-
Notifications
You must be signed in to change notification settings - Fork 226
GCP Commands
jbarciabf edited this page Feb 26, 2026
·
1 revision
Prerequisites: https://github.com/BishopFox/cloudfox#prerequisites
To list GCP commands: ./cloudfox gcp -h
For help with each command: ./cloudfox gcp [command_name] -h
- Identity & Access Management
- Compute & Containers
- Storage & Databases
- Networking
- Security & Compliance
- CI/CD & Source Control
- Messaging & Events
- Logging & Monitoring
- Organization & Projects
- Attack Path Analysis
- Sensitive Data Scanning
| Attribute | Value |
|---|---|
| Summary | Display identity context for the authenticated GCP user/service account |
| Aliases |
identity, me
|
| Author | Bishop Fox |
| Background | Understanding your current identity context is the first step in any GCP penetration test. This command shows who you are, what projects you have access to, your effective roles across the hierarchy, and (with --extended) a unified attack paths table showing privilege escalation, data exfiltration, and lateral movement capabilities. Unlike AWS where IAM is account-scoped, GCP IAM is hierarchical (Organization → Folder → Project), so understanding role inheritance is critical. |
| Use case 1: Initial Recon | Run immediately after authenticating to understand your current access level and scope. |
| Use case 2: Attack Path Discovery | Use --extended flag to identify all attack paths: privilege escalation, data exfiltration, and lateral movement capabilities. |
| Use case 3: Group-based Access | If you know you're a member of certain groups but enumeration fails, use --groups to include those bindings. |
| Flags |
--extended, -e: Enable extended enumeration (impersonation targets, unified attack paths table)--groups, -g: Comma-separated list of known group email addresses--groupslist: Path to file containing group email addresses (one per line) |
| Loot file(s) |
loot/whoami-impersonation.txt, loot/whoami-privesc.txt, loot/whoami-data-exfil.txt, loot/whoami-lateral-movement.txt, loot/whoami-privesc-playbook.txt, loot/whoami-data-exfil-playbook.txt, loot/whoami-lateral-movement-playbook.txt
|
Example 1: Basic identity enumeration
❯ cloudfox gcp --project my-project whoami
[whoami] Enumerating identity context...
[whoami] Current Identity: pentester@company.com (user)
╭─────────────────────────────────────────────────────────────────────────────╮
│ Identity Summary │
╰─────────────────────────────────────────────────────────────────────────────╯
Email: pentester@company.com
Type: user
Projects: 3 accessible
╭───────────────┬─────────────────────┬──────────────────────────────────────╮
│ Scope │ Scope ID │ Role │
├───────────────┼─────────────────────┼──────────────────────────────────────┤
│ organization │ 123456789012 │ roles/viewer │
│ project │ prod-project │ roles/compute.viewer │
│ project │ dev-project │ roles/editor │
│ project │ staging-project │ roles/storage.objectViewer │
╰───────────────┴─────────────────────┴──────────────────────────────────────╯
[whoami] Found 4 role bindings across 3 projects
Example 2: Extended enumeration with attack paths
❯ cloudfox gcp --project my-project whoami --extended
[whoami] Running extended enumeration...
[whoami] Analyzing impersonation targets and attack paths...
╭─────────────────────────────────────────────────────────────────────────────╮
│ Impersonation Targets │
╰─────────────────────────────────────────────────────────────────────────────╯
╭───────────────────────────────────────────────┬─────────────┬────────────┬─────────╮
│ Service Account │ Project │ Impersonate│ ActAs │
├───────────────────────────────────────────────┼─────────────┼────────────┼─────────┤
│ compute@developer.gserviceaccount.com │ dev-project │ Yes │ Yes │
│ cloudbuild@dev-project.iam.gserviceaccount.com │ dev-project │ No │ Yes │
╰───────────────────────────────────────────────┴─────────────┴────────────┴─────────╯
╭─────────────────────────────────────────────────────────────────────────────╮
│ Attack Paths │
╰─────────────────────────────────────────────────────────────────────────────╯
╭─────────┬─────────────────────┬─────────────────────────────┬──────────────────────────────────┬──────────────────┬─────────────────────────────╮
│ TYPE │ SOURCE SCOPE │ SOURCE ROLE │ PERMISSION │ CATEGORY │ DESCRIPTION │
├─────────┼─────────────────────┼─────────────────────────────┼──────────────────────────────────┼──────────────────┼─────────────────────────────┤
│ Privesc │ project/dev-project │ user:pentester@company.com │ iam.serviceAccountKeys.create │ Key Creation │ Can create persistent keys │
│ Privesc │ project/dev-project │ user:pentester@company.com │ cloudfunctions.functions.create │ Serverless │ Deploy functions with any SA│
│ Exfil │ project/dev-project │ user:pentester@company.com │ storage.objects.get │ Storage │ Can download objects │
│ Lateral │ project/dev-project │ user:pentester@company.com │ compute.instances.setMetadata │ SSH Key Injection│ Can inject SSH keys │
╰─────────┴─────────────────────┴─────────────────────────────┴──────────────────────────────────┴──────────────────┴─────────────────────────────╯
[whoami] Found 2 impersonation targets, 2 privesc paths, 1 exfil path, 1 lateral path
| Attribute | Value |
|---|---|
| Summary | Enumerate GCP IAM principals across organizations, folders, and projects |
| Aliases | roles |
| Author | Bishop Fox |
| Background | GCP IAM is hierarchical - roles granted at the organization level inherit down to folders and projects. This command enumerates all IAM bindings across the hierarchy, identifies high-privilege roles, detects public access (allUsers/allAuthenticatedUsers), and shows conditional IAM policies. Understanding who has what access is fundamental to identifying attack paths. |
| Use case 1: Privilege Mapping | Identify all principals with high-privilege roles (Owner, Editor, Admin roles). |
| Use case 2: Public Access Detection | Find resources exposed to allUsers or allAuthenticatedUsers. |
| Use case 3: Service Account Analysis | Enumerate service accounts and their role assignments across projects. |
| Loot file(s) |
loot/iam-commands.txt, loot/iam-enumeration.txt
|
Example:
❯ cloudfox gcp --project my-project iam
[iam] Enumerating IAM principals...
[iam] Processing project: my-project
╭────────────────────────────────────────────────────────────────────────────────────────╮
│ IAM Bindings │
╰────────────────────────────────────────────────────────────────────────────────────────╯
╭──────────┬─────────────┬────────────────────────────────────┬───────────────────────────────────────┬──────────╮
│ Scope │ Scope ID │ Role │ Principal │ HighPriv │
├──────────┼─────────────┼────────────────────────────────────┼───────────────────────────────────────┼──────────┤
│ project │ my-project │ roles/owner │ user:admin@company.com │ Yes │
│ project │ my-project │ roles/editor │ serviceAccount:compute@dev.iam.gsa │ Yes │
│ project │ my-project │ roles/storage.objectViewer │ allUsers │ PUBLIC │
│ project │ my-project │ roles/compute.viewer │ group:developers@company.com │ No │
╰──────────┴─────────────┴────────────────────────────────────┴───────────────────────────────────────┴──────────╯
[iam] Found 4 IAM bindings
[iam] WARNING: Found 1 public binding(s) - allUsers or allAuthenticatedUsers
| Attribute | Value |
|---|---|
| Summary | Enumerate ALL permissions for each IAM entity with full inheritance explosion |
| Aliases |
perms, privs
|
| Author | Bishop Fox |
| Background | GCP roles contain permissions, and understanding the actual permissions a principal has (not just their roles) is critical for identifying attack paths. This command explodes all role bindings into their constituent permissions, accounting for inheritance from organizations, folders, and custom roles. |
| Use case 1: Permission Analysis | See exactly what permissions a principal has, not just their role names. |
| Use case 2: Custom Role Review | Analyze custom roles to understand their actual permission grants. |
| Loot file(s) |
loot/permissions-commands.txt, loot/permissions-enumeration.txt
|
Example:
❯ cloudfox gcp --project my-project permissions
[permissions] Enumerating permissions with full inheritance explosion...
[permissions] This may take a while for large environments...
╭─────────────────────────────────────────────────────────────────────────────────────╮
│ Permission Summary │
╰─────────────────────────────────────────────────────────────────────────────────────╯
╭───────────────────────────────────────┬──────────────┬──────────────────────────────╮
│ Principal │ Permissions │ Source Role │
├───────────────────────────────────────┼──────────────┼──────────────────────────────┤
│ user:admin@company.com │ 2847 │ roles/owner │
│ serviceAccount:compute@dev.iam.gsa │ 1523 │ roles/editor │
│ user:developer@company.com │ 47 │ roles/storage.objectViewer │
╰───────────────────────────────────────┴──────────────┴──────────────────────────────╯
[permissions] Found 4417 unique permissions across 3 principals
| Attribute | Value |
|---|---|
| Summary | Enumerate GCP service accounts with security analysis |
| Aliases |
sa, sas, service-accounts
|
| Author | Bishop Fox |
| Background | Service accounts are the primary identity for workloads in GCP. They can have keys (which can be leaked), can be impersonated, and often have excessive permissions. This command enumerates all service accounts, their keys, and identifies security issues like disabled accounts with active keys or accounts with domain-wide delegation. |
| Use case 1: Key Discovery | Find service accounts with user-managed keys that could be targets for theft. |
| Use case 2: Impersonation Targets | Identify service accounts that can be impersonated by your current identity. |
| Use case 3: Privilege Analysis | Find service accounts with high-privilege roles. |
| Loot file(s) | loot/serviceaccounts-commands.txt |
Example:
❯ cloudfox gcp --project my-project serviceaccounts
[serviceaccounts] Enumerating service accounts...
╭────────────────────────────────────────────────────────────────────────────────────────────╮
│ Service Accounts │
╰────────────────────────────────────────────────────────────────────────────────────────────╯
╭────────────────────────────────────────────────┬─────────┬──────┬─────────┬────────────────╮
│ Email │ Enabled │ Keys │ DWD │ Created │
├────────────────────────────────────────────────┼─────────┼──────┼─────────┼────────────────┤
│ compute@my-project.iam.gserviceaccount.com │ Yes │ 2 │ No │ 2023-01-15 │
│ cloudbuild@my-project.iam.gserviceaccount.com │ Yes │ 0 │ No │ 2023-01-15 │
│ admin-sa@my-project.iam.gserviceaccount.com │ Yes │ 1 │ Yes │ 2022-06-20 │
╰────────────────────────────────────────────────┴─────────┴──────┴─────────┴────────────────╯
[serviceaccounts] Found 3 service accounts
[serviceaccounts] WARNING: 1 service account(s) have Domain-Wide Delegation enabled
[serviceaccounts] WARNING: 2 service account(s) have user-managed keys
| Attribute | Value |
|---|---|
| Summary | Enumerate Google-managed service agents |
| Aliases |
agents, service-accounts-google, gcp-agents
|
| Author | Bishop Fox |
| Loot file(s) | loot/serviceagents-commands.txt |
| Background | Google automatically creates service agents to perform operations on your behalf for various GCP services. These are different from user-managed service accounts. Understanding which service agents exist and their roles helps identify the full IAM picture and potential lateral movement paths through service-to-service access. |
| Use case 1: Inventory | Understand which Google-managed agents are active in your projects. |
| Use case 2: Role Analysis | See what roles Google service agents have been granted. |
Example:
❯ cloudfox gcp --project my-project service-agents
[service-agents] Enumerating Google-managed service agents...
