s3enum
March 14, 2026
s3enum is a fast and stealthy Amazon S3 bucket enumeration tool. It leverages DNS instead of HTTP, which means that requests are not logged in S3 server access logs.
It was originally built back in 2016 to target GitHub.
Installation
go install github.com/koenrh/s3enum@latest
Usage
You need to specify the base name of the target (e.g., hackerone), a word
list, and a suffix list. Candidate bucket names are generated by combining
the target name with each word (using -, _, ., and no delimiter), and
then optionally prepending or appending each entry from the suffix list. You
can either use the example wordlist.txt and
suffixlist.txt files from this repository, or
get a word list elsewhere. Optionally, you can specify the
number of workers (defaults to 50).
$ s3enum \
-wordlist examples/wordlist.txt \
-suffixlist examples/suffixlist.txt \
hackerone
hackerone
hackerone-attachment
hackerone-attachments
hackerone-static
hackerone-upload
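The same naming scheme can be used to audit your own bucket inventory for names that such a word list would generate. The Go program below is an added example, not s3enum's code; it assumes suffix-list entries are joined with the same four delimiters, and the organisation name, inventory and word lists are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Delimiters listed in the README: "-", "_", "." and no delimiter.
var delimiters = []string{"-", "_", ".", ""}

// candidates builds the set of guessable names for one base name.
// Assumption: suffix-list entries are joined using the same delimiters.
func candidates(base string, words, suffixes []string) map[string]bool {
	set := map[string]bool{base: true} // the bare name appears in the sample output
	for _, w := range words {
		for _, d := range delimiters {
			name := base + d + w
			set[name] = true // the suffix step is optional
			for _, s := range suffixes {
				for _, sd := range delimiters {
					set[name+sd+s] = true // suffix appended
					set[s+sd+name] = true // suffix prepended
				}
			}
		}
	}
	return set
}

// guessable returns the inventory entries that fall inside the candidate set.
func guessable(inventory []string, base string, words, suffixes []string) []string {
	set := candidates(base, words, suffixes)
	var hits []string
	for _, b := range inventory {
		if set[strings.ToLower(b)] {
			hits = append(hits, b)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed sample data: a hypothetical organisation and its bucket inventory.
	inventory := []string{"examplecorp-static", "prod.examplecorp_backup", "ec-7f3a9c12-artifacts", "examplecorp"}
	hits := guessable(inventory, "examplecorp", []string{"static", "backup", "upload"}, []string{"prod", "dev"})
	fmt.Println("guessable:", hits)
}
```

Buckets reported as guessable should be checked to confirm that their policies and ACLs grant no unintended public access, since the name alone is discoverable.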
By default, s3enum uses the name server specified in /etc/resolv.conf.
Alternatively, you can specify a different name server using the -nameserver
option. You can also test multiple names at the same time.
$ s3enum \
-wordlist examples/wordlist.txt \
-suffixlist examples/suffixlist.txt \
-nameserver 1.1.1.1 \
-workers 100 \
hackerone h1 roflcopter
Known limitations
Bucket detection relies on CNAME responses under s3.amazonaws.com. Buckets in
us-east-1 resolve to s3-1-w.amazonaws.com and are currently indistinguishable
from non-existent buckets.