View Issue Details

ID: 0009471
Project: Kali Linux
Category: New Tool Requests
View Status: public
Last Update: 2026-03-26 10:20
Reporter: umair
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary0009471: BucketLoot - An Automated S3-compatible Bucket Inspector
Description

BucketLoot is an automated S3-compatible Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.

The tool can scan for buckets deployed on Amazon Web Services (AWS), Google Cloud Storage (GCS), DigitalOcean Spaces and even custom domains/URLs which could be connected to these platforms. It returns the output in a JSON format, thus enabling users to parse it according to their liking or forward it to any other tool for further processing.

BucketLoot comes with a guest mode by default, which means a user doesn't need to specify any API tokens / Access Keys initially in order to run the scan. The tool will scrape a maximum of 1000 files that are returned in the XML response and if the storage bucket contains more than 1000 entries which the user would like to run the scanner on, they can provide platform credentials to run a complete scan. If you'd like to know more about the tool please refer to this blog: https://redhuntlabs.com/blog/introducing-bucketloot-an-automated-cloud-bucket-inspector/.

[Github] - https://github.com/redhuntlabs/BucketLoot
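The core of what the description sketches, written out as an added Go example (illustration only, not BucketLoot's own code): parse one page of an S3-compatible ListBucketResult, record whether the server truncated it at max-keys (the 1000-entry ceiling mentioned above), skip binary objects, run a few secret regexes plus caller-supplied keywords over the plain-text ones, and emit the hits as JSON. The listing XML, the object bodies and the secret rules are constructed for this example; the fetch function is an in-memory map standing in for the HTTP GETs a real scan would issue.

```go
package main

import (
	"bytes"
	"encoding/json"
	"encoding/xml"
	"fmt"
	"regexp"
	"unicode/utf8"
)

// ListBucketResult is the subset of an S3 ListObjectsV2 XML response an
// inspector needs: the keys, plus whether the server stopped at max-keys.
type ListBucketResult struct {
	XMLName               xml.Name `xml:"ListBucketResult"`
	Name                  string   `xml:"Name"`
	IsTruncated           bool     `xml:"IsTruncated"`
	NextContinuationToken string   `xml:"NextContinuationToken"`
	Contents              []Object `xml:"Contents"`
}

type Object struct {
	Key  string `xml:"Key"`
	Size int64  `xml:"Size"`
}

// Finding is one hit, emitted as JSON so other tools can consume it.
type Finding struct {
	Key   string `json:"key"`
	Rule  string `json:"rule"`
	Match string `json:"match"`
}

type rule struct {
	name string
	re   *regexp.Regexp
}

// Illustrative rules assumed for this example (not BucketLoot's rule set).
var secretRules = []rule{
	{"aws_access_key_id", regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`)},
	{"private_key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----`)},
	{"slack_webhook", regexp.MustCompile(`https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+`)},
}

func parseListing(raw []byte) (ListBucketResult, error) {
	var r ListBucketResult
	err := xml.Unmarshal(raw, &r)
	return r, err
}

// isPlainText gates scanning: invalid UTF-8 or NUL bytes mean binary, skip it.
func isPlainText(body []byte) bool {
	return utf8.Valid(body) && !bytes.ContainsRune(body, 0)
}

// scanObject runs the secret rules and case-insensitive keywords over one object.
func scanObject(key string, body []byte, keywords []string) []Finding {
	var out []Finding
	if !isPlainText(body) {
		return out
	}
	for _, r := range secretRules {
		for _, m := range r.re.FindAllString(string(body), -1) {
			out = append(out, Finding{Key: key, Rule: r.name, Match: m})
		}
	}
	lower := bytes.ToLower(body)
	for _, kw := range keywords {
		if bytes.Contains(lower, []byte(kw)) {
			out = append(out, Finding{Key: key, Rule: "keyword:" + kw, Match: kw})
		}
	}
	return out
}

// inspect handles one listing page: fetch each key (HTTP GET in real use),
// scan it, and report whether the page was truncated so the caller knows
// a full scan needs to follow NextContinuationToken.
func inspect(listing []byte, fetch func(string) ([]byte, bool), keywords []string) ([]Finding, bool, error) {
	lst, err := parseListing(listing)
	if err != nil {
		return nil, false, err
	}
	var findings []Finding
	for _, obj := range lst.Contents {
		if body, ok := fetch(obj.Key); ok {
			findings = append(findings, scanObject(obj.Key, body, keywords)...)
		}
	}
	return findings, lst.IsTruncated, nil
}

// Constructed sample data standing in for a live bucket.
var sampleListing = []byte(`<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <IsTruncated>true</IsTruncated>
  <NextContinuationToken>1ueGcxLPRx1Tr</NextContinuationToken>
  <Contents><Key>config/app.env</Key><Size>61</Size></Contents>
  <Contents><Key>backup/id_rsa</Key><Size>1823</Size></Contents>
  <Contents><Key>assets/logo.png</Key><Size>4096</Size></Contents>
</ListBucketResult>`)

var sampleObjects = map[string][]byte{
	"config/app.env":  []byte("APP_ENV=prod\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=hunter2\n"),
	"backup/id_rsa":   []byte("-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n"),
	"assets/logo.png": {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00},
}

func fetchSample(key string) ([]byte, bool) {
	b, ok := sampleObjects[key]
	return b, ok
}

func main() {
	findings, truncated, err := inspect(sampleListing, fetchSample, []string{"password"})
	if err != nil {
		panic(err)
	}
	if truncated {
		fmt.Println("warning: listing truncated at max-keys; follow NextContinuationToken for a complete scan")
	}
	out, _ := json.MarshalIndent(findings, "", "  ")
	fmt.Println(string(out))
}
```

The truncation flag is the point to watch in unauthenticated runs: a bucket that returns IsTruncated=true has more than max-keys objects, and anything past the first page is simply never scanned unless the client pages through the continuation tokens.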

Attached Files
toolscreenshot.png (180,517 bytes)   

Activities

umair

2025-12-30 06:04

reporter   ~0021192

This tool is currently taught as part of the CEH v13 Practical certification ++ AFAIK is also being used by several companies in their automation pipelines.

Happy to assist with any questions you may have.

daniruiz

2026-03-26 10:19

manager   ~0021476

To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will be for us):

[Name] - The name of the tool
[Already packaged] - Is the tool already packaged following Debian standard? A binary .deb is not sufficient.
[Willingness to package] - Is the tool creator willing to package the tool?
[Version] - What version of the tool should be added?
--- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag).
[Activity] - When did the project start? Is it still actively being developed? When was the most recent tagged release? How often are commits tagged?
[Homepage] - Where can the tool be found online? Where to go to get more information?
[Download] - Where to go to get the tool? Either a download page or a link to the latest version.
[Author(s)] - Who made the tool? What is their contact information (email, git, etc)?
[License] - How is the software distributed? What conditions does it come with?
--- Note, sometimes tools will bundle third-party code under a different license. Does the tool include multiple licenses? Which license(s) apply to which parts of the code?
[Description] - What is the tool about? What does it do?
[Features] - What features does the tool have?

[Update and/or dependency checking] - Does the tool have an auto update feature? Can it be disabled? Does it check for dependencies? Can it be disabled?

[Programming language] - What is the code written in? What utilities are used?
--- Think something like a setup.py file or minified javascript files.
[Hardcoding] - Does the tool contain hardcoded directories and paths?
--- Something like /home/user/tool/file would cause issues with typical Debian packaging standards, please include mention of these cases.
[Dependencies] - What is needed for the tool to work?

[Missing] - Are there any dependencies that are missing?
[Old] - Does this tool require an old version of a dependency? Which version?

[Kaboxer] - Is this tool a candidate for Kaboxer?
[Similar tools] - What other tools are out there that can be used for the same purpose?
[How to install] - How do you compile it?
--- Note, using source code to acquire (e.g. git clone or svn checkout) can't be used - Also downloading from the head. Please use a "tag" or "release" version.

[System-wide installation] - Does the tool support system-wide installation?

[How to use] - What are some basic commands/functions to demonstrate it?
[Pentest use case] - In what way is this tool used in a Pentest?

Issue History

Date Modified Username Field Change
2025-12-30 06:03 umair New Issue
2025-12-30 06:03 umair File Added: toolscreenshot.png
2025-12-30 06:04 umair Note Added: 0021192
2026-03-26 10:19 daniruiz Note Added: 0021476
2026-03-26 10:20 daniruiz Description Updated