Reconnaissance

Find the origin server of a website protected by CloudFlare (or CloudFront)

Download tool:

  • CloudFlair

https://github.com/christophetd/CloudFlair

$ python cloudflair.py myvulnerable.site

[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "myvulnerable.site" using Censys
[*] 75 certificates matching "myvulnerable.site" found.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 10 IPv4 hosts presenting a certificate issued to "myvulnerable.site" were found.
  - 51.194.77.1
  - 223.172.21.75
  - 18.136.111.24
  - 127.200.220.231
  - 177.67.208.72
  - 137.67.239.174
  - 182.102.141.194
  - 8.154.231.164
  - 37.184.84.44
  - 78.25.205.83

[*] Retrieving target homepage at https://myvulnerable.site

[*] Testing candidate origin servers
  - 51.194.77.1
  - 223.172.21.75
  - 18.136.111.24
        responded with an unexpected HTTP status code 404
  - 127.200.220.231
        timed out after 3 seconds
  - 177.67.208.72
  - 137.67.239.174
  - 182.102.141.194
  - 8.154.231.164
  - 37.184.84.44
  - 78.25.205.83

[*] Found 2 likely origin servers of myvulnerable.site!
  - 177.67.208.72 (HTML content identical to myvulnerable.site)
  - 182.102.141.194 (HTML content identical to myvulnerable.site)

Analyze an AWS environment

Download tool:

  • CloudMapper

https://github.com/duo-labs/cloudmapper

python cloudmapper.py collect --account my_account

Google Cloud Storage bucket enumeration

python GCPBucketBrute.py -d example.com -p projects.txt -n

Enumerate public resources in AWS, Azure and Google Cloud

Download tool:

  • cloud_enum

https://github.com/initstring/cloud_enum

usage: cloud_enum.py [-h] -k KEYWORD [-m MUTATIONS] [-b BRUTE]

Multi-cloud enumeration utility. All hail OSINT!

optional arguments:
  -h, --help            show this help message and exit
  -k KEYWORD, --keyword KEYWORD
                        Keyword. Can use argument multiple times.
  -kf KEYFILE, --keyfile KEYFILE
                        Input file with a single keyword per line.
  -m MUTATIONS, --mutations MUTATIONS
                        Mutations. Default: enum_tools/fuzz.txt
  -b BRUTE, --brute BRUTE
                        List to brute-force Azure container names. Default: enum_tools/fuzz.txt
  -t THREADS, --threads THREADS
                        Threads for HTTP brute-force. Default = 5
  -ns NAMESERVER, --nameserver NAMESERVER
                        DNS server to use in brute-force.
  -l LOGFILE, --logfile LOGFILE
                        Will APPEND found items to specified file.
  -f FORMAT, --format FORMAT
                        Format for log file (text,json,csv - defaults to text)
  --disable-aws         Disable Amazon checks.
  --disable-azure       Disable Azure checks.
  --disable-gcp         Disable Google checks.
  -qs, --quickscan      Disable all mutations and second-level scans
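The two steps cloud_enum performs for every keyword are name mutation (the -k keyword combined with each entry of the -m list) and an HTTP probe whose status code says whether the storage exists and whether it is listable. The following is an added example, not cloud_enum's own code: it generates candidates, filters them against each provider's published naming rules (S3/GCS 3-63 chars lowercase, digits, dots, hyphens; Azure storage accounts 3-24 lowercase alphanumerics), and interprets the S3 status code. The keyword and mutation lists are constructed; the same keyword-to-candidate mutation is what bucket-stream applies to names pulled from CT logs further down this page.

```python
"""Added example, not cloud_enum's code: name mutation, provider naming
validation and S3 status-code interpretation for storage enumeration.
Assumptions: keyword/mutation lists are constructed; the probe targets S3
(Azure and GCS answer with different status codes)."""
import re
import urllib.error
import urllib.request

# Provider naming rules (simplified from public docs): S3 and GCS bucket
# names are 3-63 chars, lowercase letters/digits/dots/hyphens (GCS also
# allows underscores), starting and ending alphanumeric; Azure storage
# account names are 3-24 lowercase letters/digits only.
RULES = {
    "aws":   (3, 63, re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")),
    "gcp":   (3, 63, re.compile(r"^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$")),
    "azure": (3, 24, re.compile(r"^[a-z0-9]{3,24}$")),
}
SEPARATORS = ("", "-", ".", "_")


def mutate(keywords, mutations):
    """Yield unique candidates: keyword alone, then keyword+mutation and
    mutation+keyword joined by every separator (what the -m list drives)."""
    seen = set()
    for kw in keywords:
        kw = kw.lower()
        forms = [kw]
        for m in (x.lower() for x in mutations):
            for sep in SEPARATORS:
                forms += [f"{kw}{sep}{m}", f"{m}{sep}{kw}"]
        for name in forms:
            if name not in seen:
                seen.add(name)
                yield name


def valid_for(provider, name):
    lo, hi, pat = RULES[provider]
    if not (lo <= len(name) <= hi and pat.match(name)):
        return False
    if provider in ("aws", "gcp") and ".." in name:  # no consecutive dots
        return False
    return True


def candidates(keywords, mutations, provider):
    """Mutations that are legal names for the provider, in generation order."""
    return [n for n in mutate(keywords, mutations) if valid_for(provider, n)]


def classify_s3(status):
    """Meaning of the status for GET on an S3 bucket URL: 200 = exists and is
    anonymously listable (the finding), 403 = exists but private (name still
    leaks), 404 = no such bucket, 301 = exists in another region (only seen
    when redirects are not followed)."""
    return {200: "open", 403: "exists-private", 404: "absent",
            301: "exists-other-region"}.get(status, f"unexpected-{status}")


def probe_s3(name, timeout=5):
    """Live check. Dotted names use the path-style URL because the wildcard
    certificate on *.s3.amazonaws.com does not cover a.b.s3.amazonaws.com."""
    url = (f"https://s3.amazonaws.com/{name}/" if "." in name
           else f"https://{name}.s3.amazonaws.com/")
    req = urllib.request.Request(url, headers={"User-Agent": "enum-demo"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return classify_s3(r.status)
    except urllib.error.HTTPError as e:
        return classify_s3(e.code)
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv  # without --live nothing leaves the machine
    for name in candidates(["acme"], ["backup", "dev", "static"], "aws"):  # constructed
        print(name, probe_s3(name) if live else "(dry run; pass --live to query S3)")
```

Run it without arguments to see the candidate list; pass --live to send the probes. Treat 403 as a real result: the bucket name is confirmed even though its contents are not exposed, which is exactly the information cloud_enum's second-level scans build on.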

Search for potential frontable domains

Download tool:

  • FindFrontableDomains

https://github.com/rvrsh3ll/FindFrontableDomains

python3 FindFrontableDomains.py --domain example.com --threads 20
python3 FindFrontableDomains.py --check ajax.microsoft.com

Verify whether domain fronting works

Download tool:

  • domain-fronting-tools

https://github.com/stevecoward/domain-fronting-tools

$ python cdn-search.py -h
usage: cdn-search.py [-h] [-d DOMAIN] [-p PAGES]

optional arguments:
  -h, --help            Show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Search censys for certs using domain
  -p PAGES, --pages PAGES
                        Number of pages to retrieve (100/page)
$ python validate-domains.py -h
usage: validate-domains.py [-h] [-f DOMAINS_FILE] [-s SSL] [-c CDN_DOMAIN]
                           [-o OUTPUT_FILE]

optional arguments:
  -h, --help            show this help message and exit
  -f DOMAINS_FILE, --domains-file DOMAINS_FILE
                        Path to list of potential frontable domains.
  -s SSL, --ssl SSL     Prepend domain from list with http or https.
  -c CDN_DOMAIN, --cdn-domain CDN_DOMAIN
                        CDN FQDN for C2.
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        Save results to file.
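The origin-server hunt at the top of this page and the fronting validation above are the same HTTPS trick seen from two sides: open a TLS connection to one host while naming another in SNI and/or the Host header, then judge what comes back. For origin discovery you connect to a candidate IP with SNI and Host set to the target site and keep the IPs that return the page the CDN serves (CloudFlair's "HTML content identical" step); for fronting you connect to the front domain (SNI = front) with Host set to your CDN distribution and check that your own page, not the front's, is returned (what validate-domains.py's -c CDN_DOMAIN does). The block below is an added example, not CloudFlair's or domain-fronting-tools' code. It assumes Cloudflare's published IPv4 ranges as a snapshot that must be refreshed before use, and the placeholder hostnames in the usage comments are not real targets.

```python
"""Probe hosts with a chosen SNI and Host header, then judge the reply.

Added example, not CloudFlair's or domain-fronting-tools' code. Both
procedures on this page reduce to one HTTPS trick:
  * origin discovery: connect to a candidate IP with SNI/Host = the target
    site and keep the IPs that serve the same page the CDN serves;
  * domain fronting: connect to the front domain (SNI = front) with
    Host = the C2 distribution and check that the C2 page comes back.
Network I/O lives in https_get(); the decisions are pure functions.
"""
import hashlib
import http.client
import ipaddress
import re
import socket
import ssl

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: still current when run; refresh it. A candidate inside these
# ranges is an edge, not an origin, and is discarded.
CDN_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cdn_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_V4)


def https_get(connect_to, sni, host_header, path="/", timeout=3.0):
    """GET over TLS to connect_to (IP or name), naming `sni` in the handshake
    and `host_header` in HTTP. Returns (status, body) or None on failure.
    Certificate checks are off on purpose: an exposed origin often presents a
    self-signed or mismatched cert, and it is the content we want."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((connect_to, 443), timeout=timeout)
        conn = http.client.HTTPSConnection(host_header, timeout=timeout, context=ctx)
        conn.sock = ctx.wrap_socket(raw, server_hostname=sni)  # pre-wrapped: no connect()
        conn.request("GET", path, headers={"Host": host_header, "Connection": "close"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException):
        return None


def fingerprint(html):
    """Hash the page with <script> blocks removed and whitespace collapsed:
    CDN features (Cloudflare email obfuscation, Rocket Loader, ...) inject
    scripts and reflow markup, so a byte-for-byte compare misses real origins."""
    body = re.sub(r"<script\b.*?</script>", "", html, flags=re.S | re.I)
    body = re.sub(r"\s+", " ", body).strip()
    return hashlib.sha256(body.encode()).hexdigest()


def rank_origins(reference_html, responses):
    """responses: {ip: (status, html) or None} from https_get(ip, site, site).
    Keep IPs outside the CDN ranges that answered 200 with the same
    normalised page as the copy fetched through the CDN."""
    ref = fingerprint(reference_html)
    return [ip for ip, resp in responses.items()
            if resp is not None and not is_cdn_ip(ip)
            and resp[0] == 200 and fingerprint(resp[1]) == ref]


def fronting_works(front_resp, c2_marker):
    """The front is usable when the edge, reached with SNI = front domain but
    Host = C2 distribution, returns 200 and a string only the C2 server emits.
    A 4xx or the front's own page means the edge enforces SNI/Host consistency."""
    return (front_resp is not None and front_resp[0] == 200
            and c2_marker in front_resp[1])


if __name__ == "__main__":
    import sys
    # Live use (hostnames are placeholders, <distribution> must be your own):
    #   python3 cdn_probe.py origin myvulnerable.site 177.67.208.72 182.102.141.194
    #   python3 cdn_probe.py front ajax.microsoft.com <distribution>.cloudfront.net MARKER
    mode, *args = sys.argv[1:] or ["help"]
    if mode == "origin" and len(args) >= 2:
        site, *ips = args
        ref = https_get(site, site, site)
        print(rank_origins(ref[1], {ip: https_get(ip, site, site) for ip in ips})
              if ref else "site unreachable")
    elif mode == "front" and len(args) == 3:
        front, c2_host, marker = args
        print(fronting_works(https_get(front, front, c2_host), marker))
    else:
        print(__doc__)
```

The defensive reading of rank_origins is the fix for the first finding: an origin that answers 200 to anyone who knows its IP is only "behind" the CDN in DNS, so restrict its firewall to the CDN's published ranges (the same list is_cdn_ip uses) or require an authenticated origin pull. For fronting, a None or 4xx from the front is the expected result on CDNs that now reject SNI/Host mismatches; only a 200 carrying your marker means the front is usable.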

Bypass Cloudflare's anti-bot (JavaScript challenge) page

Download tool:

  • cloudscraper

https://github.com/VeNoMouS/cloudscraper

Identify privilege-escalation paths in cloud environments

Download tool:

  • PurplePanda

https://github.com/carlospolop/PurplePanda

python3 main.py -e -p google,github,k8s --github-only-org --k8s-get-secret-values --gcp-get-secret-values

Analyze and visualize the graph of Azure and Azure Active Directory objects

Download tool:

  • Stormspotter

https://github.com/Azure/Stormspotter

Audit the security posture of AWS/GCP/Azure infrastructure

Find Amazon S3 buckets by watching Certificate Transparency logs

Download tool:

  • bucket-stream

https://github.com/eth0izzle/bucket-stream

$ python3 bucket-stream.py

(ruby lazys3.rb <COMPANY> is the invocation of a different tool, lazys3, https://github.com/nahamsec/lazys3, which brute-forces bucket names from a company name rather than watching CT logs.)

Consolidate infrastructure assets and the relationships between them

Download tool:

  • Cartography

https://github.com/lyft/cartography

Discover open S3 buckets

Download tool:

  • FestIn

https://github.com/cr0hn/festin

$ festin -h
usage: __main__.py [-h] [--version] [-f FILE_DOMAINS] [-w] [-c CONCURRENCY] [--no-links] [-T HTTP_TIMEOUT] [-M HTTP_MAX_RECURSION] [-dr DOMAIN_REGEX] [-rr RESULT_FILE] [-rd DISCOVERED_DOMAINS] [-ra RAW_DISCOVERED_DOMAINS]
                   [--tor] [--debug] [--no-print] [-q] [--index] [--index-server INDEX_SERVER] [-dn] [-ds DNS_RESOLVER]
                   [domains [domains ...]]

Festin - the powered S3 bucket finder and content discover

positional arguments:
  domains

optional arguments:
  -h, --help            show this help message and exit
  --version             show version
  -f FILE_DOMAINS, --file-domains FILE_DOMAINS
                        file with domains
  -w, --watch           watch for new domains in file domains '-f' option
  -c CONCURRENCY, --concurrency CONCURRENCY
                        max concurrency

HTTP Probes:
  --no-links            extract web site links
  -T HTTP_TIMEOUT, --http-timeout HTTP_TIMEOUT
                        set timeout for http connections
  -M HTTP_MAX_RECURSION, --http-max-recursion HTTP_MAX_RECURSION
                        maximum recursison when follow links
  -dr DOMAIN_REGEX, --domain-regex DOMAIN_REGEX
                        only follow domains that matches this regex

Results:
  -rr RESULT_FILE, --result-file RESULT_FILE
                        results file
  -rd DISCOVERED_DOMAINS, --discovered-domains DISCOVERED_DOMAINS
                        file name for storing new discovered after apply filters
  -ra RAW_DISCOVERED_DOMAINS, --raw-discovered-domains RAW_DISCOVERED_DOMAINS
                        file name for storing any domain without filters

Connectivity:
  --tor                 Use Tor as proxy

Display options:
  --debug               enable debug mode
  --no-print            doesn't print results in screen
  -q, --quiet           Use quiet mode

Redis Search:
  --index               Download and index documents into Redis
  --index-server INDEX_SERVER
                        Redis Search ServerDefault: redis://localhost:6379

DNS options:
  -dn, --no-dnsdiscover
                        not follow dns cnames
  -ds DNS_RESOLVER, --dns-resolver DNS_RESOLVER
                        comma separated custom domain name servers
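FestIn's two discovery sources (the links it crawls from a site's HTML, and the CNAME chains it follows unless -dn is given) both end in the same extraction step: recognising an S3 endpoint in a URL or DNS target and pulling the bucket name out of it. The block below is an added example, not FestIn's code. It handles the endpoint forms S3 actually uses (virtual-hosted bucket.s3.amazonaws.com and regional/website variants, and path-style s3.amazonaws.com/bucket/...); the HTML and CNAME targets are constructed samples.

```python
"""Added example, not FestIn's code: extract S3 bucket names from the links
in a page and from DNS CNAME targets, the two sources FestIn crawls.
Recognised endpoint forms:
  virtual-hosted  bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
                  bucket.s3-<region>.amazonaws.com
  static website  bucket.s3-website-<region>.amazonaws.com,
                  bucket.s3-website.<region>.amazonaws.com
  path-style      s3.amazonaws.com/bucket/..., s3.<region>.amazonaws.com/bucket/...
Sample HTML and CNAME records below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# bucket label, then ".s3", optional region/website part, then ".amazonaws.com"
VHOST = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
                   r"\.s3(?:[.-](?:website[.-])?[a-z0-9-]+)?\.amazonaws\.com$")
# bare S3 endpoint: bucket is the first path segment
PATH = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


class LinkCollector(HTMLParser):
    """Collect every URL-bearing attribute, as a crawler would."""
    ATTRS = {"href", "src", "action", "data-src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in self.ATTRS and value:
                self.urls.append(value)


def bucket_from_url(url):
    """Bucket named by an S3 URL (or bare hostname), else None."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    m = VHOST.match(host)
    if m:
        return m.group("bucket")
    if PATH.match(host):
        first = parts.path.lstrip("/").split("/", 1)[0].lower()
        return first or None
    return None


def bucket_from_cname(target):
    """A CNAME pointing at an S3 (website) endpoint names the bucket outright,
    which is why FestIn follows CNAMEs unless -dn is given."""
    return bucket_from_url(target.rstrip(".").lower())


def buckets_in_html(html):
    """Map bucket name -> first URL that referenced it."""
    parser = LinkCollector()
    parser.feed(html)
    found = {}
    for url in parser.urls:
        bucket = bucket_from_url(url)
        if bucket:
            found.setdefault(bucket, url)
    return found


# Constructed samples: a page mixing S3 references with ordinary links, and
# the CNAME answers a resolver might return for two hostnames.
SAMPLE_HTML = """<html><body>
<img src="https://acme-static.s3.amazonaws.com/logo.png">
<script src="//acme-js.s3.eu-west-1.amazonaws.com/app.js"></script>
<a href="https://s3.amazonaws.com/acme-downloads/setup.exe">download</a>
<link href="/css/site.css" rel="stylesheet">
<a href="https://example.com/page">internal</a>
</body></html>"""
SAMPLE_CNAMES = {
    "assets.acme.example": "acme-assets.s3-website-us-east-1.amazonaws.com.",
    "www.acme.example": "dexample.cloudfront.net.",  # not S3: ignored
}

if __name__ == "__main__":
    for bucket, url in buckets_in_html(SAMPLE_HTML).items():
        print(f"link   {bucket:<16} <- {url}")
    for name, target in SAMPLE_CNAMES.items():
        bucket = bucket_from_cname(target)
        if bucket:
            print(f"cname  {bucket:<16} <- {name} -> {target}")
```

Each name this yields is a confirmed bucket, not a guess, so it goes straight to the listing/permissions check rather than through a mutation list. Dotted bucket names (a CNAME target like assets.example.com.s3.amazonaws.com) come out with their dots intact; remember that such names must be probed path-style, since the S3 wildcard certificate does not cover them.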