Publicly Open Amazon AWS S3 Bucket Viewer

Last update: Dec 2, 2022

Related tags

Overview

S3Viewer

Publicly open storage viewer (Amazon S3 Bucket, Azure Blob, FTP server, HTTP Index Of/)

s3viewer is a free tool for security researchers that lists the content of publicly open storages and helps to identify leaking data. The tool allows you to view all the files in a given storage and download selected files and directories. The goal is to identify the owner of the storage as quickly as possible in order to report that data is leaking from it.

Supported open storage:

Amazon S3 Buckets
Microsoft Azure Blobs
FTP servers with Anonymous access allowed
HTTP Index Of / Pages (Apache/nginx-style directory listing)

The tool lists directory contents and display them in a tree view GUI from which you can navigate to view all directories and files and even download them. You can also use the Load button to load a pre-downloaded dirlist to view the directory hierarchy offline.

Feature List

Supporting multiple open storage types including S3 bucket, Azure blob, FTP, HTTP Index
View, download, and interact with open storage directory hierarchy
Generate offline dirlist and load it later to work offline
Search for specific files easily
Cross-platform (Windows, MAC, Linux) GUI desktop application
Free

Setup

Prerequisites

python3
- python3 -m pip install -r packaging/requirements.txt
aws cli
- make sure aws works. Then configure once (aws configure) with a random region (e.g. us-east-1). No need for keys.
azure azcopy
- download and place azcopy somewhere along the PATH

Run

python s3viewer.py

Usage Fill the storage url and press Get Dirlist. Use double-click to download a file or use right-click for more options such as download all files in a directory. You can keep the generated dirlist to load quickly later.

Supported URL schemes

AWS
- http://BUCKETNAME.s3.REGION.amazonaws.com/
- https://BUCKETNAME.s3.amazonaws.com
- s3://BUCKETNAME
Azure
- https://BLOBNAME.blob.core.windows.net/CONTAINER
FTP
- ftp://ftp.server.com
HTTP Index
- http://server.com/indexof

TODO

Features
- Download manager
  - Background downloads
  - Parallel downloads
  - Stop/Pause/Resume a download
- Explorer mode
- Mac, Linux builds
Bugs
- Progress bar isn't synced with FTP downloads

Motivation

TL;DR

Publicly open storages have become a serious threat to many companies and people due to massive data leaks which led to countless breaches, extortions, and overall embarrassment to all invloved parties. I have personally discovered and reported on dozens of major publicly open storages open to the public belonging to companies that were completely unaware of them. This must be stopped and I hope this tool will help security researchers to identify misconfigured cloud instances in order to responsibly disclose it to the affected companies.

Longer Version

Simple Storage Service (S3) bucket is a public cloud storage resource available in Amazon Web Services (AWS). They are favorable by developers and IT team, as their storages offer a simple web service interface which enables them to store and retrieve any amount of data at any time from anywhere. Companies are trying to keep up with the pace and ensure their cloud-stored data is safe, yet despite that, they haven't fully incorporated best practices from AWS and we see WAAAAAAAY TOO MANY misconfigured publicly open buckets that can be easily accessed by anyone.

As the popularity of s3 buckets increased I started to discover more and more publicly open buckets and needed a tool to assist me in identifying the companies behind the buckets. Sometimes correlating a bucket name to a company may prove to be an easy task, but sometimes the name of the bucket is too vague and it’s unclear of the company behind it, for example “devbucket” or “prod3bucket”.

The problem with cloud storage technologies, such as S3 buckets, is that they tend to be misconfigured, as proven in recent data breaches, and may leak data to anyone with a browser. That is why it is important to recognize and report any leaked information, since today's leaked information can be a random company's information, but tomorrow's leaked information could be your business or personally identifying information leaked to criminals.

You might also like...

AHA is an incident management & communication framework to provide real-time alert customers when there are active AWS event(s). For customers with AWS Organizations, customers can get aggregated active account level events of all the accounts in the Organization. Customers not using AWS Organizations still benefit alerting at the account level.

