GCPBucketBrute – Enumerate Google Storage Buckets

GCPBucketBrute is a script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.

This script (optionally) accepts GCP user/service account credentials and a keyword. Then, a list of permutations will be generated from that keyword which will then be used to scan for the existence of Google Storage buckets with those names.

GCPBucketBrute - Enumerate Google Storage
GCPBucketBrute – Enumerate Google Storage

If credentials are supplied, the majority of enumeration will still be performed while unauthenticated, but for any bucket that is discovered via unauthenticated enumeration, it will attempt to enumerate the bucket permissions using the TestIamPermissions API with the supplied credentials. This will help find buckets that are accessible while authenticated, but not while unauthenticated.

The summary for the script execution are:

  • Given a keyword, this script enumerates Google Storage buckets based on a number of permutations generated from the keyword.
  • Then, any discovered bucket will be output.
  • Then, any permissions that you are granted (if any) to any discovered bucket will be output.
  • Then the script will check those privileges for privilege escalation (storage.buckets.setIamPolicy) and will output anything interesting (such as publicly listable, publicly writable, authenticated listable, privilege escalation, etc).

You can read more and download the script over here: https://github.com/RhinoSecurityLabs/GCPBucketBrute

Notify of
Inline Feedbacks
View all comments