SCMKit,全称为Source Code Management Attack Toolkit,是一个可以用于对SCM源代码管理系统进行渗透测试的强大工具包。
SCMKit允许广大研究人员指定要使用的SCM系统和渗透测试模块,以及指定相应SCM系统的有效凭证(用户名/密码或API密钥)。当前版本SCMKit支持的SCM系统有GitHub Enterprise、GitLab Enterprise和Bitbucket Server。支持的渗透测试模块包含网络侦查、权限提升和持久化。
SCMKit是以模块化的方式构建的,因此信息安全社区将来可以根据自己的需求添加新的渗透测试模块和支持的SCM系统。
该项目使用了下列第三方库:
代码库 | URL | 许可证 |
---|---|---|
Octokit | https://github.com/octokit/octokit.net | MIT |
Fody | https://github.com/Fody/Fody | MIT |
GitLabApiClient | https://github.com/nmklotas/GitLabApiClient | MIT |
Newtonsoft.Json | https://github.com/JamesNK/Newtonsoft.Json | MIT |
广大研究人员可以使用下列命令将该项目源码克隆至本地:
git clone https://github.com/h4wkst3r/SCMKit.git
我们可以将项目源码导入到Visual Studio中自行构建项目,代码构建需要使用.NET库,可以通过NuGet包管理工具进行安装。
首先,加载Visual Studio项目,然后点击"Tools" --> "NuGet Package Manager" --> "Package Manager Settings"。
点击"NuGet Package Manager" --> "Package Sources"。
使用URL:https://api.nuget.org/v3/index.json添加一个包源地址。
安装下列NuGet包:
Install-Package Costura.Fody -Version 3.3.3 Install-Package Octokit Install-Package GitLabApiClient Install-Package Newtonsoft.Json
接下来,我们就可以开始构建项目代码了。
-c, -credential - 身份验证凭据 (username:password或apiKey) -s, -system - 目标系统(github,gitlab,bitbucket) -u, -url - GitHub Enterprise, GitLab Enterprise或Bitbucket Server的URL地址 -m, -module - 要运行的模块 -o, -option - 参数选项
github: GitHub Enterprise gitlab: GitLab Enterprise bitbucket: Bitbucket Server
listrepo:列出当前用户可以看到的所有代码库 searchrepo:搜索给定的代码库 searchcode:搜索包含关键字搜索项的代码 searchfile:搜索包含关键字搜索项的文件名 listsnippet:列出当前用户的所有代码段 listrunner:列出当前用户可用的所有GitLab运行程序 listgist:列出当前用户的所有gist listorg:列出当前用户所属的所有组织 privs:获取当前API令牌的privs addadmin:将给定用户提升为管理员角色 removeadmin:将给定用户从管理员角色降级 createpat:为目标用户创建个人访问令牌 listpat:列出目标用户的个人访问令牌 removepat:删除目标用户的个人访问令牌 createsshkey:为当前用户创建SSH密钥 listsshkey:列出当前用户的SSH密钥 removeshkey:删除当前用户的SSH密钥 adminstats:获取管理员信息(用户、repo、orgs、gists) protection:获取分支保护设置
GitHub Enterprise
SCMKit.exe -s github -m listrepo -c userName:password -u https://github.something.localSCMKit.exe -s github -m listrepo -c apiKey -u https://github.something.local
GitLab Enterprise
SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.localSCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local
Bitbucket Server
SCMKit.exe -s bitbucket -m listrepo -c userName:password -u https://bitbucket.something.localSCMKit.exe -s bitbucket -m listrepo -c apiKey -u https://bitbucket.something.local
输出样例
C:\>SCMKit.exe -s gitlab -m listrepo -c username:password -u https://gitlab.hogwarts.local==================================================Module: listrepoSystem: gitlabAuth Type: Username/PasswordOptions:Target URL: https://gitlab.hogwarts.localTimestamp: 1/14/2022 8:30:47 PM================================================== Name | Visibility | URL---------------------------------------------------------------------------------------------------------- MaraudersMap | Private | https://gitlab.hogwarts.local/hpotter/maraudersmap testingStuff | Internal | https://gitlab.hogwarts.local/adumbledore/testingstuff Spellbook | Internal | https://gitlab.hogwarts.local/hpotter/spellbook findShortestPathToGryffindorSword | Internal | https://gitlab.hogwarts.local/hpotter/findShortestPathToGryffindorSword charms | Public | https://gitlab.hogwarts.local/hgranger/charms Secret-Spells | Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells Monitoring | Internal | https://gitlab.hogwarts.local/gitlab-instance-10590c85/Monitoring
GitHub Enterprise
SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term"SCMKit.exe -s github -m searchrepo -c apikey -u https://github.something.local -o "some search term"
GitLab Enterprise
SCMKit.exe -s gitlab -m searchrepo -c userName:password -u https://gitlab.something.local -o "some search term"SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term"
Bitbucket Server
SCMKit.exe -s bitbucket -m searchrepo -c userName:password -u https://bitbucket.something.local -o "some search term"SCMKit.exe -s bitbucket -m searchrepo -c apikey -u https://bitbucket.something.local -o "some search term"
输出样例
C:\>SCMKit.exe -s gitlab -m searchrepo -c apiKey -u https://gitlab.hogwarts.local -o "spell"==================================================Module: searchrepoSystem: gitlabAuth Type: API KeyOptions: spellTarget URL: https://gitlab.hogwarts.localTimestamp: 1/14/2022 8:32:30 PM================================================== Name | Visibility | URL---------------------------------------------------------------------------------------------------------- Spellbook | Internal | https://gitlab.hogwarts.local/hpotter/spellbook Secret-Spells | Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells
GitHub Enterprise
SCMKit.exe -s github -m searchcode -c userName:password -u https://github.something.local -o "some search term"SCMKit.exe -s github -m searchcode -c apikey -u https://github.something.local -o "some search term"
GitLab Enterprise
SCMKit.exe -s gitlab -m searchcode -c userName:password -u https://gitlab.something.local -o "some search term"SCMKit.exe -s gitlab -m searchcode -c apikey -u https://gitlab.something.local -o "some search term"
