Jenkins enumeration using Metasploit

Now that we have covered the manual way of enumerating Jenkins, let's move on and look at the Metasploit Framework's auxiliary jenkins_enum, which takes enumeration one step further.

Metasploit's auxiliary uses methods similar to the ones described in the previous section to perform the recon. This includes checking the X-Jenkins response header value, as well as searching the HTML source for the keyword. The auxiliary can be loaded using the following command:

use auxiliary/scanner/http/jenkins_enum

The following screenshot shows the output of the preceding command:

After setting the options shown in the preceding screenshot, running the auxiliary will detect the version number, as well as perform basic checks:

Now, we can dive a little deeper and examine the source code of the auxiliary in order to understand what exactly the script is doing. By looking at the following screenshot, we can see that the script checks for the following: 

  • /view/All/newJobs: Shows a list of jobs
  • /asynchPeople: Shows a list of users
  • /systemInfo: Prints the system's information
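
Because the auxiliary requests a fixed set of paths, its use leaves a recognizable pattern in the web server's access log. The following detection sketch is an added example, not code from the book or from Metasploit: it flags any client that requests two or more of the three paths listed above within 60 seconds and reports which of them were served with a 200. The combined log format, the window, the threshold, and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths this page lists as checked by jenkins_enum.
RECON_PATHS = ("/view/All/newJobs", "/asynchPeople", "/systemInfo")
# Combined/common access-log format (assumed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def recon_path(raw_path):
    """Map a request path to a recon path, ignoring query string and trailing slash."""
    path = raw_path.split("?", 1)[0].rstrip("/")
    # endswith also matches Jenkins served under a URL prefix such as /jenkins
    return next((p for p in RECON_PATHS if path.endswith(p)), None)

def detect_enumeration(lines, window=timedelta(seconds=60), min_paths=2):
    """Flag clients requesting >= min_paths distinct recon paths within window."""
    hits = defaultdict(list)  # ip -> [(time, path, status)]
    for line in lines:
        m = LOG_RE.match(line)
        path = recon_path(m["path"]) if m else None
        if path:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, path, int(m["status"])))
    findings = {}
    for ip, events in hits.items():
        events.sort()
        for start, _, _ in events:
            burst = [e for e in events if timedelta(0) <= e[0] - start <= window]
            paths = {p for _, p, _ in burst}
            if len(paths) >= min_paths:
                findings[ip] = {
                    "paths": sorted(paths),
                    # 200 = page served to this client without a login challenge
                    "exposed": sorted({p for _, p, s in burst if s == 200}),
                }
                break
    return findings

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:15:01 +0000] "GET /view/All/newJobs HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2024:10:15:01 +0000] "GET /asynchPeople/ HTTP/1.1" 200 8311 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2024:10:15:02 +0000] "GET /systemInfo HTTP/1.1" 403 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:20:00 +0000] "GET /asynchPeople/ HTTP/1.1" 200 8311 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:11:45:00 +0000] "GET /job/build-app/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
]
print(detect_enumeration(SAMPLE_LOG))
```

Any path reported under "exposed" was readable by the requesting client and is a candidate for tightening in the Jenkins authorization settings.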

The following command shows another auxiliary in Metasploit that allows us to brute-force the credentials of Jenkins:

auxiliary/scanner/http/jenkins_login

The following screenshot shows the output of the preceding command:

After we've set the required options and run the module, we'll see that the auxiliary returns the valid credentials. This can be seen in the following screenshot:

Let's now explore Jenkins in the next section.
