SlideShare ist ein Scribd-Unternehmen logo

Intro to Pentesting Jenkins

Als PPTX, PDF herunterladen
B
Brian Hysell

Conduct a few internal pen tests and you’re bound to come across Jenkins, the world’s most popular build automation server. When you encounter it, what do you do? Go beyond a 5-minute Google search and checking for open script consoles. This talk dives into various ways to exploit Jenkins and how to move laterally into sensitive systems.

Software
1 von 36
1 Intro to Pentesting Jenkins February 6th, 2020 Brian D. Hysell
2 • Consultant @ Synopsys Software Integrity Group – Application Pentesting, Network Pentesting, Secure Code Review / Guidelines / Training, etc. – Mostly just grep for passwords, rack up hotel status, write reports • Previously: Consultant @ Accenture Security Threat & Vulnerability Management • Like TV, travel, baking About Me
3 Intro to Jenkins • About Jenkins • Visual Tour • Why Care about Jenkins? • Finding Instances • Initial Access
4 About Jenkins • Most popular CI/CD system – probably 50- 70% marketshare – Open source – Rich plugin ecosystem – Long history of security vulnerabilities • Forked(-ish) from project called Hudson • Used for all sorts of common dev (& often ops) tasks: – Running builds, tests – Publishing built artifacts (NRM, Artifactory, etc.) – Deploying software – Checking uptime/health – Stopping/starting/restarting servers – Applying patches
5 Dashboard (https://gazelle.ihe.net/jenkins/) Visual Tour
6 Project Visual Tour
7 Workspace Visual Tour
8 Build Visual Tour
9 Securing Jenkins (internal or external) should be a major concern across red, purple, and blue teams: • Supply-Chain Integrity: Compromise could lead to backdoored apps deployed to production or customer environments • Intellectual Property Protection: Access to Jenkins can give an (possibly malicious) user source code, binaries, and knowledge of infrastructure/architecture • Privileged Access Management: Instances often contain credentials for source & artifact repositories, test & production systems, etc. • Segmentation: Jenkins supports distributed executors which may span different environments (dev/prod, PCI/non-PCI, different AD domains, etc.) Why Care about Jenkins?
10 Finding Instances • Usually port 8080, also check 8443,80,443, other alternates like 9090,8888 • Nmap Script Engine (NSE) (see right) • HTTP screenshot tools like Aquatone or WitnessMe Script Name Info http-title Look for titles containing “[Jenkins]”, e.g., “Sign In [Jenkins]” or “Dashboard [Jenkins]” (← anonymous read!) http-server-header Jenkins will usually use Jetty http-enum In case of context path issues http-headers Look for X-Hudson* and X- Jenkins* headers http-devframework Includes fingerprints for Jenkins (based on headers) broadcast-jenkins-discover See “Auto-discovering Jenkins on the network”
11 Initial Access • Some level of anonymous access is common, especially internally – Typically read-only – Sometimes administrative! • Check if sign-ups are enabled • Auth bypass: discussed in next section • Conventional techniques: password spraying, brute force, credential stuffing • Get creative; I have found Jenkins creds in: – Build logs of another Jenkins instance – Job env vars on another Jenkins instance – Python scripts in company Artifactory install – Entry point of a Docker container running on a compromised box • Look for both passwords and API keys From http://tuyenvuong.me/programming/deploy-web-application-jenkins-capistrano/ & https://commons.wikimedia.org/wiki/File:Emojione_1F630.svg
12 Scripting & Exploitation • Selected RCE Attack Vectors • Script Console • Build Steps • Dynamic Routing
13 Selected RCE Attack Vectors Vector CVE Access Level Script Console N/A • Overall/RunScripts enabled for anonymous; or • Compromised credentials for user with Overall/RunScripts Build Step N/A • Compromised credentials for user with Job/Build and Job/Configure permissions Script Security Plugin doCheckScript method CVE-2019-1003029, CVE-2019-1003005 (POC) • Overall/Read access enabled for anonymous; or • Compromised credentials; or • Authentication bypass CVE-2018-1000861 Jenkins Remoting (deserialization) CVE-2015-8103 (POC1) • Jenkins CLI port open 1 Protips: https://github.com/NickstaDB/ysoserial/tree/templatesimpl-reverse-shell & https://github.com/BrianOfTheCosmos/broodwich/blob/master/deserialization/src/main/java/party/itistimeto/broodwich/deserialization/CommonsCollectionsThreePayload.java
14 Script Console • Script console – Run arbitrary Groovy code: read/modify Jenkins internals, read/write files, run external commands – Requires Overall/RunScripts permission – should be restricted to admins, but could be applied to lower-privileged users, even anonymous (!) • REST API is convenient: https://support.cloudbees.com/hc/en- us/articles/217509228-execute-groovy-with-a- rest-call – On older versions (<2.96), need Jenkins-Crumb header from /crumbIssuer/api/json: https://wiki.jenkins.io/display/JENKINS/Remote+a ccess+API#RemoteaccessAPI-CSRFProtection • Jenkins CLI can also be nice (useful for other scripting / enumeration tasks as well) • Generic Java RCE tip: make sure to use Process.waitFor() From https://2019.pass-the-salt.org/files/slides/12-Hacking_Jenkins.pdf From https://issues.jenkins-ci.org/browse/JENKINS-46526
15 Build Steps • See if you can create or edit (and then run -- separate permissions!) projects/builds • Builds can contain “Execute shell” or “Execute Windows batch command” steps with code of your choice • Can choose which node to run build on, including master: https://stackoverflow.com/questions/9841156/stick- jobs-to-the-master • Be careful: – If you create a project, delete it after building (if able) – If you have to edit an existing project’s build steps: – Back up config (can do with Jenkins CLI) – Disable email, Slack, etc. notifications – Don’t deploy anything – Check relationships to other projects, triggered builds, etc. – Etc. Overview From https://docs.bitnami.com/installer/apps/jenkins/configuration/use-custom-executable/
