
s3scanner

Tool to find open S3 buckets and dump their contents. Supports multi-threaded scanning, S3-compatible APIs, permission checks, and Docker.

Description

s3scanner is a Kali Linux tool designed to identify open S3 buckets and extract their contents. It scans for misconfigurations by checking all bucket permissions, making it useful for security assessments of cloud storage setups. The tool supports a wide range of S3-compatible APIs from providers like AWS, DigitalOcean, Dreamhost, GCP, and Linode.

Key use cases include reconnaissance in penetration testing, auditing cloud storage security, and discovering publicly accessible data in object storage systems. Features like multi-threaded scanning speed up the process, while options to enumerate objects and dump contents to local folders aid in thorough analysis.

It integrates with external systems such as RabbitMQ for bucket input and Postgres for result storage, enhancing its utility in automated workflows. Docker support allows easy deployment in containerized environments.

How It Works

s3scanner performs multi-threaded scans of the buckets given on the command line or in a list, checking permissions across the supported providers through their S3 APIs. It detects open buckets and misconfigurations by testing which access levels an unauthenticated caller is granted. When enumeration is enabled, it lists the bucket's objects, which can then be dumped to a local folder. A YAML config file is used for database output, RabbitMQ input, and custom providers; scanning uses 4 threads by default.
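The permission check described above, as an added illustration that is not s3scanner's own code: a small Python audit helper that classifies the reply to an unsigned GET on a bucket URL (public listing, private, missing, or redirected to another region) and runs the checks through a thread pool the way the -threads flag does. The fetch function, bucket names and response bodies are constructed assumptions so that it runs offline.

```python
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, Tuple

Response = Tuple[int, str]            # (HTTP status, response body)
Fetcher = Callable[[str], Response]   # hypothetical: performs an unsigned GET on a URL

def classify(bucket: str, fetch: Fetcher) -> str:
    """Map the reply to an anonymous GET on the bucket URL to a verdict:
    'open-listing' (public ListBucket), 'exists-private', 'missing', 'redirect' or 'unknown'."""
    status, body = fetch(f"https://{bucket}.s3.amazonaws.com/")
    try:
        root = ET.fromstring(body) if body else None
    except ET.ParseError:
        root = None
    if status == 200 and root is not None and root.tag.endswith("ListBucketResult"):
        return "open-listing"            # the ACL/policy grants anonymous READ: a misconfiguration
    if status in (301, 307):
        return "redirect"                # bucket is in another region; retry against that endpoint
    if status in (403, 404) and root is not None:
        code = root.findtext("Code") or ""
        if code == "NoSuchBucket":
            return "missing"
        if code in ("AccessDenied", "AllAccessDisabled"):
            return "exists-private"      # bucket exists but anonymous listing is denied
    return "unknown"

def audit(buckets: Iterable[str], fetch: Fetcher, threads: int = 4) -> Dict[str, str]:
    """Check many buckets in parallel, as s3scanner's -threads does, and return name -> verdict."""
    names = list(buckets)
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return dict(zip(names, pool.map(lambda b: classify(b, fetch), names)))

# Constructed sample replies standing in for live S3 responses, so this runs offline.
SAMPLE: Dict[str, Response] = {
    "https://public-logs.s3.amazonaws.com/": (200,
        '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
        '<Name>public-logs</Name><Contents><Key>2024/app.log</Key></Contents></ListBucketResult>'),
    "https://internal-backups.s3.amazonaws.com/": (403,
        '<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'),
    "https://no-such-bkt.s3.amazonaws.com/": (404, '<Error><Code>NoSuchBucket</Code></Error>'),
}

def fake_fetch(url: str) -> Response:
    return SAMPLE.get(url, (500, ""))

if __name__ == "__main__":
    for name, verdict in audit(["public-logs", "internal-backups", "no-such-bkt"], fake_fetch).items():
        print(f"{name}: {verdict}")
```

Any bucket you own that comes back as "open-listing" needs its ACL or bucket policy tightened (and S3 Block Public Access enabled), which is the finding s3scanner reports.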

Installation

sudo apt install s3scanner

Flags

-bucket         Name of bucket to check.
-bucket-file    File of bucket names to check.
-mq             Connect to RabbitMQ to get buckets. Requires config file key "mq". Default: "false"
-db             Save results to a Postgres database. Requires config file key "db.uri". Default: "false"
-json           Print logs to stdout in JSON format instead of human-readable. Default: "false"
-enumerate      Enumerate bucket objects (can be time-consuming). Default: "false"
-provider       Object storage provider: aws, custom, digitalocean, dreamhost, gcp, linode (custom requires config file). Default: "aws"
-threads        Number of threads to scan with. Default: "4"
-verbose        Enable verbose logging. Default: "false"
-version        Print version. Default: "false"

Examples

Display help output showing all flags and usage.
s3scanner -h
Check a single specified bucket for openness and permissions.
s3scanner -bucket example-bucket
Scan a list of bucket names from a file.
s3scanner -bucket-file buckets.txt
Scan buckets against GCP provider.
s3scanner -bucket-file buckets.txt -provider gcp
Multi-threaded scan with 8 threads and object enumeration.
s3scanner -bucket-file buckets.txt -threads 8 -enumerate
Use RabbitMQ for buckets alongside file input (requires config).
s3scanner -mq -bucket-file list.txt
Scan bucket, save to Postgres DB, output JSON logs (requires config).
s3scanner -bucket target -db -json
Updated 2026-04-16 (kali.org)