• Stars
    star
    554
  • Rank 80,342 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created over 3 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Jenkins Attack Framework

Description

This project can currently perform the following tasks:

  • AccessCheck: Test credentials and provide a rough overview of their access levels

  • ConsoleOutput: Dump the console output of the last build of every job on the server (Can be Gigabytes of data, but good for finding credentials)

  • CreateAPIToken: Creates an API Token for the current user (Or another user if you have administrative credentials)

  • DeleteAPIToken: Deletes an API Token for the current user (Or another user if you have administrative credentials. Lists existing ones if no token supplied)

  • DeleteJob: Delete a Job, or failing that, attempt a number of follow-up mitigations from most-to-least effective.

  • DumpCreds: Dump credentials (Uses administrative credentials to dump credentials via Jenkins Console)

  • DumpCredsViaJob: Dump credentials via job creation and explicit enumeration (User needs at least Add Job permissions)

  • ListAPITokens: List existing API tokens for the current user (Or another user if you have administrative credentials)

  • ListJobs: List existing Jenkins Jobs (Good For finding specific jobs)

  • RunCommand: Run system command and get output/errors back (Uses administrative credentials and Jenkins Console)

  • RunJob: Upload a script and run it as a job. Also run "Ghost Jobs" that don't terminate or show up in Jenkins (after launch)

  • RunScript: Run Groovy scripts (Uses administrative credentials to run a Groovy Script via Jenkins Console)

  • UploadFile: Upload a file (Uses administrative credentials and chunked uploading via Jenkins Console)

  • WhoAmI: Get the credentialed user's Jenkins groups (Usually contains their domain groups)

  • More things are in the works...

Installing

Run the following commands:

git clone [email protected]:Accenture/jenkins-attack-framework.git 
cd jaf
chmod +x jaf
sudo ./jaf --install
./jaf --install

Before you can use the RunJob "ghost job" feature against Windows Jenkins Slaves, you will need to compile the following file data/cpp/windows_ghost_job_helper.cpp using Visual Studio's cl tool (see compile arguments in comment at the top of that file), and then drop the compiled file in data/exe/windows_ghost_job_helper.exe.

Command Line Help

The commandline help should be pretty straight forward, but is provided here with additional notes:

usage: jaf.py <Command> [-h]

Jenkins Attack Framework

positional arguments:
<Command>   Subcommand to run (pass sub command for more detailed help):
			AccessCheck ConsoleOutput CreateAPIToken DeleteAPIToken
			DeleteJob DumpCreds DumpCredsViaJob ListAPITokens ListJobs
			RunCommand RunJob RunScript UploadFile WhoAmI

optional arguments:
-h, --help  show this help message and exit

Common Usage Notes

For every subcommand, you can get more detailed help by calling JAF with the subcommand and no additional options (or the -h option).

Server URL

For every command (other than requesting help), the -s command is required. This should be the full, base URL to the Jenkins instance.

User Agent

JAF will use the following user agent with each request: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36. This was chosen, at least at the time of this release to fit in. If you wish to use a different user-agent, one can be specified with the -u option.

Output Redirection

For every command, you may pass the -o option with a file path. If passed, JAF will write all output (with the exception of some fatal or critical errors) to the file instead of stdout. This option is particularly useful on Windows where console redirection tends to break on random bytes unless you change the code page.

Credentials

If no credentials are provided, JAF will attempt to connect with anonymous credentials. Credentials can be provided via two methods. To provide a single set of credentials use the -a option. Credentials can take three forms: user:password, user:apitoken, or a Cookie string.

In the case of the latter option, the cookie should include the entire cookie (everthing after "Cookie: " in the browser header). Cookie authentication is particularly useful when the Jenkin server uses federation with another Jenkins server for authentication. In this scenario, normal user:password auth will not work. API tokens may still work. If not, authenticate in your browser, then pass the cookie. Cookie authentication can also include a Jenkins Crumb, which should be concatenated to the end of the cookie string to look something like: JSESSIONID.9922756a=node0rhre4wjrdcjz9m4tbqx0qwqn1567.node0|Jenkins-Crumb=f5cb5472851aad76fc45568ef1e4160928d075376fd78c436a58d39b99aae09a

Though JAF can usually determine your authentication type by parsing the string, you can also hint the correct type by prepending your credential string with one of the following (self-explanatory) tags: {USERPASS}, {APITOKEN}, {COOKIE}

For the following two commands, you may pass a single set of credentials using the -a option or you may pass multiple credentials with the -c option: AccessCheck and WhoAmI. The -c option takes either the path to a file which contains one of the aforementioned credential forms per line, or -. If - is passed, JAF will take credentials via stdin instead of from a file (formatting remains the same).

