documentation/modules/auxiliary/scanner/http/jenkins_enum.md
This module performs unauthenticated enumeration on Jenkins servers. It attempts to discover the Jenkins version, identify unauthenticated accessible endpoints, and gather useful system information when possible.
Jenkins servers that do not enforce strict authentication on certain URLs (such as /script) are susceptible to this enumeration. This module helps penetration testers quickly identify such information leakage.
Jenkins instances may expose sensitive information through misconfigured endpoints. Many companies unintentionally leave URLs like /script and /manage open without authentication, allowing attackers to retrieve system details. If these endpoints return data, it’s a sign that authentication settings might need to be tightened.
msfconsoleuse auxiliary/scanner/http/jenkins_enumset RHOSTS <target IP or CIDR>, set RPORT 8080, set TARGETURI /jenkins/, etcrun[+] 192.168.1.100:8080 - Jenkins Version: 2.319.1
[+] 192.168.1.100:8080 - /script is accessible without authentication (HTTP 200)
[+] 192.168.1.100:8080 - Enumerating plugins...
[+] 192.168.1.100:8080 - Plugin detected: Git Plugin 4.11.3
[+] 192.168.1.100:8080 - System Information:
OS: Linux
OS Version: 5.4.0-77-generic
Architecture: amd64
Jenkins Home: /var/lib/jenkins
[*] 192.168.1.100:8080 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Specifies the target host(s) or IP range to scan. You can input a single IP address, a range, or a CIDR subnet. Default: None (required)
Defines the target port for HTTP connections. Jenkins often runs on port 8080, but the default for this module is 80. Adjust accordingly. Default: 80
The base path of the Jenkins application on the target server. Usually /jenkins/ but can differ based on installation or proxy setup. Default: /jenkins/
The number of concurrent threads to use for faster scanning. Increasing this number can speed up scans but may generate more network traffic or load on the target. Default: 1
Specify a virtual host name for the HTTP Host header if Jenkins is running behind a virtual host or reverse proxy. Default: None
This example demonstrates how to use the jenkins_enum module to enumerate information from a Jenkins server running on the local network at IP 192.168.1.100 on port 8080, where Jenkins is installed at the default /jenkins/ path.
msf > use auxiliary/scanner/http/jenkins_enum
msf auxiliary(scanner/http/jenkins_enum) > set RHOSTS 192.168.1.100
msf auxiliary(scanner/http/jenkins_enum) > set RPORT 8080
msf auxiliary(scanner/http/jenkins_enum) > set TARGETURI /jenkins/
msf auxiliary(scanner/http/jenkins_enum) > run
[*] 192.168.1.100:8080 - Jenkins Version: 2.319.1
[+] 192.168.1.100:8080 - /script is accessible without authentication (HTTP 200)
[*] 192.168.1.100:8080 - Enumerating plugins...
[+] 192.168.1.100:8080 - Plugin detected: Git Plugin 4.11.3
[+] 192.168.1.100:8080 - Plugin detected: Matrix Authorization Strategy 2.6.7
[+] 192.168.1.100:8080 - Plugin detected: Workflow CPS 2.92
[*] 192.168.1.100:8080 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The module retrieves the Jenkins version and installed plugins without requiring credentials, which can help identify vulnerable plugin versions or configuration weaknesses.