mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-23 07:29:04 -08:00
Migrate to using mdbook
@@ -0,0 +1,144 @@
# GCP - Permissions for a Pentest

If you want to pentest a GCP environment you need to ask for enough permissions to **check all or most of the services** used in **GCP**. Ideally, you should ask the client to create:

* **Create** a new **project**
* **Create** a **Service Account** inside that project (get **json credentials**) or create a **new user**.
* **Give** the **Service account** or the **user** the **roles** mentioned later over the ORGANIZATION
* **Enable** the **APIs** mentioned later in this post in the created project

**Set of permissions** to use the tools proposed later:

```bash
roles/viewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
```

APIs to enable (from starbase):

```
gcloud services enable \
serviceusage.googleapis.com \
cloudfunctions.googleapis.com \
storage.googleapis.com \
iam.googleapis.com \
cloudresourcemanager.googleapis.com \
compute.googleapis.com \
cloudkms.googleapis.com \
sqladmin.googleapis.com \
bigquery.googleapis.com \
container.googleapis.com \
dns.googleapis.com \
logging.googleapis.com \
monitoring.googleapis.com \
binaryauthorization.googleapis.com \
pubsub.googleapis.com \
appengine.googleapis.com \
run.googleapis.com \
redis.googleapis.com \
memcache.googleapis.com \
apigateway.googleapis.com \
spanner.googleapis.com \
privateca.googleapis.com \
cloudasset.googleapis.com \
accesscontextmanager.googleapis.com
```

## Individual tools permissions

### [PurplePanda](https://github.com/carlospolop/PurplePanda/tree/master/intel/google)

```
From https://github.com/carlospolop/PurplePanda/tree/master/intel/google#permissions-configuration

roles/bigquery.metadataViewer
roles/composer.user
roles/compute.viewer
roles/container.clusterViewer
roles/iam.securityReviewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/secretmanager.viewer
```

### [ScoutSuite](https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions)

```
From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions

roles/Viewer
roles/iam.securityReviewer
roles/stackdriver.accounts.viewer
```

### [CloudSploit](https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration)

```
From https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration

includedPermissions:
- cloudasset.assets.listResource
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- cloudsql.instances.list
- cloudsql.users.list
- compute.autoscalers.list
- compute.backendServices.list
- compute.disks.list
- compute.firewalls.list
- compute.healthChecks.list
- compute.instanceGroups.list
- compute.instances.getIamPolicy
- compute.instances.list
- compute.networks.list
- compute.projects.get
- compute.securityPolicies.list
- compute.subnetworks.list
- compute.targetHttpProxies.list
- container.clusters.list
- dns.managedZones.list
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- logging.logMetrics.list
- logging.sinks.list
- monitoring.alertPolicies.list
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.resourceTagBindings.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.list
- storage.buckets.getIamPolicy
- storage.buckets.list
```

### [Cartography](https://lyft.github.io/cartography/modules/gcp/config.html)

```
From https://lyft.github.io/cartography/modules/gcp/config.html

roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer
```

### [Starbase](https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md)

```
From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md

roles/iam.securityReviewer
roles/iam.organizationRoleViewer
roles/bigquery.metadataViewer
```
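Review bot: the consolidated **Set of permissions** block (`roles/viewer`, `roles/resourcemanager.folderViewer`, `roles/resourcemanager.organizationViewer`) is presented as enough "to use the tools proposed later", but every per-tool section below asks for roles that block does not list: `roles/iam.securityReviewer` appears under PurplePanda, ScoutSuite, Cartography and Starbase, PurplePanda also wants `roles/bigquery.metadataViewer`, `roles/composer.user`, `roles/container.clusterViewer` and `roles/secretmanager.viewer`, Starbase wants `roles/iam.organizationRoleViewer`, and CloudSploit expects a custom role built from the `includedPermissions` list. Either say that the three-role set is a baseline and the tool-specific roles are granted on top of it, or fold them into the first block, so a reader does not ask the client for a grant the quoted tool docs say is insufficient. Two smaller points: the ScoutSuite block says `roles/Viewer` while the first block says `roles/viewer`; IAM role IDs are case-sensitive and the basic role is `roles/viewer`, so the capitalised spelling will not match it. And only the first fence carries a language tag (```bash); the `gcloud services enable` block and the five role lists are untagged, and the `From https://...` attribution lines inside those fences would read better as a sentence above each fence than as the first line of the code block.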