╭────────────────────────────────────────────────────────────────────────────────────╮
│ Service Agents │
╰────────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────────────────────────────────────────────────┬──────────────╮
│ Agent Email │ Service │
├─────────────────────────────────────────────────────────────────────┼──────────────┤
│ service-123456@compute-system.iam.gserviceaccount.com │ Compute │
│ service-123456@container-engine-robot.iam.gserviceaccount.com │ GKE │
│ service-123456@gcp-sa-cloudbuild.iam.gserviceaccount.com │ Cloud Build │
╰─────────────────────────────────────────────────────────────────────┴──────────────╯
[service-agents] Found 3 service agents
| Attribute | Value |
|---|---|
| Summary | Enumerate all GCP keys (SA keys, HMAC keys, API keys) |
| Aliases |
credentials, creds, access-keys
|
| Author | Bishop Fox |
| Background | Keys in GCP come in several forms: service account keys (JSON credentials), HMAC keys (for Cloud Storage S3-compatible access), and API keys (for public APIs). Service account keys are particularly dangerous as they don't expire by default and can be used from anywhere. This command enumerates all key types to identify potential credential theft targets. |
| Use case 1: Key Inventory | Find all keys that could be targets for theft or are already leaked. |
| Use case 2: Key Age Analysis | Identify old keys that should be rotated. |
| Use case 3: HMAC Key Discovery | Find HMAC keys that allow S3-compatible access to GCS. |
| Loot file(s) |
loot/keys-hmac-s3-commands.txt, loot/keys-apikey-test-commands.txt, loot/keys-enumeration-commands.txt
|
Example:
❯ cloudfox gcp --project my-project keys
[keys] Enumerating all key types...
╭────────────────────────────────────────────────────────────────────────────────────╮
│ Service Account Keys │
╰────────────────────────────────────────────────────────────────────────────────────╯
╭────────────────────────────────────────────────┬────────────────┬───────────────────╮
│ Service Account │ Key ID │ Created │
├────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ compute@my-project.iam.gserviceaccount.com │ abc123def456 │ 2022-03-15 │
│ compute@my-project.iam.gserviceaccount.com │ xyz789ghi012 │ 2023-08-20 │
│ admin-sa@my-project.iam.gserviceaccount.com │ key456abc789 │ 2021-01-10 │
╰────────────────────────────────────────────────┴────────────────┴───────────────────╯
[keys] Found 3 service account keys, 2 HMAC keys, 5 API keys
[keys] WARNING: 1 key is older than 90 days
| Attribute | Value |
|---|---|
| Summary | Enumerate IAM policies on GCP resources (buckets, datasets, secrets, etc.) |
| Aliases |
resiam, resource-policies
|
| Author | Bishop Fox |
| Background | Beyond project-level IAM, many GCP resources have their own IAM policies. Buckets, BigQuery datasets, Pub/Sub topics, and secrets can all have resource-level IAM bindings that grant access independently of project IAM. This command enumerates these resource-level policies to find access that might be missed by only looking at project IAM. |
| Use case 1: Public Resource Detection | Find resources directly exposed to allUsers or allAuthenticatedUsers. |
| Use case 2: Cross-Project Access | Identify resources accessible from other projects. |
| Use case 3: Least Privilege Analysis | Find resources with overly broad IAM policies. |
| Loot file(s) |
loot/resource-iam-commands.txt, loot/public-resources.txt
|
Example:
❯ cloudfox gcp --project my-project resource-iam
[resource-iam] Enumerating resource-level IAM policies...
╭─────────────────────────────────────────────────────────────────────────────────────╮
│ Resource IAM Policies │
╰─────────────────────────────────────────────────────────────────────────────────────╯
╭──────────────┬─────────────────────────┬────────────────────────┬──────────────┬────────╮
│ Resource Type│ Resource Name │ Role │ Member │ Public │
├──────────────┼─────────────────────────┼────────────────────────┼──────────────┼────────┤
│ bucket │ public-assets-bucket │ roles/storage.viewer │ allUsers │ Yes │
│ dataset │ analytics_data │ roles/bigquery.viewer │ allAuthUsers │ Yes │
│ secret │ api-credentials │ roles/secretmanager... │ user:dev@... │ No │
╰──────────────┴─────────────────────────┴────────────────────────┴──────────────┴────────╯
[resource-iam] Found 3 resource-level IAM policies
[resource-iam] WARNING: 2 resource(s) are publicly accessible
| Attribute | Value |
|---|---|
| Summary | Find service accounts with Domain-Wide Delegation to Google Workspace |
| Aliases |
dwd, delegation, workspace-delegation
|
| Author | Bishop Fox |
| Background | Domain-Wide Delegation (DWD) allows a service account to impersonate any user in a Google Workspace domain. This is extremely powerful and dangerous - a compromised service account with DWD can access Gmail, Drive, Calendar, and other Workspace data for any user. This command identifies service accounts with DWD enabled. |
| Use case 1: DWD Discovery | Find service accounts that could be used to access Google Workspace data. |
| Use case 2: Attack Path Identification | DWD service accounts are high-value targets for attackers. |
| Loot file(s) |
loot/dwd_exploit.py, loot/dwd-playbook.txt
|
Example:
❯ cloudfox gcp --project my-project domain-wide-delegation
[domain-wide-delegation] Searching for service accounts with Domain-Wide Delegation...
╭────────────────────────────────────────────────────────────────────────────────────────╮
│ Service Accounts with Domain-Wide Delegation │
╰────────────────────────────────────────────────────────────────────────────────────────╯
╭────────────────────────────────────────────────┬─────────────┬───────────────────────────╮
│ Service Account │ Project │ OAuth Scopes │
├────────────────────────────────────────────────┼─────────────┼───────────────────────────┤
│ admin-automation@my-project.iam.gserviceaccount│ my-project │ gmail.readonly, drive │
╰────────────────────────────────────────────────┴─────────────┴───────────────────────────╯
[domain-wide-delegation] Found 1 service account(s) with Domain-Wide Delegation
[domain-wide-delegation] CRITICAL: These accounts can impersonate any Workspace user
| Attribute | Value |
|---|---|
| Summary | Identify privilege escalation paths in GCP projects |
| Aliases |
pe, escalate, priv
|
| Author | Bishop Fox |
| Scope | Organization, Folder, Project, and Resource levels |
| Backend |
attackpathService (unified with lateral-movement and data-exfiltration) |
| Background | GCP has numerous privilege escalation vectors - from service account impersonation to cloud function deployment with elevated permissions. This command analyzes IAM policies across all hierarchy levels (Org → Folder → Project → Resource) to identify paths to escalate privileges. |
| Use case 1: Attack Path Discovery | Find ways to escalate from your current permissions to higher access. |
| Use case 2: Security Assessment | Identify privilege escalation risks in the environment. |
| Loot file(s) | loot/privesc-commands.txt |
Privilege Escalation Permissions Analyzed:
| Category | Permission | Risk Level |
|---|---|---|
| SA Impersonation | iam.serviceAccounts.getAccessToken |
CRITICAL |
| SA Impersonation | iam.serviceAccounts.signJwt |
CRITICAL |
| Key Creation | iam.serviceAccountKeys.create |
CRITICAL |
| IAM Modification | resourcemanager.projects.setIamPolicy |
CRITICAL |
| Serverless | cloudfunctions.functions.create |
HIGH |
| Serverless | run.services.create |
HIGH |
| CI/CD | cloudbuild.builds.create |
CRITICAL |
| Compute | compute.instances.setMetadata |
HIGH |
Example:
❯ cloudfox gcp --project my-project privesc
[privesc] Analyzing privilege escalation paths at org/folder/project/resource levels...
╭────────────────────────────────────────────────────────────────────────────────────╮
│ Privilege Escalation Paths │
╰────────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────────────┬────────────────────────────────────────────────────╮
│ Technique │ Description │
├─────────────────────────────────┼────────────────────────────────────────────────────┤
│ cloudfunctions.functions.create │ Can deploy Cloud Function with any SA │
│ iam.serviceAccountKeys.create │ Can create keys for compute-sa@project.iam.gsa │
│ run.services.create │ Can deploy Cloud Run with any SA │
╰─────────────────────────────────┴────────────────────────────────────────────────────╯
[privesc] Found 3 potential privilege escalation paths
| Attribute | Value |
|---|---|
| Summary | Identify principals who can modify IAM policies (hidden admins) |
| Aliases |
ha, hidden
|
| Author | Bishop Fox |
| Background | This command analyzes GCP IAM policies to find "hidden admins" — principals who may not have obvious admin roles but possess permissions to grant themselves or others elevated access. It checks for setIamPolicy permissions at organization, folder, project, and resource levels, as well as custom role creation/modification capabilities. Integrates with FoxMapper for "wrong admin" analysis (principals marked as admin without explicit admin roles). |
| Use case 1: IAM Modification Discovery | Find principals who can modify IAM policies at any scope level. |
| Use case 2: Wrong Admin Detection | With FoxMapper data, identify principals who are effectively admin without explicit admin roles. |
| Loot file(s) |
loot/hidden-admins-commands.txt, loot/wrong-admins.txt
|
| Attribute | Value |
|---|---|
| Summary | Enumerate Workload Identity Federation (external identities) |
| Aliases |
federation, wif, federated-identity
|
| Author | Bishop Fox |
| Background | Workload Identity Federation allows external identities (AWS, GitHub Actions, GitLab CI, Azure AD, etc.) to authenticate as GCP service accounts without using service account keys. This command enumerates federation pools, providers, and federated identity bindings. It identifies risky provider configurations such as missing attribute conditions that allow ANY identity from the source to authenticate. |
| Use case 1: External Access Discovery | Find which external identities (AWS roles, GitHub repos) can authenticate to GCP. |
| Use case 2: Misconfiguration Detection | Identify providers without attribute conditions (overly broad trust). |
| Use case 3: Cross-Cloud Attack Paths | Map AWS/Azure/OIDC identities that can assume GCP service accounts. |
| Loot file(s) | loot/identity-federation-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate GCP Compute Engine instances with security configuration |
| Aliases |
vms, compute, ssh, oslogin
|
| Author | Bishop Fox |
| Background | Compute Engine instances are often the primary attack target in GCP. This command enumerates all instances with their security configuration including service accounts, network exposure, OS Login settings, and disk encryption. It also extracts SSH keys and startup scripts which may contain secrets. |
| Use case 1: External Attack Surface | Find instances with external IPs that are internet-accessible. |
| Use case 2: Service Account Analysis | Identify instances using default service accounts with broad scopes. |
| Use case 3: Secret Discovery | Extract startup scripts and metadata that may contain credentials. |
| Loot file(s) |
loot/instances-commands.txt, loot/instances-ssh-keys.txt, loot/instances-metadata.txt, loot/instances-sensitive-metadata.txt
|
Example:
❯ cloudfox gcp --project my-project instances
[instances] Enumerating Compute Engine instances...
