{"id":13454453,"url":"https://github.com/sa7mon/S3Scanner","last_synced_at":"2025-03-24T05:33:51.019Z","repository":{"id":37367677,"uuid":"94825396","full_name":"sa7mon/S3Scanner","owner":"sa7mon","description":"Scan for misconfigured S3 buckets across S3-compatible APIs!","archived":false,"fork":false,"pushed_at":"2025-03-17T14:02:50.000Z","size":501,"stargazers_count":2703,"open_issues_count":36,"forks_count":381,"subscribers_count":65,"default_branch":"main","last_synced_at":"2025-03-19T05:25:41.658Z","etag":null,"topics":["aws","bugbounty","gcp","infosec","s3","s3scanner"],"latest_commit_sha":null,"homepage":"https://github.com/sa7mon/S3Scanner/discussions/135","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sa7mon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"sa7mon","ko_fi":"sa7mon","custom":["https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick\u0026hosted_button_id=XG5BGLQZPJ9H8"]}},"created_at":"2017-06-19T22:14:21.000Z","updated_at":"2025-03-19T04:19:48.000Z","dependencies_parsed_at":"2024-01-05T23:56:43.620Z","dependency_job_id":"586d6c17-6c91-45e6-9466-d26e28c49d69","html_url":"https://github.com/sa7mon/S3Scanner","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sa7mon%2FS3Scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sa7mon%2FS3Scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sa7mon
%2FS3Scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sa7mon%2FS3Scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sa7mon","download_url":"https://codeload.github.com/sa7mon/S3Scanner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245217434,"owners_count":20579291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","bugbounty","gcp","infosec","s3","s3scanner"],"created_at":"2024-07-31T08:00:54.194Z","updated_at":"2025-03-24T05:33:50.622Z","avatar_url":"https://github.com/sa7mon.png","language":"Go","readme":"\u003ch1 align=\"center\"\u003e\nS3Scanner\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-yellow.svg\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/sponsors/sa7mon/\"\u003e\u003cimg src=\"https://img.shields.io/github/sponsors/sa7mon\" /\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/sa7mon/S3Scanner/issues\"\u003e\u003cimg src=\"https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/sa7mon/S3Scanner/releases/latest\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/sa7mon/s3scanner\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n\u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e - \u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e - \u003ca 
href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e - \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e - \u003ca href=\"https://github.com/sa7mon/S3Scanner/discussions\"\u003eDiscuss\u003c/a\u003e \n\u003c/p\u003e\n\u003cbr\u003e\nA tool to find open S3 buckets in AWS or other cloud providers:\n\n- AWS\n- DigitalOcean\n- DreamHost\n- GCP\n- Linode\n- Scaleway\n- Custom\n\n\u003cimg alt=\"demo\" src=\"https://github.com/sa7mon/S3Scanner/assets/3712226/cfa16801-2a44-4ae9-ad85-9dd466390cd9\"\u003e\n\n# Features\n\n* ⚡️ Multi-threaded scanning\n* 🔭 Supports many built-in S3 storage providers or custom\n* 🕵️‍♀️ Scans all bucket permissions to find misconfigurations\n* 💾 Save results to Postgres database\n* 🐇 Connect to RabbitMQ for automated scanning at scale\n* 🐳 Docker support\n\n# Used By\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/six2dez/reconftw\"\u003e\u003cimg src=\"https://github.com/six2dez/reconftw/blob/main/images/banner.png\" alt=\"banner for six2dez/reconftw\" width=\"50%\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/yogeshojha/rengine\"\u003e\u003cimg src=\"https://github.com/yogeshojha/rengine/blob/master/.github/screenshots/banner.gif\" alt=\"banner for yogeshojha/rengine\" width=\"50%\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/pry0cc/axiom\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/pry0cc/axiom/master/screenshots/axiom_banner.png\" alt=\"banner for pry0cc/axiom - reads 'the dynamic infrastructure framework for everybody'\" width=\"50%\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# Usage\n\n```\nINPUT: (1 required)\n  -bucket        string  Name of bucket to check.\n  -bucket-file   string  File of bucket names to check.\n  -mq                    Connect to RabbitMQ to get buckets. Requires config file key \"mq\". Default: \"false\"\n\nOUTPUT:\n  -db       Save results to a Postgres database. Requires config file key \"db.uri\". 
