Created
December 3, 2019 02:26
-
-
Save rhovelz/59fe4456545e272a8094c26d42d6fc32 to your computer and use it in GitHub Desktop.
Changed a bit from original LinEnum.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| version="version 0.981" | |
| Thorough = 1 | |
| #A script to enumerate local information from a Linux host | |
| #Special Thanks to @rebootuser | |
| #help function | |
| usage () | |
| { | |
| echo -e "\n\e[00;31m#########################################################\e[00m" | |
| echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" | |
| echo -e "\e[00;31m#########################################################\e[00m" | |
| echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m" | |
| echo -e "\e[00;33m# $version\e[00m\n" | |
| echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[00m\n" | |
| echo "OPTIONS:" | |
| echo "-k Enter keyword" | |
| echo "-e Enter export location" | |
| echo "-s Supply user password for sudo checks (INSECURE)" | |
| echo "-t Include thorough (lengthy) tests" | |
| echo "-r Enter report name" | |
| echo "-h Displays this help text" | |
| echo -e "\n" | |
| echo "Running with no options = limited scans/no output file" | |
| echo -e "\e[00;31m#########################################################\e[00m" | |
| } | |
| header() | |
| { | |
| echo -e "\n\e[00;31m#########################################################\e[00m" | |
| echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" | |
| echo -e "\e[00;31m#########################################################\e[00m" | |
| echo -e "\e[00;33m# www.rebootuser.com\e[00m" | |
| echo -e "\e[00;33m# $version\e[00m\n" | |
| } | |
| debug_info() | |
| { | |
| echo "[-] Debug Info" | |
| if [ "$keyword" ]; then | |
| echo "[+] Searching for the keyword $keyword in conf, php, ini and log files" | |
| fi | |
| if [ "$report" ]; then | |
| echo "[+] Report name = $report" | |
| fi | |
| if [ "$export" ]; then | |
| echo "[+] Export location = $export" | |
| fi | |
| if [ "$thorough" ]; then | |
| echo "[+] Thorough tests = Enabled" | |
| else | |
| echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m" | |
| fi | |
| sleep 2 | |
| if [ "$export" ]; then | |
| mkdir $export 2>/dev/null | |
| format=$export/LinEnum-export-`date +"%d-%m-%y"` | |
| mkdir $format 2>/dev/null | |
| fi | |
| if [ "$sudopass" ]; then | |
| echo -e "\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\e[00m" | |
| read -s userpassword | |
| echo | |
| fi | |
| who=`whoami` 2>/dev/null | |
| echo -e "\n" | |
| echo -e "\e[00;33mScan started at:"; date | |
| echo -e "\e[00m\n" | |
| } | |
| # useful binaries (thanks to https://gtfobins.github.io/) | |
| binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh' | |
| system_info() | |
| { | |
| echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" | |
| #basic kernel info | |
| unameinfo=`uname -a 2>/dev/null` | |
| if [ "$unameinfo" ]; then | |
| echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo" | |
| echo -e "\n" | |
| fi | |
| procver=`cat /proc/version 2>/dev/null` | |
| if [ "$procver" ]; then | |
| echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver" | |
| echo -e "\n" | |
| fi | |
| #search all *-release files for version info | |
| release=`cat /etc/*-release 2>/dev/null` | |
| if [ "$release" ]; then | |
| echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release" | |
| echo -e "\n" | |
| fi | |
| #target hostname info | |
| hostnamed=`hostname 2>/dev/null` | |
| if [ "$hostnamed" ]; then | |
| echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed" | |
| echo -e "\n" | |
| fi | |
| } | |
| user_info() | |
| { | |
| echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" | |
| #current user details | |
| currusr=`id 2>/dev/null` | |
| if [ "$currusr" ]; then | |
| echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr" | |
| echo -e "\n" | |
| fi | |
| #last logged on user information | |
| lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null` | |
| if [ "$lastlogedonusrs" ]; then | |
| echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs" | |
| echo -e "\n" | |
| fi | |
| #who else is logged on | |
| loggedonusrs=`w 2>/dev/null` | |
| if [ "$loggedonusrs" ]; then | |
| echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs" | |
| echo -e "\n" | |
| fi | |
| #lists all id's and respective group(s) | |
| grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null` | |
| if [ "$grpinfo" ]; then | |
| echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo" | |
| echo -e "\n" | |
| fi | |
| #added by phackt - look for adm group (thanks patrick) | |
| adm_users=$(echo -e "$grpinfo" | grep "(adm)") | |
| if [[ ! -z $adm_users ]]; | |
| then | |
| echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users" | |
| echo -e "\n" | |
| fi | |
| #checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) | |
| hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null` | |
| if [ "$hashesinpasswd" ]; then | |
| echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" | |
| echo -e "\n" | |
| fi | |
| #contents of /etc/passwd | |
| readpasswd=`cat /etc/passwd 2>/dev/null` | |
| if [ "$readpasswd" ]; then | |
| echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$readpasswd" ]; then | |
| mkdir $format/etc-export/ 2>/dev/null | |
