
Scan for open S3 buckets and dump the contents

Project description

S3Scanner


A tool to find open S3 buckets and dump their contents💧

Usage

usage: s3scanner [-h] [--version] [--threads n] [--endpoint-url ENDPOINT_URL] [--endpoint-address-style {path,vhost}] [--insecure] {scan,dump} ...

s3scanner: Audit unsecured S3 buckets
           by Dan Salmon - github.com/sa7mon, @bltjetpack

optional arguments:
  -h, --help            show this help message and exit
  --version             Display the current version of this tool
  --threads n, -t n     Number of threads to use. Default: 4
  --endpoint-url ENDPOINT_URL, -u ENDPOINT_URL
                        URL of S3-compliant API. Default: https://s3.amazonaws.com
  --endpoint-address-style {path,vhost}, -s {path,vhost}
                        Address style to use for the endpoint. Default: path
  --insecure, -i        Do not verify SSL

mode:
  {scan,dump}           (Must choose one)
    scan                Scan bucket permissions
    dump                Dump the contents of buckets

Support

🚀 If you've found this tool useful, please consider donating to support its development

Installation

pip3 install s3scanner

or via Docker:

docker build . -t s3scanner:latest
docker run --rm s3scanner:latest scan --bucket my-bucket

or from source:

git clone git@github.com:sa7mon/S3Scanner.git
cd S3Scanner
pip3 install -r requirements.txt
python3 -m S3Scanner

Features

  • ⚡️ Multi-threaded scanning
  • 🔭 Supports tons of S3-compatible APIs
  • 🕵️‍♀️ Scans all bucket permissions to find misconfigurations
  • 💾 Dump bucket contents to a local folder
  • 🐳 Docker support

Examples

  • Scan AWS buckets listed in a file with 8 threads
    $ s3scanner --threads 8 scan --buckets-file ./bucket-names.txt
    
  • Scan a bucket in Digital Ocean Spaces
    $ s3scanner --endpoint-url https://sfo2.digitaloceanspaces.com scan --bucket my-bucket
    
  • Dump a single AWS bucket
    $ s3scanner dump --bucket my-bucket-to-dump
    
  • Scan a single Dreamhost Objects bucket which uses the vhost address style and an invalid SSL cert
    $ s3scanner --endpoint-url https://objects.dreamhost.com --endpoint-address-style vhost --insecure scan --bucket my-bucket
    

S3-compatible APIs

S3Scanner can scan and dump buckets in S3-compatible API services other than AWS by using the --endpoint-url argument. Depending on the service, you may also need the --endpoint-address-style or --insecure arguments.

Some services have different endpoints corresponding to different regions.

Note: S3Scanner currently only supports scanning for anonymous user permissions of non-AWS services

Service                                      | Example Endpoint                        | Address Style | Insecure?
DigitalOcean Spaces (SFO2 region)            | https://sfo2.digitaloceanspaces.com     | path          | No
Dreamhost                                    | https://objects.dreamhost.com           | vhost         | Yes
Linode Object Storage (eu-central-1 region)  | https://eu-central-1.linodeobjects.com  | vhost         | No
Scaleway Object Storage (nl-ams region)      | https://s3.nl-ams.scw.cloud             | path          | No
Wasabi Cloud Storage                         | http://s3.wasabisys.com/                | path          | Yes

📚 Current status of non-AWS APIs can be found in the project wiki
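The table only names the two address styles; the snippet below, an added example that is not part of S3Scanner, shows what each style does to the URL a bucket request is sent to, using endpoints from the table and constructed bucket and key names. It also checks the one property that commonly forces --insecure with vhost style: a bucket name containing a dot becomes an extra hostname label that a single-level wildcard certificate cannot cover.

```python
"""Show how --endpoint-address-style changes the URL a bucket request goes to.

Added example; not S3Scanner's own code. Endpoint values come from the table
above; the bucket and key names are constructed.
"""
from urllib.parse import quote, urlsplit, urlunsplit


def bucket_url(endpoint_url: str, bucket: str, key: str = "", style: str = "path") -> str:
    """Build the URL for `bucket` (and optionally `key`) under the given address style.

    path  -> https://endpoint/bucket/key   (bucket is the first path segment)
    vhost -> https://bucket.endpoint/key   (bucket is a hostname label)
    """
    parts = urlsplit(endpoint_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"endpoint must be an absolute http(s) URL: {endpoint_url!r}")
    base = parts.path.rstrip("/")      # tolerate a trailing slash, e.g. Wasabi's endpoint
    obj = quote(key, safe="/")         # keys may contain spaces and other reserved characters
    if style == "path":
        netloc, path = parts.netloc, f"{base}/{bucket}/{obj}"
    elif style == "vhost":
        netloc, path = f"{bucket}.{parts.netloc}", f"{base}/{obj}"
    else:
        raise ValueError(f"style must be 'path' or 'vhost', got {style!r}")
    return urlunsplit((parts.scheme, netloc, path, "", ""))


def vhost_tls_ok(bucket: str) -> bool:
    """vhost style over HTTPS relies on the endpoint's wildcard certificate.

    A wildcard matches exactly one hostname label, so a bucket name containing
    a dot (e.g. 'backups.example.com') yields a hostname the certificate does
    not cover and validation fails unless the provider issued one for it.
    """
    return "." not in bucket


if __name__ == "__main__":
    print(bucket_url("https://sfo2.digitaloceanspaces.com", "my-bucket", "dir/file.txt"))
    print(bucket_url("https://objects.dreamhost.com", "my-bucket", "dir/file.txt", "vhost"))
    print(vhost_tls_ok("backups.example.com"))
```

Picking the wrong style does not usually raise an error on the client side; the request simply goes to a hostname or path the provider does not recognise, which shows up as a spurious "bucket does not exist" result. Check the style against the provider's documentation before trusting a negative scan result.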

Interpreting Results

This tool will attempt to get all available information about a bucket, but it's up to you to interpret the results.

Possible permissions for buckets:

  • Read - List and view all files
  • Write - Write files to bucket
  • Read ACP - Read all Access Control Policies attached to bucket
  • Write ACP - Write Access Control Policies to bucket
  • Full Control - All above permissions

Any or all of these permissions can be set for the 2 main user groups:

  • Authenticated Users
  • Public Users (those without AWS credentials set)
  • Individual users/groups (out of scope of this tool)

What this means: Just because a bucket doesn't allow reading/writing ACLs doesn't mean you can't read/write files in the bucket. Conversely, you may be able to list ACLs but not read/write to the bucket.
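To make the permission and user-group lists above concrete, here is an added example (not S3Scanner's own code) that takes a bucket ACL in the shape of a boto3 get_bucket_acl() response, maps the AWS group grantee URIs onto the two audiences named above, and reports which of the five permissions each audience holds. SAMPLE_ACL and the owner ID are constructed; the group URIs and permission strings are the real values the S3 API returns.

```python
"""Classify S3 bucket ACL grants into the permission/audience view this README describes.

Added example; not part of S3Scanner. The ACL dict mirrors the shape of a
boto3 get_bucket_acl() response, but SAMPLE_ACL below is constructed by hand.
"""
from typing import Dict, List, Set, Tuple

# Grantee group URIs that S3 returns in GetBucketAcl for the two group audiences.
GROUP_URIS: Dict[str, str] = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Public Users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Authenticated Users",
}

# API permission names mapped to the names used in "Interpreting Results".
PERMISSION_NAMES: Dict[str, str] = {
    "READ": "Read",
    "WRITE": "Write",
    "READ_ACP": "Read ACP",
    "WRITE_ACP": "Write ACP",
    "FULL_CONTROL": "Full Control",
}

# Write-family grants let an outsider alter data or the ACL itself.
CRITICAL = {"Write", "Write ACP", "Full Control"}

# Constructed sample ACL: owner has full control, anyone can list/read objects,
# and any AWS account holder can read the ACL.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ_ACP"},
    ],
}


def summarize_grants(acl: dict) -> Dict[str, Set[str]]:
    """Map each group audience to the set of README permission names it holds.

    Grants to individual canonical users and to other groups (e.g. LogDelivery)
    are skipped, matching the README's "out of scope" note.
    """
    summary: Dict[str, Set[str]] = {name: set() for name in GROUP_URIS.values()}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        audience = GROUP_URIS.get(grantee.get("URI", ""))
        perm = PERMISSION_NAMES.get(grant.get("Permission", ""))
        if audience is None or perm is None:
            continue
        if perm == "Full Control":
            # FULL_CONTROL implies all four specific permissions.
            summary[audience].update(PERMISSION_NAMES.values())
        else:
            summary[audience].add(perm)
    return summary


def findings(acl: dict) -> List[Tuple[str, str, str]]:
    """Return (severity, audience, permission) tuples, most severe first.

    Both audiences are treated as public-equivalent: "Authenticated Users" is
    any AWS account in the world, not the accounts in your organisation.
    """
    out: List[Tuple[str, str, str]] = []
    for audience, perms in summarize_grants(acl).items():
        if "Full Control" in perms:
            out.append(("critical", audience, "Full Control"))
            continue
        for perm in sorted(perms):
            out.append(("critical" if perm in CRITICAL else "high", audience, perm))
    rank = {"critical": 0, "high": 1}
    return sorted(out, key=lambda f: (rank[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for severity, audience, perm in findings(SAMPLE_ACL):
        print(f"[{severity}] {audience}: {perm}")
```

The ACL is only one of the inputs that decide what an anonymous request can actually do; a bucket policy or S3 Block Public Access can grant or deny access independently of the ACL grants. That is exactly why the note above says ACL readability and object readability do not imply each other: a summary like this one tells you what the ACL says, and only an attempted operation tells you the effective permission.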

License

MIT

Download files


Source Distribution

S3Scanner-2.0.2.tar.gz (16.1 kB)

Uploaded Source

Built Distribution

S3Scanner-2.0.2-py3-none-any.whl (15.6 kB)

Uploaded Python 3

File details

Details for the file S3Scanner-2.0.2.tar.gz.

File metadata

  • Download URL: S3Scanner-2.0.2.tar.gz
  • Upload date:
  • Size: 16.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.6.0 importlib_metadata/4.8.2 pkginfo/1.8.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.7

File hashes

Hashes for S3Scanner-2.0.2.tar.gz

Algorithm    | Hash digest
SHA256       | 451c76bbe3c7c5c7629de990a1e904c47dbe4d4f9bac626e77b5e6799dc045ce
MD5          | 19104dc846a4f0b5bd8b8063acd5fb4b
BLAKE2b-256  | 7c2820af6edde8edee3e44cbaeaab0cbe0fb1dd64d9f613bd1f68b678cee944b

File details

Details for the file S3Scanner-2.0.2-py3-none-any.whl.

File metadata

  • Download URL: S3Scanner-2.0.2-py3-none-any.whl
  • Upload date:
  • Size: 15.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.6.0 importlib_metadata/4.8.2 pkginfo/1.8.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.7

File hashes

Hashes for S3Scanner-2.0.2-py3-none-any.whl

Algorithm    | Hash digest
SHA256       | e1301528c2ca6dd5abce31fe13bdd47152be939b05b0fc86a583c3443ffb74fd
MD5          | 7ddcc4153b4a88fb7a99f9122adf6960
BLAKE2b-256  | 1eaa10c4540a7bfd2ba561b6ee7d1f338946684c2007e25a0fe66cb23a5a2cd2
