Awesome GCP Pentesting
Hi, my name is Shannon and I am a consultant focusing on GCP. Finding GCP offensive security resources was hard, so I put them all together so no one else has to search for hours.
The purpose of this page is to provide useful tools and resources to anyone who wants to learn offensive GCP security. PM me on Twitter @_shannon_mchale if you think something else should be included!
Terminology
The best resource I have found
Tools
Gain Access
Enumeration
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_misc
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_firewall_enum
Priv Esc
Impact
Practice Ranges
Blogs
- https://irsl.medium.com/the-speckle-umbrella-story-part-2-fcc0193614ea
- https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec
- https://github.com/dxa4481/AttackingAndDefendingTheGCPMetadataAPI
- https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1
- https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
- https://jryancanty.medium.com/stop-downloading-google-cloud-service-account-keys-1811d44a97d9
- https://kloudle.com/academy/escalating-privileges-in-google-cloud-from-app-to-cloud-access/
- https://infosecwriteups.com/enumeration-and-lateral-movement-in-gcp-environments-c3b82d342794
- https://infosecwriteups.com/gcp-inspector-auditing-publicly-exposed-gcp-bucket-ac6cad55618c
- https://expel.com/blog/incident-report-spotting-an-attacker-in-gcp/
- https://www.mitiga.io/blog/google-cloud-platform-exfiltration-a-threat-hunting-guide
Conference Talks
- Google Cloud Post-Exploitation Tactics & Techniques (BSides 2020 "Plundering GCP" Talk)
- IAM Concerned: OAuth Token Hijacking in Google Cloud (GCP)
- Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation
- The GCP Metadata API
- Can I hack GCP?
- Instant Threat Modeling - GCP
- May The Cloud Be With You
Research Projects
- https://github.com/pumasecurity/serverless-prey/tree/main/cheetah - Cloud Function reverse shell
Defense Things
- https://github.com/rigup/ephemeral-iam - A CLI tool for temporarily escalating GCP IAM privileges to perform high-privilege tasks.
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/
- https://expel.com/wp-content/uploads/2022/08/Expel-GCP-mind-map-kit-080422.pdf
- https://github.com/log2timeline/dftimewolf/blob/main/docs/user-manual.md