16 Build Steps • Many plugins allow execution of user-defined Groovy code, usually as part of build – E.g., Groovy plugin, workflow-cps (“Pipeline: Groovy”) plugin – Other examples: https://wiki.jenkins.io/display/JENKINS/Script+Security+Support+i n+Plugins • Most integrate with Script Security plugin: scripts must be approved by admin or run in sandbox – E.g., Groovy plugin’s “Execute system Groovy script” build step, “Use Groovy Sandbox” option • Sandbox blacklists various classes/methods; see https://github.com/jenkinsci/script-security- plugin/blob/master/src/main/resources/org/jenkinsci/plugins/script security/sandbox/whitelists/ • Sandbox escapes frequently identified; check regression tests in script-security repo for POC: – SECURITY-1579: https://github.com/jenkinsci/script-security- plugin/commit/415b6e2f3fa0c2e4bd2f9c4a589a9e1fc9cbac8b – SECURITY-1658: https://github.com/jenkinsci/script-security- plugin/commit/0e7da14171ed1d03ff72f6910392e630b40a8590 • Sandbox escapes occasionally applicable with only Overall/Read (!), see https://jenkins.io/security/advisory/2017-04-10/ Sandbox Escape Hint: Cause an exception to print output, e.g., java.nio.file.Paths.get(expression + "0") → InvalidPathException
17 Dynamic Routing • Jenkins uses a web framework called Stapler – Same original author as Jenkins (née Hudson) • Stapler parses URLs & calls methods in an EL-like manner against a root object fetched with ServletContext.getAttribute("app") • hudson.WebAppMain.contextInitialized (): “Creates the sole instance of jenkins.model.Jenkins and register it to the ServletContext” • TLDR: URLs in Jenkins are chains of getter and doer method calls against a Jenkins singleton or objects returned higher in the chain Introduction From https://jenkins.io/doc/developer/handling-requests/routing/ Note: if, like I did, you’re wondering about the inconsistency between Jenkins#getLog() and Hudson#getJob() (i.e., which is actually root?): Hudson is a subclass of Jenkins, and it’s an object of that type that hudson.WebAppMain.contextInitialized() registers as root
18 • Exploit URL: /descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox =True&value=[groovy code] – (Jenkins implements DescriptorByNameOwner) ServletContext.getAttribute("app"). – (SecureGroovyScript) getDescriptorByName("org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScr ipt"). – (FormValidation) doCheckScript("[groovy code]", true) • Part of Script Security plugin: not core Jenkins, but very common • Prerequisites: vulnerable plugin & Jenkins versions, read access (including anonymous) • Brian’s super-duper top-secret protip: public class x{public x(){org.kohsuke.stapler.Stapler.getCurrentResponse().getWriter().println("hello world")}} CVE-2019-1003029/CVE-2019-1003005 (doCheckScript) Dynamic Routing
19 • Exploit URL: /securityRealm/user/admin/descriptorByName/… – (Jenkins) ServletContext.getAttribute("app"). – (HudsonPrivateSecurityRealm) getSecurityRealm(). – (User implements DescriptorByNameOwner) getUser("admin"). – (Descriptor) getDescriptorByName("...") • https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing-en/ • Poorly-documented aspect of bypass: getUser(String) is method of HudsonPrivateSecurityRealm (default implementation), not of SecurityRealm abstract class CVE-2018-1000861 (Authentication Bypass Exploit) Dynamic Routing
20 Unauth RCE with CVE-2019-1003029/CVE-2019-1003005 (doCheckScript) Dynamic Routing Diagram from: https://2019.pass-the-salt.org/files/slides/12-Hacking_Jenkins.pdf See also: https://github.com/orangetw/awesome-jenkins-rce-2019, https://github.com/orangetw/awesome- jenkins-rce-2019/pull/2
21 Post-Exploitation & Lateral Movement • Embracing Groovy • Lateral Scripting • Scraping Jenkins • Raiding Stored Credentials • “Persistence” with API Keys • Password Cracking • Miscellaneous Post-Exploitation
22 Embracing Groovy Operation Code Spawn reverse shell https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76 List directory contents (non- recursive) new File('.').eachFile { println(it) } Print file contents println new File('/path/to/file').getText('UTF- 8') Nslookup println InetAddress.getByName('google.com').getHostAddr ess() • Groovy is a JVM-based scripting language • Essentially a superset of Java: supports Java syntax and APIs, plus its own syntax extensions and standard library • Some things you might normally do by dropping into an OS shell you can do straight in Groovy Basics
23 Embracing Groovy Jenkins Internals Programmatically add API token From https://support.cloudbees.com/hc/en-us/articles/115003090592-How-to-re- generate-my-Jenkins-user-token List all admin users From https://stackoverflow.com/a/34274738 If only these could be combined somehow… 😉 More script samples: • https://github.com/cloudbees/jenkins-scripts/ • https://github.com/samrocketman/jenkins-script-console-scripts
24 Lateral Scripting • Script console (when you have permission) & build steps can be run both on Jenkins instance itself and on build nodes/agents • Usually connected through either: – Master → agent SSH connection – Agent → master TCP connection • Agents may be different: – OS (e.g., Linux master with [potentially domain- joined] Windows agent for C# projects) – Environment/segment (e.g., master in dev, agent in / ACL’d to prod [CDE?!] for deployment) If you have Overall/RunScripts access, the “Script Console” menu item will show up for a specific machine when you go to its page (i.e., click it)
