hacktricks/network-services-pentesting/pentesting-web/buckets/README.md
2023-04-25 20:35:28 +02:00

Buckets

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

You can use BBOT to enumerate storage buckets. Supported providers are: AWS, Google, Azure, DigitalOcean, and Firebase.

Buckets are discovered from web content and enumerated based on derivatives of discovered DNS names. For example, if your target is tesla.com and BBOT discovers a subdomain www.tesla.com, it will visit the website and extract bucket names from its HTML content. Additionally, it will try each of the following bucket names:

  • www.tesla.com
  • www.tesla
  • www-tesla-com
  • www-tesla
  • wwwteslacom
  • wwwtesla

For each bucket found, BBOT checks whether it is open (world-listable without credentials) and whether a DNS name of the target points at a bucket that does not exist, which makes it a subdomain takeover candidate. Note that buckets discovered with the bucket_* modules are not guaranteed to be owned by the target: the only link is the name derivation, so confirm ownership before reporting a finding.

```bash
# enumerate buckets for evilcorp.com
bbot -t evilcorp.com -f subdomain-enum cloud-enum

# single cloud provider + permutations (-dev, -test, etc.)
bbot -t evilcorp.com -m bucket_aws -c modules.bucket_aws.permutations=true
```
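As an added worked example (not BBOT's own code), the name derivation described above and the permutations option from the second command, implemented in Python. `bucket_name_candidates()` reproduces the six name forms for a hostname and optionally appends suffixes; `classify_s3_response()` maps an unauthenticated GET of `https://<bucket>.s3.amazonaws.com/` to open / private / other-region / missing; `s3_bucket_from_cname()` and `is_takeover_candidate()` flag a DNS name whose CNAME points at a bucket nobody owns. The function names, the suffixes beyond dev/test and the XML bodies are constructed assumptions for the example; nothing is sent over the network.

```python
"""Added example (not BBOT's code): derive bucket-name candidates from a
DNS name, classify S3 probe responses and flag takeover candidates.
Runs offline on constructed responses; no HTTP requests are sent."""
import re
import xml.etree.ElementTree as ET

# Suffixes for the permutations option. The page names -dev and -test;
# the rest of this list is an assumption for the example.
PERMUTATION_SUFFIXES = ("dev", "test", "staging", "prod", "backup")

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots, dashes.
S3_NAME_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")

# CNAME targets of the form <bucket>.s3[.-<region or website endpoint>].amazonaws.com
S3_CNAME_RE = re.compile(r"^([a-z0-9.-]+?)\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com\.?$")


def bucket_name_candidates(hostname, permutations=False):
    """Return bucket names derived from a hostname, in the order the page
    lists them: full name, name without TLD, then dashed and concatenated
    forms of each. Names that violate S3 naming rules are dropped."""
    host = hostname.lower().strip(".")
    labels = host.split(".")
    no_tld = ".".join(labels[:-1]) if len(labels) > 1 else host
    bases = [host, no_tld]                                   # www.tesla.com, www.tesla
    bases += [b.replace(".", "-") for b in (host, no_tld)]   # www-tesla-com, www-tesla
    bases += [b.replace(".", "") for b in (host, no_tld)]    # wwwteslacom, wwwtesla
    names = []
    for b in bases:
        if b not in names:
            names.append(b)
    if permutations:
        for b in list(names):
            for s in PERMUTATION_SUFFIXES:
                for cand in (f"{b}-{s}", f"{s}-{b}"):
                    if cand not in names:
                        names.append(cand)
    return [n for n in names if S3_NAME_RE.match(n)]


def _local(el):
    """Tag name without the S3 XML namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]


def classify_s3_response(status, body):
    """Classify an unauthenticated GET of https://<bucket>.s3.amazonaws.com/
    (status code plus response body) as one of:
      open          200 with <ListBucketResult>: anyone can list the bucket
      private       403 AccessDenied: bucket exists, listing denied
      other-region  301 PermanentRedirect: bucket exists in another region
      missing       404 NoSuchBucket: nobody owns this name
      unknown       anything else (proxy, WAF, non-S3 host, parse error)"""
    tag, code = None, None
    try:
        root = ET.fromstring(body)
        tag = _local(root)
        if tag == "Error":
            code_el = next((c for c in root if _local(c) == "Code"), None)
            code = code_el.text if code_el is not None else None
    except ET.ParseError:
        pass
    if status == 200 and tag == "ListBucketResult":
        return "open"
    if status == 403 and code == "AccessDenied":
        return "private"
    if status == 301 and code == "PermanentRedirect":
        return "other-region"
    if status == 404 and code == "NoSuchBucket":
        return "missing"
    return "unknown"


def s3_bucket_from_cname(cname_target):
    """Bucket name referenced by a CNAME target, or None if it is not S3."""
    m = S3_CNAME_RE.match(cname_target.lower())
    return m.group(1) if m else None


def is_takeover_candidate(cname_target, status, body):
    """A DNS name whose CNAME points at a bucket that does not exist can be
    hijacked by anyone who creates a bucket with that name."""
    return (s3_bucket_from_cname(cname_target) is not None
            and classify_s3_response(status, body) == "missing")


# Constructed sample responses in the shape S3 returns (not captured traffic).
OPEN_BODY = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
             '<Name>www-tesla-com</Name><Contents><Key>db-backup.sql</Key></Contents>'
             '</ListBucketResult>')
DENIED_BODY = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code>'
               '<Message>Access Denied</Message></Error>')
MISSING_BODY = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                '<Message>The specified bucket does not exist</Message>'
                '<BucketName>www-tesla</BucketName></Error>')

if __name__ == "__main__":
    for name in bucket_name_candidates("www.tesla.com"):
        print(name)
    print(classify_s3_response(200, OPEN_BODY))                                     # open
    print(is_takeover_candidate("www-tesla.s3.amazonaws.com", 404, MISSING_BODY))   # True
```

The classifier keys on the S3 error `<Code>` rather than on the status alone, because a 403 or 404 from a WAF or a non-S3 host in front of the name says nothing about the bucket; those fall into "unknown" and need a manual look. A "missing" result only matters for takeover when a DNS record of the target actually points at that bucket name, which is what `is_takeover_candidate()` checks.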

A good tool to review your configuration in several clouds is: https://github.com/nccgroup/ScoutSuite

AWS S3 hacking tricks

More info: