Tools for finding public buckets

Introduction

Because of common mistakes that administrators and AWS users make, many buckets end up exposed to the Internet. In recent years, a lot of data has been revealed through open S3 buckets, ranging from employee contracts and software code bases to sensitive information such as network diagrams, usernames and passwords.

There are several tools to find and dump the contents of public buckets.

What are we going to cover?

This chapter covers some popular tools that can be used to find public buckets and, if required, dump the data they contain.

AWS Buckets

The following is a list of valid S3 bucket names on EC2

Google dorking

Google is an extremely powerful search engine that can be used to find specific resources on the Internet.

For example, the following dork can be used to find S3 buckets containing Excel sheets that may in turn contain passwords:

site:*.s3.amazonaws.com ext:xls | ext:xlsx | ext:csv password|passwd|pass user|username|uid|email

Other keywords can be used to find other kinds of information.

Practice Exercise: DigiNinja Bucket Finder

Bucket Finder is a Ruby script that discovers buckets using a provided dictionary of bucket names.

bucket_finder ~/tools/AWSBucketDump/BucketNames.txt -l results.txt

If you want to download the contents of the discovered buckets, specify -d to enable file downloads:

bucket_finder -d ~/tools/AWSBucketDump/BucketNames.txt -l results-download.txt
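From the bucket owner's side, the listing and downloading described above appears in S3 server access logs as read requests with no authenticated requester (the requester field is "-"). The following is an added example, not part of the original page or of Bucket Finder: it counts anonymous listings, downloads and denied probes per bucket and source IP. The log lines, bucket names and addresses are constructed samples, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log record, up to the HTTP status.
LINE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\S+) '
)
# Operations that correspond to listing a bucket and fetching an object.
WATCHED = {"REST.GET.BUCKET": "list", "REST.GET.OBJECT": "download"}

def anonymous_reads(lines):
    """Count unauthenticated list/download requests per (bucket, source IP).

    2xx responses mean the bucket served data to an anonymous caller;
    403 responses are probes that the bucket's permissions rejected.
    """
    hits = defaultdict(lambda: {"list": 0, "download": 0, "denied": 0})
    for line in lines:
        m = LINE.match(line)
        # Skip malformed lines, authenticated callers and other operations.
        if not m or m["requester"] != "-" or m["operation"] not in WATCHED:
            continue
        if m["status"].startswith("2"):
            hits[(m["bucket"], m["ip"])][WATCHED[m["operation"]]] += 1
        elif m["status"] == "403":
            hits[(m["bucket"], m["ip"])]["denied"] += 1
    return dict(hits)

# Constructed sample records (documentation IP ranges, made-up names).
SAMPLE = """\
ownerEXAMPLE example-public-bucket [06/Feb/2019:00:00:38 +0000] 198.51.100.7 - REQ1EXAMPLE REST.GET.BUCKET - "GET / HTTP/1.1" 200 - 1024 - 12 11 "-" "Ruby" -
ownerEXAMPLE example-public-bucket [06/Feb/2019:00:00:39 +0000] 198.51.100.7 - REQ2EXAMPLE REST.GET.OBJECT contracts.csv "GET /contracts.csv HTTP/1.1" 200 - 5120 5120 20 19 "-" "Ruby" -
ownerEXAMPLE example-public-bucket [06/Feb/2019:00:00:40 +0000] 198.51.100.7 - REQ3EXAMPLE REST.GET.OBJECT users.xlsx "GET /users.xlsx HTTP/1.1" 200 - 2048 2048 15 14 "-" "Ruby" -
ownerEXAMPLE example-public-bucket [06/Feb/2019:00:01:00 +0000] 203.0.113.9 ownerEXAMPLE REQ4EXAMPLE REST.GET.BUCKET - "GET / HTTP/1.1" 200 - 1024 - 10 9 "-" "aws-cli" -
ownerEXAMPLE example-private-bucket [06/Feb/2019:00:00:41 +0000] 198.51.100.7 - REQ5EXAMPLE REST.GET.BUCKET - "GET / HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "Ruby" -
this line is not a log record
""".splitlines()

if __name__ == "__main__":
    for (bucket, ip), counts in anonymous_reads(SAMPLE).items():
        print(bucket, ip, counts)
```

Any non-zero "list" or "download" count means the bucket answered an unauthenticated request and its ACL or bucket policy should be reviewed.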
