Cloud Resources

Even though cloud providers secure their infrastructure centrally, this does not mean that companies are free from vulnerabilities. The configurations made by the administrators may nevertheless make the company's cloud resources vulnerable. This often starts with the S3 buckets (AWS), blobs (Azure), cloud storage (GCP), which can be accessed without authentication if configured incorrectly.

Sometimes companies keep their cloud storage locations in DNS for easy administration. We can find that in the DNS record when we use dig.

We can also use google dorks to search for cloud links that belong to the company.

For AWS:

intext:company inurl:amazonaws.com

For Azure:

intext:company inurl:blob.core.windows.net

Such content is also often included in the source code of the web pages, from where the images, JavaScript codes, or CSS are loaded. This procedure often relieves the web server and does not store unnecessary content.

Once we have some links we can run them through third party providers domain.glass to dig deep into the domain informations.

Another very useful provider is GrayHatWarfare. We can do many different searches, discover AWS, Azure, and GCP cloud storage, and even sort and filter by file format. Therefore, once we have found them through Google, we can also search for them on GrayHatWarefare and passively discover what files are stored on the given cloud storage.

Sometimes we will find private and public SSH keys stored and leaked in cloud storages like S3, blob etc that will show here in the GrayHatWarfare search.