Exploring Misconfigured S3 Buckets through Diverse Enumeration tools Part 2.

Exploring Misconfigured S3 Buckets through Diverse Enumeration tools Part 2.

·

5 min read

INTRODUCTION

In the previous lab, we effectively set up both a secure and vulnerable S3 bucket. By conducting penetration testing, we obtained valuable insights into the vulnerabilities that can result from misconfigured AWS S3 buckets. The testing played a crucial role in identifying and highlighting cases of misconfiguration.

Lab objective

The lab series focuses on performing S3 bucket enumeration using a variety of S3 bucket enumeration tools, enabling ethical hackers and penetration testers to gather information effortlessly during the enumeration process.

Disclaimer

The S3 bucket enumeration tools provided in this lab are intended for educational purposes only and should not be utilized for illegal activities or unauthorized access to buckets or websites.

Things you for this lab

The following prerequisites are needed:

  • A Parrot Security virtual machine

  • Web browsers with an active Internet connection

  • Administrator privileges for executing the tools.

In this lab, you can utilize any of the two publicly accessible misconfigured buckets.

  1. flaws.cloud cloud security challenge game (Check Challenge Walkthrough)

  2. CEH publicly available S3 bucket

For this lab, our target domain for enumeration is flaws.cloud and CEH

Enumerate S3 buckets using lazys3

Lazys3 is a Ruby script utility designed for performing brute-force attacks on AWS S3 buckets through various permutations. With this tool, you can identify publicly accessible S3 buckets and conduct targeted searches on specific companies' S3 buckets by providing the company name.

  • Download and install lazys3 (GitHub) on your Linux system using the following command:
git clone https://github.com/nahamsec/lazys3.git

  • Navigate to lazys3.rb in the lazys3 folder using the command.
# switch user using 
$sudo su
$ls 
$cd lazys3

  • Now typeruby lazys3.rb and press Enter.

  • A list of public S3 buckets is displayed, as shown in the screenshot.

    Press Ctrl+Z to stop the script.

  • You can search the S3 buckets of a specific company. To do so, type ruby lazys3.rb [Company] and press Enter.

Note: Here, the target company name is flaws.cloud; you can enter the company name of your choice. ruby lazys3.rb flaws.cloud

Note: It will take some time to obtain a complete list of the available S3 buckets.

  • Press Ctrl+Z to stop running the script.

Enumerate S3 Buckets using S3Scanner

S3Scanner is a utility designed to identify accessible S3 buckets and extract their contents. It operates by taking a provided list of bucket names as input and outputs the discovered S3 buckets into a file. Additionally, the tool offers the capability to locally dump or list the contents of these "open" buckets.

  • Download S3Scanner (Github) using the following command:
git clone https://github.com/sa7mon/S3Scanner.git

  • Type the following command to navigate to the cloned repository:

Note: By default, the tool is cloned to your current working directory.

# cd S3Scanner/

  • In your S3Scanner folder, type and press Enter to install the required dependencies.

      pip3 install -r requirements.txt
    

  • After the successful installation of the dependencies, run the command to check the access permissions for flaws.cloud

      python3 -m S3Scanner scan --bucket flaws.cloud
    

Here, flaws.cloud bucket exists with READ access to All users (Everyone via the internet)

  • Next, create a directory called S3Dump and execute the command to dump (download) content from the flaws.cloud bucket.

    Type the following command as shown in the image below:

  • On your terminal, type the following command and press Enter:

    NB: Replace <with a name of your choice> ~/Desktop/*******/
    In this lab, S3Dump is the name of the Folder or Directory created on the Desktop.

      python3 -m S3Scanner dump --bucket flaws.cloud --dump-dir ~/Desktop/S3Dump/
    

  • Navigate to the S3Dump directory or folder
$cd S3Dump
$ls

Additionally, there are various tools available for S3 bucket enumeration, including:

These tools can be utilized to conduct S3 bucket enumeration for a specific website or organization.

Enumerate S3 Buckets using Google Chrome Extension

The Google Chrome extension called S3BucketList captures S3 buckets identified in requests and provides a list that includes their permissions. This tool enables us to determine the public or private status of an S3 bucket. In this case, we will employ the S3BucketList Google Chrome to discover S3 buckets associated with a specific website target.

S3BucketList Installation

https://github.com/AlecBlance/S3BucketList/tree/master#installation

  1. Download the S3BucketList zip

  2. Extract

  3. Go to Google Chrome's Settings (icon > Tools > Extensions).

  4. Enable Developer Mode ( toggle button in the top-right corner )

  5. Click "Load unpacked" and locate the extracted zip from the previous step

  • Download the tool .zip file from GitHub

  • Go to Google Chrome's Settings - icon > Tools > Extensions

  • Enable Developer Mode ( toggle button in the top-right corner )

  • Click "Load unpacked" then locate the extracted zip from the previous step and select it.

  • Open a new tab in the browser, in the address bar, type https://www.eccouncil.org and press Enter.

  • Click the S3 Bucket List icon present on the top-right of the browser window to view the recorded S3 buckets.

Based on the image provided, the denial of access indicates that either the domain eccouncil.org is not hosted in an S3 bucket, or the S3 bucket is properly configured.

NOTE: An open S3 bucket named "certifiedhacker1" was established by Eccouncil, granting unrestricted public access to all users via the Internet.

  • Now, click on the S3 Bucket List icon to view its permissions.

When S3 buckets are set to public, the content within them becomes accessible to any user on the internet. This misconfiguration can be exploited by attackers to their advantage.

Disclaimer: The tools provided in the lab for S3 bucket enumeration, as mentioned earlier, are intended solely for educational purposes. It is strictly prohibited to use these tools illegally or on unauthorized buckets or websites.

Did you find this article valuable?

Support Everything ~ Cloud Security by becoming a sponsor. Any amount is appreciated!