GCP - API Keys Unauthenticated Enum

Jifunze na zoezi la Udukuzi wa AWS:Mafunzo ya HackTricks ya Mtaalam wa Timu Nyekundu ya AWS (ARTE) Jifunze na zoezi la Udukuzi wa GCP: Mafunzo ya HackTricks ya Mtaalam wa Timu Nyekundu ya GCP (GRTE)

unga mkono HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

API Keys

Kwa habari zaidi kuhusu API Keys angalia:

GCP - API Keys Enum

Mbinu za OSINT

Google API Keys hutumiwa sana na aina yoyote ya programu inayotumia upande wa mteja. Ni kawaida kuzipata kwenye msimbo wa chanzo wa tovuti au ombi la mtandao, kwenye programu za simu au tu kwa kutafuta regex kwenye majukwaa kama Github.

Regex ni: AIza[0-9A-Za-z_-]{35}

Tafuta kwa mfano kwenye Github kwa kufuata: https://github.com/search?q=%2FAIza%5B0-9A-Za-z_-%5D%7B35%7D%2F&type=code&ref=advsearch

Angalia asili ya mradi wa GCP - `apikeys.keys.lookup`

Hii ni muhimu sana kuchunguza mradi wa GCP ambao funguo ya API uliyoipata inamilikiwa na:

# If you have permissions
gcloud services api-keys lookup AIzaSyD[...]uE8Y
name: projects/5[...]6/locations/global/keys/28d[...]e0e
parent: projects/5[...]6/locations/global

# If you don't, you can still see the project ID in the error msg
gcloud services api-keys lookup AIzaSy[...]Qbkd_oYE
ERROR: (gcloud.services.api-keys.lookup) PERMISSION_DENIED: Permission 'apikeys.keys.lookup' denied on resource project.
Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu4VnPc5IbA6JrQN83CkGH6nNLum6wS4j1HF_7HiCUBHVN
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
violations:
- subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.apiKeys.getProjectForKey&resource=projects/89123452509
type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
domain: apikeys.googleapis.com
metadata:
permission: serviceusage.apiKeys.getProjectForKey
resource: projects/89123452509
service: cloudresourcemanager.googleapis.com
reason: AUTH_PERMISSION_DENIED

Kufanya nguvu API endspoints

Kwa kuwa huenda usijue ni APIs zipi zimeanzishwa katika mradi, itakuwa ya kuvutia kukimbia zana https://github.com/ozguralp/gmapsapiscanner na kuchunguza unaweza kupata nini kwa kutumia ufunguo wa API.

PreviousGCP - Unauthenticated Enum & Access NextGCP - App Engine Unauthenticated Enum

Last updated 1 month ago

API Keys

Mbinu za OSINT

Angalia asili ya mradi wa GCP - apikeys.keys.lookup

Kufanya nguvu API endspoints

Angalia asili ya mradi wa GCP - `apikeys.keys.lookup`