# Cloud Storage

Use passive recon to find cloud-hosted storage tied to the target.

Common targets include:

* Amazon S3
* Azure Blob Storage
* Google Cloud Storage

Misconfigurations sometimes expose data without authentication.

High-value findings include:

* public file listings
* backups
* configuration files
* private SSH keys

### Tools

Start with:

* Google dorks
* `domain.glass`
* GrayHatWarfare
* page source review

### Resolve subdomains and look for cloud-hosted endpoints

Use `host` to resolve discovered subdomains.

```bash
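# Keep every "has address" line: filtering on the target domain would hide CNAME targets such as an S3 website endpoint.
while read -r sub; do host "$sub" | grep "has address" | cut -d" " -f1,4; done < subdomainlist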
```

Example output:

```
blog.inlanefreight.com 10.129.24.93
inlanefreight.com 10.129.27.33
matomo.inlanefreight.com 10.129.127.22
www.inlanefreight.com 10.129.127.33
s3-website-us-west-2.amazonaws.com 10.129.95.250
```

This helps you spot infrastructure that points to cloud-backed services.

An S3 website endpoint is a strong clue that public storage may be in use.
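
The check this section describes, as an added example (not code from the original page): a shell function that reads raw `host` output, including `is an alias for` CNAME lines, and labels names that land on S3, Azure Blob Storage, or Google Cloud Storage endpoints. The function names, the suffix patterns, and the `example.test` sample records are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag cloud storage endpoints in `host` output.
# The suffix patterns are an assumed, non-exhaustive list of public endpoints.

classify_storage() {
  # stdin: raw `host` output; stdout: "<name> <provider> <alias target or IP>"
  awk '
    function provider(n) {
      n = "." tolower(n)        # leading dot lets every pattern anchor on a label boundary
      sub(/\.$/, "", n)         # host prints alias targets with a trailing dot
      if (n ~ /\.s3([.-][a-z0-9-]+)*\.amazonaws\.com$/) return "aws-s3"
      if (n ~ /\.blob\.core\.windows\.net$/)            return "azure-blob"
      if (n ~ /\.storage\.googleapis\.com$/)            return "gcs"
      return ""
    }
    # "<name> is an alias for <target>." : classify the CNAME target
    $2 == "is" && $5 == "for" {
      p = provider($6); t = $6; sub(/\.$/, "", t)
      if (p != "") print $1, p, t
    }
    # "<name> has address <ip>" : classify the resolved name itself
    $2 == "has" && $3 == "address" {
      p = provider($1)
      if (p != "") print $1, p, $4
    }
  '
}

# Constructed sample input (example.test names are made up; the
# inlanefreight.com and S3 address lines mirror the output shown above).
sample_host_output() {
  cat <<'EOF'
blog.inlanefreight.com has address 10.129.24.93
www.inlanefreight.com has address 10.129.127.33
assets.example.test is an alias for s3-website-us-west-2.amazonaws.com.
s3-website-us-west-2.amazonaws.com has address 10.129.95.250
media.example.test is an alias for exampleacct.blob.core.windows.net.
dl.example.test is an alias for c.storage.googleapis.com.
lookalike.example.test is an alias for s3.amazonaws.com.example.test.
EOF
}

sample_host_output | classify_storage
```

The last sample record ends in a different domain and is deliberately not flagged, because every pattern is anchored to the end of the name.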

### Find cloud storage in public search results

Google dorks often reveal exposed buckets, file listings, and indexed objects.

#### AWS


#### Azure


### Check page source and client-side files

Developers sometimes leave storage URLs in source code, JavaScript files, or configuration snippets.


### Review DNS and edge exposure

Use `domain.glass` to review DNS, hosting, and edge protection details.


If a gateway such as Cloudflare is present, note it and continue mapping exposed assets behind it.

### Search known public bucket indexes

GrayHatWarfare can reveal publicly indexed storage objects.

Try:

* the full company name
* common abbreviations
* product names
* internal naming patterns


### Watch for leaked credentials and keys

Cloud storage leaks become critical when they expose secrets.

Private SSH keys, API keys, and backups can turn simple recon into immediate access.


{% hint style="warning" %}
Treat exposed keys and credentials as critical findings. Validate access carefully and stay within scope.
{% endhint %}

