Pentest Book
Cloud Info Gathering
# Azure IP Ranges
https://azurerange.azurewebsites.net/

# AWS IP Range
https://ip-ranges.amazonaws.com/ip-ranges.json
- Get creation date
jq .createDate < ip-ranges.json
- Get info for specific region
jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json
- Get all IPs
jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json

# Online services
https://viewdns.info/
https://securitytrails.com/
https://www.shodan.io/search?query=net%3A%2234.227.211.0%2F24%22
https://censys.io/ipv4?q=s3

# Google Dorks
site:*.amazonaws.com -www "compute"
site:*.amazonaws.com -www "compute" "ap-south-1"
site:pastebin.com "rds.amazonaws.com" "u " pass OR password
https://storage.googleapis.com/COMPANY

# Check certificate transparency logs
https://crt.sh
%.netfilx.com

# Find Cloud Services
python3 cloud_enum.py -k keyword
python3 CloudScraper.py -u https://example.com

# AWS Buckets
# Dork
site:*.s3.amazonaws.com ext:xls | ext:xlsx | ext:csv password|passwd|pass user|username|uid|email

# AWS discovering, stealing keys and endpoints
# Nimbostratus - check against actual profile
https://github.com/andresriancho/nimbostratus
python nimbostratus dump-credentials

# ScoutSuite - audit AWS, GCP and Azure clouds
scout --provider aws --profile stolen

# Prowler - AWS security assessment, auditing and hardening
https://github.com/toniblyx/prowler
Last modified 1yr ago