Find public buckets
GCPBucketBrute
Installation
cd /usr/bin
git clone https://github.com/RhinoSecurityLabs/GCPBucketBrute.git
cd GCPBucketBrute/
#apt install python3-pip
pip3 install -r requirements.txt
Behind a proxy
pip3 --proxy http://user:password@proxy.com:8080 install --trusted-host pypi.org --trusted-host files.pythonhosted.org -r requirements.txt
Usage
Find buckets
Using a keyword, unauthenticated. The tool creates permutations of the keyword provided.
python3 gcpbucketbrute.py -k <keyword> -u
Using a wordlist (no permutations created)
WL=$HOME/buckets.txt
python3 gcpbucketbrute.py -w "$WL" -u
Check permissions on specified bucket
python3 gcpbucketbrute.py --check <bucketname> -u
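A defender-side counterpart to the permission check above, as an added example that is not part of the original notes or of GCPBucketBrute: it reads a bucket IAM policy in the JSON form printed by `gsutil iam get gs://BUCKET_NAME` and reports every binding that grants a role to allUsers or allAuthenticatedUsers. The function name, the read-only role grouping and the sample policy are assumptions constructed for illustration.

```python
import json

# Principals that make a Cloud IAM binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Predefined Cloud Storage roles that only allow reading or listing.
READ_ONLY_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyBucketReader",
    "roles/storage.legacyObjectReader",
}

# Constructed sample policy, in the JSON shape printed by `gsutil iam get`.
SAMPLE_POLICY = """
{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers", "user:alice@example.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.legacyBucketWriter", "members": ["allUsers"]}
  ],
  "etag": "CAE="
}
"""


def find_public_bindings(policy_json):
    """Return one finding per (role, public member) pair in a bucket IAM policy."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member not in PUBLIC_MEMBERS:
                continue
            # Anything not known to be read-only (custom roles included) is
            # reported as "elevated" so that it gets reviewed first.
            access = "read" if role in READ_ONLY_ROLES else "elevated"
            findings.append({"role": role, "member": member, "access": access})
    return findings


if __name__ == "__main__":
    for finding in find_public_bindings(SAMPLE_POLICY):
        print("{access:8} {member:22} {role}".format(**finding))
```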
Accessing public objects
API
https://storage.googleapis.com/BUCKET_NAME
https://storage.googleapis.com/BUCKET_NAME/OBJECT_NAME
Example
https://storage.googleapis.com/gcp-public-data-landsat
https://storage.googleapis.com/gcp-public-data-landsat/LC08/PRE/06LC08/01/001/004/LC08_L1GT_001004_20150730_20170406_01_T2/LC08_L1GT_001004_20150730_20170406_01_T2_BQA.TIF
Google Console
Log in to a Google account
https://console.cloud.google.com/storage/browser/BUCKET_NAME
Example
https://console.cloud.google.com/storage/browser/gcp-public-data-landsat
Using gsutil
gs://BUCKET_NAME/OBJECT_NAME