Agenda
Today we are going to check S3 bucket security:
Install aws-cli and configure your AWS credentials using the command:
aws configure
Create a Python script to list the S3 buckets (this part is for the blue team; skip it otherwise):
import boto3

s3 = boto3.resource('s3')
# Print the name of every bucket the configured credentials can see
for bucket in s3.buckets.all():
    print(bucket.name)
- You'll get a list of the S3 buckets in your AWS account.
As a curious attacker, we are going to exploit this:
Try grabbing URLs using waybackurls, dirsearch or any similar tool, or just check the page source code.
You might also find file links in the source code; open those files.
Simply open an image on the web app; any of these steps may reveal the S3 bucket name.
Let’s dig more now.
Try this method if you already have the S3 bucket name:
https://s3.ap-south-1.amazonaws.com/$s3-bucketname
If the S3 bucket is misconfigured, the page will display all of its data and documents.
If the S3 bucket is configured correctly, it will show access denied to third parties.
List out all files in the s3 bucket:
aws s3 ls s3://$bucket_name/ --no-sign-request --region ap-south-1
Download all s3 bucket files from s3 to localhost using awscli:
aws s3 sync s3://$bucket_name/ ~/Documents/ab1sec --no-sign-request --region ap-south-1
This is how a lot of sensitive data can be pulled from the company. This may pose a huge risk to the company.
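For the blue team, the bucket list from the first script can be turned into a check for the misconfiguration described above: which buckets would answer a request made with --no-sign-request. This is an added example, not code from the original post; the function names and the sample ACL are made up for illustration, and it inspects bucket-level settings only (the account-level public access block is not checked).

```python
# Added example. Sample responses are constructed; shapes follow boto3's S3 client.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def assess(pab, acl, policy_is_public):
    """Findings for one bucket. pab: PublicAccessBlockConfiguration dict or None;
    acl: get_bucket_acl response; policy_is_public: PolicyStatus['IsPublic']."""
    pab = pab or {}
    findings = [f"{k} is off" for k in PAB_KEYS if not pab.get(k)]
    if not pab.get("IgnorePublicAcls"):  # public ACL grants are honoured
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS:
                group = uri.rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    if policy_is_public and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy is public")
    return findings

def audit_account():
    """Run assess() on every bucket visible to the configured credentials."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")

    def fetch(call, absent_code, name):
        try:
            return call(Bucket=name)
        except ClientError as err:  # only "not configured" means None
            if err.response["Error"]["Code"] == absent_code:
                return None
            raise

    report = {}
    for name in (b["Name"] for b in s3.list_buckets()["Buckets"]):
        pab = fetch(s3.get_public_access_block,
                    "NoSuchPublicAccessBlockConfiguration", name)
        status = fetch(s3.get_bucket_policy_status, "NoSuchBucketPolicy", name)
        report[name] = assess(
            (pab or {}).get("PublicAccessBlockConfiguration"),
            s3.get_bucket_acl(Bucket=name),
            bool(status and status["PolicyStatus"]["IsPublic"]))
    return report

# Constructed sample: no public access block, bucket ACL readable by everyone.
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
SAMPLE_FINDINGS = assess(None, SAMPLE_ACL, False)
```

Calling audit_account() with the credentials set up by aws configure returns a dict of bucket name to findings; an empty list means the bucket-level settings block anonymous listing and download.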