-
Notifications
You must be signed in to change notification settings - Fork 28
Getting Started
- Python
3.11+ pip
-
gcloudCLI
Used for ADC-based authentication workflows (ex.gcloud auth login). -
prettytable
Enables table-formatted terminal output mode rather than just txt stdout. -
xlsxwriter
Enables Excel (.xlsx) export support (ex.data export excel).
Choose the install option that fits your workflow. GCPwn stores collected data in local SQLite databases, and the database path depends on how you installed the tool.
If you want a clean reset, remove the databases/ directory (ex. rm -r databases) for your install location.
Downloaded artifacts and exports are written under gcpwn_output/ in the runtime location (or the mounted output path in Docker).
git clone https://github.com/NetSPI/gcpwn.git
cd gcpwn
python3 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txtOptional extras:
pip install prettytable==3.17.0
pip install xlsxwriter==3.2.9Run:
python -m gcpwnDatabase location for this option:
-
./databases/(inside the clonedgcpwnfolder) - Example:
./databases/gcpwn.db
pip3 install gcpwnOptional extras:
pip3 install "gcpwn[table]"
pip3 install "gcpwn[excel]"
pip3 install "gcpwn[table,excel]"Run:
gcpwnIf the shell cannot find gcpwn:
python -m gcpwnDatabase location for this option:
- Under your home directory at
~/.gcpwn/databases/(site-packages is read-only, so GCPwn writes its data there) - Quick path check:
python -c "from gcpwn.core.db import DataController as D; print(D.database_path)"Download a release binary from GitHub Releases:
Use the binary asset that matches your OS and CPU architecture (for example, Linux/macOS/Windows and amd64 vs arm64).
Example (Linux/macOS):
chmod +x ./gcpwn
./gcpwnDatabase location for this option:
- Runtime path used by the binary (commonly in the directory where you execute it) under
databases/ - Example:
./databases/gcpwn.db
docker build -t gcpwn .
docker run --rm -it gcpwnBuild with optional extras:
# prettytable extra
docker build --build-arg GCPWN_EXTRAS=table -t gcpwn .
# xlsxwriter extra
docker build --build-arg GCPWN_EXTRAS=excel -t gcpwn .
# both extras
docker build --build-arg GCPWN_EXTRAS=table,excel -t gcpwn .With output/data persistence:
docker run --rm -it \
-v "$(pwd)/databases:/opt/gcpwn/databases" \
-v "$(pwd)/gcpwn_output:/opt/gcpwn/gcpwn_output" \
gcpwnDatabase location for this option:
- In-container default:
/opt/gcpwn/databases/ - If you use the volume mount above, host path:
$(pwd)/databases/
- Create or select a workspace at startup.
- Add or select credentials (see Authentication Reference).
- If using ADC, set your active project context when needed:
gcloud config set project <PROJECT_ID>- Run baseline collection:
# Minimal first pass
modules run enum_all
# Common day-one run
modules run enum_all --iam --download
# Deeper pass (large Resource Manager permission sets)
modules run enum_all --iam --all-permissions --download
# Run only a subset of services (comma/space separated tokens; omit to run all)
modules run enum_all --modules iam,storage gke
# Include the opt-in Cloud Asset Inventory pull (additive: bare enum_all skips it)
modules run enum_all --iam --asset-inventory
# Reuse the cached hierarchy instead of re-discovering projects/folders/orgs
modules run enum_all --iam --no-enum-resources
# Scoped Resource Manager deep-dive while still discovering broadly
modules run enum_all --modules resource-manager --iam --get --project-allowlist-file projects.txt --folder-allowlist 123456789012 --org-allowlist-file org_ids.txtenum_all covers 43 GCP services. Choose which ones to run with --modules
(comma/space separated tokens) — omit it to run everything. Tokens accept short
names (storage, iam, bq, gke, secrets, compute, …) or full names
(cloud-storage); run modules run enum_all --list-modules for the full list.
enum_all also runs a once-only Google Workspace phase; enum_gcp is identical
but skips Workspace, and enum_google_workspace runs only the Workspace enumerators.
