Identify the cloud perimeter of a target. Thanks to colleagues who are smarter than me.

Identify Service

Filter list

  • GCP: jq '.prefixes[] | .ipv4Prefix' -r
  • AWS: jq '.prefixes[] | .ip_prefix' -r
  • Azure: jq '.values[] | .properties.addressPrefixes[]' -r
  • Ex.
    • wget
    • cat ip-ranges.json | jq '.prefixes[] | if .region == "us-east-1" then .ip_prefix else empty end' -r | sort -u > ips.txt

Create a cloud server

  • If your target is in us-east-1 for example, create an EC2 instance in the same region.
  • Don’t need to get fancy with it. A free tier will do.
  • Download nmap masscan tls-scan and jq


  • Use either nmap or masscan to scan for port 443 on the filtered file.
  • Go get something to eat or touch grass while this runs.
  • nmap -p 443 --open iL ips.txt -oA us-east-1_443_scan
  • sudo masscan -iL ips.txt -oL us-east-2_443_scan.masscan -p 443 --rate 100000
  • Use tls-scan to collect TLS certificates
    • cat <file from above> | tls-scan --port 443 --cacert=ca-bundle.crt -o tls_info.json
  • Filter tls_info.json to find all the IP addresses registered to the target.
    • cat tls_info.json | jq 'select(.host | contains("<ip>")) | .host, .certificateChain[]'
    • <ip> above could be a complete IP or maybe just the network part like 192.168 if you want to filter for all subnets in that network range.