Jenkins Attack Framework (JAF), a new free tool for pentesters to analyze security of automation servers

The Accenture developer group announced the launch of the Jenkins Attack Framework (JAF), a pentesting tool capable of evaluating the multiple ways a Jenkins automation server can be abused. As you’ll remember, Jenkins is an open source CI/CD pipeline that allows developers to create and deploy new code very quickly.

Shelby Spencer, developer of JAF, mentions that the tool is based on the knowledge that historically, Jenkins does not have secure default configurations, plus it is usually configured and maintained by developers, not by specialized personnel.

“Any network team member or pentesting specialist can set out the 10 most common goals in an IT environment and will undoubtedly include a Jenkins implementation. Our automated tool simplifies many of the best-known attacks and introduces some new insights,” Spencer says.

The expert adds that, for developers, the main feature of JAF is the ability to dump credentials using only the “Create Job” feature, which in practice is one way Jenkins shares stored credentials with any user by default.

Experts report that many attackers are familiar with pouring credentials using Groovy Console with administrator access, although it is also possible to do so as a normal user in a normal Jenkins job: “For this, simply list all credentials one by one; This may be a tedious process but the tool is able to automate this attack regardless of the slave operating system,” adds the developer.

The tool can also start what in Jenkins is known as “ghost jobs”: that are jobs running on a Jenkins slave that do not appear in the console and that can run indefinitely in the background. In other words, an operator with relatively limited privileges for the “Create Job” and “Run Job” functions might configure long-running socks, proxies, or shells on a Jenkins slave unnoticed by other users.

Spencer concludes by mentioning that he hopes the pentesting community will be very welcome to the tool: “The JAF developer team has been using the tool for almost a year, getting more than satisfactory results,” he says. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.