v1.2.4 update with improvements/drops PyPi

Author: yasinS

CHANGELOG.md

@@ -1,11 +1,13 @@
 # Change Log
 All notable changes to the Sandcastle script will be documented in this file.
 
+## 1.2.4 – 2017-05-28
+* Temporarily removed PyPi distribution channel
+* Shipping an updated bucket names wordlist
+* Script identifies potential matches and uses S3 CLI to check Read permissions
+
 ## 1.2.3 – 2017-04-09
-- Due to PyPi issues, Sandcastle will not ship with a default `bucket-names.txt`.
-	* The example `bucket-names.txt` can be downloaded from this repo
-	* By default, Sandcastle searches for `bucket-names.txt` in the current directory 
-	* As previously, use the `-f` flag to specify a different input file
+- PyPi distribution info not applicable; please see above
 - Removes "no match" display from Sandcastle script
 
 ## 1.2.2 – 2017-04-09

MANIFEST

@@ -21,10 +21,10 @@ The script takes a target name as the "stem" argument (e.g. `instacart`) and ite
 [...]
 ```
 ## Getting started
-Here's how to get started:
-1. Install with Pip: `pip install sandcastle`
+I've temporarily disabled Pip distribution. Here's how to get started:
+1. Clone this repo.
 2. Run `sandcastle.py` with a target name and input file (grab an example from this repo)
-3. Valid bucket permutations will be identified as "matches"
+3. Matching bucket permutations will be identified, and read permissions tested
 
 ```
 usage: sandcastle.py [-h] -t targetStem [-f inputFile]
@@ -39,12 +39,20 @@ arguments:
 ```
 
 ```
-[+] Match: shopify-dev --> 403
-[+] Match: shopify-pics --> 403
-[+] Match: shopify-assets --> 403
-[+] Match: shopify-development --> 403
-[+] Match: shopify-content --> 403
-[+] Match: shopify-ops --> 200
+   ____             __             __  __
+  / __/__ ____  ___/ /______ ____ / /_/ /__
+ _\ \/ _ `/ _ \/ _  / __/ _ `(_-</ __/ / -_)
+/___/\_,_/_//_/\_,_/\__/\_,_/___/\__/_/\__/
+
+S3 bucket enumeration // release v1.2.4 // ysx
+
+
+[*] Commencing enumeration of 'shopify', reading 138 lines from 'bucket-names.txt'.
+
+[+] Checking potential match: shopify-content --> 403
+
+An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
+
 ```
 
 ### Status codes and testing

README.md

@@ -1,4 +1,83 @@
+-vanity-production
+-vanity-staging
+-vanity-dev
+-vanity-development
+-media-uploads
+-datasets
+-dataset
+-website-assets
+-logos
+-avatars
+-backgrounds
+-share
+-matrix
+-s3-connector-test
+-media
+-terraform-binaries
+-consultant
+-consultants
+-consulting
+-consumer
+-contact
+-content
+-contracts
+-gemini
+-general
+-kerberos
+-keynote
+-loadbalancer
+-local
+-localhost
+-splunk
+-git
+-subversion
+-mercurial
+-design
+-package
+-packages
+-ios
+-android
+-betas
+-bugs
+-bugzilla
+-build
+-bulletins
+-corporate
 -training
+-conference
+-conferencing
+-confidential
+-cloud
+-club
+-clubs
+-cluster
+-clusters
+-developer
+-developers
+-engineer
+-engineering
+-fileserv
+-fileserver
+-filestore
+-intranet
+-invalid
+-investor
+-investors
+-member
+-members
+-operations
+-products
+-profiles
+-project
+-projects
+-research
+-reseller
+-reserved
+-static
+-statistics
+-stats
+-reports
+-bugbounty
 -bucket
 -dev
 -attachments
@@ -16,7 +95,6 @@
 -files
 -production
 -development
--content
 -uploads
 -aws
 -marketing

README.rst

@@ -1,34 +1,43 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-# Initialise – import and present
-import sys, os, requests
+
+import sys, os, commands, requests
 from argparse import ArgumentParser
+
 print """
    ____             __             __  __   
   / __/__ ____  ___/ /______ ____ / /_/ /__ 
  _\ \/ _ `/ _ \/ _  / __/ _ `(_-</ __/ / -_)
 /___/\_,_/_//_/\_,_/\__/\_,_/___/\__/_/\__/ 
                                             
-S3 bucket enumeration // release v1.2.3 // ysx
+S3 bucket enumeration // release v1.2.4 // ysx
+
 """
-# Receive – target stem and argument check
 targetStem = ""
 inputFile = ""
+
 parser = ArgumentParser()
 parser.add_argument("-t", "--target", dest="targetStem",
-                    help="Select a target stem name (e.g. 'instacart')", metavar="targetStem", required="True")
+                    help="Select a target stem name (e.g. 'shopify')", metavar="targetStem", required="True")
 parser.add_argument("-f", "--file", dest="inputFile",
                     help="Select a bucket permutation file (default: bucket-names.txt)", default="bucket-names.txt", metavar="inputFile")
 args = parser.parse_args()
+
 with open(args.inputFile, 'r') as f: 
     bucketNames = [line.strip() for line in f] 
     lineCount = len(bucketNames)
-print "[*] Commencing enumeration of target '%s', reading %i lines from '%s'." % (args.targetStem, lineCount, f.name)
-# Enumerate – standard permutations and status code analysis
+
+print "[*] Commencing enumeration of '%s', reading %i lines from '%s'." % (args.targetStem, lineCount, f.name)
+
 for name in bucketNames:
 	r = requests.head("http://%s%s.s3.amazonaws.com" % (args.targetStem, name))
 	if r.status_code != 404:
-		print "[+] Match: %s%s --> %s" % (args.targetStem, name, r.status_code)
+                # macOS, coming soon: os.system("notify Potential match found! %s%s: %s" % (args.targetStem, name, r.status_code))
+		print "[+] Checking potential match: %s%s --> %s" % (args.targetStem, name, r.status_code)
+		check = commands.getoutput("/usr/local/bin/aws s3 ls s3://%s%s" % (args.targetStem, name))
+		print check
 	else:
 		sys.stdout.write('')
-print "[+] Enumeration of '%s' complete." % (args.targetStem)
+
+print "[*] Enumeration of '%s' buckets complete." % (args.targetStem)
+# macOS, coming soon: os.system("notify Enumeration of %s buckets complete." % (args.targetStem))