Awesome GCP Pentesting

Hi my name is Shannon and I am a consultant focusing on GCP. Finding GCP offensive security resources was hard so I put them all together so no one else has to search for hours.

The purpose of this page is to provide useful tools and resources to anyone who wants to learn offensive GCP security. PM me on twitter @_shannon_mchale if you think something else should be included!

Terminology

• https://github.com/priyankavergadia/google-cloud-4-words

The best resource I have found

• https://cloud.hacktricks.xyz/pentesting-cloud/gcp-pentesting

Tools

Gain Access

• https://github.com/RhinoSecurityLabs/GCPBucketBrute

• https://github.com/initstring/cloud_enum

• https://github.com/oldrho/ip2provider

• https://grayhatwarfare.com/

Enumeration

• https://github.com/nccgroup/ScoutSuite

• https://github.com/darkbitio/gcp-iam-role-permissions

• https://github.com/bartcode/gcp-iam-viz

• https://github.com/lyft/cartography

• https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_misc

• https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_firewall_enum

• https://github.com/NotSoSecure/cloud-service-enum

Priv Esc

• https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation

• https://github.com/dxa4481/gcploit

• https://github.com/google/gcp_scanner

• https://github.com/carlospolop/PurplePanda

Impact

• https://github.com/rek7/patchy

Practice Ranges

• https://github.com/ine-labs/GCPGoat

• https://thunder-ctf.cloud/

Blogs

• https://book.hacktricks.xyz/cloud-security/gcp-security

• https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/

• https://irsl.medium.com/the-speckle-umbrella-story-part-2-fcc0193614ea

• https://mbrancato.github.io/2021/12/28/rce-dataflow.html

• https://desi-jarvis.medium.com/gcphound-a-swiss-army-knife-offensive-toolkit-for-google-cloud-platform-gcp-fb9e18b959b4

• https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec

• https://cloudsecdocs.com/gcp/offensive/attacks/writeups/

• https://github.com/dxa4481/AttackingAndDefendingTheGCPMetadataAPI

• https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1

• https://medium.com/@tomaszwybraniec/google-cloud-platform-pentest-notes-service-accounts-b960dc59d93a

• https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/

• https://jryancanty.medium.com/stop-downloading-google-cloud-service-account-keys-1811d44a97d9

• https://kloudle.com/academy/escalating-privileges-in-google-cloud-from-app-to-cloud-access/

• https://www.praetorian.com/blog/google-cloud-platform-gcp-service-account-based-privilege-escalation-paths/

• https://infosecwriteups.com/enumeration-and-lateral-movement-in-gcp-environments-c3b82d342794

• https://infosecwriteups.com/gcp-inspector-auditing-publicly-exposed-gcp-bucket-ac6cad55618c

• https://expel.com/blog/incident-report-spotting-an-attacker-in-gcp/

• https://www.mitiga.io/blog/google-cloud-platform-exfiltration-a-threat-hunting-guide

Conference Talks

• Google Cloud Post-Exploitation Tactics & Techniques (BSides 2020 "Plundering GCP" Talk)
• IAM Concerned: OAuth Token Hijacking in Google Cloud (GCP)
• Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation
• The GCP Metadata API
• Can I hack GCP?
• Instant Threat Modeling - GCP
• May The Cloud Be With You

Research Projects

• https://github.com/pumasecurity/serverless-prey/tree/main/cheetah - Cloud Function reverse shell

Defense Things

• https://github.com/rigup/ephemeral-iam A CLI tool for temporarily escalating GCP IAM privileges to perform high privilege tasks.
• https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/
• https://expel.com/wp-content/uploads/2022/08/Expel-GCP-mind-map-kit-080422.pdf
• https://github.com/log2timeline/dftimewolf/blob/main/docs/user-manual.md