• Scenario mainargs.2: --out-file
• Scenario mainargs.3: --list
• Scenario mainargs.4: --dump

• Scenario checkBucketwc.1 - Non-existent bucket
• Scenario checkBucketwc.2 - Good bucket
• Scenario checkBucketwc.3 - No public read perm

To speed things up if the user has an idea of which S3 region the buckets are probably in

Seems to be only when a certain sequence of results happens. i.e. open, not found, closed

Try to upload a file to see if write permissions are available. Have a default file that it tries to upload and possible re-create the file automatically if it doesn't exist.

Will need to do some initial testing to see how much time a bucket file of size, say, 200 takes. Then look at taking out the calls to checkBucket from inside the other functions. The way the program flow goes, they're always checked first so we can probably assume later that they exist.

Check if it's still outputting lines with " [found] :" as prefix. If so, remove that. Output should be awk-able on '|'.

Domain list used: alexa1m-resume.txt

Scanning just stops after 2,343 domains

Now that we're doing proper release versioning, add an arg to output it. Also useful for having people submit issues.

• Scenario dumpBucket.2 - Public read permission disabled
• Scenario dumpBucket.3 - Authenticated users read enabled, public users read disabled

Need to pass the Ctrl+C signal to the sh process from the Python script

Currently, both s3scanner and s3utils do string formatting on the results. Move all string formatting to s3scanner to simplify things and make the code more portable.

Listing buckets is time consuming. Add an option to either skip it, or just check if we can list it instead of getting the size.

Both produce same output:
s3scanner.py sites.txt
s3scanner.py --list sites.txt

• Decide what default behavior should be. Probably just don't write anything to file if --list is omitted.
• Change the name to something more meaningful

Probably fix #61 at the same time

Finder

• Job creation - Job = Buckets to try
• Notifications with configurable triggers. i.e. Interesting file types, total bucket size, or any buckets found in job.

Dumper

• Set maximum file size

Add references to other tools:

• https://github.com/jordanpotti/AWSBucketDump
• https://www.virtuesecurity.com/blog/aws-penetration-testing-s3-buckets/

I think it's only visible if the bucket is list-able. Look into.

Figure out how to do this using pytest

• Scenario listBucket.2 - Public read disabled

Not sure why it's in master. Make sure we really don't need it first.

pprint was only supposed to be temporary. Fix that.

Buckets from the log output of bucket-stream are in the form: mybucket.s3.amazonaws.com. Currently, these buckets return as non-existent.

This seems to be part of a bigger (seemingly incorrect) assumption I made about how S3 urls work. It looks like bucket.s3.amazonaws.com will always work while bucket.s3-region-1.amazonaws.com my not always return valid results.

Remedy

Probably switch to always checking bucket.s3.amazonaws.com. Otherwise, look at using boto3 or aws-cli to check for bucket existence.

Would also be cool if it could read from STDIN

Instead of taking a FQDN, getting the DNS records, and then resolving them to see if they resolve to s3-website-region.amazonaws.com, we can simply GET websitename.com-any-s3-region.amazonaws.com and check for a 200 or 301 status.

• checkBucketName.4 - Blank name
• checkBucketName.5 - Good name

Maybe related to #13.

Description: When a bucket with a large number of files is found and the script attempts to get the size of the bucket, the operation times out and the script exits with a 255 error return code.

Steps to reproduce: use letsintern(dot)com

Stack trace: (partial output)

raise exc
sh.ErrorReturnCode_255:

RAN: /Volumes/DATA/Projects/s3scanner/venv/bin/aws s3 ls --summarize --human-readable --recursive --no-sign-request s3://letsintern(dot)com

STDERR:
The read operation timed out

• checkAcl.1 - Public ACL listing enabled
• checkAcl.4 - Bucket doesn't exist

The README.md file mentions in the first example "--include-closed", yet this option was deprecated in one of the recent commits. Maybe edit that one out and replace with another working example.

bucketname: de'an

Need to filter out all invalid characters from input bucket names

Amazon docs

Verify that when --out-file is set that:

• The supplied file is written to
• buckets.txt isn't written to

Verify that when --out-file isn't set that:

• buckets.txt gets written to

s3scanner.py -h
Traceback (most recent call last):
File "C:\Python3\S3Scanner-master\s3scanner.py", line 12, in
import s3utils as s3
File "C:\Python3\S3Scanner-master\s3utils.py", line 1, in
import sh
File "C:\Python3\lib\site-packages\sh.py", line 36, in
support." % version)
ImportError: sh 1.12.14 is currently only supported on linux and osx. please install pbs 0.110 (http://pypi.python.org/pypi/pbs) for windows support.

