├── LICENSE ├── README.md ├── SpacesNames.txt ├── interesting_keywords.txt ├── requirements.txt └── spaces_finder.py /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 JP 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Spaces finder 2 | 3 | #### Spaces finder is a tool to quickly enumerate [DigitalOcean Spaces](https://www.digitalocean.com/community/tutorials/an-introduction-to-digitalocean-spaces) to look for loot. It's similar to a subdomain bruteforcer but is made specifically for DigitalOcean Spaces and also has some extra features that allow you to grep for delicious files as well as download interesting files if you're not afraid to quickly fill up your hard drive. 4 | #### By [Bharath](https://twitter.com/0xbharath) 5 | #### Built on top of AWSBucketDump by [@ok_bye_now](https://twitter.com/ok_bye_now) 6 | 7 | ## Pre-Requisites 8 | Non-Standard Python Libraries: 9 | 10 | - [xmltodict](https://pypi.python.org/pypi/xmltodict) 11 | - [requests](docs.python-requests.org/) 12 | - Written in Python 3.6 13 | 14 | ## Overview 15 | 16 | - This is a tool that enumerates DigitalOcean Spaces and looks for interesting files 17 | - I have example wordlists but I haven't put much time into refining them 18 | - `https://github.com/danielmiessler/SecLists` will have all the word lists you need 19 | - If you are targeting a specific company, you will likely want to use jhaddix's [enumall](https://github.com/jhaddix/domain) tool which leverages [recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng) and [Alt-DNS](https://github.com/infosec-au/altdns) 20 | - As far as word lists for grepping interesting files, that is completely up to you. The one I provided has some basics and yes, those word lists are based on files that I personally have found with this tool. 21 | - Using the download feature might fill your hard drive up, you can provide a max file size for each download at the command line when you run the tool. Keep in mind that it is in bytes. 22 | 23 | 24 | ## Usage: 25 | 26 | ``` 27 | usage: python3 spaces_finder.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE] 28 | 29 | optional arguments: 30 | -h, --help show this help message and exit` 31 | -D Download files. This requires significant diskspace` 32 | -d If set to 1 or True, create directories for each host w/ results` 33 | -t THREADS number of threads` 34 | -l HOSTLIST` 35 | -g GREPWORDS Provide a wordlist to grep for` 36 | -m MAXSIZE Maximum file size to download.` 37 | ``` 38 | 39 | `python3 spaces_finder.py -l SpacesNames.txt -g interesting_keywords.txt -D -m 500000 -d 1 -t 5` 40 | -------------------------------------------------------------------------------- /SpacesNames.txt: -------------------------------------------------------------------------------- 1 | 0 2 | 01 3 | 02 4 | 03 5 | 1 6 | 10 7 | 11 8 | 12 9 | 13 10 | 14 11 | 15 12 | 16 13 | 17 14 | 18 15 | 19 16 | 2 17 | 20 18 | 3 19 | 3com 20 | 4 21 | 5 22 | 6 23 | 7 24 | 8 25 | 9 26 | ILMI 27 | a 28 | a.auth-ns 29 | a01 30 | a02 31 | a1 32 | a2 33 | abc 34 | about 35 | ac 36 | academico 37 | acceso 38 | access 39 | accounting 40 | accounts 41 | acid 42 | activestat 43 | ad 44 | adam 45 | adkit 46 | admin 47 | administracion 48 | administrador 49 | administrator 50 | administrators 51 | admins 52 | ads 53 | adserver 54 | adsl 55 | ae 56 | af 57 | affiliate 58 | affiliates 59 | afiliados 60 | ag 61 | agenda 62 | agent 63 | ai 64 | aix 65 | ajax 66 | ak 67 | akamai 68 | al 69 | alabama 70 | alaska 71 | albuquerque 72 | alerts 73 | alpha 74 | alterwind 75 | am 76 | amarillo 77 | americas 78 | an 79 | anaheim 80 | analyzer 81 | announce 82 | announcements 83 | antivirus 84 | ao 85 | ap 86 | apache 87 | apollo 88 | app 89 | app01 90 | app1 91 | apple 92 | application 93 | applications 94 | apps 95 | appserver 96 | aq 97 | ar 98 | archie 99 | arcsight 100 | argentina 101 | arizona 102 | arkansas 103 | arlington 104 | as 105 | as400 106 | asia 107 | asterix 108 | at 109 | athena 110 | atlanta 111 | atlas 112 | att 113 | au 114 | auction 115 | austin 116 | auth 117 | auto 118 | autodiscover 119 | autorun 120 | av 121 | aw 122 | ayuda 123 | az 124 | b 125 | b.auth-ns 126 | b01 127 | b02 128 | b1 129 | b2 130 | b2b 131 | b2c 132 | ba 133 | back 134 | backend 135 | backup 136 | baker 137 | bakersfield 138 | balance 139 | balancer 140 | baltimore 141 | banking 142 | bayarea 143 | bb 144 | bbdd 145 | bbs 146 | bd 147 | bdc 148 | be 149 | bea 150 | beta 151 | bf 152 | bg 153 | bh 