Open source tool automates and simplifies testing for known Jenkins exploits
Accenture has released Jenkins Attack Framework (JAF), a new tool aimed at pen testers and red teamers that can reveal ways in which the popular automation server can be abused.
Jenkins is an open source CI/CD pipeline that allows developers to rapidly build, test, and deploy their code. The DevOps tool often stores powerful credentials, proprietary code, and more.
“Historically, Jenkins isn’t securely configured by default,” JAF developer Shelby Spencer, formerly of Accenture, tells The Daily Swig. “It’s often set up and maintained by developers and not security or IT personnel, so it’s often a soft target.”
“If you ask any red team or pen tester what their 10 most common targets are in an environment, most of them would list Jenkins in that list – and yet there aren’t any all-in-one tools for attacking Jenkins that I could find.”
The tool automates and simplifies many common Jenkins attacks and introduces some that may not be well known, Spencer said.
Just the job
The most distinctive feature of the Jenkins Attack Framework, says Spencer, is the ability to dump credentials using only the ‘Create Job’ feature.
“By default, Jenkins shares stored credentials with all users,” the developer said.
“Many attackers are familiar with dumping credentials via the Groovy Console as an admin, but it is also possible to do this as a normal user in a normal job – you just have to list all of the credentials out one-by-one in your job (which was laborious), then obfuscate them, or Jenkins will redact them in the log.
“My tool automates this attack, and it works regardless of the operating system of the Jenkins .”
The tool can also launch what Spencer terms ‘ghost jobs’ – jobs that run on a Jenkins that don’t show up in the Jenkins console, and can execute indefinitely in the background.
This means that an operator with the relatively limited privileges of ‘create job’ and ‘run job’ can potentially set up long-running SOCKS proxies or shells on a Jenkins that aren’t visible within Jenkins.
“I expect and hope that the tool will see wide use and adoption by the red team/pen testing community,” says Spencer.
“I’ve been using it extensively for over a year on engagements, as have all my friends at my prior employer, Accenture.”
“I think the tool also has some valuable features for normal Jenkins users as well, such as the feature that allows the dumping of all Jenkins build logs. I hope that the community provides feedback and feature requests.”