Timeouts, Threads, and Waiting

HTTP Request Timeouts default to 30 seconds. If you would like a shorter or longer timeout, one can be configured with the -n option.

For certain multi-request methods (ConsoleOutput, AccessCheck, or WhoAmI), the number of threads (and thus number of simultaneous requests) can be configured. By default 4 threads are used. To specify a different number of threads pass the -t option.

For the RunCommand, RunJob, and RunScript methods, in addition to setting a total request timeout, you may pass the -x option to explicitly not wait for the request to return. This can be valuable when starting a SOCKS Proxy or similar long running task.

AccessCheck

This method provides a number of heuristic checks for access levels which are useful for an attacker. A negative result should be accurate. A positive result means that the user potentially has the access, but you will need to perform additonal validation. There are simply too many ways to restrict access in Jenkins and no API for determining granular access levels, so results are not always prefectly accurate. Currently this method checks for the following access: Basic Read Access (read), Create Job Access (build), Some level of Admin Access (admin), Script Console Access (script), Scriptler Groovy Script Plugin Access (scriptler)

usage: jaf.py AccessCheck [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
			[-o Output File] [-t <Threads>]
			[-a [<User>:[<Password>|<API Token>]|<Cookie>]]
			[-c <Credential File>]

Jenkins Attack Framework

positional arguments:
AccessCheck           Get Users Rough Level of Access on Jenkins Server

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-t <Threads>, --threads <Threads>
						Number of max concurrent HTTP requests. Defaults to: 4
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-c <Credential File>, --credentialfile <Credential File>
						Credential File ("-" for stdin). Creds in form
						"<User>:<Password>" or "<User>:<API Token>"

ConsoleOutput

This method dumps the console output for the last build of every job that the user can see. You need at least job viewing privileges which is not always possible to determine. This can and often does result in gigabytes (or even terabytes) of output.

usage: jaf.py ConsoleOutput [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
			[-o Output File] [-t <Threads>]
			[-a [<User>:[<Password>|<API Token>]|<Cookie>]]

Jenkins Attack Framework

positional arguments:
ConsoleOutput         Get Latest Console Output from All Jenkins Jobs

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-t <Threads>, --threads <Threads>
						Number of max concurrent HTTP requests. Defaults to: 4
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string

CreateAPIToken

Used to create an API Token for the user who's credentials are supplied. If the --user option is passed, this command will instead create an API token for the supplied user (but you must have administrative /script console access to do this).

Token Name is entirely optional and can be anything even a duplicate of an existing token name. Tokens are shown under the user's configure page (/user/<username>/configure), so pick a name that will blend in (or no name). If no Token Name is specified and you are creating the token for the current user, Jenkins will pick the name Token Created on <Date>. If creating a token with no Token Name as an admin for another user (or even yourself while using the --user option, the name will actually be blank, and the Jenkins API actually makes this kind of difficult to notice).

On successful token creation, the new API Token will be printed to the screen. You should capture this, as this token can never be viewed again.

usage: jaf.py CreateAPIToken [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
			[-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]
			[-U <User Name>] [<Token Name>]

Jenkins Attack Framework

positional arguments:
CreateAPIToken        Create an API Token for your user
<Token Name>          Token Name which is shown under the user's
						configuration page (so pick something that is not too
						suspicious). Can be duplicated (There do not appear to
						be any restrictions on token names). If not provided,
						only token creation date will be shown on user's page.

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-U <User Name>, --user <User Name>
						If provided, will use Jenkins Script Console to add
						token for this user. (Requires Admin "/script"
						permissions)

DeleteAPIToken

Used to delete an API Token for the user who's credentials are supplied. If the --user option is passed, this command will instead delete the API token for the supplied user (but you must have administrative /script console access to do this).