Default: \"false\"\n  -json     Print logs to stdout in JSON format instead of human-readable. Default: \"false\"\n\nOPTIONS:\n  -enumerate           Enumerate bucket objects (can be time-consuming). Default: \"false\"\n  -provider    string  Object storage provider: aws, custom, digitalocean, dreamhost, gcp, linode, scaleway - custom requires config file. Default: \"aws\"\n  -threads     int     Number of threads to scan with. Default: \"4\"\n\nDEBUG:\n  -verbose     Enable verbose logging. Default: \"false\"\n  -version     Print version Default: \"false\"\n\nIf config file is required these locations will be searched for config.yml: \".\" \"/etc/s3scanner/\" \"$HOME/.s3scanner/\"\n```\n\n# 🚀 Support\nIf you've found this tool useful, please consider donating to support its development. You can find sponsor options on the side of this repo page or in [FUNDING.yml](.github/FUNDING.yml)\n\n\u003cdiv align=\"center\"\u003e\u003ca href=\"https://www.tines.com/?utm_source=oss\u0026utm_medium=sponsorship\u0026utm_campaign=s3scanner\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/3712226/146481766-a331b010-29c4-4537-ac30-9a4b4aad06b3.png\" height=50 width=140\u003e\u003c/a\u003e\u003c/div\u003e\n\n\u003cp align=\"center\"\u003eHuge thank you to \u003ca href=\"https://www.tines.com/?utm_source=oss\u0026utm_medium=sponsorship\u0026utm_campaign=s3scanner\"\u003etines\u003c/a\u003e for being an ongoing sponsor of this project.\u003c/p\u003e\n\n# Quick Start\n\nScan AWS for bucket names listed in a file, enumerate all objects\n  ```shell\n  $ s3scanner -bucket-file names.txt -enumerate\n   ```\n\nScan a bucket in GCP, enumerate all objects, and save results to database\n  ```shell\n  $ s3scanner -provider gcp -db -bucket my-bucket -enumerate\n  ```\n\n# Installation\n\n| Platform                  | Version                                                                                                                                                       | 
Steps                                                                                      |\n|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|\n| BlackArch                 | [![BlackArch package](https://repology.org/badge/version-for-repo/blackarch/s3scanner.svg?header=BlackArch)](https://repology.org/project/s3scanner/versions) | `pacman -S s3scanner`                                                                      |\n| Docker                    | ![Docker release](https://img.shields.io/github/v/release/sa7mon/s3scanner?label=Docker)                                                                      | `docker run ghcr.io/sa7mon/s3scanner`                                                      |\n| Go                        | ![Golang](https://img.shields.io/github/v/release/sa7mon/s3scanner?label=Go)                                                                                  | `go install -v github.com/sa7mon/s3scanner@latest`                                         |\n| Kali Linux                | [![Kali package](https://repology.org/badge/version-for-repo/kali_rolling/s3scanner.svg?header=Kali+Linux)](https://repology.org/project/s3scanner/versions)  | `apt install s3scanner`                                                                    |\n| MacOS                     | [![homebrew version](https://img.shields.io/homebrew/v/s3scanner)](https://github.com/Homebrew/homebrew-core/blob/master/Formula/s/s3scanner.rb)              | `brew install s3scanner`                                                                   |\n| Parrot OS                 | [![Parrot package](https://repology.org/badge/version-for-repo/parrot/s3scanner.svg?header=Parrot+OS)](https://repology.org/project/s3scanner/versions)       | `apt 
install s3scanner`                                                                    |\n| Windows - winget          |                                                                                                                                                               | `winget install s3scanner`                                                                 |\n| NixOS stable              | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_stable_24_05/s3scanner.svg)](https://repology.org/project/s3scanner/versions)    | `nix-shell -p s3scanner`                                                                   |\n| NixOS unstable            | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/s3scanner.svg)](https://repology.org/project/s3scanner/versions)        | `nix-shell -p s3scanner`                                                                   |\n| Other - Build from source | ![GitHub release](https://img.shields.io/github/v/release/sa7mon/s3scanner?label=Git)                                                                         | `git clone git@github.com:sa7mon/S3Scanner.git \u0026\u0026 cd S3Scanner \u0026\u0026 go build -o s3scanner .` |\n\n# Using\n\n## Input\n\n`s3scanner` requires exactly one type of input: `-bucket`, `-bucket-file`, or `-mq`.\n\n```\nINPUT: (1 required)\n  -bucket        string  Name of bucket to check.\n  -bucket-file   string  File of bucket names to check.\n  -mq                    Connect to RabbitMQ to get buckets. Requires config file key \"mq\". 
