S3 Bucket Recon


Here’s a list of common tools and methods you can use to perform S3 bucket Recon. 👇

#Method 1:

Google Dork to find S3 Buckets

site: s3.amazonaws.com site.com

site:amazonaws.com inurl:.s3.amazonaws.com

site:s3.amazonaws.com intitle:index.of.bucket

#Method 2:

Using Burp Suite

Crawl the whole application through the browser proxy and then discover the S3 buckets from the sitemap feature of the Burp suite. Look for web addresses or special headers that mention S3 buckets, like “s3.amazonaws.com” or “x-am-bucket”.

#Method 3:

From Application

To find the target application’s S3 bucket, right-click on any image available on the application, open it in a new tab, and check if the image URL format is something like this: “https://name.s3.amazonaws.com/image1.png" In this case, “name” before “.s3” is the bucket name where the images or data is stored.

#Method 4:

There are many online tools available on GitHub for discovering the S3 bucket associated with a website

S3Scanner: https://github.com/sa7mon/S3Scanner

Mass3: https://github.com/smiegles/mass3

slurp: https://github.com/0xbharath/slurp

Lazy S3: https://github.com/nahamsec/lazys3

bucket_finder: https://github.com/mattweidner/bucket_finder


: https://github.com/netgusto/awsbucketdump

sandcastle: https://github.com/0xSearches/sandcastle

Dumpster Diver: https://github.com/securing/DumpsterDiver

S3 Bucket Finder: https://github.com/gwen001/s3-buckets-finder

#Method 5:

Online Websites

grayhatwarfare: https://buckets.grayhatwarfare.com

osint.[sh]: https://osint.sh/buckets

#Method 6:

Nuclei Template to find S3 Bucket

Template: https://github.com/projectdiscovery/nuclei-templates/blob/master/technologies/s3-detect.yaml

#Method 7:

A simple command to extract S3 buckets from a list of js URLs from a file. You can modify the regex based on your requirements.

cat js_url.txt | xargs -I {} curl -s {} | grep -oE ‘http[s]?://[^”]*.s3.amazonaws.com’

cat js_url.txt | xargs -I {} curl -s {} | grep -oE ‘http[s]?://[^”]*.s3.amazonaws.com/*’

#Method 8:

Extract using #subfinder and #httpx

subfinder -d domain.com -all -silent | httpx -status-code -title -tech-detect | grep “Amazon S3”

#securitycipher #bugbounty #s3recon #bugbountytips #bugbountytools #bugbountytool #cybersecurity #secure #security #pentesting #cloudsecurity #cloudpentesting #cyberawarness #recon #attacksurface #github #dorks

Follow on :

Twitter: https://twitter.com/piyush_supiy

Linkedin: https://linkedin.com/in/piyush-kumawat



Piyush Kumawat (securitycipher)

I'm a digital detective, hunting bugs and fortifying digital fortresses. Penetration tester by day, bug bounty hunter by night. https://securitycipher.com