DRAFT: Implementing cloud asset discovery

cloud/enum/aws-app-enum.yaml

@@ -0,0 +1,36 @@
+id: aws-app-enum
+
+info:
+  name: AWS Apps - Cloud Enumeration
+  author: initstring
+  severity: info
+  description: |
+    Searches for AWS apps (WorkDocs, WorkMail, Connect, etc.)
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cloud,cloud-enum,aws
+
+self-contained: true
+
+variables:
+  BaseDNS: "awsapps.com"
+
+http:
+  - raw:
+      - |
+        GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+        Host: {{wordlist}}.{{BaseDNS}}
+
+    redirects: false
+
+    attack: batteringram
+    threads: 10
+
+    matchers:
+      - type: status
+        name: "Registered AWS App"
+        status:
+          - 200
+          - 302
+        condition: or

cloud/enum/aws-s3-bucket-enum.yaml

@@ -0,0 +1,40 @@
+id: aws-s3-bucket-enum
+
+info:
+  name: AWS S3 Buckets - Cloud Enumeration
+  author: initstring
+  severity: info
+  description: |
+    Searches for open and protected buckets in AWS S3
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cloud,cloud-enum,aws
+
+self-contained: true
+
+variables:
+  BaseDNS: "s3.amazonaws.com"
+
+http:
+  - raw:
+      - |
+        GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+        Host: {{wordlist}}.{{BaseDNS}}
+
+    redirects: false
+
+    attack: batteringram
+    threads: 10
+
+    matchers-condition: or
+    matchers:
+      - type: status
+        name: "Open AWS S3 Bucket"
+        status:
+          - 200
+
+      - type: status
+        name: "Protected AWS S3 Bucket"
+        status:
+          - 403

cloud/enum/azure-db-enum.yaml

@@ -0,0 +1,31 @@
+id: azure-db-enum
+
+info:
+  name: Azure Databases - Cloud Enumeration
+  author: initstring
+  severity: info
+  description: |
+    Searches for Azure databases via their registered DNS names
+  metadata:
+    verified: true
+    max-request: 1
+  tags: cloud,cloud-enum,azure
+
+self-contained: true
+
+variables:
+  BaseDNS: "database.windows.net"
+
+dns:
+  - name: "{{wordlist}}.{{BaseDNS}}"
+    type: A
+    class: inet
+
+    recursion: true
+
+    attack: batteringram
+    matchers:
+      - type: word
+        part: answer
+        words:
+          - "IN\tA"

cloud/enum/azure-vm-cloud-enum.yaml

@@ -0,0 +1,64 @@
+id: azure-vm-cloud-enum
+
+info:
+  name: Azure Virtual Machines - Cloud Enumeration
+  author: initstring
+  severity: info
+  description: |
+    Searches for Azure virtual machines via their registered DNS names.
+  metadata:
+    verified: true
+  tags: cloud,cloud-enum,azure
+
+self-contained: true
+
+variables:
+  BaseDNS: "cloudapp.azure.com"
+  regionname:
+    - eastasia
+    - southeastasia
+    - centralus
+    - eastus
+    - eastus2
+    - westus
+    - northcentralus
+    - southcentralus
+    - northeurope
+    - westeurope
+    - japanwest
+    - japaneast
+    - brazilsouth
+    - australiaeast
+    - australiasoutheast
+    - southindia
+    - centralindia
+    - westindia
+    - canadacentral
+    - canadaeast
+    - uksouth
+    - ukwest
+    - westcentralus
+    - westus2
+    - koreacentral
+    - koreasouth
+    - francecentral
+    - francesouth
+    - australiacentral
+    - australiacentral2
+    - southafricanorth
+    - southafricawest
+
+dns:
+  - name: "{{wordlist}}.{{regionname}}.{{BaseDNS}}"
+    type: A
+    class: inet
+
+    recursion: true
+
+    attack: batteringram
+
+    matchers:
+      - type: word
+        part: answer
+        words:
+          - "IN\tA"

cloud/enum/azure-website-enum.yaml

@@ -0,0 +1,35 @@
+id: azure-website-enum
+
+info:
+  name: Azure Websites - Cloud Enumeration
+  author: initstring
+  severity: info
+  description: |
+    Searches for Azure websites that are registered and responding.
+  metadata:
+    verified: true
+  tags: cloud,azure
+
+self-contained: true
+
+variables:
+  BaseDNS: "azurewebsites.net"
+
+http:
+  - raw:
+      - |
+        GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+        Host: {{wordlist}}.{{BaseDNS}}
+
+    redirects: false
+
+    attack: batteringram
+    threads: 10
+
+    matchers:
+      - type: status
+        name: "Available Azure Website"
+        status:
+          - 200
+          - 302
+        condition: or

