{"id":37231403,"url":"https://github.com/xeloxa/s3finder","last_synced_at":"2026-01-15T03:43:18.778Z","repository":{"id":332122034,"uuid":"1132808774","full_name":"xeloxa/s3finder","owner":"xeloxa","description":"A high-performance CLI tool for discovering AWS S3 buckets using intelligent name generation. Combines traditional wordlist scanning with LLM-powered suggestions to find buckets that other tools miss.","archived":false,"fork":false,"pushed_at":"2026-01-12T20:43:29.000Z","size":18325,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-01-12T20:53:54.165Z","etag":null,"topics":["aws","bucket","bug-bounty","enumeration","finder","hack","pentest","s3","tool"],"latest_commit_sha":null,"homepage":"https://xeloxa.github.io/s3finder/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xeloxa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-12T13:34:24.000Z","updated_at":"2026-01-12T20:43:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/xeloxa/s3finder","commit_stats":null,"previous_names":["xeloxa/s3finder"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/xeloxa/s3finder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xeloxa%2Fs3finder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xeloxa%2Fs3finder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xeloxa%2Fs3finder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xeloxa%2Fs3finder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xeloxa","download_url":"https://codeload.github.com/xeloxa/s3finder/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xeloxa%2Fs3finder/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28442327,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-15T00:55:22.719Z","status":"online","status_checked_at":"2026-01-15T02:00:08.019Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","bucket","bug-bounty","enumeration","finder","hack","pentest","s3","tool"],"created_at":"2026-01-15T03:43:18.303Z","updated_at":"2026-01-15T03:43:18.767Z","avatar_url":"https://github.com/xeloxa.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n \u003cimg src=\"logo.png\" alt=\"s3finder\" width=\"400\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003cstrong\u003eAI-Powered S3 Bucket Enumeration Tool\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003ca href=\"https://xeloxa.github.io/s3finder/\"\u003eDocumentation\u003c/a\u003e •\n \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e •\n \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e •\n \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003ca href=\"https://xeloxa.github.io/s3finder/\"\u003e\u003cimg src=\"https://img.shields.io/badge/Docs-GitHub%20Pages-blue?style=flat\" alt=\"Documentation\"\u003e\u003c/a\u003e\n \u003ca href=\"https://go.dev/\"\u003e\u003cimg src=\"https://img.shields.io/badge/Go-1.21+-00ADD8?style=flat\u0026logo=go\" alt=\"Go Version\"\u003e\u003c/a\u003e\n \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n \u003ca href=\"https://github.com/xeloxa/s3finder/releases\"\u003e\u003cimg src=\"https://img.shields.io/badge/Platform-Linux%20%7C%20macOS%20%7C%20Windows-lightgrey\" alt=\"Platform\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nA high-performance CLI tool for discovering AWS S3 buckets using intelligent name generation. Decouples input sources for precise control: permutations only apply to the provided seed, while wordlists and CT logs are processed as raw inputs.