Recon / Initial Access / Enum

AWS - Initial Recon

ko-fi

Recon - AWS Eye

Found an account ID:

LogoAwseye - See Inside AWS Accountsawseye.com

AWS Extender - Burp Extension

LogoGitHub - VirtueSecurity/aws-extender: AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.GitHub

Credz in git repos

Credentials in git repos

Credz on Host - Hardcoded Secrets

Spray AWS Console IAM Logins

IAM User enumeration

Or see IAM part

GoAWSConsoleSpray

LogoGitHub - WhiteOakSecurity/GoAWSConsoleSpray: Tool to spray AWS Console IAM LoginsGitHub

To get the ACCOUNTID , run aws sts get-caller-identity with a known account

AWeSomeUserFinder

LogoGitHub - dievus/AWeSomeUserFinder: AWS IAM Username Enumerator and Password Spraying Tool in Python3GitHub

Subdomain Takeover

AWS Elastic Beanstalk

LogoUsing PD tools to find my first subdomain takeover — ProjectDiscovery BlogProjectDiscovery
LogoSubdomain takeover via AWS s3 bucketMedium
DNS (53)

CloudTap

LogoGitHub - PanosoikoGr/CloudTap: Comprehensive AWS cloud reconnaissance and privilege escalation toolkit written in Python. Features IAM, EC2, S3, Lambda, ECS, Secrets Manager, and more — with multi-region scanning and auto-suggested privilege escalation paths.GitHub

AWS Enumerator

Credentials found

LogoGitHub - shabarkin/aws-enumerator: The AWS Enumerator was created for service enumeration and info dumping for investigations of penetration testers during Black-Box testing. The tool is intended to speed up the process of Cloud review in case the security researcher compromised AWS Account Credentials.GitHub

Cloudfox

LogoGitHub - BishopFox/cloudfox: Automating situational awareness for cloud penetration tests.GitHub

Security Groups - Segmentation

LogoMy AWS “Segmentation Test” Methodology for Pentesters v1.0Medium
LogoGitHub - SherifTalaat/AWS-SG-Analyzer: Python script to analyze and extract all Security Groups informationGitHub

AWS Attack Path Management Tool

LogoGitHub - hotnops/apeman: AWS Attack Path Management Tool - Walking on the MoonGitHub

Authenticated Recon

ScoutSuite

LogoGitHub - nccgroup/ScoutSuite: Multi-Cloud Security Auditing ToolGitHub

Prowler

LogoGitHub - prowler-cloud/prowler: Prowler is the Open Cloud Security for AWS, Azure, GCP, Kubernetes, M365 and more. As agent-less, it helps for continuous monitoring, security assessments & audits, incident response, compliance, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, ENS and moreGitHub

White Box Recon

You must have the following privileges (these grant various read access of metadata):

  • arn:aws:iam::aws:policy/SecurityAudit

  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

LogoGitHub - duo-labs/cloudmapper: CloudMapper helps you analyze your Amazon Web Services (AWS) environments.GitHub

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

PreviousAWSNextAWS CLI

Last updated