dash/weirdAAL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

iam checks + storage checks

Browse Source
This commit is contained in:
carnal0wnage
2018-09-26 15:58:15 -04:00
parent b49df03312
commit 2779af7787
4 changed files with 81 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libs/gcp/gcp_iam.py
View File

@@ -14,7 +14,7 @@ from googleapiclient.errors import HttpError
# [START iam_list_keys] # [START iam_list_keys]
def gcp_iam_list_keys(service_account_email,service): def gcp_iam_list_keys(service_account_email, service):
"""Lists all keys for a service account.""" """Lists all keys for a service account."""
# pylint: disable=no-member # pylint: disable=no-member
@@ -27,7 +27,7 @@ def gcp_iam_list_keys(service_account_email,service):
# [START iam_list_service_accounts] # [START iam_list_service_accounts]
def gcp_iam_list_service_accounts(project_id): def gcp_iam_list_service_accounts(project_id, service):
"""Lists all service accounts for the current project.""" """Lists all service accounts for the current project."""
# pylint: disable=no-member # pylint: disable=no-member

39
libs/gcp/gcp_storage.py Normal file
View File

@@ -0,0 +1,39 @@
'''
GCP Storage functions for WeirdAAL
'''
import google.auth
import googleapiclient.discovery
import os
import sys
from google.oauth2 import service_account
from googleapiclient.errors import HttpError
from google.cloud import storage, exceptions
from google.cloud.exceptions import *
def gcp_storage_list_buckets(credentials):
list_of_buckets = []
'''list Google storage buckets for account'''
storage_client = storage.Client()
buckets = storage_client.list_buckets()
for buck in buckets:
print(buck.name)
list_of_buckets.append(buck.name)
return list_of_buckets
def gcp_storage_list_blobs(credentials, bucket_name):
'''Lists all the blobs in the bucket.'''
storage_client = storage.Client()
bucket = storage_client.get_bucket(bucket_name)
blobs = bucket.list_blobs()
for blob in blobs:
print(blob.name)
print('\n')

42
modules/gcp/gcp_recon.py
View File

@@ -6,7 +6,7 @@ that have functions that done have arguments if we can access them :-)
from libs.gcp.gcp_iam import * from libs.gcp.gcp_iam import *
#from libs.gcp.gcp_storage import * from libs.gcp.gcp_storage import *
credentials = service_account.Credentials.from_service_account_file( credentials = service_account.Credentials.from_service_account_file(
filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'], filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
@@ -21,10 +21,24 @@ def module_gcp_recon_all():
python3 weirdAAL.py -m gcp_recon_all -t demo python3 weirdAAL.py -m gcp_recon_all -t demo
''' '''
try: try:
print("IAM List Keys check") print("GCP IAM List Keys check")
#print(credentials) # print(credentials)
gcp_iam_list_keys(credentials.service_account_email, service) gcp_iam_list_keys(credentials.service_account_email, service)
#list_service_accounts('best-indian-restaurant-691ad') except HttpError as e:
# print(e)
if e.resp.status in [403, 500, 503]:
print("\tGCP IAM access denied for {}".format(credentials.service_account_email))
else:
print(e)
except google.auth.exceptions.RefreshError as f:
print(f)
print("Service key is invalid exiting")
sys.exit()
try:
print("GCP IAM list service accounts for the current project: {}.".format(credentials.project_id))
# print(credentials)
gcp_iam_list_service_accounts(credentials.project_id, service)
except HttpError as e: except HttpError as e:
# print(e) # print(e)
if e.resp.status in [403, 500, 503]: if e.resp.status in [403, 500, 503]:
@@ -36,3 +50,23 @@ def module_gcp_recon_all():
print("Service key is invalid exiting") print("Service key is invalid exiting")
sys.exit() sys.exit()
'''
Storage bucket access checks
'''
try:
print("Checking for storage buckets")
buckets = gcp_storage_list_buckets(credentials)
if buckets:
print("\nAttempting to list bucket contents")
for a in buckets:
print(a)
gcp_storage_list_blobs(credentials, a)
except googleapiclient.errors.HttpError as e:
print(e)
except exceptions.Forbidden as e:
print("Forbidden")
print(e)
except exceptions.PermissionDenied as e:
print("PermissionDenied")
except google.auth.exceptions.RefreshError as f:
print(f)

4
weirdAAL.py
View File

@@ -29,7 +29,7 @@ from google.cloud.exceptions import *
os.environ['AWS_SHARED_CREDENTIALS_FILE'] = '.env' os.environ['AWS_SHARED_CREDENTIALS_FILE'] = '.env'
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = 'key.json' os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = 'gcp_keys/4.json'
# If you want to use a transparent + supports SSL proxy you can put it here # If you want to use a transparent + supports SSL proxy you can put it here
# os.environ['HTTPS_PROXY'] = 'https://127.0.0.1:3128' # os.environ['HTTPS_PROXY'] = 'https://127.0.0.1:3128'
@@ -69,7 +69,7 @@ def perform_credential_check():
sys.exit(1) sys.exit(1)
# excepetion to catch the lack of aws cred here - temp fix # excepetion to catch the lack of aws cred here - temp fix
except Exception as e: except Exception as e:
print('\t {}'.format(e)) print('\t -')
def method_create(): def method_create():
try: try: