• Stars
    star
    2,497
  • Rank 18,397 (Top 0.4 %)
  • Language
    Go
  • License
    MIT License
  • Created over 7 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Scan for misconfigured S3 buckets across S3-compatible APIs!

S3Scanner

License: MIT Build Status

A tool to find open S3 buckets and dump their contents💧

Usage

usage: s3scanner [-h] [--version] [--threads n] [--endpoint-url ENDPOINT_URL] [--endpoint-address-style {path,vhost}] [--insecure] {scan,dump} ...

s3scanner: Audit unsecured S3 buckets
           by Dan Salmon - github.com/sa7mon, @bltjetpack

optional arguments:
  -h, --help            show this help message and exit
  --version             Display the current version of this tool
  --threads n, -t n     Number of threads to use. Default: 4
  --endpoint-url ENDPOINT_URL, -u ENDPOINT_URL
                        URL of S3-compliant API. Default: https://s3.amazonaws.com
  --endpoint-address-style {path,vhost}, -s {path,vhost}
                        Address style to use for the endpoint. Default: path
  --insecure, -i        Do not verify SSL

mode:
  {scan,dump}           (Must choose one)
    scan                Scan bucket permissions
    dump                Dump the contents of buckets

🚀 Support

If you've found this tool useful, please consider donating to support its development. You can find sponsor options on the side of this repo page or in FUNDING.yml

Huge thank you to tines for being an ongoing sponsor of this project.

Installation

pip3 install s3scanner

or via Docker:

docker build . -t s3scanner:latest
docker run --rm s3scanner:latest scan --bucket my-buket

or from source:

git clone [email protected]:sa7mon/S3Scanner.git
cd S3Scanner
pip3 install -r requirements.txt
python3 -m S3Scanner

Features

  • ⚡️ Multi-threaded scanning
  • 🔭 Supports tons of S3-compatible APIs
  • 🕵️‍♀️ Scans all bucket permissions to find misconfigurations
  • 💾 Dump bucket contents to a local folder
  • 🐳 Docker support

Examples

  • Scan AWS buckets listed in a file with 8 threads
    $ s3scanner --threads 8 scan --buckets-file ./bucket-names.txt
  • Scan a bucket in Digital Ocean Spaces
    $ s3scanner --endpoint-url https://sfo2.digitaloceanspaces.com scan --bucket my-bucket
  • Dump a single AWS bucket
    $ s3scanner dump --bucket my-bucket-to-dump
  • Scan a single Dreamhost Objects bucket which uses the vhost address style and an invalid SSL cert
    $ s3scanner --endpoint-url https://objects.dreamhost.com --endpoint-address-style vhost --insecure scan --bucket my-bucket

S3-compatible APIs

S3Scanner can scan and dump buckets in S3-compatible APIs services other than AWS by using the --endpoint-url argument. Depending on the service, you may also need the --endpoint-address-style or --insecure arguments as well.

Some services have different endpoints corresponding to different regions

Note: S3Scanner currently only supports scanning for anonymous user permissions of non-AWS services

Service Example Endpoint Address Style Insecure ?
DigitalOcean Spaces (SFO2 region) https://sfo2.digitaloceanspaces.com path No
Dreamhost https://objects.dreamhost.com vhost Yes
Linode Object Storage (eu-central-1 region) https://eu-central-1.linodeobjects.com vhost No
Scaleway Object Storage (nl-ams region) https://s3.nl-ams.scw.cloud path No
Wasabi Cloud Storage http://s3.wasabisys.com/ path Yes

📚 Current status of non-AWS APIs can be found in the project wiki

Interpreting Results

This tool will attempt to get all available information about a bucket, but it's up to you to interpret the results.

Possible permissions for buckets:

  • Read - List and view all files
  • Write - Write files to bucket
  • Read ACP - Read all Access Control Policies attached to bucket
  • Write ACP - Write Access Control Policies to bucket
  • Full Control - All above permissions

Any or all of these permissions can be set for the 2 main user groups:

  • Authenticated Users
  • Public Users (those without AWS credentials set)
  • Individual users/groups (out of scope of this tool)

What this means: Just because a bucket doesn't allow reading/writing ACLs doesn't mean you can't read/write files in the bucket. Conversely, you may be able to list ACLs but not read/write to the bucket

Contributors

License

MIT

More Repositories

1

venmo-data

Venmo trasaction dataset for data analysis/visualization/anything
205
star
2

miniprint

A medium interaction printer honeypot 🍯
Python
197
star
3

ups-telegraf

Get data from USB-connected UPS with Telegraf
Python
21
star
4

watchtower

Detect and alert when Rogue AP and Deauth attacks occur
Python
11
star
5

browser-kali

Docker image for Kali XFCE with NoVNC
Dockerfile
10
star
6

wpe-parse

This is a simple parsing script to convert output from hostapd-wpe (which makes John the Ripper-formatted logs) to Hashcat format.
Shell
7
star
7

validate_emails

A quick Python script used to validate email addresses
Python
7
star
8

press

A multi-threaded tool for resumable Wordpress bruteforcing
Python
6
star
9

h1rss

An RSS feed generator for HackerOne Hacktivity
Go
5
star
10

craigsfeed

RSS feed generator for Craigslist searches
Go
5
star
11

firefly-gone-plaid

A connector to add financial transactions from the Plaid API to Firefly III
Go
5
star
12

fccedits

Find Wikipedia edits originating from IP's belonging to the FCC
Python
5
star
13

startools

To use a RasPi to do an Evil Twin attack and capture 802.1x RADIUS creds
C
4
star
14

orchestra

Quickly create a static site hosted on AWS from the command line
Shell
3
star
15

awesome-open-source-images

3
star
16

docker-benchmark

A simple container to benchmark Docker filesystem performance using fio
Shell
2
star
17

parsecaps

Parse wpa.cap generated from besside-ng and create individual .caps for each network with a captured handshake.
Python
2
star
18

ghostup

Upgrade Ghost and ghost-cli
Shell
2
star
19

resume-latex

Current resume
TeX
1
star
20

tumblr-spam-accounts

1
star
21

podarc

A simple tool to archive podcasts
Go
1
star
22

csv-sql-tools

1
star
23

nixos

Learning NixOS
Nix
1
star
24

uenum

A customizable tool to enumerate users via APIs
Python
1
star
25

cheater-beater

Python
1
star
26

jsCaesar

Simple Caesar cipher written in JavaScript.
JavaScript
1
star
27

bindings

For all those pesky IDE's
1
star
28

dns-rebind

DNS Rebinding Attack research
Go
1
star
29

retirement-calc

MNSU IT680 Spring 2019 - Phase 2 Project
JavaScript
1
star
30

vulnchest

A collection of vulnerable applications for research purposes
Dockerfile
1
star
31

salary-viz

MNSU salary data visualization. IT680 - Spring 2019
JavaScript
1
star