| cp /etc/passwd $format/etc-export/passwd 2>/dev/null | |
| fi | |
| #checks to see if the shadow file can be read | |
| readshadow=`cat /etc/shadow 2>/dev/null` | |
| if [ "$readshadow" ]; then | |
| echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$readshadow" ]; then | |
| mkdir $format/etc-export/ 2>/dev/null | |
| cp /etc/shadow $format/etc-export/shadow 2>/dev/null | |
| fi | |
| #checks to see if /etc/master.passwd can be read - BSD 'shadow' variant | |
| readmasterpasswd=`cat /etc/master.passwd 2>/dev/null` | |
| if [ "$readmasterpasswd" ]; then | |
| echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$readmasterpasswd" ]; then | |
| mkdir $format/etc-export/ 2>/dev/null | |
| cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null | |
| fi | |
| #all root accounts (uid 0) | |
| superman=`grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null` | |
| if [ "$superman" ]; then | |
| echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman" | |
| echo -e "\n" | |
| fi | |
| #pull out vital sudoers info | |
| sudoers=`grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null` | |
| if [ "$sudoers" ]; then | |
| echo -e "\e[00;31m[-] Sudoers configuration (condensed):\e[00m$sudoers" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$sudoers" ]; then | |
| mkdir $format/etc-export/ 2>/dev/null | |
| cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null | |
| fi | |
| #can we sudo without supplying a password | |
| sudoperms=`echo '' | sudo -S -l -k 2>/dev/null` | |
| if [ "$sudoperms" ]; then | |
| echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms" | |
| echo -e "\n" | |
| fi | |
| #check sudo perms - authenticated | |
| if [ "$sudopass" ]; then | |
| if [ "$sudoperms" ]; then | |
| : | |
| else | |
| sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null` | |
| if [ "$sudoauth" ]; then | |
| echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth" | |
| echo -e "\n" | |
| fi | |
| fi | |
| fi | |
| ##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated | |
| if [ "$sudopass" ]; then | |
| if [ "$sudoperms" ]; then | |
| : | |
| else | |
| sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null` | |
| if [ "$sudopermscheck" ]; then | |
| echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck" | |
| echo -e "\n" | |
| fi | |
| fi | |
| fi | |
| #known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) | |
| sudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null` | |
| if [ "$sudopwnage" ]; then | |
| echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage" | |
| echo -e "\n" | |
| fi | |
| #who has sudoed in the past | |
| whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null` | |
| if [ "$whohasbeensudo" ]; then | |
| echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo" | |
| echo -e "\n" | |
| fi | |
| #checks to see if roots home directory is accessible | |
| rthmdir=`ls -ahl /root/ 2>/dev/null` | |
| if [ "$rthmdir" ]; then | |
| echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir" | |
| echo -e "\n" | |
| fi | |
| #displays /home directory permissions - check if any are lax | |
| homedirperms=`ls -ahl /home/ 2>/dev/null` | |
| if [ "$homedirperms" ]; then | |
| echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms" | |
| echo -e "\n" | |
| fi | |
| #looks for files we can write to that don't belong to us | |
| if [ "$thorough" = "1" ]; then | |
| grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null` | |
| if [ "$grfilesall" ]; then | |
| echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall" | |
| echo -e "\n" | |
| fi | |
| fi | |
| #looks for files that belong to us | |
| if [ "$thorough" = "1" ]; then | |
| ourfilesall=`find / -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null` | |
| if [ "$ourfilesall" ]; then | |
| echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall" | |
| echo -e "\n" | |
| fi | |
| fi | |
| #looks for hidden files | |
| if [ "$thorough" = "1" ]; then | |
| hiddenfiles=`find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null` | |
| if [ "$hiddenfiles" ]; then | |
| echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles" | |
| echo -e "\n" | |
| fi | |
| fi | |
| #looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch | |
| if [ "$thorough" = "1" ]; then | |
| wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null` | |
| if [ "$wrfileshm" ]; then | |
| echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm" | |
| echo -e "\n" | |
| fi | |
| fi | |
| if [ "$thorough" = "1" ]; then | |
| if [ "$export" ] && [ "$wrfileshm" ]; then | |
| mkdir $format/wr-files/ 2>/dev/null | |
| for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null | |
| fi | |
| fi | |
| #lists current user's home directory contents | |
| if [ "$thorough" = "1" ]; then | |
| homedircontents=`ls -ahl ~ 2>/dev/null` | |
| if [ "$homedircontents" ] ; then | |
| echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents" | |
| echo -e "\n" | |
| fi | |
| fi | |
| #checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch | |
| if [ "$thorough" = "1" ]; then | |
| sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;` | |
| if [ "$sshfiles" ]; then | |
| echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles" | |
| echo -e "\n" | |
| fi | |
| fi | |
| if [ "$thorough" = "1" ]; then | |
| if [ "$export" ] && [ "$sshfiles" ]; then | |
| mkdir $format/ssh-files/ 2>/dev/null | |
| for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null | |
| fi | |
| fi | |
| #is root permitted to login via ssh | |
| sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'` | |
| if [ "$sshrootlogin" = "yes" ]; then | |
| echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | |
| echo -e "\n" | |
| fi | |
| } | |
| environmental_info() | |
| { | |
| echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m" | |
| #env information | |
| envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null` | |
| if [ "$envinfo" ]; then | |
| echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo" | |
| echo -e "\n" | |
| fi | |
| #check if selinux is enabled | |
| sestatus=`sestatus 2>/dev/null` | |
| if [ "$sestatus" ]; then | |
| echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus" | |
| echo -e "\n" | |
| fi | |
| #phackt | |
| #current path configuration | |
| pathinfo=`echo $PATH 2>/dev/null` | |
| if [ "$pathinfo" ]; then | |
| pathswriteable=`ls -ld $(echo $PATH | tr ":" " ")` | |
| echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo" | |
| echo -e "$pathswriteable" | |
| echo -e "\n" | |
| fi | |
| #lists available shells | |
| shellinfo=`cat /etc/shells 2>/dev/null` | |
| if [ "$shellinfo" ]; then | |
| echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo" | |
| echo -e "\n" | |
| fi | |
| #current umask value with both octal and symbolic output | |
| umaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null` | |
| if [ "$umaskvalue" ]; then | |
| echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue" | |
| echo -e "\n" | |
| fi | |
| #umask value as in /etc/login.defs | |
| umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null` | |
| if [ "$umaskdef" ]; then | |
| echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef" | |
| echo -e "\n" | |
| fi | |
| #password policy information as stored in /etc/login.defs | |
| logindefs=`grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null` | |
| if [ "$logindefs" ]; then | |
| echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$logindefs" ]; then | |
| mkdir $format/etc-export/ 2>/dev/null | |
| cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null | |
| fi | |
| } | |
| job_info() | |
| { | |
| echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" | |
| #are there any cron jobs configured | |
| cronjobs=`ls -la /etc/cron* 2>/dev/null` | |
| if [ "$cronjobs" ]; then | |
| echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs" | |
| echo -e "\n" | |
| fi | |
| #can we manipulate these jobs in any way | |
| cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;` | |
| if [ "$cronjobwwperms" ]; then | |
| echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" | |
| echo -e "\n" | |
| fi | |
| #contab contents | |
| crontabvalue=`cat /etc/crontab 2>/dev/null` | |
| if [ "$crontabvalue" ]; then | |
| echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue" | |
| echo -e "\n" | |
| fi | |
| crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null` | |
| if [ "$crontabvar" ]; then | |
| echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" | |
| echo -e "\n" | |
| fi | |
| anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null` | |
| if [ "$anacronjobs" ]; then | |
| echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs" | |
| echo -e "\n" | |
| fi | |
| anacrontab=`ls -la /var/spool/anacron 2>/dev/null` | |
| if [ "$anacrontab" ]; then | |
| echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" | |
| echo -e "\n" | |
| fi | |
| #pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command) | |
| cronother=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null` | |
| if [ "$cronother" ]; then | |
| echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother" | |
| echo -e "\n" | |
| fi | |
| # list systemd timers | |
| if [ "$thorough" = "1" ]; then | |
| # include inactive timers in thorough mode | |
| systemdtimers="$(systemctl list-timers --all 2>/dev/null)" | |
| info="" | |
| else | |
| systemdtimers="$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)" | |
| # replace the info in the output with a hint towards thorough mode | |
| info="\e[2mEnable thorough tests to see inactive timers\e[00m" | |
| fi | |
| if [ "$systemdtimers" ]; then | |
| echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info" | |
| echo -e "\n" | |
| fi | |
| } | |
| networking_info() | |
| { | |
| echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" | |
| #nic information | |
| nicinfo=`/sbin/ifconfig -a 2>/dev/null` | |
| if [ "$nicinfo" ]; then | |
| echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo" | |
| echo -e "\n" | |
| fi | |
| #nic information (using ip) | |
| nicinfoip=`/sbin/ip a 2>/dev/null` | |
| if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then | |
| echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip" | |
| echo -e "\n" | |
| fi | |
| arpinfo=`arp -a 2>/dev/null` | |
| if [ "$arpinfo" ]; then | |
| echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo" | |
| echo -e "\n" | |
| fi | |
| arpinfoip=`ip n 2>/dev/null` | |
| if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then | |
| echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip" | |
| echo -e "\n" | |
| fi | |
| #dns settings | |
| nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null` | |
| if [ "$nsinfo" ]; then | |
| echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo" | |
| echo -e "\n" | |
| fi | |
| nsinfosysd=`systemd-resolve --status 2>/dev/null` | |
| if [ "$nsinfosysd" ]; then | |
| echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd" | |
| echo -e "\n" | |
| fi | |
| #default route configuration | |
| defroute=`route 2>/dev/null | grep default` | |
| if [ "$defroute" ]; then | |
| echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute" | |
| echo -e "\n" | |
| fi | |
| #default route configuration | |
| defrouteip=`ip r 2>/dev/null | grep default` | |
| if [ ! "$defroute" ] && [ "$defrouteip" ]; then | |
| echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip" | |
| echo -e "\n" | |
| fi | |
| #listening TCP | |
| tcpservs=`netstat -ntpl 2>/dev/null` | |
| if [ "$tcpservs" ]; then | |
| echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs" | |
| echo -e "\n" | |
| fi | |
| tcpservsip=`ss -t -l -n 2>/dev/null` | |
| if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then | |
| echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip" | |
| echo -e "\n" | |
| fi | |
| #listening UDP | |
| udpservs=`netstat -nupl 2>/dev/null` | |
| if [ "$udpservs" ]; then | |
| echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs" | |
| echo -e "\n" | |
| fi | |
| udpservsip=`ss -u -l -n 2>/dev/null` | |
| if [ ! "$udpservs" ] && [ "$udpservsip" ]; then | |
| echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip" | |
| echo -e "\n" | |
| fi | |
| } | |
| services_info() | |
| { | |
| echo -e "\e[00;33m### SERVICES #############################################\e[00m" | |
| #running processes | |
| psaux=`ps aux 2>/dev/null` | |
| if [ "$psaux" ]; then | |
| echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux" | |
| echo -e "\n" | |
| fi | |
| #lookup process binary path and permissisons | |
| procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null` | |
| if [ "$procperm" ]; then | |
| echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$procperm" ]; then | |
| procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null` | |
| mkdir $format/ps-export/ 2>/dev/null | |
| for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null | |
| fi | |
| #anything 'useful' in inetd.conf | |
| inetdread=`cat /etc/inetd.conf 2>/dev/null` | |
| if [ "$inetdread" ]; then | |
| echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$inetdread" ]; then | |
| mkdir $format/etc-export/ 2>/dev/null | |
| cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null | |
| fi | |
| #very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each | |
| inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` | |
| if [ "$inetdbinperms" ]; then | |
| echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms" | |
| echo -e "\n" | |
| fi | |
| xinetdread=`cat /etc/xinetd.conf 2>/dev/null` | |
| if [ "$xinetdread" ]; then | |
| echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$xinetdread" ]; then | |
| mkdir $format/etc-export/ 2>/dev/null | |
| cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null | |
| fi | |
| xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null` | |
| if [ "$xinetdincd" ]; then | |
| echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null | |
| echo -e "\n" | |
| fi | |
| #very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each | |
| xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` | |
| if [ "$xinetdbinperms" ]; then | |
| echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms" | |
| echo -e "\n" | |
| fi | |
| initdread=`ls -la /etc/init.d 2>/dev/null` | |
| if [ "$initdread" ]; then | |
| echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread" | |
| echo -e "\n" | |
| fi | |
| #init.d files NOT belonging to root! | |
| initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` | |
| if [ "$initdperms" ]; then | |
| echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms" | |
| echo -e "\n" | |
| fi | |
| rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null` | |
| if [ "$rcdread" ]; then | |
| echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" | |
| echo -e "\n" | |
| fi | |
| #init.d files NOT belonging to root! | |
| rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` | |
| if [ "$rcdperms" ]; then | |
| echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms" | |
| echo -e "\n" | |
| fi | |
| usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null` | |
| if [ "$usrrcdread" ]; then | |
| echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" | |
| echo -e "\n" | |
| fi | |
| #rc.d files NOT belonging to root! | |
| usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` | |
| if [ "$usrrcdperms" ]; then | |
| echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms" | |
| echo -e "\n" | |
| fi | |
| initread=`ls -la /etc/init/ 2>/dev/null` | |
| if [ "$initread" ]; then | |
| echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread" | |
| echo -e "\n" | |
| fi | |
| # upstart scripts not belonging to root | |
| initperms=`find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` | |
| if [ "$initperms" ]; then | |
| echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms" | |
| echo -e "\n" | |
| fi | |
| systemdread=`ls -lthR /lib/systemd/ 2>/dev/null` | |
| if [ "$systemdread" ]; then | |
| echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread" | |
| echo -e "\n" | |
| fi | |
| # systemd files not belonging to root | |
| systemdperms=`find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` | |
| if [ "$systemdperms" ]; then | |
| echo -e "\e[00;33m[+] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms" | |
| echo -e "\n" | |
| fi | |
| } | |
| software_configs() | |
| { | |
| echo -e "\e[00;33m### SOFTWARE #############################################\e[00m" | |
| #sudo version - check to see if there are any known vulnerabilities with this | |
| sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null` | |
| if [ "$sudover" ]; then | |
| echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover" | |
| echo -e "\n" | |
| fi | |
| #mysql details - if installed | |
| mysqlver=`mysql --version 2>/dev/null` | |
| if [ "$mysqlver" ]; then | |
| echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver" | |
| echo -e "\n" | |
| fi | |
| #checks to see if root/root will get us a connection | |
| mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null` | |
| if [ "$mysqlconnect" ]; then | |
| echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect" | |
| echo -e "\n" | |
| fi | |
| #mysql version details | |
| mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null` | |
| if [ "$mysqlconnectnopass" ]; then | |
| echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass" | |
| echo -e "\n" | |
| fi | |
| #postgres details - if installed | |
| postgver=`psql -V 2>/dev/null` | |
| if [ "$postgver" ]; then | |
| echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver" | |
| echo -e "\n" | |
| fi | |
| #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this | |
| postcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version` | |
| if [ "$postcon1" ]; then | |
| echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" | |
| echo -e "\n" | |
| fi | |
| postcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version` | |
| if [ "$postcon11" ]; then | |
| echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" | |
| echo -e "\n" | |
| fi | |
| postcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version` | |
| if [ "$postcon2" ]; then | |
| echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" | |
| echo -e "\n" | |
| fi | |
| postcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version` | |
| if [ "$postcon22" ]; then | |
| echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" | |
| echo -e "\n" | |
| fi | |
| #apache details - if installed | |
| apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null` | |
| if [ "$apachever" ]; then | |
| echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever" | |
| echo -e "\n" | |
| fi | |
| #what account is apache running under | |
| apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null` | |
| if [ "$apacheusr" ]; then | |
| echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$apacheusr" ]; then | |
| mkdir --parents $format/etc-export/apache2/ 2>/dev/null | |
| cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null | |
| fi | |
| #installed apache modules | |
| apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null` | |
| if [ "$apachemodules" ]; then | |
| echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules" | |
| echo -e "\n" | |
| fi | |
| #htpasswd check | |
| htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null` | |
| if [ "$htpasswd" ]; then | |
| echo -e "\e[00;33m[-] htpasswd found - could contain passwords:\e[00m\n$htpasswd" | |
| echo -e "\n" | |
| fi | |
| #anything in the default http home dirs (a thorough only check as output can be large) | |
| if [ "$thorough" = "1" ]; then | |
| apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null` | |
| if [ "$apachehomedirs" ]; then | |
| echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs" | |
| echo -e "\n" | |
| fi | |
| fi | |
| } | |
| interesting_files() | |
| { | |
| echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" | |
| #checks to see if various files are installed | |
| echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null | |
| echo -e "\n" | |
| #limited search for installed compilers | |
| compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null` | |
| if [ "$compiler" ]; then | |
| echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler" | |
| echo -e "\n" | |
| fi | |
| #manual check - lists out sensitive files, can we read/modify etc. | |
| echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null | |
| echo -e "\n" | |
| #search for suid files | |
| findsuid=`find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;` | |
| if [ "$findsuid" ]; then | |
| echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$findsuid" ]; then | |
| mkdir $format/suid-files/ 2>/dev/null | |
| for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null | |
| fi | |
| #list of 'interesting' suid files - feel free to make additions | |
| intsuid=`find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` | |
| if [ "$intsuid" ]; then | |
| echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid" | |
| echo -e "\n" | |
| fi | |
| #lists word-writable suid files | |
| wwsuid=`find / -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` | |
| if [ "$wwsuid" ]; then | |
| echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid" | |
| echo -e "\n" | |
| fi | |
| #lists world-writable suid files owned by root | |
| wwsuidrt=`find / -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` | |
| if [ "$wwsuidrt" ]; then | |
| echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" | |
| echo -e "\n" | |
| fi | |
| #search for sgid files | |
| findsgid=`find / -perm -2000 -type f -exec ls -la {} 2>/dev/null \;` | |
| if [ "$findsgid" ]; then | |
| echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$findsgid" ]; then | |
| mkdir $format/sgid-files/ 2>/dev/null | |
| for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null | |
| fi | |
| #list of 'interesting' sgid files | |
| intsgid=`find / -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` | |
| if [ "$intsgid" ]; then | |
| echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" | |
| echo -e "\n" | |
| fi | |
| #lists world-writable sgid files | |
| wwsgid=`find / -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` | |
| if [ "$wwsgid" ]; then | |
| echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" | |
| echo -e "\n" | |
| fi | |
| #lists world-writable sgid files owned by root | |
| wwsgidrt=`find / -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` | |
| if [ "$wwsgidrt" ]; then | |
| echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" | |
| echo -e "\n" | |
| fi | |
| #list all files with POSIX capabilities set along with there capabilities | |
| fileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null` | |
| if [ "$fileswithcaps" ]; then | |
| echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$fileswithcaps" ]; then | |
| mkdir $format/files_with_capabilities/ 2>/dev/null | |
| for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null | |
| fi | |
| #searches /etc/security/capability.conf for users associated capapilies | |
| userswithcaps=`grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null` | |
| if [ "$userswithcaps" ]; then | |
| echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps" | |
| echo -e "\n" | |
| fi | |
| if [ "$userswithcaps" ] ; then | |
| #matches the capabilities found associated with users with the current user | |
| matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null` | |
| if [ "$matchedcaps" ]; then | |
| echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps" | |
| echo -e "\n" | |
| #matches the files with capapbilities with capabilities associated with the current user | |
| matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null` | |
| if [ "$matchedfiles" ]; then | |
| echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles" | |
| echo -e "\n" | |
| #lists the permissions of the files having the same capabilies associated with the current user | |
| matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null` | |
| echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms" | |
| echo -e "\n" | |
| if [ "$matchedfilesperms" ]; then | |
| #checks if any of the files with same capabilities associated with the current user is writable | |
| writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null` | |
| if [ "$writablematchedfiles" ]; then | |
| echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles" | |
| echo -e "\n" | |
| fi | |
| fi | |
| fi | |
| fi | |
| fi | |
| #look for private keys - thanks djhohnstein | |
| if [ "$thorough" = "1" ]; then | |
| privatekeyfiles=`grep -rl "PRIVATE KEY-----" /home 2>/dev/null` | |
| if [ "$privatekeyfiles" ]; then | |
| echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles" | |
| echo -e "\n" | |
| fi | |
| fi | |
| #look for AWS keys - thanks djhohnstein | |
| if [ "$thorough" = "1" ]; then | |
| awskeyfiles=`grep -rli "aws_secret_access_key" /home 2>/dev/null` | |
| if [ "$awskeyfiles" ]; then | |
| echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles" | |
| echo -e "\n" | |
| fi | |
| fi | |
| #look for git credential files - thanks djhohnstein | |
| if [ "$thorough" = "1" ]; then | |
| gitcredfiles=`find / -name ".git-credentials" 2>/dev/null` | |
| if [ "$gitcredfiles" ]; then | |
| echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles" | |
| echo -e "\n" | |
| fi | |
| fi | |
| #list all world-writable files excluding /proc and /sys | |
| if [ "$thorough" = "1" ]; then | |
| wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;` | |
| if [ "$wwfiles" ]; then | |
| echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles" | |
| echo -e "\n" | |
| fi | |
| fi | |
| if [ "$thorough" = "1" ]; then | |
| if [ "$export" ] && [ "$wwfiles" ]; then | |
| mkdir $format/ww-files/ 2>/dev/null | |
| for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null | |
| fi | |
| fi | |
| #are any .plan files accessible in /home (could contain useful information) | |
| usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` | |
| if [ "$usrplan" ]; then | |
| echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$usrplan" ]; then | |
| mkdir $format/plan_files/ 2>/dev/null | |
| for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null | |
| fi | |
| bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` | |
| if [ "$bsdusrplan" ]; then | |
| echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$bsdusrplan" ]; then | |
| mkdir $format/plan_files/ 2>/dev/null | |
| for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null | |
| fi | |
| #are there any .rhosts files accessible - these may allow us to login as another user etc. | |
| rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` | |
| if [ "$rhostsusr" ]; then | |
| echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$rhostsusr" ]; then | |
| mkdir $format/rhosts/ 2>/dev/null | |
| for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null | |
| fi | |
| bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` | |
| if [ "$bsdrhostsusr" ]; then | |
| echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$bsdrhostsusr" ]; then | |
| mkdir $format/rhosts 2>/dev/null | |
| for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null | |
| fi | |
| rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` | |
| if [ "$rhostssys" ]; then | |
| echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$rhostssys" ]; then | |
| mkdir $format/rhosts/ 2>/dev/null | |
| for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null | |
| fi | |
| #list nfs shares/permisisons etc. | |
| nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null` | |
| if [ "$nfsexports" ]; then | |
| echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$nfsexports" ]; then | |
| mkdir $format/etc-export/ 2>/dev/null | |
| cp /etc/exports $format/etc-export/exports 2>/dev/null | |
| fi | |
| if [ "$thorough" = "1" ]; then | |
| #phackt | |
| #displaying /etc/fstab | |
| fstab=`cat /etc/fstab 2>/dev/null` | |
| if [ "$fstab" ]; then | |
| echo -e "\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[00m" | |
| echo -e "$fstab" | |
| echo -e "\n" | |
| fi | |
| fi | |
| #looking for credentials in /etc/fstab | |
| fstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null` | |
| if [ "$fstab" ]; then | |
| echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$fstab" ]; then | |
| mkdir $format/etc-exports/ 2>/dev/null | |
| cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null | |
| fi | |
| fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null` | |
| if [ "$fstabcred" ]; then | |
| echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$fstabcred" ]; then | |
| mkdir $format/etc-exports/ 2>/dev/null | |
| cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null | |
| fi | |
| #use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located | |
| if [ "$keyword" = "" ]; then | |
| echo -e "[-] Can't search *.conf files as no keyword was entered\n" | |
| else | |
| confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null` | |
| if [ "$confkey" ]; then | |
| echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey" | |
| echo -e "\n" | |
| else | |
| echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m" | |
| echo -e "'$keyword' not found in any .conf files" | |
| echo -e "\n" | |
| fi | |
| fi | |
| if [ "$keyword" = "" ]; then | |
| : | |
| else | |
| if [ "$export" ] && [ "$confkey" ]; then | |
| confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \; 2>/dev/null` | |
| mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null | |
| for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null | |
| fi | |
| fi | |
| #use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located | |
| if [ "$keyword" = "" ]; then | |
| echo -e "[-] Can't search *.php files as no keyword was entered\n" | |
| else | |
| phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null` | |
| if [ "$phpkey" ]; then | |
| echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey" | |
| echo -e "\n" | |
| else | |
| echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m" | |
| echo -e "'$keyword' not found in any .php files" | |
| echo -e "\n" | |
| fi | |
| fi | |
| if [ "$keyword" = "" ]; then | |
| : | |
| else | |
| if [ "$export" ] && [ "$phpkey" ]; then | |
| phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \; 2>/dev/null` | |
| mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null | |
| for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 2>/dev/null | |
| fi | |
| fi | |
| #use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located | |
| if [ "$keyword" = "" ];then | |
| echo -e "[-] Can't search *.log files as no keyword was entered\n" | |
| else | |
| logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null` | |
| if [ "$logkey" ]; then | |
| echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey" | |
| echo -e "\n" | |
| else | |
| echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m" | |
| echo -e "'$keyword' not found in any .log files" | |
| echo -e "\n" | |
| fi | |
| fi | |
| if [ "$keyword" = "" ];then | |
| : | |
| else | |
| if [ "$export" ] && [ "$logkey" ]; then | |
| logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \; 2>/dev/null` | |
| mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null | |
| for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null | |
| fi | |
| fi | |
| #use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located | |
| if [ "$keyword" = "" ];then | |
| echo -e "[-] Can't search *.ini files as no keyword was entered\n" | |
| else | |
| inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null` | |
| if [ "$inikey" ]; then | |
| echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey" | |
| echo -e "\n" | |
| else | |
| echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m" | |
| echo -e "'$keyword' not found in any .ini files" | |
| echo -e "\n" | |
| fi | |
| fi | |
| if [ "$keyword" = "" ];then | |
| : | |
| else | |
| if [ "$export" ] && [ "$inikey" ]; then | |
| inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} \; 2>/dev/null` | |
| mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null | |
| for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null | |
| fi | |
| fi | |
| #quick extract of .conf files from /etc - only 1 level | |
| allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null` | |
| if [ "$allconf" ]; then | |
| echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$allconf" ]; then | |
| mkdir $format/conf-files/ 2>/dev/null | |
| for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null | |
| fi | |
| #extract any user history files that are accessible | |
| usrhist=`ls -la ~/.*_history 2>/dev/null` | |
| if [ "$usrhist" ]; then | |
| echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$usrhist" ]; then | |
| mkdir $format/history_files/ 2>/dev/null | |
| for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null | |
| fi | |
| #can we read roots *_history files - could be passwords stored etc. | |
| roothist=`ls -la /root/.*_history 2>/dev/null` | |
| if [ "$roothist" ]; then | |
| echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$roothist" ]; then | |
| mkdir $format/history_files/ 2>/dev/null | |
| cp $roothist $format/history_files/ 2>/dev/null | |
| fi | |
| #all accessible .bash_history files in /home | |
| checkbashhist=`find /home -name .bash_history -print -exec cat {} 2>/dev/null \;` | |
| if [ "$checkbashhist" ]; then | |
| echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history file(s):\e[00m\n$checkbashhist" | |
| echo -e "\n" | |
| fi | |
| #any .bak files that may be of interest | |
| bakfiles=`find / -name *.bak -type f 2</dev/null` | |
| if [ "$bakfiles" ]; then | |
| echo -e "\e[00;31m[-] Location and Permissions (if accessible) of .bak file(s):\e[00m" | |
| for bak in `echo $bakfiles`; do ls -la $bak;done | |
| echo -e "\n" | |
| fi | |
| #is there any mail accessible | |
| readmail=`ls -la /var/mail 2>/dev/null` | |
| if [ "$readmail" ]; then | |
| echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail" | |
| echo -e "\n" | |
| fi | |
| #can we read roots mail | |
| readmailroot=`head /var/mail/root 2>/dev/null` | |
| if [ "$readmailroot" ]; then | |
| echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot" | |
| echo -e "\n" | |
| fi | |
| if [ "$export" ] && [ "$readmailroot" ]; then | |
| mkdir $format/mail-from-root/ 2>/dev/null | |
| cp $readmailroot $format/mail-from-root/ 2>/dev/null | |
| fi | |
| } | |
| docker_checks() | |
| { | |
| #specific checks - check to see if we're in a docker container | |
| dockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null` | |
| if [ "$dockercontainer" ]; then | |
| echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer" | |
| echo -e "\n" | |
| fi | |
| #specific checks - check to see if we're a docker host | |
| dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null` | |
| if [ "$dockerhost" ]; then | |
| echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost" | |
| echo -e "\n" | |
| fi | |
| #specific checks - are we a member of the docker group | |
| dockergrp=`id | grep -i docker 2>/dev/null` | |
| if [ "$dockergrp" ]; then | |
| echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp" | |
| echo -e "\n" | |
| fi | |
| #specific checks - are there any docker files present | |
| dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \;` | |
| if [ "$dockerfiles" ]; then | |
| echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles" | |
| echo -e "\n" | |
| fi | |
| #specific checks - are there any docker files present | |
| dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;` | |
| if [ "$dockeryml" ]; then | |
| echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml" | |
| echo -e "\n" | |
| fi | |
| } | |
| lxc_container_checks() | |
| { | |
| #specific checks - are we in an lxd/lxc container | |
| lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null` | |
| if [ "$lxccontainer" ]; then | |
| echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer" | |
| echo -e "\n" | |
| fi | |
| #specific checks - are we a member of the lxd group | |
| lxdgroup=`id | grep -i lxd 2>/dev/null` | |
| if [ "$lxdgroup" ]; then | |
| echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup" | |
| echo -e "\n" | |
| fi | |
| } | |
| footer() | |
| { | |
| echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m" | |
| } | |
| call_each() | |
| { | |
| header | |
| debug_info | |
| system_info | |
| user_info | |
| environmental_info | |
| job_info | |
| networking_info | |
| services_info | |
| software_configs | |
| interesting_files | |
| docker_checks | |
| lxc_container_checks | |
| footer | |
| } | |
| while getopts "h:k:r:e:st" option; do | |
| case "${option}" in | |
| k) keyword=${OPTARG};; | |
| r) report=${OPTARG}"-"`date +"%d-%m-%y"`;; | |
| e) export=${OPTARG};; | |
| s) sudopass=1;; | |
| t) thorough=1;; | |
| h) usage; exit;; | |
| *) usage; exit;; | |
| esac | |
| done | |
| call_each | tee -a $report 2> /dev/null | |
| #EndOfScript |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment