Introduction
Breaching TWOCAPITALS

BAWS 01 – Enumerating S3 Buckets

AWS Unauthenticated Enumeration

AWS (Amazon Web Services) enumeration is the process of identifying and locating AWS resources and endpoints within a given AWS environment or from outside of the environment (unauthenticated). This is an essential process for both legitimate administrative tasks and potentially malicious ones (such as penetration testing or hacking). Proper permission settings and security measures can prevent unauthorised enumeration.

OSINT

Use Google Dorks to find leaked AWS secrets in search engines such as Google:

<Target_Company> “AWS_ACCESS_KEY_ID” OR “AWS_ACCESS_SECRET_KEY”
<Target_Company> “AWS_ACCESS_KEY_ID” OR “AWS_ACCESS_SECRET_KEY” filetype:txt

Leverage the same technique to discover target AWS infrastructure cached by Google’s crawler:

site:http://amazonaws.com inurl:".s3.amazonaws.com/" "<Target_Company>”
site:.s3.amazonaws.com "Company" <Target_Company>
Intitle:index.of.bucket <Target_Company>

Use third party platforms that index S3 buckets and files hosted on them. Depending on the permission configuration S3 buckets can be left indexable, public and leak data.

GrayHatWarfare is a great tool to automate the OSINT process, register and leverage it to find Public S3 buckets at buckets.grayhatwarfare.com/buckets.

A screenshot of GrayHatWarfare

S3 Bucket Enumeration

Amazon S3 (Simple Storage Service) is a scalable storage service offered by Amazon Web Services (AWS). It is designed to make web-scale computing easier by providing secure, durable, and highly-scalable object storage. S3 allows you to store and retrieve any amount of data at any time, from anywhere on the web.

S3 URL Structure:

http://[bucketname].s3-website-[region].amazonaws.com/

Guess Naming Convention: Bucket Naming Conventions are often guessable. If you know an organisation’s main domain name or naming convention, you can guess the names of potential S3 buckets. It’s a common practice to use predictable naming patterns upon setting a new IT infrastructure it.twocapital.com, backup.twocapital.com, etc.

You can manually check the existence of a S3 bucket using the AWS CLI:

aws s3 ls s3://insert-bucket-name-example

The following error message is return when the S3 bucket does not exist:

Use automated tools such as cloud_enum and BucketFinder. An example command that searches for S3 buckets against containing the word “samplekeyword” in the Bucket’s name:

cloud_enum -k samplekeyword -t 10

Additional Tools

lesson-new Content
0% Complete 0/2 Steps