-
Notifications
You must be signed in to change notification settings - Fork 28
Home
GCPwn is a Google Cloud offensive security assessment framework for workspace-driven credential handling, service enumeration, artifact collection, and graph-based attack-path analysis. It covers 44 GCP services plus Google Workspace (Cloud Identity + Admin SDK Directory), with a Cloud Asset Inventory pipeline and a BloodHound OpenGraph generator.
- Getting Started
- Authentication Reference
- Common Use Cases
- Workspace Instructions
- CLI Module Reference
- Downloads to Disk
- Data View/Export
- IAM Enumeration and Analysis Workflow
- OpenGraph Overview and Usage
- OpenGraph - Node/Edge Tables
- OpenGraph - Default Priv Escalation Mode
- OpenGraph - IAM Conditionals
- OpenGraph - Inheritance & Include-All
- OpenGraph - Add Your Own Content
Modules live under gcpwn/modules/ in four top-level areas:
-
gcp/— 40+ per-service directories (one folder per GCP service) holdingenumeration,exploit, andunauthenticatedmodules. -
workspace/— Google Workspace modules split by API:cloud_identity/(Cloud Identity groups/memberships/users),directory/(Admin SDK Directory: admin roles, org units, domains, mobile devices, OAuth tokens),groups_settings/,data_transfer/, andapps/drive/(the Google Drive data plane:enum_drive). -
everything/— cross-cutting modules:enum_all,enum_gcp,enum_google_workspace,enum_gcp_policy_bindings,exploit_gcp_setiampolicy,process_gcp_iam_bindings. -
opengraph/— the BloodHound OpenGraph generator (process_og_gcpwn_data,process_og_node_color_images).
These are Python namespace packages. Dotted module paths follow the folder
layout, e.g. gcpwn.modules.gcp.<service>.enumeration.enum_<service>. The
authoritative module list lives in gcpwn/mappings/module_mappings.json.
Alongside long-standing services (Compute, Cloud Storage, IAM, Resource Manager, Cloud Functions, Cloud Run, BigQuery, Pub/Sub, KMS, Secret Manager, GKE, Cloud SQL, and more), recent additions include:
- Cloud Scheduler, Cloud Workflows, Eventarc — surface the service account each job / workflow / trigger runs as (a priv-esc signal).
- Cloud Spanner, AlloyDB — database instances and nested databases/instances.
- Organization Policy — which guardrails (constraints) are enforced, so you can see which attack paths are blocked.
- Cloud Asset Inventory — opt-in org/folder/project pull of resources + IAM policies into the shared workspace tables (force-multiplier + fallback).
- Cloud Workstations, Cloud Billing, Cloud Shell.
- Cloud Logging — sinks (export destinations + writer SA), buckets, log names,
metrics, and on
--downloadrecent log entries. - Memorystore for Redis Cluster — a new
--clusterscomponent in the existing Memorystore module.
modules run enum_gcp --iam
modules run enum_gcp_policy_bindings --ensure-tree
modules run process_gcp_iam_bindings
modules run process_og_gcpwn_data --expand-inherited --reset --out Bloodhound_OutputExport collected data:
data export csv
data export json
data export excelIf your goal is custom attack-path modeling, go directly to OpenGraph - Add Your Own Content.
- Authentication Reference
- Workspace Instructions
- Google Workspace Enumeration
- CLI Module Reference
- Downloads to Disk
- Logging & Verbosity
- Data View/Export
- IAM Enumeration and Analysis Workflow
- Troubleshooting and FAQ