Token Name or UUID is required to actually delete a token. If not supplied, this function effectively acts like ListAPITokens and returns a list of existing tokens. If a Token Name is supplied this command will try to delete that token and alert you on success or failure. If the name matches multiple tokens, no token will be deleted, and you will receive an error message. In that case, you should instead list tokens (either by calling DeleteAPIToken with no additional arguments, or via calling ListAPITokens), then try again with a Token UUID. Deleted tokens cannot be restored, so make sure you are certain before attempting.

usage: jaf.py DeleteAPIToken [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
          [-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]
          [-U <User Name>] [<Token Name or UUID>]

Jenkins Attack Framework

positional arguments:
DeleteAPIToken        Delete an API Token for your user
<Token Name or UUID>  If not specified, command will return list of tokens
						for subsequent calls.

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-U <User Name>, --user <User Name>
						If provided, will use Jenkins Script Console to delete
						token for this user. (Requires Admin "/script"
						permissions)

DeleteJob

Attempts to delete a Jenkins job. If the user does not have the rights, this will instead, attempt to delete all build logs, overwrite the job with a blank job, and then disable the job.

usage: jaf.py DeleteJob [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
			[-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]
			<Task Name>

Jenkins Attack Framework

positional arguments:
DeleteJob             Delete Jenkins Jobs
<Task Name>           Task to Delete

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string

DumpCreds

Should be self explanatory, but this does require administrative credentials with /script access.

usage: jaf.py DumpCreds [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
          [-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]
          [-N <Node>]

Jenkins Attack Framework

positional arguments:
DumpCreds             Dump all Stored Credentials on Jenkins

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-N <Node>, --node <Node>
						Node (Slave) to execute against. Executes against
						"master" if not specified.

DumpCredsViaJob

Dump credentials by creating a Job and explicitly enumerating echoing out all the credentials that are stored and accessible to the user. These credentials are then Base64 encoded so as to prevent Jenkins from redacting them. The credentials are retrieved and formatted. User must have at least Job creation privileges.

usage: jaf.py DumpCredsViaJob [-h] -s <Server> [-u <User-Agent>]
			[-n <Timeout>] [-o Output File]
			[-a [<User>:[<Password>|<API Token>]|<Cookie>]] [-N <Node>]
			[-T <Node Type>] <Task Name>


Jenkins Attack Framework

positional arguments:
DumpCredsViaJob       Dump credentials via explicit enumeration of shared
						credentials in a job (Only requires job creation
						permissions and some shared credentials)
<Task Name>           Task to Create, must be unique (may not be deleted if
						user doesn't have job deletion permissions, so pick
						something that blends in)

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-N <Node>, --node <Node>
						Node to execute against. If specified, you must also
						pass -T
-T <Node Type>, --nodetype <Node Type>
						Node Type, either: "posix" or "windows". If specified,
						you must also pass -N

ListAPITokens

Method simply lists all existing API Tokens for the user who's creds you supplied. If the --user option is passed, this command will instead list the API tokens for the supplied user (but you must have administrative /script console access to do this).

The actual API Tokens cannot be recovered as only a hash is stored, and only Admin users can even access these hashes. So this method is really only useful for getting a list before trying to use CreateAPIToken or DeleteAPIToken.

usage: jaf.py ListAPITokens [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
			[-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]
			[-U <User Name>]

Jenkins Attack Framework

positional arguments:
ListAPITokens         List API Tokens for your user

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-U <User Name>, --user <User Name>
						If provided, will use Jenkins Script Console to query
						tokens for this user. (Requires Admin "/script"
						permissions)

ListJobs

Method simply lists all jobs on the server, recursively.

usage: jaf.py ListJobs [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
			[-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]

Jenkins Attack Framework

positional arguments:
ListJobs              Get List of All Jenkins Job Names

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string

RunCommand

This method wraps passed system commands to capture stdout and stderr and return it. Requires administrative credentials with /script access.

usage: jaf.py RunCommand [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
			[-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]
			[-x] [-N <Node>] <System Command> 

Jenkins Attack Framework

positional arguments:
RunCommand            Run System Command on Jenkins via Jenkins Console
<System Command>      System Command To Run

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-x, --no_wait         Do not wait for Output
-N <Node>, --node <Node>
						Node (Slave) to execute against. Executes against
						"master" if not specified.

