Tips and tools to search for a company's assets that are hosted on a public cloud.

CloudScraper

CloudScraper is a tool to spider and scrape targets in search of cloud resources. Plug in a URL and it will spider and search the source of spidered pages for strings such as 's3.amazonaws.com', 'windows.net' and 'digitaloceanspaces'. AWS, Azure and DigitalOcean resources are currently supported.

Link: https://github.com/RhinoSecurityLabs/CloudScraper

sni-ip-ranges

http://kaeferjaeger.gay/?dir=sni-ip-ranges

Find domains:

wget -O amazon_sni.txt http://kaeferjaeger.gay/sni-ip-ranges/amazon/ipv4_merged_sni.txt
wget -O digitalocean_sni.txt http://kaeferjaeger.gay/sni-ip-ranges/digitalocean/ipv4_merged_sni.txt
wget -O gcp_sni.txt http://kaeferjaeger.gay/sni-ip-ranges/google/ipv4_merged_sni.txt
wget -O azure_sni.txt http://kaeferjaeger.gay/sni-ip-ranges/microsoft/ipv4_merged_sni.txt
wget -O oracle_sni.txt http://kaeferjaeger.gay/sni-ip-ranges/oracle/ipv4_merged_sni.txt
grep -i REDACTED *.txt | cut -d'[' -f2 | cut -d']' -f1 | tr ' ' '\n' | sort | uniq
cat *.txt | grep -F ".TARGET.com" | awk -F'-- ' '{print $2}' | tr ' ' '\n' | tr '[' ' ' | sed 's/ //' | sed 's/\]//' | grep -F ".TARGET.com" | sort -u

Amass

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

GitHub: https://github.com/OWASP/Amass

Search by organisation name:

amass intel -org 'Tesla' -ip

Passive Search:

amass enum -passive -d owasp.org -ip

Active Search:

amass enum -active -d owasp.org -public-dns -brute -w /root/dns_lists/deepmagic.com-top50kprefixes.txt -src -ip -dir amass4owasp -config /root/amass/config.ini -o amass_results_owasp.txt

Once you have found an IP or hostname, check whether it belongs to a public cloud.
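
One way to do that check offline for an asset inventory, as an added example (not from the original page or from any of the tools it lists): match each discovered IP against a provider's published prefix list. It assumes the JSON shape of AWS's ip-ranges.json; the prefixes below are constructed documentation ranges, and the names load_prefixes and classify are hypothetical.

```python
import ipaddress
import json

# Constructed excerpt in the shape of AWS's published ip-ranges.json.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, not real AWS space.
SAMPLE_AWS_RANGES = json.loads("""
{"prefixes": [
   {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
   {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
   {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
   {"ip_prefix": "203.0.113.64/26", "region": "eu-west-1", "service": "S3"}],
 "ipv6_prefixes": [
   {"ipv6_prefix": "2001:db8:1000::/36", "region": "us-east-1", "service": "AMAZON"}]}
""")


def load_prefixes(doc, provider="aws"):
    """Flatten the JSON into (network, provider, region, service) tuples."""
    rows = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            net = ipaddress.ip_network(entry[field])
            rows.append((net, provider, entry["region"], entry["service"]))
    return rows


def classify(address, rows):
    """Return cloud attribution for one IP, or None if no range covers it."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return None  # hostname or junk: resolve it first, then classify
    hits = [r for r in rows if r[0].version == ip.version and ip in r[0]]
    if not hits:
        return None
    # Ranges overlap (a broad "AMAZON" block plus narrower per-service
    # blocks), so attribute to the most specific prefix and list all services.
    net, provider, region, _ = max(hits, key=lambda r: r[0].prefixlen)
    return {"ip": str(ip), "provider": provider, "region": region,
            "prefix": str(net), "services": sorted({r[3] for r in hits})}


if __name__ == "__main__":
    rows = load_prefixes(SAMPLE_AWS_RANGES)
    for candidate in ("198.51.100.10", "203.0.113.70", "192.0.2.5", "www.example.com"):
        print(candidate, "->", classify(candidate, rows))
```
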

If you get a list of hostnames or IPs, use https://github.com/subfission/HostResolver, example: