Enumeration

Unauthenticated Enumeration

Use OSINT for unauthenticated enumeration: enumerate the target's DNS (subdomains, MX and TXT records) and identify its external identity provider, e.g. whether the domain is backed by Google Workspace / Cloud Identity.

Enumerate publicly accessible GCP resources (storage buckets, App Engine apps, Cloud Functions and similar) with OSINT tools such as cloud_enum.py.

Search public code hosting such as GitHub for leaked credentials, in particular service account JSON key files; a valid key file gives authenticated access directly, with no password or MFA involved.

Authenticated Enumeration

Authentication Methods

- GCP Portal [GUI]

Credential : User Account [Username & Password]

GCP Portal URL : https://console.cloud.google.com/

- Gcloud CLI

With Username and Password Credentials:

gcloud auth login

gcloud auth list

With Service Account (Json Key File):

gcloud auth activate-service-account --key-file key-file.json

gcloud auth list

With stored credentials in Local System :

• Windows: %APPDATA%\gcloud\ (i.e. C:\Users\<UserName>\AppData\Roaming\gcloud\)

• Linux / macOS: $HOME/.config/gcloud/ (i.e. /home/<UserName>/.config/gcloud/)

The cached credentials live in SQLite databases in that directory (open them with any SQLite client, e.g. the sqlite3 command line or DB Browser for SQLite). Access tokens are short-lived (roughly one hour); the long-lived material, OAuth refresh tokens and service account keys, is in credentials.db:

  • Database Name : access_tokens.db

  • Table: access_tokens

  • Columns: account_id, access_token, token_expiry, rapt_token

  • Database Name : credentials.db

  • Table: credentials

  • Columns: account_id, value
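To read those two databases without a GUI and tell live tokens from stale ones, here is an added example script (not code from the page). It assumes the table layouts listed above, that token_expiry is stored as naive UTC text such as '2024-05-01 13:00:00', and that the credentials value column holds a JSON credential blob with a "type" field; the sample databases it builds are constructed with fake values so the script runs offline.

```python
"""Read the credentials gcloud caches on disk (added example, not from the page).
Assumed layout: access_tokens.db / table access_tokens (account_id, access_token,
token_expiry, rapt_token) and credentials.db / table credentials (account_id, value);
token_expiry assumed to be naive UTC text, value assumed to be a JSON credential blob."""
import json
import os
import sqlite3
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def gcloud_config_dir() -> Path:
    """Default gcloud config directory (CLOUDSDK_CONFIG overrides it)."""
    if os.environ.get("CLOUDSDK_CONFIG"):
        return Path(os.environ["CLOUDSDK_CONFIG"])
    if sys.platform.startswith("win"):
        return Path(os.environ.get("APPDATA", "")) / "gcloud"
    return Path.home() / ".config" / "gcloud"


def _parse_expiry(text):
    """token_expiry as an aware UTC datetime, or None when it cannot be parsed."""
    try:
        return datetime.fromisoformat(str(text)).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def read_access_tokens(db_path, now=None):
    """account -> {token_prefix, expiry, expired}; an unreadable expiry counts as expired."""
    now = now or datetime.now(timezone.utc)
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT account_id, access_token, token_expiry FROM access_tokens").fetchall()
    con.close()
    result = {}
    for account, token, expiry in rows:
        exp = _parse_expiry(expiry)
        result[account] = {"token_prefix": (token or "")[:12] + "...",  # never print whole tokens
                           "expiry": exp, "expired": exp is None or exp <= now}
    return result


def read_credentials(db_path):
    """account -> kind of long-lived credential and whether the sensitive part is present."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT account_id, value FROM credentials").fetchall()
    con.close()
    result = {}
    for account, value in rows:
        try:
            blob = json.loads(value)
        except (TypeError, ValueError):
            blob = {}
        result[account] = {"type": blob.get("type", "unknown"),
                           "has_refresh_token": bool(blob.get("refresh_token")),
                           "has_private_key": bool(blob.get("private_key"))}
    return result


SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample data


def build_sample_config_dir(directory):
    """Constructed sample databases with fake values (not real credentials)."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    con = sqlite3.connect(directory / "access_tokens.db")
    con.execute("CREATE TABLE access_tokens (account_id TEXT PRIMARY KEY, "
                "access_token TEXT, token_expiry TIMESTAMP, rapt_token TEXT)")
    con.executemany("INSERT INTO access_tokens VALUES (?, ?, ?, ?)", [
        ("alice@example.com", "ya29.SAMPLE-ALICE-TOKEN", "2024-05-01 13:00:00", None),
        ("svc@demo-project.iam.gserviceaccount.com", "ya29.SAMPLE-SVC-TOKEN", "2024-04-30 09:00:00", None),
    ])
    con.commit()
    con.close()
    con = sqlite3.connect(directory / "credentials.db")
    con.execute("CREATE TABLE credentials (account_id TEXT PRIMARY KEY, value BLOB)")
    con.executemany("INSERT INTO credentials VALUES (?, ?)", [
        ("alice@example.com", json.dumps({"type": "authorized_user", "client_id": "x",
                                           "client_secret": "y", "refresh_token": "1//SAMPLE"})),
        ("svc@demo-project.iam.gserviceaccount.com", json.dumps({
            "type": "service_account", "client_email": "svc@demo-project.iam.gserviceaccount.com",
            "private_key": "-----BEGIN PRIVATE KEY-----\nSAMPLE\n-----END PRIVATE KEY-----\n"})),
    ])
    con.commit()
    con.close()
    return directory


def demo():
    """Build the sample directory in a temp dir and read it back with the fixed clock."""
    d = build_sample_config_dir(tempfile.mkdtemp())
    return read_access_tokens(d / "access_tokens.db", now=SAMPLE_NOW), read_credentials(d / "credentials.db")


if __name__ == "__main__":
    cfg = Path(sys.argv[1]) if len(sys.argv) > 1 else gcloud_config_dir()
    if (cfg / "access_tokens.db").exists():
        tokens, creds = read_access_tokens(cfg / "access_tokens.db"), read_credentials(cfg / "credentials.db")
    else:
        tokens, creds = demo()  # no real gcloud state here: show the constructed sample
    for account, info in tokens.items():
        print(f"[token] {account}: expired={info['expired']} expiry={info['expiry']}")
    for account, info in creds.items():
        print(f"[cred ] {account}: {info}")
```

Run it with the path of a recovered gcloud config directory as the only argument (for example a copy pulled from a compromised workstation); with no argument it looks in the current user's default location and falls back to the constructed sample.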

- Google Cloud API

Google cloud api documentation: https://developers.google.com/apis-explorer

Service Endpoint:

https://[ServiceName].googleapis.com

Validate an access token (the response lists its scopes and remaining lifetime and, when the token carries an email scope, the account it belongs to):

curl "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=$AccessToken"

Access Google API:

curl -X METHOD -H "Authorization: Bearer $AccessToken" https://API-URL

- Application Default Credentials (used by client libraries and external applications)

With Username and Password Credentials:

gcloud auth application-default login

This creates a credentials file (containing a refresh token) stored at:

• Linux, macOS: $HOME/.config/gcloud/application_default_credentials.json

• Windows: %APPDATA%\gcloud\application_default_credentials.json

GCP CLI Enumeration

- Google Cloud CLI Configuration

List the user / service accounts known to the gcloud CLI and which one is active:

gcloud auth list

Get the configuration of Gcloud CLI (user / service account & project):

gcloud config list

- GCP Organizations

List the organizations the logged-in user / service account can access:

gcloud organizations list

Get the IAM policy attached to an organization:

gcloud organizations get-iam-policy [OrganizationID]

List the folders within an organization:

gcloud resource-manager folders list --organization OrgID

- GCP Service Account

List all service accounts in the current project:

gcloud iam service-accounts list

Get the IAM policy for a service account:

gcloud iam service-accounts get-iam-policy [Service Account Email ID]

List the keys of a service account (user-managed keys are the downloadable, long-lived ones):

gcloud iam service-accounts keys list --iam-account [service Account Email ID]
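The keys listing is most useful with --format=json, which makes key type and validity window machine-readable. The following added example (not code from the page) triages that JSON: it reports only user-managed keys, flags those that never expire and those older than a rotation threshold. The assumed output shape is a JSON list of keys with "name" ending in /keys/KEY_ID, "keyType" of USER_MANAGED or SYSTEM_MANAGED and RFC 3339 "validAfterTime" / "validBeforeTime", with 9999-12-31T23:59:59Z meaning no expiry; SAMPLE_KEYS is constructed.

```python
"""Triage `gcloud iam service-accounts keys list --iam-account SA --format=json`
output (added example, not from the page). Field names and the 9999-12-31 'no
expiry' sentinel are assumptions about the JSON format."""
import json
import sys
from datetime import datetime, timedelta, timezone

NEVER_EXPIRES = "9999-12-31T23:59:59Z"


def _rfc3339(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_keys(keys, now, max_age_days=90):
    """One finding per user-managed key. Google-managed (SYSTEM_MANAGED) keys rotate
    automatically and cannot be exported, so they are skipped; user-managed keys are
    the ones that leak through repositories, CI logs and laptops."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - _rfc3339(key["validAfterTime"])
        reasons = ["user-managed key"]
        if key.get("validBeforeTime", NEVER_EXPIRES) == NEVER_EXPIRES:
            reasons.append("never expires")
        if age > timedelta(days=max_age_days):
            reasons.append(f"{age.days} days old (> {max_age_days})")
        findings.append({"key_id": key["name"].rsplit("/", 1)[-1],
                         "age_days": age.days, "reasons": reasons})
    return findings


SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_KEYS = json.loads("""[
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "SYSTEM_MANAGED",
   "name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/1111aaaa",
   "validAfterTime": "2024-05-25T00:00:00Z", "validBeforeTime": "2024-06-10T00:00:00Z"},
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED",
   "name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/2222bbbb",
   "validAfterTime": "2024-05-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "USER_PROVIDED", "keyType": "USER_MANAGED",
   "name": "projects/demo-project/serviceAccounts/app@demo-project.iam.gserviceaccount.com/keys/3333cccc",
   "validAfterTime": "2023-04-27T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
]""")

if __name__ == "__main__":
    # Piped input: real gcloud output against the real clock; otherwise the constructed sample.
    piped = not sys.stdin.isatty()
    keys = json.load(sys.stdin) if piped else SAMPLE_KEYS
    now = datetime.now(timezone.utc) if piped else SAMPLE_NOW
    for finding in triage_keys(keys, now):
        print(f"{finding['key_id']}: {', '.join(finding['reasons'])}")
```

Usage: `gcloud iam service-accounts keys list --iam-account SA_EMAIL --format=json | python3 sa_keys_triage.py`. An old, never-expiring user-managed key on a privileged service account is both a finding for a defender and a persistence candidate for an attacker.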

- GCP Projects

List the GCP projects the current principal has access to:

gcloud projects list

Get the resource hierarchy (folders and organization) above a project:

gcloud projects get-ancestors ProjectID

Get IAM policy for a project:

gcloud projects get-iam-policy PROJECT_ID

Set a different project:

gcloud config set project PROJECT_ID

List all APIs enabled in the current project:

gcloud services list

List the Cloud Source Repositories the principal can read:

gcloud source repos list

Clone a repository into a local directory:

gcloud source repos clone <repo_name>
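The project IAM policy returned by get-iam-policy above is usually the single most valuable document in the enumeration: it tells you what the account you hold can do, and where the escalation paths are. The following added example (not code from the page) triages that policy as JSON (`gcloud projects get-iam-policy PROJECT_ID --format=json`): it flags public and whole-domain grants, basic roles, service accounts holding owner/editor, and roles that typically allow privilege escalation through service accounts. It relies on the v1 Policy JSON shape (top-level "bindings", each with "role", "members" and an optional "condition"); the escalation-role list is a starting point rather than a complete one, and SAMPLE_POLICY is constructed.

```python
"""Triage a project IAM policy (added example, not from the page).
Input: the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`."""
import json
import sys

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner": "high", "roles/editor": "high", "roles/viewer": "medium"}
# Roles that let a principal act as, mint tokens for, or re-key service accounts,
# or rewrite project IAM: the usual escalation paths. Extend for your environment.
ESCALATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountUser", "roles/iam.serviceAccountAdmin",
    "roles/iam.securityAdmin", "roles/resourcemanager.projectIamAdmin",
}


def triage_policy(policy):
    """One finding per (member, role) pair worth a second look."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        conditional = "condition" in binding  # still a grant, but possibly narrowed by the condition
        for member in binding.get("members", []):
            reasons = []
            if member in PUBLIC_MEMBERS:
                reasons.append("public principal")
            if member.startswith("domain:"):
                reasons.append("whole-domain grant")
            if role in BASIC_ROLES:
                reasons.append(f"basic role ({BASIC_ROLES[role]})")
            if role in ESCALATION_ROLES:
                reasons.append("service-account / IAM escalation role")
            if member.startswith("serviceAccount:") and role in ("roles/owner", "roles/editor"):
                reasons.append("service account with broad role")
            if reasons:
                findings.append({"member": member, "role": role,
                                 "conditional": conditional, "reasons": reasons})
    return findings


def roles_for(policy, member):
    """Roles a principal holds directly in this policy, e.g. the account you
    authenticated as, to see what it can do in this project."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:ci-deploy@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["allUsers"]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["group:devs@example.com"],
     "condition": {"title": "office-hours", "expression": "request.time.getHours('Europe/Berlin') < 18"}},
    {"role": "roles/browser", "members": ["domain:example.com"]},
    {"role": "roles/logging.viewer", "members": ["user:bob@example.com", "user:alice@example.com"]}
  ],
  "etag": "BwXyz0SAMPLE=", "version": 3
}""")  # constructed sample policy

if __name__ == "__main__":
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for f in triage_policy(policy):
        flag = " [conditional]" if f["conditional"] else ""
        print(f"{f['role']:45} {f['member']}{flag}: {', '.join(f['reasons'])}")
```

Usage: `gcloud projects get-iam-policy PROJECT_ID --format=json | python3 iam_triage.py`. The same function works on the organization and folder policies from the sections above, since they share the policy format; remember that effective access is the union of the bindings at every level of the hierarchy, so triage each level.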

- GCP Predefined Roles

List the predefined roles:

gcloud iam roles list

List the permissions contained in a role:

gcloud iam roles describe roles/owner

- GCP Custom Roles

List the custom roles defined in a project (use --organization ORG_ID instead for organization-level custom roles):

gcloud iam roles list --project PROJECT_ID

List the permissions in a custom role:

gcloud iam roles describe ROLE_NAME --project PROJECT_ID

- Instances

List compute instances:

gcloud compute instances list

Get IAM policy for a compute instance:

gcloud compute instances get-iam-policy INSTANCE_NAME --zone ZONE

List networks:

gcloud compute networks list

List subnets:

gcloud compute networks subnets list

List VPN tunnels:

gcloud compute vpn-tunnels list

List Cloud Interconnects (dedicated or partner links to on-premises networks; distinct from Cloud VPN):

gcloud compute interconnects list

- Storage Buckets

List the contents of a Cloud Storage bucket recursively:

gsutil ls -r gs://<bucket name>

- Webapps & SQL

List App Engine instances:

gcloud app instances list

List Cloud SQL, Spanner and Bigtable instances:

gcloud sql instances list

gcloud spanner instances list

gcloud bigtable instances list

List the databases in a Cloud SQL or Spanner instance:

gcloud sql databases list --instance <instance ID>

gcloud spanner databases list --instance <instance name>

- Containers

List GKE clusters:

gcloud container clusters list

Fetch the cluster credentials into the kubeconfig (~/.kube/config); use --zone instead of --region for zonal clusters:

gcloud container clusters get-credentials <cluster name> --region <region>

If authentication succeeds and the principal has the required permissions, query the cluster:

kubectl cluster-info

- GCP Functions Log Analysis

Function descriptions and logs often expose useful information (environment variables, trigger URLs, stack traces with internal hostnames):

gcloud functions list

gcloud functions describe <function name>

gcloud functions logs read <function name> --limit <number of lines>

- GCP Cloud Run Analysis

Service and revision descriptions often expose useful information, such as environment variables and the service account the revision runs as:

gcloud run services list

gcloud run services describe <service-name>

gcloud run revisions describe --region=<region> <revision-name>
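Reading environment variables out of those describe commands by eye does not scale across many services, and hard-coded secrets in them are one of the most common findings. The following added example (not code from the page) scans the JSON form of the Cloud Run and Cloud Functions describe output above for secrets in plain-text environment variables, by variable name, by known value formats and by entropy. It assumes the Cloud Run service JSON keeps env vars in spec.template.spec.containers[].env as {name, value} or {name, valueFrom: {secretKeyRef: ...}}, that Cloud Functions gen2 output keeps them in serviceConfig.environmentVariables and gen1 in environmentVariables; both sample documents are constructed.

```python
"""Scan Cloud Run / Cloud Functions describe JSON for secrets in plain env vars
(added example, not from the page). The JSON field paths are assumptions about
the describe output formats; the sample documents are constructed."""
import json
import math
import re
import sys
from collections import Counter

NAME_RE = re.compile(r"(?i)(secret|token|passw|api[_-]?key|private|credential|auth)")
VALUE_PATTERNS = {
    "google api key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "oauth access token": re.compile(r"ya29\.[0-9A-Za-z_-]+"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "service account json": re.compile(r'"type"\s*:\s*"service_account"'),
}
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 32, 4.5  # tune for your environment


def shannon_entropy(text):
    """Bits per character; random key material scores well above prose, paths or URLs."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def extract_env(doc):
    """Return (name, value, is_secret_ref) triples from either describe format."""
    out = []
    containers = doc.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
    for container in containers:  # Cloud Run (Knative Service)
        for entry in container.get("env", []):
            ref = "valueFrom" in entry
            out.append((entry["name"], None if ref else entry.get("value", ""), ref))
    for env in (doc.get("serviceConfig", {}).get("environmentVariables"),  # Functions gen2
                doc.get("environmentVariables")):                          # Functions gen1
        out.extend((k, v, False) for k, v in (env or {}).items())
    return out


def scan(doc):
    """Map env var name -> reasons. Secret Manager references are skipped: describe
    output never shows their value, which is exactly the pattern you want to see."""
    findings = {}
    for name, value, ref in extract_env(doc):
        if ref:
            continue
        reasons = []
        if NAME_RE.search(name):
            reasons.append("sensitive name")
        reasons += [label for label, pat in VALUE_PATTERNS.items() if pat.search(value or "")]
        if value and len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy value")
        if reasons:
            findings[name] = reasons
    return findings


SAMPLE_RUN_SERVICE = {  # constructed, shaped like `gcloud run services describe --format=json`
    "apiVersion": "serving.knative.dev/v1", "kind": "Service", "metadata": {"name": "billing-api"},
    "spec": {"template": {"spec": {"containers": [{
        "image": "gcr.io/demo-project/billing-api",
        "env": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "DB_PASSWORD", "value": "hunter2"},
            {"name": "GOOGLE_API_KEY", "value": "AIzaSyEXAMPLE0123456789abcdefghijklmnop"},
            {"name": "SESSION_SIGNING_SEED", "value": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef"},
            {"name": "STRIPE_TOKEN", "valueFrom": {"secretKeyRef": {"name": "stripe-token", "key": "latest"}}},
        ]}]}}}}
SAMPLE_FUNCTION = {  # constructed, shaped like a gen2 `gcloud functions describe --format=json`
    "name": "projects/demo-project/locations/us-central1/functions/ingest", "environment": "GEN_2",
    "serviceConfig": {"environmentVariables": {
        "REGION": "us-central1",
        "SA_KEY_JSON": '{"type": "service_account", "project_id": "demo-project"}'}}}

if __name__ == "__main__":
    docs = [json.load(sys.stdin)] if not sys.stdin.isatty() else [SAMPLE_RUN_SERVICE, SAMPLE_FUNCTION]
    for doc in docs:
        for name, reasons in scan(doc).items():
            print(f"{name}: {', '.join(reasons)}")
```

Usage: `gcloud run services describe SERVICE --region REGION --format=json | python3 env_scan.py`, and the same for `gcloud functions describe FUNCTION --format=json`. Findings are leads, not proof: a "sensitive name" hit with a short value may be a placeholder, while a high-entropy hit with an innocuous name is often the real key.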

Automated Enumeration Tools

- gcp_enum.sh

https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_enum

Automated authenticated enumeration using the credentials currently active in the gcloud CLI:

./gcp_enum.sh