RunJob

Allows you to run jobs via Jenkins. The command will upload your script or executable and then execute it. The -e option allows you to specify what program is called to execute your uploaded script, otherwise the script is executed by the default handler. The -A allows you to specify an argument string to pass to your script or executable. For exmple, if both the -e and -A option were passed, your file would be executed in this fashion: <executor> <payload name> <argument string>.

The -g option allows you to run "Ghost Jobs". Ghost jobs are jobs which are launched then terminated and deleted so that they do not continue to show up in Jenkins. Due to some clever hackery with this feature, Jenkins does not terminate these jobs (or mark an executor as in-use), and the jobs can run indefinitely on the executing system. This is an excellent way to upload a SOCKS5 server to a slave and run it on a high port to tunnel traffic with only Create Job permissions.

GHOSTJOB OPSEC WARNING 1: In the case of running a GHOST job on a Windows slave, a helper executable is uploaded. If the slave is running as an administrative user, wmic process call create is used as part of the job termination bypass. You should not use this technique if the Windows Slaves are running EDR.

GHOSTJOB OPSEC WARNING 2: You should ensure that your payloads are designed in such a way as to handle deleting themselves upon completion as in the case of Windows slaves, JAF cannot automatically do this.

usage: jaf.py RunJob [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
			[-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]
			[-x] [-g] [-N <Node>] [-T <Node Type>] [-e <Executor String>]
			[-A <Additional Arguments String>] <Task Name> <Executable File>

Jenkins Attack Framework

positional arguments:
RunJob                Run Jenkins Jobs
<Task Name>           Task to Create, must be unique (may not be deleted if
						user doesn't have job deletion permissions, so pick
						something that blends in)
<Executable File>     Local path to script to upload and run. Should be
						compatible with OS and with expected extension.

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-x, --no_wait         Do not wait for Job. Cannot be specified if -g is
						passed
-g, --ghost           Launch "ghost job", does not show up as a running job
						after initial launch, does not tie up executors, and
						runs indefinitely. Cannot be specified with the -x
						option.
-N <Node>, --node <Node>
						Node (Slave) to execute against. Executes against any
						available node if not specified.
-T <Node Type>, --nodetype <Node Type>
						Node Type, either: "posix" or "windows". If specified,
						you must also pass -N
-e <Executor String>, --executor <Executor String>
						If passed, this command string will be prepended to
						command string ([<Executor String>] <Executable File>
						[<Additional Arguments String>]).
-A <Additional Arguments String>, --args <Additional Arguments String>
						If passed, this will be concatonated to the end of the
						command string ([<Executor String>] <Executable File>
						[<Additional Arguments String>]).

RunScript

Should be self explanatory, but this does require administrative credentials with /script access.

usage: jaf.py RunScript [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
          [-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]
          [-x] [-N <Node>] <Groovy File Path> 

Jenkins Attack Framework

positional arguments:
RunScript             Run Specified Groovy Script via Jenkins Console
<Groovy File Path>    Groovy File Path to Run via Script Console

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-x, --no_wait         Do not wait for Output
-N <Node>, --node <Node>
						Node (Slave) to execute against. Executes against
						"master" if not specified.

UploadFile

This method requires administrative credentials with /script access. This method works by chunking files into pieces small enough to post to the Jenkins server as base64 encoded chunks that are decoded via groovy commands in the console and appended to a file. For this to work, you should ensure that the upload file path is:

  1. a full path (no ~ or other expansion will be done, nor folders created).

  2. write-able by the jenkin's system user.

  3. In the path format for the OS in use.

In addition, it is critical that the file does not already exist. Due to the mulitiple chunk nature, this process is additive. An existing file will result in the upload file being appended to the existing file.

usage: jaf.py UploadFile [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
          [-o Output File] [-a [<User>:[<Password>|<API Token>]|<Cookie>]]
          [-N <Node>] <Upload File> <Upload File Path> 

Jenkins Attack Framework

positional arguments:
UploadFile            Upload file to Jenkins Server via chunked upload
						through Jenkins Console (slow for large files)
<Upload File>         Local Path to File to Upload
<Upload File Path>    Remote Full File Path to Upload To. SHOULD NOT ALREADY
						EXIST! (Upload is appended to existing file)

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-N <Node>, --node <Node>
						Node (Slave) to execute against. Executes against
						"master" if not specified.

