SCMKit v1.2 releases: attack SCM systems
SCMKit
Source Code Management Attack Toolkit – SCMKit is a toolkit that can be used to attack SCM systems. SCMKit allows the user to specify the SCM system and attack module to use, along with valid credentials (username/password or API key) for the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise, and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation, and persistence. SCMKit was built with a modular approach so that new modules and SCM systems can be added in the future by the information security community.
Module Details Table
The table below shows where each module is supported.
Attack Scenario | Module | Requires Admin? | GitHub Enterprise | GitLab Enterprise | Bitbucket Server |
---|---|---|---|---|---|
Reconnaissance | listrepo | No | X | X | X |
Reconnaissance | searchrepo | No | X | X | X |
Reconnaissance | searchcode | No | X | X | X |
Reconnaissance | searchfile | No | X | X | X |
Reconnaissance | listsnippet | No | X | | |
Reconnaissance | listrunner | No | X | | |
Reconnaissance | listgist | No | X | | |
Reconnaissance | listorg | No | X | | |
Reconnaissance | privs | No | X | X | |
Persistence | listsshkey | No | X | X | X |
Persistence | removesshkey | No | X | X | X |
Persistence | createsshkey | No | X | X | X |
Persistence | listpat | No | X | X | |
Persistence | removepat | No | X | X | |
Persistence | createpat | Yes (GitLab Enterprise only) | X | X | |
Privilege Escalation | addadmin | Yes | X | X | X |
Privilege Escalation | removeadmin | Yes | X | X | X |
Reconnaissance | adminstats | Yes | X |
Usage
Arguments/Options
- -c, -credential – credential for authentication (username:password or apiKey)
- -s, -system – system to attack (github,gitlab,bitbucket)
- -u, -url – URL for GitHub Enterprise, GitLab Enterprise, or Bitbucket Server
- -m, -module – module to run
- -o, -option – options (when applicable)
Systems (-s, -system)
- github: GitHub Enterprise
- gitlab: GitLab Enterprise
- bitbucket: Bitbucket Server
Modules (-m, -module)
- listrepo: list all repos the current user can see
- searchrepo: search for a given repo
- searchcode: search for code containing keyword search term
- searchfile: search for filename containing keyword search term
- listsnippet: list all snippets of current user
- listrunner: list all GitLab runners available to current user
- listgist: list all gists of current user
- listorg: list all orgs current user belongs to
- privs: get privs of current API token
- addadmin: promote given user to admin role
- removeadmin: demote given user from admin role
- createpat: create personal access token for target user
- listpat: list personal access tokens for a target user
- removepat: remove personal access token for a target user
- createsshkey: create SSH key for current user
- listsshkey: list SSH keys for current user
- removesshkey: remove SSH key for current user
- adminstats: get admin stats (users, repos, orgs, gists)
Changelog v1.2
- Added ability to list shared and group runners in GitLab Enterprise
Download & Use
Copyright 2022 Brett Hawkins