25 Scraping Jenkins • Internal Jenkins instances very often have Overall/Read permission set for anonymous users – Compromised credentials, sign-ups apply here too, of course • “Just” read access to Jenkins can be a goldmine – Build logs – Environment variables – Project workspace (source code) – Build artifacts • REST API is easiest, no need to parse HTML • Tools: – https://github.com/DolosGroup/Jenkins-Pillage: build logs, env vars; only lists URLs – https://github.com/lc/jenkinz: build logs – https://github.com/gquere/pwn_jenkins/blob/master/dum p_builds/jenkins_dump_builds.py: build logs, env vars – Jenkins CLI client + Bash Overview & Tools From https://medium.com/@aseem.shrey/mind-your-logs-how-a-build-log-from-a-jenkins-leaked-everything- 603cf07fa85
26 • No magic, just search/grep for things like: – “-p”, “--password” – “Authorization: Basic” – “net use” and similar (Windows creds) – “jenkins-cli.jar” (Jenkins API keys) – eyJ… (JWT) • Have found lots of creds this way: domain users, Jenkins API keys w/ Overall/RunScripts, SSH creds, creds to other parts of deployment infra • Cannot emphasize enough how useful searching through this info can be for lateral movement • Don’t forget to check workspaces too – Artifacts if you’re desperate Finding Credentials Scraping Jenkins
27 Raiding Stored Credentials • Jenkins has a built-in mechanism to store credentials used by build pipelines • Symmetrically encrypted with key stored on disk • With script access: run a Groovy script like https://github.com/DolosGroup/Jenkins- Pillage/blob/master/groovy/decrypt-credentials.groovy • With file system access: grab secrets/master.key, secrets/hudson.util.Secret, and credentials.xml (or other files containing encrypted data) – https://github.com/gquere/pwn_jenkins#files-to-copy-after-compromission – https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py – https://gist.githubusercontent.com/menski/8f9980999ed43246b9b2/raw/ebac1b809ac4c10d4aa2c49b 8bb2a6c37dc4808a/jenkins-decrypt.py – https://github.com/tweksteen/jenkins-decrypt/blob/master/decrypt.py • N.B.: many plugins erroneously store passwords in plain-text config files and/or print them into the value attributes of password inputs on the config page Built-in Storage
28 Raiding Stored Credentials Plugins From https://plugins.jenkins.io/mask-passwords
29 “Persistence” with API Keys • Jenkins <= 2.128: API keys are stored in users/<USERNAME>/config.xml under same symmetric encryption scheme as credentials (may also apply to newer versions with legacy tokens carried over in upgrades) – Decrypt offline with aforementioned scripts – Or read value and then decrypt with println(hudson.util.Secret.decrypt("{...}")) – Or do 100% in-memory with script & Jenkins internal classes • Newer versions are hashed, but support multiple tokens per user – See previous slide for adding new tokens
30 Password Cracking • Potentially helpful for lateral movement to other Jenkins instances, other dev infrastructure (Artifactory, Nexus Repository Manager, GitHub Enterprise, JIRA, etc.) • Hashes stored in $JENKINS_HOME/users/[username]/config.xml • Modern versions of Jenkins use bcrypt – Potentially still worth it to try with a targeted wordlist + rules: jenkins, [company name], scm, password, etc. • Older versions & users that have not logged in since upgrade (I think?) use salted SHA256 – Format: salt:sha256("password{salt}") (from https://www.philipp.haussleiter.de/2011/11/jenkins- password-hash-format/) – Crack by replacing all salts with {salt} and using password.salt as format – echo "salt:hash" | awk -F: '{print $2":{"$1"}"}'
31 Miscellaneous Post-Exploitation • In theory, even when Jenkins does not creds to directly deploy artifacts, you may be able to move laterally by backdooring them – E.g., push backdoored JAR to private Maven repo & wait for it to be downloaded / deployed by another person / system – Probably too risky & too time-consuming for most pentests; difficult to control scope – This & similar attacks should still be kept in mind while threat modeling, though • Jenkins can serve arbitrary static files out of $JENKINS_HOME/userContent – may be good for exfiltration • Regular user session or remember me cookies and API keys can (Usually? Always?) be used interchangeably – Regular user session can access API – API key can access UI
32 Conclusion • Real-World Attack Paths • Recommendations for Security & Ops Engineers
33 • Searched for “jenkins” in an artifact store • Found several Python scripts containing Jenkins usernames and API keys • Hostnames in script incorrect/down, so sprayed against known Jenkins instances • Discovered one valid instance-username-key combination • Enumerated projects with Jenkins CLI; had configure access to one • Backed up config; replaced with system Groovy build step: sandbox escape, add & print API key for all admin users • Used admin key to access “Configure System”; Mask Passwords Plugin config contained password for master deployment service account in clear text Example #1 Real-World Attack Paths
34 • Found Jenkins instance A with anonymous read enabled • Scraped build logs & found API creds for Jenkins instance B • Used script console (over REST API) to grab SSH private key from agent X (connected to B) • SSH’d into Jenkins instance C, then from instance C into agent Y (on PCI network) • Using key on agent Y, SSH’d into prod PCI hosts Example #2 Real-World Attack Paths
35 • Inventory Jenkins systems and patch, patch, patch! • Apply least privilege via matrix-based authorization (preferably project-based matrix) – Never have anonymous script console access – Even “Logged-in users can do anything” is too risky – Anonymous read access may not be terribly risky per se – but disabling is an easy win • Don’t leak creds in build logs, environment variables, workspaces*, artifacts*, etc. – *Dependent on your org’s maturity WRT credential management • Pay requisite attention to Jenkins instances with privileged access: – Access to prod, CDE, publicly-released builds, etc. – Access to master deployment keys/passwords/accounts  Recommendations for Security & Ops Engineers
36 Questions? BrianHysell BrianOfTheCosmos

