
Adventures In S3 Enumeration

Intro

It all began with something funny (https://protoxin.net/holiday-message-2017-and-s3-buckets/). It then evolved into this:

It's truly amazing how far things have progressed in collecting S3 bucket names. When I decided to publish the list of bucket names, it held just over one thousand. At the time of writing, only a few weeks later, I am just shy of ten thousand unique bucket names.

We've found a ton of sensitive data, which has been reported to the proper people. I'd like to note that I cannot possibly go through ~10k unique buckets... even if I wanted to, I do not have nearly the time to do so. This project started off because I wanted to be hip and check out potential leaks on S3. I quickly realized that there were all these methods of enumerating buckets; however, no one was sharing bucket names. I decided that I wanted to enumerate bucket names so that admins and researchers could see if I had collected their bucket... if I have it, so do others. This also means that a researcher could focus more on enumerating info rather than just trying to find buckets.

Buckets'n Stuff

When this project started, it was a list of stuff and me going through it. Things quickly turned into a static .js file that held a massive array of bucket names and fed it into DataTables. Now, buckets are being pulled from an in-house-developed API and then displayed in DataTables. Additionally, the API is open to the public because I wanted to allow people to integrate this into their own projects.

If you haven't checked it out, you are more than welcome to search buckets and see the list here:

https://protoxin.net/s3

There's even some basic API documentation:

https://protoxin.net/api/

Please note that this project is still ongoing. I've had to cease updating the database due to some personal things going on over here; however, updates should resume within the next two weeks.


There are a bunch of people I'd like to thank for either helping with this project or simply being an inspiration. Also, a big thank you to you, the reader.

Cheers,
P.

ProToxin

Cyber Operations Specialist Div. 7// S3 Aficionado // Certainly on watch lists // Loves a good conversation // חי