CLI Module Reference

WebbinRoot edited this page May 9, 2026 · 1 revision

If you are new to GCPwn, read Getting Started first.

This page is meant to be the operator-facing module catalog: what each module does and the custom flags it supports.

This reference is generated from the current module mappings and parser flags in source code.

Runner Reference

modules list
modules search <keyword>
modules info <module_name>
modules run <module_name> [module_args...]
modules run <module_name> -h

Module Categories

Category | Count
Enumeration | 33
Exploit | 8
Process | 2
Unauthenticated | 5

Runner Flags (modules run)

Flag | Meaning
--iam | Run testIamPermissions checks where supported
--get | Perform deeper per-resource retrieval where supported
--download | Download module-supported artifact/content output
--project-ids, --current-project, --all-projects | Project-scoping selectors for modules that support project targeting
-v, --debug | Verbose/debug output where supported

Always verify module-specific flags with modules run <module_name> -h.

High-Value Orchestrator Modules

enum_all

  • Category: Enumeration
  • Service Group: Everything
  • What It Does:
    • Runs GCPwn's cross-service enumeration workflow from a single module.
    • Supports deep IAM checks (--iam, --all-permissions) as part of the run.
    • Supports centralized download routing while collecting data.

Supported Flags

Flag(s) | Description | Details
--download-output | Output directory for downloaded artifacts. | string path
--threads | Worker threads for region/zone fan-out. | int, default 3
--regions-list | Regions in comma-separated format. | e.g. us-central1,us-east1
--zones-list | Zones in comma-separated format. | e.g. us-central1-a,us-east1-b
--all-resource-permissions, --all-permissions | For Resource Manager, pass full large permission test set. | alias pair, dest=all_resource_permissions
--download | Enable download token routing. | optional value, default token set when passed with no value
--dont-download | Exclude download tokens/categories from --download. | comma-separated
--iam | Execute testIamPermissions wherever applicable. | store_true
--get | Fetch deeper per-resource metadata where supported. | store_true
--debug | Enable debug logging. | store_true
Service selector flags | Restrict run to selected services instead of full sweep. | --api-keys, --app-engine, --artifact-registry, --cloud-batch, --cloud-bigquery, --cloud-bigtable, --cloud-build, --cloud-composer, --cloud-compute, --cloud-compute-lb, --cloud-compute-network, --cloud-compute-resources, --cloud-dns, --cloud-firestore, --cloud-functions, --cloud-iam, --cloud-kms, --cloud-pubsub, --cloud-redis, --cloud-run, --cloud-secretsmanager, --cloud-sql, --cloud-storage, --cloud-tasks, --gke, --resource-manager, --service-directory, --storage-transfer, --workspace-cloud-identity

Example Module Commands

# TLDR: Full baseline cross-service run with IAM checks
modules run enum_all --iam

# TLDR: Full baseline + broad permission brute checks at org/folder/project scope
modules run enum_all --iam --all-permissions

# TLDR: Run only compute + storage families with constrained regions
modules run enum_all --cloud-compute --cloud-storage --regions-list us-central1

# TLDR: Enable download routing, but exclude large content buckets
modules run enum_all --download --dont-download buckets

enum_policy_bindings

  • Category: Enumeration
  • Service Group: Everything
  • What It Does:
    • Collects IAM policy bindings across the discovered resource tree.
    • Uses Cloud Asset Inventory when available.
    • Falls back to per-service APIs for Storage, BigQuery, Compute, Functions, Secrets, KMS, Run, Pub/Sub, Spanner, Service Directory, Cloud Tasks, and Artifact Registry.

