My recent #aws threads always startet with creds, but how to get these creds will be the topic over the next days.
#hacking #recon #cloud
Lets start here:
👇
#hacking #recon #cloud
Lets start here:
👇
Definitions first:
#aws creds: classic name and passwords e.g for IAM, or aws access and secret keys
Outside: no creds, and no connections in any way to the org and its aws cloud to be tested
#aws creds: classic name and passwords e.g for IAM, or aws access and secret keys
Outside: no creds, and no connections in any way to the org and its aws cloud to be tested
Interaction Point: Any potential point, application ressource, system, vulnerabilty etc, where there is a pawsibilty to gain #aws creds, can be a lot of things
lets do outside first: #hackers are cold, let them in.
lets do outside first: #hackers are cold, let them in.
Two things from outside:
1. Search for #aws creds leak
2. Identify and if possible abuse interaction points to gain #aws creds (future thread)
Leak search now, interactions points in a future thread
1. Search for #aws creds leak
2. Identify and if possible abuse interaction points to gain #aws creds (future thread)
Leak search now, interactions points in a future thread
Basically ANYTHING puplic where #aws creds were mistakenly posted.
Stuff like:
Anything git, github, gitlab etc
Any share-stuff
Any api-collections
Any stuff on developer plattforms
Anything you can find really
Stuff like:
Anything git, github, gitlab etc
Any share-stuff
Any api-collections
Any stuff on developer plattforms
Anything you can find really
Some already well known tools for this
buckets.grayhatwarfare.com/buckets
zoomeye.org
github.com/tillson/git-ho…
and a lot more tools like these ....
buckets.grayhatwarfare.com/buckets
zoomeye.org
github.com/tillson/git-ho…
and a lot more tools like these ....
TBH its not as easy to find creds as it used to be, creds are flagged, scanned for by orgs themselfes or contracters etc.
Selfhosted git or share-thingies sometimes still might be good tho, but don't expect to find #aws creds in pup git easily.
Selfhosted git or share-thingies sometimes still might be good tho, but don't expect to find #aws creds in pup git easily.
Sidenote: I purrsonaly am often more interested in terraform or cloudformation confs, even if they has no key, is super valuable information, about system arch, and interaction points. I yearn for the yaml! 
Sidenote: The last key I found from pure outside was not in repo but in commit-history, check those.
Also: Of course there is also darknet, markets, forums and payed-leaks, but these are for another time.
Also: Of course there is also darknet, markets, forums and payed-leaks, but these are for another time.
As always in reality all is more complex. Imagine you have rdp in an org, even tho you are technically inside, you have no cloud creds, so INSIDE is OUTSIDE meow!
Do the same, look for share, git, scripts, jobs etc. all of it. Inside might not be auto scanning/tagging for #aws keys. Recent example the #uber hack, White found a script, then pam, then cloud creds:
Don't tunnelvision on ad 2 much fellows.
Don't tunnelvision on ad 2 much fellows.
Next up Interaction points, general stuff and technical examples. And yes you can support me by sending me cute animals and illegaly dirty techno.
@threadreaderapp unroll
• • •
Missing some Tweet in this thread? You can try to
force a refresh
