Skip to content
All-in-one AWS S3 bucket tool for pentesters.
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.


Python |2.7 Twitter

This tool is based off of the Sandcastle projet from @yasinS. Using a word list, it will enumerate buckets and list files (if allowed). You can also choose to try to upload a test file, or attempt to view a bucket's ACL, policy, CORS configuration, replication configuration, website configuration and bucket location. You also have the option to check a single bucket that you have already found elsewhere.


How to use S3Cruze

  1. Clone this repo
  2. Run with your target name. You can also specify your own dictionnary file if you'd like and you can also select if you want to try to upload a file or not. The default behavior will only enumerate buckets.
usage: [-h] -t targetBucket [-f inputFile] [-u] [-d] [-a] [-p]
                   [-c] [-r] [-w] [-l] [--all] (-b | -s)

optional arguments:
  -h, --help            show this help message and exit
  -t targetBucket, --target targetBucket
                        Select a target bucket name (e.g. 'shopify')
  -f inputFile, --file inputFile
                        Select a bucket brute-forcing file (default: bucket-
  -u, --upload          File to upload will be automatically generated (e.g.
  -d, --delete          Delete file from bucket after uploading it
  -a, --acl             View bucket ACL
  -p, --policy          View bucket policy
  -c, --cors            View bucket CORS configuration
  -r, --replication     View bucket replication configuration
  -w, --website         View bucket website configuration
  -l, --location        View bucket location
  --all                 View all bucket configuration
  -b, --bruteforce      Bruteforce buckets names. By default it will try to
                        list files from the buckets.
  -s, --single          Check a single bucket only



I'm just beginning to code in Python so if you feel it could work better by coding it in a certain way, please feel free to create pull requests, it would be greatly appreciated. Honestly, please do.

If needed, I can also be reached via Twitter @JR0ch17.

You can’t perform that action at this time.