I've just published Sandcastle – a Python script for AWS S3 bucket enumeration. It's the public version of a personal script formerly known as bucketCrawler.
Intended for bug bounty and penetration testing engagements, Sandcastle takes a target's name as the "stem" (e.g. shopify) and iterates through a list of potential name permutations.
[+] Match: shopify-dev --> 403
[+] Match: shopify-pics --> 403
[+] Match: shopify-assets --> 403
[+] Match: shopify-development --> 403
[+] Match: shopify-content --> 403
[+] Match: shopify-ops --> 200
Find out more and download the script from GitHub.
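To make the two halves of the technique above concrete, here is an added example (my own illustration, not Sandcastle's code): it builds the stem-plus-suffix name permutations the post describes, parses Sandcastle-style "[+] Match:" result lines, and groups the names by what the HTTP status means to the bucket owner (200: the anonymous listing request succeeded; 403: the bucket exists but listing is denied; 404: no such bucket). The suffix list and the sample output are constructed for the example; the real Sandcastle permutation list is longer.

```python
"""Added example (not Sandcastle's own code): stem-based name permutations
plus triage of Sandcastle-style result lines for a bucket owner's audit."""
from __future__ import annotations

import re

# Constructed suffix list standing in for Sandcastle's permutation list
# (assumption: the real list is considerably longer; these mirror the post's sample).
SUFFIXES = ["dev", "pics", "assets", "development", "content", "ops"]

# One line of the form shown in the post: "[+] Match: name --> 403".
MATCH_RE = re.compile(r"\[\+\]\s*Match:\s*(?P<name>\S+)\s*-->\s*(?P<code>\d{3})")

# Meaning of the status code for an anonymous GET on a bucket URL.
SEVERITY = {
    200: "PUBLIC LISTING",            # listing readable without credentials
    403: "exists, listing denied",    # AccessDenied: bucket is taken but closed
    404: "no such bucket",            # NoSuchBucket: name is unclaimed
}

# Constructed sample output: the post's six results plus one 404 line for illustration.
SAMPLE_OUTPUT = """\
[+] Match: shopify-dev --> 403
[+] Match: shopify-pics --> 403 [+] Match: shopify-assets --> 403
[+] Match: shopify-development --> 403
[+] Match: shopify-content --> 403
[+] Match: shopify-ops --> 200
[+] Match: shopify-backup --> 404
"""


def candidate_names(stem: str, suffixes: list[str] = SUFFIXES) -> list[str]:
    """Build stem-suffix and suffix-stem permutations, lower-cased because
    bucket names are case-insensitive DNS labels."""
    stem = stem.lower()
    names: list[str] = []
    for suffix in suffixes:
        names.append(f"{stem}-{suffix}")
        names.append(f"{suffix}-{stem}")
    return names


def parse_results(output: str) -> dict[str, int]:
    """Map bucket name -> status code. finditer over the whole text copes with
    output that was wrapped onto one line as well as one match per line."""
    return {m["name"]: int(m["code"]) for m in MATCH_RE.finditer(output)}


def triage(results: dict[str, int]) -> dict[str, list[str]]:
    """Group names by what their status code means for the owner, so the
    200s (publicly listable buckets) stand out for remediation."""
    groups: dict[str, list[str]] = {}
    for name, code in sorted(results.items()):
        label = SEVERITY.get(code, f"unexpected HTTP {code}")
        groups.setdefault(label, []).append(name)
    return groups


if __name__ == "__main__":
    print("candidates:", candidate_names("shopify")[:4], "...")
    for label, names in triage(parse_results(SAMPLE_OUTPUT)).items():
        print(f"{label}: {', '.join(names)}")
```

Run against your own organisation's stem, the 200 group is the list of buckets whose listings anyone can read; the 403 group tells you which predictable names are already claimed (by you or by someone else), and the 404 group shows names that remain unregistered.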
Along with the Sandcastle script, I've included a selection of reference points in README.md and below.
What is S3?
From the Amazon documentation, Working with Amazon S3 Buckets:
Amazon S3 [Simple Storage Service] is cloud storage for the Internet. To upload your data (photos, videos, documents etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket.
In terms of implementation, buckets and objects are resources, and Amazon S3 provides APIs for you to manage them.
Using the AWS CLI
Here are some AWS CLI commands which may prove useful when testing targets' S3 buckets.
- List Files:
aws s3 ls s3://bucket-name
- Download Files:
aws s3 cp s3://bucket-name/<file> <destination>
- Upload Files (use mv instead of cp to move the file rather than copy it):
aws s3 cp test-file.txt s3://bucket-name
- Remove Files:
aws s3 rm s3://bucket-name/test-file.txt
Scott Piper (@0xdabbad00)'s flAWS is a great resource for getting started with "common mistakes and gotchas" involving Amazon Web Services.
Also – take a look at #128088 and #129381 – a pair of incredibly helpful HackerOne reports by @yaworsk!
Edit (9th April): the example Sandcastle output has been updated to reflect changes in version 1.1.0. Furthermore, after another round of changes, I'm pleased to announce that Sandcastle is now live on PyPI and can be installed via pip!