Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
NIST CSF 2.0
MITRE ATLAS
Overview
This skill covers Google Cloud Platform security testing using GCPBucketBrute for storage bucket enumeration and access permission testing, combined with gcloud CLI IAM enumeration to identify privilege escalation paths. The approach tests for publicly accessible buckets, overly permissive IAM bindings, and service account key exposure.
When to Use
- When conducting security assessments that involve performing gcp penetration testing with gcpbucketbrute
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Python 3.8+ with google-cloud-storage library
- GCPBucketBrute installed from RhinoSecurityLabs GitHub
- gcloud CLI authenticated with test credentials
- Authorized penetration testing scope for target GCP project
- google-api-python-client and google-auth libraries
Steps
- Enumerate Storage Buckets — Use GCPBucketBrute with keyword permutations to discover accessible GCP storage buckets
- Test Bucket Permissions — Call TestIamPermissions API on each discovered bucket to determine read/write/admin access levels
- Audit IAM Bindings — Enumerate project-level IAM policies to identify overly permissive role bindings
- Check Service Account Keys — Identify service accounts with user-managed keys and test for privilege escalation via impersonation
- Test Privilege Escalation Paths — Check for iam.serviceAccounts.actAs, setIamPolicy, and other privilege escalation vectors
- Generate Findings Report — Produce a structured security assessment with risk severity ratings
Expected Output
- JSON report of discovered buckets with permission levels
- IAM privilege escalation path analysis
- Service account security assessment
- Risk-scored findings with remediation recommendations
Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.3 KB
GCP Penetration Testing API Reference
GCPBucketBrute — Bucket Enumeration
# Install
git clone https://github.com/RhinoSecurityLabs/GCPBucketBrute.git
cd GCPBucketBrute
pip install -r requirements.txt
# Unauthenticated scan
python3 gcpbucketbrute.py -k company-name -u
# Authenticated with service account
python3 gcpbucketbrute.py -k company-name -f /path/to/service-account-key.json
# Authenticated with user account (uses default gcloud credentials)
python3 gcpbucketbrute.py -k company-name
# Custom subprocesses for speed
python3 gcpbucketbrute.py -k company-name -s 10Output columns: Bucket name | Exists | Public | Authenticated Access | Permissions
gcloud IAM Enumeration
# List all IAM bindings for a project
gcloud projects get-iam-policy PROJECT_ID --format=json
# List service accounts
gcloud iam service-accounts list --project PROJECT_ID --format=json
# List user-managed keys for a service account
gcloud iam service-accounts keys list \
--iam-account SA_EMAIL --managed-by=user --format=json
# Describe a role to see its permissions
gcloud iam roles describe roles/editor --format=json
# Test IAM permissions on a resource
gcloud asset search-all-iam-policies --scope=projects/PROJECT_ID \
--query="policy:allUsers OR policy:allAuthenticatedUsers"gsutil Bucket Permission Testing
# Check if bucket is listable
gsutil ls gs://target-bucket/
# Check bucket IAM policy
gcloud storage buckets get-iam-policy gs://target-bucket --format=json
# Test specific permissions
gsutil acl get gs://target-bucket/Privilege Escalation Permissions
Dangerous IAM permissions that enable privilege escalation:
| Permission | Risk |
|---|---|
iam.serviceAccounts.actAs |
Impersonate any SA |
iam.serviceAccountKeys.create |
Create keys for any SA |
resourcemanager.projects.setIamPolicy |
Grant yourself any role |
deploymentmanager.deployments.create |
Deploy as project SA |
cloudfunctions.functions.create |
Execute as function SA |
compute.instances.create |
Launch VM as any SA |
Google Cloud Storage Python Client
from google.cloud import storage
client = storage.Client()
bucket = client.bucket("target-bucket")
# Test permissions via testIamPermissions
permissions = bucket.test_iam_permissions(["storage.objects.list", "storage.objects.get"])Scripts 1
agent.py8.4 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""GCP penetration testing agent: bucket enumeration, IAM audit, privilege escalation analysis.
# For authorized testing only
"""
import json
import subprocess
import argparse
from datetime import datetime
BUCKET_PERMUTATIONS = [
"{keyword}", "{keyword}-dev", "{keyword}-staging", "{keyword}-prod",
"{keyword}-backup", "{keyword}-data", "{keyword}-logs", "{keyword}-assets",
"{keyword}-uploads", "{keyword}-internal", "{keyword}-private", "{keyword}-public",
"dev-{keyword}", "staging-{keyword}", "prod-{keyword}", "backup-{keyword}",
]
PRIV_ESC_PERMISSIONS = [
"iam.serviceAccounts.actAs",
"iam.serviceAccounts.getAccessToken",
"iam.serviceAccounts.implicitDelegation",
"iam.serviceAccounts.signBlob",
"iam.serviceAccounts.signJwt",
"iam.serviceAccountKeys.create",
"resourcemanager.projects.setIamPolicy",
"deploymentmanager.deployments.create",
"cloudfunctions.functions.create",
"cloudfunctions.functions.update",
"compute.instances.create",
"run.services.create",
]
def generate_bucket_names(keyword):
"""Generate bucket name permutations from a keyword."""
return [perm.format(keyword=keyword) for perm in BUCKET_PERMUTATIONS]
def check_bucket_exists(bucket_name):
"""Check if a GCS bucket exists and test access permissions."""
result = subprocess.run(
["gsutil", "ls", f"gs://{bucket_name}/"],
capture_output=True, text=True, timeout=15
)
if result.returncode == 0:
return {"exists": True, "accessible": True, "listing": result.stdout[:500]}
if "AccessDeniedException" in result.stderr:
return {"exists": True, "accessible": False, "error": "Access denied"}
return {"exists": False, "accessible": False}
def test_bucket_permissions(bucket_name):
"""Test IAM permissions on a discovered bucket using gsutil."""
permissions_to_test = [
"storage.objects.list", "storage.objects.get", "storage.objects.create",
"storage.objects.delete", "storage.buckets.getIamPolicy",
"storage.buckets.setIamPolicy",
]
result = subprocess.run(
["gcloud", "storage", "buckets", "get-iam-policy", f"gs://{bucket_name}",
"--format=json"],
capture_output=True, text=True, timeout=15
)
granted = []
if result.returncode == 0:
try:
policy = json.loads(result.stdout)
for binding in policy.get("bindings", []):
if "allUsers" in binding.get("members", []) or "allAuthenticatedUsers" in binding.get("members", []):
granted.append({
"role": binding["role"],
"members": binding["members"],
"severity": "critical",
})
except json.JSONDecodeError:
pass
return {"bucket": bucket_name, "public_bindings": granted}
def enumerate_iam_bindings(project_id):
"""Enumerate project-level IAM bindings for overly permissive roles."""
result = subprocess.run(
["gcloud", "projects", "get-iam-policy", project_id, "--format=json"],
capture_output=True, text=True, timeout=30
)
if result.returncode != 0:
return {"error": result.stderr[:200]}
policy = json.loads(result.stdout)
findings = []
risky_roles = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
"roles/iam.serviceAccountAdmin", "roles/storage.admin"}
for binding in policy.get("bindings", []):
if binding["role"] in risky_roles:
findings.append({
"role": binding["role"],
"members": binding["members"],
"member_count": len(binding["members"]),
"severity": "high",
"finding": "Overly permissive role binding",
})
return {"project": project_id, "risky_bindings": findings}
def check_service_account_keys(project_id):
"""Check for user-managed service account keys."""
result = subprocess.run(
["gcloud", "iam", "service-accounts", "list",
"--project", project_id, "--format=json"],
capture_output=True, text=True, timeout=20
)
if result.returncode != 0:
return {"error": result.stderr[:200]}
accounts = json.loads(result.stdout)
findings = []
for sa in accounts:
email = sa.get("email", "")
keys_result = subprocess.run(
["gcloud", "iam", "service-accounts", "keys", "list",
"--iam-account", email, "--format=json", "--managed-by=user"],
capture_output=True, text=True, timeout=15
)
if keys_result.returncode == 0:
keys = json.loads(keys_result.stdout)
if keys:
findings.append({
"service_account": email,
"user_managed_keys": len(keys),
"severity": "high",
"finding": "User-managed keys found (potential for key theft)",
})
return {"service_account_findings": findings}
def check_priv_esc_paths(project_id):
"""Check testable IAM permissions for privilege escalation vectors."""
result = subprocess.run(
["gcloud", "projects", "get-iam-policy", project_id, "--format=json"],
capture_output=True, text=True, timeout=20
)
if result.returncode != 0:
return []
policy = json.loads(result.stdout)
esc_findings = []
for binding in policy.get("bindings", []):
role = binding["role"]
role_result = subprocess.run(
["gcloud", "iam", "roles", "describe", role, "--format=json"],
capture_output=True, text=True, timeout=10
)
if role_result.returncode == 0:
role_info = json.loads(role_result.stdout)
perms = set(role_info.get("includedPermissions", []))
esc_perms = perms.intersection(PRIV_ESC_PERMISSIONS)
if esc_perms:
esc_findings.append({
"role": role,
"members": binding["members"],
"escalation_permissions": list(esc_perms),
"severity": "critical",
})
return esc_findings
def generate_report(buckets, iam_findings, sa_findings, esc_paths, keyword, project_id):
"""Generate GCP penetration test findings report."""
return {
"report_time": datetime.utcnow().isoformat(),
"target_keyword": keyword,
"target_project": project_id,
"bucket_enumeration": buckets,
"iam_audit": iam_findings,
"service_account_audit": sa_findings,
"privilege_escalation_paths": esc_paths,
"total_findings": (
len([b for b in buckets if b.get("exists")]) +
len(iam_findings.get("risky_bindings", [])) +
len(sa_findings.get("service_account_findings", [])) +
len(esc_paths)
),
}
def main():
parser = argparse.ArgumentParser(description="GCP Penetration Testing Agent")
parser.add_argument("--keyword", required=True, help="Keyword for bucket name permutation")
parser.add_argument("--project", help="GCP project ID for IAM audit")
parser.add_argument("--output", default="gcp_pentest_report.json")
parser.add_argument("--skip-buckets", action="store_true", help="Skip bucket enumeration")
args = parser.parse_args()
buckets = []
if not args.skip_buckets:
names = generate_bucket_names(args.keyword)
print(f"[*] Testing {len(names)} bucket permutations for '{args.keyword}'")
for name in names:
status = check_bucket_exists(name)
if status["exists"]:
perms = test_bucket_permissions(name)
status.update(perms)
buckets.append({"name": name, **status})
print(f" [!] Found: gs://{name} (accessible={status['accessible']})")
iam_findings, sa_findings, esc_paths = {}, {}, []
if args.project:
print(f"[*] Auditing IAM for project: {args.project}")
iam_findings = enumerate_iam_bindings(args.project)
sa_findings = check_service_account_keys(args.project)
esc_paths = check_priv_esc_paths(args.project)
report = generate_report(buckets, iam_findings, sa_findings, esc_paths, args.keyword, args.project)
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Report saved to {args.output} ({report['total_findings']} findings)")
if __name__ == "__main__":
main()
Keep exploring