{
	"id": "33570e28-29f4-446c-ac95-64be9793006a",
	"created_at": "2026-04-06T01:29:00.118905Z",
	"updated_at": "2026-04-10T13:13:00.359619Z",
	"deleted_at": null,
	"sha1_hash": "aee30ef8d353204e225cc20e34c38c9ebeb9deaf",
	"title": "GitHub - clarketm/s3recon: Amazon S3 bucket finder and crawler.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116487,
	"plain_text": "GitHub - clarketm/s3recon: Amazon S3 bucket finder and crawler.\r\nBy clarketm\r\nArchived: 2026-04-06 00:14:45 UTC\r\npypi vv11..44..00\r\n ppyytthhoonn 33..66 || 33..77 || 33..88 ddoowwnnllooaaddss 6 1 k \r\ndocs ppaassssiinngg\r\nAmazon S3 bucket finder and crawler.\r\nCheck out the s3recon docs\r\nInstallation\r\nNOTE: s3recon requires python version \u003e=3.6\r\n$ pip install s3recon\r\nUsage\r\nusage: s3recon [-h] [-o file] [-d] [-p] [-t seconds] [-v] [-c num] word_list [word_list ...]\r\npositional arguments:\r\n word_list read words from one or more \u003cword-list\u003e files\r\noptional arguments:\r\n -h, --help show this help message and exit\r\n -o file, --output file write output to \u003cfile\u003e\r\n -d, --db write output to database\r\n -p, --public only include 'public' buckets in the output\r\n -t seconds, --timeout seconds http request timeout in \u003cseconds\u003e (default: 30)\r\n -v, --version show program's version number and exit\r\n -c num, --concurrency num maximum \u003cnum\u003e of concurrent requests (default: # of lcpus)\r\n \r\nhttps://github.com/clarketm/s3recon\r\nPage 1 of 6\n\nExample 1: Output to a json file\r\n1. Download a word-list.\r\nThe SecLists repository has a multitude of word-lists to choose from. For this example, let's download the sample\r\nword-list included in this repository.\r\n$ curl -sSfL -o \"word-list.txt\" \"https://raw.githubusercontent.com/clarketm/s3recon/master/data/words\r\n2. Run s3recon .\r\nExecute s3recon using the word-list.txt file and output the public S3 buckets to a json file named\r\nresults.json .\r\n$ s3recon \"word-list.txt\" -o \"results.json\" --public\r\n- PRIVATE https://s3.sa-east-1.amazonaws.com/test-lyft\r\n- PRIVATE https://s3.ap-south-1.amazonaws.com/test.amazon\r\n+ PUBLIC https://walmart-dev.s3.us-east-1.amazonaws.com\r\n- PRIVATE https://s3.ap-southeast-1.amazonaws.com/apple-prod\r\n- PRIVATE https://walmart.s3.ap-southeast-1.amazonaws.com\r\n...\r\n3. 
Inspect the results.\r\nCheck the results.json output file to view the S3 buckets you have discovered!\r\n$ cat \"results.json\"\r\n{\r\n \"public\": {\r\n \"total\": 12,\r\n \"hits\": [\r\n \"https://walmart-dev.s3.us-east-1.amazonaws.com\",\r\n \"https://apple-production.s3.ap-southeast-1.amazonaws.com\",\r\n ...\r\n ]\r\n }\r\n}\r\nNote: to include private buckets in the results omit the -p, --public flag from the command.\r\n4. Crawl the results.\r\nEnumerate the static files located in each bucket and record the findings.\r\nComing soon!\r\nExample 2: Output to a MongoDB database\r\n1. Download a word-list.\r\nThe SecLists repository has a multitude of word-lists to choose from. For this example, let's download the sample\r\nword-list included in this repository.\r\n$ curl -sSfL -o \"word-list.txt\" \"https://raw.githubusercontent.com/clarketm/s3recon/master/data/words\r\n2. Start an instance of MongoDB\r\n$ docker run --name \"mongo\" -p 27017:27017 -v \"mongodb_data:/data/db\" -v \"mongodb_config:/data/configdb\" -d mon\r\n3. Run s3recon.\r\nExecute s3recon using the word-list.txt file and output to MongoDB instance.\r\n$ s3recon \"word-list.txt\" --db\r\n- PRIVATE https://s3.sa-east-1.amazonaws.com/test-lyft\r\n- PRIVATE https://s3.ap-south-1.amazonaws.com/test.amazon\r\n+ PUBLIC https://walmart-dev.s3.us-east-1.amazonaws.com\r\n- PRIVATE https://s3.ap-southeast-1.amazonaws.com/apple-prod\r\n- PRIVATE https://walmart.s3.ap-southeast-1.amazonaws.com\r\n...\r\n3. 
