diff --git a/cloud/enum/aws-app-enum.yaml b/cloud/enum/aws-app-enum.yaml
new file mode 100644
index 0000000000..e5acefae11
--- /dev/null
+++ b/cloud/enum/aws-app-enum.yaml
@@ -0,0 +1,36 @@
+id: aws-app-enum
+
+info:
+ name: AWS Apps - Cloud Enumeration
+ author: initstring
+ severity: info
+ description: |
+ Searches for AWS apps (WorkDocs, WorkMail, Connect, etc.)
+ metadata:
+ verified: true
+ max-request: 1
+ tags: cloud,cloud-enum,aws
+
+self-contained: true
+
+variables:
+ BaseDNS: "awsapps.com"
+
+http:
+ - raw:
+ - |
+ GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+ Host: {{wordlist}}.{{BaseDNS}}
+
+ redirects: false
+
+ attack: batteringram
+ threads: 10
+
+ matchers:
+ - type: status
+ name: "Registered AWS App"
+ status:
+ - 200
+ - 302
+ condition: or
\ No newline at end of file
diff --git a/cloud/enum/aws-s3-bucket-enum.yaml b/cloud/enum/aws-s3-bucket-enum.yaml
new file mode 100644
index 0000000000..7975ae475f
--- /dev/null
+++ b/cloud/enum/aws-s3-bucket-enum.yaml
@@ -0,0 +1,40 @@
+id: aws-s3-bucket-enum
+
+info:
+ name: AWS S3 Buckets - Cloud Enumeration
+ author: initstring
+ severity: info
+ description: |
+ Searches for open and protected buckets in AWS S3
+ metadata:
+ verified: true
+ max-request: 1
+ tags: cloud,cloud-enum,aws
+
+self-contained: true
+
+variables:
+ BaseDNS: "s3.amazonaws.com"
+
+http:
+ - raw:
+ - |
+ GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+ Host: {{wordlist}}.{{BaseDNS}}
+
+ redirects: false
+
+ attack: batteringram
+ threads: 10
+
+ matchers-condition: or
+ matchers:
+ - type: status
+ name: "Open AWS S3 Bucket"
+ status:
+ - 200
+
+ - type: status
+ name: "Protected AWS S3 Bucket"
+ status:
+ - 403
diff --git a/cloud/enum/azure-db-enum.yaml b/cloud/enum/azure-db-enum.yaml
new file mode 100644
index 0000000000..ddcc351f83
--- /dev/null
+++ b/cloud/enum/azure-db-enum.yaml
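Review bot: `{{wordlist}}` in the raw request of aws-app-enum is never defined in the file — there is no `payloads` block and `variables` only sets `BaseDNS` — and nothing in `info` says the value has to be supplied from outside. I would add a line to the description such as `Requires the wordlist variable to be supplied at run time.` so that a run without it is not mistaken for a clean result. The same gap is in the other eight templates in this commit. Separately, `max-request: 1` here and in aws-s3-bucket-enum and azure-db-enum understates the traffic, since the real request count follows the size of the wordlist.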
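Review bot: The request line in aws-s3-bucket-enum uses `http://`, so every probed bucket name and the response travel in clear text, while the app and website templates in this commit use `https://`. Unless plain HTTP is deliberate, I would change it to `GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1`. If it is deliberate (presumably because bucket names containing dots do not match the wildcard certificate), a one-line comment above `- raw:` saying so would help. gcp-bucket-enum has the same `http://` request line.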
@@ -0,0 +1,31 @@
+id: azure-db-enum
+
+info:
+ name: Azure Databases - Cloud Enumeration
+ author: initstring
+ severity: info
+ description: |
+ Searches for Azure databases via their registered DNS names
+ metadata:
+ verified: true
+ max-request: 1
+ tags: cloud,cloud-enum,azure
+
+self-contained: true
+
+variables:
+ BaseDNS: "database.windows.net"
+
+dns:
+ - name: "{{wordlist}}.{{BaseDNS}}"
+ type: A
+ class: inet
+
+ recursion: true
+
+ attack: batteringram
+ matchers:
+ - type: word
+ part: answer
+ words:
+ - "IN\tA"
\ No newline at end of file
diff --git a/cloud/enum/azure-vm-cloud-enum.yaml b/cloud/enum/azure-vm-cloud-enum.yaml
new file mode 100644
index 0000000000..f70cde8a4d
--- /dev/null
+++ b/cloud/enum/azure-vm-cloud-enum.yaml
@@ -0,0 +1,64 @@
+id: azure-vm-cloud-enum
+
+info:
+ name: Azure Virtual Machines - Cloud Enumeration
+ author: initstring
+ severity: info
+ description: |
+ Searches for Azure virtual machines via their registered DNS names.
+ metadata:
+ verified: true
+ tags: cloud,cloud-enum,azure
+
+self-contained: true
+
+variables:
+ BaseDNS: "cloudapp.azure.com"
+ regionname:
+ - eastasia
+ - southeastasia
+ - centralus
+ - eastus
+ - eastus2
+ - westus
+ - northcentralus
+ - southcentralus
+ - northeurope
+ - westeurope
+ - japanwest
+ - japaneast
+ - brazilsouth
+ - australiaeast
+ - australiasoutheast
+ - southindia
+ - centralindia
+ - westindia
+ - canadacentral
+ - canadaeast
+ - uksouth
+ - ukwest
+ - westcentralus
+ - westus2
+ - koreacentral
+ - koreasouth
+ - francecentral
+ - francesouth
+ - australiacentral
+ - australiacentral2
+ - southafricanorth
+ - southafricawest
+
+dns:
+ - name: "{{wordlist}}.{{regionname}}.{{BaseDNS}}"
+ type: A
+ class: inet
+
+ recursion: true
+
+ attack: batteringram
+
+ matchers:
+ - type: word
+ part: answer
+ words:
+ - "IN\tA"
\ No newline at end of file
diff --git a/cloud/enum/azure-website-enum.yaml b/cloud/enum/azure-website-enum.yaml
new file mode 100644
index 0000000000..08d6c81c3f
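Review bot: The single matcher in azure-db-enum has no `name`, unlike the HTTP templates in this commit, so a hit carries no label saying what was found; adding e.g. `name: "Registered Azure Database"` would keep the output consistent. The match on `"IN\tA"` also depends on the answer section being rendered with a tab between class and type, which I cannot confirm from the hunk. A short comment above `words:` stating that assumption would help the next maintainer. azure-vm-cloud-enum uses the same unnamed matcher.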
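Review bot: `regionname` in azure-vm-cloud-enum is declared as a list under `variables`, but the query name `{{wordlist}}.{{regionname}}.{{BaseDNS}}` runs with `attack: batteringram` and no `payloads` block, and it is not evident from the hunk that each region is actually iterated against each wordlist entry. If the intent is every name in every region, I would expect `regionname` to be a payload set combined with `attack: clusterbomb`; otherwise the template can report nothing for hosts that do exist, which reads as a clean inventory. The hard-coded region list will also drift as regions are added, so a comment above it giving the date or source it was taken from would be useful.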
--- /dev/null
+++ b/cloud/enum/azure-website-enum.yaml
@@ -0,0 +1,35 @@
+id: azure-website-enum
+
+info:
+ name: Azure Websites - Cloud Enumeration
+ author: initstring
+ severity: info
+ description: |
+ Searches for Azure websites that are registered and responding.
+ metadata:
+ verified: true
+ tags: cloud,azure
+
+self-contained: true
+
+variables:
+ BaseDNS: "azurewebsites.net"
+
+http:
+ - raw:
+ - |
+ GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+ Host: {{wordlist}}.{{BaseDNS}}
+
+ redirects: false
+
+ attack: batteringram
+ threads: 10
+
+ matchers:
+ - type: status
+ name: "Available Azure Website"
+ status:
+ - 200
+ - 302
+ condition: or
\ No newline at end of file
diff --git a/cloud/enum/gcp-app-engine-enum.yaml b/cloud/enum/gcp-app-engine-enum.yaml
new file mode 100644
index 0000000000..33bd432799
--- /dev/null
+++ b/cloud/enum/gcp-app-engine-enum.yaml
@@ -0,0 +1,41 @@
+id: gcp-app-engine-enum
+
+info:
+ name: GCP App Engine (Appspot) - Cloud Enumeration
+ author: initstring
+ severity: info
+ description: |
+ Searches for App Engine Apps in GCP.
+ metadata:
+ verified: true
+ tags: cloud,cloud-enum,gcp
+
+self-contained: true
+
+variables:
+ BaseDNS: "appspot.com"
+ loginRedirect: "accounts.google.com"
+
+http:
+ - raw:
+ - |
+ GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+ Host: {{wordlist}}.{{BaseDNS}}
+
+ redirects: false
+
+ attack: batteringram
+ threads: 10
+
+ matchers:
+ - type: dsl
+ name: "Open GCP App Engine App"
+ dsl:
+ - "status_code==200"
+
+ - type: dsl
+ name: "Protected GCP App Engine App"
+ dsl:
+ - "status_code==302"
+ - contains(location, "login")
+ condition: and
\ No newline at end of file
diff --git a/cloud/enum/gcp-bucket-enum.yaml b/cloud/enum/gcp-bucket-enum.yaml
new file mode 100644
index 0000000000..b9b80d18af
--- /dev/null
+++ b/cloud/enum/gcp-bucket-enum.yaml
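Review bot: The `tags` line in azure-website-enum reads `cloud,azure` and omits `cloud-enum`, which every other template in this commit carries, so a run selected by that tag would skip this file. I would change it to `tags: cloud,cloud-enum,azure`.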
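Review bot: `loginRedirect: "accounts.google.com"` is declared under `variables` in gcp-app-engine-enum but never referenced; the "Protected GCP App Engine App" matcher tests `contains(location, "login")` instead. That substring matches any 302 whose Location contains "login", including an application's own login page, so the label can be wrong. I would either match the declared host, `- contains(location, "accounts.google.com")`, or drop the unused variable.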
@@ -0,0 +1,38 @@
+id: gcp-bucket-enum
+
+info:
+ name: GCP Buckets - Cloud Enumeration
+ author: initstring
+ severity: info
+ description: |
+ Searches for open and protected buckets in GCP.
+ metadata:
+ verified: true
+ tags: cloud,cloud-enum,gcp
+
+self-contained: true
+
+variables:
+ BaseDNS: "storage.googleapis.com"
+
+http:
+ - raw:
+ - |
+ GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+ Host: {{wordlist}}.{{BaseDNS}}
+
+ redirects: false
+
+ attack: batteringram
+ threads: 10
+
+ matchers:
+ - type: status
+ name: "Open GCP Bucket"
+ status:
+ - 200
+
+ - type: status
+ name: "Protected GCP Bucket"
+ status:
+ - 403
\ No newline at end of file
diff --git a/cloud/enum/gcp-firebase-app-enum.yaml b/cloud/enum/gcp-firebase-app-enum.yaml
new file mode 100644
index 0000000000..ee92f85506
--- /dev/null
+++ b/cloud/enum/gcp-firebase-app-enum.yaml
@@ -0,0 +1,33 @@
+id: gcp-firebase-app-enum
+
+info:
+ name: GCP Firebase Apps - Cloud Enumeration
+ author: initstring
+ severity: info
+ description: |
+ Searches for Firebase Apps in GCP.
+ metadata:
+ verified: true
+ tags: cloud,cloud-enum,gcp
+
+self-contained: true
+
+variables:
+ BaseDNS: "firebaseapp.com"
+
+http:
+ - raw:
+ - |
+ GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+ Host: {{wordlist}}.{{BaseDNS}}
+
+ redirects: false
+
+ attack: batteringram
+ threads: 10
+
+ matchers:
+ - type: status
+ name: "Open GCP Firebase App"
+ status:
+ - 200
\ No newline at end of file
diff --git a/cloud/enum/gcp-firebase-rtdb-enum.yaml b/cloud/enum/gcp-firebase-rtdb-enum.yaml
new file mode 100644
index 0000000000..2a38aaff56
--- /dev/null
+++ b/cloud/enum/gcp-firebase-rtdb-enum.yaml
@@ -0,0 +1,49 @@
+id: gcp-firebase-rtdb-enum
+
+info:
+ name: GCP Firebase Realtime Database - Cloud Enumeration
+ author: initstring
+ severity: info
+ description: |
+ Searches for Firebase Realtime Databases in GCP.
+ metadata:
+ verified: true
+ tags: cloud,cloud-enum,gcp
+
+self-contained: true
+
+variables:
+ BaseDNS: "firebaseio.com"
+
+http:
+ - raw:
+ - |
+ GET https://{{wordlist}}.{{BaseDNS}}/.json HTTP/1.1
+ Host: {{wordlist}}.{{BaseDNS}}
+
+ redirects: false
+
+ attack: batteringram
+ threads: 10
+
+ matchers-condition: or
+ matchers:
+ - type: status
+ name: "Open GCP Firebase RTDB"
+ status:
+ - 200
+
+ - type: status
+ name: "Protected GCP Firebase RTDB"
+ status:
+ - 401
+
+ - type: status
+ name: "Payment GCP on Google Firebase RTDB"
+ status:
+ - 402
+
+ - type: status
+ name: "Deactivated GCP Firebase RTDB"
+ status:
+ - 423
\ No newline at end of file
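Review bot: The probe in gcp-firebase-rtdb-enum requests `/.json`, which is the database root, so when a database is readable the 200 response carries its full contents to the scanning host even though the matchers look only at the status code. Asking for keys only would keep that data off the wire: `GET https://{{wordlist}}.{{BaseDNS}}/.json?shallow=true HTTP/1.1`. The status codes used by the four matchers should be unchanged by this, but that is worth confirming. The matcher name `"Payment GCP on Google Firebase RTDB"` is also hard to read next to the others; something like `"Payment Required GCP Firebase RTDB"` says what a 402 means.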