- Introduction
  - About Me
  - Why this talk?
  - Agenda
- Jenkins Basics
- Offensive Jenkins
  - Enumeration
  - Pipeline Attacks
  - Credentials Dumping
  - Privilege Escalations
  - Forensics
  - Lateral Movement
  - Backdooring
- Jenkins Security Automation
  - Build Log Analysis
  - Script Console Automation
- Q&A
- Jenkills - https://github.com/dibsy/jenkills
  I wrote some quick hacky scripts during my research work, which can be found here.
- Found an exposed Jenkins instance belonging to HPE and reported it to them - https://oxhat.blogspot.com/2023/10/responsible-disclosure-security.html
- https://medium.com/@gustavo.guss/jenkins-archive-artifact-save-file-in-pipeline-ac6d8b569c2c
- https://www.codurance.com/publications/2019/05/30/accessing-and-dumping-jenkins-credentials
- https://owasp.org/www-project-top-10-ci-cd-security-risks/
- DISCLAIMER : NO PUBLIC JENKINS CONTROLLERS WERE EXPLOITED DURING MY RESEARCH
- USE WITH CAUTION : I WILL NOT BE RESPONSIBLE IF THESE TECHNIQUES ARE MISUSED !