[CR/DR] Scanning Google services

Introduction

All information and guides regarding Google services scanning for Card/Data Recon shall be documented here.

Requirements

  • Google Applications for Business
  • Admin role for the above
  • To scan unknown users, provisioning API is required

 

Creating a Service Account for scanning

You will need to create a Google service account to be used by Enterprise Recon.
During this procedure, you will have to gather 2 items/information that will be used for the Google Apps domain-wide delegation of authority and in your code to authorize with your service account.

  • Client ID
  • Private key file
  • Service account ID (for use in Card/Data Recon configuration)

To do this, you first need a working Google API Console project with the Google Drive API enabled.
Follow these instructions:

  1. Login to the Google API Console
  2. Create a new project or open your existing project



  3. From the API library, search for and enable the following API
    - Admin SDK

    - Google Drive API

    - Gmail API

    - Google Calendar API
  4. From the API Manager menu on the left, go to the 'Credentials' page
  5. Click on the 'Create credentials' drop-down menu and select 'Service account key'



  6. Select 'New service account' from the 'Service account' drop-down menu
    Enter a 'Service account name'
    Note down your full 'Service account ID'
    Change the 'Role' to 'Owner'
    Select the 'P12' key type



  7. Once you click 'Create', your .P12 Private Key file will be downloaded and a window showing the password for your key file will appear, note down that password
    Place this .P12 Key file in the same directory as your CR/DR executable.
  8. Afterwards, you will be brought back to the 'Credentials' page, note down your 'ID'



    ... then click 'Manage service accounts'
  9. You will be brought to the 'Service Accounts' page, click on the dots on the right of your new service account and select 'Edit'



  10. The edit window will come up, tick 'Enable Google Apps Domain-wide Delegation' and enter "Card Recon" as the product name and click 'Save'



Authorize API client domains

The service account that you created now needs to be granted access to your Google Apps domain's user data that you want to access.
The following tasks have to be performed by an administrator of your Google Apps domain.

  1. Login to your Google Apps domain Admin Console
    (eg. https://www.google.com/a/cpanel/<MY DOMAIN.com>)
  2. Go to Security > Advanced Settings > (Authentication) Manage API client access





  3. Here's where you add an API client
    Under 'Client Name', enter your Client ID
    Then enter these API Scopes (you may copy & paste this entire line);
    https://www.googleapis.com/auth/admin.directory.user.readonly , https://mail.google.com/ , https://www.googleapis.com/auth/calendar.readonly , https://www.googleapis.com/auth/drive.readonly , https://www.googleapis.com/auth/tasks.readonly



    ... and click 'Authorize'

Now you're all set to scan Google services in Card/Data Recon.

 

Card/Data Recon scan configuration

For each Google Target you wish to scan, you would need to create 2 sets of credentials.

1 - Google domain name
2 - Google Service Account ID
3 - Google domain username (must be Administrator account)
4 - Full name of your .P12 Key file (including the .p12 extension)

You may now proceed with the scan.

 

All information in this article is accurate and true as of the last edited date.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.