GCPwn: A Pentesting Tool For Google Cloud Platform

gcpwn

It consists of numerous enumeration modules I wrote plus exploit modules leveraging research done by others in the space (ex. Rhino Security) along with some existing known standalone tools like GCPBucketBrute to make the tool a one-stop-shop for Google Cloud Platform (GCP) testing. While other exploit scripts are generally one-time use, GCPwn stores both data and permissions as you are running through modules organizing the data for you, and re-using it to make your life easier in terms of pentesting/tracking permissions.

Who is this for?

This tool is mainly for pentesters, those just learning GCP security, and security researchers in general.

  • For pentesters, as illustrated above the tool automates a lot of scripts you would normally run and stores data to make exploit modules trivial to execute.
  • For those just learning GCP security, the tool is setup in such a way that it should be easy to add your own module via a Pull request as you dive into the individual service.
  • For security researchers, the tool allows you to run through a large number of GCP API calls and I document how to proxy the tool in the background through a local tool like Burp Suite. So running enum_all with burp suite logging all the requests will give you visibility into all the different API endpoints across all the different Python libraries with one command. That’s the hope at least, I got it partially working with env variables, if someone can finish cracking the code

Module Organization + Searching

Modules are grouped by GCP services. For example, modules dealing with Cloud Storage (S3 Buckets if you’re from AWS) are under the “CloudStorage” directory in the “Modules” folder.

Modules are also split up into several key categories. At this time this includes:

  • Enumeration: Enumerate data. Includes all testIAMPermission API calls via the –iam flag and can download content in some cases if supplied with a –download flag or other similar flag.
  • Exploit: Perform singular exploit attacks such as setIamPolicy, implicit delegation, generate a service account key, etc.
  • Unauthenticated: Modules that require no credentials (ex. GCPBucketBrute taken from Rhino Security).

Install & Use

Copyright (c) 2024, NetSPI