BucketLoot
-> Offensive Security Tool
An Automated S3-compatible Bucket Inspector
This tool is capable of inspecting buckets deployed on Amazon Web Services (AWS), Google Cloud Storage (GCS), DigitalOcean Spaces, and even custom domains/URLs that may be linked to these platforms. It provides the results in a JSON format, allowing users to parse it according to their preferences or pass it to another tool for further analysis.
Download and Installation
sudo apt install golang -y
sudo apt install git
git clone
cd BucketLoot
go build
./bucketloot -h
Features
Secret Scanning
It scans for more than 30 unique RegEx patterns that can assist in revealing potential security vulnerabilities stemming from misconfigured storage buckets. Users have the flexibility to customize or add their own patterns in the regexes.json file. If you believe you have some valuable patterns that could be beneficial to others and could be scaled, feel free to submit a pull request.
Asset Extraction
Interested in enhancing your asset discovery capabilities? BucketLoot extracts all URLs, subdomains, and domains that might be found within an exposed storage bucket. This provides an opportunity to uncover hidden endpoints, giving you an advantage over traditional reconnaissance tools.
Searching
The tool goes beyond asset discovery and secret exposure scanning by allowing users to search for custom keywords and even regular expressions. This can help them pinpoint precisely what they are seeking.
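The three features above (pattern-based secret scanning driven by a JSON pattern file, URL/domain extraction, and keyword or regex search, all reported as JSON) can be shown in one small Go program. The code below is an added illustration written for this page, not BucketLoot's own source, and the pattern file layout, regexes, and object contents are all constructed assumptions rather than the real regexes.json format. It is written from the owner's side: run over an export of your own bucket to find credentials and internal hostnames that should not be publicly readable.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Pattern is one entry of a hypothetical pattern file (assumed shape,
// not BucketLoot's actual regexes.json layout).
type Pattern struct {
	Name  string `json:"name"`
	Regex string `json:"regex"`
}

// Finding records one match inside one object.
type Finding struct {
	Object  string `json:"object"`
	Pattern string `json:"pattern"`
	Match   string `json:"match"`
}

// Report is the JSON document the scanner emits for downstream tooling.
type Report struct {
	Secrets  []Finding `json:"secrets"`
	URLs     []string  `json:"urls"`
	Domains  []string  `json:"domains"`
	Keywords []Finding `json:"keyword_hits"`
}

type compiledPattern struct {
	name string
	re   *regexp.Regexp
}

// patternsJSON is a constructed, minimal pattern file with two entries.
const patternsJSON = `[
 {"name": "aws_access_key_id", "regex": "AKIA[0-9A-Z]{16}"},
 {"name": "slack_webhook", "regex": "https://hooks\\.slack\\.com/services/[A-Za-z0-9/_-]+"}
]`

// sampleObjects stands in for a bucket listing (object key -> contents);
// every value is constructed for this example.
var sampleObjects = map[string]string{
	"config/app.env": "DB_HOST=db.internal.example.com\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n",
	"docs/notes.txt": "deploy hook: https://hooks.slack.com/services/T000/B000/constructed\n" +
		"see https://admin.example.com:8443/login for TODO items\n",
}

var (
	urlRe    = regexp.MustCompile(`https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s"'<>]*)?`)
	domainRe = regexp.MustCompile(`\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b`)
)

// loadPatterns parses the pattern file and compiles every regex up front,
// so a bad user-supplied pattern fails loudly instead of silently matching nothing.
func loadPatterns(data []byte) ([]compiledPattern, error) {
	var raw []Pattern
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, err
	}
	out := make([]compiledPattern, 0, len(raw))
	for _, p := range raw {
		re, err := regexp.Compile(p.Regex)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", p.Name, err)
		}
		out = append(out, compiledPattern{name: p.Name, re: re})
	}
	return out, nil
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Scan walks objects in key order so the report is deterministic, applies each
// secret pattern, collects unique URLs/domains, and runs the optional keyword regex.
func Scan(objects map[string]string, patterns []compiledPattern, keyword *regexp.Regexp) Report {
	var rep Report
	urls, domains := map[string]bool{}, map[string]bool{}
	names := make([]string, 0, len(objects))
	for n := range objects {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, name := range names {
		body := objects[name]
		for _, p := range patterns {
			for _, m := range p.re.FindAllString(body, -1) {
				rep.Secrets = append(rep.Secrets, Finding{Object: name, Pattern: p.name, Match: m})
			}
		}
		for _, u := range urlRe.FindAllString(body, -1) {
			urls[u] = true
		}
		for _, d := range domainRe.FindAllString(body, -1) {
			domains[d] = true
		}
		if keyword != nil {
			for _, m := range keyword.FindAllString(body, -1) {
				rep.Keywords = append(rep.Keywords, Finding{Object: name, Pattern: keyword.String(), Match: m})
			}
		}
	}
	rep.URLs, rep.Domains = sortedKeys(urls), sortedKeys(domains)
	return rep
}

// RunSample ties the pieces together on the constructed data.
func RunSample() (Report, error) {
	patterns, err := loadPatterns([]byte(patternsJSON))
	if err != nil {
		return Report{}, err
	}
	return Scan(sampleObjects, patterns, regexp.MustCompile(`(?i)todo`)), nil
}

func main() {
	rep, err := RunSample()
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(rep, "", "  ")
	fmt.Println(string(out))
}
```

The domain regex is deliberately loose (it will also match things like file names ending in a TLD-shaped suffix), which is the usual trade-off in asset extraction: over-collect, then filter against the domains you actually own.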
Source: Black Hat USA 2023 [Arsenal]