cloud/enum/gcp-app-engine-enum.yaml

@@ -0,0 +1,41 @@
+id: gcp-app-engine-enum
+
+info:
+  name: GCP App Engine (Appspot) - Cloud Enumeration
+  author: initstring
+  severity: info
+  description: |
+    Searches for App Engine Apps in GCP.
+  metadata:
+    verified: true
+  tags: cloud,cloud-enum,gcp
+
+self-contained: true
+
+variables:
+  BaseDNS: "appspot.com"
+  loginRedirect: "accounts.google.com"
+
+http:
+  - raw:
+      - |
+        GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+        Host: {{wordlist}}.{{BaseDNS}}
+
+    redirects: false
+
+    attack: batteringram
+    threads: 10
+
+    matchers:
+      - type: dsl
+        name: "Open GCP App Engine App"
+        dsl:
+          - "status_code==200"
+
+      - type: dsl
+        name: "Protected GCP App Engine App"
+        dsl:
+          - "status_code==302"
+          - contains(location, "login")
+        condition: and

cloud/enum/gcp-bucket-enum.yaml

@@ -0,0 +1,38 @@
+id: gcp-bucket-enum
+
+info:
+  name: GCP Buckets - Cloud Enumeration
+  author: initstring
+  severity: info
+  description: |
+    Searches for open and protected buckets in GCP.
+  metadata:
+    verified: true
+  tags: cloud,cloud-enum,gcp
+
+self-contained: true
+
+variables:
+  BaseDNS: "storage.googleapis.com"
+
+http:
+  - raw:
+      - |
+        GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+        Host: {{wordlist}}.{{BaseDNS}}
+
+    redirects: false
+
+    attack: batteringram
+    threads: 10
+
+    matchers:
+      - type: status
+        name: "Open GCP Bucket"
+        status:
+          - 200
+
+      - type: status
+        name: "Protected GCP Bucket"
+        status:
+          - 403

cloud/enum/gcp-firebase-app-enum.yaml

@@ -0,0 +1,33 @@
+id: gcp-firebase-app-enum
+
+info:
+  name: GCP Firebase Apps - Cloud Enumeration
+  author: initstring
+  severity: info
+  description: |
+    Searches for Firebase Apps in GCP.
+  metadata:
+    verified: true
+  tags: cloud,cloud-enum,gcp
+
+self-contained: true
+
+variables:
+  BaseDNS: "firebaseapp.com"
+
+http:
+  - raw:
+      - |
+        GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
+        Host: {{wordlist}}.{{BaseDNS}}
+
+    redirects: false
+
+    attack: batteringram
+    threads: 10
+
+    matchers:
+      - type: status
+        name: "Open GCP Firebase App"
+        status:
+          - 200

cloud/enum/gcp-firebase-rtdb-enum.yaml

@@ -0,0 +1,49 @@
+id: gcp-firebase-rtdb-enum
+
+info:
+  name: GCP Firebase Realtime Database - Cloud Enumeration
+  author: initstring
+  severity: info
+  description: |
+    Searches for Firebase Realtime Databases in GCP.
+  metadata:
+    verified: true
+  tags: cloud,cloud-enum,gcp
+
+self-contained: true
+
+variables:
+  BaseDNS: "firebaseio.com"
+
+http:
+  - raw:
+      - |
+        GET https://{{wordlist}}.{{BaseDNS}}/.json HTTP/1.1
+        Host: {{wordlist}}.{{BaseDNS}}
+
+    redirects: false
+
+    attack: batteringram
+    threads: 10
+
+    matchers-condition: or
+    matchers:
+      - type: status
+        name: "Open GCP Firebase RTDB"
+        status:
+          - 200
+
+      - type: status
+        name: "Protected GCP Firebase RTDB"
+        status:
+          - 401
+
+      - type: status
+        name: "Payment GCP on Google Firebase RTDB"
+        status:
+          - 402
+
+      - type: status
+        name: "Deactivated GCP Firebase RTDB"
+        status:
+          - 423