About SCMKit
SCMKit, short for Source Code Management Attack Toolkit, is a toolkit for penetration testing source code management (SCM) systems.
SCMKit lets you specify the SCM system and the attack module to use, together with valid credentials (username/password or API key) for that SCM system. The current version of SCMKit supports GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The supported attack modules cover reconnaissance, privilege escalation and persistence.
SCMKit is built in a modular way so that the security community can add new attack modules and supported SCM systems in the future.
Third-party libraries
This project uses the following third-party libraries:
Library | License
Octokit | MIT
Fody | MIT
GitLabApiClient | MIT
Newtonsoft.Json | MIT
Download
Clone the project source with the following command:
git clone https://github.com/h4wkst3r/SCMKit.git
Building
Import the project source into Visual Studio and build it yourself. The build depends on .NET libraries that are installed through the NuGet package manager.
First, open the Visual Studio project, then click "Tools" --> "NuGet Package Manager" --> "Package Manager Settings".
Click "NuGet Package Manager" --> "Package Sources".
Add a package source with the URL https://api.nuget.org/v3/index.json.
Install the following NuGet packages:
Install-Package Costura.Fody -Version 3.3.3
Install-Package Octokit
Install-Package GitLabApiClient
Install-Package Newtonsoft.Json
The project can then be built.
Usage
Arguments/options
-c, -credential - credentials to authenticate with (username:password or apiKey)
-s, -system - target system (github, gitlab, bitbucket)
-u, -url - URL of the GitHub Enterprise, GitLab Enterprise or Bitbucket Server instance
-m, -module - module to run
-o, -option - module options
Systems (-s, -system)
github: GitHub Enterprise
gitlab: GitLab Enterprise
bitbucket: Bitbucket Server
Modules (-m, -module)
listrepo: list all repositories visible to the current user
searchrepo: search for repositories matching a search term
searchcode: search for code containing a search term
searchfile: search for file names containing a search term
listsnippet: list all snippets of the current user
listrunner: list all GitLab runners available to the current user
listgist: list all gists of the current user
listorg: list all organizations the current user belongs to
privs: get the privileges of the current API token
addadmin: promote a given user to the admin role
removeadmin: demote a given user from the admin role
createpat: create a personal access token for the target user
listpat: list the personal access tokens of the target user
removepat: remove a personal access token of the target user
createsshkey: create an SSH key for the current user
listsshkey: list the SSH keys of the current user
removesshkey: remove an SSH key of the current user
adminstats: get admin stats (users, repos, orgs, gists)
protection: get branch protection settings
Usage examples
Repository enumeration
GitHub Enterprise
SCMKit.exe -s github -m listrepo -c userName:password -u https://github.something.local
SCMKit.exe -s github -m listrepo -c apiKey -u https://github.something.local
GitLab Enterprise
SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.local
SCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local
Bitbucket Server
SCMKit.exe -s bitbucket -m listrepo -c userName:password -u https://bitbucket.something.local
SCMKit.exe -s bitbucket -m listrepo -c apiKey -u https://bitbucket.something.local
Sample output
C:\>SCMKit.exe -s gitlab -m listrepo -c username:password -u https://gitlab.hogwarts.local
==================================================
Module: listrepo
System: gitlab
Auth Type: Username/Password
Options:
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 8:30:47 PM
==================================================

Name | Visibility | URL
----------------------------------------------------------------------------------------------------------
MaraudersMap | Private | https://gitlab.hogwarts.local/hpotter/maraudersmap
testingStuff | Internal | https://gitlab.hogwarts.local/adumbledore/testingstuff
Spellbook | Internal | https://gitlab.hogwarts.local/hpotter/spellbook
findShortestPathToGryffindorSword | Internal | https://gitlab.hogwarts.local/hpotter/findShortestPathToGryffindorSword
charms | Public | https://gitlab.hogwarts.local/hgranger/charms
Secret-Spells | Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells
Monitoring | Internal | https://gitlab.hogwarts.local/gitlab-instance-10590c85/Monitoring
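As an added example, not part of SCMKit or its README, the following Python script parses the report layout shown above (a banner of "Key: value" lines between two rules of "=" characters, followed by a "Name | Visibility | URL" table under a dashed rule) and summarises how many repositories are Private, Internal or Public. On the defensive side this turns an authorised enumeration run into a quick visibility audit of an instance. The sample input is the listrepo output reproduced from this page; the function names and the layout assumptions are my own.

```python
"""Parse the plain-text report SCMKit prints and summarise repository visibility.

Added example, not code from the SCMKit project. It assumes the report layout
shown in the README: a banner of "Key: value" lines between two rules of '='
characters, then a "Name | Visibility | URL" table under a dashed rule.
"""
from collections import Counter
import re

# Constructed sample: the listrepo output reproduced from the README above.
SAMPLE_OUTPUT = """\
C:\\>SCMKit.exe -s gitlab -m listrepo -c username:password -u https://gitlab.hogwarts.local
==================================================
Module: listrepo
System: gitlab
Auth Type: Username/Password
Options:
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 8:30:47 PM
==================================================

Name | Visibility | URL
----------------------------------------------------------------------------------------------------------
MaraudersMap | Private | https://gitlab.hogwarts.local/hpotter/maraudersmap
testingStuff | Internal | https://gitlab.hogwarts.local/adumbledore/testingstuff
Spellbook | Internal | https://gitlab.hogwarts.local/hpotter/spellbook
findShortestPathToGryffindorSword | Internal | https://gitlab.hogwarts.local/hpotter/findShortestPathToGryffindorSword
charms | Public | https://gitlab.hogwarts.local/hgranger/charms
Secret-Spells | Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells
Monitoring | Internal | https://gitlab.hogwarts.local/gitlab-instance-10590c85/Monitoring
"""

EQUALS_RULE = re.compile(r"^={5,}$")   # delimits the banner
DASH_RULE = re.compile(r"^-{5,}$")     # separates table header from rows


def parse_scmkit_output(text):
    """Return (banner, rows).

    banner: dict of the "Key: value" lines (value is "" when empty, as for Options).
    rows:   list of dicts keyed by the table header cells.
    """
    banner = {}
    rows = []
    header = None
    rules_seen = 0
    for line in text.splitlines():
        line = line.rstrip()
        if EQUALS_RULE.match(line):
            rules_seen += 1
            continue
        if rules_seen == 1:
            # Inside the banner: split on the first colon only, so URLs and
            # timestamps that themselves contain ':' stay intact.
            key, _, value = line.partition(":")
            banner[key.strip()] = value.strip()
            continue
        if rules_seen < 2 or not line or DASH_RULE.match(line):
            continue  # command echo before the banner, blank lines, dashed rule
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return banner, rows


def visibility_summary(rows):
    """Count repositories per visibility level, e.g. {'Private': 1, 'Internal': 5, 'Public': 1}."""
    return dict(Counter(r["Visibility"] for r in rows))


def exposed_repos(rows):
    """Names of repositories readable beyond their members (Internal or Public)."""
    return [r["Name"] for r in rows if r["Visibility"] in ("Internal", "Public")]


if __name__ == "__main__":
    banner, rows = parse_scmkit_output(SAMPLE_OUTPUT)
    print(f"{banner['Module']} against {banner['Target URL']} ({banner['Auth Type']})")
    print("Visibility summary:", visibility_summary(rows))
    for name in exposed_repos(rows):
        print("  exposed:", name)
```

The parser keys on the first colon of each banner line so that the target URL and the timestamp, which contain colons themselves, are not truncated; it would need adjusting if a later SCMKit version changed the report layout.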
Repository search
GitHub Enterprise
SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term"
SCMKit.exe -s github -m searchrepo -c apikey -u https://github.something.local -o "some search term"
GitLab Enterprise
SCMKit.exe -s gitlab -m searchrepo -c userName:password -u https://gitlab.something.local -o "some search term"
SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term"
Bitbucket Server
SCMKit.exe -s bitbucket -m searchrepo -c userName:password -u https://bitbucket.something.local -o "some search term"
SCMKit.exe -s bitbucket -m searchrepo -c apikey -u https://bitbucket.something.local -o "some search term"
Sample output
C:\>SCMKit.exe -s gitlab -m searchrepo -c apiKey -u https://gitlab.hogwarts.local -o "spell"
==================================================
Module: searchrepo
System: gitlab
Auth Type: API Key
Options: spell
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 8:32:30 PM
==================================================

Name | Visibility | URL
----------------------------------------------------------------------------------------------------------
Spellbook | Internal | https://gitlab.hogwarts.local/hpotter/spellbook
Secret-Spells | Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells
Code search
GitHub Enterprise
SCMKit.exe -s github -m searchcode -c userName:password -u https://github.something.local -o "some search term"
SCMKit.exe -s github -m searchcode -c apikey -u https://github.something.local -o "some search term"
GitLab Enterprise
SCMKit.exe -s gitlab -m searchcode -c userName:password -u https://gitlab.something.local -o "some search term"
SCMKit.exe -s gitlab -m searchcode -c apikey -u https://gitlab.something.local -o "some search term"
Bitbucket Server
SCMKit.exe -s bitbucket -m searchcode -c userName:password -u https://bitbucket.something.local -o "some search term"
SCMKit.exe -s bitbucket -m searchcode -c apikey -u https://bitbucket.something.local -o "some search term"
Sample output
C:\>SCMKit.exe -s gitlab -m searchcode -c username:password -u https://gitlab.hogwarts.local -o "api_key"
==================================================
Module: searchcode
System: gitlab
Auth Type: Username/Password
Options: api_key
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 8:34:14 PM
==================================================

[>] URL: https://gitlab.hogwarts.local/adumbledore/secret-spells/stuff.txt
|_ API_KEY=abc123

Total number of items matching code search: 1
File search
GitHub Enterprise
SCMKit.exe -s github -m searchfile -c userName:password -u https://github.something.local -o "some search term"
SCMKit.exe -s github -m searchfile -c apikey -u https://github.something.local -o "some search term"
GitLab Enterprise
SCMKit.exe -s gitlab -m searchfile -c userName:password -u https://gitlab.something.local -o "some search term"
SCMKit.exe -s gitlab -m searchfile -c apikey -u https://gitlab.something.local -o "some search term"
Bitbucket Server
SCMKit.exe -s bitbucket -m searchfile -c userName:password -u https://bitbucket.something.local -o "some search term"
SCMKit.exe -s bitbucket -m searchfile -c apikey -u https://bitbucket.something.local -o "some search term"
Sample output
C:\source\SCMKit\SCMKit\bin\Release>SCMKit.exe -s bitbucket -m searchfile -c apikey -u http://bitbucket.hogwarts.local:7990 -o jenkinsfile
==================================================
Module: searchfile
System: bitbucket
Auth Type: API Key
Options: jenkinsfile
Target URL: http://bitbucket.hogwarts.local:7990
Timestamp: 1/14/2022 10:17:59 PM
==================================================

[>] REPO: http://bitbucket.hogwarts.local:7990/scm/~HPOTTER/hpotter
[>] FILE: Jenkinsfile
[>] REPO: http://bitbucket.hogwarts.local:7990/scm/STUD/cred-decryption
[>] FILE: subDir/Jenkinsfile

Total matching results: 2
Snippet listing
GitLab Enterprise
SCMKit.exe -s gitlab -m listsnippet -c userName:password -u https://gitlab.something.local
SCMKit.exe -s gitlab -m listsnippet -c apikey -u https://gitlab.something.local
Sample output
C:\>SCMKit.exe -s gitlab -m listsnippet -c username:password -u https://gitlab.hogwarts.local
==================================================
Module: listsnippet
System: gitlab
Auth Type: Username/Password
Options:
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 9:17:36 PM
==================================================

Title | Raw URL
---------------------------------------------------------------------------------------------
spell-script | https://gitlab.hogwarts.local/-/snippets/2/raw
Add admin
GitHub Enterprise
SCMKit.exe -s github -m addadmin -c userName:password -u https://github.something.local -o targetUserName
SCMKit.exe -s github -m addadmin -c apikey -u https://github.something.local -o targetUserName
GitLab Enterprise
SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName
SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName
Bitbucket Server
SCMKit.exe -s bitbucket -m addadmin -c userName:password -u https://bitbucket.something.local -o targetUserName
Sample output
C:\>SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.hogwarts.local -o hgranger
==================================================
Module: addadmin
System: gitlab
Auth Type: API Key
Options: hgranger
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 9:19:32 PM
==================================================

[+] SUCCESS: The hgranger user was successfully added to the admin role.
Remove admin
GitHub Enterprise
SCMKit.exe -s github -m removeadmin -c userName:password -u https://github.something.local -o targetUserName
SCMKit.exe -s github -m removeadmin -c apikey -u https://github.something.local -o targetUserName
GitLab Enterprise
SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName
SCMKit.exe -s gitlab -m removeadmin -c apikey -u https://gitlab.something.local -o targetUserName
Bitbucket Server
SCMKit.exe -s bitbucket -m removeadmin -c userName:password -u https://bitbucket.something.local -o targetUserName
Sample output
C:\>SCMKit.exe -s gitlab -m removeadmin -c username:password -u https://gitlab.hogwarts.local -o hgranger
==================================================
Module: removeadmin
System: gitlab
Auth Type: Username/Password
Options: hgranger
Target URL: https://gitlab.hogwarts.local
Timestamp: 1/14/2022 9:20:12 PM
==================================================

[+] SUCCESS: The hgranger user was successfully removed from the admin role.
License
This project is developed and released under the Apache-2.0 open-source license.
Project
SCMKit: https://github.com/h4wkst3r/SCMKit
References
https://developer.atlassian.com/server/bitbucket/reference/rest-api/
https://octokitnet.readthedocs.io/en/latest/
https://github.com/octokit/octokit.net
https://docs.github.com/en/rest/overview