s3enum is a tool to enumerate a target's Amazon S3 buckets. It is fast and leverages DNS instead of HTTP, which means that requests don't hit AWS directly.
It was originally built back in 2016 to target GitHub.
Find the binaries on the Releases page.
go get github.com/koenrh/s3enum
You need to specify the base name of the target (e.g.
hackerone), and a word list. You could either use the example
wordlist.txtfile from this repository, or get a word list elsewhere. Optionally, you could specify the number of threads (defaults to 10).
$ s3enum --wordlist examples/wordlist.txt --suffixlist examples/suffixlist.txt --threads 10 hackeroneBy default
s3enumwill use the name server as specified in
/etc/resolv.conf. Alternatively, you could specify a different name server using the
--nameserveroption. Besides, you could test multiple names at the same time.
--wordlist examples/wordlist.txt \
--suffixlist examples/suffixlist.txt \
--nameserver 188.8.131.52 \
hackerone h1 roflcopter