├── BucketNames.txt ├── README.md └── amazon-s3-enum.py /BucketNames.txt: -------------------------------------------------------------------------------- 1 | 0 2 | 01 3 | 02 4 | 03 5 | 1 6 | 10 7 | 11 8 | 12 9 | 13 10 | 14 11 | 15 12 | 16 13 | 17 14 | 18 15 | 19 16 | 2 17 | 20 18 | 3 19 | 3com 20 | 4 21 | 5 22 | 6 23 | 7 24 | 8 25 | 9 26 | ILMI 27 | a 28 | a.auth-ns 29 | a01 30 | a02 31 | a1 32 | a2 33 | abc 34 | about 35 | ac 36 | academico 37 | acceso 38 | access 39 | accounting 40 | accounts 41 | acid 42 | activestat 43 | ad 44 | adam 45 | adkit 46 | admin 47 | administracion 48 | administrador 49 | administrator 50 | administrators 51 | admins 52 | ads 53 | adserver 54 | adsl 55 | ae 56 | af 57 | affiliate 58 | affiliates 59 | afiliados 60 | ag 61 | agenda 62 | agent 63 | ai 64 | aix 65 | ajax 66 | ak 67 | akamai 68 | al 69 | alabama 70 | alaska 71 | albuquerque 72 | alerts 73 | alpha 74 | alterwind 75 | am 76 | amarillo 77 | americas 78 | an 79 | anaheim 80 | analyzer 81 | announce 82 | announcements 83 | antivirus 84 | ao 85 | ap 86 | apache 87 | apollo 88 | app 89 | app01 90 | app1 91 | apple 92 | application 93 | applications 94 | apps 95 | appserver 96 | aq 97 | ar 98 | archie 99 | arcsight 100 | argentina 101 | arizona 102 | arkansas 103 | arlington 104 | as 105 | as400 106 | asia 107 | asterix 108 | at 109 | athena 110 | atlanta 111 | atlas 112 | att 113 | au 114 | auction 115 | austin 116 | auth 117 | auto 118 | autodiscover 119 | autorun 120 | av 121 | aw 122 | ayuda 123 | az 124 | b 125 | b.auth-ns 126 | b01 127 | b02 128 | b1 129 | b2 130 | b2b 131 | b2c 132 | ba 133 | back 134 | backend 135 | backup 136 | baker 137 | bakersfield 138 | balance 139 | balancer 140 | baltimore 141 | banking 142 | bayarea 143 | bb 144 | bbdd 145 | bbs 146 | bd 147 | bdc 148 | be 149 | bea 150 | beta 151 | bf 152 | bg 153 | bh 154 | bi 155 | billing 156 | biz 157 | biztalk 158 | bj 159 | black 160 | blackberry 161 | blog 162 | blogs 163 | blue 164 | bm 165 | bn 166 | bnc 
167 | bo 168 | bob 169 | bof 170 | boise 171 | bolsa 172 | border 173 | boston 174 | boulder 175 | boy 176 | br 177 | bravo 178 | brazil 179 | britian 180 | broadcast 181 | broker 182 | bronze 183 | brown 184 | bs 185 | bsd 186 | bsd0 187 | bsd01 188 | bsd02 189 | bsd1 190 | bsd2 191 | bt 192 | bug 193 | buggalo 194 | bugs 195 | bugzilla 196 | build 197 | bulletins 198 | burn 199 | burner 200 | buscador 201 | buy 202 | bv 203 | bw 204 | by 205 | bz 206 | c 207 | c.auth-ns 208 | ca 209 | cache 210 | cafe 211 | calendar 212 | california 213 | call 214 | calvin 215 | canada 216 | canal 217 | canon 218 | careers 219 | catalog 220 | cc 221 | cd 222 | cdburner 223 | cdn 224 | cert 225 | certificates 226 | certify 227 | certserv 228 | certsrv 229 | cf 230 | cg 231 | cgi 232 | ch 233 | channel 234 | channels 235 | charlie 236 | charlotte 237 | chat 238 | chats 239 | chatserver 240 | check 241 | checkpoint 242 | chi 243 | chicago 244 | ci 245 | cims 246 | cincinnati 247 | cisco 248 | citrix 249 | ck 250 | cl 251 | class 252 | classes 253 | classifieds 254 | classroom 255 | cleveland 256 | clicktrack 257 | client 258 | clientes 259 | clients 260 | club 261 | clubs 262 | cluster 263 | clusters 264 | cm 265 | cmail 266 | cms 267 | cn 268 | co 269 | cocoa 270 | code 271 | coldfusion 272 | colombus 273 | colorado 274 | columbus 275 | com 276 | commerce 277 | commerceserver 278 | communigate 279 | community 280 | compaq 281 | compras 282 | con 283 | concentrator 284 | conf 285 | conference 286 | conferencing 287 | confidential 288 | connect 289 | connecticut 290 | consola 291 | console 292 | consult 293 | consultant 294 | consultants 295 | consulting 296 | consumer 297 | contact 298 | content 299 | contracts 300 | core 301 | core0 302 | core01 303 | corp 304 | corpmail 305 | corporate 306 | correo 307 | correoweb 308 | cortafuegos 309 | counterstrike 310 | courses 311 | cr 312 | cricket 313 | crm 314 | crs 315 | cs 316 | cso 317 | css 318 | ct 319 | cu 320 | cust1 321 | cust10 
322 | cust100 323 | cust101 324 | cust102 325 | cust103 326 | cust104 327 | cust105 328 | cust106 329 | cust107 330 | cust108 331 | cust109 332 | cust11 333 | cust110 334 | cust111 335 | cust112 336 | cust113 337 | cust114 338 | cust115 339 | cust116 340 | cust117 341 | cust118 342 | cust119 343 | cust12 344 | cust120 345 | cust121 346 | cust122 347 | cust123 348 | cust124 349 | cust125 350 | cust126 351 | cust13 352 | cust14 353 | cust15 354 | cust16 355 | cust17 356 | cust18 357 | cust19 358 | cust2 359 | cust20 360 | cust21 361 | cust22 362 | cust23 363 | cust24 364 | cust25 365 | cust26 366 | cust27 367 | cust28 368 | cust29 369 | cust3 370 | cust30 371 | cust31 372 | cust32 373 | cust33 374 | cust34 375 | cust35 376 | cust36 377 | cust37 378 | cust38 379 | cust39 380 | cust4 381 | cust40 382 | cust41 383 | cust42 384 | cust43 385 | cust44 386 | cust45 387 | cust46 388 | cust47 389 | cust48 390 | cust49 391 | cust5 392 | cust50 393 | cust51 394 | cust52 395 | cust53 396 | cust54 397 | cust55 398 | cust56 399 | cust57 400 | cust58 401 | cust59 402 | cust6 403 | cust60 404 | cust61 405 | cust62 406 | cust63 407 | cust64 408 | cust65 409 | cust66 410 | cust67 411 | cust68 412 | cust69 413 | cust7 414 | cust70 415 | cust71 416 | cust72 417 | cust73 418 | cust74 419 | cust75 420 | cust76 421 | cust77 422 | cust78 423 | cust79 424 | cust8 425 | cust80 426 | cust81 427 | cust82 428 | cust83 429 | cust84 430 | cust85 431 | cust86 432 | cust87 433 | cust88 434 | cust89 435 | cust9 436 | cust90 437 | cust91 438 | cust92 439 | cust93 440 | cust94 441 | cust95 442 | cust96 443 | cust97 444 | cust98 445 | cust99 446 | customer 447 | customers 448 | cv 449 | cvs 450 | cx 451 | cy 452 | cz 453 | d 454 | dallas 455 | data 456 | database 457 | database01 458 | database02 459 | database1 460 | database2 461 | databases 462 | datastore 463 | datos 464 | david 465 | db 466 | db0 467 | db01 468 | db02 469 | db1 470 | db2 471 | dc 472 | de 473 | dealers 474 | dec 475 | def 476 | 
default 477 | defiant 478 | delaware 479 | dell 480 | delta 481 | delta1 482 | demo 483 | demonstration 484 | demos 485 | denver 486 | depot 487 | des 488 | desarrollo 489 | descargas 490 | design 491 | designer 492 | desktop 493 | detroit 494 | dev 495 | dev0 496 | dev01 497 | dev1 498 | devel 499 | develop 500 | developer 501 | developers 502 | development 503 | device 504 | devserver 505 | devsql 506 | dhcp 507 | dial 508 | dialup 509 | digital 510 | dilbert 511 | dir 512 | direct 513 | directory 514 | disc 515 | discovery 516 | discuss 517 | discussion 518 | discussions 519 | disk 520 | disney 521 | distributer 522 | distributers 523 | dj 524 | dk 525 | dm 526 | dmail 527 | dmz 528 | dnews 529 | dns 530 | dns-2 531 | dns0 532 | dns1 533 | dns2 534 | dns3 535 | do 536 | docs 537 | documentacion 538 | documentos 539 | domain 540 | domains 541 | dominio 542 | domino 543 | dominoweb 544 | doom 545 | download 546 | downloads 547 | downtown 548 | dragon 549 | drupal 550 | dsl 551 | dyn 552 | dynamic 553 | dynip 554 | dz 555 | e 556 | e-com 557 | e-commerce 558 | e0 559 | eagle 560 | earth 561 | east 562 | ec 563 | echo 564 | ecom 565 | ecommerce 566 | edi 567 | edu 568 | education 569 | edward 570 | ee 571 | eg 572 | eh 573 | ejemplo 574 | elpaso 575 | email 576 | employees 577 | empresa 578 | empresas 579 | en 580 | enable 581 | eng 582 | eng01 583 | eng1 584 | engine 585 | engineer 586 | engineering 587 | enterprise 588 | epsilon 589 | er 590 | erp 591 | es 592 | esd 593 | esm 594 | espanol 595 | estadisticas 596 | esx 597 | et 598 | eta 599 | europe 600 | events 601 | example 602 | exchange 603 | exec 604 | extern 605 | external 606 | extranet 607 | f 608 | f5 609 | falcon 610 | farm 611 | faststats 612 | fax 613 | feedback 614 | feeds 615 | fi 616 | field 617 | file 618 | files 619 | fileserv 620 | fileserver 621 | filestore 622 | filter 623 | find 624 | finger 625 | firewall 626 | fix 627 | fixes 628 | fj 629 | fk 630 | fl 631 | flash 632 | florida 633 | flow 
634 | fm 635 | fo 636 | foobar 637 | formacion 638 | foro 639 | foros 640 | fortworth 641 | forum 642 | forums 643 | foto 644 | fotos 645 | foundry 646 | fox 647 | foxtrot 648 | fr 649 | france 650 | frank 651 | fred 652 | freebsd 653 | freebsd0 654 | freebsd01 655 | freebsd02 656 | freebsd1 657 | freebsd2 658 | freeware 659 | fresno 660 | front 661 | frontdesk 662 | fs 663 | fsp 664 | ftp 665 | ftp- 666 | ftp0 667 | ftp2 668 | ftpserver 669 | fw 670 | fw-1 671 | fw1 672 | fwsm 673 | fwsm0 674 | fwsm01 675 | fwsm1 676 | g 677 | ga 678 | galeria 679 | galerias 680 | galleries 681 | gallery 682 | games 683 | gamma 684 | gandalf 685 | gate 686 | gatekeeper 687 | gateway 688 | gauss 689 | gd 690 | ge 691 | gemini 692 | general 693 | george 694 | georgia 695 | germany 696 | gf 697 | gg 698 | gh 699 | gi 700 | gl 701 | glendale 702 | gm 703 | gmail 704 | gn 705 | go 706 | gold 707 | goldmine 708 | golf 709 | gopher 710 | gp 711 | gq 712 | gr 713 | green 714 | group 715 | groups 716 | groupwise 717 | gs 718 | gsx 719 | gt 720 | gu 721 | guest 722 | gw 723 | gw1 724 | gy 725 | h 726 | hal 727 | halflife 728 | hawaii 729 | hello 730 | help 731 | helpdesk 732 | helponline 733 | henry 734 | hermes 735 | hi 736 | hidden 737 | hk 738 | hm 739 | hn 740 | hobbes 741 | hollywood 742 | home 743 | homebase 744 | homer 745 | honeypot 746 | honolulu 747 | host 748 | host1 749 | host3 750 | host4 751 | host5 752 | hotel 753 | hotjobs 754 | houstin 755 | houston 756 | howto 757 | hp 758 | hpov 759 | hr 760 | ht 761 | http 762 | https 763 | hu 764 | hub 765 | humanresources 766 | i 767 | ia 768 | ias 769 | ibm 770 | ibmdb 771 | id 772 | ida 773 | idaho 774 | ids 775 | ie 776 | iis 777 | il 778 | illinois 779 | im 780 | images 781 | imail 782 | imap 783 | imap4 784 | img 785 | img0 786 | img01 787 | img02 788 | in 789 | inbound 790 | inc 791 | include 792 | incoming 793 | india 794 | indiana 795 | indianapolis 796 | info 797 | informix 798 | inside 799 | install 800 | int 801 | intern 802 