Supported Flags

Flag(s) | Description | Details
--ensure-tree | If hierarchy data is missing, run Resource Manager collection first. | store_true
--resource-manager | Enumerate org/folder/project IAM policies. | store_true; service filter
--storage | Enumerate Cloud Storage bucket IAM policies. | store_true; service filter
--bigquery | Enumerate BigQuery dataset IAM policies. | store_true; service filter
--functions | Enumerate Cloud Functions IAM policies. | store_true; service filter
--compute | Enumerate Compute Engine instance IAM policies. | store_true; service filter
--service-accounts | Enumerate service account IAM policies. | store_true; service filter
--secrets | Enumerate Secret Manager IAM policies. | store_true; service filter
--cloud-run | Enumerate Cloud Run service/job IAM policies. | store_true; service filter
--cloud-tasks | Enumerate Cloud Tasks queue IAM policies. | store_true; service filter
--artifact-registry | Enumerate Artifact Registry repository IAM policies. | store_true; service filter
--cloud-kms | Enumerate KMS keyring/cryptokey IAM policies. | store_true; service filter
--pubsub | Enumerate Pub/Sub topic/subscription/snapshot/schema IAM policies. | store_true; service filter
--service-directory | Enumerate Service Directory namespace/service IAM policies. | store_true; service filter
-v, --debug | Enable low-level debug logging. | store_true

Example Module Commands

# TLDR: Enumerate IAM policies across all supported services
modules run enum_policy_bindings

# TLDR: Ensure hierarchy exists first, then collect only selected services
modules run enum_policy_bindings --ensure-tree --resource-manager --storage --bigquery

# TLDR: Focus on service-account and Cloud Run policy surfaces with debug logging
modules run enum_policy_bindings --service-accounts --cloud-run --debug

process_iam_bindings

  • Category: Process
  • Service Group: Everything
  • What It Does:
    • Processes enumerated IAM role/binding data for risky permission patterns.
    • Supports both convenience and custom roles alongside predefined GCP roles.
    • Exports findings to CSV or TXT formats.

Supported Flags

Flag(s) | Description | Details
--force-refresh-bindings | Re-enumerate IAM bindings before processing. | store_true; useful after new enumeration data
--csv | Write CSV output report. | store_true
--txt | Write TXT output report. | store_true
--output | Output directory for report files. | optional path
--silent | Suppress stdout summary output. | store_true
-v, --debug | Enable verbose processing logs. | store_true

Example Module Commands

# TLDR: Process existing IAM bindings with default console output
modules run process_iam_bindings

# TLDR: Force refresh IAM bindings first, then export CSV report
modules run process_iam_bindings --force-refresh-bindings --csv --output ./gcpwn_output/reports

# TLDR: Produce TXT output quietly for file-only workflows
modules run process_iam_bindings --txt --silent --output ./gcpwn_output/reports

enum_gcp_cloud_hound_data

  • Category: Enumeration
  • Service Group: OpenGraph
  • What It Does:
    • Builds OpenGraph-oriented IAM/resource context from collected workspace data.
    • Exports BloodHound-compatible GCP OpenGraph JSON.

Supported Flags

Flag(s) | Description | Details
--out | Set JSON export path for generated graph. | optional path
--reset | Delete existing OpenGraph rows before rebuilding. | store_true
--include-all | Include generic IAM binding edges, not only dangerous built-in edges. | store_true
--expand-inherited | Expand inherited IAM bindings from org/folder to child resources. | store_true
--cond-eval | Enable conditional evaluation pass-through mode. | store_true; currently no-op filtering
--groups | Run only the users/groups mapping step. | store_true; step selector
--iam-bindings | Run only the IAM bindings graph step. | store_true; step selector
--inferred-permissions | Run only the inferred credential-permissions graph step. | store_true; step selector
--resource-expansion | Run only the resource expansion graph step. | store_true; step selector
--push-custom-node-attributes-url | BloodHound custom-node endpoint for node-attribute push. | default from GCPWN_CUSTOM_NODES_URL when set
--push-custom-node-attributes-token | Bearer token used for custom-node push. | optional string token
-v, --debug | Enable verbose graph-build logging. | store_true

Example Module Commands

# TLDR: Full OpenGraph build and export
modules run enum_gcp_cloud_hound_data --reset --out Bloodhound_Output.json

# TLDR: Expand inherited IAM edges and include broader IAM edge set
modules run enum_gcp_cloud_hound_data --expand-inherited --include-all --out Bloodhound_Output.json

