Cloud reconnaissance refers to the initial phase of a cyberattack targeting cloud environments. This phase involves gathering as much information as possible about the target’s cloud infrastructure, services, and potential vulnerabilities. The goal is to understand the landscape, identify weak points, and plan subsequent attacks. This article delves into the techniques, tools, and strategies used in cloud
Below are some of the tools that can be used for cloud reconnaissance:
1. DNSDumpster is an online service that performs DNS enumeration, helping users map out domain names, subdomains, and their associated DNS records.
- Visit https://dnsdumpster.com/
- Enter the target domain (e.g., example.com)
See the screenshot below for sample output.
2. Censys is a powerful search engine for internet-connected devices. It can provide additional insights about IP addresses and the cloud resources potentially associated with a target.
- Visit https://search.censys.io/
- Search for the target domain or IP address.
3. Google Dorking involves using advanced search operators to find specific information across the web.
Effective Dorking queries:
- intitle:"index of" "s3.amazonaws.com"
- site:s3.amazonaws.com
- site:amazonaws.com inurl:s3 "index of"
- intitle:"index of" "elb.amazonaws.com"
- intitle:"index of" "blob.core.windows.net"
- site:blob.core.windows.net
- intitle:"index of" "azurewebsites.net"
4. Git Dorking is a technique used to search through GitHub repositories for sensitive information, such as API keys, passwords, and other credentials that may have been accidentally committed to a repository.
Setup commands using Docker:
git clone https://github.com/obheda12/GitDorker.git
cd GitDorker
docker build -t gitdorker .
Create a tokens file containing your GitHub API tokens, then run the Docker container as shown below:
docker run -it -v $(pwd)/tf:/tf gitdorker -tf tf/TOKENSFILE -q tesla.com -d dorks/DORKFILE -o tesla
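The defensive counterpart to Git Dorking is catching those same credentials before they are pushed. The following added example (not code from the original article or from GitDorker) is a small Python scanner suitable for a pre-commit hook: it flags AWS access key IDs by their documented format and flags assignments to secret-like names whose values have high Shannon entropy, while ignoring low-entropy placeholders. The keyword list, entropy threshold and sample file are assumptions constructed for the example.

```python
import math
import re

# Well-known credential formats. The AWS access key ID shape (AKIA/ASIA plus
# 16 uppercase alphanumerics) follows AWS documentation; the keyword list
# and assignment shape are assumptions about typical config/source files.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
ASSIGNMENT_RE = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above prose."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return (line_no, kind, value) for each likely secret found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(0)))
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            # Placeholders such as "changeme" are low entropy and are skipped,
            # which keeps the hook from blocking every config file.
            if shannon_entropy(value) >= entropy_threshold:
                kind = "high_entropy_" + m.group(1).lower()
                findings.append((line_no, kind, value))
    return findings

# Constructed sample: a config file as it might be committed by mistake.
# The AWS key is the example value from AWS documentation; the token is made up.
SAMPLE = """\
db_host = db.internal.example
db_password = changeme
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
API_TOKEN: "ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Wired into a pre-commit hook over staged files, a non-empty result from scan_text is the signal to block the commit.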
5. CloudHunter is a potent reconnaissance tool designed for discovering and investigating security vulnerabilities in cloud storage buckets across providers.
Installation and setup:
git clone https://github.com/belane/CloudHunter.git
cd CloudHunter
pip install -r requirements.txt
python3 cloudhunter.py COMPANY_NAME
CloudHunter CLI options:
- --permutations-file file: Provide a file with bucket name permutations.
- --services aws,google,azure,alibaba: Name the cloud services to check.
- --write-test: Enable the write test to determine read permissions.
- --resolvers file: Provide a file containing DNS resolvers.
- --threads num: Set the number of threads for simultaneous processes.
- --crawl-deep num: Determine how many more pages to crawl after the first.
- --base-only: Examine just the base name without generating permutations.
- --disable-bruteforce: Disable the brute-force discovery process.
- --verbose: Enable verbose logs.
- --open-only: Show only open buckets.