Skip to content

iobush/aws-s3-bruteforce

BranchesTags

Repository files navigation

Purpose

For a given comapny name, try a large variety of permutations in order to scan and guess AWS S3 bucket names, identifying those that are public, printing them to the screen and open_buckets.txt.

For a given set of chars (e.g. -r abc123) and a number range (e.g. 3-5), generate random strings within the length range, using the given set of chars, to find public buckets, printing them to the screen and open_buckets.txt.

For a given ser of chars (e.g. -cp abc123) and a number of characters (e.g. -c 4), search all possible permutations of all combinations of length 4.

*** BUCKET NAMES ARE NOT CASE SENSITIVE ***

Reason

Companies and individuals, far too often, have public S3 buckets with client data or PII in them. Details of my adventures are here: https://www.mattsvensson.com/nerdings/2017/7/27/amazon-s3-bucket-searching-and-scraping

Doing it at scale

If you want to do a bruteforce of bucket names across a character set via a master-worker articture, send me a message. I created one as part of a personal project but have yet to document it to the level required to make it a public repo.

Prefixes and Postfixes

Prefixes and postfixes, such as "files" and "certs", are added to the strings by default. Behavior change be changed via the "-pp" or "--prefix_or_postfix" parameter to show "prefix" or "postfix" only.

The default is to use both. but you should only need it on the postfix, as that is how a majority of open buckets have been found.

You can modify the list of strings and the separators (e.g. ".", "-", and "_") in the constants.py file.

Use - List

#Single threaded scan of a given company name
./find_public_buckets.py -t 1 -s "This Company Name"

#Single threaded scan of a given company name, changing the output file
./find_public_buckets.py -t 1 -s "This Company Name" -o thiscompanyname.log

#Acronym only search of a given string ./find_public_buckets.py -t 1 -s "This Company Name" -ao

#Dual threaded scan of the example file (company_names.txt)
./find_public_buckets.py -t 2 -l comapny_names.txt

#Dual threaded scan of the example file (company_names.txt), starting after "Harris Corporation"
./find_public_buckets.py -t 2 -l comapny_names.txt -a "Harris Corporation"

#Dual threaded scan of the example file (company_names.txt), starting after the 3rd line (using line 1 as the first)
./find_public_buckets.py -t 2 -l comapny_names.txt -n 3

#Dual threaded scan of the example file (company_names.txt), printing every guessed bucketname
./find_public_buckets.py -t 2 -l comapny_names.txt -p

#Acronym only search of a given file ./find_public_buckets.py -t 2 -l comapny_names.txt -p --acronyms_only

Use - Random Strings

#Random strings with lowercase and numbers, 4 char long
./find_public_buckets.py -r abcdefghijklmnopqrstuvwxyz0123456789 -c 4

#Multi-threaded random strings with lowercase and numbers, 4 char long
./find_public_buckets.py -r abcdefghijklmnopqrstuvwxyz0123456789 -c 4 -t 2

#Random strings with lowercase letters, 3-5 chars long.
./find_public_buckets.py -r abcdefghijklmnopqrstuvwxyz -cr 3-5

Use - All Permutations of a set of chars, for a given length

#Random strings with lowercase and numbers, 4 char long
./find_public_buckets.py -cp abcdefghijklmnopqrstuvwxyz0123456789 -c 4

#Multithreaded random strings with lowercase and numbers, 4 char long
./find_public_buckets.py -cp abcdefghijklmnopqrstuvwxyz0123456789 -c 4 -t 2

#Multithreaded random strings with lowercase and numbers, 4 char long, starting after "bcd", i.e. starting at "bde"
./find_public_buckets.py -cp abcdefghijklmnopqrstuvwxyz0123456789 -c 4 -t 2 -a bcd

#Random strings with lowercase and numbers, 4 char long, starting after "a999" and stoping at "caaa" non-inclusive
./find_public_buckets.py -cp abcdefghijklmnopqrstuvwxyz0123456789 -c 4 -a a999 -f caaa

Output -p modifier to pring New Guesses

Without the -p modifier, you will see a progressbar, like below
0% [                           ] 28/21,147 3/sec eta 1h 40m 22s

With the -p modifier, you will see the same progress bar printed (with updated) and every new guessed name you try (not found in buckets_found.txt.
0% [                           ] 1/1,064 1/sec eta 10m 49s https://s3.amazonaws.com/test
0% [                           ] 2/1,064 1/sec eta 16m 16s https://s3.amazonaws.com/test-company
0% [                           ] 3/1,064 1/sec eta 12m 15s https://s3.amazonaws.com/test-company-archive
0% [                           ] 4/1,064 1/sec eta 10m 13s https://s3.amazonaws.com/test-company-backup
0% [                           ] 5/1,064 1/sec eta 9m 4s https://s3.amazonaws.com/test-company-bak
0% [                           ] 6/1,064 2/sec eta 8m 14s https://s3.amazonaws.com/test-company-beta

Notes

  • On lists, I would recommend running this inside of tmux or screen with the -p option so that you can see the current comapny being scanned in case an error is thrown and it stops or you want to manually stop it.
  • Buckets that exist will be written to found/buckets_found.txt in the root folder
  • The "scanned" folder contains prior lists that you have scanned. All names (by line) in these files will be skipped during the scan, to prevent re-running names on random lists you try.
  • On an AWS EC2 t2.micro instance, I was able to search 30 names/sec per thread on a list of names.
  • Domain names can be added via the constants file but I commented it out beacuse it wasn't adding any value and increasing the search space dramatically

About

Amazon AWS S3 Bucket Name Bruteforce

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages