Slurp - S3 Bucket Enumerator
Blackbox/whitebox S3 bucket enumerator
Overview
- Credit to all the vendor packages that made this tool possible.
- This is a safety tool; it's meant for pen-testers as well as safety professionals to perform audits of s3 buckets.
Features
- Scan via domain(s); yous tin post away target a unmarried domain or a listing of domains
- Scan via keyword(s); yous tin post away target a unmarried keyword or a listing of keywords
- Scan via AWS credentials; yous tin post away target your ain AWS trouble organization human relationship to come across which buckets convey been exposed
- Colorized output for visual grep
- Currently generates over 28,000 permutations per domain as well as keyword (thanks to @jakewarren as well as @random-robbie)
- Punycode back upward for internationalized domains
- Strong copyleft license (GPLv3)
Modes
There are 2 modes that this tool operates at; blackbox as well as whitebox mode. Whitebox manner (or internal) is significantly faster than blackbox (external) mode.
Blackbox (external)
In this mode, yous are using the permutations listing to send scans. It volition render imitation positives as well as in that place is no agency to link the buckets to an actual aws account! Do non opened upward issues bespeak how to create this.
Domain
Keywords
Whitebox (internal)
In this mode, yous are using the AWS API with credentials on a specific trouble organization human relationship that yous own to come across what is open. This method pulls all S3 buckets as well as checks Policy/ACL permissions. Note that, I volition non furnish back upward on how to piece of job the AWS API. Your credentials should last inward
/.aws/credentials
.internal
Usage
slurp domain <-t|--target> example.com
volition enumerate the S3 domains for a specific target.slurp keyword <-t|--target> linux,golang,python
volition enumerate S3 buckets based on those iii fundamental words.slurp internal
performs an internal scan using the AWS API.
Installation
This projection uses
vgo
; yous tin post away clone as well as go build
or download from Releases section. Please create non opened upward issues on why yous cannot cook the project; this projection builds similar whatever other projection would inward Go, if yous cannot cook as well as hence I strongly propose yous read the go spec.Also, the alone binaries I'm including are
linux/amd64
; if yous desire mac/windows binaries, cook it yourself.