I always smile when I stumble across files on a network.

And it’s not just because they are full of interesting content.

The way in which people name files and directories gives a lot of insight into how they work.

q4-report-version-2-edit-1-revision-34-martin.ppt and customer-report-FINAL-CONFIRMED-public.docs are real examples of files I’ve discovered. Hint: track changes is your friend.

Directory names are equally as interesting.

JOHNS SHARED FOLDER DO NOT TOUCH. The frighteningly common passwords or accounts directories. And, on a company machine, Pictures of Jen. I left it to the network admin to look inside.

In any case, none are very sensible, nor imaginative.

And we’re all susceptible to conformity.

Developers often use common suffixes to name directories or git branches.

test, dev, web, beta, bucket, space, files, content, data, prod, staging, production, stage, app

I wonder what production holds?

ThreatPipes bucket results

Allow me to spark your imagination with what I’ve found; user emails, private photos uploaded, personal messages, and medical information. This was all found in a single production directory.

Now, you might wonder how many super dooper professional master hacking skillz were involved to uncover such sensitive information.

Not many.

Most online storage solutions have a finite number of endpoints. Take Amazon S3 buckets: s3.amazonaws.com, s3-external-1.amazonaws.com, s3-us-west-1.amazonaws.com, etc.

Developers don’t only use common suffixes; it’s also very common for them to use their company or app names when naming buckets.

With all this combined, we can start dreaming up S3 bucket URLs to search for ones that might be wide open.

s3.amazonaws.com/COMPANY_NAME-production

ThreatPipes bucket results
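The naming pattern above cuts both ways: if a bucket name is guessable from the company name plus a common suffix, it is the first one an owner should audit. The following is an added example, not ThreatPipes code and not part of the original post, that triages a constructed bucket inventory for a hypothetical organisation (the org aliases, bucket names and the `predictability` / `prioritise_audit` helpers are all assumptions made here; the suffix list is the one quoted in the post):

```python
# Triage an owned bucket inventory by how guessable each name is.
# Constructed sample data for a hypothetical organisation; not from the post.
INVENTORY = [
    "examplecorp-production",
    "examplecorp-staging",
    "ec-billing-exports-7f3a9c",
    "example-corp-data",
    "pics-of-jen",
    "examplecorp",
]
# Names and abbreviations an outsider could plausibly associate with the org (assumed).
ORG_NAMES = ["examplecorp", "example-corp", "ec"]
# The common directory / branch suffixes quoted in the post.
COMMON_SUFFIXES = ["test", "dev", "web", "beta", "bucket", "space", "files", "content",
                   "data", "prod", "staging", "production", "stage", "app"]

# Lower score = more predictable = audit first.
PRIORITY = {"bare-org-name": 0, "org+common-suffix": 0, "org-prefixed": 1, "not-obvious": 2}


def predictability(name: str, org_names=ORG_NAMES, suffixes=COMMON_SUFFIXES) -> str:
    """Classify how easily a bucket name could be derived from the org name alone."""
    lowered = name.lower()
    # Check longer org aliases first so "example-corp" wins over "ec".
    for org in sorted(org_names, key=len, reverse=True):
        if lowered == org:
            return "bare-org-name"
        for sep in ("-", ".", "_", ""):
            for suf in suffixes:
                if lowered in (f"{org}{sep}{suf}", f"{suf}{sep}{org}"):
                    return "org+common-suffix"
        # Org name plus something less predictable (e.g. a random token).
        if lowered.startswith(org + "-") or lowered.endswith("-" + org):
            return "org-prefixed"
    return "not-obvious"


def prioritise_audit(inventory: list[str]) -> list[tuple[str, str]]:
    """Return (bucket, class) pairs ordered so the most guessable names come first."""
    scored = [(n, predictability(n)) for n in inventory]
    return sorted(scored, key=lambda t: (PRIORITY[t[1]], t[0]))


if __name__ == "__main__":
    for bucket, cls in prioritise_audit(INVENTORY):
        print(f"{cls:20} {bucket}")
```

Run against a real inventory (for example the output of `aws s3api list-buckets`), the ordering tells you which buckets an outsider would try first and therefore which access settings to review first; a name like `pics-of-jen` still needs checking, just not before `examplecorp-production`.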

Amazon has tightened default S3 Bucket policies in recent years to help reduce the problem of data in S3 Buckets being accidentally made public.

Don’t let that deter you. Many are explicitly opened publicly for ease of development, with the intention of “closing them when pushed to production”…

…said numerous engineering teams when confronted.
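Whether a bucket that was "opened for development" is actually reachable by anyone depends on three things together: the bucket policy, the bucket ACL, and the account or bucket level Block Public Access settings Amazon introduced. The following is an added example, not ThreatPipes code and not from the original post, that evaluates constructed versions of those three settings for a hypothetical bucket `example-corp-production`: an anonymous-read policy and an AllUsers ACL grant (the weak development setting) beside a policy restricted to one IAM role (the fix). The sample policies, ACL grants and account id are constructed here; the field names follow the shapes returned by the S3 `GetBucketPolicy`, `GetBucketAcl` and `GetPublicAccessBlock` APIs.

```python
import json
from typing import Any

# Constructed sample policy that grants anonymous read and list access; this is the
# "opened for ease of development" setting the post describes. Not from the post.
OPEN_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DevConvenience",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-corp-production",
                     "arn:aws:s3:::example-corp-production/*"],
    }],
}
# The corrected policy: one IAM role in the account (account id is a placeholder).
RESTRICTED_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-production/*",
    }],
}
# ACL grants in GetBucketAcl shape. READ for AllUsers lets anyone list the bucket.
PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                   "Permission": "FULL_CONTROL"}]
# Block Public Access settings in GetPublicAccessBlock shape.
BLOCK_NONE = dict.fromkeys(["BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets"], False)
BLOCK_ALL = dict.fromkeys(BLOCK_NONE, True)

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict[str, Any]) -> list[str]:
    """Sids of unconditional Allow statements that grant everyone some S3 action."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        # Deny statements and grants gated by a Condition are not open-to-all.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.startswith("s3:") for a in actions):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def public_acl_grants(grants: list[dict[str, Any]]) -> list[str]:
    """Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS]


def audit_bucket(policy, acl_grants, pab) -> dict[str, Any]:
    """Combine policy, ACL and Block Public Access into one exposure verdict."""
    findings: list[str] = []
    exposed = False
    sids = public_policy_statements(policy)
    if sids:
        # RestrictPublicBuckets makes a public policy apply only to the account.
        if pab.get("RestrictPublicBuckets"):
            findings.append(f"policy {sids} is public but RestrictPublicBuckets neutralises it")
        else:
            findings.append(f"policy {sids} grants anonymous access")
            exposed = True
    perms = public_acl_grants(acl_grants)
    if perms:
        # IgnorePublicAcls makes S3 disregard public ACL grants.
        if pab.get("IgnorePublicAcls"):
            findings.append(f"ACL grants {perms} to everyone but IgnorePublicAcls neutralises them")
        else:
            findings.append(f"ACL grants {perms} to everyone")
            exposed = True
    return {"effectively_public": exposed, "findings": findings}


if __name__ == "__main__":
    for label, cfg in [("open-dev", (OPEN_POLICY, PUBLIC_ACL, BLOCK_NONE)),
                       ("blocked", (OPEN_POLICY, PUBLIC_ACL, BLOCK_ALL)),
                       ("fixed", (RESTRICTED_POLICY, OWNER_ONLY_ACL, BLOCK_ALL))]:
        print(label, json.dumps(audit_bucket(*cfg), indent=2))
```

The "blocked" case is the one worth noting: Block Public Access turned on at the account level stops the development-time policy from taking effect, but the policy is still there, and the audit reports it so it gets removed rather than silently waiting for someone to relax the block. Feeding real output from the three S3 APIs into `audit_bucket` is a straightforward swap of the constructed samples.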

ThreatPipes Modules relevant to this post

  • Azure Blob Finder: Search for potential Azure blobs associated with the target and attempt to list their contents.
  • Amazon S3 Bucket Finder: Search for potential Amazon S3 buckets associated with the target and attempt to list their contents.
  • Interesting files: Identifies potential files of interest, e.g. office documents, zip files.
  • Junk files: Looks for old/temporary and other similar files.

Here are hundreds more…

David Greenwood, ThreatPipes Team