Quick Start
Get up and running with s3finder in under 5 minutes.
Your First Scan
Run your first scan with a single command:
```bash
s3finder -s your-target-company
```
Replace your-target-company with the organization you're authorized to test. s3finder generates 780+ bucket name variations automatically. You can also scan directly using a wordlist (-w) or a domain (-d) without a seed.
Understanding the Output
```
____ _____ __ _ _
/ ___|___ / / _(_)_ __ __| | ___ _ __
\___ \ |_ \| |_| | '_ \ / _` |/ _ \ '__|
___) |__) | _| | | | | (_| | __/ |
|____/____/|_| |_|_| |_|\__,_|\___|_|
v1.2.4
AI-Powered S3 Bucket Enumeration Tool
─────────────────────────────────────────
Permutation engine generated 780 names
Generated 780 unique bucket names to scan
[PUBLIC] target-backup (objects: 1547, region: us-east-1)
https://target-backup.s3.amazonaws.com
[PRIVATE] target-internal (region: eu-west-1)
[██████████████████████████████] 100.0% [780/780] Public:1 Private:1 Err:12 145 r/s ETA:0s [45s]
────────────────────────────────────────
Scan completed in 45s
Scanned: 780 | Found: 2 | Public: 1 | Private: 1 | Errors: 12
Results saved to: results.json
```
Result Types
| Tag | Meaning | Action |
|---|---|---|
| PUBLIC | Bucket is publicly readable | URL shown - can browse contents |
| PRIVATE | Bucket exists but access denied | Requires credentials |
| ERROR | Request failed (timeout, throttled) | Retry with lower RPS |
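For bucket owners triaging a scan of their own estate, the following added example (not part of s3finder) parses the console lines shown above into records and flags when the error count means coverage was incomplete. It assumes result and summary lines keep the format of the sample output; the function names and the 1% error threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample: result and summary lines copied from the sample output above.
SAMPLE = """\
[PUBLIC] target-backup (objects: 1547, region: us-east-1)
https://target-backup.s3.amazonaws.com
[PRIVATE] target-internal (region: eu-west-1)
Scanned: 780 | Found: 2 | Public: 1 | Private: 1 | Errors: 12
"""

RESULT_RE = re.compile(r"^\[(PUBLIC|PRIVATE)\]\s+(\S+)\s+\(([^)]*)\)\s*$")
SUMMARY_RE = re.compile(r"^Scanned:\s*\d+(\s*\|\s*\w+:\s*\d+)+\s*$")


def parse_scan_output(text):
    """Return (findings, summary) parsed from console output in the format above."""
    findings, summary = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            status, bucket, attrs = m.groups()
            entry = {"status": status, "bucket": bucket, "url": None}
            for pair in attrs.split(","):  # e.g. "objects: 1547", "region: us-east-1"
                key, _, value = pair.partition(":")
                if value:
                    entry[key.strip()] = value.strip()
            findings.append(entry)
        elif (line.startswith("https://") and findings
              and findings[-1]["status"] == "PUBLIC" and findings[-1]["url"] is None):
            findings[-1]["url"] = line  # URL line directly follows a PUBLIC result
        elif SUMMARY_RE.match(line):
            for field in line.split("|"):
                key, _, value = field.partition(":")
                summary[key.strip().lower()] = int(value)
    return findings, summary


def triage(text, max_error_rate=0.01):
    """Flag public buckets and incomplete coverage (threshold is an assumption)."""
    findings, summary = parse_scan_output(text)
    public = [f["bucket"] for f in findings if f["status"] == "PUBLIC"]
    scanned = summary.get("scanned", 0)
    error_rate = summary.get("errors", 0) / scanned if scanned else 0.0
    # Errored names were never conclusively checked, so a high rate means a rerun.
    return {"public": public, "error_rate": round(error_rate, 4),
            "rerun_lower_rps": error_rate > max_error_rate}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

With the sample above, 12 errors out of 780 names exceeds the threshold, so the scan should be repeated at a lower RPS before treating the absence of findings as a clean result.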
Progress Bar
The progress bar shows real-time scan statistics:
| Element | Meaning |
|---|---|
| [██████] | Completion percentage |
| [780/780] | Scanned / Total buckets |
| Public:1 Private:1 Err:12 | Discovery counts |
| 145 r/s | Requests per second |
| ETA:0s [45s] | Estimated time / Elapsed time |
Adding a Wordlist
Combine permutations with a custom wordlist:
```bash
s3finder -s target-company -w wordlists/common.txt
```
The included wordlist has 130 common bucket name patterns.
Using CT Log Discovery
If you know the target's domain, use Certificate Transparency logs to discover real subdomains:
```bash
# Discover and scan subdomains as-is
s3finder -d target.com
```
This queries crt.sh for subdomains like dev.target.com and staging.target.com, which are scanned directly as bucket names.
Enabling AI Generation
For smarter bucket name suggestions:
```bash
# Set your API key
export OPENAI_API_KEY=sk-xxxxx
# Run with AI enabled
s3finder -s target-company --ai
```
High-Speed Scanning
Increase workers and requests per second:
```bash
s3finder -s target-company -t 200 --rps 1000
```
Viewing Results
Results are saved to results.json by default:
```bash
# Pretty print JSON results
jq . results.json
# Or use plain text format
s3finder -s target-company -o results.txt -f txt
```