GCP Unauthenticated attacks

cloudbrute

Link: https://github.com/0xsha/CloudBrute

Example:

./cloudbrute -d REDACTED.com -k REDACTED -t 80 -m app -w ./data/storage_large.txt -c google -o out2.txt
 ██████╗██╗      ██████╗ ██╗   ██╗██████╗ ██████╗ ██████╗ ██╗   ██╗████████╗███████╗
██╔════╝██║     ██╔═══██╗██║   ██║██╔══██╗██╔══██╗██╔══██╗██║   ██║╚══██╔══╝██╔════╝
██║     ██║     ██║   ██║██║   ██║██║  ██║██████╔╝██████╔╝██║   ██║   ██║   █████╗
██║     ██║     ██║   ██║██║   ██║██║  ██║██╔══██╗██╔══██╗██║   ██║   ██║   ██╔══╝
╚██████╗███████╗╚██████╔╝╚██████╔╝██████╔╝██████╔╝██║  ██║╚██████╔╝   ██║   ███████╗
 ╚═════╝╚══════╝ ╚═════╝  ╚═════╝ ╚═════╝ ╚═════╝ ╚═╝  ╚═╝ ╚═════╝    ╚═╝   ╚══════╝
						V 1.0.7
11:48AM INF Detect config path: config/config.yaml
11:48AM INF Detect provider path: config/modules
11:48AM INF Initialized scan config
11:48AM INF google detected
11:48AM INF Initialized google config
 6650 / 64557 [============>---------------------------------------------------------------------------------------------------------------]  10.30% 01m01s11:48AM WRN 500: Server Error - REDACTEDMOBILE.appspot.com
 6883 / 64557 [=============>--------------------------------------------------------------------------------------------------------------]  10.66% 01m00s11:48AM WRN 500: Server Error - REDACTEDMobile.appspot.com
11:48AM INF 200: Open - REDACTED-Microsite.appspot.com
 8858 / 64557 [=================>----------------------------------------------------------------------------------------------------------]  13.72% 00m56s11:48AM INF 200: Open - REDACTEDSB.appspot.com
 30777 / 64557 [==========================================================>----------------------------------------------------------------]  47.67% 00m32s11:48AM WRN 500: Server Error - REDACTEDfy.appspot.com
 40649 / 64557 [=============================================================================>---------------------------------------------]  62.97% 00m22s11:48AM INF 200: Open - REDACTED-microsite.appspot.com
11:48AM WRN 500: Server Error - REDACTEDmobile.appspot.com
 47621 / 64557 [==========================================================================================>--------------------------------]  73.77% 00m16s11:49AM WRN 500: Server Error - REDACTED-premier.appspot.com
 52277 / 64557 [===================================================================================================>-----------------------]  80.98% 00m11s11:49AM INF 200: Open - REDACTEDsb.appspot.com
 58432 / 64557 [===============================================================================================================>-----------]  90.51% 00m05s11:49AM WRN 500: Server Error - REDACTEDtor.appspot.com
 62990 / 64557 [========================================================================================================================>--]  97.57% 00m01s11:49AM INF 200: Open - REDACTED-test1.appspot.com
 64557 / 64557 [=============================================================================================================================] 100.00% 1m1s

cloud_enum

https://github.com/initstring/cloud_enum

Example:

┌──(iron㉿John-Desktop)-[/opt/cloud_enum]
└─$ ./cloud_enum.py -k REDACTED --disable-azure --disable-aws

##########################
        cloud_enum
   github.com/initstring
##########################

Keywords:    REDACTED
Mutations:   /opt/cloud_enum/enum_tools/fuzz.txt
Brute-list:  /opt/cloud_enum/enum_tools/fuzz.txt

[+] Mutations list imported: 242 items
[+] Mutated results: 1453 items

++++++++++++++++++++++++++
      google checks
++++++++++++++++++++++++++

[+] Checking for Google buckets
  Protected Google Bucket: <http://storage.googleapis.com/REDACTED>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTED1>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTEDbucket>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTED-bucket>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTED-dev>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTEDhub>
  OPEN GOOGLE BUCKET: <http://storage.googleapis.com/REDACTED-mobile>
      FILES:
      -><http://storage.googleapis.com/REDACTED-mobile/REDACTED-mobile>
      -><http://storage.googleapis.com/REDACTED-mobile/REDACTED>
      -><http://storage.googleapis.com/REDACTED-mobile/tests/>
      -><http://storage.googleapis.com/REDACTED-mobile/tests/2022-01-15/>
      -><http://storage.googleapis.com/REDACTED-mobile/tests/2022-01-15/REDACTED.14>
      -><http://storage.googleapis.com/REDACTED-mobile/tests/2022-01-15/test.1>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTED-packages>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTED-pics>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTED-prod>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTEDtest>
  Protected Google Bucket: <http://storage.googleapis.com/REDACTED-test>
                            
 Elapsed time: 00:02:53

[+] Checking for Google Firebase Realtime Databases
  Protected Google Firebase RTDB: <https://REDACTED-beta.firebaseio.com/.json>
    Unknown status codes being received from <https://REDACTED-es.firebaseio.com/.json:>
       {reply.status_code}: {reply.reason}
    Unknown status codes being received from <https://REDACTED-production.firebaseio.com/.json:>
       {reply.status_code}: {reply.reason}
  Protected Google Firebase RTDB: <https://REDACTED-qa.firebaseio.com/.json>
    Unknown status codes being received from <https://REDACTED-staging.firebaseio.com/.json:>
       {reply.status_code}: {reply.reason}
    Unknown status codes being received from <https://test-REDACTED.firebaseio.com/.json:>
       {reply.status_code}: {reply.reason}
                            
 Elapsed time: 00:01:44

[+] Checking for Google App Engine apps
    Unknown status codes being received from <http://REDACTEDmobile.appspot.com/:>
       {reply.status_code}: {reply.reason}
                            
 Elapsed time: 00:00:26

[+] Checking for project/zones with Google Cloud Functions.
[*] Testing across 1 regions defined in the config file
                            
 Elapsed time: 00:01:08

[+] All done, happy hacking!

GCPBucketBrute

Link: https://github.com/RhinoSecurityLabs/GCPBucketBrute

Example:

─$ sudo python3 gcpbucketbrute.py -k REDACTED
No credential file passed in, enter an access token to authenticate? (y/n) n
No credential file passed in and no access token entered, use the default credentials? (y/n) n

No authentication method selected. Only performing unauthenticated enumeration.

Generated 1216 bucket permutations.

    EXISTS: REDACTED-dev
    EXISTS: REDACTED1
    EXISTS: REDACTED-pics
    EXISTS: REDACTED_public
    EXISTS: REDACTED
    EXISTS: REDACTEDtest
    EXISTS: training_REDACTED
    EXISTS: REDACTED-bucket
    EXISTS: REDACTED-prod
    EXISTS: REDACTED-packages

    UNAUTHENTICATED ACCESS ALLOWED: REDACTED-mobile
        - UNAUTHENTICATED LISTABLE (storage.objects.list)
        - UNAUTHENTICATED READABLE (storage.objects.get)
        - ALL PERMISSIONS:
            [
                "storage.objects.get",
                "storage.objects.list"
            ]

    EXISTS: test_REDACTED
    EXISTS: REDACTEDhub
    EXISTS: REDACTED_dev
    EXISTS: REDACTED-test
    EXISTS: REDACTEDbucket
    EXISTS: REDACTED_2

Scanned 1216 potential buckets in 1 minute(s) and 52 second(s).

Gracefully exiting!