WhoAmI

This method is basically a useability wrapper around /api/whoAmI. This page shows the current logged-in users all the Jenkins groups they are in. In the case of a LDAP/Domain-Connected Jenkins, this also includes all domain groups for the user (recursively or not depends on admin settings).

usage: jaf.py WhoAmI [-h] -s <Server> [-u <User-Agent>] [-n <Timeout>]
			[-o Output File] [-t <Threads>]
			[-a [<User>:[<Password>|<API Token>]|<Cookie>]]
			[-c <Credential File>]

Jenkins Attack Framework

positional arguments:
WhoAmI                Get Users Roles and Possibly Domain Groups

optional arguments:
-h, --help            show this help message and exit
-s <Server>, --server <Server>
						Jenkins Server
-u <User-Agent>, --useragent <User-Agent>
						JAF User-Agent. Defaults to: Mozilla/5.0 (Windows NT
						10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
						Gecko) Chrome/80.0.3987.149 Safari/537.36
-n <Timeout>, --timeout <Timeout>
						HTTP Request Timeout (in seconds). Defaults to: 30
-o Output File, --output Output File
						Write Output to File
-t <Threads>, --threads <Threads>
						Number of max concurrent HTTP requests. Defaults to: 4
-a [<User>:[<Password>|<API Token>]|<Cookie>], --authentication [<User>:[<Password>|<API Token>]|<Cookie>]
						User + Password or API Token, or full JSESSIONID
						cookie string
-c <Credential File>, --credentialfile <Credential File>
						Credential File ("-" for stdin). Creds in form
						"<User>:<Password>" or "<User>:<API Token>"

Version Info:

This should be kept up to date with the lastest version info at the top.

1.5.2

Added a bit more postive confirmation when using RunJob with the -g or -x options.

1.5.1

Added the DeleteJob feature to complement RunJob and ListJob.

1.5

Added the RunJob feature including the very powerful GhostJob feature.

Other minor bug fixes, more unit tests, and templating updates.

1.4.1

More code improvements and clean ups.

Added --user option for these commands: CreateAPIToken, DeleteAPIToken, ListAPITokens

1.4

More code improvements and clean ups.

Added three new API Token Commands (and corresponding unit tests): CreateAPIToken, DeleteAPIToken, ListAPITokens

1.3

Fixed a bunch of little bugs.

Wrote a Unit Test Framework for this tool.

Many minor code clean-ups.

Pulled the install_dependencies.sh script into the main jaf wrapper script.

1.2

Major Code Refactor with Plugin Framework.

Added new "DumpCredsViaJob" method.

Added node/slave specification for many of the commands: DumpCreds, DumpCredsViaJob, RunCommand, RunScript, UploadFile

Fixed a bug in UploadFile where back slashes were not being properly escaped in paths.

Updated Credential Dumping Script to dump more types of credentials and domain and ldap binding credentials.

1.1

Fixed some authentication bugs.

1.0

Due to the full re-write/rebranding of Jenkins Miner, this is now version 1.0 of the Jenkins Attack Framework.

Credit

This project was originally developed by Shelby Spencer (@shellster) with the gracious support, funding, and resources of Accenture. The project is wholly owned by Accenture, but is licensed under the MIT license (see LICENSE file).

