GCP - API Keys Enum

Reading time: 3 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Katika Google Cloud Platform (GCP), API keys ni mfuatano rahisi wa encrypted ambao unatambulisha programu bila principal yoyote. Zinatumika kufikia Google Cloud APIs ambazo hazihitaji muktadha wa mtumiaji. Hii ina maana kwamba mara nyingi zinatumika katika hali ambapo programu inapata data yake mwenyewe badala ya data za mtumiaji.

Restrictions

Unaweza kueka vizuizi kwa API keys kwa ajili ya usalama ulioimarishwa. Kwa mfano, unaweza kuzuia funguo kutumika tu na anwani fulani za IP, tovuti, programu za android, programu za iOS, au kuzuia kwa APIs au huduma fulani ndani ya GCP.

Enumeration

Inawezekana kuona vizuizi vya API key (ikiwemo vizuizi vya GCP API endpoints) kwa kutumia orodha ya vitenzi au kuelezea:

bash
gcloud services api-keys list
gcloud services api-keys describe <key-uuid>
gcloud services api-keys list --show-deleted

note

Inawezekana kurejesha funguo zilizofutwa kabla ya siku 30 kupita, ndiyo maana unaweza kuorodhesha funguo zilizofutwa.

Privilege Escalation & Post Exploitation

GCP - Apikeys Privesc

Unauthenticated Enum

GCP - API Keys Unauthenticated Enum

Persistence

GCP - API Keys Persistence

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks