Inspired by a conversation with Instacart’s @nickelser on HackerOne, I’ve optimized and published Sandcastle – a Python script for AWS S3 bucket enumeration, formerly known as bucketCrawler.
The script takes a target’s name as the stem argument (e.g.
shopify) and iterates through a file of bucket name permutations, such as the ones below:
- Here’s how to get started:
- Clone this repo (PyPi distribution temporarily disabled).
sandcastle.pywith a target name and input file (grab an example from this repo)
- Matching bucket permutations will be identified, and read permissions tested.
Usage: sandcastle.py [-h] -t targetStem [-f inputFile]
-h, –help show this help message and exit
-t targetStem, –target targetStem
Select a target stem name (e.g. ‘shopify’)
-f inputFile, –file inputFile
Select a bucket permutation file (default: bucket-
>>S3 bucket enumeration // release v1.2.4 // ysx
>>[*] Commencing enumeration of ‘shopify’, reading 138 lines from ‘bucket-names.txt’.
>>[+] Checking potential match: shopify-content –> 403
>>An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
Also Read – MSSQLi-DUET : MSSQL Injection-based Domain User Enumeration Tool
Status Codes & Testing
|404||Bucket Not Found||Not a target for analysis (hidden by default)|
|403||Access Denied||Potential target for analysis via the CLI|
|200||Publicly Accessible||Potential target for analysis via the CLI|
AWS CLI Commands
Here’s a quick reference of some useful AWS CLI commands:
- List Files:
aws s3 ls s3://bucket-name
- Download Files:
aws s3 cp s3://bucket-name/<file> <destination>
- Upload Files:
aws s3 cp/mv test-file.txt s3://bucket-name
- Remove Files:
aws s3 rm s3://bucket-name/test-file.txt
What is S3?
- From the Amazon documentation, Working with Amazon S3 Buckets:
- Amazon S3 [Simple Storage Service] is cloud storage for the Internet. To upload your data (photos, videos, documents etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket.
- In terms of implementation, buckets and objects are resources, and Amazon S3 provides APIs for you to manage them.
- This is my first public security project. Sandcastle is published under the MIT License.
- Usage acknowledgements:
- Castle (icon) by Andrew Doane from the Noun Project
- Nixie One (logo typeface) free by Jovanny Lemonad