AWS - S3 Unauthenticated Enum
S3 Public Buckets
A bucket is considered “public” if any user can list the contents of the bucket, and “private” if the bucket's contents can only be listed or written by certain users.
Companies might have buckets permissions miss-configured giving access either to everything or to everyone authenticated in AWS in any account (so to anyone). Note, that even with such misconfigurations some actions might not be able to be performed as buckets might have their own access control lists (ACLs).
Learn about AWS-S3 misconfiguration here: http://flaws.cloud and http://flaws2.cloud/
Finding AWS Buckets
Different methods to find when a webpage is using AWS to storage some resources:
Enumeration & OSINT:
Using wappalyzer browser plugin
Using burp (spidering the web) or by manually navigating through the page all resources loaded will be save in the History.
Check for resources in domains like:
Check for CNAMES as
resources.domain.com
might have the CNAMEbucket.s3.amazonaws.com
Check https://buckets.grayhatwarfare.com, a web with already discovered open buckets.
The bucket name and the bucket domain name needs to be the same.
flaws.cloud is in IP 52.92.181.107 and if you go there it redirects you to https://aws.amazon.com/s3/. Also,
dig -x 52.92.181.107
givess3-website-us-west-2.amazonaws.com
.To check it's a bucket you can also visit https://flaws.cloud.s3.amazonaws.com/.
Brute-Force
You can find buckets by brute-forcing names related to the company you are pentesting:
https://github.com/jordanpotti/AWSBucketDump (Contains a list with potential bucket names)
Loot S3 Buckets
Given S3 open buckets, BucketLoot can automatically search for interesting information.
Find the Region
You can find all the supported regions by AWS in https://docs.aws.amazon.com/general/latest/gr/s3.html
By DNS
You can get the region of a bucket with a dig
and nslookup
by doing a DNS request of the discovered IP:
Check that the resolved domain have the word "website".
You can access the static website going to: flaws.cloud.s3-website-us-west-2.amazonaws.com
or you can access the bucket visiting: flaws.cloud.s3-us-west-2.amazonaws.com
By Trying
If you try to access a bucket, but in the domain name you specify another region (for example the bucket is in bucket.s3.amazonaws.com
but you try to access bucket.s3-website-us-west-2.amazonaws.com
, then you will be indicated to the correct location:
Enumerating the bucket
To test the openness of the bucket a user can just enter the URL in their web browser. A private bucket will respond with "Access Denied". A public bucket will list the first 1,000 objects that have been stored.
Open to everyone:
Private:
You can also check this with the cli:
If the bucket doesn't have a domain name, when trying to enumerate it, only put the bucket name and not the whole AWSs3 domain. Example: s3://<BUCKETNAME>
Public URL template
Get Account ID from public Bucket
It's possible to determine an AWS account by taking advantage of the new S3:ResourceAccount
Policy Condition Key. This condition restricts access based on the S3 bucket an account is in (other account-based policies restrict based on the account the requesting principal is in).
And because the policy can contain wildcards it's possible to find the account number just one number at a time.
This tool automates the process:
This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the original research and the tool conditional-love to automate this exploitation.
Confirming a bucket belongs to an AWS account
As explained in this blog post, if you have permissions to list a bucket it’s possible to confirm an accountID the bucket belongs to by sending a request like:
If the error is an “Access Denied” it means that the account ID was wrong.
Used Emails as root account enumeration
As explained in this blog post, it's possible to check if an email address is related to any AWS account by trying to grant an email permissions over a S3 bucket via ACLs. If this doesn't trigger an error, it means that the email is a root user of some AWS account:
References
Last updated