Cloud Pivot Finder
Cloud infrastructure discovery and pivot path mapping from external domains.
What It Does
Detects cloud providers (AWS, GCP, Azure) from domain DNS and HTTP responses, enumerates cloud storage buckets (S3, GCS, Azure Blob), identifies subdomain takeover opportunities, discovers serverless functions and CI/CD pipeline endpoints, probes cloud metadata API paths, and produces a structured cloud attack surface report.
Scripts
| Script | Description |
|---|---|
cloud_detector | Cloud provider detection — CNAME analysis, HTTP headers, IP range matching |
bucket_enum | Storage bucket enumeration — S3, GCS, Azure Blob with ACL and policy checks |
takeover_scanner | Subdomain takeover scanning — dangling CNAMEs, unclaimed cloud resources |
serverless_finder | Serverless function discovery — API Gateway, Cloud Functions, Lambda endpoints |
cicd_finder | CI/CD pipeline exposure — GitHub Actions, GitLab CI, Jenkins config leaks |
metadata_paths | Cloud metadata API probing — IMDSv1/v2, user-data, IAM credential endpoints |
cloud_report | Structured cloud infrastructure report with pivot path recommendations |
When to Use
Use during reconnaissance when the target uses cloud infrastructure. Feed domains from recon-dominator to detect cloud assets and identify external-to-internal pivot paths.
Usage
RedTeamScript(skill="cloud-pivot-finder", script="bucket_enum", args="--domain example.com --output buckets.json")