AugmentClaude
TestingDevOpsSecurity

Cloud Pivot Finder

By KaQus· KaQus/claude-code-pentest· 0

Map cloud infrastructure and identify security paths from external domains to cloud internals.

Installation

  1. Make sure Claude is on your device and in your terminal.

    Skills load from ~/.claude/skills/ when Claude Code starts up — so you need it on your machine first. If you don't have it yet, install it once with the command below, then run claude in any terminal to verify.

    One-time setup
    npm i -g @anthropic-ai/claude-code

    Already have it? Skip ahead.

  2. Paste into Claude Code or into your terminal.
    Install
    Sign up to copy
    Sign up free to reveal

    This copies the whole skill folder into ~/.claude/skills/cloud-pivot-finder-kaqus/ — the SKILL.md plus any scripts, reference docs, or templates the skill ships with. Safe default: works for every skill.

    Faster alternative (instruction-only skills)

    Skips the clone and grabs only the SKILL.md file. Don't use this if the skill ships Python scripts, reference markdowns, or asset templates — they won't be downloaded and the skill will fail when it tries to load them.

    Quick install (SKILL.md only)
    Sign up to copy
    Sign up free to reveal
  3. Restart Claude Code.

    Quit and reopen Claude Code (or any other agent that loads from ~/.claude/skills/). New skills are picked up on startup.

  4. Just ask Claude.

    Skills auto-activate when your request matches the skill's description — no slash command needed. Trigger phrases live in the skill's own frontmatter; you can read them in the “What this skill does” section above.

Prefer to read the source first? Open on GitHub.

When Claude uses it

Maps cloud infrastructure from domains and identifies pivot paths from external to cloud internals. Detects cloud providers, enumerates S3/GCS/Azure storage, finds subdomain takeover opportunities, discovers serverless functions, CI/CD exposure, and IaC leaks. Use when user asks for "cloud security", "S3 enumeration", "subdomain takeover", "cloud recon", "bucket enumeration", "cloud pivot", or provides domains hosted on AWS/GCP/Azure. For authorized testing only.

What this skill does

Cloud Pivot Finder

From external domains to cloud infrastructure compromise paths.

Important

CRITICAL: Only test cloud infrastructure you have explicit authorization to test. Unauthorized access to cloud resources is a criminal offense.

Instructions

Step 1: Cloud Provider Detection

python scripts/cloud_detector.py --domain {target_domain}

Identify cloud hosting:

  1. IP range analysis: Match IPs against AWS, GCP, Azure published IP ranges
  2. DNS analysis: CNAME patterns (*.amazonaws.com, *.googleusercontent.com, *.azurewebsites.net)
  3. Header analysis: Server headers, X-Amz-, X-GUploader-, x-ms-* headers
  4. Certificate analysis: Issuer and SAN entries pointing to cloud services
  5. CDN detection: CloudFront, Cloud CDN, Azure CDN distributions

Output: Map of domain -> cloud provider -> service type.

Step 2: Storage Bucket Enumeration

python scripts/bucket_enum.py --domain {target_domain} --provider {aws|gcp|azure|all}

Naming pattern brute-force:

  • {domain}, {domain}-backup, {domain}-dev, {domain}-staging
  • {company}-assets, {company}-uploads, {company}-data
  • {project}-{env} combinations

Per-provider testing:

  • S3: Check for public ListBucket, GetObject, PutObject
  • GCS: Check for allUsers/allAuthenticatedUsers permissions
  • Azure Blob: Check for public container access

For each accessible bucket:

  1. List contents (if ListBucket allowed)
  2. Check for sensitive files (.env, credentials, backups, database dumps)
  3. Test write access (attempt to upload test file, delete immediately)
  4. Check bucket policy for overly permissive configurations

Step 3: Subdomain Takeover Detection

python scripts/takeover_scanner.py --subdomains {subdomain_list}

Check every subdomain's CNAME for dangling references:

  • AWS: S3, CloudFront, Elastic Beanstalk, ELB
  • Azure: Azure Websites, Traffic Manager, CDN, Blob
  • GCP: Cloud Storage, App Engine, Firebase
  • Other: Heroku, GitHub Pages, Fastly, Shopify, Zendesk, Unbounce, Surge.sh

