AWS Enumeration Methods for Security Professionals

Summary

AWS enumeration methods for security professionals are techniques used to systematically explore and analyze resources, permissions, and configurations within Amazon Web Services to detect vulnerabilities and improve security. These methods help identify what users, roles, and services can access, providing a clearer view of potential risks for proactive defense.

  • Map user access: Regularly review and document the permissions and actions available to each AWS user and role so you can spot hidden or excessive privileges.
  • Audit resource exposure: Scan for publicly accessible buckets, secrets, and services to ensure sensitive information and assets are properly protected.
  • Utilize specialized tools: Incorporate popular AWS enumeration frameworks and open-source utilities to automate scanning and gain deeper insight into complex cloud environments.
Summarized by AI based on LinkedIn member posts
  • Harrison Richardson (rs0n)

    SaaS Product Security ( App | Cloud | AI )

    6,705 followers

    I recently noticed while building my Bug Bounty Hunting Framework (beta release @ DEFCON 33) that Cloud Enum isn't being actively maintained anymore, so I decided to fork/maintain it myself! https://lnkd.in/gvGfjDrk

    Here's a quick rundown of the improvements I've done so far:

    🚀 Massive Service Expansion:
      • AWS: Expanded from 2 to 14+ services (600% increase)
      • Azure: Expanded from 17 to 24+ services (41% increase)
      • GCP: Expanded from 5 to 15+ services (200% increase)

    🌍 Global Region Coverage:
      • AWS: Updated from 20 to 37+ regions with complete global coverage
      • Azure: Expanded from 31 to 62+ regions including new European, Asian, and South American regions
      • GCP: Updated from 19 to 45+ regions reflecting Google Cloud's infrastructure expansion

    ⚡ Advanced Controls:
      • Service Selection: Target specific services with --aws-services, --azure-services, --gcp-services
      • Region Filtering: Limit scans to specific regions with --aws-regions, --azure-regions, --gcp-regions
      • Discovery Commands: Use --show-services and --show-regions to explore available options (no longer require -k flag)
      • Verbose Mode: Comprehensive -v flag showing detailed enumeration process, FQDN formats, and testing methodology

    🎯 Enhanced Mutation & Discovery:
      • Three Optimized Wordlists:
          • fuzz_small.txt (~100 words) - Default: Essential cloud terms for quick scans
          • fuzz.txt (~1,100 words) - Comprehensive wordlist for thorough enumeration
          • fuzz_large.txt (~1,800 words) - Extensive wordlist with service-specific terms
      • Advanced Keyword Logic: New --keyword-logic flag with concurrent mode (default) for mutations between keywords
      • Enhanced Mutations: Added underscore support increasing variations from 6 to 8 per keyword (33% more coverage)
      • Region-Aware Testing: Proper region-specific enumeration for Cloud SQL, Spanner

    🔧 Improved Response Handling:
      • Service-appropriate HTTP response interpretation across all cloud providers
      • Improved rate limiting detection and handling
      • Better authentication requirement detection with new access levels
      • More accurate public vs. protected resource classification
      • Fixed critical error handling for edge-case HTTP responses
      • Cross-platform Path Handling: Proper OS-specific path separators for Windows/Linux/macOS

    🔥 S3 Bucket Enumeration Enhancements
      • Authenticated Mode: When AWS credentials are available (via aws configure, environment variables, or --aws-access-key/--aws-secret-key), uses boto3 APIs for reliable bucket detection and content listing
      • HTTP Fallback Mode: When no credentials are available, falls back to HTTP-based enumeration with intelligent redirect handling
      • Proper 301 Redirect Handling: No longer treats HTTP 301 redirects as "open buckets"
      • XML Response Parsing: Extracts correct regional endpoints from S3 error responses
      • Follow-up Verification: Tests redirect endpoints separately to determine true accessibility (200 = Open, 403 = Protected)

    I hope it helps! 🍻 And HUGE shoutout to the original builder/maintainer https://lnkd.in/gAVdN7E4!
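The redirect handling listed in the post above matters when auditing your own bucket exposure: a 301 from the global S3 endpoint says nothing about access until the regional endpoint named in the error body has answered. The sketch below is an added example, not code from the post or from the tool; the function names, the bucket name and the canned responses are constructed, and the 404 case is not mentioned in the post.

```python
import xml.etree.ElementTree as ET

def redirect_endpoint(body):
    """Return <Endpoint> from an S3 PermanentRedirect error body, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "Error" or root.findtext("Code") != "PermanentRedirect":
        return None
    return (root.findtext("Endpoint") or "").strip() or None

def classify(status, body=""):
    """Map one HTTP response to (verdict, endpoint_to_test_next)."""
    if status == 200:
        return ("open", None)        # listing succeeded without credentials
    if status == 403:
        return ("protected", None)   # bucket exists, access denied
    if status == 404:
        return ("absent", None)      # not in the post: S3 answers NoSuchBucket
    if status == 301:
        endpoint = redirect_endpoint(body)
        return ("redirect", endpoint) if endpoint else ("unknown", None)
    return ("unknown", None)

def audit(bucket, responses):
    """Follow redirects through canned responses: endpoint -> (status, body)."""
    endpoint, seen = f"{bucket}.s3.amazonaws.com", set()
    while endpoint and endpoint not in seen:   # 'seen' stops redirect loops
        seen.add(endpoint)
        verdict, endpoint = classify(*responses.get(endpoint, (0, "")))
        if verdict != "redirect":
            return verdict
    return "unknown"

# Constructed sample: the global endpoint redirects, the regional one denies.
REDIRECT_XML = (
    "<Error><Code>PermanentRedirect</Code>"
    "<Message>The bucket you are attempting to access must be addressed "
    "using the specified endpoint.</Message>"
    "<Endpoint>example-audit-bucket.s3-us-west-2.amazonaws.com</Endpoint>"
    "<Bucket>example-audit-bucket</Bucket></Error>"
)
SAMPLE = {
    "example-audit-bucket.s3.amazonaws.com": (301, REDIRECT_XML),
    "example-audit-bucket.s3-us-west-2.amazonaws.com": (403, ""),
}

if __name__ == "__main__":
    print(audit("example-audit-bucket", SAMPLE))
```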

  • Meisam Eslahi, Ph.D.

    Executive Director | BTV Mentor | Cybersecurity | CCISO | CEH | OSCP

    76,617 followers

    SkyEye: Cooperative IAM Enumeration!

    An open-source Identity and Access Management enumeration framework for AWS that introduces a new, cooperative multi-principal scanning model designed to expose the full extent of what users and roles can do in the cloud. Yes, even when that information is fragmented across multiple AWS credentials!

    We often collect multiple AWS credentials in cloud penetration testing or red teaming. But scanning each one individually leads to blind spots, permissions invisible in isolation, yet exploitable in combination.

    SkyEye uses a novel Cross-Principal IAM Enumeration Model (CPIEM) to correlate multiple active sessions and build a complete picture of what each principal (user or role) can truly access or assume:
      • Cross-Principal and Transitive Role Enumeration (TCREM)
      • Mapping AWS IAM actions (~20,000) to MITRE ATT&CK
      • Fuzzing & Simulation of permissions
      • Visualized IAM trees and policy version diffs
      • Output logs and JSON for audit/integration

    Source: https://lnkd.in/gwDDGE_s

    What about understanding what actually happened, what’s risky, or what patterns emerge over time? Discover over 10+ essential data analysis techniques for effective threat hunting in my "Cyber Threat Hunt 101" YouTube series, explained simply: https://lnkd.in/gkVB6B2j

    Please share and subscribe if you enjoy the content!

    #cybersecurity #threathunting #threatdetection #blueteam #soc #socanalyst #skillsdevelopment #careergrowth #IR #DataAnalysis #IncidentResponse

  • Okan YILDIZ

    Global Cybersecurity Leader | Innovating for Secure Digital Futures | Trusted Advisor in Cyber Resilience

    83,193 followers

    🚀 Unlocking AWS Security: A Comprehensive Guide to Cloud Pentesting 🔥

    As more businesses move their critical operations to the cloud, Amazon Web Services (AWS) is becoming a prime target for cyber attackers. Understanding the nuances of AWS Pentesting is now more crucial than ever for maintaining a robust security posture. The cheatsheet I’ve reviewed dives deep into the essential tools and techniques every cybersecurity professional should master.

    🔍 Key Takeaways:
      • Identity & Access Management (IAM): Gain insights on privilege escalation, how to identify shadow admins, and enumerate IAM permissions effectively.
      • Metadata Service Attacks: Learn to exploit metadata SSRF vulnerabilities in EC2 and Fargate to steal sensitive IAM credentials.
      • Backdoors and Persistence: Explore advanced backdoor methods using IAM policies, Lambda functions, and IAM roles to maintain long-term access.
      • SSRF and Instance Hijacking: Understand how Server-Side Request Forgery (SSRF) can be leveraged to hijack instances or gain administrative privileges.
      • S3 Buckets & Data Exfiltration: Tips on discovering publicly exposed S3 buckets, conducting data exfiltration, and leveraging vulnerabilities in S3 policies.

    💡 Tools of the Trade:
      • Pacu for AWS exploitation and SkyArk for discovering privileged accounts.
      • ScoutSuite for cloud environment security audits.
      • Cloudsplaining to identify and remediate IAM security risks.
      • CloudMapper for visualizing AWS infrastructure.
      • WeirdAAL for AWS privilege escalation and persistence attacks.

    🌐 AWS security requires constant vigilance and staying up-to-date with the latest pentesting strategies. If you’re looking to strengthen your AWS defenses, this guide is a must-read!

    #AWS #CloudSecurity #CloudPentesting #CyberSecurity #EthicalHacking #SSRF #IAMSecurity #CloudCompliance #PentestTools #DataExfiltration #Infosec #CyberDefense #Pentesting #RedTeam #BlueTeam #AWSIAM #LambdaSecurity #EC2Exploitation #CloudThreats

  • Christophe Limpalair

    Cloud Security Training & Consulting ☁️ Cybr.com

    20,030 followers

    To go along with our announcement from earlier this week about free AWS cloud security 🧪 labs, I published a video walkthrough of our lab called "Introduction to AWS Secrets Manager Enumeration" ⬇️

    Secrets Manager is a service that organizations can use to store their secrets, which makes it a juicy target for attackers. As security professionals, it’s our job to find potential weaknesses in our organization’s environments so that we can fix them *before* they get exploited by threat actors.

    In the video I show how to:
      📌 Use Cybr's free hands-on labs
      📌 Enumerate our user or role permissions
      📌 List secrets stored in an AWS account
      📌 Retrieve resource-based policies for those secrets
      📌 Retrieve information about secrets (versions, KMS info, etc)
      📌 Retrieve the actual secrets themselves

    This lab is a precursor for our IAM #PrivilegeEscalation course where we demonstrate how attackers can escalate privileges when #AWS environments are misconfigured in order to access secrets stored in the account, exfil data, etc... That way, you can look for and find these types of misconfigurations in your accounts (or your client's accounts) so they can be fixed 🙌

    🔗 Video walkthrough: https://lnkd.in/gj7Wt9BR

    Happy learning!

    #cloudsecurity #secretsmanagement #handsonlearning #ethicalhacking
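Once the resource-based policies mentioned in the post above have been retrieved, the review question is which statements let someone outside the account read the secret value. The following is an added example, not material from the post or the lab: it checks a policy document offline, and the function names, account IDs and sample policy are constructed.

```python
import json
from fnmatch import fnmatchcase

READ = "secretsmanager:getsecretvalue"   # the action that returns the secret

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(principal):
    """Flatten a Principal element to its AWS entries ("*" stays "*")."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []

def _account_of(principal):
    # Accepts an ARN (arn:aws:iam::111122223333:role/x) or a bare account ID.
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def audit_secret_policy(resource_policy, own_account):
    """Return (sid, finding) pairs for Allow statements that expose READ."""
    findings = []
    statements = _as_list(json.loads(resource_policy).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase(READ, a) for a in actions):   # honours wildcards
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        for principal in _aws_principals(stmt.get("Principal")):
            if principal == "*":
                if not stmt.get("Condition"):
                    findings.append((sid, "public-read"))
            elif _account_of(principal) != own_account:
                findings.append((sid, "cross-account-read"))
    return findings

# Constructed sample policy; account IDs and Sids are placeholders.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"}},
    {"Sid": "Vendor", "Effect": "Allow", "Action": ["secretsmanager:Get*"], "Resource": "*", "Principal": {"AWS": ["arn:aws:iam::444455556666:root"]}},
    {"Sid": "Everyone", "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*", "Principal": "*"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*", "Principal": "*", "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
]})

if __name__ == "__main__":
    print(audit_secret_policy(SAMPLE, "111122223333"))
```

A statement with a wildcard principal and a Condition is skipped here, so conditions still need a manual read to confirm they actually narrow access.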
