gcpHound: This hound has learned some new tricks
Since the initial release of gcpHound back in September, three new capabilities have been added to give the hound more bite. As with previous gcpHound commands, each of the three still “lives off the cloud” for convenience and stealth. If you missed gcpHound or aren’t already familiar with it, check out Madhav Bhatt’s detailed writeup here
Setup
If you just need to get gcpHound running, setup is simple. You can also authenticate by other means, such as a service account. When setting the project ID, make sure the account you’re using has sufficient permissions on that project.
$ docker pull desijarvis/gcphound:v1.2
$ docker run --name gcpHound -it desijarvis/gcphound:v1.2 /bin/bash
root@<containerID># cd /root/gcpHound/
root@<containerID># gcloud auth login --no-launch-browser
root@<containerID># gcloud config set project <project-id>
Here’s what’s new and how to use each one on your next red team engagement.
- persistWindowsAccount
- createServiceAccountKey
- bruteDecrypt
persistWindowsAccount
First up is gcpHound persistWindowsAccount
The persistWindowsAccount trick is an easy method for stealthy persistence on Windows Compute Instances
You can use this trick to create or abuse valid accounts on Windows-based compute instances. Unlike adding accounts with the worn-out and typically detected Windows “net” commands, this command creates a new account on the target GCP Windows instance (assuming it doesn’t already exist) and adds it to the local Administrators group in a single step. If the account does exist, its password is automatically reset and the new password is displayed to the user.
Here’s all that’s needed for persistWindowsAccount.
- Target compute instance name
- The username to be created, or the existing user whose password will be reset
- The zone the instance runs in. That’s it.
Here’s an example of using persistWindowsAccount.
USAGE:
$ ./gcpHound persistWindowsAccount --instance windows2019 --user vpnuser1 --zone us-central1-a
createServiceAccountKey
gcpHound createServiceAccountKey
This is another way to obtain long-lived persistence. Service accounts aren’t subject to the relatively short session lifetimes that user accounts normally have, yet they can make the same API calls to read, write, create, modify, delete, and so on, and can use all the powerful features in GCP. Red teams can create their own service accounts that blend in with the many other, often ignored, service accounts and use them for recon or other activities for the entire duration of an operation.
The createServiceAccountKey feature in gcpHound lets you quickly add a service account to an existing project and returns the key value to you. If the service account already exists, an additional key is created for it and that key value is returned for use.
Here’s all that’s needed to have gcpHound add your service account and key.
- Target projectId
- The target service account name
- Service account “display name” (optional)
- A service account “description”. (optional)
NOTE: --projectId must match an existing project ID, and a service account name must be provided. The display name and description are optional.
USAGE:
$ ./gcpHound createServiceAccountKey --projectId redteam-project1 --serviceAccountName redteam-svc-account-1 --serviceAccountDisplayName dev-jenkins-svc-account-1 --serviceAccountDescription JenkinsServiceAccount
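From the defender’s side, both persistWindowsAccount and createServiceAccountKey leave an Admin Activity audit-log trail: creating or resetting a Windows account from outside the VM goes through the instance’s windows-keys metadata (the same path gcloud compute reset-windows-password uses, picked up by the guest agent), and minting a key is logged as google.iam.admin.v1.CreateServiceAccountKey. The Python below is an added example, not gcpHound code, that triages a newline-delimited JSON log export for both. The sample entries are constructed and only mimic the shape of real records; the nesting of protoPayload.request is an assumption, which is why the metadata check walks the record generically instead of hard-coding a path.

```python
"""Added example (not gcpHound code): triage Cloud Audit Log entries for the
two persistence techniques above. Sample entries are constructed and only
mimic the shape of real audit-log records (protoPayload.methodName,
authenticationInfo.principalEmail, resourceName); the nesting of the request
body is assumed, so the metadata check walks the record generically."""
import json
from typing import Any, Iterable, List, Tuple

# Admin Activity audit-log method names that matter for this triage.
IAM_METHODS = {
    "google.iam.admin.v1.CreateServiceAccount": "new service account created",
    "google.iam.admin.v1.CreateServiceAccountKey": "new user-managed key minted for a service account",
}
SET_METADATA = "v1.compute.instances.setMetadata"
# Metadata key the Windows guest agent watches to create/reset local accounts
# (what `gcloud compute reset-windows-password` writes).
WINDOWS_KEYS = "windows-keys"

Finding = Tuple[str, str, str]  # (description, principal, resource)


def _has_metadata_key(obj: Any, wanted: str) -> bool:
    """Return True if any nested {"key": wanted, ...} item exists in obj."""
    if isinstance(obj, dict):
        if obj.get("key") == wanted:
            return True
        return any(_has_metadata_key(v, wanted) for v in obj.values())
    if isinstance(obj, list):
        return any(_has_metadata_key(v, wanted) for v in obj)
    return False


def triage(entries: Iterable[dict]) -> List[Finding]:
    """Flag Windows account creation/reset via metadata and service account key minting."""
    findings: List[Finding] = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        resource = payload.get("resourceName", "?")
        if method == SET_METADATA and _has_metadata_key(payload.get("request"), WINDOWS_KEYS):
            findings.append(("Windows account created or password reset via windows-keys metadata",
                             principal, resource))
        elif method in IAM_METHODS:
            findings.append((IAM_METHODS[method], principal, resource))
    return findings


def triage_jsonl(text: str) -> List[Finding]:
    """Convenience wrapper for newline-delimited JSON as produced by a log export."""
    return triage(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample export: four entries, two of which should be flagged.
# Real windows-keys values also carry the RSA public key used to encrypt the
# generated password; only the userName field is reproduced here.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"protoPayload": {"methodName": SET_METADATA,
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/redteam-project1/zones/us-central1-a/instances/windows2019",
                      "request": {"items": [{"key": WINDOWS_KEYS,
                                             "value": json.dumps({"userName": "vpnuser1"})}]}}},
    {"protoPayload": {"methodName": SET_METADATA,
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "resourceName": "projects/redteam-project1/zones/us-central1-a/instances/web1",
                      "request": {"items": [{"key": "startup-script", "value": "#! /bin/bash"}]}}},
    {"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/redteam-project1/serviceAccounts/"
                                      "redteam-svc-account-1@redteam-project1.iam.gserviceaccount.com"}},
    {"protoPayload": {"methodName": "v1.compute.instances.list",
                      "authenticationInfo": {"principalEmail": "carol@example.com"},
                      "resourceName": "projects/redteam-project1/zones/us-central1-a/instances"}},
])

if __name__ == "__main__":
    for what, who, where in triage_jsonl(SAMPLE_LOG):
        print(f"[{who}] {what}: {where}")
```

The post does not say whether gcpHound itself writes windows-keys; the rule flags any caller that does, which is the point. For the second trick, the organization policy constraint constraints/iam.disableServiceAccountKeyCreation blocks user-managed key creation outright, which turns the detection into a prevention where the business allows it.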
bruteDecrypt
gcpHound bruteDecrypt
gcpHound sniffs out the right key with this function. GCP makes it possible to encrypt each stored file in Google Cloud Storage with a separate key. That means it can take a painfully long time to go through the steps of downloading the files, finding the decryption key in the Key Management Service, downloading the key, and decrypting the file. It doesn’t need to be this hard now that gcpHound can do it for us: it downloads the stored keys, tries each one against the encrypted file until it finds the right key, and then writes out the decrypted version.
To use the gcpHound bruteDecrypt feature all we need to do is provide…
- The correct target projectId,
- The “key ring assigned location”
- The name of the downloaded encrypted file
- The chosen filename you want for the decrypted file.
USAGE:
$ ./gcpHound bruteDecrypt --projectId redteam-project1 --keyRingRegion global --cipherTextFile /tmp/ciphertext.txt
$ ./gcpHound bruteDecrypt --projectId redteam-project1 --keyRingRegion us-central1 --cipherTextFile /tmp/ciphertext.txt
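Trying every key against one ciphertext has a distinctive audit-log footprint: a single principal failing google.cloud.kms.v1.KeyManagementService.Decrypt against many different CryptoKeys in a short window, followed at most by one success. The Python below is an added example, not gcpHound code, that finds that pattern with a sliding window over failed Decrypt calls. It assumes Data Access audit logging for Cloud KMS is enabled (Decrypt is a data-access operation and is not captured by Admin Activity logs alone); the sample records are constructed, and the failure is modelled only as a non-zero status code rather than any specific value.

```python
"""Added example (not gcpHound code): detect a decrypt spray, i.e. one
principal failing KMS Decrypt against many distinct CryptoKeys in a short
window. Assumes Cloud KMS Data Access audit logs are enabled. Sample records
are constructed; a wrong-key failure is assumed to surface as a non-zero
protoPayload.status.code, with no specific value relied on."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

DECRYPT = "google.cloud.kms.v1.KeyManagementService.Decrypt"


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_decrypt_sprays(entries: Iterable[dict], distinct_keys: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Return {principal: [key resource names]} for principals whose *failed*
    Decrypt calls touched at least `distinct_keys` different keys within `window`."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != DECRYPT:
            continue
        if payload.get("status", {}).get("code", 0) == 0:
            continue  # successful decrypt: expected traffic, not part of a spray
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        failures[principal].append((_ts(entry["timestamp"]), payload.get("resourceName", "?")))

    alerts: Dict[str, List[str]] = {}
    for principal, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # window anchored at each failure in turn
            keys = {key for when, key in events[i:] if when - start <= window}
            if len(keys) >= distinct_keys:
                alerts[principal] = sorted(keys)
                break
    return alerts


def find_decrypt_sprays_jsonl(text: str, **kwargs) -> Dict[str, List[str]]:
    """Same detection over a newline-delimited JSON export."""
    return find_decrypt_sprays((json.loads(line) for line in text.splitlines() if line.strip()), **kwargs)


def _entry(ts: str, who: str, key: str, code: int) -> dict:
    """Build one constructed Decrypt audit record for the sample below."""
    rec = {"timestamp": ts, "protoPayload": {
        "methodName": DECRYPT,
        "authenticationInfo": {"principalEmail": who},
        "resourceName": f"projects/redteam-project1/locations/global/keyRings/ring-a/cryptoKeys/{key}"}}
    if code:
        rec["protoPayload"]["status"] = {"code": code, "message": "decryption failed"}
    return rec


SPRAYER = "redteam-svc-account-1@redteam-project1.iam.gserviceaccount.com"
# Constructed sample: three wrong keys then the right one, plus unrelated noise.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry("2024-01-01T10:00:01Z", SPRAYER, "key-1", 3),
    _entry("2024-01-01T10:00:02Z", SPRAYER, "key-2", 3),
    _entry("2024-01-01T10:00:03Z", SPRAYER, "key-3", 3),
    _entry("2024-01-01T10:00:04Z", SPRAYER, "key-4", 0),  # the key that finally worked
    _entry("2024-01-01T10:00:05Z", "app@example.com", "key-1", 3),  # one-off failure, benign
    _entry("2024-01-01T12:00:00Z", "app@example.com", "key-2", 3),  # hours later, outside the window
])

if __name__ == "__main__":
    for who, keys in find_decrypt_sprays_jsonl(SAMPLE_LOG).items():
        print(f"{who} failed Decrypt on {len(keys)} keys: {', '.join(keys)}")
```

The threshold and window are the tuning knobs: a legitimate application normally decrypts with one or two keys it was configured for, so even a low distinct-key count per principal is unusual, and the successful call at the end is the one worth correlating with what was read from Cloud Storage just before it.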
That’s all for now, but stay tuned for other new tricks and features that we will be adding to gcpHound later.