# Abusing AWS S3 misconfigurations

## Introduction

AWS S3 is an object storage service by Amazon that can hold any kind of file. Permissions can then be granted per object and per bucket.

More often than not, AWS S3 buckets are discovered with weak permissions on individual objects or on the entire bucket. Files and folders that should not be public are made world readable and available to anyone on the Internet for inspection.

## What are we going to cover?

This chapter covers the common attacks that can be carried out against misconfigured buckets and the data leaks that can result from them.

## Attacking S3

AWS S3 buckets (and, in general, storage units in other cloud providers as well) can be configured to be reachable over plain HTTP. Most tools that find public S3 buckets use DNS resolution combined with HTTP status codes to determine whether a bucket exists and whether it is public.

For this exercise we will use buckets belonging to Appsecco, created specifically for this training.

### AWSBucketDump

[AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) is a tool to quickly enumerate AWS S3 buckets to look for loot. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you're not afraid to quickly fill up your hard drive.

We will use the following dictionary to search for S3 buckets. This file has been updated to contain words that can aid in finding buckets created for this class.

```
/home/cloudhacker/tools/AWSBucketDump/BucketNames.txt
```

On the attacker machine open a Terminal, navigate to the `~/tools/AWSBucketDump` folder and run the following commands:

```
virtualenv -p python3 venv
source venv/bin/activate
python3 AWSBucketDump.py
```

Create a zero-byte grep file and provide it to AWSBucketDump. The tool uses this file to grep through the results; because the file is empty here, it will show everything (which is what we want).

The following command finds the buckets and also downloads their contents into local folders. Use the tool's maximum-file-size option to restrict the size of the files to be downloaded, otherwise you will run out of disk space.

```
touch s.txt
python3 AWSBucketDump.py -D -l BucketNames.txt -g s.txt
```
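To make clear what the status-code check and the empty grep file described above actually do, here is an added Python example (not part of the original page and not AWSBucketDump's own code) that runs entirely offline against constructed S3 responses. The bucket name, the XML listing and the error bodies are all constructed sample data; the classification rules follow the HTTP codes S3 returns for an anonymous `GET http://<bucket>.s3.amazonaws.com/`. It is the kind of logic you would reuse to audit your own bucket names for accidental public listing.

```python
import re
import xml.etree.ElementTree as ET

# Namespace S3 uses in ListBucketResult documents.
S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample responses (not real buckets).
SAMPLE_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-training-bucket</Name>
  <Contents><Key>backup/db-dump.sql</Key><Size>52428800</Size></Contents>
  <Contents><Key>config/settings.env</Key><Size>812</Size></Contents>
  <Contents><Key>images/logo.png</Key><Size>14322</Size></Contents>
</ListBucketResult>"""
SAMPLE_DENIED = "<Error><Code>AccessDenied</Code></Error>"
SAMPLE_MISSING = "<Error><Code>NoSuchBucket</Code></Error>"


def classify_bucket_response(status, body):
    """Map the status/body of an unauthenticated GET on the bucket URL to a state."""
    if status == 200 and "<ListBucketResult" in body:
        return "public-listing"        # anyone can list the objects
    if status == 403:
        return "exists-private"        # bucket exists; listing denied (objects may still be public one by one)
    if status == 404 and "NoSuchBucket" in body:
        return "no-such-bucket"        # name is unclaimed
    if status in (301, 307):
        return "exists-other-region"   # S3 redirects to the bucket's home region
    return "unknown"


def parse_listing(body):
    """Return (key, size_in_bytes) pairs from a ListBucketResult XML document."""
    root = ET.fromstring(body)
    entries = []
    for contents in root.findall("s3:Contents", S3_NS):
        key = contents.findtext("s3:Key", namespaces=S3_NS)
        size = int(contents.findtext("s3:Size", default="0", namespaces=S3_NS))
        entries.append((key, size))
    return entries


def select_keys(entries, grep_words, max_size):
    """Mimic the grep-file and max-size behaviour: an empty grep list matches every key,
    and objects larger than max_size bytes are skipped so downloads stay bounded."""
    patterns = [re.compile(re.escape(w), re.IGNORECASE) for w in grep_words if w.strip()]
    chosen = []
    for key, size in entries:
        if size > max_size:
            continue
        if not patterns or any(p.search(key) for p in patterns):
            chosen.append(key)
    return chosen


def audit(bucket, status, body, grep_words=(), max_size=10 * 1024 * 1024):
    """Produce a small report for one bucket from a captured (status, body) pair."""
    state = classify_bucket_response(status, body)
    report = {"bucket": bucket, "state": state, "keys": []}
    if state == "public-listing":
        report["keys"] = select_keys(parse_listing(body), list(grep_words), max_size)
    return report


if __name__ == "__main__":
    # Constructed inputs only; nothing is fetched from the network.
    for name, status, body in [
        ("example-training-bucket", 200, SAMPLE_LISTING),
        ("example-private-bucket", 403, SAMPLE_DENIED),
        ("example-unclaimed-bucket", 404, SAMPLE_MISSING),
    ]:
        print(audit(name, status, body, grep_words=[], max_size=1_000_000))
```

With an empty grep list every key under the size limit is reported, which is exactly why the zero-byte `s.txt` above makes AWSBucketDump show everything; passing words such as `.env` narrows the output to keys that match. A 403 is worth flagging in your own audits too, since a bucket that denies listing can still serve individual objects publicly.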

To see the results, open `interesting_file.txt`, which lists the discovered content.

Did you find anything interesting in the bucket(s)?

### GrayhatWarfare

[Public Buckets by GrayhatWarfare](https://buckets.grayhatwarfare.com) is a service that scavenges the Internet for public buckets and objects. The service has a search function that lets users search buckets and specific kinds of files (Word documents, Excel spreadsheets, etc.).

![](/files/Psd6GbrMhxYN5wMtEpwu)

Registered and paid users can search by specific file extensions and across an even larger database.

![](/files/xHXi7Zw4uMQsyN7wbOQR)

## Additional references

* [Digi Ninja Bucket Finder](https://digi.ninja/projects/bucket_finder.php)
* [AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump)
* [A deep dive into AWS S3 access controls](https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/)
