Inspired by a conversation with Instacart’s @nickelser on HackerOne, I’ve optimized and published Sandcastle – a Python script for AWS S3 bucket enumeration, formerly known as bucketCrawler.
The script takes a target’s name as the stem argument (e.g. shopify
) and iterates through a file of bucket name permutations, such as the ones below:
-training
-bucket
-dev
-attachments
-photos
-elasticsearch […]
Getting Started
sandcastle.py
with a target name and input file (grab an example from this repo)Usage: sandcastle.py [-h] -t targetStem [-f inputFile]
Arguments:
-h, –help show this help message and exit
-t targetStem, –target targetStem
Select a target stem name (e.g. ‘shopify’)
-f inputFile, –file inputFile
Select a bucket permutation file (default: bucket-
names.txt)
>>S3 bucket enumeration // release v1.2.4 // ysx
>>[*] Commencing enumeration of ‘shopify’, reading 138 lines from ‘bucket-names.txt’.
>>[+] Checking potential match: shopify-content –> 403
>>An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
Also Read – MSSQLi-DUET : MSSQL Injection-based Domain User Enumeration Tool
Status Codes & Testing
Status code | Definition | Notes |
---|---|---|
404 | Bucket Not Found | Not a target for analysis (hidden by default) |
403 | Access Denied | Potential target for analysis via the CLI |
200 | Publicly Accessible | Potential target for analysis via the CLI |
AWS CLI Commands
Here’s a quick reference of some useful AWS CLI commands:
aws s3 ls s3://bucket-name
aws s3 cp s3://bucket-name/<file> <destination>
aws s3 cp/mv test-file.txt s3://bucket-name
aws s3 rm s3://bucket-name/test-file.txt
What is S3?
Closing Remarks
How Does a Firewall Work Step by Step? What Is a Firewall and How Does…
ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…
Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…
SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…
PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…
HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…