HackTricks CloudGCP - Permessi per un Pentest
Reading time: 1 minute
Se vuoi pentestare un ambiente GCP, devi richiedere abbastanza permessi per controllare tutti o la maggior parte dei servizi utilizzati in GCP. Idealmente, dovresti chiedere al cliente di creare:
- Creare un nuovo progetto
- Creare un Service Account all'interno di quel progetto (ottenere credenziali json) o creare un nuovo utente.
- Dare al Service account o all'utente i ruoli menzionati successivamente sull'ORGANIZZAZIONE
- Abilitare le API menzionate successivamente in questo post nel progetto creato
Set di permessi per utilizzare gli strumenti proposti successivamente:
bash
roles/viewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
API da abilitare (da starbase):
gcloud services enable \
serviceusage.googleapis.com \
cloudfunctions.googleapis.com \
storage.googleapis.com \
iam.googleapis.com \
cloudresourcemanager.googleapis.com \
compute.googleapis.com \
cloudkms.googleapis.com \
sqladmin.googleapis.com \
bigquery.googleapis.com \
container.googleapis.com \
dns.googleapis.com \
logging.googleapis.com \
monitoring.googleapis.com \
binaryauthorization.googleapis.com \
pubsub.googleapis.com \
appengine.googleapis.com \
run.googleapis.com \
redis.googleapis.com \
memcache.googleapis.com \
apigateway.googleapis.com \
spanner.googleapis.com \
privateca.googleapis.com \
cloudasset.googleapis.com \
accesscontextmanager.googleapis.com
Permessi degli strumenti individuali
PurplePanda
From https://github.com/carlospolop/PurplePanda/tree/master/intel/google#permissions-configuration
roles/bigquery.metadataViewer
roles/composer.user
roles/compute.viewer
roles/container.clusterViewer
roles/iam.securityReviewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/secretmanager.viewer
ScoutSuite
From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions
roles/Viewer
roles/iam.securityReviewer
roles/stackdriver.accounts.viewer
CloudSploit
From https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration
includedPermissions:
- cloudasset.assets.listResource
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- cloudsql.instances.list
- cloudsql.users.list
- compute.autoscalers.list
- compute.backendServices.list
- compute.disks.list
- compute.firewalls.list
- compute.healthChecks.list
- compute.instanceGroups.list
- compute.instances.getIamPolicy
- compute.instances.list
- compute.networks.list
- compute.projects.get
- compute.securityPolicies.list
- compute.subnetworks.list
- compute.targetHttpProxies.list
- container.clusters.list
- dns.managedZones.list
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- logging.logMetrics.list
- logging.sinks.list
- monitoring.alertPolicies.list
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.resourceTagBindings.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.list
- storage.buckets.getIamPolicy
- storage.buckets.list
Cartografia
From https://lyft.github.io/cartography/modules/gcp/config.html
roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer
Starbase
From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
roles/iam.securityReviewer
roles/iam.organizationRoleViewer
roles/bigquery.metadataViewer