Yasin Soliman

I'm Yasin, a security analyst and OSCP from the UK, interested in web application testing and red team operations. This is my personal blog for sharing research findings.

Introducing Sandcastle: a script for S3 bucket enumeration


I've just published Sandcastle – a Python script for AWS S3 bucket enumeration. It's the public version of a personal script formerly known as bucketCrawler.

[Image: Sandcastle logo - AWS S3 bucket enumeration]

Intended for bug bounty and penetration testing engagements, Sandcastle takes a target's name as the "stem" (e.g. shopify) and iterates through a list of permutations.

[+] Match: shopify-dev --> 403
[+] Match: shopify-pics --> 403
[+] Match: shopify-assets --> 403
[+] Match: shopify-development --> 403
[+] Match: shopify-content --> 403
[+] Match: shopify-ops --> 200
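The status codes in that output are the whole result of a run, so it is worth being precise about what each one means before acting on it. The script below is an added example written for this post, not Sandcastle's own code: it parses "[+] Match: <bucket> --> <status>" lines, drops anything that is not a legal S3 bucket name, and maps each status to the meaning S3 gives an anonymous GET on a bucket root (200: anonymous listing allowed; 403: bucket exists but listing denied; 404: no such bucket; 301: bucket exists in another region) together with the remediation an owner would want. The six sample lines are the ones shown above; the remaining lines, the example-stem names and the advice strings are constructed for the example.

```python
# Added example (not Sandcastle's own code): triage Sandcastle-style output
# lines from a bucket owner's point of view. Status meanings follow what S3
# returns for an unauthenticated GET on the bucket root; sample lines below
# are the ones from the post plus constructed lines for the other branches.
import re
from dataclasses import dataclass

MATCH_RE = re.compile(r"^\[\+\] Match: (?P<bucket>\S+) --> (?P<status>\d{3})$")

# What the status of an anonymous bucket-root GET tells you, and what to do about it.
STATUS_MEANING = {
    200: ("public-listing",
          "bucket exists and anonymous ListBucket succeeded; anyone can read the "
          "key names. Tighten the bucket policy/ACL and enable Block Public Access."),
    403: ("exists-private",
          "bucket exists but anonymous listing is denied. Confirm who owns it and "
          "check that individual objects are not readable anonymously."),
    404: ("unclaimed",
          "no bucket with this name exists, so a third party could register it. "
          "Consider claiming names that resemble your own."),
    301: ("exists-other-region",
          "bucket exists but lives in another region; re-check it against the "
          "correct regional endpoint before drawing conclusions."),
}


@dataclass(frozen=True)
class Finding:
    bucket: str
    status: int
    category: str
    advice: str


def is_valid_bucket_name(name: str) -> bool:
    """Apply the S3 bucket naming rules so garbage lines are not reported as buckets."""
    if not 3 <= len(name) <= 63:
        return False
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]*[a-z0-9]", name):
        return False
    return ".." not in name


def parse_line(line: str):
    """Return (bucket, status) for a Sandcastle match line, or None for anything else."""
    m = MATCH_RE.match(line.strip())
    if m is None or not is_valid_bucket_name(m.group("bucket")):
        return None
    return m.group("bucket"), int(m.group("status"))


def triage(lines) -> list:
    """Turn raw output lines into Findings; unknown status codes are flagged for manual review."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        bucket, status = parsed
        category, advice = STATUS_MEANING.get(
            status, ("review", "unexpected status code; inspect the response by hand."))
        findings.append(Finding(bucket, status, category, advice))
    return findings


def summarize(findings) -> dict:
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Sample input: the six lines shown in the post, plus three constructed lines
# (a 404, a 301 and an illegal bucket name) to exercise the other branches.
SAMPLE_OUTPUT = """\
[+] Match: shopify-dev --> 403
[+] Match: shopify-pics --> 403
[+] Match: shopify-assets --> 403
[+] Match: shopify-development --> 403
[+] Match: shopify-content --> 403
[+] Match: shopify-ops --> 200
[+] Match: example-stem-backup --> 404
[+] Match: example-stem-logs --> 301
[+] Match: Bad_Name --> 200
""".splitlines()

if __name__ == "__main__":
    results = triage(SAMPLE_OUTPUT)
    # Publicly listable buckets first, since those need attention today.
    for f in sorted(results, key=lambda f: f.category != "public-listing"):
        print(f"{f.bucket:24} {f.status}  {f.category:20} {f.advice}")
    print(summarize(results))
```

A 403 is not "nothing found": it proves the name is taken, which matters both when you are confirming your own inventory and when you are checking whether a name your organisation uses has been registered by someone else.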

Find out more and download the script from GitHub.

Further reading

Along with the Sandcastle script, I've included a selection of reference points in README.md and below.

What is S3?

From the Amazon documentation, Working with Amazon S3 Buckets:

Amazon S3 [Simple Storage Service] is cloud storage for the Internet. To upload your data (photos, videos, documents etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket.

In terms of implementation, buckets and objects are resources, and Amazon S3 provides APIs for you to manage them.

Using the AWS CLI

Here are some AWS CLI commands which may prove useful when testing a target's S3 buckets.

  • List Files: aws s3 ls s3://bucket-name
  • Download Files: aws s3 cp s3://bucket-name/<file> <destination>
  • Upload Files: aws s3 cp/mv test-file.txt s3://bucket-name
  • Remove Files: aws s3 rm s3://bucket-name/test-file.txt

Learning more

Scott Piper (@0xdabbad00)'s flAWS is a great resource for getting started with "common mistakes and gotchas" involving Amazon Web Services.

Also – take a look at #128088 and #129381 – a pair of incredibly helpful HackerOne reports by @yaworsk!


Update: Friday 7th July — Sandcastle is at EOL

Thanks for supporting the Sandcastle project. Apologies for the inconvenience, but upon consideration I've decided to cease development and place this project at End of Life. I would recommend @tomdev's Bucketeers tool, which incorporates a wider range of scanning prefixes and is open to contributions/PRs under the MIT License. Please feel free to use the bucket-names.txt list in your projects; a de-duplicated version can be found here.