# TLDR: Run only targeted graph stages
modules run enum_gcp_cloud_hound_data --iam-bindings --resource-expansion --out Bloodhound_Output.json

Module Catalog

Enumeration Modules

enum_agentplatform

  • Service Group: AgentPlatform
  • What It Does: Enumerate AgentPlatform (aiplatform) datasets, endpoints, models, featurestores, entity types, feature groups, feature online stores, feature views, reasoning engines, and notebook runtime templates.
  • Custom Flags: none discovered in module parser

enum_all

  • Service Group: Everything
  • What It Does:
    • Runs cross-service enumeration from one command.
    • Can include IAM permission checks and broad permission brute checks.
    • Can route module download outputs during enumeration.
  • Custom Flags: See the enum_all Supported Flags section in High-Value Orchestrator Modules above.

enum_apigateway

  • Service Group: API Gateway
  • What It Does: Enumerate API Gateway gateways, APIs, and API configs, with optional direct targeting by ID and TestIamPermissions.
  • Key Flags: --all-regions (enumerate all regions), --regions-list/--regions-file (scope regions), --api-ids/--gateway-ids/--config-ids plus *-file variants (target specific resources). Run modules run enum_apigateway -h for full options.

enum_apikeys

  • Service Group: API Keys
  • What It Does: Enumerate API Keys for the selected project (global location).
  • Key Flags: --include-key-string (attempt to include key strings), --key-ids/--key-ids-file (target specific keys). Run modules run enum_apikeys -h for full options.

enum_appengine

  • Service Group: App Engine
  • What It Does: Enumerate App Engine application, services, versions, and instances.
  • Key Flags: --app-name (target a specific app), --service-ids/--version-ids/--instance-ids plus *-file variants (target specific resources). Run modules run enum_appengine -h for full options.

enum_artifactregistry

  • Service Group: Artifact Registry
  • What It Does: Enumerate Artifact Registry repositories, packages, and versions from one service module. Dependency layers use cache automatically or accept explicit parent flags.
  • Key Flags: --all-regions or --regions-list/--regions-file (region scope), --repository-names/--repository-ids plus *-file variants (target repos), --package-names/--package-names-file (target packages), --download and --limit (artifact retrieval controls). Run modules run enum_artifactregistry -h for full options.

enum_batch

  • Service Group: Batch
  • What It Does: Enumerate Batch jobs.
  • Key Flags: --all-regions, --regions-list, --regions-file (region scope). Run modules run enum_batch -h for full options.

enum_bigquery

  • Service Group: BigQuery
  • What It Does: Enumerate BigQuery datasets and tables, with optional direct targeting by dataset or table ID.
  • Key Flags: --dataset-ids/--table-ids/--routine-ids plus *-file variants (target datasets/tables/routines), --download and --download-limit (data retrieval controls). Run modules run enum_bigquery -h for full options.

enum_bigtable

  • Service Group: Bigtable
  • What It Does: Enumerate Cloud Bigtable instances, clusters, and tables.
  • Custom Flags: none discovered in module parser

enum_cloud_identity

  • Service Group: Google Workspace
  • What It Does: Enumerate Google Workspace / Cloud Identity groups and memberships. Uses directory customer ID (directoryCustomerId) where available.
  • Key Flags: --customer-id/--directory-customer (tenant scope), --query/--filter (search controls), --transitive (nested membership resolution), --view and --page-size (result detail/pagination). Run modules run enum_cloud_identity -h for full options.

enum_cloudbuild

  • Service Group: Cloud Build
  • What It Does: Enumerate Cloud Build triggers, builds, and connections across regions for the selected project.
  • Key Flags: --all-regions or --regions-list/--regions-file (region scope), --trigger-ids/--build-ids/--connection-ids plus *-file variants (target resources), --download and --download-limit (artifact retrieval), --page-size (API page sizing). Run modules run enum_cloudbuild -h for full options.

