redhuntlabs/BucketLoot redhuntlabs/BucketLoot

  • Stars
    star
    370
  • Rank 115,405 (Top 3 %)
  • Language
    Go
  • License
    MIT License
  • Created over 1 year ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
redhuntlabs/BucketLoot
github

redhuntlabs

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

BucketLoot is an automated S3-compatible bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.

BucketLoot

An Automated S3-compatible Bucket Inspector

Description • Features • Documentation • Acknowledgements

Static Badge Static Badge Static Badge Static Badge


Description

BucketLoot is an automated S3-compatible Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.

The tool can scan for buckets deployed on Amazon Web Services (AWS), Google Cloud Storage (GCS), DigitalOcean Spaces and even custom domains/URLs which could be connected to these platforms. It returns the output in a JSON format, thus enabling users to parse it according to their liking or forward it to any other tool for further processing.

BucketLoot comes with a guest mode by default, which means a user doesn't needs to specify any API tokens / Access Keys initially in order to run the scan. The tool will scrape a maximum of 1000 files that are returned in the XML response and if the storage bucket contains more than 1000 entries which the user would like to run the scanner on, they can provide platform credentials to run a complete scan. If you'd like to know more about the tool, make sure to check out our blog.

Features

Secret Scanning

Scans for over 30+ unique RegEx signatures that can help in uncovering secret exposures from the misconfigured storage bucket. Users have the ability to modify or add their own signatures in the regexes.json file. If you believe you have any cool signatures which might be helpful for others too and could be flagged at scale, go ahead and make a PR!

Asset Extraction

Interested in stepping up your asset discovery game? BucketLoot extracts all the URLs/Subdomains and Domains that could be present in an exposed storage bucket, enabling you to have a chance of discovering hidden endpoints, thus giving you an edge over the other traditional recon tools.

Searching

The tool goes beyond just asset discovery and secret exposure scanning by letting users search for custom keywords and even Regular Expression queries which may help them find exactly what they are looking for.

Acknowledgements

To know more about our Attack Surface Management platform, check out NVADR.

More Repositories

1

Awesome-Asset-Discovery

List of Awesome Asset Discovery Resources
1,946
star
2

RedHunt-OS

Virtual Machine for Adversary Emulation and Threat Hunting
1,234
star
3

Octopii

An AI-powered Personal Identifiable Information (PII) scanner.
Python
626
star
4

HTTPLoot

An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.
Go
384
star
5

BurpSuite-Asset_Discover

Burp Suite extension to discover assets from HTTP response.
Python
217
star
6

KubeStalk

KubeStalk discovers Kubernetes and related infrastructure based attack surface from a black-box perspective.
Python
166
star
7

Hunt4Spring

A "Spring4Shell" vulnerability scanner.
Go
50
star
8

Project-Resonance

47
star
9

Log4JHunt

An automated, reliable scanner for the Log4Shell (CVE-2021-44228) vulnerability.
Python
43
star
10

antisquat

Python
33
star
11

BurpSuite-Asset_History

Python
33
star
12

Maltego-Scripts

Python
33
star
13

ConfluentPwn

Atlassian confluence unauthenticated ONGL injection remote code execution scanner (CVE-2022-26134).
Go
11
star
14

one-liner-pocs

6
star
15

Project-Resonance-Website

Internet wide surveys to study and understand the security state of Internet as well as facilitate research into various components / topics which originate as a result of our surveys.
4
star
16

Varunastra

Go
1
star