
A Python script for AWS S3 bucket enumeration.

Project Description
<p align="center">

<img src="https://cloud.githubusercontent.com/assets/4115778/24827505/eab7322a-1c42-11e7-96f3-dbc772da5f10.png" width="70%" alt="Sandcastle logo - AWS S3 bucket enumeration">
<br/>
<img src="https://img.shields.io/github/issues/yasinS/sandcastle.svg" alt="Issues">
<img src="https://img.shields.io/github/issues-pr-closed-raw/yasinS/sandcastle.svg" alt="PRs">
<img src="https://img.shields.io/pypi/v/sandcastle.svg" alt="Version">
</p>

Inspired by a conversation with Instacart's [@nickelser](https://github.com/nickelser) on HackerOne, I've optimised and published Sandcastle – a Python script for AWS S3 bucket enumeration, formerly known as bucketCrawler.

The script takes a target name as the "stem" argument (e.g. `instacart`) and iterates through a text file containing bucket name permutations, e.g. as below:

```
-training
-bucket
-dev
-attachments
-photos
-elasticsearch
[...]
```
## Getting started
Here's how to get started:
1. Install with Pip: `pip install sandcastle`
2. Run `sandcastle.py` with the appropriate arguments (below)
3. Permutations which exist will be tagged as "potential matches"

```
usage: sandcastle.py [-h] -t targetStem [-f inputFile]

arguments:
  -h, --help            show this help message and exit
  -t targetStem, --target targetStem
                        Select a target stem name (e.g. 'instacart')
  -f inputFile, --file inputFile
                        Select a bucket permutation file (default: bucket-names.txt)
```

```
[+] Match: shopify-dev --> 403
[+] Match: shopify-pics --> 403
[+] Match: shopify-assets --> 403
[+] Match: shopify-development --> 403
[+] Match: shopify-content --> 403
[+] Match: shopify-ops --> 200
```

### Status codes and testing

| Status code | Definition | Notes |
| ------------- | ------------- | -----|
| 404 | Bucket Not Found | Not a target for analysis (hidden by default)|
| 403 | Access Denied | Potential target for analysis via the CLI |
| 200 | Publicly Accessible | Potential target for analysis via the CLI |
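
As an added example (not code from the Sandcastle project), the Python below reproduces the README's two steps, building names from a stem plus the permutation file and triaging them by the status codes in the table above, with an injected `probe` callable standing in for the HTTP check so it runs offline and can be pointed at an organisation's own naming stem. The `probe` interface, `SAMPLE_PERMUTATIONS` and `FAKE_RESPONSES` are constructed assumptions.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Meaning of each status code, as in the README's table.
STATUS_MEANING = {404: "not found", 403: "exists, access denied", 200: "publicly accessible"}

# S3 bucket naming rules: lowercase letters, digits, dots and hyphens, 3-63 chars,
# starting and ending with a letter or digit. Names that cannot exist are skipped.
_VALID_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def candidates(stem: str, permutations: Iterable[str]) -> List[str]:
    """Build candidate bucket names from a stem and the lines of a permutation file."""
    names: List[str] = []
    for line in permutations:
        suffix = line.strip()
        if not suffix or suffix.startswith("#"):  # skip blank and comment lines
            continue
        name = (stem + suffix).lower()
        if _VALID_NAME.match(name) and name not in names:
            names.append(name)
    return names


def classify(stem: str, permutations: Iterable[str],
             probe: Callable[[str], int]) -> Dict[str, List[Tuple[str, int]]]:
    """probe(name) returns the HTTP status for that bucket name (assumed interface).
    404s are dropped, as the README hides them; 403 and 200 are grouped by meaning.
    Caveat: bucket names are global to S3, so a 403 only shows the name is taken,
    not that it belongs to the stem's owner; confirm ownership before triage."""
    report: Dict[str, List[Tuple[str, int]]] = {"exists, access denied": [], "publicly accessible": []}
    for name in candidates(stem, permutations):
        meaning = STATUS_MEANING.get(probe(name))
        if meaning in report:
            report[meaning].append((name, probe(name)))
    return report


# Constructed sample input in the README's permutation-file format, plus a fake
# probe (constructed responses) so the example runs without network access.
SAMPLE_PERMUTATIONS = ["-training", "-bucket", "-dev", "-attachments", "-ops", "",
                       "# a comment line", "-Very_Bad Name"]
FAKE_RESPONSES = {"example-dev": 403, "example-ops": 200}


def fake_probe(name: str) -> int:
    return FAKE_RESPONSES.get(name, 404)


def demo() -> Dict[str, List[Tuple[str, int]]]:
    return classify("example", SAMPLE_PERMUTATIONS, fake_probe)
```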

### AWS CLI commands
Here's a quick reference of some useful AWS CLI commands:
* List Files: `aws s3 ls s3://bucket-name`
* Download Files: `aws s3 cp s3://bucket-name/<file> <destination>`
* Upload Files: `aws s3 cp test-file.txt s3://bucket-name` (or `aws s3 mv` to move instead of copy)
* Remove Files: `aws s3 rm s3://bucket-name/test-file.txt`

## What is S3?
From the Amazon [documentation](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html), *Working with Amazon S3 Buckets*:
> Amazon S3 [Simple Storage Service] is cloud storage for the Internet. To upload your data (photos, videos, documents etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket.

> In terms of implementation, buckets and objects are resources, and Amazon S3 provides APIs for you to manage them.

## Closing remarks
* This is my first public security project on GitHub, and is published under the MIT License.
* Usage acknowledgements:
  * Castle (icon) by Andrew Doane from the Noun Project
  * Nixie One (logo typeface) free by Jovanny Lemonad
Release History

1.2.3 (this version), 1.2.2, 1.2.1

Download Files

sandcastle-1.2.3.tar.gz (4.8 kB), Source, uploaded Apr 9, 2017
