• ✨Always Use Forum Private Messages PM For Deal With Vendors✨

    Admin Contacts Jabber: megiddo@jabber.sk Telegram: @Megiddo1

Gcpbucketbrute - A Script To Enumerate Google Storage Bucket, Determine What Access You Have To Them

✨ DeeZNuTz

✨ Master ✨
Staff member
Joined
May 15, 2017
Messages
982
Likes
760
Points
1,045
Google-Cloud-Storage.png


A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.
  • This script (optionally) accepts GCP user/service account credentials and a keyword.
  • Then, a list of permutations will be generated from that keyword which will then be used to scan for the existence of Google Storage buckets with those names.
  • If credentials are supplied, the majority of enumeration will still be performed while unauthenticated, but for any bucket that is discovered via unauthenticated enumeration, it will attempt to enumerate the bucket permissions using the TestIamPermissions API with the supplied credentials. This will help find buckets that are accessible while authenticated, but not while unauthenticated.
  • Regardless if credentials are supplied or not, the script will then try to enumerate the bucket permissions using the TestIamPermissions API while unauthenticated. This means that if you don't enter credentials, you will only be shown the privileges an unauthenticated user has, but if you do enter credentials, you will see what access authenticated users have compared to unauthenticated users.
  • WARNING: If credentials are supplied, your username can be disclosed in the access logs of any buckets you discover.
TL;DR Summary
  • Given a keyword, this script enumerates Google Storage buckets based on a number of permutations generated from the keyword.
  • Then, any discovered bucket will be output.
  • Then, any permissions that you are granted (if any) to any discovered bucket will be output.
  • Then the script will check those privileges for privilege escalation (storage.buckets.setIamPolicy) and will output anything interesting (such as publicly listable, publicly writable, authenticated listable, privilege escalation, etc).
Requirements
  • Linux/OS XWindows only works for unauthenticated scans. Something is wrong with how the script uses the subprocess module in that it fails when using an authenticated Google client.
  • Python3
  • Pip3
Download GCPBucketBrute
 
Top Bottom