GWS - Workspace Pentesting

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Entry Points

Google Platforms and OAuth Apps Phishing

Check how you could use different Google platforms such as Drive, Chat, Groups... to send the victim a phishing link and how to perform a Google OAuth Phishing in:

GWS - Google Platforms Phishing

Password Spraying

In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you could use a tool like https://github.com/ustayready/CredKing (although it looks unmaintained) which will use AWS lambdas to change IP address.

Post-Exploitation

If you have compromised some credentials or the session of the user you can perform several actions to access potential sensitive information of the user and to try to escala privileges:

GWS - Post Exploitation

GWS <-->GCP Pivoting

Read more about the different techniques to pivot between GWS and GCP in:

GCP <--> Workspace Pivoting

GWS <--> GCPW | GCDS | Directory Sync (AD & EntraID)

GCPW (Google Credential Provider for Windows): This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using their Workspace credentials. Moreover, this will store tokens to access Google Workspace in some places in the PC.
GCDS (Google CLoud DIrectory Sync): This is a tool that can be used to sync your active directory users and groups to your Workspace. The tool requires the credentials of a Workspace superuser and privileged AD user. So, it might be possible to find it inside a domain server that would be synchronising users from time to time.
Admin Directory Sync: It allows you to synchronize users from AD and EntraID in a serverless process from https://admin.google.com/ac/sync/externaldirectories.

GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)

Persistence

If you have compromised some credentials or the session of the user check these options to maintain persistence over it:

GWS - Persistence

Account Compromised Recovery

Log out of all sessions
Change user password
Generate new 2FA backup codes
Remove App passwords
Remove OAuth apps
Remove 2FA devices
Remove email forwarders
Remove emails filters
Remove recovery email/phones
Removed malicious synced smartphones
Remove bad Android Apps
Remove bad account delegations

References

https://www.youtube-nocookie.com/embed/6AsVUS79gLw - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
https://www.youtube.com/watch?v=KTVHLolz6cE - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousGCP - Public Buckets Privilege Escalation NextGWS - Post Exploitation

Last updated 1 month ago

Entry Points

Google Platforms and OAuth Apps Phishing

Check how you could use different Google platforms such as Drive, Chat, Groups... to send the victim a phishing link and how to perform a Google OAuth Phishing in:

GWS - Google Platforms Phishing

Password Spraying

Post-Exploitation

If you have compromised some credentials or the session of the user you can perform several actions to access potential sensitive information of the user and to try to escala privileges:

GWS - Post Exploitation

GWS <-->GCP Pivoting

Read more about the different techniques to pivot between GWS and GCP in:

GCP <--> Workspace Pivoting

GWS <--> GCPW | GCDS | Directory Sync (AD & EntraID)

GCPW (Google Credential Provider for Windows): This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using their Workspace credentials. Moreover, this will store tokens to access Google Workspace in some places in the PC.

GCDS (Google CLoud DIrectory Sync): This is a tool that can be used to sync your active directory users and groups to your Workspace. The tool requires the credentials of a Workspace superuser and privileged AD user. So, it might be possible to find it inside a domain server that would be synchronising users from time to time.

Admin Directory Sync: It allows you to synchronize users from AD and EntraID in a serverless process from https://admin.google.com/ac/sync/externaldirectories.

GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)