• Stars
    star
    478
  • Rank 91,950 (Top 2 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created over 5 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.

GCPBucketBrute

A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.

  • This script (optionally) accepts GCP user/service account credentials and a keyword.
  • Then, a list of permutations will be generated from that keyword which will then be used to scan for the existence of Google Storage buckets with those names.
  • If credentials are supplied, the majority of enumeration will still be performed while unauthenticated, but for any bucket that is discovered via unauthenticated enumeration, it will attempt to enumerate the bucket permissions using the TestIamPermissions API with the supplied credentials. This will help find buckets that are accessible while authenticated, but not while unauthenticated.
  • Regardless if credentials are supplied or not, the script will then try to enumerate the bucket permissions using the TestIamPermissions API while unauthenticated. This means that if you don't enter credentials, you will only be shown the privileges an unauthenticated user has, but if you do enter credentials, you will see what access authenticated users have compared to unauthenticated users.
  • WARNING: If credentials are supplied, your username can be disclosed in the access logs of any buckets you discover.

TL;DR Summary

  • Given a keyword, this script enumerates Google Storage buckets based on a number of permutations generated from the keyword.
  • Then, any discovered bucket will be output.
  • Then, any permissions that you are granted (if any) to any discovered bucket will be output.
  • Then the script will check those privileges for privilege escalation (storage.buckets.setIamPolicy) and will output anything interesting (such as publicly listable, publicly writable, authenticated listable, privilege escalation, etc).

Requirements

  • Linux/OS X
    • Windows only works for unauthenticated scans. Something is wrong with how the script uses the subprocess module in that it fails when using an authenticated Google client.
  • Python3
  • Pip3

Installation

  1. git clone https://github.com/RhinoSecurityLabs/GCPBucketBrute.git
  2. cd GCPBucketBrute/
  3. pip3 install -r requirements.txt or python3 -m pip install -r requirements.txt

Usage

First, determine the type of authentication you want to use for enumeration between a user account, service account, or unauthenticated. If you are using a service account, provide the file path to the private key via the -f/--service-account-credential-file-path argument. If you are using a user account, don't provide an authentication argument. You will then be prompted to enter the access token of your user account for accessing the GCP APIs. If you want to scan completely unauthenticated, pass the -u/--unauthenticated argument to hide authentication prompts.

  • Scan for buckets using the keyword "test" while completely unauthenticated:
python3 gcpbucketbrute.py -k test -u
  • Scan for buckets using the keyword "test" while authenticating with a service account (private key stored at ../sa-priv-key.pem), outputting results to out.txt in the current directory:
python3 gcpbucketbrute.py -k test -f ../sa-priv-key.pem -o ./out.txt
  • Scan for buckets using the keyword "test", using a user account access token, running with 10 subprocesses instead of 5:
python3 gcpbucketbrute.py -k test -s 10

Available Arguments

  • -k/--keyword
    • This argument is used to specify what keyword will be used to generate permutations with. Those permutations are what will be searched for in Google Storage.
  • --check
    • This argument is mutually exclusive with -k/--keyword and accepts a single string. It allows you to check your permissions on a particular bucket, rather than generating a list of permutations based on a keyword. This may be repeated to check several buckets. Credit: @BBerastegui
  • --check-list
    • This argument is mutually exclusive with -k/--keyword and --check. It allows you to check permissions of a list of buckets in a file. They should be listed one-per-line in a text file. To read from standard input, pass - as the filename.
  • -s/--subprocesses
    • This argument specifies how many subprocesses will be used for bucket enumeration. The default is 5 and the higher you set this value, the faster enumeration will be, but your requests-per-second to Google will increase. These are essentially threads, but the script uses subprocesses instead of threads for parallel execution.
  • -f/--service-account-credential-file-path
  • -u/--unauthenticated
    • This argument forces unauthenticated enumeration. With this flag, you will not be prompted for credentials and valid buckets will not be checked for authenticated permissions.
  • -o/--out-file
    • This argument allows you to specify a (relative or absolute) file path to a log file to output the results to. The file will be created if it does not already exist and it will be appended to if it does already exist.
  • -w/--wordlist
    • This argument allows you to specify a wordlist input file.

More Repositories

1

pacu

The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
Python
4,339
star
2

cloudgoat

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
Python
2,923
star
3

Security-Research

Exploits written by the Rhino Security Labs team
Python
1,057
star
4

AWS-IAM-Privilege-Escalation

A centralized source of all AWS IAM privilege escalation methods released by Rhino Security Labs.
894
star
5

IPRotate_Burp_Extension

Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.
Python
809
star
6

CVEs

A collection of proof-of-concept exploit scripts written by the team at Rhino Security Labs for various CVEs.
Python
793
star
7

ccat

Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.
Python
586
star
8

SleuthQL

Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
Python
464
star
9

Cloud-Security-Research

Cloud-related research releases from the Rhino Security Labs team.
Python
353
star
10

GCP-IAM-Privilege-Escalation

A collection of GCP IAM privilege escalation methods documented by the Rhino Security Labs team.
Python
336
star
11

Swagger-EZ

A tool geared towards pentesting APIs using OpenAPI definitions.
JavaScript
169
star
12

IAMActionHunter

An AWS IAM policy statement parser and query tool.
Python
154
star
13

Aggressor-Scripts

Aggregation of Cobalt Strike's aggressor scripts.
PowerShell
144
star
14

dsnap

Utility for downloading and mounting EBS snapshots using the EBS Direct API's
Python
73
star
15

Presentations

A collection of slides, videos, and proof-of-concept scripts from various Rhino presentations.
37
star
16

little-stitch

Send and receive bypassing Little Snitch alerting.
Go
10
star