Recreating repository history for branch master

pentesting-cloud/workspace-security/README.md

@@ -0,0 +1,99 @@
+# GWS - Workspace Pentesting
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
+
+## Entry Points
+
+### Google Platforms and OAuth Apps Phishing
+
+Check how you could use different Google platforms such as Drive, Chat, Groups... to send the victim a phishing link and how to perform a Google OAuth Phishing in:
+
+{% content-ref url="gws-google-platforms-phishing/" %}
+[gws-google-platforms-phishing](gws-google-platforms-phishing/)
+{% endcontent-ref %}
+
+### Password Spraying
+
+In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you could use a tool like [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) (although it looks unmaintained) which will use AWS lambdas to change IP address.
+
+## Post-Exploitation
+
+If you have compromised some credentials or the session of the user you can perform several actions to access potential sensitive information of the user and to try to escala privileges:
+
+{% content-ref url="gws-post-exploitation.md" %}
+[gws-post-exploitation.md](gws-post-exploitation.md)
+{% endcontent-ref %}
+
+### GWS <-->GCP Pivoting
+
+Read more about the different techniques to pivot between GWS and GCP in:
+
+{% content-ref url="../gcp-security/gcp-to-workspace-pivoting/" %}
+[gcp-to-workspace-pivoting](../gcp-security/gcp-to-workspace-pivoting/)
+{% endcontent-ref %}
+
+## GWS <--> GCPW | GCDS | Directory Sync (AD & EntraID)
+
+* **GCPW (Google Credential Provider for Windows)**: This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will **store tokens to access Google Workspace** in some places in the PC.
+* **GCDS (Google CLoud DIrectory Sync)**: This is a tool that can be used to **sync your active directory users and groups to your Workspace**. The tool requires the **credentials of a Workspace superuser and privileged AD user**. So, it might be possible to find it inside a domain server that would be synchronising users from time to time.
+* **Admin Directory Sync**: It allows you to synchronize users from AD and EntraID in a serverless process from [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories).
+
+{% content-ref url="gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/" %}
+[gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid](gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/)
+{% endcontent-ref %}
+
+## Persistence
+
+If you have compromised some credentials or the session of the user check these options to maintain persistence over it:
+
+{% content-ref url="gws-persistence.md" %}
+[gws-persistence.md](gws-persistence.md)
+{% endcontent-ref %}
+
+## Account Compromised Recovery
+
+* Log out of all sessions
+* Change user password
+* Generate new 2FA backup codes
+* Remove App passwords
+* Remove OAuth apps
+* Remove 2FA devices
+* Remove email forwarders
+* Remove emails filters
+* Remove recovery email/phones
+* Removed malicious synced smartphones
+* Remove bad Android Apps
+* Remove bad account delegations
+
+## References
+
+* [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
+* [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}