#########################################################

pip3 install sh
Requirement already satisfied: sh in c:\python3\lib\site-packages (1.12.14)

pip3 install pbs
Requirement already satisfied: pbs in c:\python3\lib\site-packages (0.110)

pip3 install s3utils
Requirement already satisfied: s3utils in c:\python3\lib\site-packages (0.6.1)
Requirement already satisfied: boto>=2.39.0 in c:\python3\lib\site-packages (from s3utils) (2.49.0)

Blocked by #3

Users should have the ability to provide domain names or bucket names in the following ways:

• List of bucket names
• List of domain names
• List of full bucket domains from another tool i.e. BucketStream
• bucket:region

Would be nice to have a single tool. Probably Python that can call a bash subprocess.

Create a default value for the out file and make it optional.

Since listing is pretty time intensive, add an option to either not list at all, or to set the timeout to change the default from 8. A user who wants to quickly scan a big list can change the timeout to 1.

S3 ACL's can apply to Authenticated Users (those with AWS credentials) or to Everyone (the general internet). ACL's can also apply to specific users, but we're not getting into that.

The problem with the code right now is that to check if a bucket is open, it does a GET request which is filtered by the Everyone ACL. The bug you found is because that bucket is not readable by the Everyone group, but is readable by Authenticated Users (Those who have the aws-cli tool installed and AWS credentials defined in ~/.aws/credentials).

Remedy

Probably use boto

Requested on Twitter

~/Tools/S3Scanner$ python s3scanner.py
Traceback (most recent call last):
File "s3scanner.py", line 12, in
import s3utils as s3
File "/home/wayc0de/Tools/S3Scanner/s3utils.py", line 1, in
import sh
ImportError: No module named sh

Dunno how we're going to tackle this one on Travis. Probably a way of storing secrets.

Currently, it takes forever for listings to be saved to file. Not sure if this can be fixed or if we'll just have to rely on multi-threading to help boost speed.

Since the getBucketSize() function uses the --no-sign-request, it functions as a member of the Everyone group. This means that it can't get the size of buckets when the Everyone group doesn't have read rights, but the Authenticated Users group does.

bucket: ed

Traceback (most recent call last):
  File "./s3scanner.py", line 109, in <module>
    result = s3.checkBucket(bucket, region)
  File "/Projects/s3scanner/s3utils.py", line 35, in checkBucket
    raise ValueError("Got an unhandled status code back: " + str(r.status_code) + " for site: " + bucketName + ":" + region)
ValueError: Got an unhandled status code back: 400 for site: ed:us-west-1

• Verify all bucket options are working. Need to add full S3 url test

Add to test matrix

Whichever is more appropriate in this situation.

• Verify the list-buckets folder gets created
• Verify the file gets written to

Format of the lines in the output should be:
bucketname:region

👋
It seems that calling BucketAcl on bucket to which ACL you don't have read access is restricted. No read access to ACL is the default so s3scanner won't mark the buckets as listable or writable.

>>> s3.BucketAcl("rubyci").load()
...
ClientError: An error occurred (AccessDenied) when calling the GetBucketAcl operation: Access Denied

docker run s3scanner rubyci.s3.amazonaws.com
2019-03-17 15:35:55   Warning: AWS credentials not configured. Open buckets will be shown as closed. Run: `aws configure` to fix this.

2019-03-17 15:36:04       [found] : rubyci | Unknown Size - timeout | ACLs: unknown - no aws creds

With bash, you can see that bucket is in fact listable:

$ curl rubyci.s3.amazonaws.com
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>rubyci</Name>
...

Setup Docker automated builds to update as the repo is updated

#72 (comment)

• Scenario getBucketSize.3 - Public read disabled
• Scenario getBucketSize.4 - Bucket doesn't exist