I recently released a Python tool to identify public S3 buckets and objects through appending multiple permutations to a root name.

usage: inSp3ctor.py [-h] [-w wordlist] [-n root] [-o] [-a] [-p] [-b batch]

AWS s3 Bucket Permutation Checker

optional arguments:  
  -h, --help   show this help message and exit
  -w wordlist  Specify list of buckets to check from wordlist
  -n root      Specify the root name to use, i.e. google, amazon
  -o           Check objects in a public s3 bucket if they are available
  -a           Use AWS Credentials to authenticate the request
  -p           Only show buckets/objects that are public in the results
  -b batch     Specify filename containing words to apply permutations to

How To Use

You can either use a pre-made wordlist containing all the buckets/objects you want to check or supply a root name, and let inSp3ctor add in common permutations to the bucket name to find different variations.

Example

If you wanted to look for any information for example, you'd run python inSp3ctor.py -n example, you can supply the argument -o if you want to check the status of the objects contained in the public buckets.

[!] Applying permutations to example
[!] Bucket is marked private [http://example-dev.s3.amazonaws.com]
[>] Bucket has a redirect [http://s3.amazonaws.com/example-dev] Redirected here - [example-dev.s3.amazonaws.com]
[-] Bucket does not exist or cannot list [http://example-prod.s3.amazonaws.com]
[-] Bucket does not exist or cannot list [http://s3.amazonaws.com/example-prod]
[-] Bucket does not exist or cannot list [http://example-production.s3.amazonaws.com]
[-] Bucket does not exist or cannot list [http://s3.amazonaws.com/example-production]
[-] Bucket does not exist or cannot list [http://example-tmp.s3.amazonaws.com]
[-] Bucket does not exist or cannot list [http://s3.amazonaws.com/example-tmp]
[!] Bucket is marked private [http://example-media.s3.amazonaws.com]
[>] Bucket has a redirect [http://s3.amazonaws.com/example-media] Redirected here - [example-media.s3.amazonaws.com]
[-] Bucket does not exist or cannot list [http://example-tmp-logs.s3.amazonaws.com]
[-] Bucket does not exist or cannot list [http://s3.amazonaws.com/example-tmp-logs]
[!] Bucket is marked private [http://example-logs.s3.amazonaws.com]
[!] Bucket is marked private [http://s3.amazonaws.com/example-logs]
[-] Bucket does not exist or cannot list [http://example-splunk.s3.amazonaws.com]
[-] Bucket does not exist or cannot list [http://s3.amazonaws.com/example-splunk]

If you want to do lookups on a batch of companies, you can specify -b and supply a wordlist file, with a name on each line. The tool will then run through each line and lookup each name along with the list of permutations consecutively. I would recommend specifying -p to only output the public buckets/objects.

TODO

  • Right now, the AWS credentials are hardcoded in the python script, which should be handled through the /.aws credential file.