enum_cloudcomposer

  • Service Group: Cloud Composer
  • What It Does: Enumerate Cloud Composer environments across regions and optionally download software config overrides from retrieved metadata.
  • Key Flags: --all-regions, --regions-list, --regions-file (region scope). Run modules run enum_cloudcomposer -h for full options.

enum_cloudcompute_lb

  • Service Group: Compute
  • What It Does:
    • Enumerates Compute Engine load balancer surfaces.
    • Covers backend buckets/services, forwarding rules, URL maps, and target proxies.
  • Key Flags: --all-regions or --regions-list/--regions-file (region scope), --threads (parallelism). Run modules run enum_cloudcompute_lb -h for full options.

enum_cloudcompute_network

  • Service Group: Compute
  • What It Does:
    • Enumerates Compute Engine networking resources.
    • Covers VPCs, subnetworks, firewalls, routers/NAT, VPN, attachments, and interconnect surfaces.
  • Key Flags: --all-regions or --regions-list/--regions-file (region scope), --threads (parallelism). Run modules run enum_cloudcompute_network -h for full options.

enum_cloudcompute_resources

  • Service Group: Compute
  • What It Does:
    • Enumerates core Compute Engine resource-plane objects.
    • Covers projects, instances, disks, images, snapshots, machine images, node resources, reservations, and instance groups.
  • Key Flags: --all-regions/--all-zones (broad scope), --regions-list/--zones-list and *-file variants (targeted scope), --instance-names/--instance-names-file (instance targeting), --download-serial and --take-screenshot (artifact capture), --output (output path control). Run modules run enum_cloudcompute_resources -h for full options.

enum_clouddns

  • Service Group: Cloud DNS
  • What It Does: Enumerate Cloud DNS managed zones and record sets. Use --zones and/or --record-sets to control depth; record sets can be filtered by --record-type.
  • Key Flags: --zone-names/--zone-names-file (target specific zones), --record-type (filter DNS record types). Run modules run enum_clouddns -h for full options.

enum_cloudfunctions

  • Service Group: Cloud Functions
  • What It Does:
    • Enumerates Cloud Functions resources from one service module.
    • Supports regional scoping, source download, external curl checks, and testIamPermissions when enabled.
  • Key Flags: --version (v1/v2 targeting), --v1-regions/--v2-regions/--v1v2-regions or --regions-list/--regions-file (region scope), --function-names/--function-names-file (target functions), --external-curl and --output (content checks/output controls). Run modules run enum_cloudfunctions -h for full options.

enum_cloudrun

  • Service Group: Cloud Run
  • What It Does: Enumerate Cloud Run services and jobs across locations (defaults to locations/-). Use --get to enrich per-resource metadata.
  • Key Flags: --all-regions or --regions-list/--regions-file (location scope), --service-ids/--job-ids plus *-file variants (target specific resources). Run modules run enum_cloudrun -h for full options.

enum_cloudsql

  • Service Group: Cloud SQL
  • What It Does: Enumerate Cloud SQL instances, cached instance configs, databases, and users using the SQL Admin API.
  • Key Flags: --instance-names/--instance-names-file (target specific SQL instances). Run modules run enum_cloudsql -h for full options.

enum_cloudstorage

  • Service Group: Cloud Storage
  • What It Does:
    • Enumerates Cloud Storage resources from one service module.
    • Collection depth is controlled by flags such as buckets, blobs, and HMAC-key paths.
  • Key Flags: --bucket-names/--blob-names plus *-file variants (target buckets/objects), --access-keys/--hmac-secret/--access-id (HMAC workflows), --file-size, --time-limit, and --threads (download/runtime controls), --output and --good-regex (output/filtering controls). Run modules run enum_cloudstorage -h for full options.

enum_cloudtasks

  • Service Group: Cloud Tasks
  • What It Does: Enumerate Cloud Tasks queues and tasks across supported locations, with optional HTTP task request sample downloads.
  • Key Flags: --all-regions or --regions-list/--regions-file (region scope), --queue-ids/--queue-ids-file (target queues), --output (output control). Run modules run enum_cloudtasks -h for full options.

enum_firestore

  • Service Group: Firestore
  • What It Does: Enumerate Firestore databases via the Firestore Admin API.
  • Key Flags: --database-ids/--database-ids-file (target databases), --download-limit (cap retrieved content). Run modules run enum_firestore -h for full options.

enum_gcp_cloud_hound_data

  • Service Group: OpenGraph
  • What It Does: Turnkey: collect IAM/resource context and emit OpenGraph JSON (GCP).
  • Custom Flags: See the enum_gcp_cloud_hound_data Supported Flags section in High-Value Orchestrator Modules above.

enum_gke

  • Service Group: GKE
  • What It Does: Enumerate GKE clusters across locations (defaults to locations/-). Use --get to fetch per-cluster metadata.
  • Key Flags: --all-regions or --regions-list/--regions-file (location scope), --cluster-names/--cluster-names-file (target clusters), --node-pool-names/--node-pool-names-file (target node pools). Run modules run enum_gke -h for full options.

enum_iam

  • Service Group: IAM
  • What It Does:
    • Enumerates IAM resources from one service module.
    • Covers service accounts, custom roles, policy bindings, and Workload Identity pools/providers plus service-account IAM policies.
  • Key Flags: --org and --project (scope IAM enumeration), --role-names/--role-names-file (target custom roles), --sa-account-names/--sa-account-names-file (target service accounts). Run modules run enum_iam -h for full options.

enum_kms

  • Service Group: Cloud KMS
  • What It Does: Enumerate Cloud KMS keyrings/keys/versions across locations (defaults to locations/-). Use --get to fetch per-key metadata.
  • Key Flags: --all-regions, --regions-list, --regions-file (location scope). Run modules run enum_kms -h for full options.

enum_memorystore

  • Service Group: Memorystore
  • What It Does: Enumerate Memorystore Redis resources from one service module.
  • Key Flags: --all-regions or --regions-list/--regions-file (region scope), --redis-instance-names/--redis-instance-names-file (target specific instances). Run modules run enum_memorystore -h for full options.

enum_policy_bindings

  • Service Group: Everything
  • What It Does:
    • Enumerates IAM policy bindings across already-enumerated resources.
    • Uses Cloud Asset Inventory when available.
    • Falls back to per-service APIs for Storage, BigQuery, Compute, Functions, Secrets, KMS, Run, Pub/Sub, Spanner, Service Directory, Cloud Tasks, and Artifact Registry.
  • Custom Flags: See the enum_policy_bindings Supported Flags section in High-Value Orchestrator Modules above.

enum_pubsub

  • Service Group: Pub/Sub
  • What It Does: Enumerate Pub/Sub topics, subscriptions, schemas, and snapshots, with optional direct targeting by full resource name.
  • Key Flags: --topic-names/--subscription-names/--schema-names/--snapshot-names plus *-file variants (target specific Pub/Sub resources). Run modules run enum_pubsub -h for full options.

enum_resources

  • Service Group: Resource Manager
  • What It Does: Enumerate projects/folders/organizations. Pass in --iam to perform testIamPermissions on each resource. Adding --all-permissions will enumerate ~9000 individual permissions in batches and is the most comprehensive.
  • Key Flags: --all-permissions (full ~9000 permission checks), --no-recursive (disable recursive traversal), --record-failed-permissions (persist denied checks). Run modules run enum_resources -h for full options.

enum_secretsmanager

  • Service Group: Secrets
  • What It Does: Enumerate Secret Manager resources from one service module. Use flags like --secrets, --versions, and --values to control depth.
  • Key Flags: --secret-names/--secret-names-file (target specific secrets), --version-range (version scope). Run modules run enum_secretsmanager -h for full options.

enum_servicedirectory

  • Service Group: Service Directory
  • What It Does: Enumerate Service Directory namespaces, services, and endpoints across regions (defaults to locations/-).
  • Key Flags: --all-regions, --regions-list, --regions-file (location scope). Run modules run enum_servicedirectory -h for full options.

enum_storagetransfer

  • Service Group: Storage Transfer
  • What It Does: Enumerate Storage Transfer resources from one service module.
  • Key Flags: --transfer-job-ids/--transfer-job-ids-file (target specific transfer jobs). Run modules run enum_storagetransfer -h for full options.

