How to decrypt Jenkins passwords from credentials.xml?

37

14

I've taken over the project where a lot of Jenkins credentials has passwords or passphrase strings which I need to know in order to progress with the project, unfortunately these weren't documented anywhere.

I've checked the credentials.xml file where these credentials are stored, but they're in not plain text, e.g.:

<passphrase>{AAAAAAAAAAAANzxft/rDzyt8mhxpn3O72dxvVqZksL5vBJ4jNKvAjAA=}</passphrase>

Note: I've changed it slightly for privacy reasons.

How can I decrypt its original password based on the string above?

kenorb

Posted 2017-09-28T16:42:49.333

Reputation: 5 011

I am getting error with the proposed answer: println(hudson.util.Secret.decrypt("{{xxx/wwww+yyyy/zzzz=}}")) The + symbol is breaking the script. Any suggestion?Jay Bau 2019-06-14T17:35:55.460

@JayBau Try with single brackets: "{...}", remove extra once.kenorb 2019-06-17T11:37:28.330

Answers

46

Luckily there is a hudson.util.Secret.decrypt() function which can be used for this, so:

  1. In Jenkins, go to: /script page.
  2. Run the following command:

    println(hudson.util.Secret.decrypt("{XXX=}"))
    

    or:

    println(hudson.util.Secret.fromString("{XXX=}").getPlainText())
    

    where {XXX=} is your encrypted password. This will print the plain password.

    To do opposite, run:

    println(hudson.util.Secret.fromString("some_text").getEncryptedValue())
    

Source: gist at tuxfight3r/jenkins-decrypt.groovy.


Alternatively check the following scripts: tweksteen/jenkins-decrypt, menski/jenkins-decrypt.py.


For more details, check: Credentials storage in Jenkins.

kenorb

Posted 2017-09-28T16:42:49.333

Reputation: 5 011

7

Here is a short snippet you can just run from the jenkins script console, to dump all of your credentials to plain text.

com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getCredentials().forEach{
  it.properties.each { prop, val ->
    println(prop + ' = "' + val + '"')
  }
  println("-----------------------")
}

A more complicated version that lists for non-system credential providers:

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.Credentials
import com.cloudbees.plugins.credentials.domains.Domain
import jenkins.model.Jenkins
def indent = { String text, int indentationCount ->
  def replacement = "\t" * indentationCount
  text.replaceAll("(?m)^", replacement)
}

Jenkins.get().allItems().collectMany{ CredentialsProvider.lookupStores(it).toList()}.unique().forEach { store ->
  Map<Domain, List<Credentials>> domainCreds = [:]
  store.domains.each { domainCreds.put(it, store.getCredentials(it))}
  if (domainCreds.collectMany{ it.value}.empty) {
    return
  }
  def shortenedClassName = store.getClass().name.substring(store.getClass().name.lastIndexOf(".") + 1)
  println "Credentials for store context: ${store.contextDisplayName}, of type $shortenedClassName"
  domainCreds.forEach { domain , creds ->
    println indent("Domain: ${domain.name}", 1)
    creds.each { cred ->
      cred.properties.each { prop, val ->
        println indent("$prop = \"$val\"", 2)
      }
      println indent("-----------------------", 2)
    }
  }
}

Magnus

Posted 2017-09-28T16:42:49.333

Reputation: 171

How to modify this to get credentials from all domains, from all folders ?jmary 2019-08-14T09:47:20.453

@jmary I have added another exampleMagnus 2019-08-15T00:58:17.880

Great thanks :-)jmary 2019-08-16T09:00:01.393

1

For the record, The following snippet to be pasted into the console also does the job :

def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
    com.cloudbees.plugins.credentials.common.StandardUsernameCredentials.class,
    Jenkins.instance,
    null,
    null
)

for(c in creds) {
  if(c instanceof com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey){
    println(String.format("id=%s  desc=%s key=%s\n", c.id, c.description, c.privateKeySource.getPrivateKeys()))
  }
  if (c instanceof com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl){
    println(String.format("id=%s  desc=%s user=%s pass=%s\n", c.id, c.description, c.username, c.password))
  }
}

jmary

Posted 2017-09-28T16:42:49.333

Reputation: 141