The Complexities of Hoarding S3 Buckets

The Complexities of Hoarding S3 Buckets

I originally was interested in S3 Buckets because I continually saw all the places getting breached and suffering data leaks. I thought to myself "how cool would it be to find one of these and report it ?!" A noble idea at the time. I then realised that there were few resources to actually just find buckets. Sure, there were tools to collect the names, but few place to actually search through discovered buckets. That all led to my searchable list of S3 Buckets. I then realised that several other researchers felt the same way. Sure, they were collecting…

Read More

Adventures In S3 Enumeration

Intro It all began with something funny (https://protoxin.net/holiday-message-2017-and-s3-buckets/). It then evolved into this: UPDATE: 335 more S3 buckets added to:https://t.co/AzZ1fEyQ6U Total number of unique S3 buckets: 9095#infosec #netsec— ProToxin (@protoxin_) 13 January 2018 It's truly amazing how far things have progressed in collecting S3 bucket names. When I decided to publish the list of bucket names, I was just over one thousand. At the time of writing, only a few weeks later, I am just shy of ten thousand unique bucket names. We've found a ton of sensitive data which has…

Read More

Holiday Message 2017 + S3 Buckets

Good Morning Readers, I know that I have not exactly been the most active blogger...I'm working on it. While I may not have been active, that does not mean that I would ignore my annual holiday message. I would like to wish all of you an amazing and wonderful Christmas. To those already celebrating, I hope you have a wonderful and safe Chanukah. Things have been insane over here...new job, new home, and working on being a better me. What would a holiday message be without a gift? I have always wanted to have a list of enumerated…

Read More

But What About WebApps? - SSH to the Rescue

So, there I was, on a penetration test and needed to see some web apps that a client had in-house. I had a PwnPro plugged in, however, the VPN proxy script provided was not working and my connection became wonky--and eventually FUBAR--when trying. In comes SSH to the rescue. As usual for these posts, this is really a personal instructional for later. That being said, you are more than welcome to use whatever you can. The Setup Just so there is an overview, I was recently on an internal penetration test. For this test, however, I was completely remote and…

Read More

Veil Evasion + Code Signing = ???

On a recent assessment, it was brought to my attention that in order for most binaries to run, they had to be code signed. I knew what code signing was at a conceptual level, however, how the heck was I actually going to sign my generated payload?! Per the usual, there are probably things I could do better/differently. This was all made up on the spot during an assessment. The Situation As mentioned in the brief abstract at the top, I was recently on an assessment where binaries on the system had to have a digital signature in order…

Read More

Evasion is Getting Easier?

This is a bit of an odd one. While on an assessment, I was tasked with evading detection from an external perspective. I noticed some weird things this industry is doing to make external evasion easier for us attackers. As usual, I could be entirely wrong. Noise Perhaps one of the largest issues when it comes to SIEM is noise. In other words, a ton of offenses that are false positives or not of any business concern. Generally speaking, this is where companies will 'tune' a SIEM. This involves creating rule sets, specifying thresholds, etc. When it comes to the…

Read More

Basic Pivoting With Meterpreter

While this topic has been discussed extensively online, it seems that few people pay attention to markup language and/or links on their posts. How annoying is that?! Really, this post is for my own reference, however, you are more than welcome to use it. ;) The Situation In a recent assessment, I was asked to please ensure that if I infect a host that I use said host to tunnel subsequent meterpreter sessions through. One of the reasons for this was to replicate an attacker pivoting systems to further scan, infect, etc. other systems on the network and other subnets.…

Read More

My Data Quest Continued

A few days ago, I wrote a post about a Twitter data collection project that I've slowly been working on: https://protoxin.net/a-quest-for-data/ ^ that one. Now that it has been a few weeks, where have I been? Well, not too far. Unfortunately, life has been hectic over here (I work for a living, man). Over here, we have been collecting infosec related tweets to not only provide data for our teams, but also to see how things are going in the infosec realm. 1 Million Our first goal was to successfully hit 100,000 tweets collected. After a few…

Read More

Join EFF!