AWS - S3 Unauthenticated Enum

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

S3 Public Buckets

A bucket is considered “public” if any user can list the contents of the bucket, and “private” if the bucket’s contents can only be listed or written by certain users.

Companies might have bucket permissions misconfigured, giving access either to everyone or to every authenticated AWS user from any account (which is effectively anyone). Note that even with such misconfigurations some actions might still be impossible, because buckets can have their own access control lists (ACLs) that limit what each grantee may do.
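The two exposure levels above (everyone vs. any authenticated AWS account) show up as group grants in a bucket's ACL. The following is an added example, not code from the original page: it classifies the JSON returned by `aws s3api get-bucket-acl` using the two real AWS global group URIs, and the sample ACL is constructed for the example.

```python
# Added example: classify bucket exposure from its ACL (get-bucket-acl output).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # everyone, unauthenticated
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account


def can_list(permissions):
    """On a bucket ACL, READ allows listing objects; FULL_CONTROL includes READ."""
    return any(p in ("READ", "FULL_CONTROL") for p in permissions)


def classify_acl(acl):
    """Return (level, permissions).

    level is 'public' (AllUsers holds a grant), 'any-aws-account'
    (AuthenticatedUsers holds a grant, effectively public since anyone can
    create an AWS account) or 'private' (only named grantees).
    """
    exposure = {"public": set(), "any-aws-account": set()}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are specific principals
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            exposure["public"].add(grant["Permission"])
        elif uri == AUTH_USERS:
            exposure["any-aws-account"].add(grant["Permission"])
    for level in ("public", "any-aws-account"):  # report the widest exposure first
        if exposure[level]:
            return level, sorted(exposure[level])
    return "private", []


# Constructed sample, shaped like `aws s3api get-bucket-acl` output.
SAMPLE_ACL = {
    "Owner": {"ID": "<owner-canonical-id>"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "<owner-canonical-id>"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    level, perms = classify_acl(SAMPLE_ACL)
    print(level, perms, "listable" if can_list(perms) else "not listable")
```

This only covers the ACL: bucket policies and the account/bucket Block Public Access settings are evaluated separately, and on buckets with ACLs disabled (ObjectOwnership set to BucketOwnerEnforced) the ACL carries no grants beyond the owner.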

Learn about AWS-S3 misconfiguration here: http://flaws.cloud and http://flaws2.cloud/

Finding AWS Buckets

Different methods to detect that a web page is using AWS S3 to store some of its resources:

Enumeration & OSINT:

  • Using wappalyzer browser plugin
  • Using burp (spidering the web) or by manually navigating through the page; all resources loaded will be saved in the History.
  • Check for resources in domains like:
http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/
  • Check for CNAMEs, as resources.domain.com might have the CNAME bucket.s3.amazonaws.com
  • s3dns – A lightweight DNS server that passively identifies cloud storage buckets (S3, GCP, Azure) by analyzing DNS traffic. It detects CNAMEs, follows resolution chains, and matches bucket patterns, offering a quiet alternative to brute-force or API-based discovery. Perfect for recon and OSINT workflows.
  • Check https://buckets.grayhatwarfare.com, a web with already discovered open buckets.
  • The bucket name and the bucket domain name need to be the same.
  • flaws.cloud resolves to IP 52.92.181.107, and if you browse to that IP it redirects you to https://aws.amazon.com/s3/. Also, dig -x 52.92.181.107 returns s3-website-us-west-2.amazonaws.com.
  • To check that it is a bucket you can also visit https://flaws.cloud.s3.amazonaws.com/.

Brute-Force

You can find buckets by brute-forcing names related to the company you are pentesting:

# Generate a wordlist to create permutations
curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >>/tmp/words-s3.txt.temp
cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt

# Generate a wordlist based on the domains and subdomains to test
## Write those domains and subdomains in subdomains.txt
cat subdomains.txt > /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt

# Create permutations based in a list with the domains and subdomains to attack
goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
## The previous tool is specialized in creating permutations for subdomains, so let's filter that list
### Remove lines ending with "."
cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
### Create list without TLD
cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
### Create list without dots
cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4
### Create list with dots replaced by hyphens
cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5

## Generate the final wordlist
cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt

## Call s3scanner
s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt  | grep bucket_exists

Loot S3 Buckets

Given S3 open buckets, BucketLoot can automatically search for interesting information.

Find the Region

You can find all the regions supported by AWS at https://docs.aws.amazon.com/general/latest/gr/s3.html

By DNS

You can get the region of a bucket with dig and nslookup by doing a reverse DNS request for the discovered IP:

dig flaws.cloud
;; ANSWER SECTION:
flaws.cloud.    5    IN    A    52.218.192.11

nslookup 52.218.192.11
Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.

Check that the resolved domain has the word “website”.
You can access the static site at: flaws.cloud.s3-website-us-west-2.amazonaws.com
or access the bucket at: flaws.cloud.s3-us-west-2.amazonaws.com
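The dig/nslookup steps above can be scripted. The following is an added example, not code from the original page: it parses the region and the website/non-website flavour out of an S3 PTR name (the `s3-website-<region>`, `s3-<region>` and `s3.<region>` forms) and builds the two endpoint hostnames shown above; the PTR value is taken from the nslookup output on this page and `region_for_host` needs network access.

```python
# Added example: derive a bucket's region from the reverse DNS name of its IP.
import re
import socket

# Matches s3-website-<region>, s3-<region> and s3.<region> under amazonaws.com,
# with an optional trailing dot as printed by nslookup/dig.
PTR_RE = re.compile(
    r"^s3(?P<website>-website)?[-.]"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d+)\.amazonaws\.com\.?$"
)


def region_from_ptr(ptr_name):
    """Return (region, is_website_endpoint); (None, False) if not an S3 PTR name."""
    match = PTR_RE.match(ptr_name.strip().lower())
    if not match:
        return None, False
    return match.group("region"), match.group("website") is not None


def bucket_endpoints(bucket, region):
    """The static-website and plain bucket hostnames for a bucket in a region."""
    return {
        "website": f"{bucket}.s3-website-{region}.amazonaws.com",
        "bucket": f"{bucket}.s3-{region}.amazonaws.com",
    }


def region_for_host(host):
    """Resolve host -> IP -> PTR and parse it (performs real DNS lookups)."""
    ip = socket.gethostbyname(host)
    ptr = socket.gethostbyaddr(ip)[0]
    return ip, ptr, region_from_ptr(ptr)


if __name__ == "__main__":
    # PTR value as returned by the nslookup on this page.
    region, website = region_from_ptr("s3-website-us-west-2.amazonaws.com.")
    print(region, website, bucket_endpoints("flaws.cloud", region))
```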

By Trying

If you try to access a bucket but specify a different region in the domain name (for example, the bucket is in bucket.s3.amazonaws.com but you try to access bucket.s3-website-us-west-2.amazonaws.com), you will be shown the correct location:

Listing the Bucket

To test the openness of a bucket, a user can enter its URL in a web browser. A private bucket responds with “Access Denied”. A public bucket lists the first 1,000 stored objects.

Public:

Private:

You can also check this with the cli:

# Use --no-sign-request to check the permissions granted to Everyone (unauthenticated)
# Use --profile <PROFILE_NAME> to indicate the AWS profile (keys) you want to use: check for "Any Authenticated AWS User" permissions
# Use --recursive if you want to list recursively
# Optionally you can select the region if you know it
aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile <PROFILE_NAME>] [--recursive] [--region us-west-2]

If the bucket doesn't have a domain name, when trying to enumerate it put only the bucket name and not the whole AWS S3 domain. Example: s3://<BUCKETNAME>

General URL template

https://{user_provided}.s3.amazonaws.com

Getting the Account ID from a public Bucket

It's possible to determine an AWS account by taking advantage of the new S3:ResourceAccount Policy Condition Key. This condition restricts access based on the S3 bucket (whereas other account-based policies restrict based on the account the requesting principal is in).
And because the policy can contain wildcards, it's possible to find the account number one digit at a time.

This tool automates the process:

# Installation
pipx install s3-account-search
pip install s3-account-search
# With a bucket
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
# With an object
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext

This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the original research and the tool conditional-love to automate this exploitation.

Confirming a bucket belongs to an AWS account

As explained in this blog post, if you have permission to list a bucket you can confirm the account ID the bucket belongs to by sending a request like the following:

# the header makes S3 refuse the request unless the bucket is owned by the given account ID
curl -X GET "https://[bucketname].s3.amazonaws.com/" \
-H "x-amz-expected-bucket-owner: [correct-account-id]"

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">...</ListBucketResult>

If the error is “Access Denied”, it means that the account ID is wrong.

Email addresses used for root account enumeration

As explained in this blog post, it's possible to check whether an email address is related to any AWS account by trying to grant permissions to that email address over an S3 bucket via ACLs. If this doesn't trigger an error, it means that the email is the root user of some AWS account:

import boto3
from botocore.exceptions import ClientError

s3_client = boto3.client("s3")
# A bucket you own; grants by email address are only supported by S3 in some regions (e.g. us-east-1)
bucket_name = "my-test-bucket"

try:
    s3_client.put_bucket_acl(
        Bucket=bucket_name,
        AccessControlPolicy={
            'Grants': [
                {
                    'Grantee': {
                        'EmailAddress': 'some@emailtotest.com',  # email address to test
                        'Type': 'AmazonCustomerByEmail',
                    },
                    'Permission': 'READ'
                },
            ],
            'Owner': {
                'DisplayName': 'Whatever',
                # canonical user ID of the bucket owner (placeholder value, replace with yours)
                'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef'
            }
        }
    )
    print("No error: the email is the root user of some AWS account")
except ClientError as e:
    # an email not linked to any AWS account cannot be resolved to a grantee and fails
    print("Error:", e.response["Error"]["Code"])