Exploit Modules

exploit_bucket_upload

  • Service Group: Cloud Storage
  • What It Does: Authenticated upload of a local file or STDIN to a Cloud Storage Bucket. You can specify the arbitrary path you want to send the file contents/STDIN to. See wiki for more details.
  • Key Flags: --bucket and --remote-blob-path (upload destination), --local-blob-path or --data-string-base64 (payload source), --access-id/--hmac-secret (HMAC auth), --debug/-v (verbose output). Run modules run exploit_bucket_upload -h for full options.

exploit_functions_invoke

  • Service Group: Cloud Functions
  • What It Does: Upload or modify function code, then invoke it to get the OAuth token for an attached service account. Can auto-assume the new role if desired. Can also be used standalone to call a function.
  • Key Flags: --create/--update/--invoke (action mode), --function-name (target function), --v1/--v2 (platform version), --bucket-src, --entry-point, and --service-account (deployment settings), --assume-creds (auto-assume returned creds). Run modules run exploit_functions_invoke -h for full options.

exploit_generate_access_token

  • Service Group: IAM
  • What It Does: Generate an access token for a service account and assume it within GCPwn (--assume) to pivot to a different user. Note that this also handles implicit delegation with the --delegation flag, relying on you to either supply the role chain or check what has been enumerated thus far to help you build the delegation chain.
  • Key Flags: --target-sa (service account to impersonate), --delegation and --delegation-target (explicit delegation chain), --all-delegation (enumerate possible delegation paths), --debug/-v (verbose output). Run modules run exploit_generate_access_token -h for full options.

exploit_instance_ssh_keys

  • Service Group: Compute
  • What It Does: Upload the public portion of an SSH key to either a project or an instance. This might allow SSH access if no other restrictions are in place. Project edits will impact all instances in the project. Ergo, uploading SSH keys to a project grants SSH access to all instances.
  • Key Flags: --project-level or --instance-level (where to place key), --instance-name (instance target), --ssh-key/--ssh-key-file and --username (key identity), --brute (additional key path logic), --debug/-v (verbose output). Run modules run exploit_instance_ssh_keys -h for full options.

exploit_instance_startup_script

  • Service Group: Compute
  • What It Does: Create an instance or edit an existing one (through a restart) and upload a startup script that will exfiltrate the compute metadata to a URL of the caller's choice. These need to be manually added via creds add in gcpwn. Note a service account needs to be attached to the compute instance requiring those permissions.
  • Key Flags: --create-new-instance or --update-via-shutdown (execution path), --instance-name (target/new instance), --startup-script-path and --external-url (script/exfil settings), --service-account/--no-service-account (identity behavior), --debug/-v (verbose output). Run modules run exploit_instance_startup_script -h for full options.

exploit_service_account_keys

  • Service Group: IAM
  • What It Does: Generate an account key for a service account and assume it within GCPwn (--assume) to pivot to a different user. Note that unlike the access token, which usually lasts for around 1 hour, a service key can last for much longer and is a much more permanent pivot.
  • Key Flags: --create/--enable/--disable (key lifecycle action), --sa or --sa-key (target account/key), --assume (load issued key into creds set), --debug/-v (verbose output). Run modules run exploit_service_account_keys -h for full options.

exploit_setiampolicy

  • Service Group: Everything
  • What It Does:
    • Unified setIamPolicy helper for adding a member/role binding.
    • Supports prompt-driven or flag-driven execution.
    • Supports Resource Manager, Storage, Compute, Functions, Secrets, Cloud Run, Artifact Registry, KMS, Pub/Sub, Spanner, Service Directory, and Cloud Tasks.
  • Key Flags: --service and --resource (select API/resource type), service-specific resource selectors (for example --bucket, --project-id, --function-name, --topic-name), --member and --role (binding target), --default-role and --overwrite (role/write behavior), --location/--zone/--version (resource scoping), --debug/-v (verbose output). Run modules run exploit_setiampolicy -h for full options.

