AWS - S3 Unauthenticated Enum
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Public S3 Buckets
A bucket is considered "public" if any user can list the contents of the bucket, and "private" if the bucket's contents can only be listed or written by specific users.
Companies might have buckets whose permissions are misconfigured, granting access either to everyone or to any user authenticated in AWS in any account (so effectively to anyone). Note that even with such misconfigurations some actions might still not be possible, since buckets can have their own access control lists (ACLs).
Learn about AWS-S3 misconfigurations here: http://flaws.cloud and http://flaws2.cloud/
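The two misconfigurations described above show up as ACL grants to the AllUsers group (everyone) or the AuthenticatedUsers group (any AWS account). The following added example, which is not part of the HackTricks page or any of the tools it lists, classifies a bucket ACL in the dict shape boto3's get_bucket_acl() returns and reports whether anyone can list or write the bucket; the sample ACL is constructed, and the live audit_account() helper is an assumption that only runs when boto3 and credentials for your own account are available.

```python
"""Audit bucket ACLs for grants to everyone (AllUsers) or to any authenticated
AWS user (AuthenticatedUsers). Added example for this page, not a HackTricks tool."""
try:
    import boto3  # only needed for audit_account(); the classifier itself is pure Python
except ImportError:
    boto3 = None

# Predefined-group URIs that S3 uses in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Which bucket ACL permissions allow listing keys and creating/deleting objects.
LIST_PERMS = {"READ", "FULL_CONTROL"}
WRITE_PERMS = {"WRITE", "FULL_CONTROL"}


def classify_acl(acl):
    """Summarise who can list/write a bucket from a GetBucketAcl-style dict.

    Returns {"public": set(perms), "any_authenticated": set(perms),
             "anyone_can_list": bool, "anyone_can_write": bool}.
    """
    findings = {"public": set(), "any_authenticated": set()}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and email grantees are specific principals
        uri = grantee.get("URI")
        perm = grant.get("Permission")
        if uri == ALL_USERS:
            findings["public"].add(perm)
        elif uri == AUTH_USERS:
            findings["any_authenticated"].add(perm)
    exposed = findings["public"] | findings["any_authenticated"]
    findings["anyone_can_list"] = bool(exposed & LIST_PERMS)
    findings["anyone_can_write"] = bool(exposed & WRITE_PERMS)
    return findings


# Constructed sample in the shape boto3's get_bucket_acl() returns (placeholder IDs).
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"},
    ],
}


def audit_account(s3=None):
    """Return {bucket_name: classify_acl(...)} for every bucket visible to the caller.
    Requires boto3 and AWS credentials for an account you are authorised to audit."""
    if s3 is None:
        if boto3 is None:
            raise RuntimeError("boto3 is required for the live audit")
        s3 = boto3.client("s3")
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            report[name] = classify_acl(s3.get_bucket_acl(Bucket=name))
        except Exception as exc:  # e.g. AccessDenied on a bucket you cannot read the ACL of
            report[name] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    print(classify_acl(SAMPLE_ACL))
```

The sample ACL is listable by any AWS account (READ to AuthenticatedUsers) but not writable, which matches the "open to anyone but some actions still denied" situation described above; READ_ACP to AllUsers only exposes the ACL itself, not the objects.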
Finding AWS Buckets
Different ways to find out whether a web page is using AWS to store resources:
Enumeration & OSINT:
- Using the wappalyzer browser extension
- Using burp (spidering the web) or by manually navigating through the page, all the loaded resources will be saved in the History.
- Check for resources in domains like:
http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/
- Check CNAMES, because resources.domain.com might have the CNAME bucket.s3.amazonaws.com
- s3dns – A lightweight DNS server that passively identifies cloud storage buckets (S3, GCP, Azure) by analyzing DNS traffic. It detects CNAMEs, follows the resolution chain, and matches bucket patterns, offering a quiet alternative to brute-force or API-based discovery. Useful for recon tasks and OSINT pipelines.
- Check https://buckets.grayhatwarfare.com, a site with already discovered open buckets.
- The bucket name and the bucket domain name need to be the same.
- flaws.cloud is at IP 52.92.181.107 and visiting it redirects you to https://aws.amazon.com/s3/. Also, dig -x 52.92.181.107 returns s3-website-us-west-2.amazonaws.com.
- To confirm it is a bucket you can also visit https://flaws.cloud.s3.amazonaws.com/.
Brute-Force
You can find buckets by brute-forcing names related to the company you are pentesting:
- https://github.com/sa7mon/S3Scanner
- https://github.com/clario-tech/s3-inspector
- https://github.com/jordanpotti/AWSBucketDump (Contains a list of potential bucket names)
- https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets
- https://github.com/smaranchand/bucky
- https://github.com/tomdev/teh_s3_bucketeers
- https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3
- https://github.com/Eilonh/s3crets_scanner
- https://github.com/belane/CloudHunter
# Generate a wordlist to create permutations
curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >> /tmp/words-s3.txt.temp
cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt
# Generate a wordlist based on the domains and subdomains to test
## Write those domains and subdomains in subdomains.txt
cat subdomains.txt > /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt
# Create permutations based on a list with the domains and subdomains to attack
goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
## The previous tool is specialized in creating permutations for subdomains, let's filter that list
### Remove lines ending with "."
cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
### Create list without TLD
cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
### Create list without dots
cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4
### Create list with hyphens instead of dots
cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5
## Generate the final wordlist (lowercase, deduplicated, no "-." sequences)
cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt
## Call s3scanner
s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt | grep bucket_exists
Looting S3 Buckets
Given open S3 buckets, BucketLoot can automatically search for interesting information.
Get Region
You can find all the regions supported by AWS at https://docs.aws.amazon.com/general/latest/gr/s3.html
By DNS
You can get the region of a bucket with dig and nslookup by doing a DNS request of the discovered IP:
dig flaws.cloud
;; ANSWER SECTION:
flaws.cloud. 5 IN A 52.218.192.11
nslookup 52.218.192.11
Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
Check that the resolved domain contains the word "website".
You can access the static website by going to: flaws.cloud.s3-website-us-west-2.amazonaws.com
or you can access the bucket by visiting: flaws.cloud.s3-us-west-2.amazonaws.com
By Trying
If you try to access a bucket but in the domain name you specify a different region (for example the bucket is in bucket.s3.amazonaws.com but you try to access bucket.s3-website-us-west-2.amazonaws.com), the error response will tell you the correct region.
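The dig/nslookup steps above leave you with a hostname such as s3-website-us-west-2.amazonaws.com from which the region and the endpoint type have to be read off by hand. The following added example (not part of the HackTricks page) parses those S3 endpoint hostnames, extracts the region, and builds the two URLs shown above; it also accepts the newer dot-separated endpoint form (s3.eu-central-1.amazonaws.com), which goes beyond the hyphenated examples on the page. The nslookup text is a constructed sample mirroring the output above, and ptr_lookup() is an optional live reverse lookup via the standard library.

```python
"""Derive an S3 bucket's region (and whether the name is a static-website endpoint)
from the hostnames returned by dig/nslookup. Added example, not a HackTricks tool."""
import re
import socket

# Endpoint hostname shapes handled (the first three appear on this page):
#   s3-website-us-west-2.amazonaws.com        static website endpoint, region us-west-2
#   flaws.cloud.s3-us-west-2.amazonaws.com    REST endpoint for bucket "flaws.cloud"
#   bucket.s3.amazonaws.com                   global endpoint, no region in the name
#   bucket.s3.eu-central-1.amazonaws.com      newer dot-separated form (assumed shape)
_S3_HOST = re.compile(
    r"^(?:(?P<bucket>.+)\.)?s3(?P<website>-website)?"
    r"(?:[.-](?P<region>[a-z]{2}(?:-[a-z]+)+-\d))?"
    r"\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def parse_s3_hostname(host):
    """Return {"bucket", "region", "website"} or None if host is not an S3 endpoint."""
    m = _S3_HOST.match(host.strip())
    if not m:
        return None
    return {
        "bucket": m.group("bucket"),
        "region": (m.group("region") or "").lower() or None,
        "website": m.group("website") is not None,
    }


def region_from_nslookup(output):
    """Pull the PTR target out of `nslookup <ip>` text and parse it.
    Returns the parsed first S3 hostname found, else None."""
    for line in output.splitlines():
        m = re.search(r"name\s*=\s*(\S+)", line)
        if m:
            parsed = parse_s3_hostname(m.group(1))
            if parsed:
                return parsed
    return None


def s3_urls(bucket, region, website):
    """Build the website and REST endpoint URLs for a bucket once the region is known."""
    if region is None:
        return {"website": None, "rest": f"https://{bucket}.s3.amazonaws.com/"}
    return {
        "website": f"http://{bucket}.s3-website-{region}.amazonaws.com/" if website else None,
        "rest": f"https://{bucket}.s3-{region}.amazonaws.com/",
    }


def ptr_lookup(ip):
    """Live equivalent of `nslookup <ip>`; returns the PTR name or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed sample mirroring the nslookup output shown above.
SAMPLE_NSLOOKUP = """Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
"""

if __name__ == "__main__":
    info = region_from_nslookup(SAMPLE_NSLOOKUP)
    print(info)
    print(s3_urls("flaws.cloud", info["region"], info["website"]))
```

A bucket reached through the global endpoint (bucket.s3.amazonaws.com) yields no region in the name, so parse_s3_hostname() returns region None rather than guessing; in that case the "By Trying" approach below is the way to learn it.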
Enumerating the bucket
To test the openness of the bucket a user can just enter the URL in their web browser. A private bucket will respond with "Access Denied". A public bucket will list the first 1,000 objects that have been stored.
Open to everyone: the listing XML is returned. Private: an "Access Denied" error is returned.
You can also check this with the cli:
# Use --no-sign-request to check "Everyone" permissions
# Use --profile <PROFILE_NAME> to indicate the AWS profile (keys) that you want to use: check for "Any Authenticated AWS User" permissions
# --recursive if you want to list recursively
# Optionally you can select the region if you know it
aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile <PROFILE_NAME>] [--recursive] [--region us-west-2]
If the bucket doesn't have a domain name, when trying to enumerate it put only the bucket name and not the whole AWS S3 domain. Example: s3://<BUCKETNAME>
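The browser and cli checks above distinguish a listable bucket from a private one by eye. The following added example (not part of the HackTricks page) does the same classification on the raw XML that S3 returns, covering the listing, the AccessDenied and NoSuchBucket errors, the IsTruncated flag that signals more than the 1,000 keys shown, and the PermanentRedirect error from the "By Trying" section whose Endpoint element names the correct region. The three response bodies are constructed samples in the documented shape; fetch_and_classify() is a plain unauthenticated GET for checking a bucket you are responsible for.

```python
"""Classify the XML S3 returns for a bucket URL: listing (public), AccessDenied
(private), NoSuchBucket, or PermanentRedirect (wrong region). Added example for
this page, not a HackTricks tool; sample bodies are constructed."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace: '{http://s3.amazonaws.com/doc/2006-03-01/}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def classify_s3_response(body):
    """body is the raw response bytes (bytes are required so the XML
    encoding declaration is honoured). Returns a dict with a 'status' key."""
    root = ET.fromstring(body)
    kind = _local(root.tag)
    if kind == "ListBucketResult":
        result = {"status": "listable", "name": None, "keys": [], "truncated": False}
        for child in root:
            tag = _local(child.tag)
            if tag == "Name":
                result["name"] = child.text
            elif tag == "IsTruncated":
                # S3 returns at most 1000 keys per page; "true" means there are more.
                result["truncated"] = (child.text or "").strip().lower() == "true"
            elif tag == "Contents":
                for field in child:
                    if _local(field.tag) == "Key":
                        result["keys"].append(field.text)
        return result
    if kind == "Error":
        fields = {_local(c.tag): (c.text or "").strip() for c in root}
        code = fields.get("Code", "")
        status = {
            "AccessDenied": "private",
            "NoSuchBucket": "missing",
            "PermanentRedirect": "wrong_region",
        }.get(code, "error")
        return {"status": status, "code": code,
                "endpoint": fields.get("Endpoint"), "bucket": fields.get("Bucket")}
    return {"status": "unknown", "root": kind}


def fetch_and_classify(url):
    """Unauthenticated GET; S3 puts the XML error document in the body of 4xx
    responses, which urllib surfaces as HTTPError, so read it from there too."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify_s3_response(resp.read())
    except urllib.error.HTTPError as err:
        return classify_s3_response(err.read())


# Constructed samples (bytes, so the encoding declaration parses).
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys><IsTruncated>true</IsTruncated>
  <Contents><Key>index.html</Key><Size>512</Size></Contents>
  <Contents><Key>assets/logo.png</Key><Size>2048</Size></Contents>
</ListBucketResult>"""

SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>placeholder</RequestId></Error>"""

SAMPLE_REDIRECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>PermanentRedirect</Code>
<Message>The bucket you are attempting to access must be addressed using the specified endpoint.</Message>
<Endpoint>example-bucket.s3-us-west-2.amazonaws.com</Endpoint><Bucket>example-bucket</Bucket></Error>"""

if __name__ == "__main__":
    for sample in (SAMPLE_LISTING, SAMPLE_DENIED, SAMPLE_REDIRECT):
        print(classify_s3_response(sample))
```

A "private" result only means the anonymous request was denied; repeating the same request with credentials from an unrelated account (the --profile check above) is what distinguishes "Any Authenticated AWS User" access from a properly locked-down bucket.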
Public URL Template
https://{user_provided}.s3.amazonaws.com
Get Account ID from public Bucket
It's possible to determine the AWS account using the new S3:ResourceAccount Policy Condition Key.
This condition restricts access based on the account the S3 bucket belongs to (other account-based policies restrict based on the account the requesting principal belongs to).
And because the policy can contain wildcards, it's possible to find the account number one digit at a time.
This tool automates the process:
# Installation
pipx install s3-account-search
pip install s3-account-search
# With a bucket
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
# With an object
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext
This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the original research and the tool conditional-love to automate this exploitation.
Confirming that a bucket belongs to an AWS account
As explained in this blog post, if you have permissions to list a bucket it's possible to verify the accountID the bucket belongs to by sending a request like:
curl -X GET "https://[bucketname].s3.amazonaws.com/" \
-H "x-amz-expected-bucket-owner: [correct-account-id]"
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">...</ListBucketResult>
If the error is "Access Denied" it means the account ID was incorrect.
Using Emails as root account enumeration
As explained in this blog post, it's possible to check whether an email address is related to any AWS account by trying to grant the email permissions over an S3 bucket via ACLs. If this doesn't trigger an error, it means the email is a root user of some AWS account:
import boto3
from botocore.exceptions import ClientError

s3_client = boto3.client('s3')
bucket_name = 'a-bucket-you-own'  # the caller needs PutBucketAcl on this bucket

try:
    s3_client.put_bucket_acl(
        Bucket=bucket_name,
        AccessControlPolicy={
            'Grants': [
                {
                    'Grantee': {
                        'EmailAddress': 'some@emailtotest.com',
                        'Type': 'AmazonCustomerByEmail',
                    },
                    'Permission': 'READ'
                },
            ],
            # Owner must be the bucket owner's canonical user ID; the value below is a placeholder
            'Owner': {
                'DisplayName': 'Whatever',
                'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef'
            }
        }
    )
    print('no error: the email is the root user of some AWS account')
except ClientError as e:
    # S3 rejects the grant (UnresolvableGrantByEmailAddress) when no account uses that email
    print('error:', e.response['Error']['Code'])
References
- https://www.youtube.com/watch?v=8ZXRw4Ry3mQ
- https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/