More Repositories

1

AmpliGraph

Python library for Representation Learning on Knowledge Graphs https://docs.ampligraph.org
Python
2,147
star
2

Spartacus

Spartacus DLL/COM Hijacking Toolkit
C#
989
star
3

adop-docker-compose

Talk to us on Gitter: https://gitter.im/Accenture/ADOP
Shell
765
star
4

reactive-interaction-gateway

Create low-latency, interactive user experiences for stateless microservices.
Elixir
590
star
5

VulFi

IDA Pro plugin for query based searching within the binary useful mainly for vulnerability research.
Python
532
star
6

Codecepticon

.NET/PowerShell/VBA Offensive Security Obfuscator
C#
481
star
7

Ocaramba

C# Framework to automate tests using Selenium WebDriver
C#
277
star
8

CLRvoyance

Managed assembly shellcode generation
Assembly
263
star
9

protobuf-finder

IDA Pro plugin for reconstructing original .proto files from binary.
Python
256
star
10

alexia

A Framework for creating Amazon Echo (Alexa) skills using Node.js
JavaScript
164
star
11

adop-jenkins

Groovy
152
star
12

sfmc-devtools

Fast-track your developers and devops engineers by allowing them to programmatically copy-paste / deploy changes and work offline
JavaScript
137
star
13

Labs-Federated-Learning

Accenture Labs Federated Learning
92
star
14

FirmLoader

Python
90
star
15

mercury

Reference engine for composable applications
Java
81
star
16

serverless-ephemeral

This is a Serverless Framework plugin that helps bundling any stateless zipped library to AWS Lambda.
JavaScript
67
star
17

adop-platform-management

Groovy
60
star
18

adop-cartridge-java

Groovy
59
star
19

Condstanta

Python
56
star
20

EcoSonar

EcoSonar, the ecodesign audit tool
JavaScript
54
star
21

bdd-for-all

Flexible and easy to use library to enable your behavorial driven development (BDD) teams to easily collaborate while promoting automation, transparency and reporting.
Java
51
star
22

Cymple

Cymple - a productivity tool for creating Cypher queries in Python
Python
49
star
23

adop-gerrit

Shell
45
star
24

adop-aws

This repository contains a hardened, 2-tiered implementation of the DevOps Platform -> https://github.com/Accenture/adop-docker-compose
35
star
25

AARO-Bugs

Vulnerabilities, exploits, and PoCs
C
34
star
26

AIR

A deep learning object detector framework written in Python for supporting Land Search and Rescue Missions.
Python
30
star
27

generator-mario

Generator for Backbone/Marionette applications with lots of bells and whistles to help keep a non-trivial sized application moving forward at a breakneck pace!
JavaScript
29
star
28

sfmc-customapp

JavaScript
28
star
29

DBTestCompare

Application to compare results of two SQL queries
Java
25
star
30

AutoFixture.XUnit2.AutoMock

Autofixture auto-mocking for XUnit2 using a mocking library of your choice.
C#
22
star
31

kx.as.code

kx.as.code
Shell
19
star
32

openathon-2019-angular

IV OpenAthon CSE - Angular
TypeScript
19
star
33

OSDU-Ontology

An ontology designed for oil and gas, and subsurface energy data based on the industry standards.
HTML
18
star
34

alexia-starter-kit

Starter Kit project with sample Amazon Echo skill created using Alexia Framework
JavaScript
17
star
35

mv-unreal-aws

C++
16
star
36

tldr

The Lightweight Docker Runtime
Shell
15
star
37

pyheal

PyHeal is a Python wrapper for Microsoft SEAL aimed at making operations easier to use.
Python
15
star
38

openathon-2019-react

Openathon edition organised for the Accenture Technology Custom Open Cloud community where we will have again the opportunity to discover, in a practical way, the possibilities offered by the different architectures and leading frameworks in the market.
JavaScript
15
star
39

openathon-2019-docker

13
star
40

mercury-python

Python language pack for Mercury
Python
12
star
41

openathon-2020-serverless

Openathon VI - Custom Software Engineering
HTML
11
star
42

adop-sonar

Shell
11
star
43

waterfall-config

A simplistic configuration library for Java, heavily based on Typesafehub Config with some additional opinionated features
Java
9
star
44

sfmc-connector

Apex
8
star
45

askme

askme is a simple application designed to solicit immediate feedback during public speaking engagements, and is used as a demo app for multiple application architecture and dev process demos. It's also a cool and useful application in its own right.
JavaScript
8
star
46

adop-nexus

Shell
7
star
47

sfmc-devtools-copado

SFMC DevTools made easy using Copado Multi-Cloud's webinterface
JavaScript
7
star
48