Bitbucket Server
SCMKit.exe -s bitbucket -m searchcode -c userName:password -u https://bitbucket.something.local -o "some search term"SCMKit.exe -s bitbucket -m searchcode -c apikey -u https://bitbucket.something.local -o "some search term"
输出样例
C:\>SCMKit.exe -s gitlab -m searchcode -c username:password -u https://gitlab.hogwarts.local -o "api_key"==================================================Module: searchcodeSystem: gitlabAuth Type: Username/PasswordOptions: api_keyTarget URL: https://gitlab.hogwarts.localTimestamp: 1/14/2022 8:34:14 PM==================================================[>] URL: https://gitlab.hogwarts.local/adumbledore/secret-spells/stuff.txt |_ API_KEY=abc123Total number of items matching code search: 1(向右滑动、查看更多)
GitHub Enterprise
SCMKit.exe -s github -m searchfile -c userName:password -u https://github.something.local -o "some search term"SCMKit.exe -s github -m searchfile -c apikey -u https://github.something.local -o "some search term"
GitLab Enterprise
SCMKit.exe -s gitlab -m searchfile -c userName:password -u https://gitlab.something.local -o "some search term"SCMKit.exe -s gitlab -m searchfile -c apikey -u https://gitlab.something.local -o "some search term"
Bitbucket Server
SCMKit.exe -s bitbucket -m searchfile -c userName:password -u https://bitbucket.something.local -o "some search term"SCMKit.exe -s bitbucket -m searchfile -c apikey -u https://bitbucket.something.local -o "some search term"
输出样例
C:\source\SCMKit\SCMKit\bin\Release>SCMKit.exe -s bitbucket -m searchfile -c apikey -u http://bitbucket.hogwarts.local:7990 -o jenkinsfile==================================================Module: searchfileSystem: bitbucketAuth Type: API KeyOptions: jenkinsfileTarget URL: http://bitbucket.hogwarts.local:7990Timestamp: 1/14/2022 10:17:59 PM==================================================[>] REPO: http://bitbucket.hogwarts.local:7990/scm/~HPOTTER/hpotter [>] FILE: Jenkinsfile[>] REPO: http://bitbucket.hogwarts.local:7990/scm/STUD/cred-decryption [>] FILE: subDir/JenkinsfileTotal matching results: 2(向右滑动、查看更多)
GitLab Enterprise
SCMKit.exe -s gitlab -m listsnippet -c userName:password -u https://gitlab.something.localSCMKit.exe -s gitlab -m listsnippet -c apikey -u https://gitlab.something.local
输出样例
C:\>SCMKit.exe -s gitlab -m listsnippet -c username:password -u https://gitlab.hogwarts.local==================================================Module: listsnippetSystem: gitlabAuth Type: Username/PasswordOptions:Target URL: https://gitlab.hogwarts.localTimestamp: 1/14/2022 9:17:36 PM================================================== Title | Raw URL--------------------------------------------------------------------------------------------- spell-script | https://gitlab.hogwarts.local/-/snippets/2/raw
GitHub Enterprise
SCMKit.exe -s github -m addadmin -c userName:password -u https://github.something.local -o targetUserNameSCMKit.exe -s github -m addadmin -c apikey -u https://github.something.local -o targetUserName
GitLab Enterprise
SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserNameSCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserNameBitbucket ServerSCMKit.exe -s bitbucket -m addadmin -c userName:password -u https://bitbucket.something.local -o targetUserName
输出样例
C:\>SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.hogwarts.local -o hgranger==================================================Module: addadminSystem: gitlabAuth Type: API KeyOptions: hgrangerTarget URL: https://gitlab.hogwarts.localTimestamp: 1/14/2022 9:19:32 PM==================================================[+] SUCCESS: The hgranger user was successfully added to the admin role.
GitHub Enterprise
SCMKit.exe -s github -m removeadmin -c userName:password -u https://github.something.local -o targetUserNameSCMKit.exe -s github -m removeadmin -c apikey -u https://github.something.local -o targetUserName
GitLab Enterprise
SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserNameSCMKit.exe -s gitlab -m removeadmin -c apikey -u https://gitlab.something.local -o targetUserName
Bitbucket Server
SCMKit.exe -s bitbucket -m removeadmin -c userName:password -u https://bitbucket.something.local -o targetUserName
输出样例
C:\>SCMKit.exe -s gitlab -m removeadmin -c username:password -u https://gitlab.hogwarts.local -o hgranger==================================================Module: removeadminSystem: gitlabAuth Type: Username/PasswordOptions: hgrangerTarget URL: https://gitlab.hogwarts.localTimestamp: 1/14/2022 9:20:12 PM==================================================[+] SUCCESS: The hgranger user was successfully removed from the admin role.
本项目的开发与发布遵循Apache-2.0开源许可证协议。
SCMKit:https://github.com/h4wkst3r/SCMKit
https://developer.atlassian.com/server/bitbucket/reference/rest-api/ https://octokitnet.readthedocs.io/en/latest/ https://github.com/octokit/octokit.net https://docs.github.com/en/rest/overview https://docs.gitlab.com/ee/api/api_resources.html https://github.com/nmklotas/GitLabApiClient
精彩推荐