Abusing AWS S3 misconfigurations

Introduction

AWS S3 is an object storage service from Amazon that can hold any kind of file. Permissions can then be granted per object and per bucket.

More often than not, AWS S3 buckets have been discovered with weak permissions on individual objects or on the entire bucket itself. Files and folders that should not be public are made world readable and available to anyone on the Internet for inspection.

What are we going to cover?

This chapter covers the common attacks that can be carried out against misconfigured buckets and the data leaks that can result from them.

Attacking S3

AWS S3 buckets (and, in general, storage units in other cloud providers as well) can all be configured to be reachable over HTTP. Most tools that find public S3 buckets use DNS resolution combined with HTTP status codes to determine whether a bucket is public or not.

For this exercise we will use buckets belonging to Appsecco, created specifically for this training.

AWSBucketDump

AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It is similar to a subdomain bruteforcer but is made specifically for S3 buckets, and it has extra features that let you grep for interesting files and download them, if you are not afraid of quickly filling up your hard drive.

We will use the following dictionary to search for S3 buckets. This file has been updated to contain words that can aid in finding buckets created for this class.

/home/cloudhacker/tools/AWSBucketDump/BucketNames.txt

On the attacker machine, open a Terminal, navigate to the ~/tools/AWSBucketDump folder and run the following commands:

virtualenv -p python3 venv
source venv/bin/activate
python3 AWSBucketDump.py

Create a zero-byte grep file and provide it to AWSBucketDump. The tool uses this file to grep through the results; since the file is empty, every result matches and everything is shown (which is what we want).

The following command finds the buckets and also downloads their contents into local folders. Use the tool's option to restrict the maximum size of the files to be downloaded, otherwise you will run out of disk space.

touch s.txt
python3 AWSBucketDump.py -D -l BucketNames.txt -g s.txt

To see the results, open interesting_file.txt, which lists the discovered content.
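The status-code check described under "Attacking S3" and the empty grep file and download size cap used above, as an added example that is not part of AWSBucketDump or this course's material. It classifies the HTTP response S3 returns for a bucket URL and triages a public listing; the XML responses and bucket name are constructed, and the pattern and size-cap parameters are assumptions of this example. Defenders can run the same logic over their own bucket names to confirm none of them return a public listing.

```python
# Added example (not part of AWSBucketDump or this course's material):
# classify the HTTP response that S3 returns for a bucket URL and triage a
# public listing. Sample responses below are constructed, not captured.
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

def classify_bucket(status, body):
    """Map one response from http://<bucket>.s3.amazonaws.com/ to a state."""
    root = ET.fromstring(body)
    tag = root.tag.replace(S3_NS, "")
    if status == 200 and tag == "ListBucketResult":
        return "public-listing"          # anonymous listing allowed: misconfigured
    code = root.findtext("Code") if tag == "Error" else None
    if status == 403 and code == "AccessDenied":
        return "private"                 # bucket exists, listing denied
    if status == 404 and code == "NoSuchBucket":
        return "nonexistent"             # name not taken
    return "unknown"

def triage_listing(body, patterns=(), max_bytes=10 * 1024 * 1024):
    """Return (key, size, would_download) for each object in a public listing.
    An empty pattern list matches every key, as the zero-byte grep file does;
    max_bytes mirrors the size cap that keeps a download run from filling disk."""
    root = ET.fromstring(body)
    out = []
    for c in root.iter(S3_NS + "Contents"):
        key = c.findtext(S3_NS + "Key")
        size = int(c.findtext(S3_NS + "Size"))
        hit = not patterns or any(p in key for p in patterns)
        out.append((key, size, hit and size <= max_bytes))
    return out

# Constructed sample responses (hypothetical bucket name and object keys).
PUBLIC = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>example-training-bucket</Name>
<Contents><Key>backup/db.sql</Key><Size>524288</Size></Contents>
<Contents><Key>logs/access.log.gz</Key><Size>20971520</Size></Contents>
</ListBucketResult>"""
DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
MISSING = "<Error><Code>NoSuchBucket</Code><Message>No such bucket</Message></Error>"

if __name__ == "__main__":
    for status, body in ((200, PUBLIC), (403, DENIED), (404, MISSING)):
        print(status, classify_bucket(status, body))
    for row in triage_listing(PUBLIC, patterns=("sql", "log")):
        print(row)
```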

Did you find anything interesting in the bucket(s)?

GrayhatWarfare

Public Buckets by GrayhatWarfare is a service that scavenges the Internet for public buckets and objects. The service has a search function that allows users to search buckets for specific kinds of files (Word documents, Excel sheets, etc.).

Registered and paid users can search for specific file extensions and across an even larger database.