╭────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Compute Engine Instances │
╰────────────────────────────────────────────────────────────────────────────────────────────────╯
╭──────────────┬─────────────┬───────────────┬─────────────────┬───────────┬──────────┬──────────╮
│ Name │ Zone │ External IP │ Internal IP │ DefaultSA │ OSLogin │ SerialPt │
├──────────────┼─────────────┼───────────────┼─────────────────┼───────────┼──────────┼──────────┤
│ web-server-1 │ us-east1-b │ 35.123.45.67 │ 10.128.0.2 │ No │ Yes │ No │
│ db-server │ us-east1-b │ - │ 10.128.0.3 │ Yes │ No │ No │
│ jump-host │ us-east1-c │ 34.85.100.50 │ 10.128.0.10 │ No │ Yes │ Yes │
╰──────────────┴─────────────┴───────────────┴─────────────────┴───────────┴──────────┴──────────╯
[instances] Found 3 instances
[instances] WARNING: 1 instance uses default service account with broad scopes
[instances] Found 5 SSH keys in metadata
[instances] Found 2 startup scripts (check loot file for secrets)
| Attribute | Value |
|---|---|
| Summary | Enumerate GKE clusters with security analysis |
| Aliases |
kubernetes, k8s, clusters
|
| Author | Bishop Fox |
| Background | GKE clusters are complex environments with many security-relevant settings. This command analyzes cluster configuration including public/private endpoints, RBAC vs legacy ABAC, Workload Identity, network policies, Binary Authorization, and Shielded Nodes. It also enumerates node pools with their service accounts and OAuth scopes. |
| Use case 1: Public Cluster Detection | Find clusters with publicly accessible API servers. |
| Use case 2: Workload Identity Gap Analysis | Identify clusters not using Workload Identity (node SA is shared). |
| Use case 3: Security Misconfiguration | Detect legacy ABAC, disabled network policy, or missing Binary Auth. |
| Loot file(s) | loot/gke-commands.txt |
Example:
❯ cloudfox gcp --project my-project gke
[gke] Enumerating GKE clusters...
╭───────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ GKE Clusters │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭───────────────┬─────────────┬────────────────┬─────────┬───────────┬───────────┬────────────┬─────────────╮
│ Name │ Location │ Endpoint │ Private │ MasterAuth│ NetPolicy │ WorkloadID │ Mode │
├───────────────┼─────────────┼────────────────┼─────────┼───────────┼───────────┼────────────┼─────────────┤
│ prod-cluster │ us-east1 │ 34.75.100.200 │ No │ Yes │ Yes │ Yes │ Standard │
│ dev-cluster │ us-central1 │ 35.192.50.100 │ No │ No │ No │ No │ Standard │
│ autopilot-1 │ us-west1 │ - │ Yes │ Yes │ Yes │ Yes │ Autopilot │
╰───────────────┴─────────────┴────────────────┴─────────┴───────────┴───────────┴────────────┴─────────────╯
╭───────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Node Pools │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭───────────────┬────────────────┬──────────────────────────────────────────┬──────────────────────────╮
│ Cluster │ Node Pool │ Service Account │ Cloud Platform Scope │
├───────────────┼────────────────┼──────────────────────────────────────────┼──────────────────────────┤
│ prod-cluster │ default-pool │ gke-nodes@my-project.iam.gserviceaccount │ No │
│ dev-cluster │ default-pool │ default (Compute Engine default) │ Yes │
╰───────────────┴────────────────┴──────────────────────────────────────────┴──────────────────────────╯
[gke] Found 3 clusters with 2 node pools
[gke] WARNING: 1 cluster has public API endpoint without authorized networks
[gke] WARNING: 1 node pool uses default service account with cloud-platform scope
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Run services and jobs with security analysis |
| Aliases |
run, cr
|
| Author | Bishop Fox |
| Background | Cloud Run services are serverless containers that can be invoked via HTTP. They run with service accounts and can be public (unauthenticated) or private. This command enumerates services with their URLs, authentication settings, and attached service accounts. |
| Use case 1: Public Service Discovery | Find Cloud Run services that allow unauthenticated invocations. |
| Use case 2: Service Account Analysis | Identify services running with elevated service accounts. |
| Loot file(s) |
loot/cloudrun-commands.txt, loot/cloudrun-secret-refs.txt
|
Example:
❯ cloudfox gcp --project my-project cloudrun
[cloudrun] Enumerating Cloud Run services...
╭─────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Cloud Run Services │
╰─────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────┬──────────────┬──────────────────────────────────────────────────┬──────────┬──────────────────────────────╮
│ Service │ Region │ URL │ Public │ Service Account │
├─────────────────┼──────────────┼──────────────────────────────────────────────────┼──────────┼──────────────────────────────┤
│ api-backend │ us-east1 │ https://api-backend-abc123-ue.a.run.app │ No │ api-sa@project.iam.gsa │
│ public-website │ us-east1 │ https://public-website-xyz789-ue.a.run.app │ Yes │ compute default │
╰─────────────────┴──────────────┴──────────────────────────────────────────────────┴──────────┴──────────────────────────────╯
[cloudrun] Found 2 Cloud Run services
[cloudrun] WARNING: 1 service allows unauthenticated invocations
| Attribute | Value |
|---|---|
| Summary | Enumerate GCP Cloud Functions with security analysis |
| Aliases |
function, gcf, cloud-functions
|
| Author | Bishop Fox |
| Background | Cloud Functions are serverless functions triggered by HTTP or events. They run with service accounts and can have environment variables containing secrets. This command enumerates functions with their triggers, service accounts, and checks for sensitive environment variables. |
| Use case 1: Public Function Discovery | Find functions that allow unauthenticated HTTP triggers. |
| Use case 2: Secret Discovery | Find secrets in function environment variables. |
| Use case 3: Privilege Escalation | Identify functions running with elevated service accounts. |
| Loot file(s) |
loot/functions-commands.txt, loot/functions-secrets.txt
|
Example:
❯ cloudfox gcp --project my-project functions
[functions] Enumerating Cloud Functions...
╭───────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Cloud Functions │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────┬──────────────┬─────────────────────────────────────────────┬──────────┬───────────────╮
│ Function │ Region │ URL │ Public │ Env Secrets │
├─────────────────┼──────────────┼─────────────────────────────────────────────┼──────────┼───────────────┤
│ process-orders │ us-east1 │ https://us-east1-project.cloudfunctions.net │ No │ 0 │
│ webhook-handler │ us-east1 │ https://us-east1-project.cloudfunctions.net │ Yes │ 2 │
╰─────────────────┴──────────────┴─────────────────────────────────────────────┴──────────┴───────────────╯
[functions] Found 2 Cloud Functions
[functions] WARNING: 1 function allows unauthenticated invocations
[functions] WARNING: 2 potential secrets found in environment variables
| Attribute | Value |
|---|---|
| Summary | Enumerate App Engine applications and security configurations |
| Aliases |
appengine, gae
|
| Author | Bishop Fox |
| Background | App Engine is Google's original PaaS offering. Applications can have multiple services and versions, each with their own configuration. This command enumerates App Engine apps with their services, versions, and security settings including public access and environment variables. |
| Use case 1: Service Enumeration | Discover all App Engine services and their endpoints. |
| Use case 2: Secret Discovery | Find secrets in environment variables. |
| Loot file(s) | loot/appengine-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Composer environments |
| Aliases | airflow |
| Author | Bishop Fox |
| Background | Cloud Composer is managed Apache Airflow for workflow orchestration. Composer environments have associated GKE clusters, storage buckets, and service accounts. This command enumerates environments with their configuration and access endpoints. |
| Use case 1: DAG Access | Find Composer environments where you might be able to modify DAGs. |
| Use case 2: Bucket Analysis | Identify DAG storage buckets for potential code injection. |
| Loot file(s) | loot/composer-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Dataproc clusters |
| Aliases |
dp, hadoop, spark
|
| Author | Bishop Fox |
| Background | Dataproc is managed Hadoop/Spark. Clusters have associated service accounts, buckets, and can expose Jupyter notebooks. This command enumerates clusters with their configuration, service accounts, and network exposure. |
| Use case 1: Cluster Access | Find Dataproc clusters you can submit jobs to. |
| Use case 2: Service Account Analysis | Identify clusters using elevated service accounts. |
| Loot file(s) | loot/dataproc-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Dataflow jobs and pipelines |
| Aliases |
df, pipelines
|
| Author | Bishop Fox |
| Background | Dataflow is managed Apache Beam for stream/batch processing. Jobs run with service accounts and can access various data sources. This command enumerates Dataflow jobs with their configuration and service accounts. |
| Loot file(s) | loot/dataflow-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Vertex AI Workbench notebooks |
| Aliases |
nb, jupyter, workbench
|
| Author | Bishop Fox |
| Background | Vertex AI Workbench (formerly AI Platform Notebooks) provides managed Jupyter environments. Notebooks run with service accounts and can have public IPs. This command enumerates notebooks with their access configuration and associated resources. |
| Use case 1: Notebook Access | Find notebooks that might be accessible for code execution. |
| Use case 2: Service Account Analysis | Identify notebooks running with elevated service accounts. |
| Loot file(s) | loot/notebooks-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate GKE Workload Identity and Workload Identity Federation |
| Aliases |
wi, gke-identity, workload-id
|
| Author | Bishop Fox |
| Background | Workload Identity allows GKE pods to authenticate as GCP service accounts without keys. Workload Identity Federation allows external identities (AWS, Azure, OIDC) to assume GCP service accounts. This command enumerates both configurations to understand cross-platform access paths. |
| Use case 1: GKE to GCP Access | Understand which K8s service accounts map to which GCP service accounts. |
| Use case 2: External Federation | Find AWS/Azure/OIDC identities that can assume GCP service accounts. |
| Loot file(s) | loot/workloadidentity-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Quick resource inventory - works without Cloud Asset API |
| Aliases |
inv, resources
|
| Author | Bishop Fox |
| Background | Quick resource inventory that works even when Cloud Asset API is not enabled. Enumerates resources across multiple GCP services (Compute, GKE, Cloud Run, Functions, Storage, BigQuery, Cloud SQL, and more) using individual service APIs. For deep analysis with IAM policies and resource dependencies, use asset-inventory instead. |
| Use case 1: Quick Overview | Get a fast overview of resources across projects without enabling Cloud Asset API. |
| Use case 2: Fallback Enumeration | When Cloud Asset API is not available, use this as a reliable alternative. |
| Loot file(s) | loot/inventory-resources.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate GCP Cloud Storage buckets with security configuration |
| Aliases |
buckets, gcs
|
| Author | Bishop Fox |
| Background | Cloud Storage buckets are the primary object storage in GCP. Buckets can be public, have complex IAM policies, and contain sensitive data. This command enumerates buckets with their security configuration including public access prevention, uniform bucket-level access, and encryption settings. |
| Use case 1: Public Bucket Discovery | Find buckets exposed to allUsers or allAuthenticatedUsers. |
| Use case 2: Security Configuration Review | Identify buckets without recommended security settings. |
| Use case 3: Data Access | Generate commands to list and download bucket contents. |
| Loot file(s) | loot/buckets-commands.txt |
Example:
❯ cloudfox gcp --project my-project storage
[storage] Enumerating Cloud Storage buckets...
╭───────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Cloud Storage Buckets │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────────┬───────────────┬──────────┬──────────────┬────────────┬────────────────╮
│ Bucket │ Location │ Public │ Uniform ACL │ Versioning │ Encryption │
├─────────────────────────────┼───────────────┼──────────┼──────────────┼────────────┼────────────────┤
│ company-public-assets │ US │ Yes │ Yes │ No │ Google-managed │
│ company-internal-data │ us-east1 │ No │ Yes │ Yes │ CMEK │
│ company-backups │ us-east1 │ No │ No │ Yes │ Google-managed │
╰─────────────────────────────┴───────────────┴──────────┴──────────────┴────────────┴────────────────╯
[buckets] Found 3 buckets
[buckets] WARNING: 1 bucket is publicly accessible
| Attribute | Value |
|---|---|
| Summary | Enumerate GCP BigQuery datasets and tables with security analysis |
| Aliases | bq |
| Author | Bishop Fox |
| Background | BigQuery is Google's serverless data warehouse. Datasets and tables have their own IAM policies and can be public. This command enumerates datasets with their location, encryption, and access configuration. |
| Use case 1: Public Dataset Discovery | Find datasets exposed to allUsers or allAuthenticatedUsers. |
| Use case 2: Data Inventory | Understand what data is available in BigQuery. |
| Loot file(s) | loot/bigquery-commands.txt |
Example:
❯ cloudfox gcp --project my-project bigquery
[bigquery] Enumerating BigQuery datasets...