154 | bi 155 | billing 156 | biz 157 | biztalk 158 | bj 159 | black 160 | blackberry 161 | blog 162 | blogs 163 | blue 164 | bm 165 | bn 166 | bnc 167 | bo 168 | bob 169 | bof 170 | boise 171 | bolsa 172 | border 173 | boston 174 | boulder 175 | boy 176 | br 177 | bravo 178 | brazil 179 | britian 180 | broadcast 181 | broker 182 | bronze 183 | brown 184 | bs 185 | bsd 186 | bsd0 187 | bsd01 188 | bsd02 189 | bsd1 190 | bsd2 191 | bt 192 | bug 193 | buggalo 194 | bugs 195 | bugzilla 196 | build 197 | bulletins 198 | burn 199 | burner 200 | buscador 201 | buy 202 | bv 203 | bw 204 | by 205 | bz 206 | c 207 | c.auth-ns 208 | ca 209 | cache 210 | cafe 211 | calendar 212 | california 213 | call 214 | calvin 215 | canada 216 | canal 217 | canon 218 | careers 219 | catalog 220 | cc 221 | cd 222 | cdburner 223 | cdn 224 | cert 225 | certificates 226 | certify 227 | certserv 228 | certsrv 229 | cf 230 | cg 231 | cgi 232 | ch 233 | channel 234 | channels 235 | charlie 236 | charlotte 237 | chat 238 | chats 239 | chatserver 240 | check 241 | checkpoint 242 | chi 243 | chicago 244 | ci 245 | cims 246 | cincinnati 247 | cisco 248 | citrix 249 | ck 250 | cl 251 | class 252 | classes 253 | classifieds 254 | classroom 255 | cleveland 256 | clicktrack 257 | client 258 | clientes 259 | clients 260 | club 261 | clubs 262 | cluster 263 | clusters 264 | cm 265 | cmail 266 | cms 267 | cn 268 | co 269 | cocoa 270 | code 271 | coldfusion 272 | colombus 273 | colorado 274 | columbus 275 | com 276 | commerce 277 | commerceserver 278 | communigate 279 | community 280 | compaq 281 | compras 282 | con 283 | concentrator 284 | conf 285 | conference 286 | conferencing 287 | confidential 288 | connect 289 | connecticut 290 | consola 291 | console 292 | consult 293 | consultant 294 | consultants 295 | consulting 296 | consumer 297 | contact 298 | content 299 | contracts 300 | core 301 | core0 302 | core01 303 | corp 304 | corpmail 305 | corporate 306 | correo 307 | correoweb 308 | cortafuegos 309 | counterstrike 310 | courses 311 | cr 312 | cricket 313 | crm 314 | crs 315 | cs 316 | cso 317 | css 318 | ct 319 | cu 320 | cust1 321 | cust10 322 | cust100 323 | cust101 324 | cust102 325 | cust103 326 | cust104 327 | cust105 328 | cust106 329 | cust107 330 | cust108 331 | cust109 332 | cust11 333 | cust110 334 | cust111 335 | cust112 336 | cust113 337 | cust114 338 | cust115 339 | cust116 340 | cust117 341 | cust118 342 | cust119 343 | cust12 344 | cust120 345 | cust121 346 | cust122 347 | cust123 348 | cust124 349 | cust125 350 | cust126 351 | cust13 352 | cust14 353 | cust15 354 | cust16 355 | cust17 356 | cust18 357 | cust19 358 | cust2 359 | cust20 360 | cust21 361 | cust22 362 | cust23 363 | cust24 364 | cust25 365 | cust26 366 | cust27 367 | cust28 368 | cust29 369 | cust3 370 | cust30 371 | cust31 372 | cust32 373 | cust33 374 | cust34 375 | cust35 376 | cust36 377 | cust37 378 | cust38 379 | cust39 380 | cust4 381 | cust40 382 | cust41 383 | cust42 384 | cust43 385 | cust44 386 | cust45 387 | cust46 388 | cust47 389 | cust48 390 | cust49 391 | cust5 392 | cust50 393 | cust51 394 | cust52 395 | cust53 396 | cust54 397 | cust55 398 | cust56 399 | cust57 400 | cust58 401 | cust59 402 | cust6 403 | cust60 404 | cust61 405 | cust62 406 | cust63 407 | cust64 408 | cust65 409 | cust66 410 | cust67 411 | cust68 412 | cust69 413 | cust7 414 | cust70 415 | cust71 416 | cust72 417 | cust73 418 | cust74 419 | cust75 420 | cust76 421 | cust77 422 | cust78 423 | cust79 424 | cust8 425 | cust80 426 | cust81 427 | cust82 428 | cust83 429 | cust84 430 | cust85 431 | cust86 432 | cust87 433 | cust88 434 | cust89 435 | cust9 436 | cust90 437 | cust91 438 | cust92 439 | cust93 440 | cust94 441 | cust95 442 | cust96 443 | cust97 444 | cust98 445 | cust99 446 | customer 447 | customers 448 | cv 449 | cvs 450 | cx 451 | cy 452 | cz 453 | d 454 | dallas 455 | data 456 | database 457 | database01 458 | database02 459 | database1 460 | database2 461 | databases 462 | datastore 463 | datos 464 | david 465 | db 466 | db0 467 | db01 468 | db02 469 | db1 470 | db2 471 | dc 472 | de 473 | dealers 474 | dec 475 | def 476 | default 477 | defiant 478 | delaware 479 | dell 480 | delta 481 | delta1 482 | demo 483 | demonstration 484 | demos 485 | denver 486 | depot 487 | des 488 | desarrollo 489 | descargas 490 | design 491 | designer 492 | desktop 493 | detroit 494 | dev 495 | dev0 496 | dev01 497 | dev1 498 | devel 499 | develop 500 | developer 501 | developers 502 | development 503 | device 504 | devserver 505 | devsql 506 | dhcp 507 | dial 508 | dialup 509 | digital 510 | dilbert 511 | dir 512 | direct 513 | directory 514 | disc 515 | discovery 516 | discuss 517 | discussion 518 | discussions 519 | disk 520 | disney 521 | distributer 522 | distributers 523 | dj 524 | dk 525 | dm 526 | dmail 527 | dmz 528 | dnews 529 | dns 530 | dns-2 531 | dns0 532 | dns1 533 | dns2 534 | dns3 535 | do 536 | docs 537 | documentacion 538 | documentos 539 | domain 540 | domains 541 | dominio 542 | domino 543 | dominoweb 544 | doom 545 | download 546 | downloads 547 | downtown 548 | dragon 549 | drupal 550 | dsl 551 | dyn 552 | dynamic 553 | dynip 554 | dz 555 | e 556 | e-com 557 | e-commerce 558 | e0 559 | eagle 560 | earth 561 | east 562 | ec 563 | echo 564 | ecom 565 | ecommerce 566 | edi 567 | edu 568 | education 569 | edward 570 | ee 571 | eg 572 | eh 573 | ejemplo 574 | elpaso 575 | email 576 | employees 577 | empresa 578 | empresas 579 | en 580 | enable 581 | eng 582 | eng01 583 | eng1 584 | engine 585 | engineer 586 | engineering 587 | enterprise 588 | epsilon 589 | er 590 | erp 591 | es 592 | esd 593 | esm 594 | espanol 595 | estadisticas 596 | esx 597 | et 598 | eta 599 | europe 600 | events 601 | example 602 | exchange 603 | exec 604 | extern 605 | external 606 | extranet 607 | f 608 | f5 609 | falcon 610 | farm 611 | faststats 612 | fax 613 | feedback 614 | feeds 615 | fi 616 | field 617 | file 618 | files 619 | fileserv 620 | fileserver 621 | filestore 622 | filter 623 | find 624 | finger 625 | firewall 626 | fix 627 | fixes 628 | fj 629 | fk 630 | fl 631 | flash 632 | florida 633 | flow 634 | fm 635 | fo 636 | foobar 637 | formacion 638 | foro 639 | foros 640 | fortworth 641 | forum 642 | forums 643 | foto 644 | fotos 645 | foundry 646 | fox 647 | foxtrot 648 | fr 649 | france 650 | frank 651 | fred 652 | freebsd 653 | freebsd0 654 | freebsd01 655 | freebsd02 656 | freebsd1 657 | freebsd2 658 | freeware 659 | fresno 660 | front 661 | frontdesk 662 | fs 663 | fsp 664 | ftp 665 | ftp- 666 | ftp0 667 | ftp2 668 | ftpserver 669 | fw 670 | fw-1 671 | fw1 672 | fwsm 673 | fwsm0 674 | fwsm01 675 | fwsm1 676 | g 677 | ga 678 | galeria 679 | galerias 680 | galleries 681 | gallery 682 | games 683 | gamma 684 | gandalf 685 | gate 686 | gatekeeper 687 | gateway 688 | gauss 689 | gd 690 | ge 691 | gemini 692 | general 693 | george 694 | georgia 695 | germany 696 | gf 697 | gg 698 | gh 699 | gi 700 | gl 701 | glendale 702 | gm 703 | gmail 704 | gn 705 | go 706 | gold 707 | goldmine 708 | golf 709 | gopher 710 | gp 711 | gq 712 | gr 713 | green 714 | group 715 | groups 716 | groupwise 717 | gs 718 | gsx 719 | gt 720 | gu 721 | guest 722 | gw 723 | gw1 724 | gy 725 | h 726 | hal 727 | halflife 728 | hawaii 729 | hello 730 | help 731 | helpdesk 732 | helponline 733 | henry 734 | hermes 735 | hi 736 | hidden 737 | hk 738 | hm 739 | hn 740 | hobbes 741 | hollywood 742 | home 743 | homebase 744 | homer 745 | honeypot 746 | honolulu 747 | host 748 | host1 749 | host3 750 | host4 751 | host5 752 | hotel 753 | hotjobs 754 | houstin 755 | houston 756 | howto 757 | hp 758 | hpov 759 | hr 760 | ht 761 | http 762 | https 763 | hu 764 | hub 765 | humanresources 766 | i 767 | ia 768 | ias 769 | ibm 770 | ibmdb 771 | id 772 | ida 773 | idaho 774 | ids 775 | ie 776 | iis 777 | il 778 | illinois 779 | im 780 | images 781 | imail 782 | imap 783 | imap4 784 | img 785 | img0 786 | img01 787 | img02 788 | in 789 | inbound 790 | inc 791 | include 792 | incoming 793 | india 794 | indiana 795 | indianapolis 796 | info 797 | informix 798 | inside 799 | install 800 | int 801 | intern 802 | internal 803 | international 804 | internet 805 | intl 806 | intranet 807 | invalid 808 | investor 809 | investors 810 | io 811 | iota 812 | iowa 813 | iplanet 814 | ipmonitor 815 | ipsec 816 | ipsec-gw 817 | ipv6 818 | ipv6.teredo 819 | iq 820 | ir 821 | irc 822 | ircd 823 | ircserver 824 | ireland 825 | iris 826 | irvine 827 | irving 828 | is 829 | isa 830 | isaserv 831 | isaserver 832 | ism 833 | israel 834 | isync 835 | it 836 | italy 837 | ix 838 | j 839 | japan 840 | java 841 | je 842 | jedi 843 | jm 844 | jo 845 | jobs 846 | john 847 | jp 848 | jrun 849 | juegos 850 | juliet 851 | juliette 852 | juniper 853 | k 854 | kansas 855 | kansascity 856 | kappa 857 | kb 858 | ke 859 | kentucky 860 | kerberos 861 | keynote 862 | kg 863 | kh 864 | ki 865 | kilo 866 | king 867 | km 868 | kn 869 | knowledgebase 870 | knoxville 871 | koe 872 | korea 873 | kp 874 | kr 875 | ks 876 | kw 877 | ky 878 | kz 879 | l 880 | la 881 | lab 882 | laboratory 883 | labs 884 | lambda 885 | lan 886 | laptop 887 | laserjet 888 | lasvegas 889 | launch 890 | lb 891 | lc 892 | ldap 893 | legal 894 | leo 895 | li 896 | lib 897 | library 898 | lima 899 | lincoln 900 | link 901 | linux 902 | linux0 903 | linux01 904 | linux02 905 | linux1 906 | linux2 907 | lista 908 | lists 909 | listserv 910 | listserver 911 | live 912 | lk 913 | load 914 | loadbalancer 915 | local 916 | localhost 917 | log 918 | log0 919 | log01 920 | log02 921 | log1 922 | log2 923 | logfile 924 | logfiles 925 | logger 926 | logging 927 | loghost 928 | login 929 | logs 930 | london 931 | longbeach 932 | losangeles 933 | lotus 934 | louisiana 935 | lr 936 | ls 937 | lt 938 | lu 939 | luke 940 | lv 941 | ly 942 | lyris 943 | m 944 | ma 945 | mac 946 | mac1 947 | mac10 948 | mac11 949 | mac2 950 | mac3 951 | mac4 952 | mac5 953 | mach 954 | macintosh 955 | madrid 956 | mail 957 | mail2 958 | mailer 959 | mailgate 960 | mailhost 961 | mailing 962 | maillist 963 | maillists 964 | mailroom 965 | mailserv 966 | mailsite 967 | mailsrv 968 | main 969 | maine 970 | maint 971 | mall 972 | manage 973 | management 974 | manager 975 | manufacturing 976 | map 977 | mapas 978 | maps 979 | marketing 980 | marketplace 981 | mars 982 | marvin 983 | mary 984 | maryland 985 | massachusetts 986 | master 987 | max 988 | mc 989 | mci 990 | md 991 | mdaemon 992 | me 993 | media 994 | member 995 | members 996 | memphis 997 | mercury 998 | merlin 999 | messages 1000 | messenger 1001 | mg 1002 | mgmt 1003 | mh 1004 | mi 1005 | miami 1006 | michigan 1007 | mickey 1008 | midwest 1009 | mike 1010 | milwaukee 1011 | minneapolis 1012 | minnesota 1013 | mirror 1014 | mis 1015 | mississippi 1016 | missouri 1017 | mk 1018 | ml 1019 | mm 1020 | mn 1021 | mngt 1022 | mo 1023 | mobile 1024 | mobilemail 1025 | mom 1026 | monitor 1027 | monitoring 1028 | montana 1029 | moon 1030 | moscow 1031 | movies 1032 | mozart 1033 | mp 1034 | mp3 1035 | mpeg 1036 | mpg 1037 | mq 1038 | mr 1039 | mrtg 1040 | ms 1041 | ms-exchange 1042 | ms-sql 1043 | msexchange 1044 | mssql 1045 | mssql0 1046 | mssql01 1047 | mssql1 1048 | mt 1049 | mta 1050 | mtu 1051 | mu 1052 | multimedia 1053 | music 1054 | mv 1055 | mw 1056 | mx 1057 | my 1058 | mysql 1059 | mysql0 1060 | mysql01 1061 | mysql1 1062 | mz 1063 | n 1064 | na 1065 | name 1066 | names 1067 | nameserv 1068 | nameserver 1069 | nas 1070 | nashville 1071 | nat 1072 | nc 1073 | nd 1074 | nds 1075 | ne 1076 | nebraska 1077 | neptune 1078 | net 1079 | netapp 1080 | netdata 1081 | netgear 1082 | netmeeting 1083 | netscaler 1084 | netscreen 1085 | netstats 1086 | network 1087 | nevada 1088 | new 1089 | newhampshire 1090 | newjersey 1091 | newmexico 1092 | neworleans 1093 | news 1094 | newsfeed 1095 | newsfeeds 1096 | newsgroups 1097 | newton 1098 | newyork 1099 | newzealand 1100 | nf 1101 | ng 1102 | nh 1103 | ni 1104 | nigeria 1105 | nj 1106 | nl 1107 | nm 1108 | nms 1109 | nntp 1110 | no 1111 | node 1112 | nokia 1113 | nombres 1114 | nora 1115 | north 1116 | northcarolina 1117 | northdakota 1118 | northeast 1119 | northwest 1120 | noticias 1121 | novell 1122 | november 1123 | np 1124 | nr 1125 | ns 1126 | ns- 1127 | ns0 1128 | ns01 1129 | ns02 1130 | ns1 1131 | ns2 1132 | ns3 1133 | ns4 1134 | ns5 1135 | nt 1136 | nt4 1137 | nt40 1138 | ntmail 1139 | ntp 1140 | ntserver 1141 | nu 1142 | null 1143 | nv 1144 | ny 1145 | nz 1146 | o 1147 | oakland 1148 | ocean 1149 | odin 1150 | office 1151 | offices 1152 | oh 1153 | ohio 1154 | ok 1155 | oklahoma 1156 | oklahomacity 1157 | old 1158 | om 1159 | omaha 1160 | omega 1161 | omicron 1162 | online 1163 | ontario 1164 | open 1165 | openbsd 1166 | openview 1167 | operations 1168 | ops 1169 | ops0 1170 | ops01 1171 | ops02 1172 | ops1 1173 | ops2 1174 | opsware 1175 | or 1176 | oracle 1177 | orange 1178 | order 1179 | orders 1180 | oregon 1181 | orion 1182 | orlando 1183 | oscar 1184 | out 1185 | outbound 1186 | outgoing 1187 | outlook 1188 | outside 1189 | ov 1190 | owa 1191 | owa01 1192 | owa02 1193 | owa1 1194 | owa2 1195 | ows 1196 | oxnard 1197 | p 1198 | pa 1199 | page 1200 | pager 1201 | pages 1202 | paginas 1203 | papa 1204 | paris 1205 | parners 1206 | partner 1207 | partners 1208 | patch 1209 | patches 1210 | paul 1211 | payroll 1212 | pbx 1213 | pc 1214 | pc01 1215 | pc1 1216 | pc10 1217 | pc101 1218 | pc11 