Check AWS S3 instances for read/write/delete access

Overview

s3sec

Test AWS S3 buckets for read/write/delete access

This tool was developed to quickly test a list of S3 buckets for public read, write and delete access for the purposes of penetration testing on bug bounty programs.

Found a bug bounty using this tool? Feel free to add me as a collaborator: @0xmoot :)

Installation

Clone the git repo onto your machine:

git clone https://github.com/0xmoot/s3sec

Happy hunting :)

Usage

Check a single S3 instance:

echo "test-instance.s3.amazonaws.com" | python3 s3sec.py

Or:

echo "test-instance" | python3 s3sec.py

Check a list of S3 instances:

cat locations | python3 s3sec.py
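
Bucket owners can check for the same three exposure classes from the policy side. The following is an added example, not part of s3sec: it classifies the unconditional public grants in a bucket policy document. The action mapping, the sample policy and the bucket name `example-bucket` are assumptions, and ACLs, Deny statements and Block Public Access settings are not evaluated.

```python
import fnmatch
import json

# Assumed mapping from s3sec's three exposure classes to S3 actions.
EXPOSURES = {"read": ("s3:GetObject", "s3:ListBucket"),
             "write": ("s3:PutObject",),
             "delete": ("s3:DeleteObject",)}

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True for "*" or a principal map such as {"AWS": "*"}."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def public_exposures(policy_json):
    """Exposure classes that unconditional Allow statements grant to everyone."""
    found = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not counted
        for pattern in _as_list(stmt.get("Action")):
            for label, actions in EXPOSURES.items():
                # IAM action names are case-insensitive and allow * and ? wildcards
                if any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in actions):
                    found.add(label)
    return sorted(found)

# Constructed sample policy for a hypothetical bucket "example-bucket".
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"],
     "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})

if __name__ == "__main__":
    print(public_exposures(SAMPLE_POLICY))  # ['read', 'write']
```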

Set up AWS CLI & Credentials (optional)

To get the most out of this tool, install the AWS CLI and set up user credentials.

With the AWS CLI installed, a series of deeper tests (including unsigned read, writing files and deleting files) is activated.

Installing AWS CLI on Kali Linux

Install the AWS CLI with the following command:

pip3 install awscli

Getting AWS Credentials (Access Key ID and AWS Secret Access Key)

  1. Sign up for Amazon's AWS from their official website: https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc

  2. Log in to your AWS account and click on My Security Credentials.

  3. Click on Access Keys (access key ID and secret access key) to get your login credentials for the AWS CLI.

  4. Then click the Show Access Key option to view your Access Key ID and Secret Access Key; you can also download them.

Configuring AWS CLI on Kali Linux

  1. Start a terminal and run the command below, then enter the AWS Access Key ID and AWS Secret Access Key that were created in the previous steps.

aws configure

Use the following default settings:

AWS Access Key ID: <your Access Key ID>
AWS Secret Access Key: <your Secret Access Key>
Default region name: ap-south-1
Default output format: json

Disclaimer

The developers assume no liability and are not responsible for any misuse or damage caused by the s3sec tool. The tool is provided as-is for educational and bug bounty purposes.

License

MIT License

Owner
0xmoot