╭─────────────────────────────────────────────────────────────────────────────────────────╮
│ BigQuery Datasets │
╰─────────────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────┬───────────────┬──────────┬────────────────┬───────────────────────╮
│ Dataset │ Location │ Public │ Encryption │ Tables │
├─────────────────────┼───────────────┼──────────┼────────────────┼───────────────────────┤
│ analytics │ US │ No │ Google-managed │ 15 │
│ public_data │ US │ Yes │ Google-managed │ 3 │
│ ml_training │ us-east1 │ No │ CMEK │ 8 │
╰─────────────────────┴───────────────┴──────────┴────────────────┴───────────────────────╯
[bigquery] Found 3 datasets with 26 tables
[bigquery] WARNING: 1 dataset is publicly accessible
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud SQL instances with security analysis |
| Aliases |
sql, database, db
|
| Author | Bishop Fox |
| Background | Cloud SQL provides managed MySQL, PostgreSQL, and SQL Server. Instances can have public IPs and various security configurations. This command enumerates instances with their network exposure, SSL requirements, and backup configuration. |
| Use case 1: Public Instance Discovery | Find Cloud SQL instances with public IP addresses. |
| Use case 2: Security Configuration Review | Identify instances without SSL enforcement or authorized networks. |
| Loot file(s) | loot/cloudsql-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Spanner instances and databases |
| Aliases | cloud-spanner |
| Author | Bishop Fox |
| Background | Cloud Spanner is Google's globally distributed relational database. This command enumerates Spanner instances and their databases with configuration details. |
| Loot file(s) | loot/spanner-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Bigtable instances and tables |
| Aliases | bt |
| Author | Bishop Fox |
| Background | Cloud Bigtable is a wide-column NoSQL database. Instances can have resource-level IAM policies. This command enumerates instances with their clusters, tables, and IAM configuration. |
| Loot file(s) | loot/bigtable-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Filestore NFS instances |
| Aliases |
nfs, files
|
| Author | Bishop Fox |
| Background | Filestore provides managed NFS file systems. Instances are network-attached and can be mounted from GCE instances and GKE clusters. This command enumerates instances with their network configuration and mount points. |
| Use case 1: Mount Target Discovery | Find Filestore instances that can be mounted from compromised instances. |
| Loot file(s) | loot/filestore-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Memorystore (Redis) instances |
| Aliases |
redis, cache
|
| Author | Bishop Fox |
| Background | Memorystore provides managed Redis and Memcached. Redis instances can contain cached credentials and session data. This command enumerates instances with their network configuration and access details. |
| Use case 1: Redis Access | Find Redis instances accessible from your network position. |
| Loot file(s) | loot/memorystore-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate VPC Networks |
| Aliases |
vpc, networks, net
|
| Author | Bishop Fox |
| Background | VPC networks define the network topology in GCP. This command enumerates networks with their subnets, peering connections, and routing configuration. Understanding the network topology is critical for planning lateral movement. Also generates an ASCII network diagram for quick visualization. |
| Use case 1: Network Topology | Understand the VPC structure and subnet layout. |
| Use case 2: Peering Analysis | Find VPC peering connections that enable cross-project access. |
| Use case 3: Visual Network Overview | Review ASCII diagram showing VPC topology with subnets and peerings. |
| Loot file(s) |
loot/vpcnetworks-commands.txt, loot/vpcnetworks-diagram.txt
|
ASCII Network Diagram Output (vpcnetworks-diagram.txt):
The module generates an ASCII diagram visualizing VPC network topology:
┌─────────────────────────────────────────────────────────────────────────────┐
│ VPC Network: prod-vpc │
│ Routing Mode: GLOBAL | Auto Subnets: No │
├─────────────────────────────────────────────────────────────────────────────┤
│ ┌──────────────────────┐ ┌──────────────────────┐ │
│ │ Subnet: prod-web │ │ Subnet: prod-app │ │
│ │ us-central1 │ │ us-central1 │ │
│ │ 10.128.0.0/20 │ │ 10.129.0.0/20 │ │
│ │ Private Access: Yes │ │ Private Access: Yes │ │
│ │ Flow Logs: Yes │ │ Flow Logs: No ⚠️ │ │
│ └──────────────────────┘ └──────────────────────┘ │
│ │
│ VPC Peerings: │
│ └─ prod-to-shared ←→ shared-vpc (shared-proj) [ACTIVE] │
└─────────────────────────────────────────────────────────────────────────────┘
| Attribute | Value |
|---|---|
| Summary | Enumerate VPC networks and firewall rules with security analysis |
| Aliases |
fw, firewall-rules, network-security
|
| Author | Bishop Fox |
| Background | GCP firewall rules control network access to instances. This command enumerates firewall rules with their targets, ports, and source/destination ranges. It identifies overly permissive rules that allow broad access. Also generates an ASCII network diagram for quick visualization. |
| Use case 1: Exposed Ports Discovery | Find firewall rules allowing internet access (0.0.0.0/0). |
| Use case 2: Lateral Movement Planning | Understand what network access is possible between resources. |
| Use case 3: Visual Security Assessment | Review ASCII diagram for quick overview of network security posture. |
| Loot file(s) |
loot/firewall-commands.txt, loot/firewall-diagram.txt
|
ASCII Network Diagram Output (firewall-diagram.txt):
The module generates an ASCII diagram visualizing firewall rules organized by network:
Network: prod-vpc
├─ Subnets: 5
├─ Peerings: prod-to-shared
│
├─ INGRESS Rules:
│ ├─ allow-ssh-corp [Priority: 1000]
│ │ └─ Source: 203.0.113.0/24 → tcp:22 → Tags: [allow-ssh]
│ │
│ ├─ allow-https [Priority: 1000]
│ │ └─ Source: 0.0.0.0/0 → tcp:443 → Tags: [web-server] ⚠️ PUBLIC
│ │
│ └─ allow-all-dev [Priority: 1000]
│ └─ Source: 0.0.0.0/0 → tcp:all → ALL ⚠️ CRITICAL: Public + All Ports
Legend:
⚠️ PUBLIC = Rule allows traffic from 0.0.0.0/0 (internet)
⚠️ CRITICAL = High-risk configuration (public + sensitive ports or all ports)
| Attribute | Value |
|---|---|
| Summary | Enumerate Load Balancers |
| Aliases |
lb, lbs
|
| Author | Bishop Fox |
| Background | Load balancers expose backend services to the internet or internal networks. This command enumerates all load balancer types (HTTP(S), TCP/UDP, Internal) with their frontends, backends, and health checks. Also generates an ASCII diagram for quick visualization of LB architecture and security status. |
| Use case 1: External Entry Points | Find load balancers exposing services to the internet. |
| Use case 2: WAF Coverage Analysis | Identify external LBs without Cloud Armor protection. |
| Use case 3: Visual Architecture Overview | Review ASCII diagram showing LB topology with WAF and SSL status. |
| Loot file(s) |
loot/loadbalancers-commands.txt, loot/loadbalancers-diagram.txt
|
ASCII Load Balancer Diagram Output (loadbalancers-diagram.txt):
The module generates an ASCII diagram visualizing load balancer architecture:
EXTERNAL LOAD BALANCERS
═══════════════════════
┌─────────────────────────────────────────────────────────────────────────────┐
│ 🌐 web-frontend (EXTERNAL HTTPS) │
│ IP: 34.120.1.100:443 | Region: global │
├─────────────────────────────────────────────────────────────────────────────┤
│ Internet → Cloud Armor (cloud-armor-policy) → SSL (TLS 1.2+ MODERN) │
│ │ │
│ ▼ │
│ Backend: web-backend (HTTPS:443) | CDN: Yes | Backends: web-ig-1, web-ig-2│
└─────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────┐
│ ⚠️ api-gateway (EXTERNAL HTTPS) - NO WAF PROTECTION │
│ IP: 34.120.1.101:443 | Region: global │
├─────────────────────────────────────────────────────────────────────────────┤
│ ⚠️ No Cloud Armor Policy Attached! │
└─────────────────────────────────────────────────────────────────────────────┘
SSL POLICIES SUMMARY
════════════════════
│ modern-policy │ TLS_1_2 │ MODERN │ ✅ Secure │
│ legacy-policy │ TLS_1_0 │ COMPATIBLE │ ⚠️ CRITICAL - Weak TLS Version │
Legend: 🌐 = External, 🔒 = Internal, ⚠️ = Security concern, ✅ = Secure
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud DNS zones and records with security analysis |
| Aliases |
zones, cloud-dns
|
| Author | Bishop Fox |
| Background | Cloud DNS manages DNS zones and records. This command enumerates DNS zones with their records, which can reveal internal hostnames and service endpoints. DNSSEC configuration is also analyzed. |
| Use case 1: Service Discovery | Find internal services through DNS records. |
| Use case 2: Subdomain Enumeration | Discover all DNS records for reconnaissance. |
| Loot file(s) | loot/dns-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate all network endpoints (external and internal) with IPs, ports, and hostnames |
| Aliases |
exposure, external, public-ips, internet-facing
|
| Author | Bishop Fox |
| Background | This command aggregates network endpoints from multiple services (Compute, GKE, Cloud Run, Functions, Load Balancers, etc.) into a single view. It's useful for understanding the complete attack surface. |
| Use case 1: Attack Surface Mapping | Get a comprehensive list of all endpoints in the environment. |
| Use case 2: External Exposure | Focus on externally accessible endpoints for initial access. |
| Loot file(s) |
loot/endpoints-external-commands.txt, loot/endpoints-internal-commands.txt
|
| Attribute | Value |
|---|---|
| Summary | Enumerate Private Service Connect endpoints and service attachments |
| Aliases |
psc, private-endpoints, internal-endpoints
|
| Author | Bishop Fox |
| Background | Private Service Connect enables private connectivity to Google APIs and services. This command enumerates PSC endpoints and service attachments to understand private network paths. |
| Loot file(s) | loot/private-service-connect-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Visualize VPC network topology, peering relationships, and trust boundaries |
| Aliases |
topology, network-map, vpc-topology
|
| Author | Bishop Fox |
| Background | This command creates a visualization of the network topology including VPC peering, shared VPCs, Cloud NAT, and interconnect. It helps understand the overall network architecture for planning lateral movement. Generates a comprehensive ASCII diagram. |
| Use case 1: Network Architecture Overview | Understand the complete network structure across projects. |
| Use case 2: Shared VPC Analysis | Identify Shared VPC host/service project relationships. |
| Use case 3: Lateral Movement Planning | Visualize connectivity paths between VPCs and projects. |
| Loot file(s) |
loot/network-topology-commands.txt, loot/network-topology-diagram.txt
|
ASCII Network Topology Diagram Output (network-topology-diagram.txt):
The module generates a comprehensive ASCII diagram visualizing network topology:
┌─────────────────────────────────────────────────────────────────────────────┐
│ VPC: prod-vpc (GLOBAL) [Shared VPC Host] │
├─────────────────────────────────────────────────────────────────────────────┤
│ Subnets: │
│ ├─ prod-subnet-1 (us-central1) - 10.128.0.0/20 │
│ │ Private Access: Yes | Flow Logs: Yes │
│ ├─ prod-subnet-2 (us-east1) - 10.129.0.0/20 │
│ │ Private Access: Yes | Flow Logs: No ⚠️ │
│ │
│ Cloud NAT: │
│ └─ prod-nat (us-central1) - NAT IPs: AUTO | Logging: Yes │
│ │
│ VPC Peerings: │
│ └─ prod-to-dev ←→ dev-vpc (dev-project-456) │
│ State: ACTIVE | Import Routes: Yes | Export Routes: Yes │
│ │
│ Service Projects (Shared VPC): │
│ └─ service-project-1, service-project-2 │
