Jenkins Attack Framework

shellster, published in Nerd For Tech, May 5, 2021

At my previous employer (FusionX/Accenture), I wrote a tool for red team security people to help attack and exploit vulnerabilities in Jenkins applications. These attacks are, for the most part, publicly known, but are time-consuming to execute by hand.

Accenture has graciously agreed to open source the project, and I am excited to share it with the world. Besides the “bog standard” attacks that this tool simplifies and enables, it also brings some new-ish attacks to the public. These attacks include the ability to execute “ghost jobs”, which are jobs that do not show up in Jenkins as executing and can be run indefinitely. These jobs allow an attacker with “create job” permissions to effectively gain persistence on a Jenkins server. In conjunction with other tools, this ability can be used to pivot through a Jenkins server.

Another feature of this tool is the ability to dump all shared credentials in plaintext, even if the attacker only has “create job” permissions and not admin access. The final unique functionality allows an attacker with administrative access to create API tokens for any arbitrary user (something that is not possible through the Jenkins menu).
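Since the attacks above need only “create job” rights, a useful defensive check is to list who holds that permission on a server. The script below is an added example, not part of the original post or of the Jenkins Attack Framework; it assumes the server uses the Matrix Authorization Strategy plugin and its `config.xml` permission format, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a global Jenkins config.xml (not from a real server).
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Create:authenticated</permission>
    <permission>USER:hudson.model.Item.Create:build-bot</permission>
    <permission>GROUP:hudson.model.Item.Read:developers</permission>
  </authorizationStrategy>
</hudson>"""

# Built-in identities that cover every visitor or every logged-in user.
BROAD_SIDS = {"anonymous", "authenticated"}


def parse_entry(text):
    """Split one <permission> value into (kind, permission_id, sid).

    Assumed formats: typed "USER:perm:sid" / "GROUP:perm:sid" and the
    older untyped "perm:sid", reported here with kind "EITHER".
    """
    text = text.strip()
    parts = text.split(":", 2)
    if len(parts) == 3 and parts[0] in ("USER", "GROUP", "EITHER"):
        return parts[0], parts[1], parts[2]
    perm, _, sid = text.partition(":")
    return "EITHER", perm, sid


def holders(config_xml, permission="hudson.model.Item.Create"):
    """Return (kind, sid, is_broad) for every identity granted `permission`."""
    found = []
    for node in ET.fromstring(config_xml).iter("permission"):
        kind, perm, sid = parse_entry(node.text or "")
        if perm == permission:
            found.append((kind, sid, sid in BROAD_SIDS))
    return found


if __name__ == "__main__":
    for kind, sid, broad in holders(SAMPLE_CONFIG):
        flag = "  <-- granted to a built-in broad identity" if broad else ""
        print(f"{kind:6} {sid}{flag}")
```

Any identity this reports should be reviewed as if it could run code on the server and read shared credentials, which is what the post says “create job” allows.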

These and more common attacks are all laid out in the README for the project, which is available here: https://github.com/Accenture/jenkins-attack-framework. Accenture has allowed me to have access to this repository and help maintain it, and new feature PRs are encouraged. The tool is called a “Framework” because it has been designed to make adding additional features (plugins) fairly easy.

Please also check out Accenture’s announcement blog for a more in-depth overview of the tool: https://www.accenture.com/us-en/blogs/cyber-defense/red-teaming-jenkins-attack-framework (link is now dead so I have replaced the actual link with a wayback link)
