├── LICENSE └── README.md /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 7 Way Security 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # **Cloud OSINT** 2 | 3 | A repository with information related to different resources, tools, and techniques associated with Cloud OSINT 4 | 5 | ## **Cloud Infrastructure** 6 | 7 | ### **Azure Storage** 8 | 9 | * Blob storage: http://*mystorageaccount*.blob.core.windows.net 10 | * Table storage: http://*mystorageaccount*.table.core.windows.net 11 | * Queue storage: http://*mystorageaccount*.queue.core.windows.net 12 | * Azure Files: http://*mystorageaccount*.file.core.windows.net 13 | * Database: http://*mystorageaccount*.database.windows.net 14 | 15 | ### **AWS Regions** 16 | 17 | * af-south-1 18 | * ap-east-1 19 | * ap-northeast-1 20 | * ap-northeast-2 21 | * ap-northeast-3 22 | * ap-south-1 23 | * ap-south-2 24 | * ap-southeast-1 25 | * ap-southeast-2 26 | * ap-southeast-3 27 | * ap-southeast-4 28 | * ap-southeast-5 29 | * ap-southeast-7 30 | * ca-central-1 31 | * ca-west-1 32 | * cn-north-1 33 | * cn-northwest-1 34 | * eu-central-1 35 | * eu-central-2 36 | * eu-north-1 37 | * eu-south-1 38 | * eu-south-2 39 | * eu-west-1 40 | * eu-west-2 41 | * eu-west-3 42 | * il-central-1 43 | * me-central-1 44 | * me-south-1 45 | * mx-central-1 46 | * sa-east-1 47 | * us-east-1 48 | * us-east-2 49 | * us-gov-east-1 50 | * us-gov-west-1 51 | * us-west-1 52 | * us-west-2 53 | 54 | ### **AWS S3 Buckets** 55 | 56 | * https://[bucketname].s3.amazonaws.com 57 | * https://s3-[region].amazonaws/[bucketname]/ 58 | * https://[bucketname].s3-website-[region].amazonaws.com/ 59 | 60 | ### **AWS SQS** 61 | 62 | https://sqs.[region].amazonaws.com 63 | 64 | ### **GCP Technologies** 65 | * Technologies Cheatsheet - https://googlecloudcheatsheet.withgoogle.com 66 | * GCP Regions and Zones - https://cloud.google.com/compute/docs/regions-zones 67 | 68 | ### **IBM Cloud** 69 | * IBM Global Cloud Data Centers - https://www.ibm.com/cloud/data-centers 70 | * IBM Cloud IP ranges - https://cloud.ibm.com/docs/cloud-infrastructure?topic=cloud-infrastructure-ibm-cloud-ip-ranges 71 | 72 | ## **Google dorks** 73 | 74 | ### **Azure** 75 | 76 | ``` 77 | * site:blob.core.windows.net “keyword” 78 | * site:"blob.core.windows.net" and intext:"CONFIDENTIAL" 79 | * site:*.core.windows.net intext:"TLP:RED" 80 | * site:*.core.windows.net 81 | * site:*.core.windows.net +blob 82 | * site:*.core.windows.net +files -web -blob 83 | * site:*.core.windows.net -web 84 | * site:*.core.windows.net -web -blob -files 85 | * site:*.core.windows.net inurl:dsts.dsts 86 | * site:*.core.windows.net inurl:"term" -web 87 | * site:*.blob.core.windows.net ext:xls | ext:xlsx (login | password | username) 88 | * intext:connectionstring blob filetype:config 89 | * intext:accountkey windows.net filetype:xml 90 | * intext:storageaccountkey windows.net filetype:txt 91 | * Azure SAS Tokens - "bfqt&srt" 92 | ``` 93 | ### **AWS** 94 | 95 | ``` 96 | * site:"s3-external-1.amazonaws.com" and intext:CONFIDENTIAL 97 | * site:"s3.amazonaws.com" and intext:CONFIDENTIAL 98 | * site:"s3.dualstack.us-east-1.amazonaws.com" and intext:CONFIDENTIAL 99 | * site:"s3-external-1.amazonaws.com" and intext:"TOP SECRET" 100 | * site:"s3.amazonaws.com" and intext:"tlp:red" 101 | * site:"s3.amazonaws.com" and intext:"tlp:amber" 102 | * site:s3.amazonaws.com example 103 | * site:s3.amazonaws.com example.com 104 | * site:s3.amazonaws.com example-com 105 | * site:s3.amazonaws.com com.example 106 | * site:s3.amazonaws.com com-example 107 | * site:s3.amazonaws.com filetype:xls password 108 | * site:http://s3.amazonaws.com intitle:index.of.bucket 109 | * site:http://amazonaws.com inurl:".s3.amazonaws.com/" 110 | * s3 site:amazonaws.com filetype:log 111 | * site:http://trello.com "aws.amazon.com" "password" 112 | ``` 113 | ### **Google Cloud** 114 | 115 | ``` 116 | * site:googleapis.com +commondatastorage 117 | * site:.firebaseio.com "COMPANY NAME" 118 | * inurl:bc.googleusercontent.com intitle:index of 119 | * site:storage.googleapis.com 120 | * Bucket list for a project - site:console.cloud.google.com/storage/browser 121 | * Details for an object - site:console.cloud.google.com/storage/browser/_details 122 | * site:firebasestorage.googleapis.com 123 | ``` 124 | ### **IBM Cloud** 125 | ``` 126 | * site:appdomain.cloud 127 | * site:appdomain.cloud +s3 128 | * site:*cloud-object-storage.appdomain.cloud 129 | * site:codeengine.appdomain.cloud 130 | * site:containers.appdomain.cloud 131 | * site:clb.appdomain.cloud 132 | * site:apiconnect.appdomain.cloud 133 | * site:cdn.appdomain.cloud 134 | * site:lb.appdomain.cloud 135 | * site:vmware.cloud.ibm.com - VMware Cloud Director Availability 136 | * site:appid.cloud.ibm.com - IBM Cloud App ID Management Configuration APIs and AppID Authentication Portals 137 | * site:site:ibmmarketingcloud.com 138 | ``` 139 | ### **Miscellaneous Services** 140 | 141 | * site:notion.site "keyword" 142 | 143 | ## **Shodan Dorks** 144 | 145 | ### **Filter Reference** 146 | 147 | * cloud.provider 148 | * cloud.region 149 | * cloud.service 150 | 151 | ### **Azure** 152 | 153 | * cloud.service:"azureCloud" 154 | * cloud.service:"azureCloud" country:GB,US http.title:"swagger" http.status:200 - API Documentation 155 | * cloud.service:"azureCloud" http.status:200 country:GB,US -http.title:"Your Azure Function App is up and running." -http.title"IIS Windows Server“ - Web Services that are not default splash pages 156 | * cloud.provider:"Azure" country:GB,US http.status:200 http.title:"Index of /" ssl:true - Web Apps with directory listings enabled and SSL 157 | * cloud.provider:"Azure" country:GB,US http.status:200 http.title:"Index of /" - Web Apps with directory listings enabled 158 | * cloud.provider:"Azure" hostname:"cloudapp.net" http.status:200,302 - Cloud Apps 159 | * cloud.service:"AzureCloud" http.status:200 http.title:"api" - APIs 160 | 161 | ### **Amazon** 162 | 163 | * cloud.provider:"Amazon" 164 | * cloud.provider:"Amazon" http.status:200,302 http.title:"Index of /" 165 | 166 | ### Other Cloud Services 167 | 168 | * site:vps-*.vps.ovh.net 169 | 170 | ## **Web Cloud OSINT Resources** 171 | 172 | 1. Search Open Buckets - https://buckets.grayhatwarfare.com/ 173 | 2. Search cloud storage and buckets in different cloud providers - https://cse.google.com/cse?cx=002972716746423218710:veac6ui3rio#gsc.tab=0&gsc.q= 174 | 3. FullHunt - https://fullhunt.io/search?query=is_cloud%3Atrue+*domain* 175 | 4. Comand to download the results of URLs and buckets that contain a specific word and the file is .docx, xlsx and pdf - curl "https://buckets.grayhatwarfare.com/api/v1/files/[WORD TO SEARCH]?access_token=[access_token]&extensions=docx,xlsx,pdf" 176 | 5. Azure Tenant Information including subdomains and configuration - https://aadinternals.com/osint/ 177 | 6. Misconfigured servers containing sensitive data, including Azure Blob Storage, Amazon AWS S3 Buckets, and Google Buckets - https://socradar.io/labs/bluebleed 178 | 7. Cloud and other services key exposure - https://forager.trufflesecurity.com/explore 179 | 8. AWS Eye is an OSINT (Open Source Intelligence) tool designed to investigate Amazon Web Services (AWS) configurations. It specializes in identifying and analyzing publicly misconfigured resources such as S3 buckets, helping security researchers and OSINT enthusiasts uncover potential cloud exposures efficiently - https://awseye.com/ 180 | 181 | 182 | ## **Cloud OSINT Tools** 183 | 184 | 1. CloudEnum - https://github.com/initstring/cloud_enum 185 | 2. S3 Browser - https://s3browser.com - This is not properly a tool for OSINT tasks but is a Windows client for Amazon S3 and Amazon CloudFront that could help to browse some files. 186 | 187 | ## **Domain Identification** 188 | 189 | 1. https://spyse.com/tools/subdomain-finder domain and subdomain enumeration 190 | 2. https://crt.sh Finding domains and subdomains by SSL certificates through certificate transparency 191 | 3. https://dnsdumpster.com/ domain and subdomain enumeration 192 | 4. https://osint.sh/subdomain/ domain and subdomain enumeration 193 | 5. https://search.censys.io/?q= queries by domain, host, SSL certificate, among others 194 | 6. https://www.zoomeye.org/ domains and host exposed on the internet similar to Shodan 195 | 7. https://osint.sh/subdomain/ find subdomains 196 | 8. https://osint.sh/dnshistory/ History of a DNS record 197 | 198 | ## **Help to create your own dorks** 199 | 1. https://dorksearch.com/ 200 | 2. https://www.dorkgpt.com/ dorks with chatgpt 201 | 202 | ## **Others** 203 | 204 | 1. https://www.dedigger.com/# find exposed files in Google Drive, try search terms: AWS, azure, gcp, etc. 205 | 206 | --------------------------------------------------------------------------------