Awesome

bucketcat

Brute-forces objects within a given bucket using Hashcat mask-like syntax

But why?

Because occasionally you'll come across AWS keys that can S3:GetObject but not S3:ListBucket

Does that really happen that often?

Nope.

So then again.... why

Because I needed to take a break from everything else I'm doing and find an excuse to write some good ol' Python.

Usage

usage: bucketcat.py [-h] [-m MASK | -f INFILE] [-k CREDSFILE] [-p PROFILE]
                    [-b BUCKET] [-t THREADS] [-o OUTFILE] [-s] [-c]

optional arguments:
  -h, --help            show this help message and exit
  -m MASK, --mask MASK  Hashcat-like mask for S3 objects
  -f INFILE, --infile INFILE
                        File with multiple Hashcat-like masks
  -k CREDSFILE, --credsfile CREDSFILE
                        File with the AWS credentials to use. Defaults to .env
  -p PROFILE, --profile PROFILE
                        AWS profile to use.
  -b BUCKET, --bucket BUCKET
                        Target bucket
  -t THREADS, --threads THREADS
                        Number of threads to run with. Defaults to 1.
  -o OUTFILE, --outfile OUTFILE
                        Outfile to dump results to. Defaults to stdout.
  -s, --server          Run as a server in distributed mode (not yet
                        supported)
  -c, --client          Run as a client in distributed mode (not yet
                        supported)

hcmask files

bucketcat uses Hashcat mask-like syntax for generating payloads. For example, this mask would generate all possible three-letter filenames ending in .txt:

?l?l?l.txt

The current character sets are supported by default:

Key	Characters
?l	All lowercase letters
?u	All uppercase letters
?d	All digits
?s	All special chars (via `string.punctuation`)
?a	All characters (via `string.printable`)

Custom characters sets can be created as well, but require passing in file instead of an individual mask:

python3 bucketcat.py -f test.hcmask -b atticusstestbucket

And the contents of test.hcmask:

?1 0123456789abcdef
x?1?1.txt

This creates a new key ?1 assigned to 0-9 and a-f. This example would generate all S3 keys in the form of x00.txt through xff.txt. Note: all user-created character sets must use a digit (e.g ?1). This is to allow hcmask files to search for "?a foobar" without overwriting the ?a set.

TODO

Add support for distributed brute-forcing via the --server and --client flags.