Default: \"false\"\n```\n\n*`-bucket`*\n------------\n\nScan a single bucket\n\n```shell\ns3scanner -bucket secret_uploads\n```\n\n*`-bucket-file`*\n----------------\nScans every bucket name listed in file\n\n```\ns3scanner -bucket-file names.txt\n```\nwhere `names.txt` contains one bucket name per line\n\n```\n$ cat names.txt\nbucket123\nassets\nimage-uploads\n```\n\nBucket names listed multiple times will only be scanned once.\n\n*`-mq`*\n-------\n\nConnects to a RabbitMQ server and consumes messages containing bucket names to scan.\n\n```\ns3scanner -mq\n```\n\nMessages should be JSON-encoded [`Bucket`](https://github.com/sa7mon/s3scanner/blob/main/bucket/bucket.go) objects - refer to [`mqingest`](https://github.com/sa7mon/s3scanner/blob/main/cmd/mqingest/mqingest.go) for a Golang publishing example.\n\n`-mq` requires the `mq.uri` and `mq.queue_name` config file keys. See Config File section for example.\n\n## Output\n\n```\nOUTPUT:\n  -db       Save results to a Postgres database. Requires config file key \"db.uri\". Default: \"false\"\n  -json     Print logs to stdout in JSON format instead of human-readable. Default: \"false\"\n```\n\n*`-db`*\n----------\n\nSaves all scan results to a PostgreSQL database\n\n```shell\ns3scanner -bucket images -db\n```\n\n* Requires the `db.uri` config file key. See Config File section for example.\n* If using `-db`, results will also be printed to the console if using `-json` or the default human-readable output mode.\n* `s3scanner` runs Gorm's [Auto Migration](https://gorm.io/docs/migration.html#Auto-Migration) feature each time it connects to the database. If\nthe schema already has tables with names Gorm expects, it may change these tables' structure. 
It is recommended to create a Postgres schema dedicated to `s3scanner` results.\n\n*`-json`*\n----------\n\nInstead of outputting scan results to console in human-readable format, output machine-readable JSON.\n\n```shell\ns3scanner -bucket images -json\n```\n\nThis will print one JSON object per line to the console, which can then be piped to `jq` or other tools that accept JSON input.\n\n**Example**: Print bucket name and region for all buckets that exist\n\n```shell\n$ s3scanner -bucket-file names.txt -json | jq -r '. | select(.bucket.exists==1) | [.bucket.name, .bucket.region] | join(\" - \")'       \n10000 - eu-west-1\n10000.pizza - ap-southeast-1\nimages_staging - us-west-2\n```\n\n## Options\n\n```\nOPTIONS:\n  -enumerate           Enumerate bucket objects (can be time-consuming). Default: \"false\"\n  -provider    string  Object storage provider: aws, custom, digitalocean, dreamhost, gcp, linode, scaleway - custom requires config file. Default: \"aws\"\n  -threads     int     Number of threads to scan with. Default: \"4\"\n```\n\n*`-enumerate`*\n--------------\n\nEnumerate all objects stored in bucket. By default, `s3scanner` will only check permissions of buckets.\n```shell\ns3scanner -bucket attachments -enumerate\n```\n\n* **Note:** This can take a long time if there are a large number of objects stored.\n* When enumerating, `s3scanner` will request \"pages\" of 1,000 objects. 
