Cloud Assets & Identity

Cloud Discovery & Exploration

  • Discovery:

    • CloudEnum: python3 cloud_enum.py -k example (Finds Azure Blobs, S3 Buckets, GCP Buckets).

    • MicroBurst: Invoke-EnumerateAzureBlobs -Base example

    • Naming Conventions: Search for example-dev, example-storage, test-example, example-backup.

  • Tenant & Account Identification:

    • Azure/O365: Get-AADIntTenantID -Domain example.com (Retrieve Tenant ID via AADInternals).

    • AWS: Use pacu (Identity enumeration) or s3-inspector for bucket permission audits.

    • GCP: Use gcp_scanner to find accessible resources, or gcp_check_access.

Cloud Storage Exfiltration (Unauthenticated)

  • AWS S3: aws s3 ls s3://example-bucket --no-sign-request

  • Azure Blobs: Attempt anonymous container access via MicroBurst.

  • GCP: gsutil ls -r gs://example-bucket (Check for allUsers permissions).

Identity & Authentication

  • Email Discovery:

    • Hunter.io / Phonebook.cz: Find email formats and existing addresses.

    • theHarvester: theHarvester -d example.com -b all

  • Identity Enumeration (AWS/GCP):

    • AWS: aws-inventory or enum4aws.

    • GCP: Use gcp_recon to enumerate users via API keys found in JS files.

  • Password Spraying (Tactical):

    • FireProx: AWS API Gateway rotation to bypass blocklists.

    • Spray365 / MSOLSpray: Invoke-PasswordSprayO365 -UserList users.txt -Password "Spring2025!"

    • Note: Monitor lockout policies (e.g., 10 attempts per hour).