GCP - Permissions for a Pentest

Se desideri effettuare un pentest su un ambiente GCP, è necessario richiedere autorizzazioni sufficienti per verificare tutti o la maggior parte dei servizi utilizzati in GCP. Idealmente, dovresti chiedere al cliente di creare:

Creare un nuovo progetto
Creare un Service Account all'interno di quel progetto (ottenere le credenziali json) o creare un nuovo utente.
Assegnare al Service Account o all'utente i ruoli menzionati successivamente sull'ORGANIZZAZIONE
Abilitare le API menzionate successivamente in questo post nel progetto creato

Set di autorizzazioni per utilizzare gli strumenti proposti successivamente:

roles/viewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer

API da abilitare (da starbase):

gcloud services enable \
serviceusage.googleapis.com \
cloudfunctions.googleapis.com \
storage.googleapis.com \
iam.googleapis.com \
cloudresourcemanager.googleapis.com \
compute.googleapis.com \
cloudkms.googleapis.com \
sqladmin.googleapis.com \
bigquery.googleapis.com \
container.googleapis.com \
dns.googleapis.com \
logging.googleapis.com \
monitoring.googleapis.com \
binaryauthorization.googleapis.com \
pubsub.googleapis.com \
appengine.googleapis.com \
run.googleapis.com \
redis.googleapis.com \
memcache.googleapis.com \
apigateway.googleapis.com \
spanner.googleapis.com \
privateca.googleapis.com \
cloudasset.googleapis.com \
accesscontextmanager.googleapis.com

Autorizzazioni per singoli strumenti

PurplePanda

From https://github.com/carlospolop/PurplePanda/tree/master/intel/google#permissions-configuration

roles/bigquery.metadataViewer
roles/composer.user
roles/compute.viewer
roles/container.clusterViewer
roles/iam.securityReviewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/secretmanager.viewer

ScoutSuite

ScoutSuite is a tool that allows you to assess the security posture of your Google Cloud Platform (GCP) environment. It provides a comprehensive analysis of the permissions assigned to various entities within your GCP project.

ScoutSuite scans your GCP environment and generates a report that includes information about the permissions assigned to service accounts, users, and groups. This information can be useful for identifying potential security vulnerabilities and ensuring that the principle of least privilege is followed.

To use ScoutSuite, you need to have the necessary permissions to access the GCP environment you want to scan. These permissions include the roles/iam.securityReviewer and roles/iam.serviceAccountKeyAdmin roles.

Once you have the required permissions, you can install ScoutSuite and run it against your GCP project. The tool will analyze the permissions and generate a report that you can review to identify any potential security issues.

ScoutSuite is a valuable tool for conducting security assessments of GCP environments and ensuring that proper permissions are assigned to entities within the project. By regularly scanning your GCP environment with ScoutSuite, you can proactively identify and address any security vulnerabilities that may exist.

From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions

roles/Viewer
roles/iam.securityReviewer
roles/stackdriver.accounts.viewer

CloudSploit

CloudSploit è uno strumento open source che può essere utilizzato per eseguire la scansione delle configurazioni di sicurezza di un'infrastruttura cloud. Supporta anche Google Cloud Platform (GCP) e fornisce una guida dettagliata su come configurare correttamente le autorizzazioni per un test di penetrazione su GCP.

From https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration

includedPermissions:
- cloudasset.assets.listResource
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- cloudsql.instances.list
- cloudsql.users.list
- compute.autoscalers.list
- compute.backendServices.list
- compute.disks.list
- compute.firewalls.list
- compute.healthChecks.list
- compute.instanceGroups.list
- compute.instances.getIamPolicy
- compute.instances.list
- compute.networks.list
- compute.projects.get
- compute.securityPolicies.list
- compute.subnetworks.list
- compute.targetHttpProxies.list
- container.clusters.list
- dns.managedZones.list
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- logging.logMetrics.list
- logging.sinks.list
- monitoring.alertPolicies.list
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.resourceTagBindings.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.list
- storage.buckets.getIamPolicy
- storage.buckets.list

Cartografia

From https://lyft.github.io/cartography/modules/gcp/config.html

roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer

Starbase

From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md

roles/iam.securityReviewer
roles/iam.organizationRoleViewer
roles/bigquery.metadataViewer

PreviousGCP - Federation Abuse NextGCP - Post Exploitation

Last updated 9 months ago