If there are more than 5,000 pages of objects, it will skip the rest.\n\n*`-provider`*\n-------------\n\nName of storage provider to use when checking buckets.\n\n```shell\ns3scanner -bucket assets -provider gcp\n```\n\n* Use \"custom\" when targeting a currently unsupported or local network storage provider.\n* \"custom\" provider requires config file keys under `providers.custom` listed in the Config File section.\n\n*`-threads`*\n------------\n\nNumber of threads to scan with.\n\n```shell\ns3scanner -bucket secret_docs -threads 8\n```\n\n* Increasing threads will increase the number of buckets being scanned simultaneously, but will not speed up object enumeration. Enumeration is currently single-threaded per bucket.\n\n## Debug\n\n```\nDEBUG:\n  -verbose     Enable verbose logging. Default: \"false\"\n  -version     Print version Default: \"false\"\n```\n\n*`-verbose`*\n------------\n\nEnables verbose logging of debug messages. This option will produce a lot of logs and is not recommended to use unless filing a bug report.\n\n```shell\ns3scanner -bucket spreadsheets -verbose\n```\n\n*`-version`*\n------------\n\nPrint the version info and exit.\n\n```shell\ns3scanner -version\n```\n\n* Will print `dev` if compiled from source.\n\n# Development\n\nA docker compose file is included which creates 4 containers:\n\n* rabbitmq\n* postgres\n* app\n* mitm\n\n2 profiles are configured:\n\n- `dev` - Standard development environment\n- `dev-mitm` - Environment configured with `mitmproxy` for easier observation of HTTP traffic when debugging or adding new providers.\n\nTo bring up the dev environment run `make dev` or `make dev-mitm`. 
Drop into the `app` container with `docker exec -it -w /app app_dev sh`, then `go run .`\nIf using the `dev-mitm` profile, open `http://127.0.0.1:8081` in a browser to view and manipulate HTTP calls being made from the app container.\n\n# Config File\n\nIf using flags that require config options, `s3scanner` will search for `config.yml` in:\n \n* (current directory)\n* `/etc/s3scanner/`\n* `$HOME/.s3scanner/`\n\n```yaml\n# Required by -db\ndb:\n  uri: \"postgresql://user:pass@db.host.name:5432/schema_name\"\n\n# Required by -mq\nmq:\n  queue_name: \"aws\"\n  uri: \"amqp://user:pass@localhost:5672\"\n\n# providers.custom required by `-provider custom`\n#   address_style - Addressing style used by endpoints.\n#     type: string\n#     values: \"path\" or \"vhost\"\n#   endpoint_format - Format of endpoint URLs. Should contain '$REGION' as placeholder for region name\n#     type: string\n#   insecure - Ignore SSL errors\n#     type: boolean\n# regions must contain at least one option\nproviders:\n  custom: \n    address_style: \"path\"\n    endpoint_format: \"https://$REGION.vultrobjects.com\"\n    insecure: false\n    regions:\n      - \"ewr1\"\n```\n\nWhen `s3scanner` parses the config file, it will take the `endpoint_format` and replace `$REGION` for all `regions` listed to create a list of endpoint URLs.\n\n# S3 compatible APIs\n\n**Note:** `S3Scanner` currently only supports scanning for anonymous user permissions of non-AWS services\n\n📚 More information on non-AWS APIs can be found [in the project wiki](https://github.com/sa7mon/S3Scanner/wiki/S3-Compatible-APIs).\n\n## Permissions\n\nThis tool will attempt to get all available information about a bucket, but it's up to you to interpret the results.\n\n[Possible permissions](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/set-bucket-permissions.html) for buckets:\n\n* Read - List and view all files\n* Write - Write files to bucket\n* Read ACP - Read all Access Control Policies attached to bucket\n* Write 
ACP - Write Access Control Policies to bucket\n* Full Control - All above permissions\n\nAny or all of these permissions can be set for the 2 main user groups:\n* Authenticated Users\n* Public Users (those without AWS credentials set)\n* Individual users/groups (out of scope of this tool)\n\n**What this means:** Just because a bucket doesn't allow reading/writing ACLs doesn't mean you can't read/write files in the bucket. Conversely, you may be able to list ACLs but not read/write to the bucket\n\n# License\n\nMIT\n","funding_links":["https://github.com/sponsors/sa7mon","https://ko-fi.com/sa7mon","https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick\u0026hosted_button_id=XG5BGLQZPJ9H8","https://github.com/sponsors/sa7mon/"],"categories":["Content Discovery","Go","Miscellaneous","Weapons","Python (1887)","Python","Bucket Enumeration Tools","Cloud and Backend Security","0x02 工具 :hammer_and_wrench:","AWS"],"sub_categories":["AWS S3 Bucket","Buckets","Tools","AWS IoT Security","1 云服务工具"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsa7mon%2FS3Scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsa7mon%2FS3Scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsa7mon%2FS3Scanner/lists"}