Skip to content
🏰 A Python script for AWS S3 bucket enumeration.
Branch: master
Clone or download
Pull request Compare This branch is 16 commits ahead of 0xSearches:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Initial commit Apr 8, 2017

Sandcastle logo - AWS S3 bucket enumeration

Inspired by a conversation with Instacart's @nickelser on HackerOne, I've optimised and published Sandcastle – a Python script for AWS S3 bucket enumeration, formerly known as bucketCrawler.

The script takes a target's name as the stem argument (e.g. shopify) and iterates through a file of bucket name permutations, such as the ones below:


Getting started

Here's how to get started:

  1. Clone this repo
  2. Run with a target name or list of targets
  3. Matching bucket permutations will be identified, and read/write permissions tested.
usage: [-h] (-t targetStem | -f inputFile) [-b bucketFile]
                     [-o outputFile] [--threads threadCount]

  -h, --help            show this help message and exit
  -t shopify, --target shopify
                        Select a target stem name (e.g. 'shopify')
  -f targets.txt, --file targets.txt
                        Select a target list file
  -b bucket-names.txt, --bucket-list bucket-names.txt
                        Select a bucket permutation file (default: bucket-
  -o output.txt, --output output.txt
                        Select a output file
  --threads 50
                        Choose number of threads (default=50)
   ____             __             __  __
  / __/__ ____  ___/ /______ ____ / /_/ /__
 _\ \/ _ `/ _ \/ _  / __/ _ `(_-</ __/ / -_)

S3 bucket enumeration // release v1.3 // ysx & Parasimpaticki

[*] Commencing enumeration of 'spotify', reading 2125 lines from 'bucket-names.txt'.

[+] Checking potential match: shopify-content --> 403

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

Status codes and testing

Status code Definition Notes
404 Bucket Not Found Not a target for analysis (hidden by default)
403 Access Denied Potential target for analysis via the CLI
200 Publicly Accessible Potential target for analysis via the CLI

AWS CLI commands

Here's a quick reference of some useful AWS CLI commands:

  • List Files: aws s3 ls s3://bucket-name
  • Download Files: aws s3 cp s3://bucket-name/<file> <destination>
  • Upload Files: aws s3 cp/mv test-file.txt s3://bucket-name
  • Remove Files: aws s3 rm s3://bucket-name/test-file.txt

What is S3?

From the Amazon documentation, Working with Amazon S3 Buckets:

Amazon S3 [Simple Storage Service] is cloud storage for the Internet. To upload your data (photos, videos, documents etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket.

In terms of implementation, buckets and objects are resources, and Amazon S3 provides APIs for you to manage them.

Closing remarks

  • This is my first public security project. Sandcastle is published under the MIT License.
  • Usage acknowlegements:
    • Castle (icon) by Andrew Doane from the Noun Project
    • Nixie One (logo typeface) free by Jovanny Lemonad
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.