Slurp : Evaluate The Security Of S3 Buckets

Slurp is a Blackbox/whitebox S3 bucket enumerator.

Overview

  • Credit to all the vendor packages that made this tool possible.
  • This is a security tool; it’s meant for pen-testers and security professionals to perform audits of s3 buckets.

Features

  • Scan via domain(s); you can target a single domain or a list of domains
  • Scan via keyword(s); you can target a single keyword or a list of keywords
  • Scan via AWS credentials; you can target your own AWS account to see which buckets have been exposed
  • Colorized output for visual grep
  • Currently generates over 28,000 permutations per domain and keyword (thanks to @jakewarren and @random-robbie)
  • Punycode support for internationalized domains
  • Strong copyleft license (GPLv3)

Also Read : Python Uncompyle6 – A Cross-Version Python Bytecode Decompiler

Modes

There are two modes that this tool operates at; blackbox and whitebox mode. Whitebox mode (or internal) is significantly faster than blackbox (external) mode.

Blackbox (External)

In this mode, you are using the permutations list to conduct scans. It will return false positives and there is no way to link the buckets to an actual aws account! Do not open issues asking how to do this.

Domain

Keywords

Whitebox (Internal)

In this mode, you are using the AWS API with credentials on a specific account that you own to see what is open. This method pulls all S3 buckets and checks Policy/ACL permissions. Note that, I will not provide support on how to use the AWS API. Your credentials should be in ~/.aws/credentials.

Internal

Usage

  • slurp domain <-t|--target> example.com will enumerate the S3 domains for a specific target.
  • slurp keyword <-t|--target> linux,golang,python will enumerate S3 buckets based on those 3 key words.
  • slurp internal performs an internal scan using the AWS API.

Installation

This project uses vgo; you can clone and go build or download from Releases section. Please do not open issues on why you cannot build the project; this project builds like any other project would in Go, if you cannot build then I strongly suggest you read the go spec.

Also, the only binaries I’m including are linux/amd64; if you want mac/windows binaries, build it yourself.

Download
R K

Share
Published by
R K
Tags: S3S3 BucketsSlurp
7 years ago

Recent Posts

Best OSINT Tools for Journalists 2026: Verify Sources, Images and Claims

Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…

10 hours ago

Install Docker on Ubuntu 20.04: Complete Step-by-Step Guide

Docker is an open-source platform that lets you package and run applications inside containers. Each container…

20 hours ago

Install PostgreSQL on Ubuntu: Database Setup and Admin Guide

PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…

21 hours ago

Install Xrdp Remote Desktop on Ubuntu: Setup and Connect

Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…

22 hours ago

Tomcat 9 on Ubuntu 20.04: Install, Configure, and Start

Apache Tomcat is an open-source web server and Java servlet container. It is one of the…

22 hours ago

Automatic Updates on Ubuntu: Set Up unattended-upgrades

Keeping your Ubuntu system updated is one of the best ways to protect it. Security…

23 hours ago