This post is cross-posted here for longevity. The original was published on the GitLab Security Tech Notes site.
Enumerating Public Cloud Resources With Nuclei
Nuclei, the open-source vulnerability scanner, now supports enumerating public cloud resources. New templates were added that can discover the following:
- AWS Apps
- AWS S3 buckets
- Azure databases
- Azure virtual machines
- GCP AppEngine
- GCP cloud storage buckets
- GCP Firebase applications
- GCP Firebase RTDBs
Using the cloud/enum templates
You can see the templates here, or in ~/nuclei-templates/cloud/enum on a system with Nuclei installed.
These templates are self-contained, meaning they do not operate against a list of hosts like most Nuclei templates. Instead, you provide a list of keywords to perform brute-force discovery.
Basic usage
The simplest usage of these templates is to check a single service for a single keyword. For example, to find a GCP storage bucket called “test-storage-bucket”, run the following command:
nuclei -t "cloud/enum/gcp-bucket-enum.yaml" \
-var wordlist="test-storage-bucket"
If you’d like to check all enumeration templates for any cloud resources with the exact name “test-cloud-resource”, you could run the following command:
nuclei -t "cloud/enum/*" \
-var wordlist="test-cloud-resource"
The examples above aren’t that useful, as they require you to already know what you’re looking for. In reality, you want to make a lot of guesses based on a list of words. To do this, you simply provide the path to a text file as the wordlist variable and Nuclei handles the rest.
nuclei -lfa -t "cloud/enum/*" \
-var wordlist="/path/to/wordlist.txt"
Generating wordlists with alterx
We can use another ProjectDiscovery tool, alterx, to generate wordlists for us by mutating one or more base terms. That tool is meant to produce subdomains, but we can make it work with some slight customization.
First, create a custom alterx patterns file called patterns.txt. It should contain the following text:
{{base}}{{mutation}}
{{base}}-{{mutation}}
{{base}}.{{mutation}}
{{mutation}}{{base}}
{{mutation}}-{{base}}
{{mutation}}.{{base}}
Then, get yourself a nice wordlist of mutations. You can start with the fuzz.txt file from the cloud-enum tool here.
You can then run the following command to fuzz cloud resources related to the term mysecretcompany:
# First generate a wordlist
echo "null" | alterx \
-pp base="mysecretcompany" \
-pp mutation=fuzz.txt \
-p patterns.txt > wordlist.txt
# Then run all cloud enum templates across that wordlist
nuclei -lfa -t "cloud/enum/*" \
-var wordlist=wordlist.txt
If you want to provide several base terms, put them in a file called terms.txt and use the following commands instead:
# First generate a wordlist
echo "null" | alterx \
-pp base=terms.txt \
-pp mutation=fuzz.txt \
-p patterns.txt > wordlist.txt
# Then run all cloud enum templates across that wordlist
nuclei -lfa -t "cloud/enum/*" \
-var wordlist=wordlist.txt
Tips for better results
Nuclei is a popular tool, which means it is used by a lot of folks with the default settings. You should definitely try it this way, as it allows you to see what many others will also be seeing. However, if you want to find new things that others have not yet found, you will need to customize your approach. That means creating your own patterns and permutations.
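The six patterns.txt mutations above, written out as a small POSIX shell generator so you can inspect and prune the candidate list before the templates send one request per name. This is an added example, not code from the original post or from ProjectDiscovery's alterx; the function names, the S3 naming filter and the sample terms are constructed for this example.

```shell
# Added example (not from the original post or from alterx): reproduce the
# patterns.txt mutations in plain sh, lowercase and deduplicate the result,
# and optionally drop names that can never be valid S3 buckets.

# gen_wordlist "BASE TERMS" "MUTATIONS": print one candidate per line.
# Both arguments are whitespace-separated lists. Output is lowercased
# (cloud resource names are lowercase) and deduplicated, so a mutation
# listed twice in fuzz.txt does not cost extra requests.
gen_wordlist() {
  bases=$1
  mutations=$2
  for b in $bases; do
    for m in $mutations; do
      # the same six patterns as patterns.txt, in the same order
      printf '%s\n' "${b}${m}" "${b}-${m}" "${b}.${m}" \
                    "${m}${b}" "${m}-${b}" "${m}.${b}"
    done
  done | tr '[:upper:]' '[:lower:]' | awk '!seen[$0]++'
}

# count_wordlist "BASE TERMS" "MUTATIONS": number of unique candidates,
# i.e. roughly how many requests each template will make per service.
count_wordlist() {
  gen_wordlist "$1" "$2" | wc -l | tr -d ' '
}

# s3_bucket_names: keep only candidates that satisfy S3 bucket naming rules
# (3-63 chars, lowercase letters/digits/dots/hyphens, starts and ends with a
# letter or digit, no adjacent dots). Use it only when feeding the S3
# template; Azure and GCP resource names follow different rules.
s3_bucket_names() {
  grep -E '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$' | grep -v '\.\.'
}

# Constructed sample input: one base term and three mutations standing in
# for a real fuzz.txt. Typical use, matching the commands in the post:
#   gen_wordlist "$SAMPLE_BASE" "$SAMPLE_MUTATIONS" > wordlist.txt
#   nuclei -lfa -t "cloud/enum/*" -var wordlist=wordlist.txt
SAMPLE_BASE="mysecretcompany"
SAMPLE_MUTATIONS="dev backup prod"
```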
Special thanks
Special thanks to the ProjectDiscovery team, who worked hard to add functionality to Nuclei to make these new templates possible. You can view the original pull request here, which was an effort to port the functionality of a single-purpose enumeration utility over to Nuclei. Leveraging Nuclei as the engine allows security folks to focus on what matters, saving many hours and lines of code.
If you’d like to add support for additional cloud resources, you can contribute directly to the nuclei-templates project.