mercury-composable

Reference implementation toolkit for writing composable applications
Java
7
star
49

adop-nginx

CSS
6
star
50

openathon-2020-python

openathon-2020-python
Python
6
star
51

ALM-SF-Metadata-API-Python-Tools

ALM SF Metadata API Python Tools
Python
6
star
52

DX-Mate

DX Mate
TypeScript
5
star
53

sfmc-devtools-vscode

Accenture SFMC DevTools for VS Code
TypeScript
5
star
54

Off-chain-storage-verification

A Blockchain-based Auditing Framework for Off-chain Storage
JavaScript
5
star
55

grails-spring-security-oauth-azure

grails-spring-security-oauth-azure
Groovy
5
star
56

mac-enablement

Shell
5
star
57

ALM-SF-DX-Python-Tools

ALM SF DX Python Tools
Python
5
star
58

adop-jenkins-worker

Dockerfile
4
star
59

adop-ldap-phpadmin

Shell
4
star
60

hiera-aws-sm

A Hiera 5 backend for AWS Secrets Manager
Ruby
4
star
61

Cockpit

Java
4
star
62

digital-products-boosters

digital-products-boosters
JavaScript
4
star
63

ALM-SF-DX-Pipelines

ALM SF DX Pipelines
Groovy
4
star
64

ALM-SF-Metadata-API-Pipelines

ALM SF Metadata API Pipelines
Groovy
4
star
65

openathon-2018-spring-boot-cloud

Materials (detailed guideline and exemplar solution) for the first Openathon organized by Accenture Technology Custom Software Engineering practice in Spain, focused on learning the basic to microservice development with Spring Boot and Spring Cloud.
Java
4
star
66

adop-cartridge-java-regression-tests

Java
3
star
67

speech2spikes

Python
3
star
68

mercury-nodejs

Reference engine for composable applications
TypeScript
3
star
69

alexa-pokitdok

JavaScript
3
star
70

cna-aws-cdk-patterns

TypeScript
3
star
71

openathon-2019-appian

OpenAthon 2019 - Appian
3
star
72

openathon-2021-quarkus

openathon-2021-quarkus
Shell
3
star
73

adop-cartridge-specification

Shell
3
star
74

adop-sensu

Ruby
3
star
75

azure-arc-playground-builder

Azure Arc Quickstart showcasing Arc-enabled App Service & Data Services
Shell
3
star
76

can_dlc_fuzzer

C++
3
star
77

tldr-alb

Application Load Balancer container for the The Lightweight Docker Runtime
Shell
2
star
78

evil_update

C
2
star
79

adop-cartridge-java-pipeline

Groovy
2
star
80

energy-consumption-measuring-toolkit

Python
2
star
81

openathon-2019-docker-spring-boot-app

Java
2
star
82

adop-cartridge-java-environment-template

2
star
83

DBTestCompareGenerator

Tool for generating database tests
C#
2
star
84

Mendix.RecaptchaWidget

JavaScript
2
star
85

adop-ldap-ltb

PHP
2
star
86

morpheus-data-api

Python client to Morpheus Data API https://apidocs.morpheusdata.com
Python
2
star
87

reactive_technologylearningpills

Technology Learning Pills: Reactive
TypeScript
2
star
88

adop-platform-extension-chef

Chef Server v12 extension for the ADOP platform.
2
star
89

Docknet

A pure Numpy implementation of neural networks for educational purposes
Jupyter Notebook
2
star
90

NEC850_Architecture

C++
2
star
91

Mendix.ObjectivityCommons

Java
1
star
92

Mendix.GlobusTheme

Objectivityโ€™s UI resources module and theme for building apps on the Mendix 9 platform.
SCSS
1
star
93

Mendix.IfElse

JavaScript
1
star
94

adop-logstash

1
star
95

Shakespeare_RNN

Python
1
star
96

adop-gitlab

Shell
1
star
97

CIFR_Yara

YARA
1
star
98

Mendix.CssClassSwitcher

A Mendix widget that adds CSS classes determined by a microflow (or nanoflow) to elements determined by CSS selector.
CSS
1
star
99

docker-plaso

Makefile
1
star
100

openathon-2019-docker-angular-app

TypeScript
1
star