Sandcastle – AWS S3 Bucket Enumeration Tool – 10 minute mail

Sandcastle is a Python-based Amazon AWS S3 Bucket Enumeration Tool, formerly known as bucketCrawler. The script takes a target’s name as the stem argument (e.g. shopify) and iterates through a file of bucket name permutations.


Amazon S3 [Simple Storage Service] is cloud storage for the Internet. To upload your data (photos, videos, documents etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket.

In terms of implementation, buckets and objects are resources, and Amazon S3 provides APIs for you to manage them.

Examples of the suffixes it appends to the stem (with the stem shopify, the names probed are shopify-training, shopify-bucket, and so on):

  • -training
  • -bucket
  • -dev
  • -attachments
  • -photos
  • -elasticsearch
  • […]

You can find the example bucket names file here.

Using Sandcastle – AWS S3 Bucket Enumeration Tool

Here’s how to get started:

  • Clone this repo (PyPi distribution temporarily disabled).
  • Run sandcastle.py with a target name and input file (grab an example from this repo)
  • Matching bucket permutations will be identified, and read permissions tested.

Status codes and testing for Sandcastle – AWS S3 Bucket Enumeration Tool

  • 404 – Bucket Not Found – the name is unused; not a target for analysis (hidden by default)
  • 403 – Access Denied – the bucket exists but anonymous access is refused; potential target for analysis with credentials via the CLI
  • 200 – Publicly Accessible – anonymous listing is allowed; potential target for analysis via the CLI
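The permutation loop and the status-code triage described above, as an added Python example. This is not Sandcastle's own code: the suffix list is a constructed stand-in for its input file, the bucket-name validity check and the 301/307 "exists in another region" verdict are additions, and the probe function is injectable so the classification can be exercised without touching the network.

```python
"""Added example: build S3 bucket-name permutations from a target stem and
classify the anonymous HTTP response as the Sandcastle status-code table does.
Not Sandcastle's code; SAMPLE_SUFFIXES is a constructed stand-in for its file."""
import re
import urllib.error
import urllib.request

# Constructed sample of the kind of suffix file the tool iterates over.
SAMPLE_SUFFIXES = ["-training", "-bucket", "-dev", "-attachments", "-photos", "-elasticsearch"]

# S3 naming rules that matter for probing: 3-63 chars, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit, no "..".
_VALID_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def candidates(stem, suffixes):
    """Yield every valid bucket name formed by stem + suffix (blank/comment lines skipped)."""
    stem = stem.strip().lower()
    for suffix in suffixes:
        suffix = suffix.strip()
        if not suffix or suffix.startswith("#"):
            continue
        name = stem + suffix
        if _VALID_NAME.match(name) and ".." not in name:
            yield name


def classify(status):
    """Map the HTTP status of an anonymous request to the bucket endpoint to a verdict."""
    if status == 404:
        return "not-found"        # NoSuchBucket: the name is free, not a target
    if status == 403:
        return "exists-denied"    # bucket exists, anonymous access refused: retest with credentials
    if status == 200:
        return "public-listing"   # anonymous listing allowed: publicly accessible
    if status in (301, 307):
        return "exists-redirect"  # bucket exists but is served from another region
    return "unknown-%s" % status


def http_probe(name, timeout=5):
    """Anonymous HEAD against the virtual-hosted-style endpoint; HTTP status or None on failure."""
    req = urllib.request.Request("https://%s.s3.amazonaws.com/" % name, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code           # 403, 404 and 301 all arrive as HTTPError
    except urllib.error.URLError:
        return None               # DNS or connection failure: nothing to say


def enumerate_buckets(stem, suffixes, probe=http_probe, show_not_found=False):
    """Return {bucket_name: verdict}; 404s are hidden unless show_not_found is set."""
    results = {}
    for name in candidates(stem, suffixes):
        status = probe(name)
        if status is None:
            continue
        verdict = classify(status)
        if verdict == "not-found" and not show_not_found:
            continue
        results[name] = verdict
    return results


if __name__ == "__main__":
    # Live run; only probe names belonging to a target you are authorised to test.
    for bucket, verdict in enumerate_buckets("example-target", SAMPLE_SUFFIXES).items():
        print(bucket, verdict)
```

A 403 is the interesting middle case: the bucket is real, so the next step is to retry the listing with an authenticated identity (any AWS account), since a bucket granting READ to AuthenticatedUsers returns 403 to anonymous callers but lists fine once signed.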

You can download Sandcastle here:

sandcastle-1.2.3.zip

Or read more here.


Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random email addresses that last 10 minutes. The service is also known by names like temporary mail, disposable mail, throwaway email, one-time mail and anonymous email address. All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Hackers Attack Amazon Web Services Server – Disposable mail news


A sophisticated group of attackers compromised servers hosted on Amazon Web Services (AWS). They installed a rootkit that let them remotely control the servers and exfiltrate sensitive corporate data to their command-and-control (C2) infrastructure. Both Windows and Linux hosts in the victim's AWS environment were breached.
A report published last week by the British security firm Sophos has drawn attention across the cybersecurity industry.

According to Sophos, the attackers bypassed AWS security groups (SGs) with ease. A security group is the firewall attached to an EC2 instance (the virtual server that runs the application); it is meant to ensure that only approved traffic ever reaches the instance.
The unnamed victim had configured its security groups correctly. The rootkit nevertheless gave the attackers remote access, because its C2 traffic rode on the ports the security groups already allowed inbound: from the firewall's point of view it looked like ordinary traffic to the Linux servers. That is the state in which Sophos found the hosts when it was called in.
Sophos stressed that the victim could have been anyone; the technique is not specific to AWS.

The weakness was not in AWS itself: the same piggybacking technique would work against most, if not all, boundary firewalls. Security experts believe the attackers are likely state-sponsored. Sophos named the campaign "Cloud Snooper". One expert called it a beautiful piece of work from a technical point of view, adding that such intrusions happen all the time and this one only drew attention because the victim was a high-profile organisation. Questions about the attack remain, but the most important one, how the attack was carried out, has been answered.


About the attack 


“An analysis of this system revealed the presence of a rootkit that granted the malware’s operators the ability to remotely control the server through the AWS SGs. But this rootkit’s capabilities are not limited to doing this in the Amazon cloud: It also could be used to communicate with, and remotely control, malware on any server behind any boundary firewall, even an on-premises server.
By unwinding other elements of this attack, we further identified other Linux hosts, infected with the same or a similar rootkit,” said Sophos.



AWS S3 Misconfiguration Explained – And How To Fix It

A technical write-up explaining AWS S3 misconfiguration is available on our Labs blog.

AWS Simple Storage Service (often shortened to S3) is used by companies that don't want to build and maintain their own storage repositories. With S3 they store objects and files in Amazon's hosted object storage instead of on their own physical racks; in simple terms, the service is "a Dropbox for IT and tech teams". After creating a bucket, a user can start storing source code, certificates, passwords, content, databases and other data in it. While AWS promises safely stored data and secure uploads and downloads, the security community has long pointed out severe misconfigurations on the customer side. If your bucket is misconfigured, attackers could get full access to it, allowing them to list, download, upload and overwrite files.

The Disposable mail Team has taken a deep dive into S3 access controls and will explain how easy it is for attackers to exploit these misconfigurations. Continue reading if you want to know how to prevent this from happening.

How it is done

The S3 bucket name is not a secret, and there are many ways to figure it out: it often appears in page source, DNS records or error messages, or can simply be guessed from the company name. Once the attacker knows it, there are several misconfigurations that can be used to either access or modify information, leading to three different scenarios. Using the AWS Command Line Interface to talk to the S3 API, the attacker can:

  • list and read the files in the bucket
  • write or upload files to the bucket
  • change the access rights of the bucket and its objects and control the content of the files (full control of the bucket does not by itself give the attacker read access to existing objects, whose ACLs are separate, but it does let them overwrite or delete those objects)

Note that attackers can do all of this without the company hosting the bucket ever noticing, unless access logging is enabled and someone actually reviews it.

AWS is aware of the issue, but since it is caused by customer misconfiguration rather than a flaw in the service, a platform-side fix should not be expected.

S3 misconfiguration explained

What can happen

When Disposable mail's Security Advisor Frans Rosén, a prominent white-hat hacker, did the underlying research for his proof-of-concept blog post, he was able to control assets on high-profile websites: he could overwrite files, upload arbitrary files, and download intellectual property.

Disclaimer:
All instances disclosed in the Labs post were reported to the affected parties using responsible disclosure policies. In some of the cases, third party companies were involved and we got assistance from the companies affected to contact the vulnerable party.

Since so many companies store sensitive data in S3 buckets, any leak could be devastating. You might remember the Million Dollar Instagram Bug that allowed security researcher Wes Wineberg to access every single image and account on Instagram. This was only possible because he had gained access to Instagram’s S3 bucket, where the company stored everything from source code to images. “To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” wrote Wineberg. “With the keys I obtained, I could now easily impersonate Instagram, or impersonate any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, private pictures and data.”

Here is another example of a public bug bounty report where a security researcher could write files to HackerOne’s bucket without any read access: https://hackerone.com/reports/128088

How to fix it

  • Change the privileges on your bucket: https://docs.aws.amazon.com/AmazonS3/latest/UG/EditingBucketPermissions.html (the AWS CLI is also the quickest way to confirm that exploitation is possible before the change, and no longer possible after it)
  • Scan your website with Disposable mail (if you already have a Disposable mail account and would like to check your S3 configuration, simply create a new scan profile pointing to your S3 bucket)
  • Read the detailed guides and resources in the tool

Additional reading:
https://cloudacademy.com/blog/amazon-s3-security-master-bucket-polices-acls/

Test if you are vulnerable with Disposable mail

Disposable mail scans for S3 misconfigurations with a severity range between 4.4-9 on the CVSS scale. They are all placed in the security misconfiguration category in the Disposable mail tool.

The 6 vulnerability types are:

  • Amazon S3 bucket allows for full anonymous access
  • Amazon S3 bucket allows for arbitrary file listing
  • Amazon S3 bucket allows for arbitrary file upload and exposure
  • Amazon S3 bucket allows for blind uploads
  • Amazon S3 bucket allows arbitrary read/writes of objects
  • Amazon S3 bucket reveals ACP/ACL
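The attacker scenarios under "How it is done", the "How to fix it" step, and the six finding types above can all be checked from two documents the bucket owner can fetch with the AWS CLI: `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME`. The Python below is an added example, not code from the Labs post or from the scanner: it grades those two documents, and the mapping of grants onto the six names is this example's own reading of them. The weak and fixed configurations it ships with are constructed samples, and the account ID in the fixed policy is a placeholder.

```python
"""Added example (not the Labs post's code): grade an S3 bucket ACL and bucket
policy against the six misconfiguration types. Input is the JSON returned by
`aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`; samples are constructed."""
import fnmatch
import json

ANON_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the Internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: effectively public
}
_EXPAND = {"FULL_CONTROL": {"READ", "WRITE", "READ_ACP", "WRITE_ACP"}}  # FULL_CONTROL is shorthand


def public_acl_grants(acl):
    """Permissions the bucket ACL gives to the anonymous / any-AWS-account groups."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in ANON_GROUPS:
            perms |= _EXPAND.get(grant["Permission"], {grant["Permission"]})
    return perms


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_actions(policy):
    """Lower-cased action patterns that Allow statements grant to Principal '*'.
    Statements carrying a Condition are counted too: a condition such as aws:SourceIp
    may narrow them, so review those by hand instead of trusting this verdict."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    if isinstance(policy.get("Policy"), str):
        policy = json.loads(policy["Policy"])   # get-bucket-policy wraps the document in a string
    statements = policy.get("Statement", [])
    actions = set()
    for st in ([statements] if isinstance(statements, dict) else statements):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        acts = st.get("Action", [])
        actions |= {a.lower() for a in ([acts] if isinstance(acts, str) else acts)}
    return actions


def _allows(actions, wanted):
    """True if any granted pattern (s3:*, s3:Get*, ...) covers the wanted action."""
    return any(fnmatch.fnmatchcase(wanted.lower(), pat) for pat in actions)


def assess(acl, policy=None):
    """Return the names of the misconfiguration types that apply (this example's own mapping)."""
    perms = public_acl_grants(acl)
    actions = public_policy_actions(policy or {})
    can_list = "READ" in perms or _allows(actions, "s3:ListBucket")
    can_write = "WRITE" in perms or _allows(actions, "s3:PutObject")
    can_read = _allows(actions, "s3:GetObject")       # object reads come from policy or per-object ACLs
    can_read_acl = "READ_ACP" in perms or _allows(actions, "s3:GetBucketAcl")
    findings = []
    if "WRITE_ACP" in perms or _allows(actions, "s3:PutBucketAcl") or _allows(actions, "s3:*"):
        findings.append("full anonymous access")              # outsider can rewrite the ACL itself
    if can_list:
        findings.append("arbitrary file listing")
    if can_write and (can_list or can_read):
        findings.append("arbitrary file upload and exposure")  # upload, then find or fetch it
    elif can_write:
        findings.append("blind uploads")                       # the HackerOne case: write, no read
    if can_write and can_read:
        findings.append("arbitrary read/writes of objects")
    if can_read_acl:
        findings.append("reveals ACP/ACL")
    return findings


# Constructed weak configuration: AllUsers READ + WRITE on the bucket, public GetObject.
WEAK_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
WEAK_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})}
# The fix: owner-only ACL and a policy scoped to one principal (account ID is a placeholder).
FIXED_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-server"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print("weak :", assess(WEAK_ACL, WEAK_POLICY))
    print("fixed:", assess(FIXED_ACL, FIXED_POLICY))
```

AuthenticatedUsers is treated exactly like AllUsers on purpose: any AWS account in the world qualifies, so a grant to that group is public in every sense that matters to an attacker.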

Read Frans’ full blog post if you want a more detailed walkthrough of the misconfiguration, and reach out to us if you have any questions!

//The Disposable mail Team



Disposable mail and AWS Security Solution Successes: KRY

About the company:

KRY offers video consultations with licensed doctors through their app and is revolutionizing the healthcare sector by making quality healthcare safe and easy to access.

The problem

KRY has spent a lot of time discussing security with county councils to ensure it fulfills even the toughest requirements. Healthcare services need to satisfy the strictest security measures, which is why KRY has been very selective when choosing the right tools to secure their patients’ sensitive data.

KRY was running on AWS and was looking for a security company that understood the AWS infrastructure. Disposable mail, which is itself built on AWS and has extensive experience with AWS services and infrastructure, including building serverless services with Docker on AWS, was therefore a good fit for KRY.

The solution

Disposable mail consulted with KRY and recommended that they test the security of their whole environment, including production, in order to find vulnerabilities. Since we continuously implement unique tests for AWS CloudFront and S3 buckets, we can help KRY continue to operate in a safe environment.

Results

KRY are continuously using Disposable mail to test the security of their whole environment. The service has enabled them to set high goals for their security status, and helped them increase the security awareness in their organisation.

Sample Architecture


Read more about Disposable mail’s AWS application vulnerability scanning pre-authorization and advanced technology partner status.


Disposable mail and AWS Security Solution Successes: Sonokinetic

About the company

Sonokinetic BV is a virtual instruments manufacturer based in the Netherlands catering to composers in the media industry. The company produces professional audio tools that change the way content is created and help composers focus on their creativity without losing time getting stuck on technical aspects of the digital production path.

The Problem

The key challenge Sonokinetic faced is that technology changes rapidly, and they wanted to move fast while keeping up with the latest security threats. Since they found it hard to stay on top of potential vulnerabilities, they were looking for a solution that worked well with the AWS infrastructure, had security tests specific to AWS technology, and could help them stay on top of security threats.

Proposed Solution

Disposable mail consulted with Sonokinetic and recommended that they continuously run Disposable mail scans on their application to make sure it stays safe.

Results

By using Disposable mail, Sonokinetic utilize the knowledge of over 100 handpicked ethical hackers to continuously detect the latest security issues on their web application, including AWS specific vulnerabilities. The extensive knowledge base provides the Sonokinetic team with information on how to fix their identified vulnerabilities, allowing them to stay on top of threats and continue to operate in a safe environment.

Sample Architecture

Read more about Disposable mail’s AWS application vulnerability scanning pre-authorization and advanced technology partner status.


Disposable mail achieves advanced technology partner status with AWS

Disposable mail is excited to be recognized as an advanced technology partner by Amazon Web Services (AWS). The Sweden-based IT security company has also been granted pre-authorization for application vulnerability scanning, enabling customers hosting applications on AWS to use Disposable mail to scan their applications without having to submit an approval request to AWS in advance of each scan.

AWS Advanced Technology Partner

Earlier this month, Disposable mail was granted pre-authorization status for application vulnerability scanning, and has also achieved the advanced technology partner status in the Amazon Web Services (AWS) Partner Network (APN). Disposable mail provides an automated web security scanner, which is currently used by companies from a wide range of different industries, such as Trello, KING and Le Monde.

“We are very excited to be recognized as advanced technology partners, and have our vulnerability application scanner pre-authorized by AWS”, says Rickard Carlsson, CEO of Disposable mail. “It will allow AWS users to easily start running security tests on their web applications, and continuously test them for over 700 vulnerabilities.”

Disposable mail was founded in 2013 by a group of top-ranked security experts known for finding severe vulnerabilities in Google, PayPal and Facebook. They used their white-hat hacker knowledge to build an online security scanner that automatically tests web applications for 700+ vulnerabilities. Disposable mail provides users with information on how to fix their findings and lets them follow their progress over time. In addition, the company draws on the knowledge of 100 handpicked ethical hackers to ensure that the scanner always checks for the latest vulnerabilities.

AWS applies a shared responsibility model: security and compliance are shared between AWS and the customer. This can relieve the customer's operational burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service runs. The customer remains responsible for the guest operating system (including updates and security patches), any application software running on it, and the configuration of the AWS-provided security group firewall. Within that split, AWS customers can operate in a safe environment while still moving fast, deploying code quickly and staying secure.


Cloud security basics: 9 security issues to address as you move to cloud services

The scalability advantage of cloud computing can only be sustained if the cloud security basics are applied. A cloud service provider takes care of the physical security of its data centres, while the organization storing data there is responsible for its own cloud security configuration. Cloud providers keep adding security features, yet we continue to see data in the cloud compromised because of misconfigured settings. This tells us just how widespread the issue has become since we reported on it last year. We've highlighted this and 8 other cloud security basics every cloud user should know:

1) Data Breaches and misconfigured cloud storage:

What can we learn from recent S3 bucket leaks? Misconfigurations are common, they happen, and they can be fixed easily; disasters occur when they are not fixed. Many incidents were due to a misconfigured or weak access control list. Whether you manage Amazon S3 buckets, Azure blobs or Google Cloud Storage, the organization must take ownership of this to safeguard the sensitive information it keeps in cloud storage. By doing so, you make sure that only the right people hold the right credentials, and you keep out malicious hackers and any other unauthorized users, including third-party vendors.

2) Check for forgotten subdomains:

Subdomains can be taken over by an attacker with the help of external services. In 2014, the Disposable mail security research team discovered a serious attack vector that lets an attacker take control of a subdomain because of DNS misconfigurations, in a way that is not noticeable to the domain owner. Thanks to this research, we automated tests for it, called Asset Monitoring. If you are not using our scanner, you can still remediate this manually by going through all DNS entries and removing every entry that is active but unused, or that points to an external cloud-based service you no longer use.
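The manual DNS review described above, as an added Python example that is not part of the original post or of the scanner. It parses a BIND-style zone export (the same triage applies to records listed from Route 53), keeps the CNAME records, and sorts them into three bins: targets that no longer resolve (dangling), targets under a third-party service that still resolve but whose ownership needs checking, and the rest. The zone file is constructed, the provider-suffix list is illustrative rather than exhaustive, and the resolver is injectable so the logic runs offline.

```python
"""Added example (not the post's code): triage a DNS zone export for
subdomain-takeover candidates. The zone below is constructed."""
import socket

# Third-party services the post names as takeover targets, by CNAME suffix.
# Illustrative only; whether an orphaned name is claimable depends on each provider.
PROVIDER_SUFFIXES = (".herokuapp.com", ".github.io", ".squarespace.com", ".s3.amazonaws.com")

SAMPLE_ZONE = """
; constructed sample export
www.example.com.   300 IN A     192.0.2.10
blog.example.com.  300 IN CNAME old-blog.herokuapp.com.
docs.example.com.  300 IN CNAME example-org.github.io.
shop.example.com.  300 IN CNAME orphan.example-cdn.net.
cdn.example.com.   300 IN CNAME edge.example-cdn.net.
"""


def parse_zone(text):
    """Parse 'name TTL IN TYPE target' lines into (name, type, target) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # drop comments and blank lines
        parts = line.split()
        if len(parts) < 4:
            continue
        name, rtype, target = parts[0], parts[-2].upper(), parts[-1]
        records.append((name.rstrip(".").lower(), rtype, target.rstrip(".").lower()))
    return records


def resolves(hostname):
    """Default resolver: does the CNAME target still have an address?"""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


def triage(records, resolver=resolves):
    """Classify each CNAME as 'dangling' (target gone), 'external' (third-party
    service; confirm the instance is still yours) or 'ok'."""
    verdicts = {}
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        if not resolver(target):
            verdicts[name] = "dangling"
        elif target.endswith(PROVIDER_SUFFIXES):
            verdicts[name] = "external"      # resolves, but is the service instance still yours?
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(parse_zone(SAMPLE_ZONE)).items()):
        print("%-20s %s" % (host, verdict))
```

"External" deserves the closer look: hosts such as *.github.io or *.herokuapp.com keep resolving after the tenant deletes the app, so a resolving target proves nothing. Either way, the remediation the post gives is the same: delete the record if the service behind it is no longer yours.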

3) Weak Identity, Credential and Access Management:

Two-factor authentication, password or identity controls and proper employee off-boarding are simple measures that keep information from falling into the wrong hands. Beyond strong password policies, encrypt traffic in transit with SSL/TLS certificates, and protect your mail domains against spoofing with SPF and DMARC records. When an employee leaves the company, their accounts should be deactivated immediately so that they are not forgotten and left as an open door.

4) Broken authentication:

It is critical that a user cannot execute functions on cloud services that they are not authorized for. An example would be preventing an unauthenticated person from uploading files into a "protected" cloud storage bucket. This is governed by an upload policy with a set of requirements, and unfortunately these policies are often too loose, as shown in Frans Rosén's research, Bypassing and exploiting Bucket Upload Policies and Signed URLs. An upload policy should be created specifically for every file-upload request or per user, with the object key and size pinned rather than left open.

5) Check that user details and API keys are not left out in the open:

With sharing comes the responsibility not to share too much. Several high-profile companies, including Uber and Slack, have unfortunately learned this the hard way after accidentally pushing code to GitHub that contained sensitive information. The ubiquitous use of GitHub and other open-source coding platforms benefits the developer community through knowledge and best-practice sharing, but security still applies: code that is uploaded, and especially legacy code, should be checked so that no passwords, user tokens or API keys are exposed, including in the commit history. Default settings should not be relied on either, as they are often set to 'public'.

6) Logging and Monitoring:

Good practices around logging and monitoring server activity are essential to keep an eye on your cloud security status. With sufficient logging and monitoring you become aware of malicious activity and can answer the question "are we even interesting enough to hack?" Collecting the information is not enough, though: someone must act on it promptly so that any substantial risk to the cloud environment is mitigated as soon as possible.

7) Continuous monitoring of common vulnerabilities and patch them:

Injection is on the OWASP Top 10 list for good reason: cloud-hosted services can be exploited with injection attacks just like anything else. If you have migrated to the cloud, it is especially important to check the security status of legacy code. SQL injection remains prevalent, and when detected it should be fixed without hesitation; exploitation is easily automated, which makes the risk even higher. Conveniently, such flaws are also easy to detect with an automated scanner. The same applies to XML External Entity (XXE) injection and Server-Side Request Forgery (SSRF).

8) Always update your technology:

Using the latest version of technology is crucial for security. Often patches are released with bug fixes but not everyone feels the urgency to install them, leaving applications vulnerable.  “jQuery is a good example of this where multiple outdated versions of this framework are used despite all their known vulnerabilities,” Disposable mail CIO Johan Norrman explains about lack of updating, “someone has even developed a website to make the information readily available.”

Disposable mail CIO Johan Norrman sees a lack of updating tools as a security concern.

9) Due diligence and cleaning up superfluous tools:

Even if you cover the cloud security basics you may still be breached, so do your due diligence on the incident response routine. Stay prepared by rehearsing the contingency steps, testing your recovery and making sure the backups work. When auditing your toolbox, apply the "use it or lose it" rule: this removes the need to keep unused tools updated and eliminates them as a preventable risk. As the CSA states, "this applies whether the company is considering moving to the cloud or merging with or acquiring a company that has moved to the cloud or is considering doing so." They published a list of cloud security risks, the Treacherous 12, last year.

How can Disposable mail help?

With a tool like Disposable mail, you can continually monitor your web apps with a scanner that receives new security tests at least bi-weekly to keep up with the rate at which new web vulnerabilities are found. We are a SaaS service, hosted in the cloud, which means you can scan your web applications without downloading any software. We test for the OWASP Top 10 (2013 and 2017 versions), AWS S3 bucket misconfigurations and various key-disclosure vulnerabilities. We also offer Asset Monitoring to help identify potential vulnerabilities related to DNS misconfigurations. Our services are hosted on AWS, we are recognized as an advanced technology partner of AWS, and we offer a connector to Route 53 so you can import information from your DNS directly for monitoring.

How does it work? The moment you log into the tool, you are running the latest version. We start a server on AWS to scan your web applications; once the scan is done, we report the findings to you and the server is terminated. None of your web application data is stored by us on AWS. That is the beauty of the cloud.

Are you ready to try out Disposable mail with your cloud services? Sign up for an account and scan with a free trial here.


Disposable mail Connector with AWS Route 53

Last year Disposable mail announced that we had become an AWS Technology Partner, which made getting started with Disposable mail easier. This year we are thrilled to announce the release of a connector between AWS Route 53 and Disposable mail.

Disposable mail and Route 53 connector

Disposable mail is a SaaS-based web application and domain security startup. We collaborate with 150+ handpicked white hat hackers and currently offer 1500+ security tests from OWASP Top 10 vulnerabilities, subdomain takeovers to S3 buckets misconfigurations and more.

What is the Disposable mail – Route 53 connector?

By activating this connector, Disposable mail can pull DNS record data from your AWS Route 53 hosted zones into your Disposable mail account: domains, subdomains, anything the supplied access key can read. Since the records in Route 53 change constantly, the data is synced automatically with what is shown on your Disposable mail dashboards to ensure your monitoring stays up to date.

Why should you connect and monitor DNS records?

The cloud landscape has enabled companies to scale up development and business quickly. This also means that it’s not enough to secure your main applications. Together with this expansion, more digital assets are created and hosted in the cloud making it a challenge for IT security teams to ensure anything connected is also secured including temporary applications.

Some of you are probably familiar with the Hostile Subdomain Takeover research by Disposable mail's Security Advisor Frans Rosén. He was able to take over subdomains that pointed to Heroku, GitHub, Squarespace and more, using a practically untraceable attack vector caused by DNS misconfigurations. Based on this research we added Asset Monitoring; by activating it, you can keep an eye on your subdomains for takeovers using Disposable mail, even the ones you have forgotten about.

You can activate this in the Asset Inventory tab by following these steps:

  1. You provide an AWS API key with access to Route 53 to the Disposable mail tool to activate the connector (scope that key to read-only Route 53 permissions such as route53:ListHostedZones and route53:ListResourceRecordSets, not to a full-access IAM user)
  2. Disposable mail automatically adds or updates subdomains for monitoring on your account for the domains you have already verified on the Disposable mail platform
  3. You toggle which domains you want to keep monitoring for subdomain takeovers

Why activate the Route 53 connector?

This new feature allows for higher accuracy, since we continuously retrieve subdomains from the original DNS record source, making it easier for you to identify all your web assets. You can then see more of your assets in the Asset Inventory view and decide which of them deserve some more security love.

Want to know more? 

If you’re a Disposable mail customer and have questions or thoughts about our Route 53 connector, reach out to your Customer Success Manager or contact our support team at [email protected]detectify.com. 

If you’re currently evaluating Disposable mail and would like to learn more about the Route 53 connector or Asset Monitoring, you can request a demo to get started today.