exploit_storage_hmac

  • Service Group: Cloud Storage
  • What It Does: Create a new HMAC key tied to a service account, then use this key to try to enumerate/download Cloud Storage bucket data using the SigV4 XML API. The module can also activate/deactivate existing keys.
  • Key Flags: --create or --update (action mode), --sa-email (target service account), --access-id and --state (operate on existing key state), --debug/-v (verbose output). Run modules run exploit_storage_hmac -h for full options.

Process Modules

analyze_vulns

  • Service Group: Everything
  • What It Does: Coming soon.
  • Key Flags: --csv or --txt (export format), --output (output path), --silent (quiet mode), --debug/-v (verbose output). Run modules run analyze_vulns -h for full options.

process_iam_bindings

  • Service Group: Everything
  • What It Does: Review org-wide security issues that might arise mainly with roles/permissions. Export the data to a csv or txt with --csv or --txt respectively. Note this will handle both convenience and custom roles in addition to normal predefined GCP roles, but not constraints or anything more advanced.
  • Custom Flags: See the process_iam_bindings Supported Flags section in High-Value Orchestrator Modules above.

Unauthenticated Modules

unauth_apikey_enum_all_scopes

  • Service Group: API Keys
  • What It Does: MIT-ported gmapsapiscanner-style module to enumerate unauthenticated Google Maps and related API scope for an exposed Google API key.
  • Key Flags: --api-key / -a (target API key), --proxy / -p (proxy traffic), --debug/-v (verbose output). Run modules run unauth_apikey_enum_all_scopes -h for full options.

unauth_apikey_gemini_exploit

  • Service Group: API Keys
  • What It Does: Exploit an exposed Gemini API key by enumerating Gemini files and cached contents, then exercising the token-counting and embeddings REST endpoints.
  • Key Flags: --api-key / -a (target API key), --question and --question-model (prompt path), --embedding-model and --token-model (API endpoint checks), --model-scan-mode and --page-size (enumeration depth), --sample-text (content for model tests), --debug/-v (verbose output). Run modules run unauth_apikey_gemini_exploit -h for full options.

unauth_apikey_vertex_exploit

  • Service Group: API Keys
  • What It Does: Exploit an exposed Vertex AI express-mode API key by discovering working publisher models and opening an interactive prompt shell.
  • Key Flags: --api-key / -a (target API key), --model / -m (specific model), --model-discovery-mode (automatic model discovery behavior), --debug/-v (verbose output). Run modules run unauth_apikey_vertex_exploit -h for full options.

unauth_bucketbrute

  • Service Group: Cloud Storage
  • What It Does: A copy of the Rhino Security GCP Brute tool. Will brute force GCP buckets given a key term and can check for anonymous permissions. Should not leverage credentials to try authenticated permission checks, although that might be added in the future.
  • Key Flags: --keyword/-k and --wordlist/-w (bruteforce input), --check / --check-list (anonymous permission checks), --authenticated (add authenticated checks), --subprocesses/-s and --throttle (rate/concurrency control), --out-file/-o and --all-tlds (output/candidate expansion), --debug/-v (verbose output). Run modules run unauth_bucketbrute -h for full options.

unauth_functionbrute

  • Service Group: Cloud Functions
  • What It Does: Based on the Rhino Security code here: https://github.com/RhinoSecurityLabs/GCPBucketBrute. Same concept, but modified slightly to brute force functions by URL, unauthenticated.
  • Key Flags: --region (target region), --wordlist/-w (name source), --check / --check-list (unauth checks), --subprocesses/-s (concurrency), --debug/-v (verbose output). Run modules run unauth_functionbrute -h for full options.

Typical Run Flow

modules run enum_all --iam
modules run enum_policy_bindings --ensure-tree
modules run process_iam_bindings
modules run enum_gcp_cloud_hound_data --expand-inherited --reset --out Bloodhound_Output.json
