Amazon S3 bucket finder.
Project description
s3recon
Amazon S3 bucket finder and crawler.
Installation
$ pip install s3recon
Usage
usage: s3recon [-h] [-o file] [-t seconds] word_list [word_list ...]
positional arguments:
word_list read words from one or more <word-list> files
optional arguments:
-h, --help show this help message and exit
-o file, --output file write output to <file> (default: stdout)
-p, --public only include 'public' buckets in the output
-t seconds, --timeout seconds http request timeout in <seconds> (default: 30)
-v, --version show program's version number and exit
Example
1. Download a word-list. The SecLists repository has a multitude of word-lists to choice from. For this example let's download the sample word-list included in this repository.
$ curl -sSfL -o word-list.txt "https://raw.githubusercontent.com/clarketm/s3recon/master/data/words.txt" | tar -xz
2. Run s3recon against the word-list.txt file and output the public bucket results to a json file named results.json.
$ s3recon "word-list.txt" -o "results.json" --public
- PRIVATE https://s3.sa-east-1.amazonaws.com/test-lyft
- PRIVATE https://s3.ap-south-1.amazonaws.com/test.amazon
+ PUBLIC https://walmart-dev.s3.us-east-1.amazonaws.com
- PRIVATE https://s3.ap-southeast-1.amazonaws.com/apple-prod
- PRIVATE https://walmart.s3.ap-southeast-1.amazonaws.com
...
3. Inspect the results.json file to see the S3 buckets 💰 you have discovered!
$ cat "results.json"
{
"public": {
"total": 12,
"hits": [
"https://walmart-dev.s3.us-east-1.amazonaws.com",
"https://apple-production.s3.ap-southeast-1.amazonaws.com",
...
]
}
}
Note: to limit the results set to only public buckets use the
-p, --publicflag.
4. Crawl the results list and enumerate the static files available in each bucket
Coming soon!
FAQ
Q: How do I configure this utility?
A:
s3recon can be configure using a yaml configuration file location in either the current working directory (e.g. ./s3recon.yml) or the users home diretory (e.g. ~/s3recon.yml).
List of configurable values:
# s3recon.yml
separators: ["-", "_", "."]
environments: ["", "backup", "backups", ...]
regions: ["ap-northeast-1", "ap-northeast-2", ...]
To see the full list of configurable values (and their defaults) please refer to the s3recon.yml configuration file.
Q: How do I customize the AWS regions used in the recon?
A:
The AWS region can be altered by setting the regions array in your s3recon.yml.
# s3recon.yml
regions: [ "us-west-2", ...]
Q: How do I customize the values of the environment modifiers used in the recon?
A:
The environment modifier are modifiers permuted with each item of the word-list and separator to for the bucket value in the lookup.
The value can be altered by setting the environments array in your s3recon.yml.
For example, to only search lines from the word-list verbatim you can set this value to an empty array or an array with an empty string.
# s3recon.yml
environments: []
# same effect as:
environments: [""]
>
## Going Forward
- [] Create `crawl` command to crawl public/private buckets found in `find` stage and output filenames.
- [] Separate out `find` and `crawl` as subcommands.
- [] Store discovered buckets in a NoSQL datastore.
## License
MIT © [**Travis Clarke**](https://blog.travismclarke.com/)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
