Introducing BucketLoot – An Automated Cloud Bucket Inspector


Introduction

In the ever-evolving landscape of modern data management, cloud object storage solutions have emerged as a foundational pillar for organizations worldwide. These solutions provide a scalable, flexible, and cost-effective means of storing vast amounts of data, from critical business information to multimedia assets. However, as the adoption of cloud object storage grows, so does the concern over potential security risks.

To address these challenges, RedHunt Labs introduces BucketLoot – a cutting-edge, automated S3-compatible Cloud Object Storage bucket inspector designed to empower users in securing their data. BucketLoot offers an array of powerful features, allowing users to seamlessly extract valuable assets, detect secret exposures, and search for custom keywords and Regular Expressions within publicly-exposed storage buckets.

What sets BucketLoot apart is its versatility across multiple cloud platforms. It can efficiently scan for buckets deployed not only on Amazon S3 and GCS but also on DigitalOcean Spaces and custom domains/URLs connected to these platforms. The tool’s ability to return the scan output in a JSON format further enhances user convenience, enabling them to easily parse and integrate the results into their existing workflows.

With BucketLoot, RedHunt Labs provides organizations with a robust solution to proactively tackle potential security risks in their cloud object storage, ensuring the safety and confidentiality of their valuable data.

How BucketLoot Extracts Secrets and Assets from Cloud Object Storage: Unveiling Its Inner Workings

Let’s delve into the inner workings of BucketLoot and explore how it ensures the safety of sensitive data stored in cloud buckets.

1. Validating Public Exposures:

The first step in BucketLoot’s inspection process is to determine whether a target URL corresponds to a valid storage bucket and if it is publicly exposed, allowing anyone to list its files. By making a GET request on the target URL, BucketLoot swiftly ascertains the bucket’s accessibility status, helping users identify potential security gaps in their cloud storage configurations.

2. Focusing on Textual Data Files:

BucketLoot is designed with efficiency in mind. To streamline the scanning process, the tool checks the extension of the files within the storage bucket. It focuses solely on files that store data in plain-text formats, effectively narrowing down the scope of the scan and optimizing the tool’s performance.

3. Guest Mode for Initial Scans:

BucketLoot’s user-friendly approach includes a guest mode by default. In this mode, users are not required to specify any API tokens or Access Keys during the initial scan. The tool employs a GET request to scrape a maximum of 1000 files from the XML response. This allows users to quickly perform an initial scan and gain valuable insights into their cloud storage security posture.

4. Complete Scan with Platform Credentials:

For scenarios where a storage bucket contains more than 1000 entries and users desire a comprehensive scan, BucketLoot offers the flexibility to provide platform credentials. By supplying the necessary API tokens or Access Keys, users can unlock a complete scan, ensuring that no file is left unexamined. At the moment, BucketLoot only supports AWS for the complete scan module but we plan to introduce modules for more platforms soon. In case there is an issue with the credentials or the target is not related to AWS, the tool automatically falls back to guest mode and scans a maximum of 1000 files per bucket instead.

5. Deep File Content Analysis:

BucketLoot’s robustness lies in its ability to dig deep into the discovered files. After identifying potential risk-bearing files, the tool proceeds to make GET requests on each file to extract their content. This enables BucketLoot to thoroughly scan for secrets, assets, custom keywords, and Regular Expressions, empowering users to gain granular insights into their data’s security posture.
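Steps 1, 2 and 3 above in working Go (the language BucketLoot is written in), as an added example that is not BucketLoot's own code. The HTTP call is left out: the function takes the status and body of the GET on the bucket root, which here are constructed sample responses, so the snippet runs offline. It classifies the response as a public listing, a denied listing, or not a bucket at all; reads the keys and the IsTruncated flag that tells you the listing stopped at the server's page limit; and keeps only plain-text keys using an assumed extension allow-list, since the page does not give the tool's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"path"
	"strings"
)

// Exposure is the outcome of probing a candidate bucket URL with one
// unauthenticated GET, as step 1 describes.
type Exposure int

const (
	NotABucket    Exposure = iota // neither an S3-style listing nor an S3 error
	PrivateBucket                 // bucket exists but listing is denied
	PublicBucket                  // anyone can list the objects
)

// listBucketResult mirrors the parts of an S3-compatible ListBucketResult
// that the check needs. Tags match on local element name, so the AWS
// namespace on the root element does not matter.
type listBucketResult struct {
	XMLName     xml.Name `xml:"ListBucketResult"`
	Name        string   `xml:"Name"`
	IsTruncated bool     `xml:"IsTruncated"`
	Contents    []struct {
		Key string `xml:"Key"`
	} `xml:"Contents"`
}

// s3Error mirrors the XML error envelope returned for denied or missing buckets.
type s3Error struct {
	XMLName xml.Name `xml:"Error"`
	Code    string   `xml:"Code"`
}

// Listing is what a guest-mode probe learns about one bucket.
type Listing struct {
	Exposure  Exposure
	Bucket    string
	Keys      []string
	Truncated bool // server stopped at its page limit; keys beyond it were not seen
}

// Classify interprets the status and body of the GET on the bucket root.
// Only a 200 carrying a parseable ListBucketResult counts as public; a
// custom domain that serves HTML falls through to NotABucket.
func Classify(status int, body []byte) Listing {
	var lr listBucketResult
	if status == 200 && xml.Unmarshal(body, &lr) == nil {
		l := Listing{Exposure: PublicBucket, Bucket: lr.Name, Truncated: lr.IsTruncated}
		for _, c := range lr.Contents {
			l.Keys = append(l.Keys, c.Key)
		}
		return l
	}
	var e s3Error
	if xml.Unmarshal(body, &e) == nil && e.Code == "AccessDenied" {
		return Listing{Exposure: PrivateBucket}
	}
	return Listing{Exposure: NotABucket}
}

// textExtensions is an assumed allow-list standing in for the tool's own
// plain-text extension check (step 2); the real list is not on the page.
var textExtensions = map[string]bool{
	".txt": true, ".json": true, ".xml": true, ".yml": true, ".yaml": true, ".env": true,
	".csv": true, ".log": true, ".js": true, ".html": true, ".md": true, ".ini": true,
	".cfg": true, ".conf": true, ".sql": true, ".sh": true,
}

// TextKeys keeps only keys whose extension indicates plain text, so binaries
// and archives are never fetched in the content-analysis step.
func TextKeys(keys []string) []string {
	var out []string
	for _, k := range keys {
		if textExtensions[strings.ToLower(path.Ext(k))] {
			out = append(out, k)
		}
	}
	return out
}

// Constructed sample responses; none were captured from a real service.
const sampleListing = `<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-public-bucket</Name>
  <IsTruncated>true</IsTruncated>
  <Contents><Key>config/.env</Key></Contents>
  <Contents><Key>logo.png</Key></Contents>
  <Contents><Key>backup/db.sql.gz</Key></Contents>
  <Contents><Key>deploy/settings.json</Key></Contents>
  <Contents><Key>notes.txt</Key></Contents>
</ListBucketResult>`
const sampleDenied = `<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>`
const sampleHTML = `<!DOCTYPE html><html><body>Welcome</body></html>`

func main() {
	probes := []struct {
		url    string
		status int
		body   string
	}{
		{"https://example-public-bucket.s3.amazonaws.com/", 200, sampleListing},
		{"https://example-private-bucket.s3.amazonaws.com/", 403, sampleDenied},
		{"https://assets.example.com/", 200, sampleHTML},
	}
	for _, p := range probes {
		l := Classify(p.status, []byte(p.body))
		fmt.Printf("%s exposure=%d bucket=%q truncated=%v text=%v\n",
			p.url, l.Exposure, l.Bucket, l.Truncated, TextKeys(l.Keys))
	}
}
```

The Truncated flag is the signal that a guest-mode scan saw only part of the bucket and that the credential-backed complete scan from step 4 is needed for full coverage; treating a truncated listing as a clean one is the easy mistake here.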

BucketLoot, with its advanced capabilities and thoughtful design, delivers a powerful ally in the battle against cloud storage vulnerabilities. By simplifying the scanning process, offering flexibility in credential usage, and performing in-depth content analysis, BucketLoot ensures that cloud object storage remains secure, enabling organizations to embrace the full potential of cloud technologies with confidence. 

How BucketLoot can help

BucketLoot is designed to empower users with a range of powerful features, simplifying the process of safeguarding sensitive information stored in cloud buckets.

1. Secret Scanning at Scale:

With more than 30 unique Regular Expression (RegEx) signatures, BucketLoot can identify secret exposures resulting from misconfigured storage buckets. Users can customize or add their own signatures through the regexes.json file, enabling tailored scans that meet their specific security requirements.

2. Unleash Asset Discovery Potential:

BucketLoot goes beyond the basics by extracting URLs, subdomains, and domains present in exposed storage buckets. This exceptional asset extraction feature opens up a world of hidden endpoints, giving you an edge over traditional reconnaissance tools and allowing you to step up your recon game.

3. Precision with Custom Searches:

Customization is key, and BucketLoot understands that. The tool empowers users to conduct custom keyword searches and harness the power of Regular Expression queries. This precision-focused approach ensures you find exactly what you are looking for, streamlining your data exploration process.

Getting started with BucketLoot

To begin your cloud object storage security journey with BucketLoot, make sure you have Go installed in your environment. This powerful tool is written in Go, which enables seamless installation and setup. Once you have Go ready, follow the simple steps below to get BucketLoot up and running swiftly.

Step 1: Clone the Repository:

Start by cloning the BucketLoot repository to any directory or path of your preference. Open your terminal and execute the following command:

git clone https://github.com/redhuntlabs/BucketLoot.git

Step 2: Build the Binary:

With the repository successfully cloned, you’re almost there! Now, run the following command to build the BucketLoot binary according to your environment.

go build

Now that you have BucketLoot built, let’s walk through the two basic ways to run a scan.

Approach 1: Provide the Target URL:

To execute a basic scan, open your terminal and navigate to the BucketLoot directory. If you have a specific target URL in mind, run the following command:

./bucketloot https://myvulninstance.s3.amazonaws.com/

Approach 2: Use a Target(s) File:

Alternatively, if you have a list of target URLs stored in a file named “targets.txt,” execute the following command:

./bucketloot targets.txt

Below you can see BucketLoot in action when the target URL is provided.

The tool also supports several additional flags including those mentioned in the above image. To know more about the tool usage in detail and how you can leverage it according to your needs, head over to the tool documentation section in the GitHub repository.

Community Contribution

At RedHunt Labs, we believe that collaboration is the key to building powerful and effective security tools. BucketLoot’s success lies not only in its robust features but also in the active participation of the information security community. We invite security enthusiasts, researchers, and professionals to join us in enhancing BucketLoot’s capabilities and making cloud object storage security even stronger.

1. Add New Features:

As the cloud landscape evolves, so do the challenges it presents. The information security community can play a crucial role in adding new features to BucketLoot. Whether it’s refining the scanning process, enhancing reporting capabilities, or incorporating support for additional cloud storage platforms, your expertise can make a significant impact on the tool’s versatility.

2. Contribute New Signatures for Secret Detection:

BucketLoot’s secret scanning capabilities are driven by Regular Expression (RegEx) signatures in the regexes.json file. The community can contribute by adding new signatures for identifying secret exposures. Your unique insights and discoveries can benefit others, ensuring that BucketLoot remains up-to-date with the latest security challenges.

3. Bug Fixes and Improvements:

Even the most well-crafted tools can encounter bugs or have areas that could benefit from improvement. The information security community can play a crucial role in identifying and resolving these issues. If you come across any bugs or have ideas to enhance BucketLoot’s performance, we encourage you to share your insights.

Whether it’s streamlining the scanning process, optimizing resource usage, or enhancing error handling, your bug fixes and improvements can elevate BucketLoot’s efficiency and user experience. The collective efforts of the community contribute to a more stable and reliable tool that benefits security professionals worldwide.

How to Contribute:

Contributing to BucketLoot is straightforward. Simply follow these steps:

  • Fork the BucketLoot repository on GitHub.
  • Implement your changes or additions locally.
  • Create a new branch for your changes.
  • Commit your changes with descriptive messages.
  • Push the changes to your fork.
  • Finally, submit a Pull Request (PR) to the main BucketLoot repository.

Our team at RedHunt Labs will review your contributions promptly. Collaborating with the information security community allows us to address a broader range of security challenges and deliver a more powerful and effective tool.

By contributing to BucketLoot, you become an essential part of a global effort to enhance cloud security practices. Your insights and expertise can positively impact security professionals worldwide, ensuring they can protect their cloud object storage with confidence.

Conclusion

As BucketLoot continues to evolve, RedHunt Labs remains committed to fostering an environment of open collaboration. We invite you to be part of this journey and contribute your expertise to make cloud object storage security stronger, more efficient, and more reliable.

Let’s forge ahead, hand in hand, towards a safer cloud ecosystem. Embrace the power of BucketLoot, secure your cloud storage, and embark on a future where data remains well-guarded and cloud security thrives. Together, we will pave the way for a secure digital landscape that empowers organizations to embrace the cloud’s full potential, with confidence and peace of mind.

About NVADR

We at RedHunt Labs help organizations discover untracked assets, data exposure, and external attack surface with NVADR, an all-in-one attack surface management SaaS solution.

New attack vectors and vulnerabilities emerge frequently and may affect one (or many) assets across your organization. At such times, having a precise external asset inventory makes it easy to scan for the systems affected by a newly published vulnerability.

NVADR also ‘continuously’ enumerates and lists all the technologies used across your external attack surface and thus helps identify affected assets right away. Don’t hesitate to get in touch with us to schedule your free trial today.

4 thoughts on “Introducing BucketLoot – An Automated Cloud Bucket Inspector”

  1. BucketLoot: an automated S3-compatible bucket inspector - F1TYM1

    […] BucketLoot comes with a guest mode by default, which means a user doesn’t need to specify any API tokens / Access Keys initially in order to run the scan. The tool will scrape a maximum of 1000 files that are returned in the XML response and if the storage bucket contains more than 1000 entries which the user would like to run the scanner on, they can provide platform credentials to run a complete scan. If you’d like to know more about the tool, make sure to check out our blog. […]

  2. BucketLoot v2.0 releases: an automated S3-compatible bucket inspector - F1TYM1

    […] BucketLoot comes with a guest mode by default, which means a user doesn’t need to specify any API tokens / Access Keys initially in order to run the scan. The tool will scrape a maximum of 1000 files that are returned in the XML response and if the storage bucket contains more than 1000 entries which the user would like to run the scanner on, they can provide platform credentials to run a complete scan. If you’d like to know more about the tool, make sure to check out our blog. […]

  3. Massive Cloud Scan Revealed Thousands of Exposed and Leaky Buckets -

    […] Since our targets for this wave are storage buckets, what else could be a better option than our in-house developed BucketLoot? For those unaware, BucketLoot is an automated S3-compatible bucket inspector that can help users extract assets, flag secret exposures, and even search for custom keywords as well as Regular Expressions from publicly exposed storage buckets by scanning files that store data in plain text. To know more about this cool tool, check out our tool release blog here. […]

  4. Massive Cloud Scan Revealed Thousands of Exposed and Leaky Buckets - F1TYM1

    […] Since our targets for this wave are storage buckets, what else could be a better option than our in-house developed BucketLoot? For those unaware, BucketLoot is an automated S3-compatible bucket inspector that can help users extract assets, flag secret exposures, and even search for custom keywords as well as Regular Expressions from publicly exposed storage buckets by scanning files that store data in plain text. To know more about this cool tool, check out our tool release blog here. […]
