cloud security

Performing GCP Penetration Testing with GCPBucketBrute

Perform GCP security testing using GCPBucketBrute for storage bucket enumeration, gcloud IAM privilege escalation path analysis, and service account permission auditing

bucket-enumerationcloud-pentestinggcpgcpbucketbruteiam-auditprivilege-escalation
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

This skill covers Google Cloud Platform security testing using GCPBucketBrute for storage bucket enumeration and access permission testing, combined with gcloud CLI IAM enumeration to identify privilege escalation paths. The approach tests for publicly accessible buckets, overly permissive IAM bindings, and service account key exposure.

When to Use

  • When conducting security assessments that involve performing gcp penetration testing with gcpbucketbrute
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Python 3.8+ with google-cloud-storage library
  • GCPBucketBrute installed from RhinoSecurityLabs GitHub
  • gcloud CLI authenticated with test credentials
  • Authorized penetration testing scope for target GCP project
  • google-api-python-client and google-auth libraries

Steps

  1. Enumerate Storage Buckets — Use GCPBucketBrute with keyword permutations to discover accessible GCP storage buckets
  2. Test Bucket Permissions — Call TestIamPermissions API on each discovered bucket to determine read/write/admin access levels
  3. Audit IAM Bindings — Enumerate project-level IAM policies to identify overly permissive role bindings
  4. Check Service Account Keys — Identify service accounts with user-managed keys and test for privilege escalation via impersonation
  5. Test Privilege Escalation Paths — Check for iam.serviceAccounts.actAs, setIamPolicy, and other privilege escalation vectors
  6. Generate Findings Report — Produce a structured security assessment with risk severity ratings

Expected Output

  • JSON report of discovered buckets with permission levels
  • IAM privilege escalation path analysis
  • Service account security assessment
  • Risk-scored findings with remediation recommendations
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.3 KB

GCP Penetration Testing API Reference

GCPBucketBrute — Bucket Enumeration

# Install
git clone https://github.com/RhinoSecurityLabs/GCPBucketBrute.git
cd GCPBucketBrute
pip install -r requirements.txt
 
# Unauthenticated scan
python3 gcpbucketbrute.py -k company-name -u
 
# Authenticated with service account
python3 gcpbucketbrute.py -k company-name -f /path/to/service-account-key.json
 
# Authenticated with user account (uses default gcloud credentials)
python3 gcpbucketbrute.py -k company-name
 
# Custom subprocesses for speed
python3 gcpbucketbrute.py -k company-name -s 10

Output columns: Bucket name | Exists | Public | Authenticated Access | Permissions

gcloud IAM Enumeration

# List all IAM bindings for a project
gcloud projects get-iam-policy PROJECT_ID --format=json
 
# List service accounts
gcloud iam service-accounts list --project PROJECT_ID --format=json
 
# List user-managed keys for a service account
gcloud iam service-accounts keys list \
  --iam-account SA_EMAIL --managed-by=user --format=json
 
# Describe a role to see its permissions
gcloud iam roles describe roles/editor --format=json
 
# Test IAM permissions on a resource
gcloud asset search-all-iam-policies --scope=projects/PROJECT_ID \
  --query="policy:allUsers OR policy:allAuthenticatedUsers"

gsutil Bucket Permission Testing

# Check if bucket is listable
gsutil ls gs://target-bucket/
 
# Check bucket IAM policy
gcloud storage buckets get-iam-policy gs://target-bucket --format=json
 
# Test specific permissions
gsutil acl get gs://target-bucket/

Privilege Escalation Permissions

Dangerous IAM permissions that enable privilege escalation:

Permission Risk
iam.serviceAccounts.actAs Impersonate any SA
iam.serviceAccountKeys.create Create keys for any SA
resourcemanager.projects.setIamPolicy Grant yourself any role
deploymentmanager.deployments.create Deploy as project SA
cloudfunctions.functions.create Execute as function SA
compute.instances.create Launch VM as any SA