Empfohlen

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101Shahee Mirza
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 

Empfohlen

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101Shahee Mirza
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingRochester Security Summit
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 

Weitere ähnliche Inhalte

Was ist angesagt?

Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 

Was ist angesagt? (20)

Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 

Ähnlich wie Intro to Pentesting Jenkins

Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
2017 jenkins world
2017 jenkins world2017 jenkins world
2017 jenkins worldBrent Laster
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityMandi Walls
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beMandi Walls
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
 
JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...
JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...
JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...CloudBees
 
Automated testing with Drupal
Automated testing with DrupalAutomated testing with Drupal
Automated testing with DrupalPromet Source
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017Mandi Walls
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDays Riga
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017Mandi Walls
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...PranavPatil822557
 
Drupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployDrupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployJohn Smith
 
Atlanta Jenkins Area Meetup October 22nd 2015
Atlanta Jenkins Area Meetup October 22nd 2015Atlanta Jenkins Area Meetup October 22nd 2015
Atlanta Jenkins Area Meetup October 22nd 2015Kurt Madel
 
XPages -Beyond the Basics
XPages -Beyond the BasicsXPages -Beyond the Basics
XPages -Beyond the BasicsUlrich Krause
 
Pipeline as code - new feature in Jenkins 2
Pipeline as code - new feature in Jenkins 2Pipeline as code - new feature in Jenkins 2
Pipeline as code - new feature in Jenkins 2Michal Ziarnik
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...E. Camden Fisher
 
UKLUG 2012 - XPages, Beyond the basics
UKLUG 2012 - XPages, Beyond the basicsUKLUG 2012 - XPages, Beyond the basics
UKLUG 2012 - XPages, Beyond the basicsUlrich Krause
 

Ähnlich wie Intro to Pentesting Jenkins (20)

Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
2017 jenkins world
2017 jenkins world2017 jenkins world
2017 jenkins world
 
Build Time Hacking
Build Time HackingBuild Time Hacking
Build Time Hacking
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
 
JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...
JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...
JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...
 