| internal 803 | international 804 | internet 805 | intl 806 | intranet 807 | invalid 808 | investor 809 | investors 810 | io 811 | iota 812 | iowa 813 | iplanet 814 | ipmonitor 815 | ipsec 816 | ipsec-gw 817 | ipv6 818 | ipv6.teredo 819 | iq 820 | ir 821 | irc 822 | ircd 823 | ircserver 824 | ireland 825 | iris 826 | irvine 827 | irving 828 | is 829 | isa 830 | isaserv 831 | isaserver 832 | ism 833 | israel 834 | isync 835 | it 836 | italy 837 | ix 838 | j 839 | japan 840 | java 841 | je 842 | jedi 843 | jm 844 | jo 845 | jobs 846 | john 847 | jp 848 | jrun 849 | juegos 850 | juliet 851 | juliette 852 | juniper 853 | k 854 | kansas 855 | kansascity 856 | kappa 857 | kb 858 | ke 859 | kentucky 860 | kerberos 861 | keynote 862 | kg 863 | kh 864 | ki 865 | kilo 866 | king 867 | km 868 | kn 869 | knowledgebase 870 | knoxville 871 | koe 872 | korea 873 | kp 874 | kr 875 | ks 876 | kw 877 | ky 878 | kz 879 | l 880 | la 881 | lab 882 | laboratory 883 | labs 884 | lambda 885 | lan 886 | laptop 887 | laserjet 888 | lasvegas 889 | launch 890 | lb 891 | lc 892 | ldap 893 | legal 894 | leo 895 | li 896 | lib 897 | library 898 | lima 899 | lincoln 900 | link 901 | linux 902 | linux0 903 | linux01 904 | linux02 905 | linux1 906 | linux2 907 | lista 908 | lists 909 | listserv 910 | listserver 911 | live 912 | lk 913 | load 914 | loadbalancer 915 | local 916 | localhost 917 | log 918 | log0 919 | log01 920 | log02 921 | log1 922 | log2 923 | logfile 924 | logfiles 925 | logger 926 | logging 927 | loghost 928 | login 929 | logs 930 | london 931 | longbeach 932 | losangeles 933 | lotus 934 | louisiana 935 | lr 936 | ls 937 | lt 938 | lu 939 | luke 940 | lv 941 | ly 942 | lyris 943 | m 944 | ma 945 | mac 946 | mac1 947 | mac10 948 | mac11 949 | mac2 950 | mac3 951 | mac4 952 | mac5 953 | mach 954 | macintosh 955 | madrid 956 | mail 957 | mail2 958 | mailer 959 | mailgate 960 | mailhost 961 | mailing 962 | maillist 963 | maillists 964 | mailroom 965 | mailserv 966 | mailsite 967 | 
mailsrv 968 | main 969 | maine 970 | maint 971 | mall 972 | manage 973 | management 974 | manager 975 | manufacturing 976 | map 977 | mapas 978 | maps 979 | marketing 980 | marketplace 981 | mars 982 | marvin 983 | mary 984 | maryland 985 | massachusetts 986 | master 987 | max 988 | mc 989 | mci 990 | md 991 | mdaemon 992 | me 993 | media 994 | member 995 | members 996 | memphis 997 | mercury 998 | merlin 999 | messages 1000 | messenger 1001 | mg 1002 | mgmt 1003 | mh 1004 | mi 1005 | miami 1006 | michigan 1007 | mickey 1008 | midwest 1009 | mike 1010 | milwaukee 1011 | minneapolis 1012 | minnesota 1013 | mirror 1014 | mis 1015 | mississippi 1016 | missouri 1017 | mk 1018 | ml 1019 | mm 1020 | mn 1021 | mngt 1022 | mo 1023 | mobile 1024 | mobilemail 1025 | mom 1026 | monitor 1027 | monitoring 1028 | montana 1029 | moon 1030 | moscow 1031 | movies 1032 | mozart 1033 | mp 1034 | mp3 1035 | mpeg 1036 | mpg 1037 | mq 1038 | mr 1039 | mrtg 1040 | ms 1041 | ms-exchange 1042 | ms-sql 1043 | msexchange 1044 | mssql 1045 | mssql0 1046 | mssql01 1047 | mssql1 1048 | mt 1049 | mta 1050 | mtu 1051 | mu 1052 | multimedia 1053 | music 1054 | mv 1055 | mw 1056 | mx 1057 | my 1058 | mysql 1059 | mysql0 1060 | mysql01 1061 | mysql1 1062 | mz 1063 | n 1064 | na 1065 | name 1066 | names 1067 | nameserv 1068 | nameserver 1069 | nas 1070 | nashville 1071 | nat 1072 | nc 1073 | nd 1074 | nds 1075 | ne 1076 | nebraska 1077 | neptune 1078 | net 1079 | netapp 1080 | netdata 1081 | netgear 1082 | netmeeting 1083 | netscaler 1084 | netscreen 1085 | netstats 1086 | network 1087 | nevada 1088 | new 1089 | newhampshire 1090 | newjersey 1091 | newmexico 1092 | neworleans 1093 | news 1094 | newsfeed 1095 | newsfeeds 1096 | newsgroups 1097 | newton 1098 | newyork 1099 | newzealand 1100 | nf 1101 | ng 1102 | nh 1103 | ni 1104 | nigeria 1105 | nj 1106 | nl 1107 | nm 1108 | nms 1109 | nntp 1110 | no 1111 | node 1112 | nokia 1113 | nombres 1114 | nora 1115 | north 1116 | northcarolina 1117 | 
northdakota 1118 | northeast 1119 | northwest 1120 | noticias 1121 | novell 1122 | november 1123 | np 1124 | nr 1125 | ns 1126 | ns- 1127 | ns0 1128 | ns01 1129 | ns02 1130 | ns1 1131 | ns2 1132 | ns3 1133 | ns4 1134 | ns5 1135 | nt 1136 | nt4 1137 | nt40 1138 | ntmail 1139 | ntp 1140 | ntserver 1141 | nu 1142 | null 1143 | nv 1144 | ny 1145 | nz 1146 | o 1147 | oakland 1148 | ocean 1149 | odin 1150 | office 1151 | offices 1152 | oh 1153 | ohio 1154 | ok 1155 | oklahoma 1156 | oklahomacity 1157 | old 1158 | om 1159 | omaha 1160 | omega 1161 | omicron 1162 | online 1163 | ontario 1164 | open 1165 | openbsd 1166 | openview 1167 | operations 1168 | ops 1169 | ops0 1170 | ops01 1171 | ops02 1172 | ops1 1173 | ops2 1174 | opsware 1175 | or 1176 | oracle 1177 | orange 1178 | order 1179 | orders 1180 | oregon 1181 | orion 1182 | orlando 1183 | oscar 1184 | out 1185 | outbound 1186 | outgoing 1187 | outlook 1188 | outside 1189 | ov 1190 | owa 1191 | owa01 1192 | owa02 1193 | owa1 1194 | owa2 1195 | ows 1196 | oxnard 1197 | p 1198 | pa 1199 | page 1200 | pager 1201 | pages 1202 | paginas 1203 | papa 1204 | paris 1205 | parners 1206 | partner 1207 | partners 1208 | patch 1209 | patches 1210 | paul 1211 | payroll 1212 | pbx 1213 | pc 1214 | pc01 1215 | pc1 1216 | pc10 1217 | pc101 1218 | pc11 1219 | pc12 1220 | pc13 1221 | pc14 1222 | pc15 1223 | pc16 1224 | pc17 1225 | pc18 1226 | pc19 1227 | pc2 1228 | pc20 1229 | pc21 1230 | pc22 1231 | pc23 1232 | pc24 1233 | pc25 1234 | pc26 1235 | pc27 1236 | pc28 1237 | pc29 1238 | pc3 1239 | pc30 1240 | pc31 1241 | pc32 1242 | pc33 1243 | pc34 1244 | pc35 1245 | pc36 1246 | pc37 1247 | pc38 1248 | pc39 1249 | pc4 1250 | pc40 1251 | pc41 1252 | pc42 1253 | pc43 1254 | pc44 1255 | pc45 1256 | pc46 1257 | pc47 1258 | pc48 1259 | pc49 1260 | pc5 1261 | pc50 1262 | pc51 1263 | pc52 1264 | pc53 1265 | pc54 1266 | pc55 1267 | pc56 1268 | pc57 1269 | pc58 1270 | pc59 1271 | pc6 1272 | pc60 1273 | pc7 1274 | pc8 1275 | pc9 1276 | pcmail 1277 | 
pda 1278 | pdc 1279 | pe 1280 | pegasus 1281 | pennsylvania 1282 | peoplesoft 1283 | personal 1284 | pf 1285 | pg 1286 | pgp 1287 | ph 1288 | phi 1289 | philadelphia 1290 | phoenix 1291 | phoeniz 1292 | phone 1293 | phones 1294 | photos 1295 | pi 1296 | pics 1297 | pictures 1298 | pink 1299 | pipex-gw 1300 | pittsburgh 1301 | pix 1302 | pk 1303 | pki 1304 | pl 1305 | plano 1306 | platinum 1307 | pluto 1308 | pm 1309 | pm1 1310 | pn 1311 | po 1312 | policy 1313 | polls 1314 | pop 1315 | pop3 1316 | portal 1317 | portals 1318 | portfolio 1319 | portland 1320 | post 1321 | postales 1322 | postoffice 1323 | ppp1 1324 | ppp10 1325 | ppp11 1326 | ppp12 1327 | ppp13 1328 | ppp14 1329 | ppp15 1330 | ppp16 1331 | ppp17 1332 | ppp18 1333 | ppp19 1334 | ppp2 1335 | ppp20 1336 | ppp21 1337 | ppp3 1338 | ppp4 1339 | ppp5 1340 | ppp6 1341 | ppp7 1342 | ppp8 1343 | ppp9 1344 | pptp 1345 | pr 1346 | prensa 1347 | press 1348 | printer 1349 | printserv 1350 | printserver 1351 | priv 1352 | privacy 1353 | private 1354 | problemtracker 1355 | products 1356 | profiles 1357 | project 1358 | projects 1359 | promo 1360 | proxy 1361 | prueba 1362 | pruebas 1363 | ps 1364 | psi 1365 | pss 1366 | pt 1367 | pub 1368 | public 1369 | pubs 1370 | purple 1371 | pw 1372 | py 1373 | q 1374 | qa 1375 | qmail 1376 | qotd 1377 | quake 1378 | quebec 1379 | queen 1380 | quotes 1381 | r 1382 | r01 1383 | r02 1384 | r1 1385 | r2 1386 | ra 1387 | radio 1388 | radius 1389 | rapidsite 1390 | raptor 1391 | ras 1392 | rc 1393 | rcs 1394 | rd 1395 | re 1396 | read 1397 | realserver 1398 | recruiting 1399 | red 1400 | redhat 1401 | ref 1402 | reference 1403 | reg 1404 | register 1405 | registro 1406 | registry 1407 | regs 1408 | relay 1409 | rem 1410 | remote 1411 | remstats 1412 | reports 1413 | research 1414 | reseller 1415 | reserved 1416 | resumenes 1417 | rho 1418 | rhodeisland 1419 | ri 1420 | ris 1421 | rmi 1422 | ro 1423 | robert 1424 | romeo 1425 | root 1426 | rose 1427 | route 1428 | router 1429 | 
router1 1430 | rs 1431 | rss 1432 | rtelnet 1433 | rtr 1434 | rtr01 1435 | rtr1 1436 | ru 1437 | rune 1438 | rw 1439 | rwhois 1440 | s 1441 | s1 1442 | s2 1443 | sa 1444 | sac 1445 | sacramento 1446 | sadmin 1447 | safe 1448 | sales 1449 | saltlake 1450 | sam 1451 | san 1452 | sanantonio 1453 | sandiego 1454 | sanfrancisco 1455 | sanjose 1456 | saskatchewan 1457 | saturn 1458 | sb 1459 | sbs 1460 | sc 1461 | scanner 1462 | schedules 1463 | scotland 1464 | scotty 1465 | sd 1466 | se 1467 | search 1468 | seattle 1469 | sec 1470 | secret 1471 | secure 1472 | secured 1473 | securid 1474 | security 1475 | sendmail 1476 | seri 1477 | serv 1478 | serv2 1479 | server 1480 | server1 1481 | servers 1482 | service 1483 | services 1484 | servicio 1485 | servidor 1486 | setup 1487 | sg 1488 | sh 1489 | shared 1490 | sharepoint 1491 | shareware 1492 | shipping 1493 | shop 1494 | shoppers 1495 | shopping 1496 | si 1497 | siebel 1498 | sierra 1499 | sigma 1500 | signin 1501 | signup 1502 | silver 1503 | sim 1504 | sirius 1505 | site 1506 | sj 1507 | sk 1508 | skywalker 1509 | sl 1510 | slackware 1511 | slmail 1512 | sm 1513 | smc 1514 | sms 1515 | smtp 1516 | smtphost 1517 | sn 1518 | sniffer 1519 | snmp 1520 | snmpd 1521 | snoopy 1522 | snort 1523 | so 1524 | soap 1525 | socal 1526 | software 1527 | sol 1528 | solaris 1529 | solutions 1530 | soporte 1531 | source 1532 | sourcecode 1533 | sourcesafe 1534 | south 1535 | southcarolina 1536 | southdakota 1537 | southeast 1538 | southwest 1539 | spain 1540 | spam 1541 | spider 1542 | spiderman 1543 | splunk 1544 | spock 1545 | spokane 1546 | springfield 1547 | sprint 1548 | sqa 1549 | sql 1550 | sql0 1551 | sql01 1552 | sql1 1553 | sql7 1554 | sqlserver 1555 | squid 1556 | sr 1557 | ss 1558 | ssh 1559 | ssl 1560 | ssl0 1561 | ssl01 1562 | ssl1 1563 | st 1564 | staff 1565 | stage 1566 | staging 1567 | start 1568 | stat 1569 | static 1570 | statistics 1571 | stats 1572 | stlouis 1573 | stock 1574 | storage 1575 | store 1576 | storefront 