└─────────────────────────────────────────────────────────────────────────────┘
Network Connectivity Summary:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
prod-vpc ←→ dev-vpc (via peering)
Legend: ⚠️ = Security concern, ←→ = Bidirectional peering, [Shared VPC Host] = Hosts network for service projects
| Attribute | Value |
|---|---|
| Summary | Enumerate VPC Service Controls |
| Aliases |
vpcsc, service-controls, sc
|
| Author | Bishop Fox |
| Background | VPC Service Controls create security perimeters around GCP resources to prevent data exfiltration. This command enumerates access policies, perimeters, and access levels. Understanding VPC-SC configuration is critical for planning data exfiltration or understanding why certain operations fail. |
| Use case 1: Perimeter Analysis | Understand which resources are protected by VPC-SC. |
| Use case 2: Bypass Research | Identify ingress/egress policies that might allow data movement. |
| Flags |
--org: Organization ID to enumerate VPC-SC policies for |
| Loot file(s) | loot/vpcsc-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Access Context Manager access levels |
| Aliases |
conditional-access, ca
|
| Author | Bishop Fox |
| Background | Access levels define conditions for accessing resources (IP ranges, device policies, etc.). They work with VPC-SC and IAM Conditions. This command enumerates access levels with their conditions. |
| Flags |
--org: Organization ID to enumerate access levels for |
| Loot file(s) |
loot/access-levels-details.txt, loot/access-levels-allowed-ips.txt
|
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Armor security policies and find weaknesses |
| Aliases |
armor, waf, security-policies
|
| Author | Bishop Fox |
| Background | Cloud Armor provides WAF and DDoS protection for load balancers. This command enumerates security policies with their rules and identifies potential bypasses or misconfigurations. Outputs table files only (no loot files). |
| Attribute | Value |
|---|---|
| Summary | Enumerate Identity-Aware Proxy configurations |
| Aliases | identity-aware-proxy |
| Author | Bishop Fox |
| Background | Identity-Aware Proxy (IAP) controls access to applications based on user identity. This command enumerates IAP-protected resources and their access configuration. |
| Loot file(s) | loot/iap-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate BeyondCorp Enterprise configurations |
| Aliases |
bc, zero-trust
|
| Author | Bishop Fox |
| Background | BeyondCorp Enterprise provides zero-trust access to applications. This command enumerates BeyondCorp connectors and access policies. |
| Loot file(s) | loot/beyondcorp-details.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud KMS key rings and crypto keys with security analysis |
| Aliases |
crypto, encryption-keys
|
| Author | Bishop Fox |
| Background | Cloud KMS manages encryption keys used to protect data. Understanding KMS configuration is important for decrypting data and identifying key management weaknesses. This command enumerates key rings, keys, and their IAM policies. |
| Use case 1: Key Inventory | Find all encryption keys and their purposes. |
| Use case 2: IAM Analysis | Identify who can use or manage encryption keys. |
| Loot file(s) | loot/kms-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate GCP Secret Manager secrets with security configuration |
| Aliases |
secretmanager, sm
|
| Author | Bishop Fox |
| Background | Secret Manager stores sensitive data like API keys, passwords, and certificates. This command enumerates secrets with their metadata and IAM policies. It identifies who can access each secret. |
| Use case 1: Secret Discovery | Find secrets that your identity can access. |
| Use case 2: Access Analysis | Identify overly permissive secret IAM policies. |
| Loot file(s) | loot/secrets-commands.txt |
Example:
❯ cloudfox gcp --project my-project secrets
[secrets] Enumerating Secret Manager secrets...
╭────────────────────────────────────────────────────────────────────────────────────╮
│ Secrets │
╰────────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────┬────────────────┬──────────┬────────────┬─────────────────╮
│ Secret │ Encryption │ Versions │ Rotation │ IAM Members │
├─────────────────────────┼────────────────┼──────────┼────────────┼─────────────────┤
│ database-password │ Google-managed │ 3 │ No │ 2 │
│ api-key-production │ CMEK │ 5 │ Yes │ 4 │
│ service-account-key │ Google-managed │ 1 │ No │ 1 │
╰─────────────────────────┴────────────────┴──────────┴────────────┴─────────────────╯
[secrets] Found 3 secrets
| Attribute | Value |
|---|---|
| Summary | Enumerate SSL/TLS certificates and find expiring or misconfigured certs |
| Aliases |
certs, certificates, ssl
|
| Author | Bishop Fox |
| Background | Certificate Manager manages SSL/TLS certificates. This command enumerates certificates with their expiration dates and identifies certificates that need attention. Outputs table files only (no loot files). |
| Attribute | Value |
|---|---|
| Summary | Enumerate organization policies and identify security weaknesses |
| Aliases |
orgpolicy, policies
|
| Author | Bishop Fox |
| Background | Organization policies enforce constraints across the GCP hierarchy. This command enumerates policies and identifies where security-relevant constraints are not enforced. |
| Loot file(s) | loot/orgpolicies-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate GCP Artifact Registry and Container Registry with security configuration |
| Aliases |
ar, artifacts, gcr
|
| Author | Bishop Fox |
| Background | Artifact Registry stores Docker images, language packages, and other artifacts. This command enumerates repositories with their access configuration and identifies public repositories. |
| Use case 1: Image Discovery | Find container images for analysis or supply chain attacks. |
| Use case 2: Public Repository Detection | Identify repositories exposed to allUsers. |
| Loot file(s) | loot/artifact-registry-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Build triggers and builds |
| Aliases |
cb, build, builds
|
| Author | Bishop Fox |
| Background | Cloud Build is GCP's CI/CD service. Build triggers can be configured to run with elevated service accounts. This command enumerates triggers, their source repositories, and associated service accounts. |
| Use case 1: CI/CD Attack Surface | Find build triggers that could be compromised. |
| Use case 2: Privilege Escalation | Identify triggers running with elevated service accounts. |
| Loot file(s) | loot/cloudbuild-details.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Source Repositories |
| Aliases |
repos, csr, git
|
| Author | Bishop Fox |
| Background | Cloud Source Repositories are Git repositories hosted in GCP. This command enumerates repositories with their access configuration. |
| Use case 1: Code Access | Find repositories you can clone for code analysis. |
| Loot file(s) | loot/sourcerepos-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Scheduler jobs with security analysis |
| Aliases |
cron, jobs
|
| Author | Bishop Fox |
| Background | Cloud Scheduler runs scheduled jobs that invoke HTTP endpoints, Pub/Sub, or App Engine. Jobs run with service accounts. This command enumerates jobs with their targets and credentials. |
| Use case 1: Scheduled Task Discovery | Find scheduled jobs and their targets. |
| Use case 2: Service Account Analysis | Identify jobs running with elevated service accounts. |
| Loot file(s) | loot/scheduler-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Pub/Sub topics and subscriptions with security analysis |
| Aliases |
ps, topics, subscriptions
|
| Author | Bishop Fox |
| Background | Pub/Sub is GCP's messaging service. Topics and subscriptions have their own IAM policies. This command enumerates Pub/Sub resources with their configuration and access policies. |
| Use case 1: Message Access | Find topics/subscriptions you can publish to or read from. |
| Use case 2: Event Flow Analysis | Understand event-driven architecture. |
| Loot file(s) | loot/pubsub-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Logging sinks and metrics with security analysis |
| Aliases |
logs, sinks, log-sinks, logging-gaps
|
| Author | Bishop Fox |
| Background | Cloud Logging exports logs to various destinations. This command enumerates log sinks, their destinations, and filters. Understanding logging configuration helps identify monitoring gaps. The logging-gaps alias runs the same analysis focusing on coverage gaps. |
| Use case 1: Log Sink Discovery | Find where logs are being exported. |
| Use case 2: Coverage Analysis | Identify what events are being logged. |
| Loot file(s) | loot/logging-commands.txt |
| Attribute | Value |
|---|---|
| Summary | Enumerate GCP organization hierarchy |
| Aliases |
org, orgs, hierarchy
|
| Author | Bishop Fox |
| Background | GCP organizations contain folders and projects in a hierarchy. This command enumerates the organization structure to understand the scope of access and IAM inheritance. |
| Use case 1: Scope Understanding | Map the organization hierarchy you have access to. |
| Loot file(s) |
loot/org-commands.txt, loot/org-map.txt, loot/org-tree.txt, loot/org-scope-hierarchy.txt
|
| Attribute | Value |
|---|---|
| Summary | Enumerate Cloud Asset Inventory with optional dependency analysis |
| Aliases |
assets, cai, resource-graph
|
| Author | Bishop Fox |
| Background | Cloud Asset Inventory provides a comprehensive view of all GCP resources. This command leverages the Asset API to enumerate resources across the organization with their relationships. |
| Use case 1: Complete Inventory | Get a comprehensive list of all resources. |
| Use case 2: Dependency Mapping | Understand resource relationships. |
| Flags |
--types: Filter by asset types, --counts: Show resource counts, --iam: Include IAM analysis, --dependencies: Include dependency analysis, --all: Run all analyses |
| Loot file(s) |
loot/asset-inventory-details.txt, loot/asset-inventory-commands.txt
|
| Attribute | Value |
|---|---|
| Summary | Enumerate backup policies, protected resources, and identify backup gaps |
| Aliases |
backups, backup, snapshots, dr
|
| Author | Bishop Fox |
| Background | This command enumerates backup configurations across services (snapshots, Cloud SQL backups, etc.) and identifies resources without adequate backup protection. |
| Use case 1: Backup Coverage | Understand what is and isn't backed up. |
| Loot file(s) | loot/backup-inventory-commands.txt |
CloudFox uses a unified attack path analysis system that combines privilege escalation, lateral movement, and data exfiltration analysis into a single attackpathService. This provides:
- Single analysis for all attack types: One pass analyzes privesc, lateral, and exfil capabilities
- Shared cache across modules: Results are cached and reusable by other modules
- IAM hierarchy coverage: Analyzes Organization → Folder → Project → Resource levels
When running compute/service modules, add --attack-paths to see attack path capabilities for service accounts:
# Run instances module with attack path analysis
cloudfox gcp instances -p my-project --attack-paths
# Run service accounts module with attack path analysis
cloudfox gcp serviceaccounts --all-projects --attack-paths
# Run GKE module with attack path analysis
cloudfox gcp gke -a --attack-pathsThis adds an "Attack Paths" column showing:
-
-- No analysis performed -
No- No attack paths found for this service account -
Yes (P:3 E:2 L:1)- Attack paths found:- P = Privilege Escalation count
- E = Data Exfiltration count
- L = Lateral Movement count
Modules supporting --attack-paths: instances, serviceaccounts, functions, cloudrun, gke, composer, dataproc, dataflow, notebooks, cloudbuild, scheduler, appengine
| Attribute | Value |
|---|---|
| Summary | Map lateral movement paths, credential theft vectors, and pivot opportunities |
| Aliases |
lateral, pivot
|
| Author | Bishop Fox |
| Scope | Organization, Folder, Project, and Resource levels |
| Backend |
attackpathService (unified with privesc and data-exfiltration) |
| Background | This command analyzes the environment across all IAM hierarchy levels to identify lateral movement opportunities including service account impersonation, SSH access, VPC connectivity, and more. |
| Use case 1: Attack Path Discovery | Find paths to move through the environment. |
| Use case 2: Pivot Planning | Identify next steps after initial access. |
| Loot file(s) | loot/lateral-movement-commands.txt |
Lateral Movement Permissions Analyzed:
| Category | Permission | Risk Level |
|---|---|---|
| SA Impersonation | iam.serviceAccounts.getAccessToken |
CRITICAL |
| SA Impersonation | iam.serviceAccounts.signBlob |
CRITICAL |
| Network | compute.networks.addPeering |
CRITICAL |
| Compute Access | compute.instances.osAdminLogin |
CRITICAL |
| GKE | container.clusters.getCredentials |
HIGH |
| Compute Access | compute.instances.setMetadata |
HIGH |
| Network | compute.firewalls.create |
HIGH |
| Attribute | Value |
|---|---|
| Summary | Identify data exfiltration paths, potential vectors, and missing security controls |
| Aliases |
exfil, data-exfil, exfiltration
|
| Author | Bishop Fox |
| Scope | Organization, Folder, Project, and Resource levels |
| Backend |
attackpathService (unified with privesc and lateral-movement) |
| Background | This command identifies data exfiltration risks by analyzing actual configurations across all IAM hierarchy levels. It produces three tables: (1) Misconfigurations - actual misconfigured resources like public snapshots, buckets, cross-project logging sinks; (2) Potential Vectors - services that could be used for exfiltration like BigQuery export, Cloud Functions, Cloud Run; (3) Hardening Recommendations - missing security controls like org policies and VPC-SC that should be enabled. |
| Use case 1: Exfiltration Planning | Identify methods to extract data from the environment. |
| Use case 2: Security Control Assessment | Find resources without adequate protection. |
| Use case 3: Hardening Guidance | Get recommendations for enabling missing security controls. |
| Loot file(s) | loot/data-exfiltration-commands.txt |
Output Tables:
Table 1: Misconfigurations (data-exfiltration-misconfigurations)
| Column | Description |
|---|---|
| Project ID | GCP project identifier |
| Project Name | Human-readable project name |
| Resource | Resource name |
| Type | Exfiltration path type (Public Snapshot, Logging Sink, Pub/Sub Push, etc.) |
| Destination | Where data can flow |
| Public | Yes/No - Is resource publicly accessible |
| Size | Resource size if applicable |
Table 2: Potential Vectors (data-exfiltration-vectors)
| Column | Description |
|---|---|
| Project ID | GCP project identifier |
| Project Name | Human-readable project name |
| Resource | Resource name or * for generic |
| Type | Vector type (BigQuery Export, Cloud Function, Cloud Run, Logging Sink, Pub/Sub) |
| Destination | Where data could flow |
| Public | Always No for vectors |
| Size | Always - for vectors |
Table 3: Hardening (data-exfiltration-hardening)
| Column | Description |
|---|---|
| Project ID | GCP project identifier |
| Project Name | Human-readable project name |
| Category | Service category (Storage, IAM, Cloud Functions, BigQuery, VPC Service Controls) |
| Control | Org policy or configuration name |
| Description | What the control protects against |
Security Controls Checked:
-
storage.publicAccessPrevention- Prevents public bucket access -
iam.allowedPolicyMemberDomains- Restricts IAM to approved domains -
sql.restrictPublicIp- Prevents public Cloud SQL IPs -
cloudfunctions.requireVPCConnector- Requires VPC connector for Cloud Functions -
run.allowedIngress- Restricts Cloud Run ingress -
bigquery.disableBQOmniAWS/Azure- Prevents BigQuery Omni cross-cloud connections - VPC-SC Perimeter - VPC Service Controls protection
Example:
❯ cloudfox gcp --project my-project data-exfiltration
[data-exfiltration] Identifying data exfiltration paths and potential vectors...
[data-exfiltration] Enumerating resources for 1 project(s)
[data-exfiltration] Found 3 actual misconfiguration(s)
[data-exfiltration] Found 4 potential exfiltration vector(s)
[data-exfiltration] Found 8 hardening recommendation(s)
╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ data-exfiltration-misconfigurations │
├──────────────────┬────────────────┬────────────────────┬─────────────────┬─────────────────────────┬────────┬──┤
│ Project ID │ Project Name │ Resource │ Type │ Destination │ Public │ │
├──────────────────┼────────────────┼────────────────────┼─────────────────┼─────────────────────────┼────────┼──┤
│ prod-project-123 │ Production │ db-backup-snapshot │ Public Snapshot │ Anyone: allUsers │ Yes │ │
│ prod-project-123 │ Production │ audit-sink │ Logging Sink │ bigquery.googleapis.com │ No │ │
╰──────────────────┴────────────────┴────────────────────┴─────────────────┴─────────────────────────┴────────┴──╯
╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ data-exfiltration-vectors │
├──────────────────┬────────────────┬──────────┬──────────────────────┬─────────────────────────────────┬────────┤
│ Project ID │ Project Name │ Resource │ Type │ Destination │ Public │
├──────────────────┼────────────────┼──────────┼──────────────────────┼─────────────────────────────────┼────────┤
│ prod-project-123 │ Production │ * │ BigQuery Export │ GCS bucket or external table │ No │
│ prod-project-123 │ Production │ * │ Cloud Function │ External HTTP endpoint │ No │
╰──────────────────┴────────────────┴──────────┴──────────────────────┴─────────────────────────────────┴────────╯
╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ data-exfiltration-hardening │
├──────────────────┬────────────────┬─────────────────────┬────────────────────────────────┬─────────────────────┤
│ Project ID │ Project Name │ Category │ Control │ Description │
├──────────────────┼────────────────┼─────────────────────┼────────────────────────────────┼─────────────────────┤
│ prod-project-123 │ Production │ Storage │ storage.publicAccessPrevention │ Prevents public... │
│ prod-project-123 │ Production │ VPC Service Controls│ VPC-SC Perimeter │ Creates perimeter...│
╰──────────────────┴────────────────┴─────────────────────┴────────────────────────────────┴─────────────────────╯
| Attribute | Value |
|---|---|
| Summary | Find resources with allUsers/allAuthenticatedUsers access across 16 GCP services |
| Aliases |
public, allUsers, public-resources
|
| Author | Bishop Fox |
| Background | This command scans 16 GCP services to find resources with IAM policies granting access to allUsers (anonymous) or allAuthenticatedUsers (any Google account). These bindings make resources publicly accessible and represent significant security risks. Services checked include: Cloud Storage Buckets, BigQuery Datasets, Compute Snapshots, VM Images, Cloud Functions, Cloud Run, App Engine, Pub/Sub Topics, KMS Keys, Secret Manager, Artifact Registry, Spanner, Dataflow, Dataproc, Notebooks, and Source Repositories. |
| Use case 1: Public Resource Discovery | Find all resources exposed to the internet or any Google account. |
| Use case 2: Compliance Assessment | Identify resources violating "no public access" policies. |
| Use case 3: Attack Surface Mapping | Understand external attack surface through public resources. |
| Loot file(s) | loot/public-access-commands.txt |
Output Columns:
| Column | Description |
|---|---|
| Project ID | GCP project identifier |
| Project Name | Human-readable project name |
| Resource Type | Type of resource (Bucket, Function, Snapshot, etc.) |
| Resource Name | Specific resource identifier |
| Location | Resource location/region |
| Access Level |
allUsers or allAuthenticatedUsers
|
| Role | IAM role granted to public |
| Size | Resource size if applicable |
| Additional Info | Extra context (URL, description) |
Example:
❯ cloudfox gcp --project my-project public-access
[public-access] Checking 16 GCP services for public access...
[public-access] Checking Cloud Storage buckets...
[public-access] Checking Compute snapshots and images...
[public-access] Checking Cloud Functions...
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ public-access │
├──────────────────┬──────────────┬───────────────┬─────────────────────┬──────────────┬──────────────────────┬────────────────┬───────┬───────┤
│ Project ID │ Project Name │ Resource Type │ Resource Name │ Location │ Access Level │ Role │ Size │ Info │
├──────────────────┼──────────────┼───────────────┼─────────────────────┼──────────────┼──────────────────────┼────────────────┼───────┼───────┤
│ prod-project-123 │ Production │ Bucket │ public-assets │ us-central1 │ allUsers │ storage.viewer │ 50 GB │ │
│ prod-project-123 │ Production │ Cloud Run │ public-api │ us-central1 │ allUsers │ run.invoker │ - │ URL │
│ prod-project-123 │ Production │ Function │ webhook-handler │ us-central1 │ allAuthenticatedUsers│ invoker │ - │ URL │
│ dev-project-456 │ Development │ Snapshot │ db-backup-snapshot │ global │ allUsers │ compute.user │ 100GB │ │
│ dev-project-456 │ Development │ Secret │ api-key │ global │ allAuthenticatedUsers│ accessor │ - │ │
╰──────────────────┴──────────────┴───────────────┴─────────────────────┴──────────────┴──────────────────────┴────────────────┴───────┴───────╯
[public-access] Found 5 publicly accessible resource(s) in 2 project(s)
| Attribute | Value |
|---|---|
| Summary | Analyze cross-project IAM bindings, logging sinks, and Pub/Sub exports for lateral movement |
| Aliases |
cross-project, xproject
|
| Author | Bishop Fox |
| Background | This command analyzes cross-project access patterns to identify lateral movement paths between GCP projects. It maps service accounts with multi-project access, IAM bindings granting cross-project roles, logging sinks exporting to other projects (data exfiltration via logs), and Pub/Sub subscriptions exporting messages to BigQuery/GCS/push endpoints in other projects. All findings are merged into a single unified table with a Type column. |
| Use case 1: Lateral Movement Planning | Find paths to move between projects. |
| Use case 2: Trust Analysis | Understand cross-project trust relationships. |
| Use case 3: External Access Detection | Find external principals (cross-tenant) with access to your projects. |
| Use case 4: Data Flow Analysis | Identify logging sinks and Pub/Sub exports crossing project boundaries. |
| Loot file(s) | loot/crossproject-commands.txt |
Output Columns:
| Column | Description |
|---|---|
| Source Project Name | Where the principal/resource originates |
| Source Project ID | Source project identifier |
| Principal/Resource | SA, user, sink name, or subscription |
| Type | IAM Binding, Service Account, Lateral Movement, Logging Sink, or Pub/Sub Export |
| Action/Destination | Role granted or export destination |
| Target Project Name | Project being accessed or receiving data |
| Target Project ID | Target project identifier |
| External | Yes/No - Cross-tenant principal (supply chain risk indicator) |
Example:
❯ cloudfox gcp --project-list projects.txt cross-project
[cross-project] Analyzing cross-project access patterns...
[cross-project] Processing 5 projects...
[cross-project] Analyzing IAM bindings for cross-project principals...
[cross-project] Finding cross-project logging sinks...
[cross-project] Finding cross-project Pub/Sub exports...
