Technical

How to search for Open Amazon S3 Buckets and their contents

How to search for Open Amazon s3 Buckets and their contents — https://buckets.grayhatwarfare.com

GrayHatWarfare created https://buckets.grayhatwarfare.com/ a free tool that lists open s3 buckets and helps you search for interesting files.

For an intro on what Amazon open buckets are, please read the following: https://blog.rapid7.com/2013/03/27/open-s3-buckets/

In essence, many files are publicly accessible, some by design. These files sometimes include very sensitive data. https://github.com/nagwww/s3-leaks has a list of the biggest leaks recorded.

Another reason why application owners who provide backups solutions and cloud storage should be encrypting their data before placing it on S3.  Anything less is negligence on their part.

Since this was exposed, many projects have been created that can enumerate s3 buckets:

All these tools/projects have some common problems:

  • The real problem is where to find the list to brute-force for buckets,  and not actually doing the brute-force.
  • All tools/projects only scan the first page for results.
  • thebuckhacker.com includes uninteresting files and useful results tend to be lost in the noise. Also, the first 1000 results of each bucket are fairly limited.
  • The process is slow and not productive. It’s not very useful for pen-testers to run a tool to run for days, save the exports somewhere and then grep them whenever they want to search for something. What is better is a useful tool in front of a large database.

 

Now there is  http://buckets.grayhatwarfare.com/.  Which took the ideas of the many projects and tools previously mentioned above.

The project’s features are:

  • It is a searchable database of open buckets.
  • Includes millions of results within buckets (In the future might be more).
  • Cleaned up and removed uninteresting files like images. Most images names are auto-generated.
  • Currently has ~180.000.000 files. Included are all images that number would go up to a few billion, which is a completely different system.
  • As of today, 70 000 and growing buckets are listed (not all of them have “interesting” files)
  • Full-text search with binary logic (can search for keywords and also stopwords)
  • List of the buckets.
  • The user can browse the contents of the bucket.
  • Excluded a lot of other things that are not interesting like cloud-watch logs.
  • Found a solution to the problem on how to generate possible names for buckets. The process reviles some hundreds of new buckets per day.
  • Automated the process.

The project is currently free and running on servers paid by me. There are some limitations in place to protect resources, but otherwise pentesters can use this on their daily tasks.

Whats to come in grayhatwarfare.com

Lots of cool things:

  • Subdomains pointing to expired buckets which can lead to something like this: https://www.reddit.com/r/netsec/comments/8t0pb2/how_i_hacked_applecom/
  • Huge lists of exposed version control (.git) which can expose the website’s repository (Source, password files, log files etc).
  • Exposed cameras/IOT devices.
  • Huge resources like extremely large (actual) cracked password lists.

 

Ref Source

Privacy & Google Search Alternatives

When it comes to privacy, using Google search is not the best of ideas. When you use their search engine, Google is recording your IP address, search terms, user agent, and often a unique identifier, which is stored in cookies.

Here are a few Google search alternatives

 

DuckDuckGo is a US-based search engine that was started by Gabriel Weinberg in 2008. It generates search results from over 400 sources including Wikipedia, Bing, Yandex, and Yahoo. DuckDuckGo has a close partnership with Yahoo, which helps it to better filter search results. This is a great privacy-friendly Google alternative that doesn’t utilize tracking or targeted ads.

Searx is a very privacy-friendly and versatile open source metasearch engine that gathers results from other search engines while also respecting user privacy. One unique aspect with Searx is that you can run your own instance

Qwant – is a private search engine that is based in France and was started in 2013. Being based in Europe, the data privacy protections are much stricter, as compared to the United States.

