Listen to this Post
2025-02-12
Wordlists are a critical component in the toolkit of hackers and security researchers when enumerating resources within AWS accounts. These lists help identify potential targets, such as IAM principals, SQS queue names, and S3 bucket names, which are often hidden or misconfigured. Awseye, an OSINT tool, has leveraged such wordlists to discover nearly 3.2 million AWS resources. To aid in security research and testing, Plerion has released free, high-quality wordlists that anyone can use.
Wordlists Released:
- IAM Principals: A comprehensive list of IAM roles, users, and policies.
- SQS Queue Names: A curated list of common SQS queue naming conventions.
- S3 Bucket Names: A robust list of S3 bucket names, including common prefixes and suffixes.
How to Use These Wordlists:
Below are some practical examples of how to use these wordlists with common security tools:
1. Enumerating S3 Buckets with `s3scanner`:
s3scanner --bucket-list s3_buckets_wordlist.txt --region us-east-1
This command scans for publicly accessible S3 buckets using the provided wordlist.
2. Enumerating IAM Principals with `enumerate-iam`:
python3 enumerate-iam.py --wordlist iam_principals_wordlist.txt --profile aws-profile
This script attempts to enumerate IAM roles and users associated with the specified AWS profile.
3. Testing SQS Queues with `sqs-enum`:
sqs-enum --queue-list sqs_queues_wordlist.txt --region eu-west-1
This tool checks for the existence of SQS queues using the provided wordlist.
Reproducing the Wordlist Creation Process:
Plerion’s blog provides a detailed guide on how these wordlists were created. The process involves:
– Scraping publicly available AWS resources.
– Analyzing naming conventions.
– Using machine learning to predict common patterns.
What Undercode Say:
Wordlists are indispensable for security professionals and researchers aiming to uncover hidden or misconfigured AWS resources. The release of these wordlists by Plerion democratizes access to high-quality data, enabling more effective security testing and research. Below are additional Linux and AWS commands to enhance your enumeration and security testing workflows:
1. AWS CLI Command to List S3 Buckets:
aws s3api list-buckets --query "Buckets[].Name"
2. Check IAM Policies:
aws iam list-policies --scope Local
3. List SQS Queues:
aws sqs list-queues --queue-name-prefix myqueue
4. Scan for Open S3 Buckets:
for bucket in $(cat s3_buckets_wordlist.txt); do aws s3 ls s3://$bucket; done
5. Enumerate IAM Roles:
aws iam list-roles --query "Roles[].RoleName"
6. Check SQS Queue Attributes:
aws sqs get-queue-attributes --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/myqueue --attribute-names All
- Use `nmap` to Scan for Open Ports on AWS Instances:
nmap -p 22,80,443 -iL aws_instances.txt
8. Check for Publicly Accessible S3 Buckets:
aws s3api get-bucket-acl --bucket mybucket --query "Grants[?Grantee.URI=='http://acs.amazonaws.com/groups/global/AllUsers']"
9. List Lambda Functions:
aws lambda list-functions --query "Functions[].FunctionName"
10. Enumerate EC2 Instances:
aws ec2 describe-instances --query "Reservations[].Instances[].InstanceId"
These commands, combined with the provided wordlists, can significantly enhance your ability to identify and secure AWS resources. For further reading, visit Plerion’s Blog to understand the methodology behind these wordlists and how to create your own.
By leveraging these tools and techniques, security professionals can better protect their AWS environments from potential threats and misconfigurations.
References:
Hackers Feeds, Undercode AI