Automated testing with Drupal
Automated testing with DrupalAutomated testing with Drupal
Automated testing with Drupal
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 
Drupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployDrupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - Deploy
 
Atlanta Jenkins Area Meetup October 22nd 2015
Atlanta Jenkins Area Meetup October 22nd 2015Atlanta Jenkins Area Meetup October 22nd 2015
Atlanta Jenkins Area Meetup October 22nd 2015
 
XPages -Beyond the Basics
XPages -Beyond the BasicsXPages -Beyond the Basics
XPages -Beyond the Basics
 
Pipeline as code - new feature in Jenkins 2
Pipeline as code - new feature in Jenkins 2Pipeline as code - new feature in Jenkins 2
Pipeline as code - new feature in Jenkins 2
 
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
CT Software Developers Meetup: Using Docker and Vagrant Within A GitHub Pull ...
 
UKLUG 2012 - XPages, Beyond the basics
UKLUG 2012 - XPages, Beyond the basicsUKLUG 2012 - XPages, Beyond the basics
UKLUG 2012 - XPages, Beyond the basics
 

Kürzlich hochgeladen

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 

Kürzlich hochgeladen (20)

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 

Intro to Pentesting Jenkins

  • 1. 1 Intro to Pentesting Jenkins February 6th, 2020 Brian D. Hysell
  • 2. 2 • Consultant @ Synopsys Software Integrity Group – Application Pentesting, Network Pentesting, Secure Code Review / Guidelines / Training, etc. – Mostly just grep for passwords, rack up hotel status, write reports • Previously: Consultant @ Accenture Security Threat & Vulnerability Management • Like TV, travel, baking About Me
  • 3. 3 Intro to Jenkins • About Jenkins • Visual Tour • Why Care about Jenkins? • Finding Instances • Initial Access
  • 4. 4 About Jenkins • Most popular CI/CD system – probably 50- 70% marketshare – Open source – Rich plugin ecosystem – Long history of security vulnerabilities • Forked(-ish) from project called Hudson • Used for all sorts of common dev (& often ops) tasks: – Running builds, tests – Publishing built artifacts (NRM, Artifactory, etc.) – Deploying software – Checking uptime/health – Stopping/starting/restarting servers – Applying patches
  • 9. 9 Securing Jenkins (internal or external) should be a major concern across red, purple, and blue teams: • Supply-Chain Integrity: Compromise could lead to backdoored apps deployed to production or customer environments • Intellectual Property Protection: Access to Jenkins can give an (possibly malicious) user source code, binaries, and knowledge of infrastructure/architecture • Privileged Access Management: Instances often contain credentials for source & artifact repositories, test & production systems, etc. • Segmentation: Jenkins supports distributed executors which may span different environments (dev/prod, PCI/non-PCI, different AD domains, etc.) Why Care about Jenkins?
  • 10. 10 Finding Instances • Usually port 8080, also check 8443,80,443, other alternates like 9090,8888 • Nmap Script Engine (NSE) (see right) • HTTP screenshot tools like Aquatone or WitnessMe Script Name Info http-title Look for titles containing “[Jenkins]”, e.g., “Sign In [Jenkins]” or “Dashboard [Jenkins]” (← anonymous read!) http-server-header Jenkins will usually use Jetty http-enum In case of context path issues http-headers Look for X-Hudson* and X- Jenkins* headers http-devframework Includes fingerprints for Jenkins (based on headers) broadcast-jenkins-discover See “Auto-discovering Jenkins on the network”
  • 11. 11 Initial Access • Some level of anonymous access is common, especially internally – Typically read-only – Sometimes administrative! • Check if sign-ups are enabled • Auth bypass: discussed in next section • Conventional techniques: password spraying, brute force, credential stuffing • Get creative; I have found Jenkins creds in: – Build logs of another Jenkins instance – Job env vars on another Jenkins instance – Python scripts in company Artifactory install – Entry point of a Docker container running on a compromised box • Look for both passwords and API keys From http://tuyenvuong.me/programming/deploy-web-application-jenkins-capistrano/ & https://commons.wikimedia.org/wiki/File:Emojione_1F630.svg
  • 12. 12 Scripting & Exploitation • Selected RCE Attack Vectors • Script Console • Build Steps • Dynamic Routing
