diff --git a/network-services-pentesting/pentesting-web/buckets/README.md b/network-services-pentesting/pentesting-web/buckets/README.md index 914676799..5535f0f94 100644 --- a/network-services-pentesting/pentesting-web/buckets/README.md +++ b/network-services-pentesting/pentesting-web/buckets/README.md @@ -16,6 +16,26 @@ +[BBOT](https://github.com/blacklanternsecurity/bbot) automates bucket enumeration. Supported cloud providers are: AWS, Google, Azure, DigitalOcean, and Firebase. + +Buckets are discovered based on web content and derivatives of discovered DNS names. For example, if your target is `tesla.com` and BBOT discovers a subdomain `www.tesla.com`, it will visit the website and extract bucket names from its HTML content. Additionally, it will try each of the following bucket names: +- `www.tesla.com` +- `www.tesla` +- `www-tesla-com` +- `www-tesla` +- `wwwteslacom` +- `wwwtesla` + +For each bucket found, BBOT will check whether it's open (world-readable) and also whether it's vulnerable to [subdomain hijacking](pentesting-web/domain-subdomain-takeover.md). Note that buckets discovered with the `bucket_*` modules are not guaranteed to be owned by the target. + +~~~bash +# enumerate buckets for evilcorp.com +bbot -t evilcorp.com -f subdomain-enum cloud-enum + +# single cloud provider + permutations (-dev, -test, etc.) +bbot -t evilcorp.com -m bucket_aws -c modules.bucket_aws.permutations=true +~~~ + A good tool to review your configuration in several clouds is: [https://github.com/nccgroup/ScoutSuite](https://github.com/nccgroup/ScoutSuite) [**AWS S3 hacking tricks**](broken-reference) diff --git a/pentesting-web/domain-subdomain-takeover.md b/pentesting-web/domain-subdomain-takeover.md index b8a54e9c2..d45d963f7 100644 --- a/pentesting-web/domain-subdomain-takeover.md +++ b/pentesting-web/domain-subdomain-takeover.md 
@@ -31,6 +31,7 @@ A subdomain of the company is pointing to a **third-party service with a name no There are several tools with dictionaries to check for possible takeovers: * [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz) +* [https://github.com/blacklanternsecurity/bbot](https://github.com/blacklanternsecurity/bbot) * [https://github.com/punk-security/dnsReaper](https://github.com/punk-security/dnsReaper) * [https://github.com/haccer/subjack](https://github.com/haccer/subjack) * [https://github.com/anshumanbh/tko-sub](https://github.com/anshumanbh/tko-subs) @@ -41,6 +42,12 @@ There are several tools with dictionaries to check for possible takeovers: * [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover) * [https://github.com/musana/mx-takeover](https://github.com/musana/mx-takeover) +#### Scanning for Hijackable Subdomains with [BBOT](https://github.com/blacklanternsecurity/bbot): +Subdomain takeover checks are included in BBOT's default subdomain enumeration. Signatures are pulled directly from [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz). +~~~bash +bbot -t evilcorp.com -f subdomain-enum +~~~ + ### Subdomain Takeover Generation via DNS Wildcard When DNS wildcard is used in a domain, any requested subdomain of that domain that doesn't have a different address explicitly will be **resolved to the same information**. This could be an A ip address, a CNAME...
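Review bot: in the buckets/README.md hunk (`@@ -16,6 +16,26 @@`), the relative link `[subdomain hijacking](pentesting-web/domain-subdomain-takeover.md)` will not resolve from `network-services-pentesting/pentesting-web/buckets/README.md`: the second file header in this same patch shows the target page lives at `pentesting-web/domain-subdomain-takeover.md` at the repository root, so from the buckets README the path has to climb three directories (`../../../pentesting-web/domain-subdomain-takeover.md`) or use whatever root-relative form the rest of the book uses. The sentence "vulnerable to subdomain hijacking" is also ambiguous for a bucket; since the linked page is about a hostname pointing at a third-party resource nobody owns, say explicitly that the check is for a DNS name that still points at a bucket name that is not claimed. The caveat that `bucket_*` results are not guaranteed to belong to the target is the right one to keep; consider placing it directly after the "open (world-readable)" sentence so readers verify ownership before reporting an open bucket as the target's finding.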
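Review bot: for the `@@ -31,6 +31,7 @@` hunk in domain-subdomain-takeover.md, the added list entry is fine, but while touching this list fix the neighbouring entry whose link text reads `tko-sub` while its URL is `tko-subs`. Since the list is introduced as "tools with dictionaries" and the new section added further down states that BBOT takes its signatures from can-i-take-over-xyz (already the first entry), it would help to say so in the entry itself so readers do not expect independent signature coverage from it.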
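Review bot: in the `@@ -41,6 +42,12 @@` hunk, the new `####` heading ends with a colon and is immediately followed by the paragraph and the `~~~bash` fence with no blank lines between them; drop the trailing colon and add blank lines before the paragraph and before the fence so renderers that require a blank line before a fenced block do not fold it into the paragraph (the buckets hunk in this same patch does leave that blank line). The sentence "Signatures are pulled directly from can-i-take-over-xyz" is the point that matters for readers and should be followed through: a match is only as current as that list and is a candidate to verify by hand (confirm the record is actually dangling and the named resource is still unclaimed), not a confirmed takeover, mirroring the ownership caveat given for buckets in the first hunk.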