Developing Trust and Gitting Betrayed

NCC Group
Aug 8, 2017 · 2 min read

Written by: Clint Gibler


At NCC Group, one of our core offerings for clients is performing external network penetration tests. In these tests, we attempt to compromise a company’s employee or server machines, perform reconnaissance on the internal network, and finally pivot into the production environment and extract sensitive data such as source code, payment information, or customer data. We then provide recommendations to the client on ways to prevent or mitigate the vulnerabilities we discovered as well as advice on network architecture changes to make future exploitation more difficult.

Over the past few years we’ve performed network penetration tests for a broad range of companies, but one interesting trend we’ve noticed is the network architecture decisions made by companies moving to an agile software development lifecycle, such as developer-focused companies based in the San Francisco Bay Area. These companies often push code to production several times a day and use continuous integration (CI) tools like Jenkins.

We’ve found ourselves in some interesting scenarios, such as:

  • Compromising a staging continuous integration server (Jenkins) from a developer’s machine, which then gave us access to the company’s production Chef repository, allowing us to push a reverse shell to a production server.
  • Using access to a dev/staging Jenkins server to modify code in repositories after it had been through code review; the modified code was then replicated to production.

These examples and many others were largely manual processes. This got us thinking: are there any general lessons we can take away from these attack paths? Would it be possible to build tooling to automate some of these processes and allow us to perform more effective penetration tests in the future?

These questions, and a fair amount of time coding, turned into a talk at BlackHat USA 2017 (Developing Trust and Gitting Betrayed), where we described our experiences attacking trust relationships within developer-focused organisations and released a tool, GitPwnd, to help us and others on future engagements.

GitPwnd is a network penetration tool that uses a git repository for command and control. An attacker pushes commands to compromised machines by specifying a custom payload in a git repository; the target machines then git pull these commands, run them, commit the output to the repo, and git push it back so the attacker can view the results. By integrating into the standard developer workflow, GitPwnd avoids obvious indicators of compromise such as communication with untrusted or suspicious hostnames and IP addresses.
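Because the traffic described above goes to a legitimate git host, a defender cannot rely on hostname or IP reputation and has to look at who is using git and how. The following is an added detection example, not part of the original post or the GitPwnd project: it runs two behavioural checks over constructed process-execution audit lines (the log format, the host roles and the thresholds are assumptions), flagging servers that author commits or push to a repository, and hosts whose git pulls arrive at a fixed, beacon-like cadence.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit lines for illustration only; the format is an assumption.
LOG_LINES = [
    '2017-08-07T10:00:00Z host=prod-web-01 role=production user=deploy cmd="git pull origin master"',
    '2017-08-07T10:05:00Z host=prod-web-01 role=production user=deploy cmd="git pull origin master"',
    '2017-08-07T10:10:00Z host=prod-web-01 role=production user=deploy cmd="git pull origin master"',
    '2017-08-07T10:10:03Z host=prod-web-01 role=production user=deploy cmd="git commit -am output"',
    '2017-08-07T10:10:04Z host=prod-web-01 role=production user=deploy cmd="git push origin master"',
    '2017-08-07T10:15:00Z host=prod-web-01 role=production user=deploy cmd="git pull origin master"',
    '2017-08-07T09:12:00Z host=dev-laptop-7 role=workstation user=alice cmd="git push origin feature"',
    '2017-08-07T11:40:00Z host=dev-laptop-7 role=workstation user=alice cmd="git pull origin master"',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) role=(?P<role>\S+) '
                     r'user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$')
WRITE_SUBCOMMANDS = {"commit", "push"}   # servers consume code; they should not author it
SERVER_ROLES = {"production", "staging"}  # assumed role labels from asset inventory

def parse(line):
    """Return a dict with a parsed timestamp and the git subcommand, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    parts = rec["cmd"].split()
    rec["sub"] = parts[1] if len(parts) > 1 and parts[0] == "git" else None
    return rec

def detect(lines, min_pulls=4, jitter_s=30):
    """Return (rule, host, detail) tuples for server-side repo writes and periodic pulls."""
    alerts, pulls = [], defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["role"] in SERVER_ROLES and rec["sub"] in WRITE_SUBCOMMANDS:
            alerts.append(("server-writes-to-repo", rec["host"], rec["cmd"]))
        if rec["sub"] == "pull":
            pulls[rec["host"]].append(rec["ts"])
    for host, times in pulls.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A near-constant pull interval looks like a beacon rather than a human fetching code.
        if len(times) >= min_pulls and max(gaps) - min(gaps) <= jitter_s:
            alerts.append(("periodic-pull-beacon", host, f"{len(times)} pulls every ~{gaps[0]:.0f}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Deployment tooling that legitimately pulls on a schedule will trip the cadence rule, so in practice the pull check is scoped to hosts and repositories outside an allowlist of known deploy jobs.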

GitPwnd is free, open source, and on GitHub: https://github.com/nccgroup/gitpwnd. Check it out, and please let us know if you have any questions, find bugs, or want to contribute.

Published date: 07 August 2017

Originally published at www.nccgroup.trust.

Keylogged

A cyber security publication from NCC Group
