How to Enumerate All Cloud IP Ranges — And Use Them Like a Search Engine
When hunting for vulnerabilities, especially across cloud infrastructure, reconnaissance is everything. But what if you could passively scan entire countries—or even the world—for exposed services, ICS devices, vulnerable endpoints, or misconfigured cloud assets, all without ever touching a target directly?
In this post, we'll explore a passive technique to enumerate all cloud provider IP ranges and leverage that data to map out exposed systems using open-source tools. With this approach, you'll essentially gain the power of Shodan, Censys, and other security search engines, all from your own command line.
⚠️ If you're looking for active scanning and deep SSL/TLS reconnaissance, check out this awesome tool instead: SSL-Hunter by Vulnpire.
Why This Matters?
Cloud services dominate today's infrastructure—AWS, Azure, Google Cloud, Oracle, and more. These providers host everything from enterprise dashboards to industrial control systems (ICS). If you're not mapping cloud IP ranges during recon, you're missing a huge part of the attack surface.
Many bug bounty programs, penetration tests, and red team operations involve discovering and investigating assets in the cloud. Knowing where cloud infrastructure lives on the internet is the first step to identifying misconfigurations, exposed ports, and vulnerable services—passively.
Step 1: Get All Cloud IP Ranges:
A great resource that aggregates IP blocks from all major cloud providers is the lord-alfred/ipranges repository on GitHub.
Download all cloud IPv4 ranges from: https://raw.githubusercontent.com/lord-alfred/ipranges/main/all/ipv4.txt
This file contains CIDRs from AWS, GCP, Azure, Oracle, Cloudflare, and others—conveniently in one place. You’ll be surprised how much of the internet falls under these ranges.
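A defensive use of the same list, as an added example that is not part of the original post: load the one-CIDR-per-line file, merge overlapping blocks, and check which addresses from your own asset inventory fall inside a published cloud range. The sample ranges and inventory addresses are constructed documentation addresses, and the function names are illustrative.

```python
import bisect
import ipaddress

# Constructed sample in the one-CIDR-per-line layout of ipv4.txt.
# These are documentation ranges (RFC 5737), not real provider data.
SAMPLE_RANGES = """\
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26

not-a-cidr
"""

def load_ranges(text):
    """Parse CIDR lines, skip blanks/comments/garbage, merge overlapping blocks."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # tolerate malformed lines instead of aborting the load
        if net.version == 4:
            nets.append(net)
    merged = list(ipaddress.collapse_addresses(nets))  # sorted, non-overlapping
    starts = [int(n.network_address) for n in merged]
    return starts, merged

def find_range(ip, index):
    """Return the covering network for ip, or None if it is outside every range."""
    starts, merged = index
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if addr.version != 4:
        return None
    pos = bisect.bisect_right(starts, int(addr)) - 1
    if pos >= 0 and addr in merged[pos]:
        return merged[pos]
    return None

if __name__ == "__main__":
    index = load_ranges(SAMPLE_RANGES)
    # Constructed inventory: addresses you own and want to classify.
    for ip in ["198.51.100.200", "203.0.113.70", "192.0.2.10"]:
        print(ip, "->", find_range(ip, index) or "not in a listed cloud range")
```

Because the merged list is sorted and non-overlapping, each lookup is a single binary search, which keeps the check fast even against the full file.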
Step 2: Use sXtract to Find Vulnerable Assets:
Now that you have all cloud IPs, it’s time to put them to use.
sXtract is a powerful open-source tool that lets you passively query and extract open ports, vulnerable endpoints, or specific tech stacks from massive internet-wide scan datasets—like Censys, Shodan exports, or leaked scanning archives.
Why This Is So Powerful?
All port 445 (SMB) servers hosted in Azure
ICS/SCADA devices hosted on GCP
Open Elasticsearch clusters on Oracle Cloud
Vulnerable HTTP servers with exposed admin panels in AWS EU region
Identify open ports in specific cloud providers or countries
Track exposed services and misconfigured endpoints
Passively map large-scale cloud infrastructure
Here’s how to use it:
cat ipv4.txt | sXtract -ir -q "your-query" -ssl | anew output
The result? A focused, filtered, passive reconnaissance view over cloud assets. You can even plug in your own scan data or public datasets.
Bonus: sXtract supports all commands used by the Shodan search engine.
Power in Your Hands:
This passive approach is ideal for:
Reconnaissance in restricted bug bounty scopes
Mapping attack surfaces in specific countries or regions
Discovering high-value misconfigurations at scale
Profiling cloud infrastructure across industries
Think of it as building your own custom Shodan or ZoomEye, tuned to your target scope and filtered by cloud ranges.
Pro Tip: For even more power, use sXtract with Axiom to distribute passive recon at scale across your VPS fleet. This is extremely handy when working with large IP datasets, allowing you to:
Parallelize passive searches
Process entire countries in minutes
Chain into custom recon pipelines
Next Steps: Active Recon + Vulnerability Discovery:
Once you’ve identified cloud IPs and filtered your targets with sXtract, you can move on to vulnerability discovery.
Here’s a powerful workflow:
Scan open ports with Naabu
Fast, reliable, and simple. Naabu will detect which hosts are live and which ports are open.
Feed those results into Nuclei
Run high-quality vulnerability templates to find CVEs, misconfigs, exposures, and more.
cat found.txt | naabu | nuclei --flag
This combination gives you a rapid vulnerability assessment pipeline — based on targets you discovered passively.
Axiom Module of sXtract:
[{
"command":"cat input | sXtract | anew output",
"ext":"txt"
}]
Wrapping Up:
This technique gives you the same level of visibility and filtering as Shodan or Censys — but in your own recon stack. Combine cloud IP enumeration, sXtract, Axiom, Naabu, and Nuclei, and you've got a fully automated adversary-grade recon pipeline.
Conclusion:
Passive recon is a powerful and often underestimated phase of offensive security. By enumerating all cloud IP ranges and combining them with tools like sXtract, you unlock the ability to conduct large-scale, stealthy reconnaissance—without sending a single packet to the target.
Whether you're mapping the cloud or monitoring national attack surfaces, this technique gives you unparalleled visibility.
Final Notes:
Both tools mentioned in this blog post — sXtract and ssl-hunter — were developed by our team to empower security researchers with high-performance reconnaissance capabilities.
Keep your recon silent. Keep it smart.
Happy hunting. 🕵️‍♂️