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ crossproject │
├──────────────────┬──────────────────┬────────────────────────────────────┬─────────────────┬───────────────────────────┬──────────────────┬──────┤
│ Source Proj Name │ Source Proj ID │ Principal/Resource │ Type │ Action/Destination │ Target Proj ID │ Ext │
├──────────────────┼──────────────────┼────────────────────────────────────┼─────────────────┼───────────────────────────┼──────────────────┼──────┤
│ Dev Project │ dev-project-123 │ deploy-sa@dev-project.iam.gserv...│ IAM Binding │ roles/owner │ prod-project-456 │ No │
│ External │ ext-project-789 │ external-sa@ext-project.iam.gs... │ IAM Binding │ roles/storage.admin │ prod-project-456 │ Yes │
│ Dev Project │ dev-project-123 │ deploy-sa@dev-project.iam.gserv...│ Service Account │ roles/compute.admin │ prod-project-456 │ No │
│ Prod Project │ prod-project-456 │ audit-sink │ Logging Sink │ BigQuery: (all logs) │ audit-proj-789 │ No │
│ Prod Project │ prod-project-456 │ export-subscription │ Pub/Sub Export │ BigQuery -> audit.events │ audit-proj-789 │ No │
╰──────────────────┴──────────────────┴────────────────────────────────────┴─────────────────┴───────────────────────────┴──────────────────┴──────╯
[cross-project] Found 2 binding(s), 1 SA(s), 0 lateral path(s), 1 logging sink(s), 1 pubsub export(s)
| Attribute | Value |
|---|---|
| Summary | Run FoxMapper (graph-based IAM analysis) for privilege escalation path discovery |
| Aliases |
fm, pmapper
|
| Author | Bishop Fox |
| Background | FoxMapper builds a graph of IAM relationships and analyzes privilege escalation paths. It integrates with PMapper-style analysis to find paths from any principal to higher-privilege roles. This command runs the FoxMapper analysis and outputs results that other commands (like privesc, hidden-admins, etc.) can consume via --attack-paths. |
| Use case 1: Privilege Escalation Discovery | Find paths from current identity to admin/owner roles. |
| Use case 2: Attack Path Analysis | Map all privilege escalation paths across the environment. |
| Flags |
--org: Organization ID, --project: Project ID, --foxmapper-path: Custom path to FoxMapper data |
| Loot file(s) |
loot/foxmapper.txt, loot/foxmapper-paths.txt
|
These modules scan GCP resources for sensitive data indicators. They use a centralized pattern library to detect credentials, secrets, tokens, PII, and compliance-labeled data across different services. These modules are not included in all-checks and must be run individually.
| Attribute | Value |
|---|---|
| Summary | Enumerate GCS buckets for sensitive files (credentials, secrets, configs) |
| Aliases |
bucket-enum, bucket-scan, gcs-enum, sensitive-files
|
| Author | Bishop Fox |
| Background | Beyond just finding buckets, this command searches for sensitive files within accessible buckets. It looks for common credential patterns, configuration files, and secrets that are often accidentally exposed in cloud storage. Use --all-objects to enumerate ALL bucket contents (not just sensitive files) for comprehensive inventory. |
| Use case 1: Credential Discovery | Find leaked service account keys, API keys, or passwords. |
| Use case 2: Configuration Files | Discover .env files, config.json, terraform.tfstate, etc. |
| Use case 3: Full Bucket Inventory | Use --all-objects to enumerate all objects in buckets for complete visibility. |
| Flags |
--max-objects: Maximum objects to scan per bucket (default 1000, 0 for unlimited)--all-objects: Enumerate ALL bucket contents, not just sensitive files (implies --no-limit unless --max-objects is set)--no-limit: Remove the object limit (enumerate all objects in each bucket) |
| Loot file(s) |
loot/storage-enum-sensitive-commands.txt, loot/storage-enum-commands.txt, loot/storage-enum-all-commands.txt (with --all-objects) |
Example 1: Scan for sensitive files (default)
❯ cloudfox gcp --project my-project storage-enum
[storage-enum] Scanning buckets for sensitive files (1000 objects per bucket)...
[storage-enum] Found 5 bucket(s) in project my-project
[storage-enum] Found 23 potentially sensitive file(s) (8 CRITICAL, 12 HIGH)
╭────────────┬──────────────────────┬──────────────────────────────────────────┬────────────┬──────────┬────────┬────────────────┬──────────────────────────────╮
│ Project │ Bucket │ Object Name │ Category │ Size │ Public │ Encryption │ Description │
├────────────┼──────────────────────┼──────────────────────────────────────────┼────────────┼──────────┼────────┼────────────────┼──────────────────────────────┤
│ My Project │ company-backups │ keys/prod-service-account.json │ Credential │ 2.3 KB │ No │ Google-managed │ Service account key file │
│ My Project │ company-backups │ ssh/id_rsa │ Credential │ 1.7 KB │ No │ Google-managed │ SSH private key │
│ My Project │ company-config │ .env.production │ Secret │ 512 B │ Yes │ Google-managed │ Environment variables │
╰────────────┴──────────────────────┴──────────────────────────────────────────┴────────────┴──────────┴────────┴────────────────┴──────────────────────────────╯
Example 2: Enumerate ALL bucket contents
❯ cloudfox gcp --project my-project storage-enum --all-objects
[storage-enum] Enumerating ALL bucket contents (unlimited objects per bucket)...
[storage-enum] Found 3 bucket(s) in project my-project
[storage-enum] Found 1,247 object(s) across all buckets (15 public)
Example 3: Full enumeration with limit
❯ cloudfox gcp --project my-project storage-enum --all-objects --max-objects 500
[storage-enum] Enumerating ALL bucket contents (500 objects per bucket)...
| Attribute | Value |
|---|---|
| Summary | Scan Cloud Logging entries for sensitive data (credentials, tokens, PII) |
| Aliases |
log-enum, log-scan, sensitive-logs
|
| Author | Bishop Fox |
| Background | Applications and infrastructure often inadvertently log sensitive data: credentials in debug output, tokens in HTTP headers, PII in application logs. This command reads recent Cloud Logging entries and applies regex-based content matching to detect credentials, secrets, tokens, and PII that may have been logged. |
| Use case 1: Credential Leakage | Find GCP service account keys, AWS access keys, private keys, or API keys in log output. |
| Use case 2: Token Discovery | Detect JWTs, OAuth tokens, bearer tokens, or GitHub tokens logged during normal operations. |
| Use case 3: PII Detection | Identify credit card numbers, SSNs, or other PII in application logs. |
| Flags |
--hours: Hours of logs to scan (default 168 = 7 days)--max-entries: Maximum log entries to process per project (default 50000)--log-name: Optional filter to a specific log name |
| Loot file(s) | loot/logging-enum-commands.txt |
Example 1: Scan last 7 days of logs (default)
❯ cloudfox gcp --project my-project logging-enum
[logging-enum] Scanning log entries (last 168 hours, max 50000 entries per project)...
[logging-enum] Found 7 sensitive log entries (2 CRITICAL, 3 HIGH)
╭────────────┬─────────────────────┬──────────────────────────┬────────────┬────────────┬──────────────────────────┬───────────────────┬────────────────────╮
│ Project │ Log Name │ Timestamp │ Category │ Risk Level │ Description │ Resource Type │ Snippet │
├────────────┼─────────────────────┼──────────────────────────┼────────────┼────────────┼──────────────────────────┼───────────────────┼────────────────────┤
│ My Project │ cloudaudit.activity │ 2026-02-25T14:30:00Z │ Credential │ CRITICAL │ GCP service account key │ gce_instance │ "type": "servic... │
│ My Project │ stderr │ 2026-02-25T12:15:00Z │ Token │ HIGH │ JWT token │ cloud_function │ token=eyJhbGci... │
│ My Project │ stdout │ 2026-02-24T09:00:00Z │ Secret │ HIGH │ Password assignment │ gke_container │ db_password=Sup... │
╰────────────┴─────────────────────┴──────────────────────────┴────────────┴────────────┴──────────────────────────┴───────────────────┴────────────────────╯
Example 2: Scan last hour with specific log
❯ cloudfox gcp --project my-project logging-enum --hours 1 --log-name stderr
[logging-enum] Scanning log entries (last 1 hours, max 50000 entries per project)...
| Attribute | Value |
|---|---|
| Summary | Scan BigQuery datasets, tables, and columns for sensitive data indicators |
| Aliases |
bq-enum, bq-scan
|
| Author | Bishop Fox |
| Background | BigQuery datasets often store sensitive data that can be identified by examining resource names. This command scans dataset names, table names, and column names against patterns that indicate credentials, PII, financial data, or compliance-labeled resources. An optional data sampling mode can read rows from flagged tables and scan actual content for embedded secrets. |
| Use case 1: Schema Analysis | Identify tables and columns with names suggesting they contain passwords, tokens, SSNs, credit cards, or other sensitive data. |
| Use case 2: Compliance Data Discovery | Find datasets and tables labeled with PII, PHI, HIPAA, or GDPR keywords. |
| Use case 3: Content Scanning | Use --sample-data to read rows from flagged tables and detect embedded credentials or tokens. |
| Flags |
--sample-data: Enable data sampling on flagged tables (default off)--max-rows: Maximum rows to sample per table (default 100)--max-tables: Maximum tables to scan per project (default 50) |
| Loot file(s) | loot/bigquery-enum-commands.txt |
Example 1: Metadata scan (default)
❯ cloudfox gcp --project my-project bigquery-enum
[bigquery-enum] Scanning BigQuery resources (metadata scan, max 50 tables per project)...
[bigquery-enum] Found 12 sensitive BigQuery resources (1 CRITICAL, 6 HIGH)
╭────────────┬───────────────┬──────────────────┬──────────────────┬────────────┬────────────┬────────────┬──────────────────────────────────╮
│ Project │ Dataset │ Table │ Column │ Match Type │ Category │ Risk Level │ Description │
├────────────┼───────────────┼──────────────────┼──────────────────┼────────────┼────────────┼────────────┼──────────────────────────────────┤
│ My Project │ raw_pii_data │ │ │ name │ Compliance │ HIGH │ Dataset name: PII-labeled │
│ My Project │ users │ user_credentials │ │ name │ Credential │ HIGH │ Table name: Credential-related │
│ My Project │ users │ user_credentials │ password_hash │ name │ Credential │ HIGH │ Column name: Password-related │
│ My Project │ payments │ transactions │ credit_card │ name │ PII │ HIGH │ Column name: Credit card │
╰────────────┴───────────────┴──────────────────┴──────────────────┴────────────┴────────────┴────────────┴──────────────────────────────────╯
Example 2: Metadata scan with data sampling
❯ cloudfox gcp --project my-project bigquery-enum --sample-data --max-rows 50
[bigquery-enum] Scanning BigQuery resources (metadata scan + data sampling, max 50 tables per project)...
[bigquery-enum] Found 15 sensitive BigQuery resources (3 CRITICAL, 8 HIGH)
| Attribute | Value |
|---|---|
| Summary | Scan Bigtable instances, tables, and column families for sensitive data indicators |
| Aliases |
bt-enum, bt-scan
|
| Author | Bishop Fox |
| Background | Bigtable instances can store sensitive data identifiable through resource naming conventions. This command scans instance names, table names, and column family names against patterns that suggest the presence of credentials, PII, financial data, or compliance-labeled resources. |
| Use case 1: Schema Analysis | Identify tables and column families with names suggesting they contain passwords, tokens, or personal data. |
| Use case 2: Compliance Data Discovery | Find instances or tables labeled with PII, HIPAA, or GDPR keywords. |
| Loot file(s) | loot/bigtable-enum-commands.txt |
Example:
❯ cloudfox gcp --project my-project bigtable-enum
[bigtable-enum] Scanning Bigtable resources for sensitive data indicators...