Google Cloud Storage Python Client

from google.cloud import storage
 
client = storage.Client()
bucket = client.bucket("target-bucket")
# Test permissions via testIamPermissions
permissions = bucket.test_iam_permissions(["storage.objects.list", "storage.objects.get"])

Scripts 1

agent.py8.4 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""GCP penetration testing agent: bucket enumeration, IAM audit, privilege escalation analysis.
# For authorized testing only
"""

import json
import subprocess
import argparse
from datetime import datetime

BUCKET_PERMUTATIONS = [
    "{keyword}", "{keyword}-dev", "{keyword}-staging", "{keyword}-prod",
    "{keyword}-backup", "{keyword}-data", "{keyword}-logs", "{keyword}-assets",
    "{keyword}-uploads", "{keyword}-internal", "{keyword}-private", "{keyword}-public",
    "dev-{keyword}", "staging-{keyword}", "prod-{keyword}", "backup-{keyword}",
]

PRIV_ESC_PERMISSIONS = [
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.implicitDelegation",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
    "iam.serviceAccountKeys.create",
    "resourcemanager.projects.setIamPolicy",
    "deploymentmanager.deployments.create",
    "cloudfunctions.functions.create",
    "cloudfunctions.functions.update",
    "compute.instances.create",
    "run.services.create",
]


def generate_bucket_names(keyword):
    """Generate bucket name permutations from a keyword."""
    return [perm.format(keyword=keyword) for perm in BUCKET_PERMUTATIONS]


def check_bucket_exists(bucket_name):
    """Check if a GCS bucket exists and test access permissions."""
    result = subprocess.run(
        ["gsutil", "ls", f"gs://{bucket_name}/"],
        capture_output=True, text=True, timeout=15
    )
    if result.returncode == 0:
        return {"exists": True, "accessible": True, "listing": result.stdout[:500]}
    if "AccessDeniedException" in result.stderr:
        return {"exists": True, "accessible": False, "error": "Access denied"}
    return {"exists": False, "accessible": False}


def test_bucket_permissions(bucket_name):
    """Test IAM permissions on a discovered bucket using gsutil."""
    permissions_to_test = [
        "storage.objects.list", "storage.objects.get", "storage.objects.create",
        "storage.objects.delete", "storage.buckets.getIamPolicy",
        "storage.buckets.setIamPolicy",
    ]
    result = subprocess.run(
        ["gcloud", "storage", "buckets", "get-iam-policy", f"gs://{bucket_name}",
         "--format=json"],
        capture_output=True, text=True, timeout=15
    )
    granted = []
    if result.returncode == 0:
        try:
            policy = json.loads(result.stdout)
            for binding in policy.get("bindings", []):
                if "allUsers" in binding.get("members", []) or "allAuthenticatedUsers" in binding.get("members", []):
                    granted.append({
                        "role": binding["role"],
                        "members": binding["members"],
                        "severity": "critical",
                    })
        except json.JSONDecodeError:
            pass
    return {"bucket": bucket_name, "public_bindings": granted}


def enumerate_iam_bindings(project_id):
    """Enumerate project-level IAM bindings for overly permissive roles."""
    result = subprocess.run(
        ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"],
        capture_output=True, text=True, timeout=30
    )
    if result.returncode != 0:
        return {"error": result.stderr[:200]}
    policy = json.loads(result.stdout)
    findings = []
    risky_roles = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                   "roles/iam.serviceAccountAdmin", "roles/storage.admin"}
    for binding in policy.get("bindings", []):
        if binding["role"] in risky_roles:
            findings.append({
                "role": binding["role"],
                "members": binding["members"],
                "member_count": len(binding["members"]),
                "severity": "high",
                "finding": "Overly permissive role binding",
            })
    return {"project": project_id, "risky_bindings": findings}


