One of the most common ways of detecting a Jenkins instance is by analyzing the HTTP response headers. Jenkins puts a lot of information into its response headers, such as version information, the command-line interface (CLI) port, user and group permissions, and more, all of which can be used for further exploitation. A response header from a Jenkins instance can be seen in the following screenshot:
The following are some of the HTTP server response headers for Jenkins instances that can be used for detection:
- X-Hudson
- X-Jenkins
- X-Jenkins-Session
- X-You-Are-Authenticated-As
- X-You-Are-In-Group-Disabled
- X-Required-Permission
- X-Permission-Implied-By
- X-Hudson-CLI-Port
- X-Jenkins-CLI-Port
- X-Jenkins-CLI2-Port
- X-SSH-Endpoint
- X-Hudson-JNLP-Port
- X-Jenkins-JNLP-Port
- X-Jenkins-JNLP-Host
- X-Instance-Identity
- X-Jenkins-Agent-Protocols
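As an added example (not from the original text), the following Python sketch audits a response captured from a Jenkins instance you operate and reports which of the headers listed above it exposes, grouped by what each one discloses. The category labels, the function names, and the sample response values are constructed for illustration.

```python
# Added example: report which of the Jenkins headers listed above a response exposes.
# Category labels and SAMPLE are constructed for illustration, not from the page.
from email.parser import Parser

JENKINS_HEADERS = {
    "version": ["X-Hudson", "X-Jenkins"],
    "session/identity": ["X-Jenkins-Session", "X-Instance-Identity"],
    "authorization": ["X-You-Are-Authenticated-As", "X-You-Are-In-Group-Disabled",
                      "X-Required-Permission", "X-Permission-Implied-By"],
    "service endpoints": ["X-Hudson-CLI-Port", "X-Jenkins-CLI-Port",
                          "X-Jenkins-CLI2-Port", "X-SSH-Endpoint",
                          "X-Hudson-JNLP-Port", "X-Jenkins-JNLP-Port",
                          "X-Jenkins-JNLP-Host", "X-Jenkins-Agent-Protocols"],
}

def parse_headers(raw_response):
    """Drop the body, split off the status line, and parse the header block."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    # Message lookups are case-insensitive, so lowercased names still match.
    return status_line, Parser().parsestr(header_block, headersonly=True)

def audit(raw_response):
    """Return {category: {header: value}} for every listed header that is present."""
    _, headers = parse_headers(raw_response)
    findings = {}
    for category, names in JENKINS_HEADERS.items():
        present = {n: headers[n] for n in names if headers[n] is not None}
        if present:
            findings[category] = present
    return findings

# Constructed sample response; every value is a placeholder.
SAMPLE = ("HTTP/1.1 403 Forbidden\r\n"
          "Content-Type: text/html;charset=utf-8\r\n"
          "X-Hudson: 0.0-example\r\n"
          "X-Jenkins: 0.0.0-example\r\n"
          "X-Jenkins-Session: 00000000\r\n"
          "X-You-Are-Authenticated-As: anonymous\r\n"
          "X-Required-Permission: hudson.model.Hudson.Read\r\n"
          "x-jenkins-cli-port: 50000\r\n"
          "\r\n<html>Authentication required</html>")

if __name__ == "__main__":
    for category, present in audit(SAMPLE).items():
        for name, value in present.items():
            print(f"[{category}] {name}: {value}")
```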
Now that we have learned some common ways to detect Jenkins manually, let's move on to the next phase of penetration testing – enumeration.