  • 13. 13 Selected RCE Attack Vectors Vector CVE Access Level Script Console N/A • Overall/RunScripts enabled for anonymous; or • Compromised credentials for user with Overall/RunScripts Build Step N/A • Compromised credentials for user with Job/Build and Job/Configure permissions Script Security Plugin doCheckScript method CVE-2019-1003029, CVE-2019-1003005 (POC) • Overall/Read access enabled for anonymous; or • Compromised credentials; or • Authentication bypass CVE-2018-1000861 Jenkins Remoting (deserialization) CVE-2015-8103 (POC1) • Jenkins CLI port open 1 Protips: https://github.com/NickstaDB/ysoserial/tree/templatesimpl-reverse-shell & https://github.com/BrianOfTheCosmos/broodwich/blob/master/deserialization/src/main/java/party/itistimeto/broodwich/deserialization/CommonsCollectionsThreePayload.java
  • 14. 14 Script Console • Script console – Run arbitrary Groovy code: read/modify Jenkins internals, read/write files, run external commands – Requires Overall/RunScripts permission – should be restricted to admins, but could be applied to lower-privileged users, even anonymous (!) • REST API is convenient: https://support.cloudbees.com/hc/en- us/articles/217509228-execute-groovy-with-a- rest-call – On older versions (<2.96), need Jenkins-Crumb header from /crumbIssuer/api/json: https://wiki.jenkins.io/display/JENKINS/Remote+a ccess+API#RemoteaccessAPI-CSRFProtection • Jenkins CLI can also be nice (useful for other scripting / enumeration tasks as well) • Generic Java RCE tip: make sure to use Process.waitFor() From https://2019.pass-the-salt.org/files/slides/12-Hacking_Jenkins.pdf From https://issues.jenkins-ci.org/browse/JENKINS-46526
  • 15. 15 Build Steps • See if you can create or edit (and then run -- separate permissions!) projects/builds • Builds can contain “Execute shell” or “Execute Windows batch command” steps with code of your choice • Can choose which node to run build on, including master: https://stackoverflow.com/questions/9841156/stick- jobs-to-the-master • Be careful: – If you create a project, delete it after building (if able) – If you have to edit an existing project’s build steps: – Back up config (can do with Jenkins CLI) – Disable email, Slack, etc. notifications – Don’t deploy anything – Check relationships to other projects, triggered builds, etc. – Etc. Overview From https://docs.bitnami.com/installer/apps/jenkins/configuration/use-custom-executable/
  • 16. 16 Build Steps • Many plugins allow execution of user-defined Groovy code, usually as part of build – E.g., Groovy plugin, workflow-cps (“Pipeline: Groovy”) plugin – Other examples: https://wiki.jenkins.io/display/JENKINS/Script+Security+Support+i n+Plugins • Most integrate with Script Security plugin: scripts must be approved by admin or run in sandbox – E.g., Groovy plugin’s “Execute system Groovy script” build step, “Use Groovy Sandbox” option • Sandbox blacklists various classes/methods; see https://github.com/jenkinsci/script-security- plugin/blob/master/src/main/resources/org/jenkinsci/plugins/script security/sandbox/whitelists/ • Sandbox escapes frequently identified; check regression tests in script-security repo for POC: – SECURITY-1579: https://github.com/jenkinsci/script-security- plugin/commit/415b6e2f3fa0c2e4bd2f9c4a589a9e1fc9cbac8b – SECURITY-1658: https://github.com/jenkinsci/script-security- plugin/commit/0e7da14171ed1d03ff72f6910392e630b40a8590 • Sandbox escapes occasionally applicable with only Overall/Read (!), see https://jenkins.io/security/advisory/2017-04-10/ Sandbox Escape Hint: Cause an exception to print output, e.g., java.nio.file.Paths.get(expression + "0") → InvalidPathException
  • 17. 17 Dynamic Routing • Jenkins uses a web framework called Stapler – Same original author as Jenkins (née Hudson) • Stapler parses URLs & calls methods in an EL-like manner against a root object fetched with ServletContext.getAttribute("app") • hudson.WebAppMain.contextInitialized (): “Creates the sole instance of jenkins.model.Jenkins and register it to the ServletContext” • TLDR: URLs in Jenkins are chains of getter and doer method calls against a Jenkins singleton or objects returned higher in the chain Introduction From https://jenkins.io/doc/developer/handling-requests/routing/ Note: if, like I did, you’re wondering about the inconsistency between Jenkins#getLog() and Hudson#getJob() (i.e., which is actually root?): Hudson is a subclass of Jenkins, and it’s an object of that type that hudson.WebAppMain.contextInitialized() registers as root
  • 18. 18 • Exploit URL: /descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox =True&value=[groovy code] – (Jenkins implements DescriptorByNameOwner) ServletContext.getAttribute("app"). – (SecureGroovyScript) getDescriptorByName("org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScr ipt"). – (FormValidation) doCheckScript("[groovy code]", true) • Part of Script Security plugin: not core Jenkins, but very common • Prerequisites: vulnerable plugin & Jenkins versions, read access (including anonymous) • Brian’s super-duper top-secret protip: public class x{public x(){org.kohsuke.stapler.Stapler.getCurrentResponse().getWriter().println("hello world")}} CVE-2019-1003029/CVE-2019-1003005 (doCheckScript) Dynamic Routing