1577 | streaming 1578 | stronghold 1579 | strongmail 1580 | studio 1581 | submit 1582 | subversion 1583 | sun 1584 | sun0 1585 | sun01 1586 | sun02 1587 | sun1 1588 | sun2 1589 | superman 1590 | supplier 1591 | suppliers 1592 | support 1593 | sv 1594 | sw 1595 | sw0 1596 | sw01 1597 | sw1 1598 | sweden 1599 | switch 1600 | switzerland 1601 | sy 1602 | sybase 1603 | sydney 1604 | sysadmin 1605 | sysback 1606 | syslog 1607 | syslogs 1608 | system 1609 | sz 1610 | t 1611 | tacoma 1612 | taiwan 1613 | talk 1614 | tampa 1615 | tango 1616 | tau 1617 | tc 1618 | tcl 1619 | td 1620 | team 1621 | tech 1622 | technology 1623 | techsupport 1624 | telephone 1625 | telephony 1626 | telnet 1627 | temp 1628 | tennessee 1629 | terminal 1630 | terminalserver 1631 | termserv 1632 | test 1633 | test2k 1634 | testajax 1635 | testasp 1636 | testaspnet 1637 | testbed 1638 | testcf 1639 | testing 1640 | testjsp 1641 | testlab 1642 | testlinux 1643 | testphp 1644 | testserver 1645 | testsite 1646 | testsql 1647 | testxp 1648 | texas 1649 | tf 1650 | tftp 1651 | tg 1652 | th 1653 | thailand 1654 | theta 1655 | thor 1656 | tienda 1657 | tiger 1658 | time 1659 | titan 1660 | tivoli 1661 | tj 1662 | tk 1663 | tm 1664 | tn 1665 | to 1666 | tokyo 1667 | toledo 1668 | tom 1669 | tool 1670 | tools 1671 | toplayer 1672 | toronto 1673 | tour 1674 | tp 1675 | tr 1676 | tracker 1677 | train 1678 | training 1679 | transfers 1680 | trinidad 1681 | trinity 1682 | ts 1683 | ts1 1684 | tt 1685 | tucson 1686 | tulsa 1687 | tunnel 1688 | tv 1689 | tw 1690 | tx 1691 | tz 1692 | u 1693 | ua 1694 | uddi 1695 | ug 1696 | uk 1697 | um 1698 | uniform 1699 | union 1700 | unitedkingdom 1701 | unitedstates 1702 | unix 1703 | unixware 1704 | update 1705 | updates 1706 | upload 1707 | ups 1708 | upsilon 1709 | uranus 1710 | urchin 1711 | us 1712 | usa 1713 | usenet 1714 | user 1715 | users 1716 | ut 1717 | utah 1718 | utilities 1719 | uy 1720 | uz 1721 | v 1722 | v6 1723 | va 1724 | vader 1725 | vantive 1726 | vault 
1727 | vc 1728 | ve 1729 | vega 1730 | vegas 1731 | vend 1732 | vendors 1733 | venus 1734 | vermont 1735 | vg 1736 | vi 1737 | victor 1738 | video 1739 | videos 1740 | viking 1741 | violet 1742 | vip 1743 | virginia 1744 | vista 1745 | vm 1746 | vmserver 1747 | vmware 1748 | vn 1749 | vnc 1750 | voice 1751 | voicemail 1752 | voip 1753 | voyager 1754 | vpn 1755 | vpn0 1756 | vpn01 1757 | vpn02 1758 | vpn1 1759 | vpn2 1760 | vt 1761 | vu 1762 | w 1763 | w1 1764 | w2 1765 | w3 1766 | wa 1767 | wais 1768 | wallet 1769 | wam 1770 | wan 1771 | wap 1772 | warehouse 1773 | washington 1774 | wc3 1775 | web 1776 | webaccess 1777 | webadmin 1778 | webalizer 1779 | webboard 1780 | webcache 1781 | webcam 1782 | webcast 1783 | webdev 1784 | webdocs 1785 | webfarm 1786 | webhelp 1787 | weblib 1788 | weblogic 1789 | webmail 1790 | webmaster 1791 | webproxy 1792 | webring 1793 | webs 1794 | webserv 1795 | webserver 1796 | webservices 1797 | website 1798 | websites 1799 | websphere 1800 | websrv 1801 | websrvr 1802 | webstats 1803 | webstore 1804 | websvr 1805 | webtrends 1806 | welcome 1807 | west 1808 | westvirginia 1809 | wf 1810 | whiskey 1811 | white 1812 | whois 1813 | wi 1814 | wichita 1815 | wiki 1816 | wililiam 1817 | win 1818 | win01 1819 | win02 1820 | win1 1821 | win2 1822 | win2000 1823 | win2003 1824 | win2k 1825 | win2k3 1826 | windows 1827 | windows01 1828 | windows02 1829 | windows1 1830 | windows2 1831 | windows2000 1832 | windows2003 1833 | windowsxp 1834 | wingate 1835 | winnt 1836 | winproxy 1837 | wins 1838 | winserve 1839 | winxp 1840 | wire 1841 | wireless 1842 | wisconsin 1843 | wlan 1844 | wordpress 1845 | work 1846 | world 1847 | wpad 1848 | write 1849 | ws 1850 | ws1 1851 | ws10 1852 | ws11 1853 | ws12 1854 | ws13 1855 | ws2 1856 | ws3 1857 | ws4 1858 | ws5 1859 | ws6 1860 | ws7 1861 | ws8 1862 | ws9 1863 | wusage 1864 | wv 1865 | ww 1866 | www 1867 | www- 1868 | www-01 1869 | www-02 1870 | www-1 1871 | www-2 1872 | www-int 1873 | www0 1874 | www01 1875 | 
www02 1876 | www1 1877 | www2 1878 | www3 1879 | wwwchat 1880 | wwwdev 1881 | wwwmail 1882 | wy 1883 | wyoming 1884 | x 1885 | x-ray 1886 | xi 1887 | xlogan 1888 | xmail 1889 | xml 1890 | xp 1891 | y 1892 | yankee 1893 | ye 1894 | yellow 1895 | young 1896 | yt 1897 | yu 1898 | z 1899 | z-log 1900 | za 1901 | zebra 1902 | zera 1903 | zeus 1904 | zlog 1905 | zm 1906 | zulu 1907 | zw 1908 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # s3brute 2 | s3 brute force tool 3 | 4 | # Usage 5 | ``` 6 | python amazon-s3-enum.py -w BucketNames.txt -d example.com 7 | ``` 8 | -------------------------------------------------------------------------------- /amazon-s3-enum.py: --------------------------------------------------------------------------------
import requests
from bs4 import BeautifulSoup
import queue
import threading
import argparse

