reewardius/aws-enumeration

AWS Enumeration

We utilize various search engines to conduct OSINT and gather information about leaked AWS Access & Secret Keys, as well as AWS S3 Bucket names that have been cached by crawlers.

AWS Cloud Services

*.s3.amazonaws.com
*.awsapps.com
https://[api-id].execute-api.[region].amazonaws.com/[stage]/

JavaScript Files

Analyzing JavaScript files for AWS access/secret key disclosure and S3 buckets:

getjs --input targets.txt --complete --output js_links.txt
nuclei -l js_links.txt -t templates/aws-access-secret-key.yaml -silent -o aws-secrets.txt

nuclei -l js_links.txt -t templates/s3-bucket-detect.yaml -silent -o aws-s3-buckets.txt

Google Dorks

The following Google dorks can be used to find information related to AWS S3:

site:s3.amazonaws.com "index of /"
inurl:s3.amazonaws.com intitle:"AWS S3 Explorer"
site:http://s3.amazonaws.com intitle:index.of.bucket ""
site:.s3.amazonaws.com "Company"
inurl:gitlab "AWS_SECRET_KEY"
inurl:pastebin "AWS_ACCESS_KEY"

Github Dorks

rds.amazonaws.com password
aws_access_key_id=
aws_bucket aws_key=
aws_secret=
aws_secret_access_key=
aws_secret_key=
aws_session_token=
aws_token=
bucketeer_aws_access_key_id
bucketeer_aws_secret_access_key
cache_s3_secret_key
lottie_s3_api_key
lottie_s3_secret_key
s3_access_key=
s3_access_key_id=
s3_secret_key=
sandbox_aws_access_key_id
sandbox_aws_secret_access_key
secret_key aws
aws_secretaccesskey=
secretkey aws

The process of searching manually for each keyword can be automated using github-aws-secrets-scanner as shown below:

python github-aws-secrets-scanner.py -t <github-token> -day 7 -o results.txt

grep.app

aws_access_key_id\s*=\s*['"]?AKIA[0-9A-Z]{16}['"]?
aws_secret_access_key="[A-Za-z0-9+/=]{40}"
AKIA[0-9A-Z]{16}
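
The same patterns can be pointed at your own checkout before it is pushed, so a key is caught before any of the indexes above can cache it. The scanner below is an added example, not part of this repository: the function names are hypothetical, the secret-key pattern is loosened to allow optional quotes and whitespace, and AWS's documented placeholder credentials are skipped.

```python
import re
import sys
from pathlib import Path

# Patterns taken from the grep.app queries above; the secret-key pattern is
# loosened here (assumption) to allow optional quotes and spaces around "=".
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"aws_secret_access_key\s*=\s*['\"]?([A-Za-z0-9+/=]{40})(?![A-Za-z0-9+/=])",
    re.IGNORECASE,
)
# Placeholder credentials published in AWS documentation; not real keys.
DOC_EXAMPLES = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def redact(value):
    """Keep only the first four characters so reports never re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text, source="<text>"):
    """Return (source, line_no, kind, redacted_value) for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, values in (
            ("access_key_id", ACCESS_KEY_RE.findall(line)),
            ("secret_access_key", SECRET_KEY_RE.findall(line)),
        ):
            for value in values:
                if value not in DOC_EXAMPLES:
                    findings.append((source, line_no, kind, redact(value)))
    return findings


def scan_tree(root):
    """Scan every readable file under root (for example a repository checkout)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and ".git" not in path.parts:
            findings += scan_text(path.read_text(errors="ignore"), str(path))
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for finding in results:
        print("%s:%d: %s %s" % finding)
    sys.exit(1 if results else 0)  # non-zero exit fails a pre-commit hook or CI job
```

Run it with the repository path as the only argument; a non-zero exit status means at least one suspected key was found.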

Hugging Face

aws_secret_access_key=

Shodan Query

According to Shodan, the data displayed covers the past 30 days of monitored internet data.

html:"AWS_ACCESS_KEY_ID"
html:"AWS_SECRET_ACCESS_KEY"
html:"AWS_SESSION_TOKEN"
html:"ListBucketResult"

Censys Query

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN

Fofa Query

body="AWS_ACCESS_KEY_ID"
body="AWS_SECRET_ACCESS_KEY"
body="AWS_SESSION_TOKEN"
app="amazon-AmazonS3"
body="ListBucketResult"

Using Uncover with Nuclei

uncover -q 'html:"ListBucketResult"' -pc config.yaml -silent | httpx -silent | nuclei -id aws-object-listing -silent

uncover -q 'html:"AWS_ACCESS_KEY_ID"' -pc config.yaml -silent -o uncover.txt
nuclei -l uncover.txt -t templates/aws-access-secret-key.yaml

Detecting AWS Website

nuclei -l targets.txt -id s3-detect

Using Nuclei / Cloud-Enum / S3Scanner for S3 Bucket Enum

nuclei -id aws-s3-bucket-enum -var wordlist=fuzz.txt -rl 1 -lfa

python cloud_enum.py -k keyword -k keyword2
python cloud_enum.py -kf fuzz.txt -qs

s3scanner -bucket-file fuzz.txt -provider aws -enumerate

Grayhatwarfare

GrayhatWarfare allows users to find open AWS S3 buckets.

Other Services

https://codepen.io/
https://publicwww.com/
https://searchcode.com/
https://gist.github.com/
