Initial (network) enumeration
Check where a service is hosted by querying the nameserver records for our target domain:
host -t ns $domain
Get more information / confirmation via a whois query on a previously found domain.
whois $previouslyFoundDomain
Check where a host is running:
host $domain
host $ipFromTheDomain
Check for more domains belonging to this organisation / this domain:
dnsenum $domain --threads 100
Get more zone information:
dig $domain ANY
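The records returned by the host and dig commands above tell you who operates the name servers and where the hosts reverse-resolve to. The following is an added example (not part of the original post and not output from any real target) that takes host(1)-style output and labels each record with the cloud provider its hostname belongs to, based on well-known provider DNS suffixes (Route 53 awsdns-*, Azure DNS, Google Cloud DNS, Cloudflare, EC2 PTR names). The sample lines are constructed; the suffix list is an assumption you should extend for the providers you care about.

```shell
#!/bin/sh
# Added example: label name-server / PTR records with their hosting provider.
# Feed it the text that `host -t ns $domain` or `host $ip` prints, one record per line.

# classify_provider <hostname>: prints aws, azure, gcp, cloudflare or unknown.
# The suffix patterns are an assumption based on the providers' public DNS naming.
classify_provider() {
    case "$1" in
        *.awsdns-*|*.amazonaws.com)                                  echo "aws" ;;
        *.azure-dns.*|*.cloudapp.azure.com|*.azurewebsites.net)      echo "azure" ;;
        *.googledomains.com|*.googleusercontent.com)                 echo "gcp" ;;
        *.ns.cloudflare.com)                                         echo "cloudflare" ;;
        *)                                                           echo "unknown" ;;
    esac
}

# classify_host_output: reads host(1) output on stdin and prints "<provider> <target>" per line.
classify_host_output() {
    while IFS= read -r line; do
        # The last whitespace-separated field is the name server or PTR target; drop the trailing dot.
        target=${line##* }
        target=${target%.}
        [ -n "$target" ] || continue
        printf '%s %s\n' "$(classify_provider "$target")" "$target"
    done
}

# Constructed sample resembling `host -t ns example.invalid` and `host 198.51.100.7` output.
SAMPLE='example.invalid name server ns-123.awsdns-45.com.
example.invalid name server ns-678.awsdns-90.org.
7.100.51.198.in-addr.arpa domain name pointer ec2-198-51-100-7.compute-1.amazonaws.com.
example.invalid name server ns1.selfhosted.invalid.'

# Demo run on the constructed sample; in practice pipe real host(1) output in instead.
printf '%s\n' "$SAMPLE" | classify_host_output
```

Records labelled unknown are worth a manual whois, as in the step above; a mix of providers across records usually means the organisation's DNS and its web or mail hosting live in different places.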
If there is a web service available: check in the page sources / network requests whether there are requests to a cloud-based service. For example, if there are requests to AWS S3, you have a bucket name!
- If you have one, go to the root / check subdirectories to see whether public listing is active somewhere.
- If the structure of a bucket name gives an indication of another bucket, check it out. E.g. if you have a bucket called
comp-dev-assets, try comp-prod-assets, etc.
Try to enumerate with cloud_enum. A $keyword could be the name of an S3 bucket, an EC2 instance, etc. You can add multiple keywords in an external file (e.g. with dev, test, prod, …). Optionally disable the other cloud providers, or none of them.
cloud_enum -k $keyword --quickscan [--disable-aws --disable-azure --disable-gcp] // one keyword
cloud_enum -kf /tmp/keywords --quickscan [--disable-aws --disable-azure --disable-gcp] // multiple keywords in an external file
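Building the keyword file for the -kf form by hand gets tedious once you have a few base names and want every environment label tried in both positions. The following is an added example (not part of the original post and not cloud_enum's own code) that expands a base name such as comp, optionally with an observed suffix such as assets, into the dev/test/stage/staging/prod variants described above and writes them deduplicated to a file. The environment labels and the separators used are assumptions; adjust them to the naming you have actually observed.

```shell
#!/bin/sh
# Added example: generate a keyword file for `cloud_enum -kf` from a base name.
# Environment labels are an assumption; extend them to match the target's naming.
ENVS="dev test stage staging prod"

# gen_keywords <base> [<suffix>]
# Prints the base itself, then base-env, env-base and baseenv for each environment,
# and, when a suffix is given, base-env-suffix (the comp-dev-assets pattern).
gen_keywords() {
    base=$1
    suffix=${2:-}
    echo "$base"
    for env in $ENVS; do
        echo "${base}-${env}"
        echo "${env}-${base}"
        echo "${base}${env}"
        if [ -n "$suffix" ]; then
            echo "${base}-${env}-${suffix}"
        fi
    done
}

# write_keywords <outfile> <base> [<suffix>]
# Writes the deduplicated list to <outfile> and prints how many keywords it contains.
write_keywords() {
    out=$1
    shift
    gen_keywords "$@" | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# Demo: write the list for base "comp" with observed suffix "assets" to a temp file,
# which you would then pass as: cloud_enum -kf "$kwfile" --quickscan
kwfile=$(mktemp)
printf 'wrote %s keywords to %s\n' "$(write_keywords "$kwfile" comp assets)" "$kwfile"
```

Keep the list short and specific to what you have observed: cloud_enum already applies its own mutations to each keyword, so every extra base name multiplies the number of requests it sends.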