I've just published Sandcastle – a Python script for AWS S3 bucket enumeration. It's the public version of a personal script formerly known as bucketCrawler.
Intended for bug bounty and penetration testing engagements, Sandcastle takes a target's name as the "stem" (e.g. shopify), iterates through a list of potential name permutations, and reports the candidates that resolve to an existing bucket:
```
[+] Match: shopify-dev --> 403
[+] Match: shopify-pics --> 403
[+] Match: shopify-assets --> 403
[+] Match: shopify-development --> 403
[+] Match: shopify-content --> 403
[+] Match: shopify-ops --> 200
```

The number is the HTTP status S3 returns for an unauthenticated request to the bucket root: 403 means the bucket exists but anonymous listing is denied, 200 means it exists and lists its contents to anyone. Candidates that come back 404 (NoSuchBucket) are not shown, since the name is simply unused.
Find out more and download the script from GitHub.
Along with the Sandcastle script, I've included a selection of reference points in README.md and below.
What is S3?
From the Amazon documentation, Working with Amazon S3 Buckets:
Amazon S3 [Simple Storage Service] is cloud storage for the Internet. To upload your data (photos, videos, documents etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket.
In terms of implementation, buckets and objects are resources, and Amazon S3 provides APIs for you to manage them.
Using the AWS CLI
Here are some AWS CLI commands which may prove useful when testing a target's S3 buckets. Add `--no-sign-request` to any of them to send the request anonymously; that is what tests whether a bucket is open to the world rather than merely to your own credentials.
- List files: `aws s3 ls s3://bucket-name`
- Download a file: `aws s3 cp s3://bucket-name/<file> <destination>`
- Upload a file: `aws s3 cp test-file.txt s3://bucket-name/` (`aws s3 mv` does the same but deletes the local copy). Only upload a harmless marker file; a writable bucket is the finding, not somewhere to leave artefacts.
- Remove a file: `aws s3 rm s3://bucket-name/test-file.txt`
Scott Piper (@0xdabbad00)'s flAWS is a great resource for getting started with "common mistakes and gotchas" involving Amazon Web Services.
Also – take a look at #128088 and #129381 – a pair of incredibly helpful HackerOne reports by @yaworsk!
Update: Friday 7th July — Sandcastle is at EOL
Thanks for supporting the Sandcastle project. Apologies for the inconvenience, but upon consideration I've decided to cease development and place this project at End of Life. I would recommend @tomdev's Bucketeers tool, which incorporates a wider range of scanning prefixes and is open to contributions/PRs under the MIT License. Please feel free to use the bucket-names.txt list in your projects; a de-duplicated version can be found here.