Hostnames and Google Cloud Naming Conventions

Introduction

With the wide range of services that GCP provides, there is bound to be information floating around the Internet that leaks company asset information in the form of IP addresses, hostnames, GCP bucket names, open ports and services, leaked keys and secrets, and accidentally exposed snapshots/backups.

Several techniques can be used to find and isolate this information when planning attacks. Open Source Intelligence Gathering (OSINT) is the art of collecting information from various publicly available sources that can be used to weaponize and plan attacks.

What are we going to cover?

This chapter covers various open source techniques that can be used to perform OSINT on cloud targets.

OSINT Techniques

GCP IP ranges

  • Open source data is any information that is readily available to the public or can be made available by request.

  • While most open source data is accessed via the open internet and may be indexed with the help of a search engine like Google, it can also be accessed via more closed forums that are not indexed by search engines.

  • In the context of OSINT, intelligence refers to the extraction and analysis of public data to gain insights, which are then used to improve decision making and inform activity. Traditionally, OSINT was a technique used by the national security and law enforcement communities. However, in recent years it has also become a foundational capability within cybersecurity.

OSINT on GCP instances

  • Use the public IP of one of your running instances in Google Cloud to perform a reverse DNS PTR record lookup.

  • Now, try to dig for more information. Take a look at bc.googleusercontent.com

  • Try searching for instances that are reachable on the internet. We'll use some OSINT techniques to dig up the information, starting with Censys to look for more instances.

  • As you can see here, the search engine helps us identify the hostname, location, running services, and port information. This is especially helpful if you are exploring a particular service running on these instances.

  • Similarly, Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. To begin with, Shodan gives you the ability to start exploring some pre-selected search queries too.

  • crt.sh is a site that allows you to search the globally published Certificate Transparency Logs, which are updated whenever a new SSL/TLS certificate is issued.

  • Enter the target domain to search. Here we've used our domain appsecco.com. Once you have entered your target, you get the certificate ID, which provides more information if you click through.

  • We now have information such as the security algorithm the certificate follows: there are two algorithms, SHA-256 is currently in use, and it also has SHA-1.
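
The reverse DNS step at the start of this list can be turned into an audit of your own external IPs. The following is an added example, not code from the original page: it assumes the default PTR name is the instance's IPv4 octets in reverse order followed by `.bc.googleusercontent.com`, and the function names and sample records are constructed for illustration.

```python
import ipaddress

GCP_PTR_SUFFIX = ".bc.googleusercontent.com"  # default PTR zone named on this page

def default_gcp_ptr(ip):
    """Build the default PTR name assumed here: reversed octets + suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + GCP_PTR_SUFFIX

def ip_from_gcp_ptr(hostname):
    """Recover the IPv4 address encoded in a default GCP PTR name, else None."""
    name = hostname.rstrip(".").lower()
    if not name.endswith(GCP_PTR_SUFFIX):
        return None
    labels = name[: -len(GCP_PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None

def audit_ptr_records(observations):
    """Classify (ip, ptr) pairs collected for your own instances.
    default: provider-generated name, which reveals GCP hosting
    custom: PTR overridden with a name you control
    mismatch: GCP-style name that encodes a different IP
    missing: no PTR record returned"""
    report = {}
    for ip, ptr in observations:
        if not ptr:
            report[ip] = "missing"
        elif ptr.rstrip(".").lower() == default_gcp_ptr(ip):
            report[ip] = "default"
        elif ip_from_gcp_ptr(ptr) is not None:
            report[ip] = "mismatch"
        else:
            report[ip] = "custom"
    return report

# Constructed sample data (documentation-range IPs, not real instances).
SAMPLE = [
    ("203.0.113.10", "10.113.0.203.bc.googleusercontent.com."),
    ("203.0.113.11", "vpn.example.com."),
    ("203.0.113.12", "99.113.0.203.bc.googleusercontent.com"),
    ("203.0.113.13", None),
]
```

Feed it the `(ip, ptr)` pairs from your own inventory export; entries marked `mismatch` usually point to stale DNS data or an address that has been reassigned.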
