AWS - S3 Unauthenticated Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

S3 Public Buckets

A bucket is considered “public” if mtumiaji yeyote anaweza kuorodhesha maudhui ya bucket, and “private” if the bucket's contents can only be listed or written by certain users.

Companies might have buckets permissions miss-configured giving access either to everything or to everyone authenticated in AWS in any account (so to anyone). Note, that even with such misconfigurations some actions might not be able to be performed as buckets might have their own access control lists (ACLs).

Learn about AWS-S3 misconfiguration here: http://flaws.cloud and http://flaws2.cloud/

Finding AWS Buckets

Different methods to find when a webpage is using AWS to storage some resources:

Enumeration & OSINT:

Using wappalyzer browser plugin
Using burp (spidering the web) or by manually navigating through the page all resources loaded will be save in the History.
Check for resources in domains like:

http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/

Check for CNAMES as resources.domain.com might have the CNAME bucket.s3.amazonaws.com
Check https://buckets.grayhatwarfare.com, a web with already discovered open buckets.
The bucket name and the bucket domain name needs to be the same.
flaws.cloud is in IP 52.92.181.107 and if you go there it redirects you to https://aws.amazon.com/s3/. Also, dig -x 52.92.181.107 gives s3-website-us-west-2.amazonaws.com.
To check it's a bucket you can also visit https://flaws.cloud.s3.amazonaws.com/.

Brute-Force

You can find buckets by brute-forcing names related to the company you are pentesting:

# Generate a wordlist to create permutations
curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >>/tmp/words-s3.txt.temp
cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt

# Generate a wordlist based on the domains and subdomains to test
## Write those domains and subdomains in subdomains.txt
cat subdomains.txt > /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt

# Create permutations based in a list with the domains and subdomains to attack
goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
## The previous tool is specialized increating permutations for subdomains, lets filter that list
### Remove lines ending with "."
cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
### Create list without TLD
cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
### Create list without dots
cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4http://phantom.s3.amazonaws.com/
### Create list without hyphens
cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5

## Generate the final wordlist
cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt

## Call s3scanner
s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt  | grep bucket_exists

Loot S3 Buckets

Given S3 open buckets, BucketLoot can automatically search for interesting information.

Find the Region

You can find all the supported regions by AWS in https://docs.aws.amazon.com/general/latest/gr/s3.html

By DNS

You can get the region of a bucket with a dig and nslookup by doing a DNS request of the discovered IP:

dig flaws.cloud
;; ANSWER SECTION:
flaws.cloud.    5    IN    A    52.218.192.11

nslookup 52.218.192.11
Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.

Check that the resolved domain have the word "website". You can access the static website going to: flaws.cloud.s3-website-us-west-2.amazonaws.com or you can access the bucket visiting: flaws.cloud.s3-us-west-2.amazonaws.com

By Trying

If you try to access a bucket, but in the domain name you specify another region (for example the bucket is in bucket.s3.amazonaws.com but you try to access bucket.s3-website-us-west-2.amazonaws.com, then you will be indicated to the correct location:

Enumerating the bucket

Ili kujaribu ufunguzi wa ndoo, mtumiaji anaweza tu kuingiza URL katika kivinjari chao cha wavuti. Ndoo ya kibinafsi itajibu na "Access Denied". Ndoo ya umma itataja vitu 1,000 vya kwanza ambavyo vimehifadhiwa.

Open to everyone:

Private:

You can also check this with the cli:

#Use --no-sign-request for check Everyones permissions
#Use --profile <PROFILE_NAME> to indicate the AWS profile(keys) that youwant to use: Check for "Any Authenticated AWS User" permissions
#--recursive if you want list recursivelyls
#Opcionally you can select the region if you now it
aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile <PROFILE_NAME>] [ --recursive] [--region us-west-2]

Ikiwa bakuli haina jina la kikoa, unapojaribu kuhesabu, weka jina la bakuli tu na si kikoa zima cha AWSs3. Mfano: s3://<BUCKETNAME>

Kiolezo cha URL ya Umma

https://{user_provided}.s3.amazonaws.com

Pata Kitambulisho cha Akaunti kutoka kwa Baki ya Umma

Inawezekana kubaini akaunti ya AWS kwa kutumia faida ya S3:ResourceAccount Key ya Masharti ya Sera. Masharti haya yanapunguza ufikiaji kulingana na baki ya S3 ambayo akaunti iko ndani (sera nyingine zinazotegemea akaunti zinapunguza kulingana na akaunti ambayo kiongozi anayehitaji yuko ndani). Na kwa sababu sera inaweza kuwa na wildcards inawezekana kupata nambari ya akaunti nambari moja kwa wakati.

Chombo hiki kinara mchakato:

# Installation
pipx install s3-account-search
pip install s3-account-search
# With a bucket
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
# With an object
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext

H technique hii pia inafanya kazi na API Gateway URLs, Lambda URLs, Data Exchange data sets na hata kupata thamani ya tags (ikiwa unajua ufunguo wa tag). Unaweza kupata maelezo zaidi katika utafiti wa asili na zana conditional-love ili kuendesha uhalifu huu.

Kuthibitisha kwamba bucket inamilikiwa na akaunti ya AWS

Kama ilivyoelezwa katika hiki kipande cha blog, ikiwa una ruhusa ya kuorodhesha bucket inawezekana kuthibitisha accountID ambayo bucket inamilikiwa kwa kutuma ombi kama:

curl -X GET "[bucketname].amazonaws.com/" \
-H "x-amz-expected-bucket-owner: [correct-account-id]"

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">...</ListBucketResult>

Ikiwa kosa ni "Access Denied" inamaanisha kuwa ID ya akaunti ilikuwa mbaya.

Kutumia Barua Pepe kama uainishaji wa akaunti ya mzizi

Kama ilivyoelezwa katika hiki kipande cha blogu, inawezekana kuangalia ikiwa anwani ya barua pepe inahusiana na akaunti yoyote ya AWS kwa kujaribu kutoa ruhusa kwa barua pepe juu ya S3 bucket kupitia ACLs. Ikiwa hii haitasababisha kosa, inamaanisha kuwa barua pepe hiyo ni mtumiaji wa mzizi wa akaunti fulani ya AWS:

s3_client.put_bucket_acl(
Bucket=bucket_name,
AccessControlPolicy={
'Grants': [
{
'Grantee': {
'EmailAddress': 'some@emailtotest.com',
'Type': 'AmazonCustomerByEmail',
},
'Permission': 'READ'
},
],
'Owner': {
'DisplayName': 'Whatever',
'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef'
}
}
)

References

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAWS - SNS Unauthenticated Enum NextAzure Pentesting

Last updated 8 days ago