Google Cloud Platform

Understand GCP

• Here is a fun way to grasp the core concepts of GCP (thanks Ygor Cappai for putting all the images in on PDF).

pentips/GCP-cloudgirldev.pdf at main · CSbyGB/pentipsGitHub

The Cloud Girl - Google Cloud Platform

• You can get CloudGirl full book here:

Checklist

• Enumeration

Source: Nettitude

• Man In the Middle Attack

• Access Level Control (Leveraging Permissive IAM Roles and Permissions, Lack of Role-Based Access Controls (RBAC), ...)

  • Enumerate access to Cloud Services for the current IAM role

  • Create new Cloud users

  • Extract credentials from meta­data, configuration files, environment variables, and logs

  • Clone databases and instances to access information stored in snapshots

• Misconfigured In-bound ports

• Over permissive Storage Buckets

• Logging and Monitoring

• Try to Escape from the GCP sandbox environment

• Try to exploit publicly Exposed Services (access keys, tokens, buckets, ...)

• Check for the usual user creds compromission (cred stuffing, password spray, ...)

Practice

• Check out six2dez gitbook here with many useful tools and commands for GCP pentest

• If you want to practice check out GCP-GOAT here

• Take so time also to check out this amazing tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments by Chris Moberly

Tools

• If you are in restricted environment and can not install any other tools you can check out GCP IAM Analyzer

  • gcloud asset analyze-iam-policy --organization="123456" --permissions="iam.serviceAccounts.actAS, iam.serviceAccounts.getAccessToken, iam.serviceAccounts.getOpenIdToken, Iam.serviceAccounts.implicitDelegation, iam.serviceAccounts.signBlob, iam.serviceAccounts.signJwt" find all members that can impersonate a service account from the Organization level

• gcploit

• IAAS permission mining

• Hayat

• GCP Firewall Enum - Generate targeted port scans for Compute Instances exposed to the internet

• GCP Enum - Most of the enumeration commands in this blog, consolidated to a single script

• GCP misc - Various tools for attacking GCP environments

Resources

Cloud Penetration Testing - An Essential Guide | NettitudeNettitude_com

Nettitude - Cloud Penetration Testing - An Essential Guide

GCP SecurityHackTricks

Cloud Security - GCP - Hacktricks

gcpHound : A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP)Medium

gcpHound : A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP) - Madhav Bhatt

Permission Mining in GCP - Colin Estep

Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation: Blackhat/Defcon 2020

GitHub - allisonis/gcp-iam-sentinel-examplesGitHub

Google Cloud Platform IAM Sentinel Policies

https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf

Google Cloud security foundations guide

Google Cloud Developer Cheat Sheet