\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"banner.png\" alt=\"S3Finder Banner\" width=\"100%\"\u003e\n\u003c/p\u003e\n\n## Features\n\n- **Decoupled Input Sources** — Independent handling of seeds, wordlists, and domains (no cross-contamination)\n- **Optional Seed** — Scan using only a wordlist or domain without requiring a seed keyword\n- **High-Concurrency Scanning** — Worker pool architecture handles thousands of requests simultaneously\n- **CT Log Reconnaissance** — Discover subdomains via Certificate Transparency logs (crt.sh) with automatic word extraction\n- **AI-Powered Generation** — OpenAI, Ollama, Anthropic, or Gemini generate context-aware bucket name variations\n- **Permutation Engine** — 780+ automatic variations per seed (suffixes, prefixes, years, regions)\n- **Adaptive Rate Limiting** — AIMD algorithm auto-adjusts to avoid throttling and IP blocks\n- **Deep Inspection** — AWS SDK integration reveals region, ACL status, and sample objects\n- **Live Progress Bar** — Real-time TUI showing scanned count, RPS, ETA, and discovery stats\n- **HTTP/2 \u0026 Connection Pooling** — Optimized networking with keep-alives and connection reuse\n- **Smart Retry Logic** — Automatic retries with exponential backoff for transient failures\n- **Custom DNS Resolver** — Uses Google/Cloudflare DNS to prevent local resolver saturation\n- **Multiple Formats** — Export results as JSON or TXT for post-processing\n- **Cross-Platform** — Native binaries for Linux, macOS, and Windows (amd64 \u0026 arm64)\n\n---\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"demo.gif\" alt=\"s3finder demo\" \u003e\n\u003c/p\u003e\n\n---\n\n## Installation\n\n### Download Binary (Recommended)\n\nDownload the latest release for your platform:\n\n| Platform | Architecture | Download |\n|----------|--------------|----------|\n| Linux | amd64 | [s3finder-linux-amd64.tar.gz](https://github.com/xeloxa/s3finder/releases/latest) |\n| Linux | arm64 | [s3finder-linux-arm64.tar.gz](https://github.com/xeloxa/s3finder/releases/latest) |\n| macOS | Intel | [s3finder-darwin-amd64.tar.gz](https://github.com/xeloxa/s3finder/releases/latest) |\n| macOS | Apple Silicon | [s3finder-darwin-arm64.tar.gz](https://github.com/xeloxa/s3finder/releases/latest) |\n| Windows | amd64 | [s3finder-windows-amd64.zip](https://github.com/xeloxa/s3finder/releases/latest) |\n| Windows | arm64 | [s3finder-windows-arm64.zip](https://github.com/xeloxa/s3finder/releases/latest) |\n\n### Homebrew (macOS/Linux)\n\n```bash\nbrew install xeloxa/tap/s3finder\n```\n\n### Go Install\n\n```bash\ngo install github.com/xeloxa/s3finder/cmd/s3finder@latest\n```\n\n### Build from Source\n\n```bash\ngit clone https://github.com/xeloxa/s3finder.git\ncd s3finder\n\n# Build for current platform\nmake build\n\n# Build for all platforms\nmake build-all\n\n# Or use go directly\ngo build -o s3finder ./cmd/s3finder\n```\n\n---\n\n## Quick Start\n\n```bash\n# Basic scan with permutations of a seed\ns3finder -s acme-corp\n\n# Scan using ONLY a wordlist (no permutations)\ns3finder -w wordlist.txt\n\n# Scan using ONLY a domain (CT log discovery)\ns3finder -d acme.com\n\n# Combined independent sources\ns3finder -s acme -w custom.txt -d acme.com\n\n# High-speed scan\ns3finder -s acme-corp -t 200 --rps 1000\n```\n\n---\n\n## Usage\n\n### Seed-Based Permutations\n\n```bash\n# Scan with 780+ permutations of a seed keyword\ns3finder -s acme-corp\n```\n\n### Wordlist Scanning (Raw Mode)\n\nWordlists are now processed as raw inputs. They are **not** combined with the seed or permuted, giving you exact control over what is scanned.\n\n```bash\n# Scan exactly what is in the wordlist\ns3finder -w wordlists/common.txt\n```\n\n### CT Log Reconnaissance (As-Is Mode)\n\nDiscovered subdomains are scanned exactly as they appear in Certificate Transparency logs. Unique words are extracted from subdomains and used to generate additional permutations for deeper scanning.\n\n```bash\n# Fetch and scan subdomains from CT logs\ns3finder -d acme.com\n\n# Limit CT results (default: 100)\ns3finder -d acme.com --ct-limit 50\n```\n\n\u003e [!NOTE]\n\u003e Bucket names containing dots (e.g., `dev.acme.com`) may trigger SSL/TLS certificate warnings due to virtual-hosted style access limitations.\n\n### AI-Powered Scanning\n\nAI generation analyzes CT log patterns and generates bucket names matching organizational naming conventions.