4. Common Use Cases (Bruteforcing 9500 Permissions)
Before diving into the individual module descriptions, this covers some generic use cases. I assume most people will follow one of these workflows when using the tool :)
Try to enumerate everything. Good if there are spotty permissions/you're able to get some resources.
Step 1: Identify leaked credentials either through email/password, service account keys, or individual OAuth2 tokens.
Step 2: Load the credentials into GCPwn. Note the Authentication wiki demonstrates how to load these into GCPwn.
Step 3: Once loaded in, run `creds info` to observe that no permissions have been added to your user.
Step 4: Make sure the project is set to something other than 'None'. Note you might need to manually add the project via `projects set <project_id>` as described in the previous wiki article.
Step 5: With your creds loaded and project set, run `modules run enum_all --iam` and observe the results. See if any resources are found.
Step 6: Run `creds info` to see what permissions were successfully called during your run.
Step 7: Run `modules run process_iam_bindings --txt` if IAM bindings were identified in `enum_all` and review the output text file in Gathered Data to see the IAM summary.
Step 8: Run `modules run analyze_vulns --txt` to see if there are any IAM violations identified. This is still a bit in-progress so you can always manually check the txt output from `process_iam_bindings`.
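The per-member IAM summary and violation review from steps 7 and 8 can also be done by hand on any exported IAM policy. The following is an added example, not GCPwn's code or its rule set: the sample policy is constructed, and the flagged roles, severities and function names are assumptions chosen for illustration.

```python
import json
from collections import defaultdict
# Constructed sample in the standard IAM policy shape (bindings -> role/members).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:admin@example.com"]},
  {"role": "roles/editor", "members": ["serviceAccount:ci@demo-proj.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers", "user:dev@example.com"]},
  {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:dev@example.com"],
   "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
]}
""")

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
WRITE_BASIC_ROLES = {"roles/owner", "roles/editor"}
# Roles that let a member act as a service account (assumed review list, not exhaustive).
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator",
                       "roles/iam.serviceAccountUser", "roles/iam.serviceAccountKeyAdmin"}

def roles_by_member(policy):
    """Invert bindings into {member: sorted list of roles}."""
    out = defaultdict(set)
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            out[m].add(b["role"])
    return {m: sorted(r) for m, r in out.items()}

def findings(policy):
    """Return sorted (severity, member, role, reason) tuples for bindings to review."""
    found = []
    for b in policy.get("bindings", []):
        role, cond = b["role"], "condition" in b
        for m in b.get("members", []):
            if m in PUBLIC_MEMBERS:
                found.append(("high", m, role, "granted to a public principal"))
            if role in WRITE_BASIC_ROLES and m.startswith("serviceAccount:"):
                found.append(("high", m, role, "basic role on a service account"))
            elif role in WRITE_BASIC_ROLES:
                found.append(("medium", m, role, "basic role instead of a predefined one"))
            if role in IMPERSONATION_ROLES:
                # A conditional binding is narrower, so it is rated lower here.
                sev = "medium" if cond else "high"
                found.append((sev, m, role, "can act as service accounts"))
    return sorted(found)

if __name__ == "__main__":
    print(json.dumps(roles_by_member(SAMPLE_POLICY), indent=2))
    for f in findings(SAMPLE_POLICY):
        print(*f, sep=" | ")
```
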
Good if you have permissions that are not already covered by existing modules.
Step 1: Identify leaked credentials either through email/password, service account keys, or individual OAuth2 tokens.
Step 2: Load the credentials into GCPwn. Note the Authentication wiki demonstrates how to load these into GCPwn.
Step 3: Once loaded in, run `creds info` to observe that no permissions have been added to your user.
Step 4: Make sure the project is set to something other than 'None'. Note you might need to manually add the project via `projects set <project_id>` as described in the previous wiki article.
Step 5: With your creds loaded and project set, run `modules run enum_all --iam` and observe the results. See if any additional projects are found.
Step 6: Run `modules run enum_resources [--projects | --folders | --organizations] --iam --all-permissions`. This will brute force ~9500 INDIVIDUAL permissions for the project/folder/organizations (pass in none of those flags to run permissions on all of them).
Step 7: Run `creds info` and see what individual permissions you identified after the run. Note there is no way to check while the tool is running, but you can always open the tool again as a workaround and just keep running `creds info` as the other session runs to see what it collects.