Table of Contents Introduction Architecture Configuring an Endpoint Creating a Amazon Chime Webhook URL Creating a Slack Webhook URL Creating a Micros

215 Dec 23, 2022

Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Automate activities in Control Tower provisioned AWS accounts Table of contents Introduction Architecture Prerequisites Tools and services Usage Clean

20 Dec 7, 2022

AWS Interactive CLI - Allows you to execute a complex AWS commands by chaining one or more other AWS CLI dependency

2 Dec 10, 2021

A simple URL shortener app using Python AWS Chalice, AWS Lambda and AWS Dynamodb.

url-shortener-chalice A simple URL shortener app using AWS Chalice. Please make sure you configure your AWS credentials using AWS CLI before starting

2 Dec 9, 2022

Jenkins-AWS-CICD - Implement Jenkins CI/CD with AWS CodeBuild and AWS CodeDeploy, build a python flask web application.

1 Jan 1, 2022

Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Backup and Recovery with AWS Backup This repository provides you with a management and deployment solution for implementing Backup and Recovery with A

8 Nov 22, 2022

Amazon Scraper: A command-line tool for scraping Amazon product data

Amazon Product Scraper: 2021 Description A command-line tool for scraping Amazon product data to CSV or JSON format(s). Requirements Python 3 pip3 Ins

49 Nov 15, 2021

This repository contains the implementations related to the experiments of a set of publicly available datasets that are used in the time series forecasting research space.

TSForecasting This repository contains the implementations related to the experiments of a set of publicly available datasets that are used in the tim

80 Dec 30, 2022

Generate a list of papers with publicly available source code in the daily arxiv

2021-06-08 paper code optimal network slicing for service-oriented networks with flexible routing and guaranteed e2e latency networkslicing multi-moda

79 Jan 3, 2023

Repository for publicly available deep learning models developed in Rosetta community

trRosetta2 This package contains deep learning models and related scripts used by Baker group in CASP14. Installation Linux/Mac clone the package git

81 Dec 29, 2022

Anime Streams Scrapper for Telegram Publicly Available for everyone to use

AniRocks Project Structure: ╭─ bot ├──── plugins: directory stored all the plugins ├──── utils: a directory of Utilities to help bot Client to create

11 Oct 28, 2022

A repository of publicly verifiable token Sale contracts

Token-Sale-Plutus-Contract A repository of publicly verifiable token sale and royalty contracts. This will be the storage solution since it is easily

29 Aug 18, 2022

Archive, organize, and watch for changes to publicly available information.

0. Overview The Trapper Keeper is a collection of scripts that support archiving information from around the web to make it easier to study and use. I

9 Oct 26, 2022

Tool to check whether a GCP bucket is public or not.

Tool to check publicly accessible GCP bucket. Blog https://justm0rph3u5.medium.com/gcp-inspector-auditing-publicly-exposed-gcp-bucket-ac6cad55618c Wha

7 Nov 24, 2022

Crawler job that scrapes comments from social media posts and saves them in a S3 bucket.

Toxicity comments crawler Crawler job that scrapes comments from social media posts and saves them in a S3 bucket. Twitter Tweets and replies are scra

2 Jan 24, 2022

Terraform module to ship CloudTrail logs stored in a S3 bucket into a Kinesis stream for further processing and real-time analysis.

AWS infrastructure to ship CloudTrail logs from S3 to Kinesis This repository contains a Terraform module to ship CloudTrail logs stored in a S3 bucke

8 Sep 20, 2022

S3-cleaner - A Python script attempts to delete the all objects/delete markers/versions from specific S3 bucket

Comments

Custom dirlist not working

This tool is really great, nonetheless, with the built-in downloader. I couldn't get it to work with an S3 compatible endpoint hence I looked into the code to find how you generate the dirlist.

Here is what I got: aws --no-sign-request s3 ls s3://capitol-hill-riots --endpoint-url=https://s3.us-east-1.wasabisys.com --recursive > list.txt

Here is the preview:

However, I get a warning message box when trying to load it.

opened by victorshx 7
Fixed Code Quality Issues
Description

Summary:

Removed useless Object inheritance

Removed the usage of self

Add .deepsource.toml

I ran a DeepSource Analysis on my fork of this repository. You can see all the issues raised by DeepSource here.

DeepSource helps you to automatically find and fix issues in your code during code reviews. This tool looks for anti-patterns, bug risks, performance problems, and raises issues. There are plenty of other issues in relation to Bug Discovery and Anti-Patterns which you would be interested to take a look at.

If you do not want to use DeepSource to continuously analyze this repo, I'll remove the .deepsource.toml from this PR and you can merge the rest of the fixes. If you want to setup DeepSource for Continuous Analysis, I can help you set that up.
opened by HarshCasper 2

Releases(v0.7)

v0.7(Feb 20, 2021)

Bug fixes in HTTP storage provider
Source code(tar.gz)
Source code(zip)
s3viewer_x64.exe(34.64 MB)
v0.6(Jan 17, 2021)
Added Azure blob support. Now the tools supports:

Amazon S3 Buckets

Microsoft Azure Blobs

FTP servers with Anonymous access allowed

HTTP Index Of / Pages (Apache/nginx-style directory listing)

Source code(tar.gz)
Source code(zip)
s3viewer_x64.exe(34.64 MB)
v0.5(Jan 17, 2021)
Added more open storage providers:

HTTP Index Of (http directory lister page)

FTP Server

Source code(tar.gz)
Source code(zip)
s3viewer_x64.exe(34.63 MB)
v0.3(Jan 13, 2021)

Now you can search for specific file and directories
Source code(tar.gz)
Source code(zip)
s3viewer_x64.exe(33.87 MB)
v0.2(Jan 11, 2021)

Supporting dirlist with different encoding schemes (utf8, utf16, etc..)
Source code(tar.gz)
Source code(zip)
s3viewer_x64.exe(33.93 MB)
v0.1(Jan 8, 2021)

First release (x64)
Source code(tar.gz)
Source code(zip)
s3viewer_x64.exe(33.93 MB)

Publicly Open Amazon AWS S3 Bucket Viewer

Related tags

Overview

S3Viewer

Publicly open storage viewer (Amazon S3 Bucket, Azure Blob, FTP server, HTTP Index Of/)

Feature List

Setup

Run

TODO

Motivation

TL;DR

Longer Version

You might also like...

Automated AWS account hardening with AWS Control Tower and AWS Step Functions

AWS Interactive CLI - Allows you to execute a complex AWS commands by chaining one or more other AWS CLI dependency

A simple URL shortener app using Python AWS Chalice, AWS Lambda and AWS Dynamodb.

Jenkins-AWS-CICD - Implement Jenkins CI/CD with AWS CodeBuild and AWS CodeDeploy, build a python flask web application.

Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Amazon Scraper: A command-line tool for scraping Amazon product data

This repository contains the implementations related to the experiments of a set of publicly available datasets that are used in the time series forecasting research space.

Generate a list of papers with publicly available source code in the daily arxiv

Repository for publicly available deep learning models developed in Rosetta community

Anime Streams Scrapper for Telegram Publicly Available for everyone to use

A repository of publicly verifiable token Sale contracts

Archive, organize, and watch for changes to publicly available information.

Tool to check whether a GCP bucket is public or not.

Crawler job that scrapes comments from social media posts and saves them in a S3 bucket.

Terraform module to ship CloudTrail logs stored in a S3 bucket into a Kinesis stream for further processing and real-time analysis.

S3-cleaner - A Python script attempts to delete the all objects/delete markers/versions from specific S3 bucket

Openstack bucket retention cli

Bancos de Dados Relacionais (SQL) na AWS com Amazon RDS

Comments

Custom dirlist not working

Fixed Code Quality Issues

Description

Releases(v0.7)

v0.7(Feb 20, 2021)

v0.6(Jan 17, 2021)

v0.5(Jan 17, 2021)

v0.3(Jan 13, 2021)

v0.2(Jan 11, 2021)

v0.1(Jan 8, 2021)

Owner

Sharon Brizinov

Extract an archive file (zip file or tar file) stored on AWS S3

Recursive-Bucket-Sort - An efficient sorting algorithm (implemented in Python) inspired by the Bucket Sort and the Pigeonhole Sort

An open-source CLI tool for backing up RDS(PostgreSQL) Locally or to Amazon S3 bucket

Image-Viewer is a Windows image viewer based on Python 3.

Napari 3D Ortho Viewer - an ortho viewer for napari for 3D images

DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

Live Coding - Mensageria na AWS com Amazon SNS e Amazon SQS

It's a simple python script to take backup of directories (compressing) then the same to move your mentioned S3 bucket with the help of AWS IAM User.

Let's learn how to build, release and operate your containerized applications to Amazon ECS and AWS Fargate using AWS Copilot.

An AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire internet 😈