xs3scann3r
xs3scann3r is a command-line interface (CLI) utility to scan S3 bucket permissions.
Features
- Scans all bucket permissions to find misconfigurations
Installation
Install release binaries
Visit the releases page and find the appropriate archive for your operating system and architecture. Download the archive from your browser or copy its URL and retrieve it with wget or curl:
- ...with wget:
wget https://github.com/hueristiq/xs3scann3r/releases/download/v<version>/xs3scann3r-<version>-linux-amd64.tar.gz
- ...or, with curl:
curl -OL https://github.com/hueristiq/xs3scann3r/releases/download/v<version>/xs3scann3r-<version>-linux-amd64.tar.gz
...then, extract the binary:
tar xf xs3scann3r-<version>-linux-amd64.tar.gz
TIP: The above steps, download and extract, can be combined into a single step with this one-liner:
curl -sL https://github.com/hueristiq/xs3scann3r/releases/download/v<version>/xs3scann3r-<version>-linux-amd64.tar.gz | tar -xzv
NOTE: On Windows systems, you should be able to double-click the zip archive to extract the xs3scann3r executable.
...move the xs3scann3r binary to somewhere in your PATH. For example, on GNU/Linux and OS X systems:
sudo mv xs3scann3r /usr/local/bin/
NOTE: Windows users can follow How to: Add Tool Locations to the PATH Environment Variable in order to add xs3scann3r to their PATH.
Install source
Before you install from source, you need to make sure that Go is installed on your system. You can install Go by following the official instructions for your operating system. For this, we will assume that Go is already installed.
go install ...
go install -v github.com/hueristiq/xs3scann3r/cmd/xs3scann3r@latest
go build ... the development version
- Clone the repository
git clone https://github.com/hueristiq/xs3scann3r.git
- Build the utility
cd xs3scann3r/cmd/xs3scann3r && \
go build .
- Move the xs3scann3r binary to somewhere in your PATH. For example, on GNU/Linux and OS X systems:
sudo mv xs3scann3r /usr/local/bin/
NOTE: Windows users can follow How to: Add Tool Locations to the PATH Environment Variable in order to add xs3scann3r to their PATH.
NOTE: While the development version is a good way to take a peek at xs3scann3r's latest features before they get released, be aware that it may have bugs. Officially released versions will generally be more stable.
Usage
NOTE: This tool requires awscli to be installed and configured.
To display the help message for xs3scann3r, use the -h flag:
xs3scann3r -h
help message:
_____ _____
__ _____|___ / ___ ___ __ _ _ __ _ __ |___ / _ __
\ \/ / __| |_ \/ __|/ __/ _` | '_ \| '_ \ |_ \| '__|
> <\__ \___) \__ \ (_| (_| | | | | | | |___) | |
/_/\_\___/____/|___/\___\__,_|_| |_|_| |_|____/|_| v0.0.0
A CLI utility to scan S3 buckets permissions.
USAGE:
xs3scann3r [OPTIONS]
INPUT:
-i, --input input file (use `-` to get from stdin)
CONFIGURATIONS:
-c, --concurrency number of concurrent threads (default: 10)
-d, --dump location to dump objects
OUTPUT:
-m, --monochrome disable output content coloring
-v, --verbosity debug, info, warning, error, fatal or silent (default: info)
xs3scann3r takes buckets in the format:
- Name - e.g. flaws.cloud
- URL style - e.g. s3://flaws.cloud
- Path style - e.g. https://s3.amazonaws.com/flaws.cloud
- Virtual Hosted style - e.g. flaws.cloud.s3.amazonaws.com
Interpreting Results
Possible permissions for buckets:
- Read - List and view all files
- Write - Write files to bucket
- Read ACP - Read all Access Control Policies attached to bucket
- Write ACP - Write Access Control Policies to bucket
- Full Control - All above permissions
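To confirm a finding from the bucket owner's side, the bucket ACL can be read with awscli (aws s3api get-bucket-acl) and checked for grants to S3's predefined public groups. The Go program below is an added example, not part of xs3scann3r; the helper name PublicGrants and the sample ACL are constructed for illustration, and it assumes the JSON shape that get-bucket-acl prints.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Predefined S3 groups: a grant to either exposes the bucket beyond its owner.
var publicGroups = map[string]string{
	"http://acs.amazonaws.com/groups/global/AllUsers":           "everyone",
	"http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

// The five S3 ACL permission values, mapped to the labels listed above.
var labels = map[string]string{"READ": "Read", "WRITE": "Write",
	"READ_ACP": "Read ACP", "WRITE_ACP": "Write ACP", "FULL_CONTROL": "Full Control"}

type acl struct {
	Grants []struct {
		Grantee    struct{ Type, URI string }
		Permission string
	}
}

// PublicGrants (hypothetical helper) lists grants made to public groups, in ACL order.
func PublicGrants(raw []byte) ([]string, error) {
	var a acl
	if err := json.Unmarshal(raw, &a); err != nil {
		return nil, fmt.Errorf("parse ACL: %w", err)
	}
	var out []string
	for _, g := range a.Grants {
		who, public := publicGroups[g.Grantee.URI]
		if g.Grantee.Type != "Group" || !public {
			continue // grants to named accounts (e.g. the owner) are not public
		}
		out = append(out, who+": "+labels[g.Permission])
	}
	return out, nil
}

// Constructed sample ACL document, not output from a real bucket.
const sampleACL = `{"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
 {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
 {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
 {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE_ACP"}]}`
func main() {
	fmt.Println(PublicGrants([]byte(sampleACL)))
}
```

ACLs are only one source of access: a bucket policy can grant the same permissions, so an empty result here does not by itself show that the bucket is private.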
Contribution
Issues and Pull Requests are welcome! Check out the contribution guidelines.
Licensing
This utility is distributed under the MIT license.