gcpHound v2.0 : Django Web UI To Analyze IAM Permissions

Madhav Bhatt
3 min read · Apr 26, 2022


In this article, we will talk about functionality recently added to gcpHound and how to use it.

This is the third article in the gcpHound series.

You can read about how to use other gcpHound functions here: gcpHound v1.1-beta and gcpHound v1.2

Setup

Setup is as simple as the following. You can also use alternate means to authenticate, such as service accounts.

$ docker pull desijarvis/gcphound:v2.0
$ docker run --name gcpHound -p 127.0.0.1:443:443 -it desijarvis/gcphound:v2.0 /bin/bash
root@<containerID># cd /root/gcpHound/
root@<containerID># gcloud auth login --no-launch-browser
root@<containerID># gcloud config set project <project-id>
root@<containerID># service mysql start
root@<containerID># service apache2 start

gcpHoundWebUI

Before Logging In

Make sure you run the following command before you start using the UI. The data you see depends on the data collected via the CLI function.

This function collects and analyzes ALL organization permissions.

However, for projects, while it COLLECTS ALL permissions, it will ONLY analyze the ones mentioned in rolesOfInterest.txt.

Make sure you modify that file if you wish to analyze additional permissions.

./gcpHound --runGCPHound

Logging In

Once you have followed these steps, go to https://localhost to access the Hound UI.

Credentials

username : admin
password : gcphoundadminUserPassword1!
gcpHound Login Page

Troubleshooting

If you can’t use these credentials, follow these steps to change the password for the admin account.

root@<containerID># cd /var/www/gcpHoundWebUI
root@<containerID># python3 manage.py changepassword admin

Changing Password

The first thing you may want to do is change the password for the admin account from the left panel. Alternatively, you can use the method mentioned above to do the same.

Analyzing IAM

Once you log in, you will see the IAM permissions for the account you used to collect GCP IAM data.

The search bar allows you to query for different accounts you wish to see IAM permissions for.

The screenshots below show a hypothetical organization called redteam.com, its hierarchy and IAM permissions.

Hypothetical GCP Organization redteam.com
IAM Permissions for redteam-operator-1@redteam.com on Home Page
IAM Permissions for redteam-operator-1@redteam.com
IAM Permissions for redteam-operator-7@redteam.com

Caveats

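When you run gcpHound from the Docker container, it is recommended to allow only local connections to the Web UI. The docker run command in Setup does this by publishing the port as 127.0.0.1:443:443.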
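
A way to verify the recommendation above on the Docker host, as an added example that is not part of gcpHound: the check_bindings function (a name chosen here) reads `docker port <container>` output and flags any published port whose host address is not loopback. The sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag published container ports that are reachable beyond loopback.
# Input (stdin): output of `docker port <container>`, one mapping per line, e.g.
#   443/tcp -> 127.0.0.1:443

check_bindings() {
    exposed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        host=${line##*-> }   # host side of the mapping, e.g. 127.0.0.1:443
        host=${host%:*}      # drop the trailing :port, leaving the address
        case "$host" in
            127.*|"[::1]"|::1|localhost)
                echo "ok       $line" ;;
            *)
                # 0.0.0.0, [::], ::, or a routable interface address
                echo "EXPOSED  $line"
                exposed=1 ;;
        esac
    done
    # Exit status 0 = loopback only, 1 = at least one non-local binding
    return "$exposed"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_LOCAL='443/tcp -> 127.0.0.1:443'
SAMPLE_OPEN='443/tcp -> 0.0.0.0:443
443/tcp -> [::]:443'

# Live use, with the container name from the Setup section:
#   docker port gcpHound | check_bindings || echo "re-create with -p 127.0.0.1:443:443"
```

A non-zero exit status means the container was started with a bare `-p 443:443` or similar and the UI is listening on all interfaces.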

In The End

This update allows for seamless querying of different accounts and their permissions via the Web UI.

You can alternatively use “enumPrivileges” function via CLI. However, future development for analyzing IAM permissions will be focused on Web UI.

CREDITS

This tool has been developed alongside Brad Richardson.
