Adventures In S3 Enumeration

Intro

It all began with something funny (https://protoxin.net/holiday-message-2017-and-s3-buckets/). It then evolved into this:

UPDATE: 335 more S3 buckets added to: https://t.co/AzZ1fEyQ6U Total number of unique S3 buckets: 9095 #infosec #netsec — ProToxin (@protoxin_) 13 January 2018

It's truly amazing how far things have progressed in collecting S3 bucket names. When I decided to publish the list of bucket names, I was just over one thousand. At the time of writing, only a few weeks later, I am just shy of ten thousand unique bucket names. We've found a ton of sensitive data which has…

But What About WebApps? - SSH to the Rescue

So, there I was, on a penetration test and needed to see some web apps that a client had in-house. I had a PwnPro plugged in, however, the VPN proxy script provided was not working and my connection became wonky--and eventually FUBAR--when trying. In comes SSH to the rescue. As usual for these posts, this is really a personal instructional for later. That being said, you are more than welcome to use whatever you can.

The Setup

Just so there is an overview, I was recently on an internal penetration test. For this test, however, I was completely remote and…

A Quest For Data and The Adventure It Took Me On

Those that know me know that I love messing with data. For some time now, I've operated several collection nodes for data ranging from pastebin scraping, Twitter "stuff", open systems on the net, and more. Over the past weekend, I decided that I wanted to collect data from Twitter via specified keywords. Having done this numerous times, it was decided that things needed to be done a bit differently. This time, I was going to actually see my data. I'll try to make this as quick as possible.

The Problem

Perhaps a big problem with someone like me;…