def check_service_account_keys(project_id):
    """Check for user-managed service account keys."""
    result = subprocess.run(
        ["gcloud", "iam", "service-accounts", "list",
         "--project", project_id, "--format=json"],
        capture_output=True, text=True, timeout=20
    )
    if result.returncode != 0:
        return {"error": result.stderr[:200]}
    accounts = json.loads(result.stdout)
    findings = []
    for sa in accounts:
        email = sa.get("email", "")
        keys_result = subprocess.run(
            ["gcloud", "iam", "service-accounts", "keys", "list",
             "--iam-account", email, "--format=json", "--managed-by=user"],
            capture_output=True, text=True, timeout=15
        )
        if keys_result.returncode == 0:
            keys = json.loads(keys_result.stdout)
            if keys:
                findings.append({
                    "service_account": email,
                    "user_managed_keys": len(keys),
                    "severity": "high",
                    "finding": "User-managed keys found (potential for key theft)",
                })
    return {"service_account_findings": findings}


def check_priv_esc_paths(project_id):
    """Check testable IAM permissions for privilege escalation vectors."""
    result = subprocess.run(
        ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"],
        capture_output=True, text=True, timeout=20
    )
    if result.returncode != 0:
        return []
    policy = json.loads(result.stdout)
    esc_findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        role_result = subprocess.run(
            ["gcloud", "iam", "roles", "describe", role, "--format=json"],
            capture_output=True, text=True, timeout=10
        )
        if role_result.returncode == 0:
            role_info = json.loads(role_result.stdout)
            perms = set(role_info.get("includedPermissions", []))
            esc_perms = perms.intersection(PRIV_ESC_PERMISSIONS)
            if esc_perms:
                esc_findings.append({
                    "role": role,
                    "members": binding["members"],
                    "escalation_permissions": list(esc_perms),
                    "severity": "critical",
                })
    return esc_findings


def generate_report(buckets, iam_findings, sa_findings, esc_paths, keyword, project_id):
    """Generate GCP penetration test findings report."""
    return {
        "report_time": datetime.utcnow().isoformat(),
        "target_keyword": keyword,
        "target_project": project_id,
        "bucket_enumeration": buckets,
        "iam_audit": iam_findings,
        "service_account_audit": sa_findings,
        "privilege_escalation_paths": esc_paths,
        "total_findings": (
            len([b for b in buckets if b.get("exists")]) +
            len(iam_findings.get("risky_bindings", [])) +
            len(sa_findings.get("service_account_findings", [])) +
            len(esc_paths)
        ),
    }


def main():
    parser = argparse.ArgumentParser(description="GCP Penetration Testing Agent")
    parser.add_argument("--keyword", required=True, help="Keyword for bucket name permutation")
    parser.add_argument("--project", help="GCP project ID for IAM audit")
    parser.add_argument("--output", default="gcp_pentest_report.json")
    parser.add_argument("--skip-buckets", action="store_true", help="Skip bucket enumeration")
    args = parser.parse_args()

    buckets = []
    if not args.skip_buckets:
        names = generate_bucket_names(args.keyword)
        print(f"[*] Testing {len(names)} bucket permutations for '{args.keyword}'")
        for name in names:
            status = check_bucket_exists(name)
            if status["exists"]:
                perms = test_bucket_permissions(name)
                status.update(perms)
                buckets.append({"name": name, **status})
                print(f"  [!] Found: gs://{name} (accessible={status['accessible']})")

    iam_findings, sa_findings, esc_paths = {}, {}, []
    if args.project:
        print(f"[*] Auditing IAM for project: {args.project}")
        iam_findings = enumerate_iam_bindings(args.project)
        sa_findings = check_service_account_keys(args.project)
        esc_paths = check_priv_esc_paths(args.project)

    report = generate_report(buckets, iam_findings, sa_findings, esc_paths, args.keyword, args.project)
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    print(f"[+] Report saved to {args.output} ({report['total_findings']} findings)")


if __name__ == "__main__":
    main()
Keep exploring