s3enum is a fast and stealthy Amazon S3 bucket enumeration tool. It leverages DNS instead of HTTP, which means that requests are not logged in S3 server access logs.
It was originally built back in 2016 to target GitHub.
go install github.com/koenrh/s3enum@latest

You need to specify the base name of the target (e.g., hackerone), a word
list, and a suffix list. Candidate bucket names are generated by combining
the target name with each word (using -, _, ., and no delimiter), and
then optionally prepending or appending each entry from the suffix list. You
can either use the example wordlist.txt and
suffixlist.txt files from this repository, or
get a word list elsewhere. Optionally, you can specify the
number of workers (defaults to 50).

$ s3enum \
-wordlist examples/wordlist.txt \
-suffixlist examples/suffixlist.txt \
hackerone
hackerone
hackerone-attachment
hackerone-attachments
hackerone-static
hackerone-upload

By default, s3enum will use the name server as specified in /etc/resolv.conf.
Alternatively, you can specify a different name server using the -nameserver
option. You can also test multiple names at the same time.

s3enum \
-wordlist examples/wordlist.txt \
-suffixlist examples/suffixlist.txt \
-nameserver 1.1.1.1 \
-workers 100 \
hackerone h1 roflcopter

Bucket detection relies on CNAME responses under s3.amazonaws.com. Buckets in
us-east-1 resolve to s3-1-w.amazonaws.com and are currently indistinguishable
from non-existent buckets.
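
Because DNS-based enumeration leaves no trace in S3 server access logs, a bucket owner cannot rely on those logs to notice it; the practical check is whether your own bucket names fall inside the candidate set described above. The following is an added example, not code from s3enum: it rebuilds that candidate set and flags matching names in a bucket inventory. The function names, the sample lists, and the choice to join suffix entries with the same four delimiters are assumptions (the README does not say how suffixes are joined).

```go
package main

import (
	"fmt"
	"sort"
)

// Delimiters named in the README: "-", "_", "." and no delimiter.
var delims = []string{"-", "_", ".", ""}

// Candidates builds the set of guessable names for one base name.
// Assumption: suffix entries are joined with the same delimiters as words.
func Candidates(base string, words, suffixes []string) map[string]bool {
	set := map[string]bool{base: true} // the bare name is itself a candidate
	for _, w := range words {
		for _, d := range delims {
			stem := base + d + w
			set[stem] = true
			for _, s := range suffixes {
				for _, sd := range delims {
					set[stem+sd+s] = true // suffix appended
					set[s+sd+stem] = true // suffix prepended
				}
			}
		}
	}
	return set
}

// Guessable returns, sorted, the inventory names present in the candidate set.
func Guessable(inventory []string, set map[string]bool) []string {
	var hits []string
	for _, b := range inventory {
		if set[b] {
			hits = append(hits, b)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed sample data: hypothetical organisation "example".
	words := []string{"attachments", "static", "backup"}
	suffixes := []string{"prod", "dev"}
	inventory := []string{"example-static", "example_backup-prod",
		"dev.examplebackup", "example-7f3a9c-logs"}
	set := Candidates("example", words, suffixes)
	fmt.Println(len(set), "candidates; guessable:", Guessable(inventory, set))
}
```

Names flagged by this check should be assumed discoverable, so their protection has to come from bucket policy and access controls rather than from the name being hard to find.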