  • 19. 19 • Exploit URL: /securityRealm/user/admin/descriptorByName/… – (Jenkins) ServletContext.getAttribute("app"). – (HudsonPrivateSecurityRealm) getSecurityRealm(). – (User implements DescriptorByNameOwner) getUser("admin"). – (Descriptor) getDescriptorByName("...") • https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing-en/ • Poorly-documented aspect of bypass: getUser(String) is method of HudsonPrivateSecurityRealm (default implementation), not of SecurityRealm abstract class CVE-2018-1000861 (Authentication Bypass Exploit) Dynamic Routing
  • 20. 20 Unauth RCE with CVE-2019-1003029/CVE-2019-1003005 (doCheckScript) Dynamic Routing Diagram from: https://2019.pass-the-salt.org/files/slides/12-Hacking_Jenkins.pdf See also: https://github.com/orangetw/awesome-jenkins-rce-2019, https://github.com/orangetw/awesome- jenkins-rce-2019/pull/2
  • 21. 21 Post-Exploitation & Lateral Movement • Embracing Groovy • Lateral Scripting • Scraping Jenkins • Raiding Stored Credentials • “Persistence” with API Keys • Password Cracking • Miscellaneous Post-Exploitation
  • 22. 22 Embracing Groovy Operation Code Spawn reverse shell https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76 List directory contents (non- recursive) new File('.').eachFile { println(it) } Print file contents println new File('/path/to/file').getText('UTF- 8') Nslookup println InetAddress.getByName('google.com').getHostAddr ess() • Groovy is a JVM-based scripting language • Essentially a superset of Java: supports Java syntax and APIs, plus its own syntax extensions and standard library • Some things you might normally do by dropping into an OS shell you can do straight in Groovy Basics
  • 23. 23 Embracing Groovy Jenkins Internals Programmatically add API token From https://support.cloudbees.com/hc/en-us/articles/115003090592-How-to-re- generate-my-Jenkins-user-token List all admin users From https://stackoverflow.com/a/34274738 If only these could be combined somehow… 😉 More script samples: • https://github.com/cloudbees/jenkins-scripts/ • https://github.com/samrocketman/jenkins-script-console-scripts
  • 24. 24 Lateral Scripting • Script console (when you have permission) & build steps can be run both on Jenkins instance itself and on build nodes/agents • Usually connected through either: – Master → agent SSH connection – Agent → master TCP connection • Agents may be different: – OS (e.g., Linux master with [potentially domain- joined] Windows agent for C# projects) – Environment/segment (e.g., master in dev, agent in / ACL’d to prod [CDE?!] for deployment) If you have Overall/RunScripts access, the “Script Console” menu item will show up for a specific machine when you go to its page (i.e., click it)
  • 25. 25 Scraping Jenkins • Internal Jenkins instances very often have Overall/Read permission set for anonymous users – Compromised credentials, sign-ups apply here too, of course • “Just” read access to Jenkins can be a goldmine – Build logs – Environment variables – Project workspace (source code) – Build artifacts • REST API is easiest, no need to parse HTML • Tools: – https://github.com/DolosGroup/Jenkins-Pillage: build logs, env vars; only lists URLs – https://github.com/lc/jenkinz: build logs – https://github.com/gquere/pwn_jenkins/blob/master/dum p_builds/jenkins_dump_builds.py: build logs, env vars – Jenkins CLI client + Bash Overview & Tools From https://medium.com/@aseem.shrey/mind-your-logs-how-a-build-log-from-a-jenkins-leaked-everything- 603cf07fa85
  • 26. 26 • No magic, just search/grep for things like: – “-p”, “--password” – “Authorization: Basic” – “net use” and similar (Windows creds) – “jenkins-cli.jar” (Jenkins API keys) – eyJ… (JWT) • Have found lots of creds this way: domain users, Jenkins API keys w/ Overall/RunScripts, SSH creds, creds to other parts of deployment infra • Cannot emphasize enough how useful searching through this info can be for lateral movement • Don’t forget to check workspaces too – Artifacts if you’re desperate Finding Credentials Scraping Jenkins
