All information and guides regarding Google services scanning for Enterprise Recon shall be documented here.
- Google Applications for Business
- Admin role for the above
- To scan unknown users, provisioning API is required
Creating a Service Account for scanning
You will need to create a Google service account to be used by Enterprise Recon.
During this procedure, you will gather 2 items of information that are used for the Google Apps domain-wide delegation of authority and in your code to authorize with your service account.
- Client ID
- Private key file
- Service account ID (for use in Enterprise Recon configuration)
To do this, you first need a working Google API Console project with the Google Drive API enabled.
Follow these instructions:
- Login to the Google API Console
- Create a new project or open your existing project
- From the API library, search for and enable the following APIs:
  - Admin SDK
  - Google Drive API
  - Gmail API
  - Google Calendar API
- From the API Manager menu on the left, go to the 'Credentials' page
- Click on the 'Create credentials' drop-down menu and select 'Service account key'
- Select 'New service account' from the 'Service account' drop-down menu
Enter a 'Service account name'
Note down your full 'Service account ID'
Change the 'Role' to 'Owner'
Select the 'P12' key type
- Once you click 'Create', your .p12 private key file will be downloaded and a window showing the password for your key file will appear. Note down that password.
- Afterwards, you will be brought back to the 'Credentials' page. Note down your 'ID'
... then click 'Manage service accounts'
- You will be brought to the 'Service Accounts' page. Click on the dots on the right of your new service account and select 'Edit'
- The edit window will come up. Tick 'Enable Google Apps Domain-wide Delegation', enter "Enterprise Recon" as the product name, and click 'Save'
Authorize API client domains
The service account that you created now needs to be granted access to your Google Apps domain's user data that you want to access.
The following tasks have to be performed by an administrator of your Google Apps domain.
- Login to your Google Apps domain Admin Console
(e.g. https://www.google.com/a/cpanel/<MY DOMAIN.com>)
- Go to Security > Advanced Settings > (Authentication) Manage API client access
- Here's where you add an API client
Under 'Client Name', enter your Client ID
Then enter these API Scopes (you may copy & paste this entire line):
https://www.googleapis.com/auth/admin.directory.user.readonly , https://mail.google.com/ , https://www.googleapis.com/auth/calendar.readonly , https://www.googleapis.com/auth/drive.readonly , https://www.googleapis.com/auth/tasks.readonly
... and click 'Authorize'
Now you're all set to scan Google services in Enterprise Recon.
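How the service account ID, private key and authorized scopes are used once delegation is in place, as an added example (not Enterprise Recon's code): the client signs a JWT assertion with the private key, names the service account in `iss` and the domain user to act as in `sub`, and lists the scopes space separated. The key pair, account names and timestamp are constructed stand-ins for the real values, and nothing is sent to Google.

```javascript
const crypto = require('node:crypto');

// Scope line as entered in the Admin Console step above (comma separated there).
const AUTHORIZED_SCOPES =
  'https://www.googleapis.com/auth/admin.directory.user.readonly , https://mail.google.com/ , ' +
  'https://www.googleapis.com/auth/calendar.readonly , https://www.googleapis.com/auth/drive.readonly , ' +
  'https://www.googleapis.com/auth/tasks.readonly';

const b64url = (v) => Buffer.from(v).toString('base64url');

// Build and sign the assertion a delegated service account presents to Google.
function buildAssertion({ serviceAccountId, actAsUser, privateKey, now }) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: serviceAccountId, // the 'Service account ID' noted during setup
    sub: actAsUser,        // the domain user whose data will be read
    scope: AUTHORIZED_SCOPES.split(',').map((s) => s.trim()).join(' '), // space separated in the JWT
    aud: 'https://oauth2.googleapis.com/token',
    iat: now,
    exp: now + 3600,       // an assertion is valid for at most one hour
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Decode the claims and check the signature against the matching public key.
function inspectAssertion(jwt, publicKey) {
  const [h, c, s] = jwt.split('.');
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${c}`), publicKey, Buffer.from(s, 'base64url'));
  return { valid, claims: JSON.parse(Buffer.from(c, 'base64url').toString('utf8')) };
}

// Constructed demo values: a throwaway key pair stands in for the .p12 key.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwt = buildAssertion({
    serviceAccountId: 'er-scanner@example-project.iam.gserviceaccount.com', // placeholder
    actAsUser: 'alice@example.com',                                         // placeholder
    privateKey,
    now: 1700000000,
  });
  return inspectAssertion(jwt, publicKey);
}

console.log(demo());
```

Because `sub` can name any user in the domain, whoever holds the .p12 file and its password can read every user's data within the authorized scopes, so store both with the same care as an administrator credential.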
Enterprise Recon scan configuration
In your Enterprise Recon web console, choose to start a new search and add an unlisted target, then select any Google services.
- Google Apps Domain
Your Google Apps domain
- Stored Credentials
Select a set of credentials you've previously saved
- Credential Label
Give your new credential set a name
This should be an administrator account for your Google Apps Domain
This should be your Google Service account ID
- Private Key
Upload your .p12 private key file from Google
- Agent to act as proxy host
Choose a Node Agent
You may now proceed with the scan.
All information in this article is accurate and true as of the last edited date.