For each dangling CNAME:

  1. Verify the target is actually unclaimed
  2. Determine the takeover method
  3. Assess impact (cookie scope, same-origin policy implications)
  4. Generate takeover PoC instructions

Step 4: Serverless and Container Discovery

python scripts/serverless_finder.py --domain {target_domain}

Discover:

  • Lambda Function URLs: {function-id}.lambda-url.{region}.on.aws
  • API Gateway: {api-id}.execute-api.{region}.amazonaws.com
  • Cloud Functions: {region}-{project}.cloudfunctions.net
  • Cloud Run: *.run.app
  • Azure Functions: {app}.azurewebsites.net/api/
  • Container registries: ECR, GCR, ACR public images

Test each for:

  • Unauthenticated access
  • Error messages revealing internal details
  • Excessive function output (debug mode)

Step 5: CI/CD and IaC Exposure

python scripts/cicd_finder.py --domain {target_domain}

Search for:

  • Exposed CI/CD: Jenkins, GitLab CI, GitHub Actions artifacts
  • Terraform state files: .tfstate files on S3/GCS/HTTP
  • CloudFormation templates: Exposed template files
  • Docker/K8s configs: docker-compose.yml, kubernetes manifests
  • Helm charts: values.yaml with secrets
  • Environment files: .env files with cloud credentials

Step 6: Cloud Metadata Pivot Paths

python scripts/metadata_paths.py --recon-data {recon_json}

For each web application on cloud infrastructure:

  1. Identify potential SSRF vectors (URL parameters, PDF generators, webhooks)
  2. Map the SSRF -> metadata -> credential chain
  3. Assess what the IAM role/service account can access
  4. Document the complete pivot path

Step 7: Report Generation

python scripts/cloud_report.py --project {name}

Output:

  1. Cloud infrastructure map
  2. Accessible storage buckets with content inventory
  3. Subdomain takeover opportunities
  4. Serverless/container exposure
  5. CI/CD and IaC exposure
  6. Pivot paths from web to cloud
  7. Prioritized remediation plan

Error Handling

Rate Limiting on Cloud APIs

  1. S3 listing: Built-in exponential backoff
  2. DNS resolution: Use multiple resolvers
  3. If blocked: Reduce concurrency with --threads 5

No Cloud Infrastructure Detected

If domain appears to be on-premise:

  1. Still check for cloud storage buckets (may use S3 for backups)
  2. Check for CI/CD exposure (GitHub Actions, etc.)
  3. Inform user and suggest alternative approaches

Examples

Example 1: Full Cloud Assessment

User says: "Map the cloud infrastructure for example.com"

Actions:

  1. Detect cloud providers
  2. Enumerate storage buckets
  3. Check for subdomain takeover
  4. Find serverless endpoints
  5. Check CI/CD exposure
  6. Map pivot paths
  7. Generate comprehensive report

Example 2: S3 Bucket Hunt

User says: "Find S3 buckets for example.com"

Actions:

  1. Generate naming patterns from domain/company name
  2. Test each pattern for existence
  3. Check permissions on found buckets
  4. List accessible contents
  5. Report findings

Example 3: Subdomain Takeover Scan

User says: "Check for subdomain takeover on these 50 subdomains"

Actions:

  1. Resolve CNAME for each subdomain
  2. Check each CNAME against takeover fingerprints
  3. Verify dangling references
  4. Generate takeover PoC for confirmable targets

Related skills

D

Documentation Co-Authoring

anthropics

Guide structured workflows for writing docs, proposals, and technical specs collaboratively.

Official
M

MCP Server Builder

anthropics

Build protocol servers that connect language models to external APIs and services.

OfficialComplete terms in LICENSE.txt
S

Skill Builder & Optimizer

anthropics

Create, edit, and optimize Claude skills with performance testing and benchmarking.

Official
M

Multi-Component Web Artifacts

anthropics

Build complex React artifacts with Tailwind CSS and shadcn/ui components.

OfficialComplete terms in LICENSE.txt