Cloud DNS Enumeration

python -d

Cloud Service Enumeration

cloudmapper collect --account example_account

Cloud Storage Bucket Enumeration

python -d -p projects.txt -n

Cloud Application Enumeration

nmap -p 80,443,8080

Cloud Metadata Enumeration

python -d

Cloud Provider Enumration

python3 -u

Scan a Single Domain(Search for potential frontable domains)

python3 -d

Scan a List of Domains from a File(Search for potential frontable domains)

python3 -f domains.txt

Domain Fronting

python -d DOMAIN

Scrape a Single Website

python3 --url

Scrape a Website with Proxy Support:

python3 --url --proxy

Enumerate Cloud Providers for a Specific Domain

python --domain

Enumerate Cloud Providers from a List of Domains in a File

python --file domains.txt

Identify privilege escalation paths and dangerous permissions in the cloud/saas configurations

python3 -e -p google,github,k8s --github-only-org --k8s-get-secret-values --gcp-get-secret-values # Enumerate google, github and k8s

BloodHound in Cloud

install.bat C:\project\BloodHound

Graphing Azure Active Directory objects

python3 ./

To run DigitalOcean Audit

python -env digitalocean

Attempts to find public S3 buckets from permutations of the certificates domain name python ‍‍‍

ruby lazys3.rb <COMPANY> 

Scan and Generate Graph Database(Consolidates infrastructure assets and the relationships):

cartography --connect aws --inventory-only --neo4j-uri bolt://localhost:7687 --neo4j-username <USERNAME> --neo4j-password <PASSWORD>

Export Data to JSON Format(Consolidates infrastructure assets and the relationships):

cartography --export-file cartography.json

Run a Custom Plugin(Consolidates infrastructure assets and the relationships):

cartography --connect aws --custom-plugin

Discovering open S3 Buckets



Enumerate EC2 Instances:

python3 -m enumeration.enum_ec2


run enumeration/ec2_instances

Enumerate S3 Buckets:

python3 -m enumeration.enum_s3


run enumeration/s3_buckets

Enumerate IAM Users:

python3 -m enumeration.enum_iam_users


run enumeration/iam_users

Enumerate RDS Instances:

python3 -m enumeration.enum_rds


run enumeration/rds_instances

Scan for Open Elasticsearch Instances:

python3 -m enumeration.enum_elasticsearch


run enumeration/elasticsearch_instances

Checks the permissions of the bucket

php s3-buckets-bruteforcer.php --bucket gwen001-test002

List all instances in a region:

aws ec2 describe-instances

Create a new EC2 instance:

aws ec2 run-instances --image-id ami-0c55b159cbfafe1f0 --count 1 --instance-type t2.micro --key-name my-key-pair --security-group-ids sg-903004f8 --subnet-id subnet-6e7f829e --associate-public-ip-address

Create a new S3 bucket:

aws s3 mb s3://my-bucket-name

To run AWS Audit

python -env aws

Google Cloud SDK

List all instances in a project:

gcloud compute instances list

Create a new VM instance:

gcloud compute instances create example-instance --machine-type=n1-standard-1 --image-project=debian-cloud --image-family=debian-10 --zone us-central1-a

Create a new Cloud Storage bucket:

gsutil mb -p my-project-id gs://my-bucket-name

Scan for buckets using the keyword “test” while completely unauthenticated

python3 -k test -u

To run GCP Audit

python -env gcp -pId <project_name>

Microsoft Azure CLI

List all virtual machines in a resource group:

az vm list -g my-resource-group

Create a new virtual machine:

az vm create --resource-group my-resource-group --name my-vm --image UbuntuLTS --admin-username azureuser --generate-ssh-keys

Create a new storage account:

az storage account create --name mystorageaccount --resource-group myresourcegroup --location eastus --sku Standard_LRS

AzureStealth Scan

(1) Import-Module .\SkyArk.ps1 -force
(2) Start-AzureStealth

AWStealth Scan

(1) Import-Module .\SkyArk.ps1 -force
(2) Start-AWStealth

To run Azure Audit

python -env azure

S3 bucket misconfigurations

Check if a bucket is publicly accessible:

aws s3api get-bucket-acl --bucket [bucket-name]

Check if bucket logging is enabled:

aws s3api get-bucket-logging --bucket [bucket-name]

Check if server-side encryption is enabled

aws s3api get-bucket-encryption --bucket [bucket-name]

IAM misconfigurations

Check for unused IAM users and roles:

aws iam list-users and aws iam list-roles

Check for unused IAM access keys:

aws iam list-access-keys --user-name [user-name]

Check for unused IAM permissions:

aws iam get-policy --policy-arn [policy-arn]

Security Group misconfigurations

Check for open ports in a security group:

aws ec2 describe-security-groups --group-id [security-group-id]

Check for unrestricted outbound traffic:

aws ec2 describe-security-groups --filters Name=ip-permission.protocol,Values=all Name=ip-permission.cidr,Values=

Check for unrestricted inbound traffic from specific IP ranges:

aws ec2 describe-security-groups --filters Name=ip-permission.protocol,Values=tcp Name=ip-permission.cidr,Values=[ip-range]/32

VPC misconfigurations

Check for unused VPCs:

aws ec2 describe-vpcs

Check for unrestricted peering:

aws ec2 describe-vpc-peering-connections --filters Name=status-code,Values=active Name=requester-vpc-info.vpc-id,Values=[vpc-id]

Last updated