  • 27. 27 Raiding Stored Credentials • Jenkins has a built-in mechanism to store credentials used by build pipelines • Symmetrically encrypted with key stored on disk • With script access: run a Groovy script like https://github.com/DolosGroup/Jenkins- Pillage/blob/master/groovy/decrypt-credentials.groovy • With file system access: grab secrets/master.key, secrets/hudson.util.Secret, and credentials.xml (or other files containing encrypted data) – https://github.com/gquere/pwn_jenkins#files-to-copy-after-compromission – https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py – https://gist.githubusercontent.com/menski/8f9980999ed43246b9b2/raw/ebac1b809ac4c10d4aa2c49b 8bb2a6c37dc4808a/jenkins-decrypt.py – https://github.com/tweksteen/jenkins-decrypt/blob/master/decrypt.py • N.B.: many plugins erroneously store passwords in plain-text config files and/or print them into the value attributes of password inputs on the config page Built-in Storage
  • 28. 28 Raiding Stored Credentials Plugins From https://plugins.jenkins.io/mask-passwords
  • 29. 29 “Persistence” with API Keys • Jenkins <= 2.128: API keys are stored in users/<USERNAME>/config.xml under same symmetric encryption scheme as credentials (may also apply to newer versions with legacy tokens carried over in upgrades) – Decrypt offline with aforementioned scripts – Or read value and then decrypt with println(hudson.util.Secret.decrypt("{...}")) – Or do 100% in-memory with script & Jenkins internal classes • Newer versions are hashed, but support multiple tokens per user – See previous slide for adding new tokens
  • 30. 30 Password Cracking • Potentially helpful for lateral movement to other Jenkins instances, other dev infrastructure (Artifactory, Nexus Repository Manager, GitHub Enterprise, JIRA, etc.) • Hashes stored in $JENKINS_HOME/users/[username]/config.xml • Modern versions of Jenkins use bcrypt – Potentially still worth it to try with a targeted wordlist + rules: jenkins, [company name], scm, password, etc. • Older versions & users that have not logged in since upgrade (I think?) use salted SHA256 – Format: salt:sha256("password{salt}") (from https://www.philipp.haussleiter.de/2011/11/jenkins- password-hash-format/) – Crack by replacing all salts with {salt} and using password.salt as format – echo "salt:hash" | awk -F: '{print $2":{"$1"}"}'
  • 31. 31 Miscellaneous Post-Exploitation • In theory, even when Jenkins does not creds to directly deploy artifacts, you may be able to move laterally by backdooring them – E.g., push backdoored JAR to private Maven repo & wait for it to be downloaded / deployed by another person / system – Probably too risky & too time-consuming for most pentests; difficult to control scope – This & similar attacks should still be kept in mind while threat modeling, though • Jenkins can serve arbitrary static files out of $JENKINS_HOME/userContent – may be good for exfiltration • Regular user session or remember me cookies and API keys can (Usually? Always?) be used interchangeably – Regular user session can access API – API key can access UI
  • 32. 32 Conclusion • Real-World Attack Paths • Recommendations for Security & Ops Engineers
  • 33. 33 • Searched for “jenkins” in an artifact store • Found several Python scripts containing Jenkins usernames and API keys • Hostnames in script incorrect/down, so sprayed against known Jenkins instances • Discovered one valid instance-username-key combination • Enumerated projects with Jenkins CLI; had configure access to one • Backed up config; replaced with system Groovy build step: sandbox escape, add & print API key for all admin users • Used admin key to access “Configure System”; Mask Passwords Plugin config contained password for master deployment service account in clear text Example #1 Real-World Attack Paths
  • 34. 34 • Found Jenkins instance A with anonymous read enabled • Scraped build logs & found API creds for Jenkins instance B • Used script console (over REST API) to grab SSH private key from agent X (connected to B) • SSH’d into Jenkins instance C, then from instance C into agent Y (on PCI network) • Using key on agent Y, SSH’d into prod PCI hosts Example #2 Real-World Attack Paths
  • 35. 35 • Inventory Jenkins systems and patch, patch, patch! • Apply least privilege via matrix-based authorization (preferably project-based matrix) – Never have anonymous script console access – Even “Logged-in users can do anything” is too risky – Anonymous read access may not be terribly risky per se – but disabling is an easy win • Don’t leak creds in build logs, environment variables, workspaces*, artifacts*, etc. – *Dependent on your org’s maturity WRT credential management • Pay requisite attention to Jenkins instances with privileged access: – Access to prod, CDE, publicly-released builds, etc. – Access to master deployment keys/passwords/accounts  Recommendations for Security & Ops Engineers

Hinweis der Redaktion

  1. https://support.cloudbees.com/hc/en-us/articles/115003090592-How-to-re-generate-my-Jenkins-user-token https://stackoverflow.com/questions/28953687/how-to-identify-admins-on-jenkins-using-groovy-scripts