Inspect the results.\r\nCheck the MongoDB database: s3recon collection: hits to view the S3 buckets you have discovered!\r\n$ mongo \"s3recon\" --quiet --eval 'db.hits.find({}, {\"url\": 1, \"access\": 1, \"_id\": 0}).limit(5)'\r\n{ \"url\" : \"https://s3.us-east-2.amazonaws.com/apple\", \"access\" : \"private\" }\r\n{ \"url\" : \"https://s3.us-west-1.amazonaws.com/microsoft-dev\", \"access\" : \"private\" }\r\n{ \"url\" : \"https://s3.us-west-1.amazonaws.com/dev-microsoft\", \"access\" : \"private\" }\r\n{ \"url\" : \"https://s3.us-east-2.amazonaws.com/amazon\", \"access\" : \"private\" }\r\n{ \"url\" : \"https://s3.us-east-1.amazonaws.com/dev-amazon\", \"access\" : \"private\" }\r\n4. Crawl the results.\r\nEnumerate the static files located in each bucket and record the findings.\r\nComing soon!\r\nFAQ\r\nQ: How do I configure this utility?\r\nA:\r\ns3recon can be configured using a yaml configuration file located in either the current working directory (e.g.\r\n./s3recon.yml) or your home directory (e.g. ~/s3recon.yml).\r\nThe following is the list of configurable values:\r\n# s3recon.yml\r\ndatabase: { host: \"0.0.0.0\", ... }\r\n \r\nseparators: [\"-\", \"_\", \".\"]\r\nenvironments: [\"\", \"backup\", \"backups\", ...]\r\nregions: [\"ap-northeast-1\", \"ap-northeast-2\", ...]\r\nTo see the full list of configurable values (and their defaults) please refer to the s3recon.yml file in this\r\nrepository.\r\nQ: How do I customize the AWS regions used in the recon?\r\nA:\r\nThe AWS regions can be altered by setting the regions array in your s3recon.yml configuration file.\r\n# s3recon.yml\r\nregions: [ \"us-west-2\", ...]\r\nQ: How do I customize the environment values used in the recon?\r\nA:\r\nThe environments are modifiers permuted with each item of the word-list (and the separator) to construct the\r\nbucket value in request. 
The value can be altered by setting the environments array in your s3recon.yml\r\nconfiguration file.\r\nFor example, to only search lines from the word-list verbatim (i.e. without modification) you can set this value to\r\nan empty array.\r\n# s3recon.yml\r\nenvironments: []\r\nQ: How do I customize the MongoDB host and port?\r\nA:\r\nThe database host and port can be configured by altering the database map in your s3recon.yml configuration\r\nfile.\r\nFor example, host and port can be set directly inside the database map:\r\n# s3recon.yml\r\ndatabase: {\r\n host: \"0.0.0.0\",\r\n port: 27017\r\n}\r\nQ: How do I use a database other than MongoDB?\r\nA:\r\nSorry, at the moment only MongoDB is supported.\r\nGoing Forward\r\nCreate crawl command to crawl public/private buckets found in find stage.\r\nSeparate out find and crawl as subcommands.\r\nStore discovered buckets in a NoSQL database.\r\nDisclaimer\r\nThis tool is distributed for educational and security purposes. I take no responsibility and assume no liability for\r\nthe manner in which this tool is used.\r\nLicense\r\nMIT © Travis Clarke\r\nSource: https://github.com/clarketm/s3recon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/clarketm/s3recon"
	],
	"report_names": [
		"s3recon"
	],
	"threat_actors": [],
	"ts_created_at": 1775438940,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aee30ef8d353204e225cc20e34c38c9ebeb9deaf.pdf",
		"text": "https://archive.orkl.eu/aee30ef8d353204e225cc20e34c38c9ebeb9deaf.txt",
		"img": "https://archive.orkl.eu/aee30ef8d353204e225cc20e34c38c9ebeb9deaf.jpg"
	}
}