Google Workspace note:
-
GCP credentials do not grant Workspace access. The Workspace enumerators call the
Cloud Identity / Admin SDK Directory APIs, which need a principal Workspace recognizes as
an admin — either an admin user credential (works directly) or a service account with
domain-wide delegation that impersonates an admin via
--impersonate <admin@domain>. - Directory scoping uses a
directoryCustomerId(C...), resolved from--customer-id, theworkspace_customer_idconfig, or derived + auto-persisted from the GCP org (--org-id). Full details in Authentication Reference → Google Workspace (Domain-Wide Delegation).
Cloud Asset Inventory note:
-
--asset-inventoryis opt-in. A bareenum_allSKIPS it;enum_all --asset-inventoryruns everything PLUS it. It list_assets (RESOURCE + IAM_POLICY) at project/folder/org scope and UPSERTS into the shared workspace tables (IAM policies, the resource tree, service accounts/keys/roles, compute instances, Workload Identity) as a force-multiplier and fallback.
Allowlist note:
- If no allowlist flags are supplied,
enum_alltreats all discovered resources/projects as in scope. - Inline allowlist flags (
--project-allowlist,--folder-allowlist,--org-allowlist) take literal IDs. -
--*-allowlist-fileflags take file paths (one ID per line). -
--parent-allowlist-folder*and--parent-allowlist-org*constrain scope to descendants (any nested depth). - With both direct and parent allowlists, effective scope is their intersection. With parent-only allowlists, scope is all descendants under those parents.
- If only one direct allowlist type is provided, other direct resource types are treated as out of scope unless also allowlisted.
- With allowlists present,
enum_allstill runs baseline Resource Manager discovery, but non-Resource-Manager modules run only for projects inside the effective allowlist scope. - Exception:
enum_gcp_policy_bindingsstill runs once at the end ofenum_all. -
enum_gcp_policy_bindingsuses cached workspace resources, so resources enumerated in earlier runs (including outside the current allowlist) may still be included.
- Analyze and export what was collected:
- Review permissions enumerated for the credentials used (What are my permissions?)
creds info
creds info --csv- Review the data enumerated in Excel or CSV (What data/services can I see?)
data export excel
data export csv- Review the data written to disk or downloaded (What can I download?)
./gcpwn_output/<workspace_id>_<workspace_name_slug>/
- Build OpenGraph JSON for BloodHound import:
modules run process_og_gcpwn_data --expand-inherited --reset --out Bloodhound_Output-o/--out is an OUTPUT DIRECTORY; files are written into it as
opengraph_<folder_name>.json. Import that JSON into BloodHound CE to review
privilege-escalation paths.
Alternatively, build the graph directly from a Cloud Asset Inventory export FILE with no prior enumeration and no SQLite needed:
# 1. Export assets with gcloud (RESOURCE + IAM_POLICY) to a GCS object, then download it
gcloud asset export \
--project <PROJECT_ID> \
--content-type resource \
--output-path "gs://<BUCKET>/assets.json"
# (repeat with --content-type iam-policy, or use --content-type=resource and a second
# iam-policy export; gather the NDJSON export file(s) locally)
# 2. Build the graph straight from the export file
modules run process_og_gcpwn_data --cai-file ./assets.json --expand-inherited --out Bloodhound_Output--cai-file accepts NDJSON from gcloud asset export or a JSON array of assets.
The generated graph is exported but NOT persisted to the workspace's OpenGraph
tables, and it cannot be combined with --use-existing-opengraph-db.
BloodHound CE installation/quickstart: https://bloodhound.specterops.io/get-started/quickstart/community-edition-quickstart
- Auth mode details and startup syntax: Authentication Reference
- Workspace commands (credential/project/config/data menus): Workspace Instructions
- Module flags, categories, and orchestrator flows: CLI Module Reference
- Goal-driven operator workflows: Common Use Cases
- Artifact/content collection patterns with
--download: Downloads to Disk - SQL querying, export formats, and safe wipe operations: Data View/Export
- End-to-end IAM processing workflow from enumeration to analysis: IAM Enumeration and Analysis Workflow
- OpenGraph generation behavior and operational run patterns: OpenGraph Overview and Usage
- Custom single-permission and multi-permission edge authoring: OpenGraph - Add Your Own Content
- Developer extension path for writing/updating modules: Module Development Guide
- Authentication Reference
- Workspace Instructions
- Google Workspace Enumeration
- CLI Module Reference
- Downloads to Disk
- Logging & Verbosity
- Data View/Export
- IAM Enumeration and Analysis Workflow
- Troubleshooting and FAQ