Cloud Penetration Testing for Red Teamers

Product type: Book
Published in: Nov 2023
Publisher: Packt
ISBN-13: 9781803248486
Pages: 298 pages
Edition: 1st Edition
Author: Kim Crawley

Table of Contents (20 chapters)

Preface
1. Part 1: Today’s Cloud Networks and Their Security Implications
2. Chapter 1: How Do Enterprises Utilize and Implement Cloud Networks?
3. Chapter 2: How Are Cloud Networks Cyber Attacked?
4. Chapter 3: Key Concepts for Pentesting Today’s Cloud Networks
5. Part 2: Pentesting AWS
6. Chapter 4: Security Features in AWS
7. Chapter 5: Pentesting AWS Features through Serverless Applications and Tools
8. Chapter 6: Pentesting Containerized Applications in AWS
9. Part 3: Pentesting Microsoft Azure
10. Chapter 7: Security Features in Azure
11. Chapter 8: Pentesting Azure Features through Serverless Applications and Tools
12. Chapter 9: Pentesting Containerized Applications in Azure
13. Part 4: Pentesting GCP
14. Chapter 10: Security Features in GCP
15. Chapter 11: Pentesting GCP Features through Serverless Applications and Tools
16. Chapter 12: Pentesting Containerized Applications in GCP
17. Chapter 13: Best Practices and Summary
18. Index
19. Other Books You May Enjoy

Pentesting GCP Features through Serverless Applications and Tools

Now that we’ve learned a bit about the various services that Google Cloud Platform (GCP) has to offer, it’s time to start our own GCP deployment and learn about some GCP pentesting tools through hands-on practice.

We will install and execute some pentesting tools in the GCP virtual machine we set up in Chapter 10. They include Prowler, GCPBucketBrute, and GCP Scanner. We’ll also look at the security tools that Google provides for us in Security Command Center.

This chapter will cover the following topics:

  • GCP free tier
  • Launching a GCP network
  • Using GCP Cloud Shell
  • GCP native security tools
  • GCP pentesting tools
  • Exploiting GCP applications

Let’s get started!

Technical requirements

We will be working with Google’s infrastructure. Massive GCP data centers will be doing the bulk of the computer processing work for the exercises in this chapter. So, fortunately, you don’t need to have a top-of-the-line workstation. You will need the following:

  • A web browser
  • A desktop or laptop PC
  • An Android phone or iPhone
  • A good reliable internet connection

Check out the following video to view the Code in Action: https://bit.ly/4093wMk

GCP free tier

I strongly recommend setting up your own GCP network to test out the exercises in this chapter and Chapter 12.

There are several GCP products and services that you can enjoy in the free tier without incurring charges to your account. Do keep in mind though that you will need to give GCP your credit card number when you sign up. Your credit card will be charged if you go over the free tier limits, so you must check your usage and billing very carefully. When I signed up, I was given a 300 USD free credit for service fees in the first 90 days of my subscription. Depending on when you sign up, where in the world you sign up from, and the specifics of your situation, you may or may not receive a similar credit. Later in this chapter, I will show you where you can check your billing status so that you can make sure you don’t incur service charges that you can’t afford or otherwise wouldn’t want to pay for.

As of this writing in 2023, here are the...

Launching a GCP network

As with AWS and Azure, all you need is a modern laptop or desktop PC running Windows, macOS, or a Linux distribution to launch and manage a GCP network. Google’s computers and infrastructure do all of the heavy lifting as far as computing resources are concerned.

I would also recommend using Google Authenticator on your Android phone (https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&pli=1) or iPhone (https://apps.apple.com/us/app/google-authenticator/id388497605) so that you can use multi-factor authentication (MFA) with your GCP services. I would not recommend using your phone to do most of your GCP work as a PC screen and a physical keyboard are ideal for those purposes. But you may install the Google Cloud app (https://cloud.google.com/app) on your phone if you want to check the status of your GCP services. It’s especially great for checking your billing on the go to make sure you’re not doing...

Using GCP Cloud Shell

To launch GCP Cloud Shell, look at the menu bar at the top and click on the icon that looks like >_ to the immediate right of the search bar. Do you notice how similar GCP’s web interface is to the web interfaces in AWS and Azure?

Figure 11.7 – Top menu bar in the GCP console

All of the Bash commands we used in Chapter 5 for AWS and Chapter 8 for Azure will work here. Our Linux VM in GCP is functionally just like any other Linux-based computer; a Bash CLI is standard. If you want, you can review some Bash commands from Chapter 5.

The Cloud Shell screen looks like this:

Figure 11.8 – The Cloud Shell screen

Next, let’s check out some of the tools Google provides that will help us when we work as GCP pentesters.

GCP native security tools

Security Command Center is your starting point for all of the security tools that are built into GCP. It integrates various first-party GCP security tools that I mentioned in Chapter 10. This means you can see data from these applications and services within your Security Command Center (SCC) panel:

  • Identity and Access Management (https://cloud.google.com/iam), which manages all of the user identities and machine identities (such as a TLS certificate for a web server) in your GCP network, with robust logging that’s integrated into SCC and can also be integrated into an organization’s third-party security monitoring services. “Identity and Access Management (IAM) lets administrators authorize who can take action on specific resources, giving you full control and visibility to manage Google Cloud resources centrally.”
  • Cloud IDS (https://cloud.google.com/intrusion-detection-system), which serves the same functions as most...

Installing GCP pentesting tools

There are a few different third-party tools that we’ll use to conduct security scans in our GCP instance. First, we’ll install them.

Prowler

I mentioned Prowler for AWS in Chapter 5 and for Azure in Chapter 8. You can also use Prowler to find vulnerabilities in GCP. I’ll briefly walk you through this process as Prowler has already been covered quite a bit in this book.

Everything we’ll be doing will be in Cloud Shell. From the GCP console web application, click on the icon that looks like >_ on the right-hand side of the search bar in the top menu bar to open Cloud Shell. The default CLI is a terminal, which is Bash. All of the Linux Bash commands we used in the AWS and Azure chapters will work here.

First, I verified that I had pip installed and which version it was with this command:

pip -V

This was the response I got at the command line:

pip 20.3.4 from /usr/lib/python3/dist-packages/pip (python 3...

Exploiting GCP applications

Now that we’ve installed a few third-party scanning tools, it’s time to use them.

Prowler

Let’s go through the basics of scanning GCP with Prowler first.

By default, Prowler uses the credentials of whichever account you used to log in to GCP for your VM, so the scan is limited to what that account is permitted to see. If you need to scan as a different account, check the available accounts and their permissions under IAM in the GCP web console, then switch accounts with this command:

gcloud config set account <account>

Now, we can run a default Prowler scan in GCP with this command. Make sure you’re in the Prowler directory first, then run a scan:

cd prowler
prowler gcp

If you used GitHub to install Prowler, use prowler.py instead of prowler in your commands.

I recommend executing the help file first so that you can see all of the commands and options you can use in Prowler. As in previous chapters, you can get Prowler to list services and checks, and run specific...
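To turn a scan into something you can put in a pentest report, here is an added example (not the book’s or Prowler’s own code) that triages the findings Prowler writes in its JSON output mode into a per-severity count and a list of FAIL results ordered by severity. The field names (Status, Severity, CheckID, ServiceName, ResourceId, StatusExtended) are assumed from Prowler 3’s JSON format, and the findings below are constructed sample data, not output from a real scan.

```python
import json
from collections import Counter

# Constructed sample findings in the shape of Prowler's JSON output
# (field names assumed from Prowler 3; this is not output from a real scan).
SAMPLE_JSON = json.dumps([
    {"CheckID": "iam_sa_no_user_managed_keys", "ServiceName": "iam",
     "Status": "FAIL", "Severity": "medium",
     "ResourceId": "svc-1@example-project.iam.gserviceaccount.com",
     "StatusExtended": "Service account has a user-managed key."},
    {"CheckID": "gcs_bucket_public_access", "ServiceName": "gcs",
     "Status": "FAIL", "Severity": "critical",
     "ResourceId": "example-public-bucket",
     "StatusExtended": "Bucket is publicly accessible."},
    {"CheckID": "logging_sink_created", "ServiceName": "logging",
     "Status": "PASS", "Severity": "low",
     "ResourceId": "example-project",
     "StatusExtended": "A logging sink is configured."},
])

SEVERITIES = ["critical", "high", "medium", "low", "informational"]


def load_findings(raw_json):
    """Parse a Prowler JSON report, which is a list of finding objects."""
    findings = json.loads(raw_json)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    return findings


def severity_rank(finding):
    """Lower rank means more severe; unknown severities sort last."""
    sev = str(finding.get("Severity", "")).lower()
    return SEVERITIES.index(sev) if sev in SEVERITIES else len(SEVERITIES)


def failed_findings(findings):
    """Only FAIL findings go in the report; PASS results are dropped."""
    return sorted((f for f in findings if f.get("Status") == "FAIL"), key=severity_rank)


def severity_summary(findings):
    """Count FAIL findings per severity, listing every level even when zero."""
    counts = Counter(str(f.get("Severity", "")).lower() for f in failed_findings(findings))
    return {s: counts.get(s, 0) for s in SEVERITIES}


def report_lines(findings):
    """One line per FAIL finding, most severe first, ready for a report."""
    return [f"[{f['Severity'].upper()}] {f['ServiceName']}/{f['CheckID']} "
            f"on {f['ResourceId']}: {f['StatusExtended']}"
            for f in failed_findings(findings)]
```

Point `load_findings` at the contents of the JSON file Prowler writes after a `prowler gcp` run with JSON output enabled, and the same functions summarize a real scan.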

Summary

Everything you need to create a GCP network to practice pentesting can be done with the services in the GCP free tier. Just make sure you check your billing in the GCP web console to make sure you aren’t incurring charges.

You may need to set up a Google Workspace or Cloud Identity account to get the most out of GCP. That includes using SCC. SCC is your starting point for all of the security tools that are built into GCP. It integrates various first-party GCP security tools. You can use SCC to check for some threats, vulnerabilities, and security recommendations based on Google’s threat intelligence. As with running third-party pentesting tools, SCC may provide you with useful information that you can use in your pentest report.

Just like with AWS and Azure, Prowler can be used to scan for vulnerabilities and regulatory compliance in GCP. We ran a Prowler vulnerability scan at the command line in Cloud Shell.

GCPBucketBrute checks whether attackers can...

Further reading

To learn more about the topics that were covered in this chapter, take a look at the following resources:
