search

Tools for finding public buckets

hashtag
Introduction

Due to the common mistakes that administrators and AWS users do, a lot of buckets get exposed to the Internet. In recent years, a lot of data has been revealed through open S3 buckets ranging from employee contracts, software code base, sensitive information like network diagram to usernames and passwords etc.

There are several tools to find and dump the contents of public buckets.

hashtag
What are we going to cover?

This chapter covers some popular tools that can be used find public buckets and dump data from within if required.

hashtag
AWS Buckets

The following is a list of valid S3 bucketnames on EC2

1. https://bucketname.s3.eu-west-1.amazonaws.com/file.txt
2. https://s3-eu-west-1.amazonaws.com/bucketname/file.txt
3. https://bucketname.s3.amazonaws.com/file.txt
4. https://s3.amazonaws.com/bucketname/file.txt

hashtag
Google dorking

Google is an extremely powerful search engine that can be used to find specific resources on the Internet

For example, the following dork can be used to find S3 buckets containing excel sheets which in turn contain potential passwords

Google dorking for Buckets

Other keywords can also be used to find other information

hashtag
Practice Exercise: DigiNinja Bucket Finder

Install ruby in the cloudhacker machine

sudo apt install ruby

Follow the below command to download the tool.

wget https://aws-training-iampolicies.s3.ap-south-1.amazonaws.com/bucket_finder.rb

Bucket finder is a ruby script that was written to work with discovering buckets with a provided dictionary.

If you want to download the contents of the discovered buckets then specify -d to enable file downloads

hashtag
Additional references

PreviousTechniques for OSINT for AWSNextHostnames and Google Cloud Naming Conventions

Last updated