class amazonBucketClass():
    """Guess S3 bucket hostnames for a domain and record how each one answers.

    Candidate URLs are built from a wordlist plus the target domain, fetched
    over plain HTTP by worker threads, and classified from the ``<Message>``
    element of the XML response. A separate method collects the object listing
    of a bucket that answers listing requests.

    The candidates are only ``<word>.<domain>`` and ``<word>-<domain>``, so a
    bucket named after that pattern is guessable; what ends up recorded here is
    decided by the bucket's policy/ACL, not by how obscure its name is.
    """

    def __init__(self,domain,wordlist):
        """Store the search parameters and create empty result containers.

        Args:
            domain: Domain string combined with each wordlist entry; the script
                passes None in listing mode.
            wordlist: Path of the wordlist file read by run(); None in listing
                mode.
        """
        # Work queue of full candidate URLs shared by all worker threads.
        self.q = queue.Queue()
        self.Searchdomain = domain
        self.wordlist = wordlist
        self.amazonBase = ".s3.amazonaws.com"
        # Candidates are requested over plain HTTP, not HTTPS.
        self.httpStart = "http://"
        # Findings: dicts with 'domain' (candidate URL) and 'access' (label).
        self.buckets = []
        # Listing results: dicts with 'key', 'modified' and 'size'.
        self.bucketContent = []
        # Progress flags (0/1); nothing in this file reads them.
        self.bucketDumpDone = 0
        self.bucketCheckDone = 0


