Posts Subscribe to Revolution ChurchComments

Monday, August 24, 2020

goGetBucket - A Penetration Testing Tool To Enumerate And Analyse Amazon S3 Buckets Owned By A Domain

4:21 PM Posted by ဦးဘုန္း

When performing a recon on a domain - understanding assets they own is very important. AWS S3 bucket permissions have been confused time and time again, and have allowed for the exposure of sensitive material.

What this tool does, is enumerate S3 bucket names using common patterns I have identified during my time bug hunting and pentesting. Permutations are supported on a root domain name using a custom wordlist. I highly recommend the one packaged within AltDNS.

The following information about every bucket found to exist will be returned:
  • List Permission
  • Write Permission
  • Region the Bucket exists in
  • If the bucket has all access disabled

Installation
go get -u github.com/glen-mac/goGetBucket

Usage
goGetBucket -m ~/tools/altdns/words.txt -d <domain> -o <output> -i <wordlist>
Usage of ./goGetBucket:
  -d string
        Supplied domain name (used with mutation flag)
  -f string
        Path to a testfile (default "/tmp/test.file")
  -i string
        Path to input wordlist to enumerate
  -k string
        Keyword list (used with mutation flag)
  -m string
        Path to mutation wordlist (requires domain flag)
  -o string
        Path to output file to store log
  -t int
        Number of concurrent threads (default 100)
Throughout my use of the tool, I have produced the best results when I feed in a list (-i) of subdomains for a root domain I am interested in. E.G:
www.domain.com
mail.domain.com
dev.domain.com
The test file (-f) is a file that the script will attempt to store in the bucket to test write permissions. So maybe store your contact information and a warning message if this is performed during a bounty?
The keyword list (-k) is concatenated with the root domain name (-d) and the domain without the TLD to permutate using the supplied permuation wordlist (-m).
Be sure not to increase the threads too high (-t) - as the AWS has API rate limiting that will kick in and start giving an undesired return code.

More information
  1. Hackrf Tools
  2. Hacking Tools Windows 10
  3. Android Hack Tools Github
  4. Black Hat Hacker Tools
  5. Github Hacking Tools
  6. Hacking Tools For Games
  7. Hack Apps
  8. Tools Used For Hacking
  9. New Hacker Tools
  10. Hacker Tools
  11. Pentest Tools For Mac
  12. Blackhat Hacker Tools
  13. Pentest Tools Port Scanner
  14. Hacker Tools Free Download
  15. Best Hacking Tools 2020
  16. Hacker Search Tools
  17. Hacker Tools Linux
  18. Pentest Box Tools Download
  19. Best Pentesting Tools 2018
  20. Hak5 Tools
  21. How To Make Hacking Tools
  22. Pentest Tools Android
  23. Pentest Tools Open Source
  24. Hack Tools For Ubuntu
  25. Pentest Tools For Android
  26. Hack And Tools
  27. Pentest Tools List
  28. Easy Hack Tools
  29. Hacker Tools Linux
  30. Hacker Tools Free
  31. Install Pentest Tools Ubuntu
  32. Hacking Tools Name
  33. Android Hack Tools Github
  34. Hacker Tools 2019
  35. Hacking Tools For Windows
  36. Pentest Tools For Windows
  37. Hack Website Online Tool
  38. Hacking Tools Mac
  39. Pentest Tools Linux
  40. Pentest Tools Free
  41. Pentest Tools Website Vulnerability
  42. Hacking Tools Github
  43. Pentest Tools Github
  44. Install Pentest Tools Ubuntu
  45. Hack Tool Apk
  46. Pentest Tools Alternative
  47. Hacker Tools 2019
  48. Hacking Apps
  49. Nsa Hack Tools Download
  50. Hacking Tools For Windows Free Download
  51. Hacking Tools For Pc
  52. Pentest Tools Url Fuzzer
  53. Hacking Tools Name
  54. Github Hacking Tools
  55. Beginner Hacker Tools
  56. Hacking Tools For Games
  57. Hack Tools For Games

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Country

free counters
 

ဦးဘုန္း (ဓာတု) မႏၱေလး. Copyright 2011 All Rights Reserved Free Wordpress Templates by Brian Gardner Blogger Templates presents HD TV Fringe Streaming. Featured on Wedding Photographers Singapore.