# Cloud Info Gathering

## Azure IP Ranges

{% embed url="<https://azurerange.azurewebsites.net/>" %}

## AWS IP Range

Examples:

```bash
https://ip-ranges.amazonaws.com/ip-ranges.json
# Get creation date
jq .createDate < ip-ranges.json

# Get info for specific region
jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json

# Get all IPs
jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json
```

## Online services

```shellscript
https://viewdns.info/
https://securitytrails.com/
https://www.shodan.io/search?query=net%3A%2234.227.211.0%2F24%22
https://censys.io/ipv4?q=s3
```

## Azure AD Recon

```shellscript
https://github.com/dievus/Oh365UserFinder
```

## AWS Recon

```shellscript
https://github.com/righteousgambit/quiet-riot
```

## Google Dorks

```shellscript
site:.amazonaws.com -www "compute"
site:.amazonaws.com -www "compute" "ap-south-1"
site:pastebin.com "rds.amazonaws.com" "u " pass OR password
https://storage.googleapis.com/COMPANY
```

## Check certificate transparency logs

```shellscript
https://crt.sh
%.netfilx.com
```

## Find Cloud Services

```bash
python3 cloud_enum.py -k keywork
python3 CloudScraper.py -u https://example.com
```

## AWS Buckets

Dork:

```shellscript
site:*.s3.amazonaws.com ext:xls | ext:xlsx | ext:csv password|passwd|pass user|username|uid|email
```

## AWS discovering, stealing keys and endpoints

Nimbostratus - check against actual profile:

Example:

```bash
https://github.com/andresriancho/nimbostratus
python nimbostratus dump-credentials
```

ScoutSuite - audit AWS, GCP and Azure clouds:&#x20;

Example:

```bash
https://github.com/nccgroup/ScoutSuite
scout --provider aws --profile stolen
```

Prowler - AWS security assessment, auditing and hardening:&#x20;

```shellscript
https://github.com/toniblyx/prowler
```