    def worker(self):
        """Take candidate URLs off the queue forever and check each one.

        Meant to run in the daemon threads created by startThreads(); the loop
        has no exit condition of its own.
        """
        while 1:
            domain = self.q.get()
            # Reachability pre-check. The response of this GET is discarded and
            # checkS3Bucket() requests the same URL again, so every candidate
            # that resolves costs two requests; an existing bucket with S3
            # server access logging or CloudTrail data events enabled would
            # see them as a back-to-back pair.
            try:
                requests.get(domain,timeout=5)
                self.checkS3Bucket(domain)
            except:
                # Bare except: connection failures, timeouts and any error
                # raised while parsing in checkS3Bucket() are dropped without a
                # trace, so a failed probe looks the same as an unrecorded one.
                pass
            # Mark the item finished in every case so q.join() can return.
            self.q.task_done()

    def run(self):
        """Queue two candidate bucket URLs for every line of the wordlist.

        For each stripped line the candidates are
        ``http://<word>.<domain>.s3.amazonaws.com`` and
        ``http://<word>-<domain>.s3.amazonaws.com``. Empty lines are not
        skipped, so they produce names that begin with "." or "-".
        """
        with open(self.wordlist) as fp:
            for word in fp:
                word = word.strip()
                self.q.put(self.httpStart + word + "." + self.Searchdomain + self.amazonBase)
                self.q.put(self.httpStart + word + "-" + self.Searchdomain + self.amazonBase)
                # Disabled domain-first variants; as written they use bare names
                # (q, httpStart, domain, amazonBase) rather than attributes.
                #q.put(httpStart + domain + "." + word + amazonBase)
                #q.put(httpStart + domain + "-" + word + amazonBase)


    def checkS3Bucket(self,domain):
        """Fetch one candidate URL and record it according to the XML reply.

        Args:
            domain: Full candidate URL, as queued by run().