\n\n```bash\n# OpenAI (default: gpt-4o-mini)\nexport OPENAI_API_KEY=sk-xxxxx\ns3finder -s acme-corp --ai\n\n# Anthropic Claude (default: claude-3-5-haiku-20241022)\nexport ANTHROPIC_API_KEY=sk-ant-xxxxx\ns3finder -s acme-corp --ai --ai-provider anthropic\n\n# Google Gemini (default: gemini-3-flash-preview)\nexport GEMINI_API_KEY=xxxxx\ns3finder -s acme-corp --ai --ai-provider gemini\n\n# Ollama local (default: llama3.2)\ns3finder -s acme-corp --ai --ai-provider ollama\n\n# Context-aware: combine with CT logs for pattern discovery\ns3finder -s acme -d acme.com --ai\n```\n\n### High-Speed Scanning\n\n```bash\n# Aggressive scan with 200 workers and 1000 RPS\ns3finder -s acme-corp -t 200 --rps 1000\n```\n\n### Output Options\n\n```bash\n# JSON report (default)\ns3finder -s acme-corp -o results.json\n\n# Plain text report\ns3finder -s acme-corp -o results.txt -f txt\n\n# Disable colors (for piping)\ns3finder -s acme-corp --no-color\n```\n\n---\n\n## Flags Reference\n\n| Flag | Short | Default | Description |\n|------|-------|---------|-------------|\n| `--seed` | `-s` | | Target keyword for bucket name generation |\n| `--domain` | `-d` | | Target domain for CT log subdomain discovery |\n| `--ct-limit` | | `100` | Maximum subdomains to fetch from CT logs |\n| `--wordlist` | `-w` | | Path to wordlist file |\n| `--threads` | `-t` | `50` | Number of concurrent workers |\n| `--rps` | | `150` | Maximum requests per second |\n| `--timeout` | | `15` | Request timeout in seconds |\n| `--deep` | | `true` | Perform deep inspection on found buckets |\n| `--ai` | | `false` | Enable AI-powered name generation |\n| `--ai-provider` | | `openai` | AI provider: `openai`, `ollama`, `anthropic`, `gemini` |\n| `--ai-model` | | *provider default* | AI model name |\n| `--ai-key` | | | API key (or use environment variables) |\n| `--ai-url` | | | Base URL for custom endpoints or proxies |\n| `--ai-count` | | `50` | Number of AI-generated names |\n| `--output` | `-o` | `results.json` | Output file path |\n| `--format` | `-f` | `json` | Output format: `json`, `txt` |\n| `--no-color` | | `false` | Disable colored output |\n| `--verbose` | `-v` | `false` | Verbose output |\n\n\u003e [!NOTE]\n\u003e At least one input source (`--seed`, `--wordlist`, `--domain`, or `--ai`) must be provided.\n\n---\n\n## Environment Variables\n\n| Variable | Description |\n|----------|-------------|\n| `OPENAI_API_KEY` | OpenAI API key for AI generation |\n| `ANTHROPIC_API_KEY` | Anthropic API key for Claude |\n| `GEMINI_API_KEY` | Google Gemini API key |\n\n---\n\n## Build Commands\n\n```bash\n# Build for current platform\nmake build\n\n# Build for all platforms (Linux, macOS, Windows × amd64, arm64)\nmake build-all\n\n# Build for specific platform\nmake build-linux\nmake build-darwin\nmake build-windows\n\n# Run tests\nmake test\n\n# Run tests with coverage\nmake test-cover\n\n# Create release archives\nmake release\n\n# Clean build artifacts\nmake clean\n\n# Show all available commands\nmake help\n```\n\n---\n\n## Output Example\n\n### Terminal Output\n\n```\n ____ _____ __ _ _\n / ___|___ / / _(_)_ __ __| | ___ _ __\n \\___ \\ |_ \\| |_| | '_ \\ / _` |/ _ \\ '__|\n ___) |__) | _| | | | | (_| | __/ |\n |____/____/|_| |_|_| |_|\\__,_|\\___|_|\n v1.2.4\n AI-Powered S3 Bucket Enumeration Tool\n ─────────────────────────────────────────\n\nPermutation engine generated 780 names\nAI (openai) generated 48 names\nGenerated 828 unique bucket names to scan\n\n[PUBLIC] acme-corp-backup (objects: 1547, region: us-east-1)\n https://acme-corp-backup.s3.amazonaws.com\n[PRIVATE] acme-corp-internal (region: eu-west-1)\n[PUBLIC] acme-corp-assets-2024 (objects: 100+, region: us-west-2)\n https://acme-corp-assets-2024.s3.amazonaws.com\n\n[████████████████████████████████] 100.0% [828/828] Public:2 Private:1 Err:0 145 r/s ETA:0s [2m34s]\n\n────────────────────────────────────────\nScan completed in 2m34s\nScanned: 828 | Found: 3 | Public: 2 | Private: 1 | Errors: 0\nResults saved to: results.json\n```\n\n### Progress Bar\n\nDuring scanning, a live TUI progress bar displays real-time statistics:\n- **Visual progress** - Fill bar showing scan completion percentage\n- **Scanned count** - Current/total buckets scanned\n- **Public/Private/Errors** - Real-time discovery counts\n- **RPS** - Current requests per second\n- **ETA** - Estimated time remaining\n- **Elapsed time** - Total time since scan started\n\n### JSON Report\n\n```json\n{\n \"generated_at\": \"2025-01-12T15:30:00Z\",\n \"scan_duration\": \"2m34s\",\n \"total_found\": 3,\n \"public_buckets\": 2,\n \"private_buckets\": 1,\n \"results\": [\n {\n \"bucket\": \"acme-corp-backup\",\n \"probe_result\": \"public\",\n \"inspect\": {\n \"bucket\": \"acme-corp-backup\",\n \"exists\": true,\n \"is_public\": true,\n \"acl\": \"public-read\",\n \"region\": \"us-east-1\",\n \"object_count\": 1547,\n \"sample_keys\": [\"db-dump.sql\", \"config.yml\", \"backup-2024.tar.gz\"]\n }\n }\n ]\n}\n```\n\n---\n\n## Supported Platforms\n\n| Platform | Architecture | Status |\n|----------|--------------|--------|\n| Linux | amd64 | ✅ Supported |\n| Linux | arm64 | ✅ Supported |\n| macOS | amd64 (Intel) | ✅ Supported |\n| macOS | arm64 (Apple Silicon) | ✅ Supported |\n| Windows | amd64 | ✅ Supported |\n| Windows | arm64 | ✅ Supported |\n\n### Platform-Specific Notes\n\n**Windows:**\n- ANSI colors are enabled automatically on Windows 10+\n- Use PowerShell or Windows Terminal for best experience\n- Legacy cmd.exe may not display colors correctly\n\n**macOS:**\n- Both Intel and Apple Silicon are natively supported\n- No Rosetta required for M1/M2/M3 Macs\n\n**Linux:**\n- Works on all major distributions\n- ARM64 builds for Raspberry Pi and AWS Graviton\n\n---\n\n## Architecture\n\n```\n┌─────────────────────────────────────────────────────────────────┐\n│ SCANNER ORCHESTRATOR │\n├─────────────────────────────────────────────────────────────────┤\n│ Wordlist → AI Generator → Permutation Engine │\n│ │ │\n│ ▼ │\n│ ┌──────────────────┐ │\n│ │ names channel │ │\n│ └────────┬─────────┘ │\n│ ┌──────────────────┼──────────────────┐ │\n│ ▼ ▼ ▼ │\n│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │\n│ │ Worker 1 │ │ Worker 2 │ │ Worker N │ │\n│ └────┬─────┘ └────┬─────┘ └────┬─────┘ │\n│ └──────────────────┼──────────────────┘ │\n│ ▼ │\n│ ┌───────────────────────────┐ │\n│ ▼ ▼ │\n│ ┌─────────────┐ ┌─────────────┐ │\n│ │ Inspector │ │ Output │ │\n│ │ (AWS SDK) │ │ Writer │ │\n│ └─────────────┘ └─────────────┘ │\n└─────────────────────────────────────────────────────────────────┘\n```\n\n---\n\n## Project Structure\n\n```\ns3finder/\n├── cmd/s3finder/ # CLI entrypoint\n├── pkg/\n│ ├── scanner/ # Worker pool, prober, inspector\n│ ├── ai/ # LLM providers (OpenAI, Ollama, Anthropic, Gemini)\n│ ├── recon/ # CT log reconnaissance (crt.sh)\n│ ├── permutation/ # Name generation engine\n│ ├── ratelimit/ # Adaptive AIMD rate limiter\n│ └── output/ # Real-time + report writers\n├── internal/config/ # Configuration management\n├── wordlists/ # Default wordlists\n├── Makefile # Build automation\n└── .goreleaser.yaml # Release automation\n```\n\n---\n\n## Contributing\n\n1. Fork the repository\n2. Create your feature branch (`git checkout -b feature/amazing-feature`)\n3. Run tests (`make test`)\n4. Commit your changes (`git commit -m 'Add amazing feature'`)\n5. Push to the branch (`git push origin feature/amazing-feature`)\n6. Open a Pull Request\n\n---\n\n## Disclaimer\n\nThis tool is intended for **authorized security testing** and **research purposes only**. Only scan buckets belonging to organizations you have explicit permission to test. Unauthorized access to AWS resources is illegal.\n\n---\n\n## License\n\nMIT License - see [LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxeloxa%2Fs3finder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxeloxa%2Fs3finder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxeloxa%2Fs3finder/lists"}