# Hostnames and Google Cloud Naming Conventions ## Introduction With the varied number of services that GCP provides, there is bound to be information floating around the Internet that can leak company asset information in the form of IP addresses, hostnames, GCP bucket names, open ports and services, leaked keys and secrets and accidentally exposed snapshots/backup. There are several techniques that can be used to find and isolate information to plan for attacks. Open Source Intelligence Gathering (OSINT) is the art of collecting information using various open source sources that can be used to weaponize and plan for attacks. ## What are we going to cover? This chapter covers various open source techniques that can be used to perform OSINT on cloud targets. ## OSINT Techniques ### GCP IP ranges * [GCP IP ranges](https://www.gstatic.com/ipranges/goog.json) * Open source data is any information that is readily available to the public or can be made available by request. * While most open source data is accessed via the open internet and may be indexed with the help of a search engine like Google, it can also be accessed via more closed forums that are not indexed by search engines. * In the context of OSINT, intelligence refers to the extraction and analysis of public data to gain insights, which are then used to improve decision making and inform activity. Traditionally, OSINT was a technique used by the national security and law enforcement communities. However, in recent years it has also become a foundational capability within cybersecurity. ### OSINT on GCP instances * Use the public `IP` of one of your running instances in Google Cloud to perform a reverse DNS PTR record lookup ![](/files/Sj3CGAcdOocMLhjDhpXE) * Now, try to dig for more information. Take a look at `bc.googleusercontent.com` ![](/files/8EWjYt3AvL7IBS33tHgJ) * Try searching for the instances which are available in the internet. we'll use some OSINT techniques to dig the information. We'll use the [censys](https://search.censys.io) to look for more instances. ![](/files/ucsZmPLln1KxC0d0N3W1) * As you can see here, the search engine helps us to identify the hostname, location, services running, port information. If you are exploring a particular service running on these instances, this would be more helpful. * Similarly, [Shodan](https://shodan.io) is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. To begin with, Shodan gives you the ability to start exploring some pre-selected search queries too. ![](/files/iBwJ7KSbDxjqSphhdMHu) * [crt.sh](https://crt.sh/) is a site that allows you to search the globally published Certificate Transparency Logs, which are updated whenever a new SSL/TLS certificate is issued. ![](/files/HIYudhTZgMTvBtoMETQV) * Once you have entered your target you get the certificate ID which can provide more information if you click further. Enter the target domain to search. Here we've used our domain `appsecco.com`. ![](/files/qKz0oJBj4t4mGRmT6zPc) * Now we got the information like the security algorithm it is following so there are two algorithms and the SHA-256 is currently in use and it also has SHA-1. ## Additional references * [OSINT Techniques](https://www.osinttechniques.com/) * [Open-Source Intelligence Collection in Cloud Platforms](https://resources.infosecinstitute.com/topic/open-source-intelligence-collection-in-cloud-platforms/) * [Multi-cloud OSINT tool](https://curatedpython.com/p/multi-cloud-osint-initstring-cloud-enum/index.html) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xcriminal.gitbook.io/about-me/cloudsec/osint-on-the-cloud/cloud-osint/hostnames-google-cloud-naming-conventions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.