter valid buckets based on permissions and size and inspect their contents using the AWS CLI.

Copycewl https://site.com/ -d 3 -w file.txt

s3scanner -bucket-file file.txt -enumerate -threads 10 | grep -aE 'AllUsers: \[.*(READ|WRITE|FULL).*]'

GitHub - sa7mon/S3Scanner: Scan for misconfigured S3 buckets across S3-compatible APIs!Scan for misconfigured S3 buckets across S3-compatible APIs! - sa7mon/S3Scannergithub.com

Extracting S3 Buckets from GitHub Repositories

Use GitHub dorks to find AmazonAWS results in public repositories. Check S3 URLs for bucket listings and verify access with AWS CLI. If you discover sensitive data report it to bug bounty programs.

Copyorg:target "amazonaws"
org:target "bucket_name" 
org:target "aws_access_key"
org:target "aws_access_key_id"
org:target "aws_key"
org:target "aws_secret"
org:target "aws_secret_key"
org:target "S3_BUCKET"

Websites for Public S3 Bucket Discovery

Use these websites to search for files in public AWS buckets by keyword. Download and inspect the contents and if you find any sensitive files report them responsibly:

grayhatwarfare:

Public Buckets by GrayhatWarfareEdit descriptiongrayhatwarfare.com

osint.sh

https://osint.sh/buckets/

Finding Hidden S3 URLs with Extensions

The S3BucketList Chrome extension scans web pages for exposed S3 URLs helping researchers quickly identify misconfigured buckets without manually inspecting the source code

S3BucketList - Chrome Web StoreSearch, lists, and checks S3 Buckets found in network requestsgoogle.com

AWS S3 Bucket Listing & File Management

Easily manage AWS S3 buckets with these AWS CLI commands. These commands help security researchers, penetration testers and cloud administrators list, copy, delete and download files for efficient storage management and security assessments.

Reading Files:

Copyaws s3 ls s3://[bucketname] --no-sign-request

Copying Files:

Copyaws s3 cp file.txt s3://[bucketname] --no-sign-request

Deleting Files:

Copyaws s3 rm s3://[bucketname]/file.txt --no-sign-request

Downloading All Files:

Copyaws s3 cp s3://[bucketname]/ ./ --recursive --no-sign-request

Buckets with "Full Control" permission allow file uploads and deletions which could lead to security risks. Always follow responsible disclosure policies when reporting vulnerabilities.

PreviousPage 1 NextAPI Traning

Last updated 1 month ago

hashtagManual Methods for Identifying S3 Buckets

hashtagChecking the Source Code

hashtagGoogle Dorking for AWS S3 Buckets

hashtagAutomating Google Dorking with DorkEye

hashtagUsing S3Misconfig for Fast Bucket Enumeration

hashtagFinding S3 Buckets with HTTPX and Nuclei

hashtagExtracting S3 URLs from JavaScript Files

hashtagUsing java2s3 tool to find s3 urls in js files

hashtagBrute-Forcing S3 Bucket with LazyS3

hashtagUsing Cewl + S3Scanner to find open buckets

hashtagExtracting S3 Buckets from GitHub Repositories

hashtagWebsites for Public S3 Bucket Discovery

hashtagFinding Hidden S3 URLs with Extensions

hashtagAWS S3 Bucket Listing & File Management