Metager – is a private search engine based in Germany, implementation of free access to knowledge and digital democracy. Ref: https://metager.de/en/about

StartPage – StartPage gives you Google search results, but without the tracking.
Ref: https://classic.startpage.com/eng/protect-privacy.html#hmb

 

vSphere Integrated Containers

vSphere Integrated Containers provides critical enterprise container infrastructure to help IT Operating teams run both traditional and containerized applications providing a number of benefits:

  • security
  • isolation
  • management
  • speed
  • agility

I am looking forward to getting my hands on this and expanding my knowledge on how vSphere Integrated Containers (VIC) works in the real world. vSphere Integrated Containers includes the following three major components:

  • vSphere Integrated Container EngineDocker Remote API-compatible engine deeply integrated into vSphere for instantiating container images that are run as VMs
  • Container Management PortalPortal for apps teams to manage the container repositories, images, hosts, and running container instances
  • Container RegistrySecurely stores container images with built-in RBAC and image replication.

For now its research time; later I get to have some hands-on fun. Here are some interesting links:

How to: Disable the Windows Store

 

One of the features of Windows 10, is the Windows Store.  The Windows Store is a digital distribution platform for Microsoft Windows. It started as an app store for Windows 8 and Windows Server 2012 as the primary means of distributing Universal Windows Platform apps.

Ref: https://en.wikipedia.org/wiki/Microsoft_Store_(digital)

As system configurators and administrators, this may be problematic as it introduces new configuration that was not expected or supported by the IT Staff.  To mitigate this the following steps can be used to disable the Windows Store.

This can be disabled via local group policy or via active directory domain services group policy.

Type gpedit in the search bar to find and start Group Policy Editor.

In the console tree of the snap-in, click Computer Configuration, click Administrative Templates, click Windows Components, and then click Store.

In the Setting pane, click Turn off Store application and then click Edit policy setting.

On the Turn off Store application setting page, click Enabled, and then click OK.

 

Considerations:

These policies are applicable to users of the Enterprise and Education editions only. ref: https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy

 

Configure preferred geo data location in Office 365

 

GDPR had me thinking about Multi-Geo in Office 365

By default, Office 365 resources for your users are located in the same geo as your Azure AD tenant. So, if your tenant is located in North America, then the users’ Exchange mailboxes, OneDrive is also located in North America. For a multinational organization, this might not be optimal for various reasons.

Reasons such as

  • Performance and
  • Data residency requirements for data-at-rest

Multi-Geo enables a single Office 365 tenant to span across multiple Office 365 data-center geographies (geos) and gives customers the ability to store their Exchange and OneDrive data, at-rest, on a per-user basis, in their chosen geos

By setting the attribute preferredDataLocation, you can define a user’s geo

A list of all geos for Office 365 can be found here or long URL format: https://products.office.com/en-us/where-is-your-data-located?geo=All

These values can be set in your Office 365 tenant via PowerShell or Azure AD Connect.

In PowerShell – 

# Connect to Office 365 – by Jermal Smith (@jermsmit)
Set-ExecutionPolicy RemoteSigned
# Get-Credential – You will be asked for username / password
$credential = Get-Credential
# Import-Module MsOnline
Import-Module MsOnline
# If this step fails in error – Install-Module MsOnline
# Connect to MsolService using supplied credentials
Connect-MsolService -Credential $credential

Then use the command: Set-MsolCompanyAllowedDataLocation followed by service type and location.

Ref: https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanyalloweddatalocation?view=azureadps-1.0

After you have assigned Data Locations you can then set users to the location by issue the following example command:

Set-MsolUser -UserPrincipalName jsmith@jermsmit.com -PreferredDataLocation EUR

Then confirming with:

Get-MsolUser -UserPrincipalName jsmith@jermsmit.com | Select PreferredDataLocation

The above works well for new users, but for existing user’s you will need to trigger a migration with the following command:

Start-SPOUserAndContentMove -UserPrincipalName jsmith@jermsmit.com -DestinationDataLocation EUR

Ref: https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/start-spouserandcontentmove?view=sharepoint-ps

Lastly… “To be eligible for Multi-Geo, you must have at least 5,000 seats in your Office 365 subscription” As this is just getting released I am confident more information will be known soon.