        Appends a dict to self.buckets when the ``<Message>`` text contains
        'Access Denied' (the message text becomes the label) or when the
        response has no ``<Message>`` element at all (label 'Access Granted').
        Responses carrying any other message are not recorded.
        """
        # Reset on every call; the script sets the flag to 1 after q.join().
        self.bucketCheckDone = 0

        r = requests.get(domain,timeout=5)
        soup = BeautifulSoup(r.content, 'xml')
        message = soup.find('Message')
        #print(domain)
        if message:
            # An 'Access Denied' entry presumably still confirms that the
            # bucket name is taken, even though nothing in it can be read.
            if 'Access Denied' in message.get_text():
                self.buckets.append({'domain':domain,'access':message.get_text()})
            # NOTE(review): the nesting of this elif/else is an assumption
            # (the listing carries no indentation) - confirm against the file.
            # The elif itself does nothing under either reading.
            elif message:
                pass
        else:
            # 'Access Granted' is inferred purely from the missing <Message>
            # element; the HTTP status code is never looked at. For a bucket
            # owner, landing here means anonymous requests are answered without
            # an error document - the setting to review is S3 Block Public
            # Access together with the bucket policy and ACLs.
            self.buckets.append({'domain':domain,'access':'Access Granted'})

    def s3BucketDump(self,domain):
        """Collect key, last-modified time and size of every listed object.

        Args:
            domain: Base URL of the bucket; it is requested exactly as given.

        The results replace self.bucketContent and self.bucketDumpDone is set
        to 1 at the end. Further pages are requested with
        ``?marker=<last key>`` until ``<IsTruncated>`` reads 'false'. Only
        listing metadata is collected; object bodies are never downloaded.

        Raises:
            AttributeError: when a response has no ``<IsTruncated>`` element,
                or an entry lacks Key/LastModified/Size (find() returns None).
            IndexError: when a truncated page arrives before any key has been
                collected.
        """
        self.bucketContent = []
        self.bucketDumpDone = 0

        r = requests.get(domain,timeout=5)
        soup = BeautifulSoup(r.content, 'xml')
        isTruncated = soup.find("IsTruncated").get_text()
        while 1:
            contents = soup.find_all('Contents')
            for content in contents:
                key = content.find("Key").get_text()
                lastModified = content.find("LastModified").get_text()
                size = content.find("Size").get_text()

                self.bucketContent.append({'key':key,'modified':lastModified,'size':size})
                #print {'key':key,'modified':lastModified,'size':size}
            if isTruncated == 'false':
                break

            # Next page starts after the last key seen. Unlike the first
            # request, this one is sent without a timeout.
            r = requests.get(domain + "/?marker="+self.bucketContent[-1]['key'] )
            soup = BeautifulSoup(r.content, 'xml')
            isTruncated = soup.find("IsTruncated").get_text()
        self.bucketDumpDone = 1

    def startThreads(self,i):
        """Start ``i`` daemon threads that each run worker().

        Args:
            i: Number of threads to start; the same name is reused as the loop
                variable below.
        """
        #Spin up workers
        for i in range(i):
            t = threading.Thread(target=self.worker)
            # Daemon threads do not keep the interpreter alive, which is what
            # ends the otherwise endless worker loops when the script exits.
            t.daemon = True
            t.start()


# The string below is a bare expression statement, not a docstring. Its dump
# example uses an s3.amazon.com host, while the class builds names under
# .s3.amazonaws.com.
'''
Use tool to find s3 buckets belonging to a domain. Uses simple brute force.
Once bucket is found we can grab a list of all files in the bucket.

Example:
Find S3Buckets - script.py -d test -w wordlist.txt
Dump Bucket - script.py -d http://dev-test.s3.amazon.com -e 1
'''

# Command-line handling. There is no ``if __name__ == "__main__"`` guard, so
# everything from here on also runs when the file is imported.
parser = argparse.ArgumentParser()
parser.add_argument("-d","--domain", help="Domain Name; EX: test.com")
parser.add_argument("-w","--wordlist", help="Wordlist; EX: test.txt")
parser.add_argument("-e","--extract", help="Etract Bucket Contents; EX: -d test.s3.amazon.com -e 1")
args = parser.parse_args()

# Any non-empty -e value selects listing mode; -d is then passed unchanged to
# s3BucketDump() as the bucket URL instead of being used to build guesses.
if args.extract:
    s3Buck = amazonBucketClass(None,None)
    s3Buck.s3BucketDump(args.domain)
    print("%-30s %-20s %-40s\n" % ("Last Modified","Size","Key"))
    for bucket in s3Buck.bucketContent:
        print("%-30s %-20s %-40s\n" % (bucket['modified'],bucket['size'],bucket['key']))
else:
    # Enumeration mode: -d and -w are not validated; run() fails with a
    # TypeError if either is missing.
    print("Brute forcing s3 buckets......\nThis could take awhile.......")
    s3Buck = amazonBucketClass(args.domain,args.wordlist)
    s3Buck.startThreads(20)
    s3Buck.run()
    # Blocks until every queued candidate has been marked done by a worker.
    s3Buck.q.join()
    s3Buck.bucketCheckDone = 1

    # NOTE(review): the result table and the final message are assumed to
    # belong to this else branch - confirm against the original file.
    print("%-25s %-40s" % ("Access","S3 Bucket"))
    for bucket in s3Buck.buckets:
        print("%-25s %-40s" % (bucket['access'],bucket['domain']))

    print("\n\nDone!")
--------------------------------------------------------------------------------