DevOps Pipeline Attack Surface

Interactive reference guide for penetration testing DevOps environments

Why Target DevOps?

DevOps platforms are target-rich environments with high-level permissions for managing credentials, creating infrastructure, configuring systems, building code, and deploying applications to production. In a security landscape that places heavy scrutiny on the endpoint, DevOps systems provide an opportunity to live off the land and escalate privileges while maintaining operational security.

Credits: Big love to Tom and Colbert from Accenture (formerly FusionX) for chopping game about this!

Additional Info

Key Takeaways

Target Audience

Beginner/Intermediate Level - Offensive and defensive security practitioners:

Additional Resources

🔍 Internal Pentest - Quick Scan Commands

Use these commands to enumerate the DevOps attack surface on internal network ranges.

Step 1: Generate Target List from IP Ranges

Create target lists from internal CIDR ranges:

# Generate IPs from CIDR ranges (using prips, nmap, or mapcidr)
prips 10.0.0.0/24 > targets.txt
prips 192.168.1.0/24 >> targets.txt
prips 172.16.0.0/16 >> targets.txt

# Or use mapcidr for large ranges
echo "10.0.0.0/8" | mapcidr -silent > targets.txt
echo "192.168.0.0/16" | mapcidr -silent >> targets.txt
echo "172.16.0.0/12" | mapcidr -silent >> targets.txt

# Or use nmap to generate the list
nmap -sL -n 10.0.0.0/24 | awk '/Nmap scan report/{print $NF}' > targets.txt

Step 2: HTTPX - DevOps Service Discovery

Probe internal IPs for DevOps services on common ports:

# Discover DevOps services on common ports (from IP list)
cat targets.txt | httpx -p 80,443,8080,8443,9000,8000,8888,3000,5000,8081,8082,9090,9443,6443,1666,7990,8929,9001,5432,3306,27017,6379,1433,9200,5601,15672,8161,7001 -title -tech-detect -status-code -o live_devops.txt

# Scan a specific CIDR directly
echo "10.0.0.0/24" | mapcidr -silent | httpx -p 80,443,8080,8443,9000,3000,8081,9090,6443 -title -tech-detect -o live_hosts.txt

# Check for DevOps paths on discovered hosts
cat live_hosts.txt | httpx -path "/jenkins/,/gitlab/,/artifactory/,/nexus/,/sonarqube/,/grafana/,/prometheus/,/kibana/,/argocd/,/.git/config,/api/v4/projects,/v2/_catalog" -mc 200,301,302,401,403 -o devops_paths.txt

# Kubernetes API discovery
cat targets.txt | httpx -p 6443,8443,10250,10255 -path "/api,/api/v1,/apis,/healthz,/version" -mc 200,401,403 -o k8s_endpoints.txt

# Perforce server discovery (port 1666)
cat targets.txt | httpx -p 1666 -title -status-code -o perforce_servers.txt

Step 3: Nuclei - Vulnerability Scanning

Scan discovered hosts for DevOps vulnerabilities:

# Full DevOps vulnerability scan
nuclei -l live_devops.txt -tags devops,cicd,jenkins,gitlab,kubernetes,docker,grafana,prometheus,mysql,postgres,mongodb,redis,mssql,wordpress,drupal,joomla,tomcat,weblogic -severity medium,high,critical -o vulns_devops.txt

# Default credentials (critical for internal pentest)
nuclei -l live_devops.txt -tags default-login -severity info,low,medium,high,critical -o default_creds.txt

# Jenkins-specific scans
nuclei -l live_devops.txt -tags jenkins -severity info,low,medium,high,critical -o jenkins_vulns.txt

# GitLab-specific scans
nuclei -l live_devops.txt -tags gitlab -severity info,low,medium,high,critical -o gitlab_vulns.txt

# Kubernetes & container scans
nuclei -l live_devops.txt -tags kubernetes,k8s,docker,container -severity medium,high,critical -o k8s_vulns.txt

# Exposed panels and dashboards
nuclei -l live_devops.txt -tags panel,dashboard,exposed,config -severity info,low,medium,high -o exposed_panels.txt

# CVE-specific scans for critical vulns
nuclei -l live_devops.txt -tags cve -severity critical,high -o critical_cves.txt

Step 4: Combined Internal Recon Pipeline

Full internal network DevOps enumeration workflow:

# === COMPLETE INTERNAL DEVOPS ATTACK SURFACE ENUMERATION ===

# 1. Generate targets from multiple internal ranges
for range in "10.0.0.0/24" "192.168.1.0/24" "172.16.0.0/24"; do
    echo "$range" | mapcidr -silent >> all_targets.txt
done

# 2. Fast port scan for DevOps services
cat all_targets.txt | httpx -p 80,443,8080,8443,9000,3000,5000,8081,9090,6443,8929,7990,1666,9001,5601,9200,5432,3306,27017,6379,1433,15672,8161,7001,5984,9042 -title -tech-detect -status-code -threads 100 -o live_services.txt

# 3. Extract just the URLs for nuclei
cat live_services.txt | cut -d' ' -f1 > live_urls.txt

# 4. Run comprehensive nuclei scan
nuclei -l live_urls.txt -tags devops,cicd,default-login,exposed,panel,jenkins,gitlab,kubernetes,docker,mysql,postgres,mongodb,redis,wordpress,drupal,tomcat,weblogic,activemq,rabbitmq -severity info,low,medium,high,critical -o all_findings.txt

# 5. Check for exposed .git directories
cat live_urls.txt | httpx -path "/.git/config,/.git/HEAD,/.svn/entries" -mc 200 -o exposed_repos.txt

# 6. Screenshot all discovered services
cat live_urls.txt | gowitness file -f - -P screenshots/
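The defender's-side companion to the discovery steps above, added here as example code that is not part of the original guide: a small Python detector that reads web-server access log lines in combined format and flags any source address that requests several of the DevOps discovery paths listed in Steps 2 and 5 within a short window, which is what these httpx sweeps look like from the target's side. The log lines, the path set and the thresholds are constructed assumptions for the example, not values from the original page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths the discovery steps above probe. One source requesting several of them
# within a short window is the signature of an automated DevOps-surface sweep.
DISCOVERY_PATHS = {
    "/jenkins/", "/gitlab/", "/artifactory/", "/nexus/", "/sonarqube/", "/grafana/",
    "/prometheus/", "/kibana/", "/argocd/", "/.git/config", "/.git/HEAD", "/.svn/entries",
    "/api/v4/projects", "/v2/_catalog", "/api/v1", "/apis", "/healthz", "/version",
}
# Combined log format: client ip, ident, user, [timestamp], "request line", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path without query string, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?")[0], int(m.group("status"))

def find_sweeps(lines, min_paths=4, window=timedelta(minutes=5)):
    """Map each source ip to the distinct probe paths it requested, for sources hitting
    at least min_paths distinct probe paths inside one window. Status is ignored on purpose:
    a sweep is just as visible when the probed service does not exist (403/404 still count)."""
    hits = defaultdict(list)  # ip -> [(timestamp, path), ...] for probe paths only
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in DISCOVERY_PATHS:
            hits[rec[0]].append((rec[1], rec[2]))
    sweeps = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start event
            seen = {p for t, p in events[i:] if t - start <= window}
            if len(seen) >= min_paths:
                sweeps[ip] = sorted(seen)
                break
    return sweeps

def _line(ip, hhmmss, path, status):  # helper that builds a constructed combined-format line
    return f'{ip} - - [10/Mar/2024:{hhmmss} +0000] "GET {path} HTTP/1.1" {status} 0 "-" "-"'

SAMPLE_LOG = [  # constructed sample, not taken from any real system
    _line("10.0.5.9", "13:55:01", "/jenkins/", 404), _line("10.0.5.9", "13:55:01", "/gitlab/", 404),
    _line("10.0.5.9", "13:55:02", "/.git/config", 403), _line("10.0.5.9", "13:55:03", "/v2/_catalog", 401),
    _line("10.0.7.21", "13:40:12", "/grafana/", 200),  # a person opening Grafana once: not a sweep
    "not a log line",
]
```

`find_sweeps(SAMPLE_LOG)` reports only 10.0.5.9 with its four probe paths; raise `min_paths` or shorten `window` to tune the rule for a busy internal web tier.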