Merge pull request #6865 from initstring/cloud-enum-implementation
DRAFT: Implementing cloud asset discoverypatch-1
commit
b942dfabc1
|
@ -0,0 +1,36 @@
|
|||
id: aws-app-enum
|
||||
|
||||
info:
|
||||
name: AWS Apps - Cloud Enumeration
|
||||
author: initstring
|
||||
severity: info
|
||||
description: |
|
||||
Searches for AWS apps (WorkDocs, WorkMail, Connect, etc.)
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
tags: cloud,cloud-enum,aws
|
||||
|
||||
self-contained: true
|
||||
|
||||
variables:
|
||||
BaseDNS: "awsapps.com"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
|
||||
Host: {{wordlist}}.{{BaseDNS}}
|
||||
|
||||
redirects: false
|
||||
|
||||
attack: batteringram
|
||||
threads: 10
|
||||
|
||||
matchers:
|
||||
- type: status
|
||||
name: "Registered AWS App"
|
||||
status:
|
||||
- 200
|
||||
- 302
|
||||
condition: or
|
|
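Review bot: `{{wordlist}}` in the request line and the Host header is never defined in this template: there is no `payloads:` block, and `variables` only sets `BaseDNS`. It presumably has to be supplied by the caller at run time, but nothing in the file says so. I would state that in the description, e.g. `Searches for AWS apps (WorkDocs, WorkMail, Connect, etc.). The wordlist variable must be supplied by the caller.` The same gap applies to every other template added in this commit.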
@ -0,0 +1,40 @@
|
|||
id: aws-s3-bucket-enum
|
||||
|
||||
info:
|
||||
name: AWS S3 Buckets - Cloud Enumeration
|
||||
author: initstring
|
||||
severity: info
|
||||
description: |
|
||||
Searches for open and protected buckets in AWS S3
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
tags: cloud,cloud-enum,aws
|
||||
|
||||
self-contained: true
|
||||
|
||||
variables:
|
||||
BaseDNS: "s3.amazonaws.com"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1
|
||||
Host: {{wordlist}}.{{BaseDNS}}
|
||||
|
||||
redirects: false
|
||||
|
||||
attack: batteringram
|
||||
threads: 10
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: status
|
||||
name: "Open AWS S3 Bucket"
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: status
|
||||
name: "Protected AWS S3 Bucket"
|
||||
status:
|
||||
- 403
|
|
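Review bot: The probe goes out over plaintext `http://`, while the AWS Apps, Azure Websites, App Engine and Firebase templates in this commit use `https://`. Over plaintext, anything on the network path can alter the 200/403 status that decides between "Open" and "Protected". If nothing prevents it, use `GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1`. If plaintext is deliberate (for example because bucket names containing dots would not match the endpoint's wildcard certificate), add a comment above the request saying so. gcp-bucket-enum has the same `http://` request line.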
@ -0,0 +1,31 @@
|
|||
id: azure-db-enum
|
||||
|
||||
info:
|
||||
name: Azure Databases - Cloud Enumeration
|
||||
author: initstring
|
||||
severity: info
|
||||
description: |
|
||||
Searches for Azure databases via their registered DNS names
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
tags: cloud,cloud-enum,azure
|
||||
|
||||
self-contained: true
|
||||
|
||||
variables:
|
||||
BaseDNS: "database.windows.net"
|
||||
|
||||
dns:
|
||||
- name: "{{wordlist}}.{{BaseDNS}}"
|
||||
type: A
|
||||
class: inet
|
||||
|
||||
recursion: true
|
||||
|
||||
attack: batteringram
|
||||
matchers:
|
||||
- type: word
|
||||
part: answer
|
||||
words:
|
||||
- "IN\tA"
|
|
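Review bot: The word matcher has no `name:`, unlike the status matchers in the HTTP templates of this commit, so a hit carries no label saying what was found; `name: "Registered Azure Database"` would be consistent with the others. The matcher also keys on the literal `IN\tA` text in the answer, so it fires for any A record returned for the name. A short comment that a hit means "the name resolves", not "a database is reachable", would help whoever triages the output. azure-vm-cloud-enum uses the same unnamed matcher.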
@ -0,0 +1,64 @@
|
|||
id: azure-vm-cloud-enum
|
||||
|
||||
info:
|
||||
name: Azure Virtual Machines - Cloud Enumeration
|
||||
author: initstring
|
||||
severity: info
|
||||
description: |
|
||||
Searches for Azure virtual machines via their registered DNS names.
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cloud,cloud-enum,azure
|
||||
|
||||
self-contained: true
|
||||
|
||||
variables:
|
||||
BaseDNS: "cloudapp.azure.com"
|
||||
regionname:
|
||||
- eastasia
|
||||
- southeastasia
|
||||
- centralus
|
||||
- eastus
|
||||
- eastus2
|
||||
- westus
|
||||
- northcentralus
|
||||
- southcentralus
|
||||
- northeurope
|
||||
- westeurope
|
||||
- japanwest
|
||||
- japaneast
|
||||
- brazilsouth
|
||||
- australiaeast
|
||||
- australiasoutheast
|
||||
- southindia
|
||||
- centralindia
|
||||
- westindia
|
||||
- canadacentral
|
||||
- canadaeast
|
||||
- uksouth
|
||||
- ukwest
|
||||
- westcentralus
|
||||
- westus2
|
||||
- koreacentral
|
||||
- koreasouth
|
||||
- francecentral
|
||||
- francesouth
|
||||
- australiacentral
|
||||
- australiacentral2
|
||||
- southafricanorth
|
||||
- southafricawest
|
||||
|
||||
dns:
|
||||
- name: "{{wordlist}}.{{regionname}}.{{BaseDNS}}"
|
||||
type: A
|
||||
class: inet
|
||||
|
||||
recursion: true
|
||||
|
||||
attack: batteringram
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: answer
|
||||
words:
|
||||
- "IN\tA"
|
|
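Review bot: The DNS name has two placeholders, `{{wordlist}}` and `{{regionname}}`, but the request is set to `attack: batteringram`, which is documented as placing one payload set in all positions. `regionname` is also declared as a list under `variables` rather than under `payloads`, so it is not obvious from the file that every candidate name is tried against every region. Please confirm the expansion with a test run. If a cross product is intended, move the region list under `payloads:` and use `attack: clusterbomb`, or add a comment explaining how the list is iterated. Otherwise an asset inventory built from this template could silently miss regions.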
@ -0,0 +1,35 @@
|
|||
id: azure-website-enum
|
||||
|
||||
info:
|
||||
name: Azure Websites - Cloud Enumeration
|
||||
author: initstring
|
||||
severity: info
|
||||
description: |
|
||||
Searches for Azure websites that are registered and responding.
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cloud,azure
|
||||
|
||||
self-contained: true
|
||||
|
||||
variables:
|
||||
BaseDNS: "azurewebsites.net"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
|
||||
Host: {{wordlist}}.{{BaseDNS}}
|
||||
|
||||
redirects: false
|
||||
|
||||
attack: batteringram
|
||||
threads: 10
|
||||
|
||||
matchers:
|
||||
- type: status
|
||||
name: "Available Azure Website"
|
||||
status:
|
||||
- 200
|
||||
- 302
|
||||
condition: or
|
|
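Review bot: The tags line reads `tags: cloud,azure`, while the other templates in this commit carry `cloud-enum` as well. A run that selects templates by the `cloud-enum` tag would skip this one without any warning. I would make it `tags: cloud,cloud-enum,azure`, matching azure-db-enum and azure-vm-cloud-enum.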
@ -0,0 +1,41 @@
|
|||
id: gcp-app-engine-enum
|
||||
|
||||
info:
|
||||
name: GCP App Engine (Appspot) - Cloud Enumeration
|
||||
author: initstring
|
||||
severity: info
|
||||
description: |
|
||||
Searches for App Engine Apps in GCP.
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cloud,cloud-enum,gcp
|
||||
|
||||
self-contained: true
|
||||
|
||||
variables:
|
||||
BaseDNS: "appspot.com"
|
||||
loginRedirect: "accounts.google.com"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
|
||||
Host: {{wordlist}}.{{BaseDNS}}
|
||||
|
||||
redirects: false
|
||||
|
||||
attack: batteringram
|
||||
threads: 10
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
name: "Open GCP App Engine App"
|
||||
dsl:
|
||||
- "status_code==200"
|
||||
|
||||
- type: dsl
|
||||
name: "Protected GCP App Engine App"
|
||||
dsl:
|
||||
- "status_code==302"
|
||||
- contains(location, "login")
|
||||
condition: and
|
|
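Review bot: `loginRedirect: "accounts.google.com"` is declared under `variables` but never used; the "Protected" matcher checks `contains(location, "login")` with a hard-coded string instead. Any 302 whose Location merely contains "login" would be labelled a protected App Engine app, including an application's own login page. Either use the variable, `- 'contains(location, loginRedirect)'` (assuming template variables are visible to DSL matchers here), or drop the unused declaration. Quoting the expression would also match the style of the `"status_code==302"` line above it.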
@ -0,0 +1,38 @@
|
|||
id: gcp-bucket-enum
|
||||
|
||||
info:
|
||||
name: GCP Buckets - Cloud Enumeration
|
||||
author: initstring
|
||||
severity: info
|
||||
description: |
|
||||
Searches for open and protected buckets in GCP.
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cloud,cloud-enum,gcp
|
||||
|
||||
self-contained: true
|
||||
|
||||
variables:
|
||||
BaseDNS: "storage.googleapis.com"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1
|
||||
Host: {{wordlist}}.{{BaseDNS}}
|
||||
|
||||
redirects: false
|
||||
|
||||
attack: batteringram
|
||||
threads: 10
|
||||
|
||||
matchers:
|
||||
- type: status
|
||||
name: "Open GCP Bucket"
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: status
|
||||
name: "Protected GCP Bucket"
|
||||
status:
|
||||
- 403
|
|
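Review bot: This template has two named status matchers but no `matchers-condition`, whereas aws-s3-bucket-enum and gcp-firebase-rtdb-enum state `matchers-condition: or` explicitly for the same open/protected pattern. The behaviour is probably the same through the default. Adding `matchers-condition: or` above `matchers:` would keep the bucket templates uniform and make the intent visible to a reader who does not know the default.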
@ -0,0 +1,33 @@
|
|||
id: gcp-firebase-app-enum
|
||||
|
||||
info:
|
||||
name: GCP Firebase Apps - Cloud Enumeration
|
||||
author: initstring
|
||||
severity: info
|
||||
description: |
|
||||
Searches for Firebase Apps in GCP.
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cloud,cloud-enum,gcp
|
||||
|
||||
self-contained: true
|
||||
|
||||
variables:
|
||||
BaseDNS: "firebaseapp.com"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
|
||||
Host: {{wordlist}}.{{BaseDNS}}
|
||||
|
||||
redirects: false
|
||||
|
||||
attack: batteringram
|
||||
threads: 10
|
||||
|
||||
matchers:
|
||||
- type: status
|
||||
name: "Open GCP Firebase App"
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,49 @@
|
|||
id: gcp-firebase-rtdb-enum
|
||||
|
||||
info:
|
||||
name: GCP Firebase Realtime Database - Cloud Enumeration
|
||||
author: initstring
|
||||
severity: info
|
||||
description: |
|
||||
Searches for Firebase Realtime Databases in GCP.
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cloud,cloud-enum,gcp
|
||||
|
||||
self-contained: true
|
||||
|
||||
variables:
|
||||
BaseDNS: "firebaseio.com"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET https://{{wordlist}}.{{BaseDNS}}/.json HTTP/1.1
|
||||
Host: {{wordlist}}.{{BaseDNS}}
|
||||
|
||||
redirects: false
|
||||
|
||||
attack: batteringram
|
||||
threads: 10
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: status
|
||||
name: "Open GCP Firebase RTDB"
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: status
|
||||
name: "Protected GCP Firebase RTDB"
|
||||
status:
|
||||
- 401
|
||||
|
||||
- type: status
|
||||
name: "Payment GCP on Google Firebase RTDB"
|
||||
status:
|
||||
- 402
|
||||
|
||||
- type: status
|
||||
name: "Deactivated GCP Firebase RTDB"
|
||||
status:
|
||||
- 423
|
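Review bot: The "Open GCP Firebase RTDB" matcher fires on a 200 for `GET /.json`. That presumably means the database root was readable without credentials, yet it is reported at the same `severity: info` as the 401, 402 and 423 existence-only results. The description should say so, e.g. `A 200 result means the database root answered an unauthenticated read and should be reviewed as a data exposure.` Otherwise it is likely to be triaged as inventory noise. The 402 matcher name `"Payment GCP on Google Firebase RTDB"` is also hard to parse; `"Payment Required GCP Firebase RTDB"` may be what was meant.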