Identifying Public Resources
Methodology
Public storage resources (S3 buckets, Azure storage accounts and blob containers, GCP buckets) are usually named after the organisation or product, so predictable naming makes brute forcing them possible.
Cloud Enum Tool -
# Github repo
https://github.com/initstring/cloud_enum
# Running the tool
./cloud_enum.py -k somecompany -k somecompany.io -k blockchaindoohickey
Resources with non-obvious names will not be found by a keyword-based sweep, so an empty result shows only that the wordlist missed, not that nothing is public.
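The two halves of a keyword sweep, as an added example that is not code from the original page or from the cloud_enum project: deriving candidate resource names from a keyword, and interpreting the HTTP status of an unauthenticated probe. The mutation list is a constructed stand-in for a real wordlist, and the URL format and status mapping are assumptions based on S3's virtual-hosted-style bucket endpoint.

```python
# Added example, not code from the original page or from the cloud_enum project.
# The mutation list is a constructed stand-in for a real wordlist; the URL format and
# the status mapping assume S3's virtual-hosted-style endpoint behaviour.
import re
import urllib.error
import urllib.request
from itertools import product

# Constructed mutation list; real tools ship wordlists with hundreds of entries.
MUTATIONS = ["backup", "dev", "prod", "logs", "data", "static", "uploads"]
SEPARATORS = ["", "-", "."]


def normalize(keyword: str) -> str:
    """Lower-case the keyword and drop characters an S3 bucket name cannot contain."""
    return re.sub(r"[^a-z0-9.-]", "", keyword.lower())


def generate_candidates(keywords, mutations=MUTATIONS, separators=SEPARATORS):
    """Return unique candidate names in generation order: the keyword itself plus
    keyword/mutation pairs joined by each separator in both orders, keeping only
    names of 3 to 63 characters (the S3 length rule)."""
    ordered, seen = [], set()
    for kw in keywords:
        base = normalize(kw)
        if not base:
            continue
        names = [base]
        for m, sep in product(mutations, separators):
            names.append(f"{base}{sep}{m}")
            names.append(f"{m}{sep}{base}")
        for n in names:
            if 3 <= len(n) <= 63 and n not in seen:
                seen.add(n)
                ordered.append(n)
    return ordered


def s3_url(name: str) -> str:
    """Virtual-hosted-style S3 URL for a bucket name (assumed endpoint format)."""
    return f"https://{name}.s3.amazonaws.com/"


def classify_s3_status(status: int) -> str:
    """Interpret an unauthenticated GET on the bucket root. Assumed mapping from S3
    behaviour: 200 = listing is open, 403 = bucket exists but is private,
    404 = no such bucket; anything else needs a manual look."""
    return {200: "open-listing", 403: "exists-protected", 404: "not-found"}.get(status, "unknown")


def probe(name: str, timeout: float = 5.0) -> str:
    """Live check (network required; not exercised offline). Returns the classification."""
    try:
        with urllib.request.urlopen(s3_url(name), timeout=timeout) as resp:
            return classify_s3_status(resp.status)
    except urllib.error.HTTPError as e:
        return classify_s3_status(e.code)
    except urllib.error.URLError:
        return "unreachable"


if __name__ == "__main__":
    for name in generate_candidates(["somecompany", "somecompany.io"]):
        print(s3_url(name))
```

The point of keeping `classify_s3_status` separate from `probe` is that a 403 is a finding: the bucket name is taken, which confirms the naming pattern even when the contents are not readable.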
Once valid AWS credentials are configured, use the AWS CLI to enumerate internet-facing resources in every region; the loops below read region names from regions.txt, one per line.
More commands for listing public resources are in the CloudPentestCheatsheets repo: https://github.com/dafthack/CloudPentestCheatsheets
List all EC2 public IPs
# Build regions.txt from the API rather than by hand so no region is missed
aws ec2 describe-regions --query 'Regions[].RegionName' --output text | tr '\t' '\n' > regions.txt
# --output json is set explicitly so jq works even if the profile defaults to text or table
while read r; do
aws ec2 describe-instances --query 'Reservations[].Instances[].PublicIpAddress' --region "$r" --output json | jq -r '.[]' >> ec2-public-ips.txt
done < regions.txt
sort -u ec2-public-ips.txt -o ec2-public-ips.txt
List all ELB public DNS names
# elbv2 covers Application and Network load balancers, elb covers Classic ones.
# Filter on Scheme: internal load balancers also have DNS names, but they resolve to private IPs.
while read r; do
aws elbv2 describe-load-balancers --query "LoadBalancers[?Scheme=='internet-facing'].DNSName" --region "$r" --output json | jq -r '.[]' >> elb-public-dns.txt
aws elb describe-load-balancers --query "LoadBalancerDescriptions[?Scheme=='internet-facing'].DNSName" --region "$r" --output json | jq -r '.[]' >> elb-public-dns.txt
done < regions.txt
sort -u elb-public-dns.txt -o elb-public-dns.txt
List all RDS public endpoints
# PubliclyAccessible means the endpoint resolves to a public IP; reachability still depends on the security group.
# Aurora cluster endpoints are not returned by describe-db-instances, so query clusters as well.
while read r; do
aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`].Endpoint.Address' --region "$r" --output json | jq -r '.[]' >> rds-public-dns.txt
aws rds describe-db-clusters --query 'DBClusters[].Endpoint' --region "$r" --output json | jq -r '.[]' >> rds-public-dns.txt
done < regions.txt
sort -u rds-public-dns.txt -o rds-public-dns.txt
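The selection the per-region loops above perform, consolidated in one place as an added example that is not code from the original page or from any AWS tooling. It makes the filters that separate "has an address" from "is actually public" explicit: an EC2 instance with a PublicIpAddress, a load balancer whose Scheme is internet-facing, and an RDS instance with PubliclyAccessible set. The responses are constructed samples trimmed to the fields used; the field names are the real describe-* response fields, and the region names and hostnames are made up.

```python
# Added example, not code from the original page or from any AWS tooling. The
# responses below are constructed samples standing in for `aws ... --region <r>
# --output json`; only the fields the selection logic reads are included.
import json

SAMPLE_REGIONS = {
    "us-east-1": {
        "ec2": json.loads("""{"Reservations":[{"Instances":[
            {"InstanceId":"i-0a1b2c3d","State":{"Name":"running"},
             "PrivateIpAddress":"10.0.1.10","PublicIpAddress":"203.0.113.10"},
            {"InstanceId":"i-0e4f5a6b","State":{"Name":"running"},
             "PrivateIpAddress":"10.0.1.11"}]}]}"""),
        "elbv2": json.loads("""{"LoadBalancers":[
            {"DNSName":"app-123456.us-east-1.elb.amazonaws.com","Scheme":"internet-facing","Type":"application"},
            {"DNSName":"internal-api-654321.us-east-1.elb.amazonaws.com","Scheme":"internal","Type":"network"}]}"""),
        "elb": json.loads("""{"LoadBalancerDescriptions":[]}"""),
        "rds": json.loads("""{"DBInstances":[
            {"DBInstanceIdentifier":"prod-db","PubliclyAccessible":true,
             "Endpoint":{"Address":"prod-db.abcdefg.us-east-1.rds.amazonaws.com","Port":5432}},
            {"DBInstanceIdentifier":"internal-db","PubliclyAccessible":false,
             "Endpoint":{"Address":"internal-db.abcdefg.us-east-1.rds.amazonaws.com","Port":5432}}]}"""),
    },
    "us-west-2": {
        "ec2": json.loads("""{"Reservations":[]}"""),
        "elbv2": json.loads("""{"LoadBalancers":[]}"""),
        "elb": json.loads("""{"LoadBalancerDescriptions":[
            {"DNSName":"classic-lb-7890.us-west-2.elb.amazonaws.com","Scheme":"internet-facing"}]}"""),
        # An instance still being created has no Endpoint yet; it must not crash the sweep.
        "rds": json.loads("""{"DBInstances":[
            {"DBInstanceIdentifier":"new-db","PubliclyAccessible":true}]}"""),
    },
}


def ec2_public_ips(resp):
    """Same selection as Reservations[].Instances[].PublicIpAddress; instances without one are skipped."""
    return [i["PublicIpAddress"] for r in resp.get("Reservations", [])
            for i in r.get("Instances", []) if i.get("PublicIpAddress")]


def elbv2_public_dns(resp):
    """ALB/NLB DNS names, internet-facing only (internal ones resolve to private IPs)."""
    return [lb["DNSName"] for lb in resp.get("LoadBalancers", [])
            if lb.get("Scheme") == "internet-facing"]


def elb_public_dns(resp):
    """Classic ELB DNS names, internet-facing only."""
    return [lb["DNSName"] for lb in resp.get("LoadBalancerDescriptions", [])
            if lb.get("Scheme") == "internet-facing"]


def rds_public_endpoints(resp):
    """Endpoints of instances flagged PubliclyAccessible. The flag means the endpoint
    resolves to a public IP, not that the security group lets you connect."""
    return [db["Endpoint"]["Address"] for db in resp.get("DBInstances", [])
            if db.get("PubliclyAccessible") and db.get("Endpoint")]


def collect_public_endpoints(regions):
    """Equivalent of the per-region loops followed by sort -u across all services."""
    found = set()
    for svc in regions.values():
        found.update(ec2_public_ips(svc.get("ec2", {})))
        found.update(elbv2_public_dns(svc.get("elbv2", {})))
        found.update(elb_public_dns(svc.get("elb", {})))
        found.update(rds_public_endpoints(svc.get("rds", {})))
    return sorted(found)


if __name__ == "__main__":
    print("\n".join(collect_public_endpoints(SAMPLE_REGIONS)))
```

To run it against real output, replace the constructed dicts with `json.load()` of the files each `aws ... --output json` call produced; the selection logic stays the same.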