Wednesday, November 15, 2023

A Fast Enumeration Tool For Publicly Exposed Azure Storage Blobs




Goblob is a lightweight and fast enumeration tool designed to aid in the discovery of sensitive information exposed publicly in Azure blobs, which can be useful for various research purposes such as vulnerability assessments, penetration testing, and reconnaissance.

Warning. Goblob will spawn an individual goroutine for each container name to check in each storage account, limited only by the maximum number of concurrent goroutines specified in the -goroutines flag. This implementation can exhaust bandwidth pretty quickly in most cases with the default wordlist, or potentially cost you a lot of money if you are running the tool in a cloud environment. Make sure you understand what you are doing before running the tool.

go install github.com/Macmod/goblob@latest

To use goblob, simply run the following command:

$ ./goblob <storageaccountname>

Where <storageaccountname> is the target storage account on which to enumerate public Azure blob storage URLs.

You can also specify a list of storage account names to check:

$ ./goblob -accounts accounts.txt

By default, the tool uses a built-in list of common Azure Blob Storage container names to construct candidate URLs. However, you can also specify a custom list of container names using the -containers option. For example:

$ ./goblob -accounts accounts.txt -containers wordlists/goblob-folder-names.txt

The tool also supports writing the results to a file using the -output option:

$ ./goblob -accounts accounts.txt -containers wordlists/goblob-folder-names.txt -output results.txt

If you want to provide the accounts to test via stdin, you can also omit -accounts (or the account name) entirely:

$ cat accounts.txt | ./goblob

Wordlists

Goblob comes bundled with basic wordlists under wordlists/ (for example wordlists/goblob-folder-names.txt, used above) that can be passed to the -containers option.

Optional Flags

Goblob provides several flags that can be tuned in order to improve the enumeration process:

  • -goroutines=N – Maximum number of concurrent goroutines to allow (default: 5000).
  • -blobs=true – Report the URL of each blob instead of the URL of the containers (default: false).
  • -verbose=N – Set verbosity level (default: 1, min: 0, max: 3).
  • -maxpages=N – Maximum number of container pages to traverse looking for blobs (default: 20; set to -1 to disable the limit, or to 0 to skip listing blobs altogether and just check whether the container is public).
  • -timeout=N – Timeout for HTTP requests (seconds, default: 90).
  • -maxidleconns=N – MaxIdleConns transport parameter for the HTTP client (default: 100).
  • -maxidleconnsperhost=N – MaxIdleConnsPerHost transport parameter for the HTTP client (default: 10).
  • -maxconnsperhost=N – MaxConnsPerHost transport parameter for the HTTP client (default: 0, i.e. unlimited).
  • -skipssl=true – Skip SSL certificate verification (default: false).
  • -invertsearch=true – Enumerate accounts for each container instead of containers for each account (default: false).

For instance, if you just want to find publicly exposed containers using large lists of storage accounts and container names, use -maxpages=0 so the goroutines do not paginate through the listings at all. Then run the tool again on the set of containers you found with -blobs=true and -maxpages=-1 to actually collect the blob URLs.

If, on the other hand, you want to test a small list of very popular container names against a large set of storage accounts, try -invertsearch=true together with -maxpages=0, in order to see the public accounts for each container name instead of the container names for each storage account.

You may also want to try adjusting -goroutines, -timeout, -maxidleconns, -maxidleconnsperhost, -maxconnsperhost and -skipssl in order to make the best use of your bandwidth and find results faster.

Experiment with the flags to find what works best for you 😉
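To make concrete what each of those goroutines actually does, here is an added Go example that is not goblob's own code. It issues the anonymous container-listing request (https://<account>.blob.core.windows.net/<container>?restype=container&comp=list) whose 200 response identifies a publicly listable container, follows Azure's NextMarker pagination under a -maxpages-style cap (0 = check only, -1 = unlimited, N = at most N pages), and fans the probes out one goroutine per container name behind a semaphore that plays the role of -goroutines. Everything runs against a constructed in-process stand-in for the storage endpoint: the two-page listing for a container named backup, the 404 returned for every other name, and the four-entry wordlist are all made up for the example, so it runs offline. Point base at a real account URL only after reading the bandwidth warning above.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// enumerationResults: the parts of Azure's List Blobs XML response that enumeration needs.
type enumerationResults struct {
	XMLName    xml.Name                            `xml:"EnumerationResults"`
	Blobs      []struct{ Name string `xml:"Name"` } `xml:"Blobs>Blob"`
	NextMarker string                              `xml:"NextMarker"`
}

// checkContainer is the per-container probe: an anonymous listing request. A 200 whose
// body parses as EnumerationResults means the container is publicly listable. maxPages
// follows -maxpages: 0 checks only, -1 follows NextMarker to the end, N stops after N pages.
func checkContainer(client *http.Client, base, container string, maxPages int) (bool, []string, error) {
	var blobs []string
	for page, marker := 1, ""; ; page++ {
		u := fmt.Sprintf("%s/%s?restype=container&comp=list&marker=%s",
			base, url.PathEscape(container), url.QueryEscape(marker))
		resp, err := client.Get(u)
		if err != nil {
			return false, nil, err
		}
		body, err := io.ReadAll(io.LimitReader(resp.Body, 8<<20))
		resp.Body.Close()
		if err != nil || resp.StatusCode != http.StatusOK {
			return false, nil, err // non-200 (err is nil): private or missing, not listable anonymously
		}
		var res enumerationResults
		if err := xml.Unmarshal(body, &res); err != nil {
			return false, nil, fmt.Errorf("%s: 200 but not a blob listing: %w", container, err)
		}
		if maxPages == 0 {
			return true, nil, nil // -maxpages=0: report the hit, never walk the listing
		}
		for _, b := range res.Blobs {
			blobs = append(blobs, base+"/"+container+"/"+b.Name) // virtual-directory slashes kept
		}
		marker = res.NextMarker
		if marker == "" || (maxPages > 0 && page >= maxPages) {
			return true, blobs, nil
		}
	}
}

// enumerateAccount spawns one goroutine per candidate container, as goblob does, bounded
// by a buffered-channel semaphore in the role of -goroutines. Returns container -> blob URLs.
func enumerateAccount(client *http.Client, base string, containers []string, maxGoroutines, maxPages int) map[string][]string {
	sem := make(chan struct{}, maxGoroutines)
	var wg sync.WaitGroup
	var mu sync.Mutex
	found := map[string][]string{}
	for _, c := range containers {
		wg.Add(1)
		sem <- struct{}{} // blocks while maxGoroutines probes are in flight
		go func(c string) {
			defer wg.Done()
			defer func() { <-sem }()
			if public, blobs, err := checkContainer(client, base, c, maxPages); err == nil && public {
				mu.Lock()
				found[c] = blobs
				mu.Unlock()
			}
		}(c)
	}
	wg.Wait()
	return found
}

// fakeAzure is a constructed stand-in for <account>.blob.core.windows.net: "backup" is
// public with a two-page listing; every other name answers 404 in this mock.
func fakeAzure() *httptest.Server {
	pages := map[string]string{
		"":        `<?xml version="1.0" encoding="utf-8"?><EnumerationResults ContainerName="backup"><Blobs><Blob><Name>db-2023-11-01.bak</Name></Blob><Blob><Name>db-2023-11-02.bak</Name></Blob></Blobs><NextMarker>2!page2</NextMarker></EnumerationResults>`,
		"2!page2": `<?xml version="1.0" encoding="utf-8"?><EnumerationResults ContainerName="backup"><Blobs><Blob><Name>keys/.env</Name></Blob></Blobs><NextMarker /></EnumerationResults>`,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, ok := pages[r.URL.Query().Get("marker")]
		if r.URL.Path != "/backup" || r.URL.Query().Get("comp") != "list" || !ok {
			http.Error(w, "ResourceNotFound", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/xml")
		io.WriteString(w, body)
	}))
}

func main() {
	srv := fakeAzure()
	defer srv.Close()
	// Hypothetical four-entry wordlist; goblob's bundled lists are far longer.
	fmt.Println(enumerateAccount(srv.Client(), srv.URL, []string{"backup", "logs", "public", "static"}, 2, -1))
}
```

Calling checkContainer with maxPages=0 stops after the first response, which is the cheap check-only pass described above; rerunning the hits with -1 is the second pass that collects blob URLs. The semaphore is the only thing standing between a long wordlist and thousands of in-flight requests, which is why the default of 5000 goroutines deserves the warning at the top of the page.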

Example

[demo image: A fast enumeration tool for publicly exposed Azure Storage blobs]

Contributions are welcome by opening an issue or by submitting a pull request.

TODO

  • Check the blob domain for NXDOMAIN before trying the wordlist, to save bandwidth (maybe)
  • Improve default parameters for better performance

An interesting visualization of popular container names found in my experiments with the tool:

If you want to know more about my experiments and the subject in general, take a look at my article:


