ADOKit

Apache-2.0 · C# · v1.4

A modular attack toolkit for Azure DevOps Services that leverages the REST API for reconnaissance, privilege escalation, and persistence.

315 stars · 35 forks · 0 contributors

What is ADOKit?

ADOKit is an open-source attack toolkit designed specifically for Azure DevOps Services. It uses the Azure DevOps REST API to carry out reconnaissance, privilege escalation, and persistence during security assessments. The tool helps security professionals identify vulnerabilities and misconfigurations in Azure DevOps environments that attackers could leverage.

Target Audience

Penetration testers, red teamers, and security researchers focused on cloud and DevOps security, particularly those assessing Azure DevOps Services instances for organizations.

Value Proposition

ADOKit provides a specialized, modular toolkit for attacking Azure DevOps, filling a niche not covered by general-purpose security tools. Its deep integration with Azure DevOps APIs allows for precise emulation of attack techniques relevant to CI/CD pipelines, making it a valuable resource for offensive security assessments.

Overview

Azure DevOps Services Attack Toolkit

Use Cases

Best For

  • Security assessments of Azure DevOps Services instances
  • Red team exercises targeting CI/CD pipelines
  • Identifying exposed credentials and secrets in Azure DevOps code repositories
  • Testing privilege escalation paths within Azure DevOps projects and collections
  • Demonstrating persistence techniques in Azure DevOps environments
  • Educating defenders on Azure DevOps attack vectors and detection strategies

Not Ideal For

  • Teams performing compliance audits that require detailed reporting and logging features
  • Developers seeking a GUI-based tool for routine Azure DevOps management tasks
  • Security assessments targeting other CI/CD platforms like GitHub Actions or GitLab CI

Pros & Cons

Pros

Modular and Extensible Design

Built with a community-driven, modular approach that allows easy addition of new attack modules as techniques evolve, as highlighted in the philosophy and features sections.

Flexible Authentication Methods

Supports multiple authentication types including stolen cookies (UserAuthentication, AadAuthentication), Personal Access Tokens, and Azure access tokens, detailed in the Authentication Options with clear examples.

Comprehensive Reconnaissance Modules

Includes extensive recon capabilities such as enumerating organizations, projects, repositories, users, and searching for credentials in code and build logs, with over 20 modules listed in the Command Modules section.

Clear Permission Documentation

Provides a detailed Module Details Table specifying exact permissions required for each module, helping users understand access requirements and plan attacks effectively.

Cons

Azure DevOps Exclusive Scope

Only targets Azure DevOps Services, making it useless for security assessments of other CI/CD platforms, which limits its applicability in heterogeneous environments.

Command-Line Only Interface

Lacks a graphical user interface, which may be less accessible for users preferring visual tools or automated workflows, relying solely on CLI execution as shown in all examples.

Complex Setup for Custom Builds

Building from source requires installing specific .NET libraries like Costura.Fody via Visual Studio and NuGet, which can be cumbersome for those unfamiliar with the .NET ecosystem, as noted in the Installation/Building section.

Quick Stats

Stars: 315
Forks: 35
Contributors: 0
Open Issues: 0
Last commit: 1 year ago
Created: Since 2023

Tags

#azure-devops #rest-api #red-teaming #penetration-testing #reconnaissance #security-toolkit #attack-simulation #persistence #privilege-escalation #ci-cd-security

Built With

  • Newtonsoft.Json
  • .NET

Included in

CI/CD Attacks · 578

Related Projects

zizmor

Static analysis for GitHub Actions

Stars: 4,939
Forks: 189
Last commit: 19 hours ago

git-dumper

A tool to dump a git repository from a website

Stars: 2,525
Forks: 299
Last commit: 5 days ago

pwn_jenkins

Notes about attacking Jenkins servers

Stars: 2,095
Forks: 326
Last commit: 1 year ago

Secrets Patterns Database

Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.

Stars: 1,479
Forks: 184
Last commit: 9 months ago