Chapter 13

  1. You can use Shodan, ZoomEye, Censys, and so on to identify the Jenkins instance. By default, the Jenkins service runs on port 8080.

  2. There are multiple ways to identify Jenkins, but the most common way is to use HTTP headers. The X-Hudson, X-Jenkins, X-Jenkins-Session, and X-Permission-Implied-By headers are the custom HTTP headers used by Jenkins.

  3. You can experiment with the HTTP headers to see whether a header is blocking your access to the Jenkins instance. You can also add an X-Forwarded-For: 127.0.0.1 header to bypass any ingress access restriction.
  4. Jenkins is an open source tool written in Java that supports CI and CD through its plugin-based architecture. If you have access to the Jenkins instance, you can disrupt the CI/CD pipeline in order to bring down the production/non-production environment. Since Jenkins holds all the code for the applications, you can download the source code to obtain hardcoded credentials and sensitive information, which can then be used for further exploitation.
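The header-based identification from answer 2, as an added example (not code from the book): it parses a raw HTTP response head, flags the Jenkins-specific headers named above and pulls the version out of X-Jenkins, which is useful for inventorying which of your own hosts expose a Jenkins banner. The sample response and the parsed field names are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Custom response headers Jenkins emits (compared case-insensitively).
JENKINS_HEADERS = ("x-hudson", "x-jenkins", "x-jenkins-session", "x-permission-implied-by")

# Constructed sample response head; not captured from a real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Hudson: 1.395\r\n"
    b"X-Jenkins: 2.401.3\r\n"
    b"X-Jenkins-Session: 5a9c12de\r\n"
    b"X-Permission-Implied-By: hudson.security.Permission.GenericRead\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)


def parse_response_head(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x response into its status code and a lowercase header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status_match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    status = int(status_match.group(1)) if status_match else None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed or folded lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def fingerprint_jenkins(raw: bytes) -> Dict[str, object]:
    """Report whether the response looks like Jenkins, which telltale headers
    were present, the version from X-Jenkins (if any) and the status code."""
    parsed = parse_response_head(raw)
    headers: Dict[str, str] = parsed["headers"]  # type: ignore[assignment]
    seen: List[str] = [h for h in JENKINS_HEADERS if h in headers]
    version: Optional[str] = None
    if "x-jenkins" in headers:
        m = re.match(r"\d+(?:\.\d+)*", headers["x-jenkins"])
        version = m.group(0) if m else None
    return {"is_jenkins": bool(seen), "headers_seen": seen,
            "version": version, "status": parsed["status"]}


if __name__ == "__main__":
    print(fingerprint_jenkins(SAMPLE_RESPONSE))
```

A 403 that still carries these headers shows the banner leaks even when anonymous read is disabled, so the check works against hardened and unhardened instances alike.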