slurp: Blackbox/whitebox S3 bucket enumerator
Blackbox/whitebox S3 bucket enumerator
- Credit to all the vendor packages that made this tool possible.
- This is a security tool; it’s meant for pen-testers and security professionals to perform audits of s3 buckets.
- Scan via domain(s); you can target a single domain or a list of domains
- Scan via keyword(s); you can target a single keyword or a list of keywords
- Scan via AWS credentials; you can target your own AWS account to see which buckets have been exposed
- Colorized output for visual grep
- Currently generates over 28,000 permutations per domain and keyword (thanks to @jakewarren and @random-robbie)
- Punycode support for internationalized domains
- Strong copyleft license (GPLv3)
There are two modes that this tool operates at; blackbox and whitebox mode. Whitebox mode (or internal) is significantly faster than blackbox (external) mode.
In this mode, you are using the permutations list to conduct scans. It will return false positives and there is no way to link the buckets to an actual aws account! Do not open issues asking how to do this.
In this mode, you are using the AWS API with credentials on a specific account that you own to see what is open. This method pulls all S3 buckets and checks Policy/ACL permissions. Note that, I will not provide support on how to use the AWS API. Your credentials should be in ~/.aws/credentials.
- slurp domain <-t|–target> example.com will enumerate the S3 domains for a specific target.
- slurp keyword <-t|–target> linux,golang,python will enumerate S3 buckets based on those 3 keywords.
- slurp internal performs an internal scan using the AWS API.
- slurp mode <-t|–target> example.com -g export the permutation list to a file; by default its ./generated. Use –generate_file to change the path/name.
It is entirely possible that you’ll experience the following error:
ERRO NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors
This error can be thrown if you have profile-based setup for ~/.aws/ (no default); you can get around this by running with AWS_PROFILE=x slurp internal. Amazons Named Profiles documentation sheds more light onto this issue.
Copyright (C) 2019 hehnope