Dependency on AWS CLI

[pbnj]

Hi @JR0ch17 ,

Why does this tool need AWS CLI and AWS API access keys in order to enumerate buckets?

Here is what I'm trying to get at:

$ curl https://toyota.s3.amazonaws.com
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>toyota</Name><Prefix></Prefix><Marker></Marker><MaxKeys>1000</MaxKeys><IsTruncated>true</IsTruncated>

<Contents><Key>86FB/</Key><LastModified>2012-05-29T02:42:05.000Z</LastModified><ETag>&quot;d41d8cd98f00b204e9800998ecf8427e&quot;</ETag><Size>0</Size><StorageClass>STANDARD</StorageClass></Contents>

<Contents><Key>86FB/downloads/</Key><LastModified>2012-08-22T02:39:52.000Z</LastModified><ETag>&quot;d41d8cd98f00b204e9800998ecf8427e&quot;</ETag><Size>0</Size><StorageClass>STANDARD</StorageClass></Contents>

<Contents><Key>86FB/downloads/1024x768-Drift.jpg</Key><LastModified>2012-08-22T03:04:10.000Z</LastModified><ETag>&quot;dffe2d801f594efc813285a3a60e9075&quot;</ETag><Size>330465</Size><StorageClass>STANDARD</StorageClass></Contents>

...

$ aws s3api list-objects --bucket toyota
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

I would think if you're truly trying to enumerate buckets, you would just try to loop over a list of names and curl https://<bucket-name>.s3.amazonaws.com, or am I missing something?

[JR0ch17]

Hey Peter,

It doesn't need the AWS access keys to enumerate buckets. It is needed for other features like uploading files to a bucket, listing ACLs, configs, etc. I don't use curl to enumerate buckets but it does make a GET request to https://.s3.amazonaws.com. By default, how it works is that, if it gets a response of 404 (bucket doesn't exist), it skips to the next bucket. For every other response codes, it tries to list the files of the bucket and prints the result.

If you know a way to do all of this below without the need of using the awscli, please let me know. It would be even better to have the tool run without people needing to install and configure awscli but I'm not sure if it's possible for now.

• -u, --upload File to upload will be automatically generated (e.g. 'BugBounty-[######].txt')
• -d, --delete Delete file from bucket after uploading it
• -a, --acl View bucket ACL
• -p, --policy View bucket policy
• -c, --cors View bucket CORS configuration
• -r, --replication View bucket replication configuration
• -w, --website View bucket website configuration
• -l, --location View bucket location