diff --git a/cloud-enumeration/cloud-enum-aws-app.yaml b/cloud-enumeration/cloud-enum-aws-app.yaml deleted file mode 100644 index 5dacb8c399..0000000000 --- a/cloud-enumeration/cloud-enum-aws-app.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: cloud-enum-aws-app - -info: - name: Cloud Enumeration - AWS Apps - author: initstring - severity: info - description: Searches for AWS apps (WorkDocs, WorkMail, Connect, etc.) - reference: tba - tags: cloud,aws - -self-contained: true - -variables: - baseDNS: "awsapps.com" - -http: - - raw: - - | - GET https://{{wordlist}}.{{baseDNS}} HTTP/1.1 - Host: {{wordlist}}.{{baseDNS}} - redirects: false - attack: batteringram - threads: 10 - matchers: - - type: status - name: "Registered AWS App" - condition: or - status: - - 200 - - 302 \ No newline at end of file diff --git a/cloud-enumeration/cloud-enum-aws-s3-bucket.yaml b/cloud-enumeration/cloud-enum-aws-s3-bucket.yaml deleted file mode 100644 index dbb0328761..0000000000 --- a/cloud-enumeration/cloud-enum-aws-s3-bucket.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: cloud-enum-aws-s3-bucket - -info: - name: Cloud Enumeration - AWS S3 Buckets - author: initstring - severity: info - description: Searches for open and protected buckets in AWS S3 - reference: tba - tags: cloud,aws - -self-contained: true - -variables: - baseDNS: "s3.amazonaws.com" - -http: - - raw: - - | - GET http://{{wordlist}}.{{baseDNS}} HTTP/1.1 - Host: {{wordlist}}.{{baseDNS}} - redirects: false - attack: batteringram - threads: 10 - matchers: - - type: status - name: "Open AWS S3 Bucket" - status: - - 200 - - type: status - name: "Protected AWS S3 Bucket" - status: - - 403 \ No newline at end of file diff --git a/cloud-enumeration/cloud-enum-azure-db.yaml b/cloud-enumeration/cloud-enum-azure-db.yaml deleted file mode 100644 index 727d8987c2..0000000000 --- a/cloud-enumeration/cloud-enum-azure-db.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -id: cloud-enum-azure-db - -info: - name: Cloud Enumeration - Azure Databases - author: initstring - severity: info - description: Searches for Azure databases via their registered DNS names - reference: tba - tags: cloud,azure - -self-contained: true - -variables: - baseDNS: "database.windows.net" - -dns: - - name: "{{wordlist}}.{{baseDNS}}" - type: A - class: inet - recursion: true - attack: batteringram - #threads: 10 # TODO: uncomment when functionality implemented - matchers: - - type: word - part: answer - words: - # The response must contain an A record - - "IN\tA" \ No newline at end of file diff --git a/cloud-enumeration/cloud-enum-azure-website.yaml b/cloud-enumeration/cloud-enum-azure-website.yaml deleted file mode 100644 index 4743842947..0000000000 --- a/cloud-enumeration/cloud-enum-azure-website.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: cloud-enum-azure-website - -info: - name: Cloud Enumeration - Azure Websites - author: initstring - severity: info - description: Searches for Azure websites that are registered and responding - reference: tba - tags: cloud,azure - -self-contained: true - -variables: - baseDNS: "azurewebsites.net" - -http: - - raw: - - | - GET https://{{wordlist}}.{{baseDNS}} HTTP/1.1 - Host: {{wordlist}}.{{baseDNS}} - redirects: false - attack: batteringram - threads: 10 - matchers: - - type: status - name: "Available Azure Website" - condition: or - status: - - 200 - - 302 \ No newline at end of file diff --git a/cloud-enumeration/cloud-enum-gcp-app-engine.yaml b/cloud-enumeration/cloud-enum-gcp-app-engine.yaml deleted file mode 100644 index c66a9665f4..0000000000 --- a/cloud-enumeration/cloud-enum-gcp-app-engine.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: cloud-enum-gcp-app-engine - -info: - name: Cloud Enumeration - GCP App Engine (Appspot) - author: initstring - severity: info - description: Searches for App Engine Apps in GCP - reference: tba - tags: cloud,gcp - -self-contained: true - -variables: - baseDNS: "appspot.com" - loginRedirect: "accounts.google.com" - -http: - - raw: - - | - GET https://{{wordlist}}.{{baseDNS}} HTTP/1.1 - Host: {{wordlist}}.{{baseDNS}} - redirects: false - attack: batteringram - threads: 10 - matchers: - - type: status - name: "Open GCP App Engine App" - status: - - 200 - - type: dsl - name: "Protected GCP App Engine App" - condition: and - dsl: - - "status_code==302" - - contains(location, "login") \ No newline at end of file diff --git a/cloud-enumeration/cloud-enum-gcp-firebase-app.yaml b/cloud-enumeration/cloud-enum-gcp-firebase-app.yaml deleted file mode 100644 index e323aacb30..0000000000 --- a/cloud-enumeration/cloud-enum-gcp-firebase-app.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: cloud-enum-gcp-firebase-app - -info: - name: Cloud Enumeration - GCP Firebase Apps - author: initstring - severity: info - description: Searches for Firebase Apps in GCP - reference: tba - tags: cloud,gcp - -self-contained: true - -variables: - baseDNS: "firebaseapp.com" - -http: - - raw: - - | - GET https://{{wordlist}}.{{baseDNS}} HTTP/1.1 - Host: {{wordlist}}.{{baseDNS}} - redirects: false - attack: batteringram - threads: 10 - matchers: - - type: status - name: "Open GCP Firebase App" - status: - - 200 \ No newline at end of file diff --git a/cloud/enum/aws-app-enum.yaml b/cloud/enum/aws-app-enum.yaml new file mode 100644 index 0000000000..e5acefae11 --- /dev/null +++ b/cloud/enum/aws-app-enum.yaml 
@@ -0,0 +1,36 @@ +id: aws-app-enum + +info: + name: AWS Apps - Cloud Enumeration + author: initstring + severity: info + description: | + Searches for AWS apps (WorkDocs, WorkMail, Connect, etc.) + metadata: + verified: true + max-request: 1 + tags: cloud,cloud-enum,aws + +self-contained: true + +variables: + BaseDNS: "awsapps.com" + +http: + - raw: + - | + GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1 + Host: {{wordlist}}.{{BaseDNS}} + + redirects: false + + attack: batteringram + threads: 10 + + matchers: + - type: status + name: "Registered AWS App" + status: + - 200 + - 302 + condition: or \ No newline at end of file diff --git a/cloud/enum/aws-s3-bucket-enum.yaml b/cloud/enum/aws-s3-bucket-enum.yaml new file mode 100644 index 0000000000..7975ae475f --- /dev/null +++ b/cloud/enum/aws-s3-bucket-enum.yaml @@ -0,0 +1,40 @@ +id: aws-s3-bucket-enum + +info: + name: AWS S3 Buckets - Cloud Enumeration + author: initstring + severity: info + description: | + Searches for open and protected buckets in AWS S3 + metadata: + verified: true + max-request: 1 + tags: cloud,cloud-enum,aws + +self-contained: true + +variables: + BaseDNS: "s3.amazonaws.com" + +http: + - raw: + - | + GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1 + Host: {{wordlist}}.{{BaseDNS}} + + redirects: false + + attack: batteringram + threads: 10 + + matchers-condition: or + matchers: + - type: status + name: "Open AWS S3 Bucket" + status: + - 200 + + - type: status + name: "Protected AWS S3 Bucket" + status: + - 403 diff --git a/cloud/enum/azure-db-enum.yaml b/cloud/enum/azure-db-enum.yaml new file mode 100644 index 0000000000..ddcc351f83 --- /dev/null +++ b/cloud/enum/azure-db-enum.yaml 
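Review bot: `max-request: 1` under `metadata` appears to understate what this template does: with `attack: batteringram` and `{{wordlist}}` substituted into both the request line and the `Host` header, one request goes out per wordlist entry, so the field should either be dropped or say that the count scales with the wordlist; aws-s3-bucket-enum and azure-db-enum carry the same `max-request: 1`. The hunk also shows no `payloads:` block defining `wordlist`, so how the list is supplied is not visible here; if it is expected to be provided at runtime, a sentence in `description` such as `Requires a wordlist payload to be supplied for {{wordlist}}.` would save the next reader guessing. A 302 is counted as "Registered" without looking at `Location`, which is fine for an existence check but deserves a one-line comment above the matcher so a later `redirects: true` change does not silently break it.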
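Review bot: The request line `GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1` probes s3.amazonaws.com over plaintext, so every candidate bucket name and the 200/403 verdict travel unencrypted and can be altered in transit, while the AWS app, Azure and Firebase templates in this commit use `https://`. If plain HTTP is deliberate — the wildcard certificate on `*.s3.amazonaws.com` does not validate for bucket names containing dots — that reason belongs in a comment above the `raw:` block, e.g. `# http: bucket names with dots fail TLS validation on the wildcard cert`; otherwise switch the scheme. gcp-bucket-enum has the same `http://` request line.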
@@ -0,0 +1,31 @@ +id: azure-db-enum + +info: + name: Azure Databases - Cloud Enumeration + author: initstring + severity: info + description: | + Searches for Azure databases via their registered DNS names + metadata: + verified: true + max-request: 1 + tags: cloud,cloud-enum,azure + +self-contained: true + +variables: + BaseDNS: "database.windows.net" + +dns: + - name: "{{wordlist}}.{{BaseDNS}}" + type: A + class: inet + + recursion: true + + attack: batteringram + matchers: + - type: word + part: answer + words: + - "IN\tA" \ No newline at end of file diff --git a/cloud-enumeration/cloud-enum-azure-vm.yaml b/cloud/enum/azure-vm-cloud-enum.yaml similarity index 60% rename from cloud-enumeration/cloud-enum-azure-vm.yaml rename to cloud/enum/azure-vm-cloud-enum.yaml index 07910f9b0a..f70cde8a4d 100644 --- a/cloud-enumeration/cloud-enum-azure-vm.yaml +++ b/cloud/enum/azure-vm-cloud-enum.yaml @@ -1,18 +1,20 @@ -id: cloud-enum-azure-vm +id: azure-vm-cloud-enum info: - name: Cloud Enumeration - Azure Virtual Machines + name: Azure Virtual Machines - Cloud Enumeration author: initstring severity: info - description: Searches for Azure virtual machines via their registered DNS names - reference: tba - tags: cloud,azure + description: | + Searches for Azure virtual machines via their registered DNS names. + metadata: + verified: true + tags: cloud,cloud-enum,azure self-contained: true variables: - baseDNS: "cloudapp.azure.com" - regionName: + BaseDNS: "cloudapp.azure.com" + regionname: - eastasia - southeastasia - centralus 
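Review bot: The only evidence of a match is the word `"IN\tA"` in the answer section, and nothing in the file says so; a comment above `words:` such as `# answer must carry an A record ("IN<tab>A")` would also flag that the double quotes are load-bearing, since `'IN\tA'` in single quotes would look for a literal backslash-t. The same undocumented matcher appears in the second hunk of azure-vm-cloud-enum, where the explanatory comment was removed. A zone with a wildcard A record would satisfy this for every wordlist entry, so it may be worth stating in `description` that a hit means the name resolves, not that a database was confirmed.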
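Review bot: `regionName` is renamed to `regionname` while `baseDNS` becomes `BaseDNS` in the same hunk, and gcp-app-engine-enum keeps `loginRedirect`, so variable naming ends up in three styles across the directory; pick one (the other templates lean towards `BaseDNS`-style) and apply it here, e.g. `RegionName:`, updating the `{{regionname}}` reference in the `dns` name on this file's second hunk in the same change. The region list continues past this hunk, so the two renames must move together.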
@@ -47,15 +49,16 @@ variables: - southafricawest dns: - - name: "{{wordlist}}.{{regionName}}.{{baseDNS}}" + - name: "{{wordlist}}.{{regionname}}.{{BaseDNS}}" type: A class: inet + recursion: true - #attack: batteringram # TODO: uncomment when functionality implemented - #threads: 10 # TODO: uncomment when functionality implemented + + attack: batteringram + matchers: - type: word part: answer words: - # The response must contain an A record - "IN\tA" \ No newline at end of file diff --git a/cloud/enum/azure-website-enum.yaml b/cloud/enum/azure-website-enum.yaml new file mode 100644 index 0000000000..08d6c81c3f --- /dev/null +++ b/cloud/enum/azure-website-enum.yaml @@ -0,0 +1,35 @@ +id: azure-website-enum + +info: + name: Azure Websites - Cloud Enumeration + author: initstring + severity: info + description: | + Searches for Azure websites that are registered and responding. + metadata: + verified: true + tags: cloud,azure + +self-contained: true + +variables: + BaseDNS: "azurewebsites.net" + +http: + - raw: + - | + GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1 + Host: {{wordlist}}.{{BaseDNS}} + + redirects: false + + attack: batteringram + threads: 10 + + matchers: + - type: status + name: "Available Azure Website" + status: + - 200 + - 302 + condition: or \ No newline at end of file diff --git a/cloud/enum/gcp-app-engine-enum.yaml b/cloud/enum/gcp-app-engine-enum.yaml new file mode 100644 index 0000000000..33bd432799 --- /dev/null +++ b/cloud/enum/gcp-app-engine-enum.yaml 
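Review bot: The `#threads: 10 # TODO: uncomment when functionality implemented` line is deleted without either enabling threads or recording why, while every http template in this commit sets `threads: 10`. If `threads` is not supported for `dns` requests, a one-line comment above `attack: batteringram` such as `# threads: not available for dns requests` would stop the next person from re-adding the TODO; if it is supported, the setting was simply lost. The `variables` block this hunk depends on starts outside the hunk.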
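Review bot: `tags: cloud,azure` omits the `cloud-enum` tag that every other template in this commit carries (`tags: cloud,cloud-enum,azure` in azure-db-enum and azure-vm-cloud-enum), so a run that selects `-tags cloud-enum` silently skips this one; change it to `tags: cloud,cloud-enum,azure`. `metadata` also lacks the `max-request` entry the AWS templates have, so the set is inconsistent one way or the other.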
@@ -0,0 +1,41 @@ +id: gcp-app-engine-enum + +info: + name: GCP App Engine (Appspot) - Cloud Enumeration + author: initstring + severity: info + description: | + Searches for App Engine Apps in GCP. + metadata: + verified: true + tags: cloud,cloud-enum,gcp + +self-contained: true + +variables: + BaseDNS: "appspot.com" + loginRedirect: "accounts.google.com" + +http: + - raw: + - | + GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1 + Host: {{wordlist}}.{{BaseDNS}} + + redirects: false + + attack: batteringram + threads: 10 + + matchers: + - type: dsl + name: "Open GCP App Engine App" + dsl: + - "status_code==200" + + - type: dsl + name: "Protected GCP App Engine App" + dsl: + - "status_code==302" + - contains(location, "login") + condition: and \ No newline at end of file diff --git a/cloud-enumeration/cloud-enum-gcp-bucket.yaml b/cloud/enum/gcp-bucket-enum.yaml similarity index 50% rename from cloud-enumeration/cloud-enum-gcp-bucket.yaml rename to cloud/enum/gcp-bucket-enum.yaml index 56309cafc9..b9b80d18af 100644 --- a/cloud-enumeration/cloud-enum-gcp-bucket.yaml +++ b/cloud/enum/gcp-bucket-enum.yaml @@ -1,31 +1,37 @@ -id: cloud-enum-gcp-bucket +id: gcp-bucket-enum info: - name: Cloud Enumeration - GCP Buckets + name: GCP Buckets - Cloud Enumeration author: initstring severity: info - description: Searches for open and protected buckets in GCP - reference: tba - tags: cloud,gcp + description: | + Searches for open and protected buckets in GCP. + metadata: + verified: true + tags: cloud,cloud-enum,gcp self-contained: true variables: - baseDNS: "storage.googleapis.com" + BaseDNS: "storage.googleapis.com" http: - raw: - | - GET http://{{wordlist}}.{{baseDNS}} HTTP/1.1 - Host: {{wordlist}}.{{baseDNS}} + GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1 + Host: {{wordlist}}.{{BaseDNS}} + redirects: false + attack: batteringram threads: 10 + matchers: - type: status name: "Open GCP Bucket" status: - 200 + - type: status name: "Protected GCP Bucket" status: 
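Review bot: `loginRedirect: "accounts.google.com"` is declared under `variables` but nothing in the file references it; the "Protected" matcher tests `contains(location, "login")` instead, which is looser than the variable implies and matches any `Location` value containing that substring. Either reference the variable from the DSL expression or delete it, and leave a comment stating which redirect target is expected, since a reader will otherwise assume the Google accounts host is being checked. The two `dsl` matchers rely on the engine's default `matchers-condition`, while aws-s3-bucket-enum and gcp-firebase-rtdb-enum spell out `matchers-condition: or`; making it explicit here keeps the set consistent.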
diff --git a/cloud/enum/gcp-firebase-app-enum.yaml b/cloud/enum/gcp-firebase-app-enum.yaml new file mode 100644 index 0000000000..ee92f85506 --- /dev/null +++ b/cloud/enum/gcp-firebase-app-enum.yaml @@ -0,0 +1,33 @@ +id: gcp-firebase-app-enum + +info: + name: GCP Firebase Apps - Cloud Enumeration + author: initstring + severity: info + description: | + Searches for Firebase Apps in GCP. + metadata: + verified: true + tags: cloud,cloud-enum,gcp + +self-contained: true + +variables: + BaseDNS: "firebaseapp.com" + +http: + - raw: + - | + GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1 + Host: {{wordlist}}.{{BaseDNS}} + + redirects: false + + attack: batteringram + threads: 10 + + matchers: + - type: status + name: "Open GCP Firebase App" + status: + - 200 \ No newline at end of file diff --git a/cloud-enumeration/cloud-enum-gcp-firebase-rtdb.yaml b/cloud/enum/gcp-firebase-rtdb-enum.yaml similarity index 58% rename from cloud-enumeration/cloud-enum-gcp-firebase-rtdb.yaml rename to cloud/enum/gcp-firebase-rtdb-enum.yaml index 7527b6ffb8..2a38aaff56 100644 --- a/cloud-enumeration/cloud-enum-gcp-firebase-rtdb.yaml +++ b/cloud/enum/gcp-firebase-rtdb-enum.yaml 
@@ -1,39 +1,48 @@ -id: cloud-enum-gcp-firebase-rtdb +id: gcp-firebase-rtdb-enum info: - name: Cloud Enumeration - GCP Firebase Realtime Database + name: GCP Firebase Realtime Database - Cloud Enumeration author: initstring severity: info - description: Searches for Firebase Realtime Databases in GCP - reference: tba - tags: cloud,gcp + description: | + Searches for Firebase Realtime Databases in GCP. + metadata: + verified: true + tags: cloud,cloud-enum,gcp self-contained: true variables: - baseDNS: "firebaseio.com" + BaseDNS: "firebaseio.com" http: - raw: - | - GET https://{{wordlist}}.{{baseDNS}}/.json HTTP/1.1 - Host: {{wordlist}}.{{baseDNS}} + GET https://{{wordlist}}.{{BaseDNS}}/.json HTTP/1.1 + Host: {{wordlist}}.{{BaseDNS}} + redirects: false + attack: batteringram threads: 10 + + matchers-condition: or matchers: - type: status name: "Open GCP Firebase RTDB" status: - 200 + - type: status name: "Protected GCP Firebase RTDB" status: - 401 + - type: status name: "Payment GCP on Google Firebase RTDB" status: - 402 + - type: status name: "Deactivated GCP Firebase RTDB" status:
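Review bot: The matcher name `"Payment GCP on Google Firebase RTDB"` is hard to parse next to its siblings; `"Payment Required GCP Firebase RTDB"` names the 402 status it matches and follows the Open/Protected/Deactivated pattern. The fourth matcher's `status:` list lies beyond the end of the hunk, so its value is not visible here. `matchers-condition: or` is now explicit here and in aws-s3-bucket-enum but absent from the other multi-matcher templates of this commit; if the engine default is `or`, as the others assume, both forms behave the same, but one convention should be chosen.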