[ER] Scanning Google services



All information and guides on scanning Google services with Enterprise Recon are documented here.


  • Google Applications for Business
  • Admin role for the above
  • To scan unknown users, the Provisioning API is required


Creating a Service Account for scanning

You will need to create a Google service account to be used by Enterprise Recon.
During this procedure, you will have to gather 2 items of information that will be used for the Google Apps domain-wide delegation of authority and in your code to authorize with your service account.

  • Client ID
  • Private key file
  • Service account ID (for use in Enterprise Recon configuration)

To do this, you first need a working Google API Console project with the Google Drive API enabled.
Follow these instructions:

  1. Log in to the Google API Console
  2. Create a new project or open your existing project
  3. From the API library, search for and enable the following APIs:
    - Admin SDK
    - Google Drive API
    - Gmail API
    - Google Calendar API
  4. From the API Manager menu on the left, go to the 'Credentials' page
  5. Click on the 'Create credentials' drop-down menu and select 'Service account key'
  6. Select 'New service account' from the 'Service account' drop-down menu
    - Enter a 'Service account name'
    - Note down your full 'Service account ID'
    - Change the 'Role' to 'Owner'
    - Select the 'P12' key type
  7. Click 'Create'. Your .p12 private key file will be downloaded and a window showing the password for your key file will appear. Note down that password
  8. Afterwards, you will be brought back to the 'Credentials' page. Note down your 'ID', then click 'Manage service accounts'
  9. You will be brought to the 'Service Accounts' page. Click on the dots on the right of your new service account and select 'Edit'
  10. The edit window will come up. Tick 'Enable Google Apps Domain-wide Delegation', enter "Enterprise Recon" as the product name and click 'Save'

Authorize API client domains

The service account that you created now needs to be granted access to the Google Apps domain user data that you want to access.
The following tasks have to be performed by an administrator of your Google Apps domain.

  1. Log in to your Google Apps domain Admin Console
    (e.g. https://www.google.com/a/cpanel/<MY DOMAIN.com>)
  2. Go to Security > Advanced Settings > (Authentication) Manage API client access
  3. Add an API client here:
    - Under 'Client Name', enter your Client ID
    - Then enter these API Scopes (you may copy & paste this entire line):
      https://www.googleapis.com/auth/admin.directory.user.readonly , https://mail.google.com/ , https://www.googleapis.com/auth/calendar.readonly , https://www.googleapis.com/auth/drive.readonly , https://www.googleapis.com/auth/tasks.readonly
    - Click 'Authorize'

Now you're all set to scan Google services in Enterprise Recon.
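
As an added example (not part of the original article and not Enterprise Recon code), the Python script below checks a scope line pasted into 'Manage API client access' against the scopes listed above and flags entries that are missing, unexpected, duplicated or not read-only. The names `DOCUMENTED_SCOPES`, `parse_scopes`, `audit_scopes` and `SAMPLE_LINE` are assumptions made for illustration.

```python
import re

# Scopes copied from the 'Authorize API client domains' step of this article.
DOCUMENTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/tasks.readonly",
})


def parse_scopes(line):
    """Split a pasted scope line on commas and/or whitespace, keeping order."""
    return [s for s in re.split(r"[,\s]+", line.strip()) if s]


def audit_scopes(line, documented=DOCUMENTED_SCOPES):
    """Compare an authorized scope line with the documented set."""
    granted = parse_scopes(line)
    unique = set(granted)
    return {
        "duplicates": sorted({s for s in granted if granted.count(s) > 1}),
        "missing": sorted(documented - unique),
        "unexpected": sorted(unique - documented),
        # Heuristic: a scope without the '.readonly' suffix may allow more than
        # reading. The documented https://mail.google.com/ is full Gmail access.
        "not_read_only": sorted(s for s in unique if not s.endswith(".readonly")),
        "not_https": sorted(s for s in unique if not s.startswith("https://")),
    }


# Constructed sample input (not from the article): the Drive scope was typed
# without '.readonly', pasted twice, and the Tasks scope was left out.
SAMPLE_LINE = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly , "
    "https://mail.google.com/ , "
    "https://www.googleapis.com/auth/calendar.readonly , "
    "https://www.googleapis.com/auth/drive , "
    "https://www.googleapis.com/auth/drive"
)

if __name__ == "__main__":
    for finding, scopes in audit_scopes(SAMPLE_LINE).items():
        for scope in scopes:
            print(f"{finding}: {scope}")
```

Run against the exact line from this article, the only finding is `https://mail.google.com/` under `not_read_only`, which is worth recording when the delegation is reviewed.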


Enterprise Recon scan configuration

In your Enterprise Recon web console, choose to start a new search and add an unlisted target, then select any Google services.

  • Google Apps Domain
    Your Google Apps domain
    (e.g. example-gapps-domain.com)
  • Stored Credentials
    Select a set of credentials you've previously saved
  • Credential Label
    Give your new credential set a name
  • Username
    This should be an administrator account for your Google Apps Domain
    (e.g. admin@example-gapps-domain.com)
  • Password
    This should be your Google Service account ID
    (e.g. example@foobar.iam.gserviceaccount.com)
  • Private Key
    Upload your .p12 private key file from Google
  • Agent to act as proxy host
    Choose a Node Agent

You may now proceed with the scan.


All information in this article is accurate and true as of the last edited date.