1219 | pc12 1220 | pc13 1221 | pc14 1222 | pc15 1223 | pc16 1224 | pc17 1225 | pc18 1226 | pc19 1227 | pc2 1228 | pc20 1229 | pc21 1230 | pc22 1231 | pc23 1232 | pc24 1233 | pc25 1234 | pc26 1235 | pc27 1236 | pc28 1237 | pc29 1238 | pc3 1239 | pc30 1240 | pc31 1241 | pc32 1242 | pc33 1243 | pc34 1244 | pc35 1245 | pc36 1246 | pc37 1247 | pc38 1248 | pc39 1249 | pc4 1250 | pc40 1251 | pc41 1252 | pc42 1253 | pc43 1254 | pc44 1255 | pc45 1256 | pc46 1257 | pc47 1258 | pc48 1259 | pc49 1260 | pc5 1261 | pc50 1262 | pc51 1263 | pc52 1264 | pc53 1265 | pc54 1266 | pc55 1267 | pc56 1268 | pc57 1269 | pc58 1270 | pc59 1271 | pc6 1272 | pc60 1273 | pc7 1274 | pc8 1275 | pc9 1276 | pcmail 1277 | pda 1278 | pdc 1279 | pe 1280 | pegasus 1281 | pennsylvania 1282 | peoplesoft 1283 | personal 1284 | pf 1285 | pg 1286 | pgp 1287 | ph 1288 | phi 1289 | philadelphia 1290 | phoenix 1291 | phoeniz 1292 | phone 1293 | phones 1294 | photos 1295 | pi 1296 | pics 1297 | pictures 1298 | pink 1299 | pipex-gw 1300 | pittsburgh 1301 | pix 1302 | pk 1303 | pki 1304 | pl 1305 | plano 1306 | platinum 1307 | pluto 1308 | pm 1309 | pm1 1310 | pn 1311 | po 1312 | policy 1313 | polls 1314 | pop 1315 | pop3 1316 | portal 1317 | portals 1318 | portfolio 1319 | portland 1320 | post 1321 | postales 1322 | postoffice 1323 | ppp1 1324 | ppp10 1325 | ppp11 1326 | ppp12 1327 | ppp13 1328 | ppp14 1329 | ppp15 1330 | ppp16 1331 | ppp17 1332 | ppp18 1333 | ppp19 1334 | ppp2 1335 | ppp20 1336 | ppp21 1337 | ppp3 1338 | ppp4 1339 | ppp5 1340 | ppp6 1341 | ppp7 1342 | ppp8 1343 | ppp9 1344 | pptp 1345 | pr 1346 | prensa 1347 | press 1348 | printer 1349 | printserv 1350 | printserver 1351 | priv 1352 | privacy 1353 | private 1354 | problemtracker 1355 | products 1356 | profiles 1357 | project 1358 | projects 1359 | promo 1360 | proxy 1361 | prueba 1362 | pruebas 1363 | ps 1364 | psi 1365 | pss 1366 | pt 1367 | pub 1368 | public 1369 | pubs 1370 | purple 1371 | pw 1372 | py 1373 | q 1374 | qa 1375 | qmail 1376 | qotd 1377 | quake 1378 | quebec 1379 | queen 1380 | quotes 1381 | r 1382 | r01 1383 | r02 1384 | r1 1385 | r2 1386 | ra 1387 | radio 1388 | radius 1389 | rapidsite 1390 | raptor 1391 | ras 1392 | rc 1393 | rcs 1394 | rd 1395 | re 1396 | read 1397 | realserver 1398 | recruiting 1399 | red 1400 | redhat 1401 | ref 1402 | reference 1403 | reg 1404 | register 1405 | registro 1406 | registry 1407 | regs 1408 | relay 1409 | rem 1410 | remote 1411 | remstats 1412 | reports 1413 | research 1414 | reseller 1415 | reserved 1416 | resumenes 1417 | rho 1418 | rhodeisland 1419 | ri 1420 | ris 1421 | rmi 1422 | ro 1423 | robert 1424 | romeo 1425 | root 1426 | rose 1427 | route 1428 | router 1429 | router1 1430 | rs 1431 | rss 1432 | rtelnet 1433 | rtr 1434 | rtr01 1435 | rtr1 1436 | ru 1437 | rune 1438 | rw 1439 | rwhois 1440 | s 1441 | s1 1442 | s2 1443 | sa 1444 | sac 1445 | sacramento 1446 | sadmin 1447 | safe 1448 | sales 1449 | saltlake 1450 | sam 1451 | san 1452 | sanantonio 1453 | sandiego 1454 | sanfrancisco 1455 | sanjose 1456 | saskatchewan 1457 | saturn 1458 | sb 1459 | sbs 1460 | sc 1461 | scanner 1462 | schedules 1463 | scotland 1464 | scotty 1465 | sd 1466 | se 1467 | search 1468 | seattle 1469 | sec 1470 | secret 1471 | secure 1472 | secured 1473 | securid 1474 | security 1475 | sendmail 1476 | seri 1477 | serv 1478 | serv2 1479 | server 1480 | server1 1481 | servers 1482 | service 1483 | services 1484 | servicio 1485 | servidor 1486 | setup 1487 | sg 1488 | sh 1489 | shared 1490 | sharepoint 1491 | shareware 1492 | shipping 1493 | shop 1494 | shoppers 1495 | shopping 1496 | si 1497 | siebel 1498 | sierra 1499 | sigma 1500 | signin 1501 | signup 1502 | silver 1503 | sim 1504 | sirius 1505 | site 1506 | sj 1507 | sk 1508 | skywalker 1509 | sl 1510 | slackware 1511 | slmail 1512 | sm 1513 | smc 1514 | sms 1515 | smtp 1516 | smtphost 1517 | sn 1518 | sniffer 1519 | snmp 1520 | snmpd 1521 | snoopy 1522 | snort 1523 | so 1524 | soap 1525 | socal 1526 | software 1527 | sol 1528 | solaris 1529 | solutions 1530 | soporte 1531 | source 1532 | sourcecode 1533 | sourcesafe 1534 | south 1535 | southcarolina 1536 | southdakota 1537 | southeast 1538 | southwest 1539 | spain 1540 | spam 1541 | spider 1542 | spiderman 1543 | splunk 1544 | spock 1545 | spokane 1546 | springfield 1547 | sprint 1548 | sqa 1549 | sql 1550 | sql0 1551 | sql01 1552 | sql1 1553 | sql7 1554 | sqlserver 1555 | squid 1556 | sr 1557 | ss 1558 | ssh 1559 | ssl 1560 | ssl0 1561 | ssl01 1562 | ssl1 1563 | st 1564 | staff 1565 | stage 1566 | staging 1567 | start 1568 | stat 1569 | static 1570 | statistics 1571 | stats 1572 | stlouis 1573 | stock 1574 | storage 1575 | store 1576 | storefront 1577 | streaming 1578 | stronghold 1579 | strongmail 1580 | studio 1581 | submit 1582 | subversion 1583 | sun 1584 | sun0 1585 | sun01 1586 | sun02 1587 | sun1 1588 | sun2 1589 | superman 1590 | supplier 1591 | suppliers 1592 | support 1593 | sv 1594 | sw 1595 | sw0 1596 | sw01 1597 | sw1 1598 | sweden 1599 | switch 1600 | switzerland 1601 | sy 1602 | sybase 1603 | sydney 1604 | sysadmin 1605 | sysback 1606 | syslog 1607 | syslogs 1608 | system 1609 | sz 1610 | t 1611 | tacoma 1612 | taiwan 1613 | talk 1614 | tampa 1615 | tango 1616 | tau 1617 | tc 1618 | tcl 1619 | td 1620 | team 1621 | tech 1622 | technology 1623 | techsupport 1624 | telephone 1625 | telephony 1626 | telnet 1627 | temp 1628 | tennessee 1629 | terminal 1630 | terminalserver 1631 | termserv 1632 | test 1633 | test2k 1634 | testajax 1635 | testasp 1636 | testaspnet 1637 | testbed 1638 | testcf 1639 | testing 1640 | testjsp 1641 | testlab 1642 | testlinux 1643 | testphp 1644 | testserver 1645 | testsite 1646 | testsql 1647 | testxp 1648 | texas 1649 | tf 1650 | tftp 1651 | tg 1652 | th 1653 | thailand 1654 | theta 1655 | thor 1656 | tienda 1657 | tiger 1658 | time 1659 | titan 1660 | tivoli 1661 | tj 1662 | tk 1663 | tm 1664 | tn 1665 | to 1666 | tokyo 1667 | toledo 1668 | tom 1669 | tool 1670 | tools 1671 | toplayer 1672 | toronto 1673 | tour 1674 | tp 1675 | tr 1676 | tracker 1677 | train 1678 | training 1679 | transfers 1680 | trinidad 1681 | trinity 1682 | ts 1683 | ts1 1684 | tt 1685 | tucson 1686 | tulsa 1687 | tunnel 1688 | tv 1689 | tw 1690 | tx 1691 | tz 1692 | u 1693 | ua 1694 | uddi 1695 | ug 1696 | uk 1697 | um 1698 | uniform 1699 | union 1700 | unitedkingdom 1701 | unitedstates 1702 | unix 1703 | unixware 1704 | update 1705 | updates 1706 | upload 1707 | ups 1708 | upsilon 1709 | uranus 1710 | urchin 1711 | us 1712 | usa 1713 | usenet 1714 | user 1715 | users 1716 | ut 1717 | utah 1718 | utilities 1719 | uy 1720 | uz 1721 | v 1722 | v6 1723 | va 1724 | vader 1725 | vantive 1726 | vault 1727 | vc 1728 | ve 1729 | vega 1730 | vegas 1731 | vend 1732 | vendors 1733 | venus 1734 | vermont 1735 | vg 1736 | vi 1737 | victor 1738 | video 1739 | videos 1740 | viking 1741 | violet 1742 | vip 1743 | virginia 1744 | vista 1745 | vm 1746 | vmserver 1747 | vmware 1748 | vn 1749 | vnc 1750 | voice 1751 | voicemail 1752 | voip 1753 | voyager 1754 | vpn 1755 | vpn0 1756 | vpn01 1757 | vpn02 1758 | vpn1 1759 | vpn2 1760 | vt 1761 | vu 1762 | w 1763 | w1 1764 | w2 1765 | w3 1766 | wa 1767 | wais 1768 | wallet 1769 | wam 1770 | wan 1771 | wap 1772 | warehouse 1773 | washington 1774 | wc3 1775 | web 1776 | webaccess 1777 | webadmin 1778 | webalizer 1779 | webboard 1780 | webcache 1781 | webcam 1782 | webcast 1783 | webdev 1784 | webdocs 1785 | webfarm 1786 | webhelp 1787 | weblib 1788 | weblogic 1789 | webmail 1790 | webmaster 1791 | webproxy 1792 | webring 1793 | webs 1794 | webserv 1795 | webserver 1796 | webservices 1797 | website 1798 | websites 1799 | websphere 1800 | websrv 1801 | websrvr 1802 | webstats 1803 | webstore 1804 | websvr 1805 | webtrends 1806 | welcome 1807 | west 1808 | westvirginia 1809 | wf 1810 | whiskey 1811 | white 1812 | whois 1813 | wi 1814 | wichita 1815 | wiki 1816 | wililiam 1817 | win 1818 | win01 1819 | win02 1820 | win1 1821 | win2 1822 | win2000 1823 | win2003 1824 | win2k 1825 | win2k3 1826 | windows 1827 | windows01 1828 | windows02 1829 | windows1 1830 | windows2 1831 | windows2000 1832 | windows2003 1833 | windowsxp 1834 | wingate 1835 | winnt 1836 | winproxy 1837 | wins 1838 | winserve 1839 | winxp 1840 | wire 1841 | wireless 1842 | wisconsin 1843 | wlan 1844 | wordpress 1845 | work 1846 | world 1847 | wpad 1848 | write 1849 | ws 1850 | ws1 1851 | ws10 1852 | ws11 1853 | ws12 1854 | ws13 1855 | ws2 1856 | ws3 1857 | ws4 1858 | ws5 1859 | ws6 1860 | ws7 1861 | ws8 1862 | ws9 1863 | wusage 1864 | wv 1865 | ww 1866 | www 1867 | www- 1868 | www-01 1869 | www-02 1870 | www-1 1871 | www-2 1872 | www-int 1873 | www0 1874 | www01 1875 | www02 1876 | www1 1877 | www2 1878 | www3 1879 | wwwchat 1880 | wwwdev 1881 | wwwmail 1882 | wy 1883 | wyoming 1884 | x 1885 | x-ray 1886 | xi 1887 | xlogan 1888 | xmail 1889 | xml 1890 | xp 1891 | y 1892 | yankee 1893 | ye 1894 | yellow 1895 | young 1896 | yt 1897 | yu 1898 | z 1899 | z-log 1900 | za 1901 | zebra 1902 | zera 1903 | zeus 1904 | zlog 1905 | zm 1906 | zulu 1907 | zw 1908 | -------------------------------------------------------------------------------- /interesting_keywords.txt: -------------------------------------------------------------------------------- 1 | png 2 | txt 3 | html 4 | css 5 | password 6 | user 7 | wp-config 8 | bak 9 | backup 10 | bank 11 | secret 12 | vpn 13 | xls 14 | csv 15 | confidential 16 | invoice 17 | ssn 18 | ssh 19 | keys 20 | zip 21 | tar 22 | pdf 23 | xlsx 24 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | xmltodict 3 | argparse 4 | -------------------------------------------------------------------------------- /spaces_finder.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # "Spaces finder" is a tool to quickly enumerate DigitalOcean Spaces to look for loot. 4 | # It's similar to a subdomain bruteforcer but is made specifically to DigitalOcean 5 | # Spaces and also has some extra features that allow you to grep for 6 | # delicous files as well as download interesting files if you're not 7 | # afraid to quickly fill up your hard drive. 8 | # Built on top of AWSBucketDump by Jordan Potti(@ok_bye_now) 9 | 10 | __author__ = "Bharath" 11 | __twitter__ = "0xbharath" 12 | __version__ = "0.0.2" 13 | 14 | from argparse import ArgumentParser 15 | import codecs 16 | import requests 17 | import xmltodict 18 | import sys 19 | import os 20 | import shutil 21 | import traceback 22 | from queue import Queue 23 | from threading import Thread, Lock 24 | 25 | bucket_q = Queue() 26 | download_q = Queue() 27 | 28 | grep_list=None 29 | 30 | arguments = None 31 | total_public_spaces = 0 32 | 33 | # Regions available for DigitalOcean Spaces 34 | regions = ['nyc3', 'ams3', 'sgp1', 'sfo2', 'fra1'] 35 | 36 | def fetch(url): 37 | print('[+] fetching ' + url) 38 | try: 39 | response = requests.get(url) 40 | except requests.exceptions.RequestException as e: # This is the correct syntax 41 | print(e) 42 | sys.exit(1) 43 | if response.status_code == 403 or response.status_code == 404: 44 | status403(url) 45 | if response.status_code == 200: 46 | if "Content" in response.text: 47 | returnedList=status200(response,grep_list,url) 48 | 49 | def bucket_worker(): 50 | while True: 51 | item = bucket_q.get() 52 | try: 53 | fetch(item) 54 | except Exception as e: 55 | traceback.print_exc(file=sys.stdout) 56 | print(e) 57 | bucket_q.task_done() 58 | 59 | def downloadWorker(): 60 | print('[+] download worker running') 61 | while True: 62 | item = download_q.get() 63 | try: 64 | downloadFile(item) 65 | except Exception as e: 66 | traceback.print_exc(file=sys.stdout) 67 | print(e) 68 | download_q.task_done() 69 | directory_lock = Lock() 70 | 71 | def get_directory_lock(): 72 | directory_lock.acquire() 73 | 74 | def release_directory_lock(): 75 | directory_lock.release() 76 | 77 | def get_make_directory_return_filename_path(url): 78 | global arguments 79 | bits = url.split('/') 80 | directory = arguments.savedir 81 | for i in range(2,len(bits)-1): 82 | directory = os.path.join(directory, bits[i]) 83 | try: 84 | get_directory_lock() 85 | if not os.path.isdir(directory): 86 | os.makedirs(directory) 87 | except Exception as e: 88 | traceback.print_exc(file=sys.stdout) 89 | print(e) 90 | finally: 91 | release_directory_lock() 92 | 93 | return os.path.join(directory, bits[-1]).rstrip() 94 | 95 | interesting_file_lock = Lock() 96 | def get_interesting_file_lock(): 97 | interesting_file_lock.acquire() 98 | 99 | def release_interesting_file_lock(): 100 | interesting_file_lock.release() 101 | 102 | def write_interesting_file(filepath): 103 | try: 104 | get_interesting_file_lock() 105 | with open('interesting_file.txt', 'ab+') as interesting_file: 106 | interesting_file.write(filepath.encode('utf-8')) 107 | interesting_file.write('\n'.encode('utf-8')) 108 | finally: 109 | release_interesting_file_lock() 110 | 111 | def downloadFile(filename): 112 | global arguments 113 | print('[+] Downloading {}'.format(filename)) 114 | local_path = get_make_directory_return_filename_path(filename) 115 | local_filename = (filename.split('/')[-1]).rstrip() 116 | print('[*] local {}'.format(local_path)) 117 | if local_filename =="": 118 | print("Directory..\n") 119 | else: 120 | r = requests.get(filename.rstrip(), stream=True) 121 | if 'Content-Length' in r.headers: 122 | if int(r.headers['Content-Length']) > arguments.maxsize: 123 | print("[!] This file is greater than the specified max size.. skipping..\n") 124 | else: 125 | with open(local_path, 'wb') as f: 126 | shutil.copyfileobj(r.raw, f) 127 | r.close() 128 | 129 | def print_banner(): 130 | print('''\nDescription: 131 | "Spaces finder" is a tool to quickly enumerate DigitalOcean Spaces to look for loot. 132 | It's similar to a subdomain bruteforcer but is made specifically to DigitalOcean Spaces 133 | and also has some extra features that allow you to grep for 134 | delicous files as well as download interesting files if you're not 135 | afraid to quickly fill up your hard drive. 136 | 137 | by 0xbharath 138 | ''' 139 | ) 140 | 141 | def cleanup(): 142 | print("[-] Cleaning Up Files") 143 | 144 | def public_spaces_count(): 145 | print("\033[1;32m[*] Total number of public Spaces found - {}\033[1;m".format(total_public_spaces)) 146 | 147 | def status403(line): 148 | print("[!] " + line.rstrip() + " is not accessible") 149 | 150 | def queue_up_download(filepath): 151 | download_q.put(filepath) 152 | print('[*] Collectable: {}'.format(filepath)) 153 | write_interesting_file(filepath) 154 | 155 | def status200(response,grep_list,line): 156 | global total_public_spaces 157 | total_public_spaces += 1 158 | print("\033[1;31m[*] {} is publicly accessible\033[1;m".format(line.rstrip())) 159 | print("[+] Pilfering "+line.rstrip()) 160 | objects=xmltodict.parse(response.text) 161 | Keys = [] 162 | interest=[] 163 | try: 164 | for child in objects['ListBucketResult']['Contents']: 165 | Keys.append(child['Key']) 166 | except: 167 | pass 168 | hit = False 169 | for words in Keys: 170 | words = (str(words)).rstrip() 171 | collectable = line+'/'+words 172 | if grep_list != None and len(grep_list) > 0: 173 | for grep_line in grep_list: 174 | grep_line = (str(grep_line)).rstrip() 175 | if grep_line in words: 176 | queue_up_download(collectable) 177 | break 178 | else: 179 | queue_up_download(collectable) 180 | return total_public_spaces 181 | 182 | def main(): 183 | global arguments 184 | global grep_list 185 | parser = ArgumentParser() 186 | parser.add_argument("-D", dest="download", required=False, action="store_true", default=False, help="Download files. This requires significant diskspace") 187 | parser.add_argument("-d", dest="savedir", required=False, default='', help="if -D, then -d 1 to create save directories for each space with results.") 188 | parser.add_argument("-l", dest="hostlist", required=True, help="") 189 | parser.add_argument("-g", dest="grepwords", required=False, help="Provide a wordlist to grep for") 190 | parser.add_argument("-m", dest="maxsize", type=int, required=False, default=1024, help="Maximum file size to download.") 191 | parser.add_argument("-t", dest="threads", type=int, required=False, default=1, help="thread count.") 192 | 193 | if len(sys.argv) == 1: 194 | print_banner() 195 | parser.error("[!] No arguments given.") 196 | parser.print_usage 197 | sys.exit() 198 | 199 | # output parsed arguments into a usable object 200 | arguments = parser.parse_args() 201 | 202 | # specify primary variables 203 | with open(arguments.grepwords, "r") as grep_file: 204 | grep_content = grep_file.readlines() 205 | grep_list = [ g.strip() for g in grep_content ] 206 | 207 | if arguments.download and arguments.savedir: 208 | print("[*] Downloads enabled (-D), and save directories (-d) for each host will be created/used") 209 | elif arguments.download and not arguments.savedir: 210 | print("[*] Downloads enabled (-D), and will be saved to current directory") 211 | else: 212 | print("[*] Downloads were not enabled (-D), not saving results locally.") 213 | 214 | # start up bucket workers 215 | for i in range(0,arguments.threads): 216 | print('[+] starting thread') 217 | t = Thread(target=bucket_worker) 218 | t.daemon = True 219 | t.start() 220 | 221 | # start download workers 222 | for i in range(1, arguments.threads): 223 | t = Thread(target=downloadWorker) 224 | t.daemon = True 225 | t.start() 226 | 227 | with open(arguments.hostlist) as f: 228 | for line in f: 229 | for region in regions: 230 | bucket = 'https://'+line.rstrip()+'.'+region+'.digitaloceanspaces.com' 231 | print('[+] queuing {}'.format(bucket)) 232 | bucket_q.put(bucket) 233 | 234 | bucket_q.join() 235 | if arguments.download: 236 | download_q.join() 237 | 238 | public_spaces_count() 239 | cleanup() 240 | 241 | if __name__ == "__main__": 242 | main() 243 | 244 | --------------------------------------------------------------------------------