GCP - KMS Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

KMS

Find basic information about KMS in:

`cloudkms.cryptoKeyVersions.destroy`

An attacker with this permission could destroy a KMS version. In order to do this you first need to disable the key and then destroy it:

# pip install google-cloud-kms

from google.cloud import kms

def disable_key_version(project_id, location_id, key_ring_id, key_id, key_version):
    """
    Disables a key version in Cloud KMS.
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, key_version)

    # Call the API to disable the key version.
    client.update_crypto_key_version(request={'crypto_key_version': {'name': key_version_name, 'state': kms.CryptoKeyVersion.State.DISABLED}})

def destroy_key_version(project_id, location_id, key_ring_id, key_id, key_version):
    """
    Destroys a key version in Cloud KMS.
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, key_version)

    # Call the API to destroy the key version.
    client.destroy_crypto_key_version(request={'name': key_version_name})

# Example usage
project_id = 'your-project-id'
location_id = 'your-location'
key_ring_id = 'your-key-ring'
key_id = 'your-key-id'
key_version = '1'  # Version number to disable and destroy

# Disable the key version
disable_key_version(project_id, location_id, key_ring_id, key_id, key_version)

# Destroy the key version
destroy_key_version(project_id, location_id, key_ring_id, key_id, key_version)

KMS Ransomware

In AWS it's possible to completely steal a KMS key by modifying the KMS resource policy and only allowing the attackers account to use the key. As these resource policies doesn't exist in GCP this is not possible.

However, there is another way to perform a global KMS Ransomware, which would involve the following steps:

Create a new version of the key with a key material imported by the attacker

gcloud kms import-jobs create [IMPORT_JOB] --location [LOCATION] --keyring [KEY_RING] --import-method [IMPORT_METHOD] --protection-level [PROTECTION_LEVEL] --target-key [KEY]

Set it as default version (for future data being encrypted)
Re-encrypt older data encrypted with the previous version with the new one.
Delete the KMS key
Now only the attacker, who has the original key material could be able to decrypt the encrypted data

`cloudkms.cryptoKeyVersions.useToEncrypt` | `cloudkms.cryptoKeyVersions.useToEncryptViaDelegation`

from google.cloud import kms
import base64

def encrypt_symmetric(project_id, location_id, key_ring_id, key_id, plaintext):
    """
    Encrypts data using a symmetric key from Cloud KMS.
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key name.
    key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)

    # Convert the plaintext to bytes.
    plaintext_bytes = plaintext.encode('utf-8')

    # Call the API.
    encrypt_response = client.encrypt(request={'name': key_name, 'plaintext': plaintext_bytes})
    ciphertext = encrypt_response.ciphertext

    # Optional: Encode the ciphertext to base64 for easier handling.
    return base64.b64encode(ciphertext)

# Example usage
project_id = 'your-project-id'
location_id = 'your-location'
key_ring_id = 'your-key-ring'
key_id = 'your-key-id'
plaintext = 'your-data-to-encrypt'

ciphertext = encrypt_symmetric(project_id, location_id, key_ring_id, key_id, plaintext)
print('Ciphertext:', ciphertext)

`cloudkms.cryptoKeyVersions.useToSign`

import hashlib
from google.cloud import kms

def sign_asymmetric(project_id, location_id, key_ring_id, key_id, key_version, message):
    """
    Sign a message using an asymmetric key version from Cloud KMS.
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, key_version)

    # Convert the message to bytes and calculate the digest.
    message_bytes = message.encode('utf-8')
    digest = {'sha256': hashlib.sha256(message_bytes).digest()}

    # Call the API to sign the digest.
    sign_response = client.asymmetric_sign(name=key_version_name, digest=digest)
    return sign_response.signature

# Example usage for signing
project_id = 'your-project-id'
location_id = 'your-location'
key_ring_id = 'your-key-ring'
key_id = 'your-key-id'
key_version = '1'
message = 'your-message'

signature = sign_asymmetric(project_id, location_id, key_ring_id, key_id, key_version, message)
print('Signature:', signature)

`cloudkms.cryptoKeyVersions.useToVerify`

from google.cloud import kms
import hashlib

def verify_asymmetric_signature(project_id, location_id, key_ring_id, key_id, key_version, message, signature):
    """
    Verify a signature using an asymmetric key version from Cloud KMS.
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, key_version)

    # Convert the message to bytes and calculate the digest.
    message_bytes = message.encode('utf-8')
    digest = {'sha256': hashlib.sha256(message_bytes).digest()}

    # Build the verify request and call the API.
    verify_response = client.asymmetric_verify(name=key_version_name, digest=digest, signature=signature)
    return verify_response.success

# Example usage for verification
verified = verify_asymmetric_signature(project_id, location_id, key_ring_id, key_id, key_version, message, signature)
print('Verified:', verified)

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - IAM Post Exploitation NextGCP - Logging Post Exploitation

Last updated 2 months ago

KMS

cloudkms.cryptoKeyVersions.destroy

KMS Ransomware

cloudkms.cryptoKeyVersions.useToEncrypt | cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

`cloudkms.cryptoKeyVersions.destroy`

`cloudkms.cryptoKeyVersions.useToEncrypt` | `cloudkms.cryptoKeyVersions.useToEncryptViaDelegation`

`cloudkms.cryptoKeyVersions.useToSign`

`cloudkms.cryptoKeyVersions.useToVerify`