Manual exfiltration is so last year

The work of some pen testers may have just become easier following the release of a new tool said to make data exfiltration from exposed Jenkins servers a walk in the park.

Released by Dolos Group, a network security testing firm, the Jenkins-Pillage tool aims to pull data from Jenkins servers in one automated swoop – eliminating the need for multiple manual steps that can make grabbing credentials, private keys, and source code repositories a tedious venture.

“This tool will attempt to pull console output, environment variables, and workspaces associated with Jenkins builds,” Dolos Group writes on GitHub.

“It works both against unauthenticated and authenticated (with creds) servers.”

Jenkins is an open source automation server that helps developers build, test, and maintain their software.

Despite its intent to streamline the development process, sites running Jenkins have previously fallen prey to widespread cryptomining campaigns due to critical vulnerabilities in its system – some of which are yet to be patched, The Daily Swig reported in May.

Misconfigured Jenkins servers can also lead to remote code execution (RCE), Dolos Group said.

“Jenkins tends to be a treasure trove of information in certain organizations, and it’s all too easy for a developer or operations team to leave something behind ‘just to get things done’,” the firm writes in a blog post published on Monday.

“These ‘builds’ that Jenkins runs, can contain things like the console output of the build process, (basically stdout of a bunch of commands and scripts), associated files in the form of ‘workspaces’, inherited environment variables, and much more.”

But some techniques used to obtain Jenkins data via its console output, environment variables, and workspaces can be lengthy, Dolos Group explained.

“If you come across a Jenkins server during a pen test, we highly recommend taking a look at the accessible internals.” 

“Unfortunately, grabbing all these pieces manually from the web interface can be tedious and a hassle.

“We are releasing Jenkins-Pillage to automatically gather this information more quickly and easily.”

Jenkins-Pillage is available for free through GitHub.