[bigtable-enum] Found 4 sensitive Bigtable resources (0 CRITICAL, 3 HIGH)
╭────────────┬──────────────┬──────────────────┬──────────────────┬────────────┬────────────┬──────────────────────────────────────╮
│ Project │ Instance │ Table │ Column Family │ Category │ Risk Level │ Description │
├────────────┼──────────────┼──────────────────┼──────────────────┼────────────┼────────────┼──────────────────────────────────────┤
│ My Project │ user-store │ auth_tokens │ │ Credential │ HIGH │ Table name: Token-related resource │
│ My Project │ user-store │ auth_tokens │ credentials │ Credential │ HIGH │ Column family: Credential-related │
│ My Project │ analytics │ payment_events │ │ Financial │ HIGH │ Table name: Payment-related resource │
╰────────────┴──────────────┴──────────────────┴──────────────────┴────────────┴────────────┴──────────────────────────────────────╯
| Attribute | Value |
|---|---|
| Summary | Scan Spanner database schemas for sensitive table and column names |
| Aliases | spanner-scan |
| Author | Bishop Fox |
| Background | Spanner databases store structured data with schemas defined via DDL. This command retrieves the DDL (CREATE TABLE statements) for all accessible databases, parses table and column names, and checks them against sensitive data patterns. It can detect resources storing credentials, PII, financial data, or compliance-labeled data based on naming conventions. |
| Use case 1: Schema Analysis | Identify tables and columns with names suggesting they contain passwords, tokens, SSNs, or credit cards. |
| Use case 2: Compliance Data Discovery | Find databases with tables labeled as PII, PHI, HIPAA, or GDPR resources. |
| Loot file(s) | loot/spanner-enum-commands.txt |
Example:
❯ cloudfox gcp --project my-project spanner-enum
[spanner-enum] Scanning Spanner database schemas for sensitive data indicators...
[spanner-enum] Found 5 sensitive Spanner resources (1 CRITICAL, 3 HIGH)
╭────────────┬──────────────┬──────────────┬──────────────────┬──────────────────┬────────────┬────────────┬──────────────────────────────────────╮
│ Project │ Instance │ Database │ Table │ Column │ Category │ Risk Level │ Description │
├────────────┼──────────────┼──────────────┼──────────────────┼──────────────────┼────────────┼────────────┼──────────────────────────────────────┤
│ My Project │ main-db │ accounts │ user_secrets │ │ Credential │ HIGH │ Table name: Secret-related resource │
│ My Project │ main-db │ accounts │ user_secrets │ api_key │ Credential │ HIGH │ Column name: API key resource │
│ My Project │ main-db │ accounts │ user_secrets │ private_key │ Credential │ CRITICAL │ Column name: Private key resource │
│ My Project │ main-db │ finance │ salary_records │ │ Financial │ HIGH │ Table name: Salary-related resource │
╰────────────┴──────────────┴──────────────┴──────────────────┴──────────────────┴────────────┴────────────┴──────────────────────────────────────╯
All GCP commands support these common flags:
| Flag | Description |
|---|---|
--project |
Target project ID (can be specified multiple times) |
--folder |
Target folder ID (enumerates all projects in folder) |
--organization |
Target organization ID (enumerates all projects in org) |
-l, --project-list |
Path to file containing project IDs (one per line) |
-a, --all-projects |
Enumerate all accessible projects |
-o, --output |
Output directory (default: ~/.cloudfox/cloudfox-output) |
-v, --verbosity |
Verbosity level (0-3) |
--format |
Output format: table, csv, json (default: all) |
--flat |
Use flat output structure instead of hierarchical |
CloudFox GCP uses a hierarchical output structure that mirrors your GCP organization hierarchy. This makes it easy to find results for specific projects and understand cross-project relationships.
When CloudFox can discover your organization hierarchy, output is organized as:
~/.cloudfox/cloudfox-output/gcp/{account}/
├── [O]{org-name}/ # Organization-level data
│ ├── table/
│ │ ├── iam.txt # Complete aggregated IAM across all projects
│ │ ├── permissions.txt # Complete permissions explosion
│ │ └── whoami.txt # Identity context
│ └── loot/
│ └── iam-commands.txt
├── [O]{org-name}/[F]{folder-name}/ # Folder level (if applicable)
│ └── [P]{project-name}/ # Project-level data
│ ├── table/
│ │ ├── buckets.txt # Project-specific buckets
│ │ ├── instances.txt # Project-specific instances
│ │ ├── iam.txt # Project-filtered IAM
│ │ └── permissions.txt # Project-filtered permissions
│ └── loot/
│ └── buckets-commands.txt
└── [O]{org-name}/[P]{project-name}/ # Projects directly under org
└── ...
Certain modules that aggregate data across projects provide dual output:
| Module | Org-Level Output | Project-Level Output |
|---|---|---|
iam |
Complete IAM bindings across all scopes | Project-filtered bindings only |
permissions |
All permissions explosion | Project-scoped permissions only |
compliancedashboard |
Complete compliance assessment | Project-specific findings |
costsecurity |
All cost/security issues | Project-specific issues |
This allows you to:
- View the complete picture at the org level
- Drill down to project-specific data when reviewing individual projects
Some modules output only at the organization level (with project fallback):
| Module | Reason |
|---|---|
whoami |
Identity info is account-level |
organizations |
Hierarchy data is inherently org-level |
vpcsc |
VPC Service Controls are org-level resources |
Most modules output at the project level since they enumerate project-scoped resources:
-
buckets,instances,gke,functions,cloudrun,secrets, etc.
When using --flat or when hierarchy cannot be determined, output uses a flat structure:
~/.cloudfox/cloudfox-output/gcp/{account}/
└── [P]{project-name}_and_{N}_more/ # Combined output for multiple projects
├── table/
│ ├── buckets.txt # All buckets from all projects
│ └── instances.txt # All instances from all projects
└── loot/
└── ...
The _and_{N}_more suffix indicates data from multiple projects is combined in a single directory.
When the organization cannot be determined:
- Org-level modules fall back to outputting at the first project level
- Data is not lost - it's placed in the project folder instead
Example: If you run cloudfox gcp --project my-project whoami and org discovery fails, output goes to:
~/.cloudfox/cloudfox-output/gcp/{account}/[P]{my-project}/table/whoami.txt
CloudFox uses Application Default Credentials (ADC). You can authenticate using:
Option 1: User credentials (recommended for interactive use)
gcloud auth application-default loginOption 2: Service account key
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/key.json"Option 3: Workload Identity (on GCP) CloudFox automatically uses the attached service account.
CloudFox GCP works with read-only permissions. Here's a tiered approach based on your assessment scope:
For basic enumeration of a single project:
| Scope | Role | Purpose |
|---|---|---|
| Project | roles/viewer |
Read access to most resources |
This provides basic visibility but may miss some resources and cross-project relationships.
For thorough security assessments across an entire organization, grant these roles at the appropriate scope:
Organization-Level Roles:
| Role | Purpose |
|---|---|
roles/resourcemanager.organizationViewer |
View organization structure and metadata |
roles/iam.securityReviewer |
Review IAM policies across the organization |
roles/cloudasset.viewer |
Query Cloud Asset Inventory for all resources |
roles/cloudidentity.groupsViewer |
Enumerate Google Groups and memberships |
Folder-Level Roles:
| Role | Purpose |
|---|---|
roles/resourcemanager.folderViewer |
View folder hierarchy and metadata |
Project-Level Roles:
| Role | Purpose |
|---|---|
roles/viewer |
Read access to most project resources |
roles/monitoring.viewer |
View monitoring metrics and dashboards |
roles/logging.viewer |
Read audit logs and log-based metrics |
roles/compute.networkViewer |
View network configurations, firewall rules, VPCs |
roles/serviceusage.viewer |
View enabled APIs and service configurations |
Optional (Tooling/Quota Project Only):
| Role | Purpose |
|---|---|
roles/serviceusage.serviceUsageAdmin |
Manage API quotas for CloudFox operations |
Organization-level:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="user:pentester@company.com" \
--role="roles/resourcemanager.organizationViewer"
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="user:pentester@company.com" \
--role="roles/iam.securityReviewer"
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="user:pentester@company.com" \
--role="roles/cloudasset.viewer"
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member="user:pentester@company.com" \
--role="roles/cloudidentity.groupsViewer"Folder-level:
gcloud resource-manager folders add-iam-policy-binding FOLDER_ID \
--member="user:pentester@company.com" \
--role="roles/resourcemanager.folderViewer"Project-level:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="user:pentester@company.com" \
--role="roles/viewer"Note: Roles granted at higher levels (organization, folder) inherit down to child resources. For penetration testing engagements, granting roles at the organization level provides the broadest coverage with the least administrative overhead.
CloudFox GCP requires certain APIs to be enabled for comprehensive enumeration. APIs must be enabled in each project you want to assess - GCP APIs are project-scoped, so if you're assessing multiple projects, each target project needs the relevant APIs enabled.
| API | Service Name | Purpose | Required For |
|---|---|---|---|
| Cloud Identity API | cloudidentity.googleapis.com |
Query Google Groups and memberships | Group enumeration, inherited role analysis |
| Cloud Asset API | cloudasset.googleapis.com |
Query resource inventory across projects | Cross-project resource discovery |
| Cloud Resource Manager API | cloudresourcemanager.googleapis.com |
Access organization/folder/project hierarchy | Organization mapping, IAM enumeration |
| IAM API | iam.googleapis.com |
Query IAM policies and service accounts | IAM analysis, privilege escalation detection |
| Compute Engine API | compute.googleapis.com |
Access VM, network, and firewall data | Instance enumeration, network security |
| Secret Manager API | secretmanager.googleapis.com |
List secrets and access policies | Secrets enumeration |
| Cloud Functions API | cloudfunctions.googleapis.com |
List Cloud Functions | Serverless enumeration |
| Cloud Run API | run.googleapis.com |
List Cloud Run services | Serverless enumeration |
| Kubernetes Engine API | container.googleapis.com |
Access GKE cluster information | Container security analysis |
| BigQuery API | bigquery.googleapis.com |
List datasets and access controls | Data security analysis |
# Enable all recommended APIs for a single project
PROJECT_ID="target-project-id"
gcloud services enable \
cloudidentity.googleapis.com \
cloudasset.googleapis.com \
cloudresourcemanager.googleapis.com \
iam.googleapis.com \
compute.googleapis.com \
secretmanager.googleapis.com \
cloudfunctions.googleapis.com \
run.googleapis.com \
container.googleapis.com \
bigquery.googleapis.com \
--project=$PROJECT_ID# Enable APIs across all projects in a list
for PROJECT_ID in $(cat projects.txt); do
echo "Enabling APIs for $PROJECT_ID..."
gcloud services enable \
cloudidentity.googleapis.com \
cloudasset.googleapis.com \
cloudresourcemanager.googleapis.com \
iam.googleapis.com \
compute.googleapis.com \
secretmanager.googleapis.com \
cloudfunctions.googleapis.com \
run.googleapis.com \
container.googleapis.com \
bigquery.googleapis.com \
--project=$PROJECT_ID
doneNote: Some APIs may already be enabled by default. CloudFox will gracefully skip modules if the required API is not enabled in a project, but results for that project will be incomplete.