From bacf449540530966df34f74339fcd7dc54818bf0 Mon Sep 17 00:00:00 2001 From: Matty Jones Date: Tue, 14 Sep 2021 21:35:10 -0400 Subject: [PATCH 01/10] add file header --- LinEnum.sh | 380 ++++++++++++++++++++++++++++------------------------- 1 file changed, 204 insertions(+), 176 deletions(-) diff --git a/LinEnum.sh b/LinEnum.sh index d8c69f2..26d0f01 100755 --- a/LinEnum.sh +++ b/LinEnum.sh @@ -1,12 +1,40 @@ -#!/bin/bash -#A script to enumerate local information from a Linux host +#!/bin/env bash + +# +# linenum +# +# AUTHOR: @rebootuser et al. +# +# DESCRIPTION: +# Linenum is a script designed to enumerate a linux box. It should work to varying +# degrees on OSX/MacOS and various flavors of BSD. +# +# OUTPUT: +# plain-text +# +# PLATFORMS: +# Linux, OSX/MacOS, BSD +# +# DEPENDENCIES: +# Bash +# +# USAGE: +# See the help text for additional details +# ./lineum +# +# NOTES: +# +# LICENSE: +# MIT +# + version="version 0.982" #@rebootuser #help function -usage () -{ -echo -e "\n\e[00;31m#########################################################\e[00m" +usage () +{ +echo -e "\n\e[00;31m#########################################################\e[00m" echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" echo -e "\e[00;31m#########################################################\e[00m" echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m" 
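Review bot: The new shebang `#!/bin/env bash` will fail to launch the script on hosts where env lives only at /usr/bin/env, which is its conventional location and the path the env idiom depends on; the portable form is `#!/usr/bin/env bash`, or simply keep `#!/bin/bash`, since the header already declares Bash as the sole dependency. In the new header block the USAGE example `# ./lineum` does not match the file name LinEnum.sh or the `./LinEnum.sh -k keyword -r report -e /tmp/ -t` example that the help text itself prints, so it should read `# ./LinEnum.sh [options]` (or the same example as the help text). The NOTES section is left empty; either fill it or drop it so the header does not look unfinished. The version line and usage() body continue unchanged below the added lines; only their trailing whitespace differs.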
@@ -18,43 +46,43 @@ echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[00 echo "-e Enter export location" echo "-s Supply user password for sudo checks (INSECURE)" echo "-t Include thorough (lengthy) tests" - echo "-r Enter report name" + echo "-r Enter report name" echo "-h Displays this help text" echo -e "\n" echo "Running with no options = limited scans/no output file" - -echo -e "\e[00;31m#########################################################\e[00m" + +echo -e "\e[00;31m#########################################################\e[00m" } header() { -echo -e "\n\e[00;31m#########################################################\e[00m" -echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" -echo -e "\e[00;31m#########################################################\e[00m" -echo -e "\e[00;33m# www.rebootuser.com\e[00m" -echo -e "\e[00;33m# $version\e[00m\n" +echo -e "\n\e[00;31m#########################################################\e[00m" +echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" +echo -e "\e[00;31m#########################################################\e[00m" +echo -e "\e[00;33m# www.rebootuser.com\e[00m" +echo -e "\e[00;33m# $version\e[00m\n" } debug_info() { -echo "[-] Debug Info" +echo "[-] Debug Info" -if [ "$keyword" ]; then - echo "[+] Searching for the keyword $keyword in conf, php, ini and log files" +if [ "$keyword" ]; then + echo "[+] Searching for the keyword $keyword in conf, php, ini and log files" fi -if [ "$report" ]; then - echo "[+] Report name = $report" +if [ "$report" ]; then + echo "[+] Report name = $report" fi -if [ "$export" ]; then - echo "[+] Export location = $export" +if [ "$export" ]; then + echo "[+] Export location = $export" fi -if [ "$thorough" ]; then - echo "[+] Thorough tests = Enabled" -else - echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m" +if [ 
"$thorough" ]; then + echo "[+] Thorough tests = Enabled" +else + echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m" fi sleep 2 @@ -65,17 +93,17 @@ if [ "$export" ]; then mkdir $format 2>/dev/null fi -if [ "$sudopass" ]; then +if [ "$sudopass" ]; then echo -e "\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\e[00m" read -s userpassword - echo + echo fi -who=`whoami` 2>/dev/null -echo -e "\n" +who=`whoami` 2>/dev/null +echo -e "\n" -echo -e "\e[00;33mScan started at:"; date -echo -e "\e[00m\n" +echo -e "\e[00;33mScan started at:"; date +echo -e "\e[00m\n" } # useful binaries (thanks to https://gtfobins.github.io/) 
@@ -83,58 +111,58 @@ binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\ system_info() { -echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" +echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" #basic kernel info unameinfo=`uname -a 2>/dev/null` if [ "$unameinfo" ]; then - echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo" - echo -e "\n" + echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo" + echo -e "\n" fi procver=`cat /proc/version 2>/dev/null` if [ "$procver" ]; then - echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver" - echo -e "\n" + echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver" + echo -e "\n" fi #search all *-release files for version info release=`cat /etc/*-release 2>/dev/null` if [ "$release" ]; then - echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release" - echo -e "\n" + echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release" + echo -e "\n" fi #target hostname info hostnamed=`hostname 2>/dev/null` if [ "$hostnamed" ]; then - echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed" - echo -e "\n" + echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed" + echo -e "\n" fi } user_info() { -echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" +echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" #current user details currusr=`id 2>/dev/null` if [ "$currusr" ]; then - echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr" + echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr" echo -e "\n" fi #last logged on user information lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null` if [ "$lastlogedonusrs" ]; then - echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs" - echo -e "\n" + echo -e "\e[00;31m[-] Users that have previously logged onto the 
system:\e[00m\n$lastlogedonusrs" + echo -e "\n" fi #who else is logged on loggedonusrs=`w 2>/dev/null` if [ "$loggedonusrs" ]; then - echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs" + echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs" echo -e "\n" fi @@ -156,14 +184,14 @@ fi #checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null` if [ "$hashesinpasswd" ]; then - echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" + echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" echo -e "\n" fi #contents of /etc/passwd readpasswd=`cat /etc/passwd 2>/dev/null` if [ "$readpasswd" ]; then - echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd" + echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd" echo -e "\n" fi @@ -175,7 +203,7 @@ fi #checks to see if the shadow file can be read readshadow=`cat /etc/shadow 2>/dev/null` if [ "$readshadow" ]; then - echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow" + echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow" echo -e "\n" fi @@ -187,7 +215,7 @@ fi #checks to see if /etc/master.passwd can be read - BSD 'shadow' variant readmasterpasswd=`cat /etc/master.passwd 2>/dev/null` if [ "$readmasterpasswd" ]; then - echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd" + echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd" echo -e "\n" fi @@ -218,7 +246,7 @@ fi #can we sudo without supplying a password sudoperms=`echo '' | sudo -S -l -k 2>/dev/null` if [ "$sudoperms" ]; then - echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms" + echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms" echo -e "\n" fi 
@@ -229,7 +257,7 @@ if [ "$sudopass" ]; then else sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null` if [ "$sudoauth" ]; then - echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth" + echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth" echo -e "\n" fi fi @@ -242,7 +270,7 @@ if [ "$sudopass" ]; then else sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$sudopermscheck" ]; then - echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck" + echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck" echo -e "\n" fi fi 
@@ -251,28 +279,28 @@ fi #known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) sudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$sudopwnage" ]; then - echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage" + echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage" echo -e "\n" fi #who has sudoed in the past whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null` if [ "$whohasbeensudo" ]; then - echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo" + echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo" echo -e "\n" fi #checks to see if roots home directory is accessible rthmdir=`ls -ahl /root/ 2>/dev/null` if [ "$rthmdir" ]; then - echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir" + echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir" echo -e "\n" fi #displays /home directory permissions - check if any are lax homedirperms=`ls -ahl /home/ 2>/dev/null` if [ "$homedirperms" ]; then - echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms" + echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms" echo -e "\n" fi @@ -280,7 +308,7 @@ fi if [ "$thorough" = "1" ]; then grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null` if [ "$grfilesall" ]; then - echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall" + echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall" echo -e "\n" fi fi 
@@ -307,7 +335,7 @@ fi if [ "$thorough" = "1" ]; then wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null` if [ "$wrfileshm" ]; then - echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm" + echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm" echo -e "\n" fi fi @@ -323,8 +351,8 @@ fi if [ "$thorough" = "1" ]; then homedircontents=`ls -ahl ~ 2>/dev/null` if [ "$homedircontents" ] ; then - echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents" - echo -e "\n" + echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents" + echo -e "\n" fi fi @@ -332,7 +360,7 @@ fi if [ "$thorough" = "1" ]; then sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;` if [ "$sshfiles" ]; then - echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles" + echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles" echo -e "\n" fi fi 
@@ -347,19 +375,19 @@ fi #is root permitted to login via ssh sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'` if [ "$sshrootlogin" = "yes" ]; then - echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" + echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" echo -e "\n" fi } environmental_info() { -echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m" +echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m" #env information envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null` if [ "$envinfo" ]; then - echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo" + echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo" echo -e "\n" fi @@ -376,7 +404,7 @@ fi pathinfo=`echo $PATH 2>/dev/null` if [ "$pathinfo" ]; then pathswriteable=`ls -ld $(echo $PATH | tr ":" " ")` - echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo" + echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo" echo -e "$pathswriteable" echo -e "\n" fi 
@@ -384,28 +412,28 @@ fi #lists available shells shellinfo=`cat /etc/shells 2>/dev/null` if [ "$shellinfo" ]; then - echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo" + echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo" echo -e "\n" fi #current umask value with both octal and symbolic output umaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null` if [ "$umaskvalue" ]; then - echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue" + echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue" echo -e "\n" fi #umask value as in /etc/login.defs umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null` if [ "$umaskdef" ]; then - echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef" + echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef" echo -e "\n" fi #password policy information as stored in /etc/login.defs logindefs=`grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null` if [ "$logindefs" ]; then - echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs" + echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs" echo -e "\n" fi 
@@ -417,51 +445,51 @@ fi job_info() { -echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" +echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" #are there any cron jobs configured cronjobs=`ls -la /etc/cron* 2>/dev/null` if [ "$cronjobs" ]; then - echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs" + echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs" echo -e "\n" fi #can we manipulate these jobs in any way cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;` if [ "$cronjobwwperms" ]; then - echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" + echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" echo -e "\n" fi #contab contents crontabvalue=`cat /etc/crontab 2>/dev/null` if [ "$crontabvalue" ]; then - echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue" + echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue" echo -e "\n" fi crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null` if [ "$crontabvar" ]; then - echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" + echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" echo -e "\n" fi anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null` if [ "$anacronjobs" ]; then - echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs" + echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs" echo -e "\n" fi anacrontab=`ls -la /var/spool/anacron 2>/dev/null` if [ "$anacrontab" ]; then - echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" + echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" echo -e "\n" fi #pull out account names from /etc/passwd and see if any users 
have associated cronjobs (priv command) cronother=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null` if [ "$cronother" ]; then - echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother" + echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother" echo -e "\n" fi 
@@ -484,103 +512,103 @@ fi networking_info() { -echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" +echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" #nic information nicinfo=`/sbin/ifconfig -a 2>/dev/null` if [ "$nicinfo" ]; then - echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo" + echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo" echo -e "\n" fi #nic information (using ip) nicinfoip=`/sbin/ip a 2>/dev/null` if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then - echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip" + echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip" echo -e "\n" fi arpinfo=`arp -a 2>/dev/null` if [ "$arpinfo" ]; then - echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo" + echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo" echo -e "\n" fi arpinfoip=`ip n 2>/dev/null` if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then - echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip" + echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip" echo -e "\n" fi #dns settings nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null` if [ "$nsinfo" ]; then - echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo" + echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo" echo -e "\n" fi nsinfosysd=`systemd-resolve --status 2>/dev/null` if [ "$nsinfosysd" ]; then - echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd" + echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd" echo -e "\n" fi #default route configuration defroute=`route 2>/dev/null | grep default` if [ "$defroute" ]; then - echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute" + echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute" echo -e "\n" fi #default route configuration defrouteip=`ip r 2>/dev/null | grep default` if [ ! 
"$defroute" ] && [ "$defrouteip" ]; then - echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip" + echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip" echo -e "\n" fi #listening TCP tcpservs=`netstat -ntpl 2>/dev/null` if [ "$tcpservs" ]; then - echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs" + echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs" echo -e "\n" fi tcpservsip=`ss -t -l -n 2>/dev/null` if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then - echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip" + echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip" echo -e "\n" fi #listening UDP udpservs=`netstat -nupl 2>/dev/null` if [ "$udpservs" ]; then - echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs" + echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs" echo -e "\n" fi udpservsip=`ss -u -l -n 2>/dev/null` if [ ! "$udpservs" ] && [ "$udpservsip" ]; then - echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip" + echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip" echo -e "\n" fi } services_info() { -echo -e "\e[00;33m### SERVICES #############################################\e[00m" +echo -e "\e[00;33m### SERVICES #############################################\e[00m" #running processes psaux=`ps aux 2>/dev/null` if [ "$psaux" ]; then - echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux" + echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux" echo -e "\n" fi #lookup process binary path and permissisons procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null` if [ "$procperm" ]; then - echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm" + echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm" echo -e "\n" fi 
@@ -593,7 +621,7 @@ fi #anything 'useful' in inetd.conf inetdread=`cat /etc/inetd.conf 2>/dev/null` if [ "$inetdread" ]; then - echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread" + echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread" echo -e "\n" fi @@ -605,13 +633,13 @@ fi #very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$inetdbinperms" ]; then - echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms" + echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms" echo -e "\n" fi xinetdread=`cat /etc/xinetd.conf 2>/dev/null` if [ "$xinetdread" ]; then - echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread" + echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread" echo -e "\n" fi 
@@ -622,53 +650,53 @@ fi xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null` if [ "$xinetdincd" ]; then - echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null + echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null echo -e "\n" fi #very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$xinetdbinperms" ]; then - echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms" + echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms" echo -e "\n" fi initdread=`ls -la /etc/init.d 2>/dev/null` if [ "$initdread" ]; then - echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread" + echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread" echo -e "\n" fi #init.d files NOT belonging to root! initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$initdperms" ]; then - echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms" + echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms" echo -e "\n" fi rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null` if [ "$rcdread" ]; then - echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" + echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" echo -e "\n" fi #init.d files NOT belonging to root! rcdperms=`find /etc/rc.d/init.d \! 
-uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$rcdperms" ]; then - echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms" + echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms" echo -e "\n" fi usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null` if [ "$usrrcdread" ]; then - echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" + echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" echo -e "\n" fi #rc.d files NOT belonging to root! usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$usrrcdperms" ]; then - echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms" + echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms" echo -e "\n" fi 
@@ -701,79 +729,79 @@ fi software_configs() { -echo -e "\e[00;33m### SOFTWARE #############################################\e[00m" +echo -e "\e[00;33m### SOFTWARE #############################################\e[00m" #sudo version - check to see if there are any known vulnerabilities with this sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null` if [ "$sudover" ]; then - echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover" + echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover" echo -e "\n" fi #mysql details - if installed mysqlver=`mysql --version 2>/dev/null` if [ "$mysqlver" ]; then - echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver" + echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver" echo -e "\n" fi #checks to see if root/root will get us a connection mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null` if [ "$mysqlconnect" ]; then - echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect" + echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect" echo -e "\n" fi #mysql version details mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null` if [ "$mysqlconnectnopass" ]; then - echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass" + echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass" echo -e "\n" fi #postgres details - if installed postgver=`psql -V 2>/dev/null` if [ "$postgver" ]; then - echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver" + echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver" echo -e "\n" fi #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this postcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon1" ]; then - echo -e 
"\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" echo -e "\n" fi postcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon11" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" echo -e "\n" fi postcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon2" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" echo -e "\n" fi postcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon22" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" echo -e "\n" fi #apache details - if installed apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null` if [ "$apachever" ]; then - echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever" + echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever" echo -e "\n" fi #what account is apache running under apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null` if [ "$apacheusr" ]; then - echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr" + echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr" echo -e "\n" fi 
@@ -785,7 +813,7 @@ fi #installed apache modules apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null` if [ "$apachemodules" ]; then - echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules" + echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules" echo -e "\n" fi @@ -800,7 +828,7 @@ fi if [ "$thorough" = "1" ]; then apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null` if [ "$apachehomedirs" ]; then - echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs" + echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs" echo -e "\n" fi fi 
@@ -809,28 +837,28 @@ fi interesting_files() { -echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" +echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" #checks to see if various files are installed -echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null -echo -e "\n" +echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null +echo -e "\n" #limited search for installed compilers compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null` if [ "$compiler" ]; then - echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler" + echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler" echo -e "\n" fi #manual check - lists out sensitive files, can we read/modify etc. -echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null -echo -e "\n" +echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null +echo -e "\n" #search for suid files allsuid=`find / -perm -4000 -type f 2>/dev/null` findsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;` if [ "$findsuid" ]; then - echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid" + echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid" echo -e "\n" fi 
@@ -842,21 +870,21 @@ fi #list of 'interesting' suid files - feel free to make additions intsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$intsuid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid" + echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid" echo -e "\n" fi #lists world-writable suid files wwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwsuid" ]; then - echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid" + echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid" echo -e "\n" fi #lists world-writable suid files owned by root wwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwsuidrt" ]; then - echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" + echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" echo -e "\n" fi @@ -864,7 +892,7 @@ fi allsgid=`find / -perm -2000 -type f 2>/dev/null` findsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \;` if [ "$findsgid" ]; then - echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" + echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" echo -e "\n" fi 
@@ -876,21 +904,21 @@ fi #list of 'interesting' sgid files intsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$intsgid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" + echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" echo -e "\n" fi #lists world-writable sgid files wwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwsgid" ]; then - echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" + echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" echo -e "\n" fi #lists world-writable sgid files owned by root wwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwsgidrt" ]; then - echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" + echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" echo -e "\n" fi @@ -971,7 +999,7 @@ fi if [ "$thorough" = "1" ]; then wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwfiles" ]; then - echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles" + echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles" echo -e "\n" fi fi @@ -986,7 +1014,7 @@ fi #are any .plan files accessible in /home (could contain useful information) usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` if [ "$usrplan" ]; then - echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan" + echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan" echo -e "\n" fi 
@@ -997,7 +1025,7 @@ fi
 bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
 if [ "$bsdusrplan" ]; then
- echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan"
+ echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan"
 echo -e "\n"
 fi
@@ -1009,7 +1037,7 @@ fi
 #are there any .rhosts files accessible - these may allow us to login as another user etc.
 rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
 if [ "$rhostsusr" ]; then
- echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr"
+ echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr"
 echo -e "\n"
 fi
@@ -1020,7 +1048,7 @@ fi
 bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
 if [ "$bsdrhostsusr" ]; then
- echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr"
+ echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr"
 echo -e "\n"
 fi
@@ -1031,7 +1059,7 @@ fi
 rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
 if [ "$rhostssys" ]; then
- echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys"
+ echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys"
 echo -e "\n"
 fi
@@ -1043,7 +1071,7 @@ fi
 #list nfs shares/permisisons etc.
 nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null`
 if [ "$nfsexports" ]; then
- echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports"
+ echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports"
 echo -e "\n"
 fi
@@ -1077,7 +1105,7 @@ fi
 fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null`
 if [ "$fstabcred" ]; then
- echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred"
+ echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred"
 echo -e "\n"
 fi
@@ -1088,16 +1116,16 @@ fi
 #use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located
 if [ "$keyword" = "" ]; then
- echo -e "[-] Can't search *.conf files as no keyword was entered\n"
+ echo -e "[-] Can't search *.conf files as no keyword was entered\n"
 else
 confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
 if [ "$confkey" ]; then
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey"
- echo -e "\n"
- else
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m"
- echo -e "'$keyword' not found in any .conf files"
- echo -e "\n"
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m"
+ echo -e "'$keyword' not found in any .conf files"
+ echo -e "\n"
 fi
 fi
@@ -1113,16 +1141,16 @@ fi
 #use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located
 if [ "$keyword" = "" ]; then
- echo -e "[-] Can't search *.php files as no keyword was entered\n"
+ echo -e "[-] Can't search *.php files as no keyword was entered\n"
 else
 phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
 if [ "$phpkey" ]; then
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey"
- echo -e "\n"
- else
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m"
- echo -e "'$keyword' not found in any .php files"
- echo -e "\n"
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m"
+ echo -e "'$keyword' not found in any .php files"
+ echo -e "\n"
 fi
 fi
@@ -1138,16 +1166,16 @@ fi
 #use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located
 if [ "$keyword" = "" ];then
- echo -e "[-] Can't search *.log files as no keyword was entered\n"
+ echo -e "[-] Can't search *.log files as no keyword was entered\n"
 else
 logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
 if [ "$logkey" ]; then
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey"
- echo -e "\n"
- else
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m"
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m"
 echo -e "'$keyword' not found in any .log files"
- echo -e "\n"
+ echo -e "\n"
 fi
 fi
@@ -1163,15 +1191,15 @@ fi
 #use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located
 if [ "$keyword" = "" ];then
- echo -e "[-] Can't search *.ini files as no keyword was entered\n"
+ echo -e "[-] Can't search *.ini files as no keyword was entered\n"
 else
 inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
 if [ "$inikey" ]; then
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey"
- echo -e "\n"
- else
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m"
- echo -e "'$keyword' not found in any .ini files"
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m"
+ echo -e "'$keyword' not found in any .ini files"
 echo -e "\n"
 fi
 fi
@@ -1189,7 +1217,7 @@ fi
 #quick extract of .conf files from /etc - only 1 level
 allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null`
 if [ "$allconf" ]; then
- echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf"
+ echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf"
 echo -e "\n"
 fi
@@ -1201,7 +1229,7 @@ fi
 #extract any user history files that are accessible
 usrhist=`ls -la ~/.*_history 2>/dev/null`
 if [ "$usrhist" ]; then
- echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist"
+ echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist"
 echo -e "\n"
 fi
@@ -1213,7 +1241,7 @@ fi
 #can we read roots *_history files - could be passwords stored etc.
 roothist=`ls -la /root/.*_history 2>/dev/null`
 if [ "$roothist" ]; then
- echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
+ echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
 echo -e "\n"
 fi
@@ -1240,14 +1268,14 @@ fi
 #is there any mail accessible
 readmail=`ls -la /var/mail 2>/dev/null`
 if [ "$readmail" ]; then
- echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
+ echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
 echo -e "\n"
 fi
 #can we read roots mail
 readmailroot=`head /var/mail/root 2>/dev/null`
 if [ "$readmailroot" ]; then
- echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
+ echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
 echo -e "\n"
 fi
@@ -1263,35 +1291,35 @@ docker_checks()
 #specific checks - check to see if we're in a docker container
 dockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`
 if [ "$dockercontainer" ]; then
- echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
+ echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
 echo -e "\n"
 fi
 #specific checks - check to see if we're a docker host
 dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null`
 if [ "$dockerhost" ]; then
- echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
+ echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
 echo -e "\n"
 fi
 #specific checks - are we a member of the docker group
 dockergrp=`id | grep -i docker 2>/dev/null`
 if [ "$dockergrp" ]; then
- echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
+ echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
 echo -e "\n"
 fi
 #specific checks - are there any docker files present
 dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \;`
 if [ "$dockerfiles" ]; then
- echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
+ echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
 echo -e "\n"
 fi
 #specific checks - are there any docker files present
 dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;`
 if [ "$dockeryml" ]; then
- echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
+ echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
 echo -e "\n"
 fi
 }
@@ -1316,7 +1344,7 @@ fi
 footer()
 {
-echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m"
+echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m"
 }
 call_each()
From 6e024cf89dbfa1a1627cc1fc67461b8a9be06a22 Mon Sep 17 00:00:00 2001
From: Matty
Date: Tue, 14 Sep 2021 23:13:33 -0400
Subject: [PATCH 02/10] initial commit of breakup into libraries
---
 .gitignore | 1 +
 LinEnum.sh | 1213 ----------------------------------
 includes/binary_info.sh | 448 +++++++++++++
 includes/docker_info.sh | 40 ++
 includes/environment_info.sh | 64 ++
 includes/job_info.sh | 68 ++
 includes/kube_info.sh | 48 ++
 includes/lxc_info.sh | 19 +
 includes/network_info.sh | 85 +++
 includes/services_info.sh | 134 ++++
 includes/software_configs.sh | 109 +++
 includes/system_info.sh | 33 +
 includes/user_info.sh | 240 +++++++
 13 files changed, 1289 insertions(+), 1213 deletions(-)
 create mode 100644 .gitignore
 create mode 100755 includes/binary_info.sh
 create mode 100755 includes/docker_info.sh
 create mode 100755 includes/environment_info.sh
 create mode 100755 includes/job_info.sh
 create mode 100755 includes/kube_info.sh
 create mode 100755 includes/lxc_info.sh
 create mode 100755 includes/network_info.sh
 create mode 100755 includes/services_info.sh
 create mode 100755 includes/software_configs.sh
 create mode 100755 includes/system_info.sh
 create mode 100755 includes/user_info.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..485dee6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea
diff --git a/LinEnum.sh b/LinEnum.sh
index 26d0f01..3d82b53 100755
--- a/LinEnum.sh
+++ b/LinEnum.sh
@@ -109,1238 +109,25 @@ echo -e "\e[00m\n"
 # useful binaries (thanks to https://gtfobins.github.io/)
 binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh'
-system_info()
-{
-echo -e "\e[00;33m### SYSTEM ##############################################\e[00m"
-
-#basic kernel info
-unameinfo=`uname -a 2>/dev/null`
-if [ "$unameinfo" ]; then
- echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo"
- echo -e "\n"
-fi
-
-procver=`cat /proc/version 2>/dev/null`
-if [ "$procver" ]; then
- echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver"
- echo -e "\n"
-fi
-
-#search all *-release files for version info
-release=`cat /etc/*-release 2>/dev/null`
-if [ "$release" ]; then
- echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release"
- echo -e "\n"
-fi
-
-#target hostname info
-hostnamed=`hostname 2>/dev/null`
-if [ "$hostnamed" ]; then
- echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed"
- echo -e "\n"
-fi
-}
-
-user_info()
-{
-echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m"
-
-#current user details
-currusr=`id 2>/dev/null`
-if [ "$currusr" ]; then
- echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr"
- echo -e "\n"
-fi
-
-#last logged on user information
-lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null`
-if [ "$lastlogedonusrs" ]; then
- echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs"
- echo -e "\n"
-fi
-
-#who else is logged on
-loggedonusrs=`w 2>/dev/null`
-if [ "$loggedonusrs" ]; then
- echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs"
- echo -e "\n"
-fi
-
-#lists all id's and respective group(s)
-grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null`
-if [ "$grpinfo" ]; then
- echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo"
- echo -e "\n"
-fi
-
-#added by phackt - look for adm group (thanks patrick)
-adm_users=$(echo -e "$grpinfo" | grep "(adm)")
-if [[ ! -z $adm_users ]];
- then
- echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users"
- echo -e "\n"
-fi
-
-#checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method)
-hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`
-if [ "$hashesinpasswd" ]; then
- echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd"
- echo -e "\n"
-fi
-
-#contents of /etc/passwd
-readpasswd=`cat /etc/passwd 2>/dev/null`
-if [ "$readpasswd" ]; then
- echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$readpasswd" ]; then
- mkdir $format/etc-export/ 2>/dev/null
- cp /etc/passwd $format/etc-export/passwd 2>/dev/null
-fi
-
-#checks to see if the shadow file can be read
-readshadow=`cat /etc/shadow 2>/dev/null`
-if [ "$readshadow" ]; then
- echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$readshadow" ]; then
- mkdir $format/etc-export/ 2>/dev/null
- cp /etc/shadow $format/etc-export/shadow 2>/dev/null
-fi
-
-#checks to see if /etc/master.passwd can be read - BSD 'shadow' variant
-readmasterpasswd=`cat /etc/master.passwd 2>/dev/null`
-if [ "$readmasterpasswd" ]; then
- echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$readmasterpasswd" ]; then
- mkdir $format/etc-export/ 2>/dev/null
- cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null
-fi
-
-#all root accounts (uid 0)
-superman=`grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null`
-if [ "$superman" ]; then
- echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman"
- echo -e "\n"
-fi
-
-#pull out vital sudoers info
-sudoers=`grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null`
-if [ "$sudoers" ]; then
- echo -e "\e[00;31m[-] Sudoers configuration (condensed):\e[00m$sudoers"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$sudoers" ]; then
- mkdir $format/etc-export/ 2>/dev/null
- cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null
-fi
-
-#can we sudo without supplying a password
-sudoperms=`echo '' | sudo -S -l -k 2>/dev/null`
-if [ "$sudoperms" ]; then
- echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms"
- echo -e "\n"
-fi
-
-#check sudo perms - authenticated
-if [ "$sudopass" ]; then
- if [ "$sudoperms" ]; then
- :
- else
- sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null`
- if [ "$sudoauth" ]; then
- echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth"
- echo -e "\n"
- fi
- fi
-fi
-
-##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated
-if [ "$sudopass" ]; then
- if [ "$sudoperms" ]; then
- :
- else
- sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
- if [ "$sudopermscheck" ]; then
- echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck"
- echo -e "\n"
- fi
- fi
-fi
-
-#known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)
-sudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
-if [ "$sudopwnage" ]; then
- echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage"
- echo -e "\n"
-fi
-
-#who has sudoed in the past
-whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null`
-if [ "$whohasbeensudo" ]; then
- echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo"
- echo -e "\n"
-fi
-
-#checks to see if roots home directory is accessible
-rthmdir=`ls -ahl /root/ 2>/dev/null`
-if [ "$rthmdir" ]; then
- echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir"
- echo -e "\n"
-fi
-
-#displays /home directory permissions - check if any are lax
-homedirperms=`ls -ahl /home/ 2>/dev/null`
-if [ "$homedirperms" ]; then
- echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms"
- echo -e "\n"
-fi
-
-#looks for files we can write to that don't belong to us
-if [ "$thorough" = "1" ]; then
- grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
- if [ "$grfilesall" ]; then
- echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall"
- echo -e "\n"
- fi
-fi
-
-#looks for files that belong to us
-if [ "$thorough" = "1" ]; then
- ourfilesall=`find / -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
- if [ "$ourfilesall" ]; then
- echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall"
- echo -e "\n"
- fi
-fi
-
-#looks for hidden files
-if [ "$thorough" = "1" ]; then
- hiddenfiles=`find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
- if [ "$hiddenfiles" ]; then
- echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles"
- echo -e "\n"
- fi
-fi
-
-#looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch
-if [ "$thorough" = "1" ]; then
-wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null`
- if [ "$wrfileshm" ]; then
- echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm"
- echo -e "\n"
- fi
-fi
-
-if [ "$thorough" = "1" ]; then
- if [ "$export" ] && [ "$wrfileshm" ]; then
- mkdir $format/wr-files/ 2>/dev/null
- for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null
- fi
-fi
-
-#lists current user's home directory contents
-if [ "$thorough" = "1" ]; then
-homedircontents=`ls -ahl ~ 2>/dev/null`
- if [ "$homedircontents" ] ; then
- echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents"
- echo -e "\n"
- fi
-fi
-
-#checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch
-if [ "$thorough" = "1" ]; then
-sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;`
- if [ "$sshfiles" ]; then
- echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles"
- echo -e "\n"
- fi
-fi
-
-if [ "$thorough" = "1" ]; then
- if [ "$export" ] && [ "$sshfiles" ]; then
- mkdir $format/ssh-files/ 2>/dev/null
- for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null
- fi
-fi
-
-#is root permitted to login via ssh
-sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'`
-if [ "$sshrootlogin" = "yes" ]; then
- echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#"
- echo -e "\n"
-fi
-}
-
-environmental_info()
-{
-echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m"
-
-#env information
-envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null`
-if [ "$envinfo" ]; then
- echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo"
- echo -e "\n"
-fi
-
-#check if selinux is enabled
-sestatus=`sestatus 2>/dev/null`
-if [ "$sestatus" ]; then
- echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus"
- echo -e "\n"
-fi
-
-#phackt
-
-#current path configuration
-pathinfo=`echo $PATH 2>/dev/null`
-if [ "$pathinfo" ]; then
- pathswriteable=`ls -ld $(echo $PATH | tr ":" " ")`
- echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo"
- echo -e "$pathswriteable"
- echo -e "\n"
-fi
-
-#lists available shells
-shellinfo=`cat /etc/shells 2>/dev/null`
-if [ "$shellinfo" ]; then
- echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo"
- echo -e "\n"
-fi
-
-#current umask value with both octal and symbolic output
-umaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null`
-if [ "$umaskvalue" ]; then
- echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue"
- echo -e "\n"
-fi
-
-#umask value as in /etc/login.defs
-umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null`
-if [ "$umaskdef" ]; then
- echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef"
- echo -e "\n"
-fi
-
-#password policy information as stored in /etc/login.defs
-logindefs=`grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null`
-if [ "$logindefs" ]; then
- echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$logindefs" ]; then
- mkdir $format/etc-export/ 2>/dev/null
- cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null
-fi
-}
-
-job_info()
-{
-echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m"
-
-#are there any cron jobs configured
-cronjobs=`ls -la /etc/cron* 2>/dev/null`
-if [ "$cronjobs" ]; then
- echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs"
- echo -e "\n"
-fi
-
-#can we manipulate these jobs in any way
-cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
-if [ "$cronjobwwperms" ]; then
- echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms"
- echo -e "\n"
-fi
-
-#contab contents
-crontabvalue=`cat /etc/crontab 2>/dev/null`
-if [ "$crontabvalue" ]; then
- echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue"
- echo -e "\n"
-fi
-
-crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null`
-if [ "$crontabvar" ]; then
- echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar"
- echo -e "\n"
-fi
-
-anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null`
-if [ "$anacronjobs" ]; then
- echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs"
- echo -e "\n"
-fi
-
-anacrontab=`ls -la /var/spool/anacron 2>/dev/null`
-if [ "$anacrontab" ]; then
- echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab"
- echo -e "\n"
-fi
-
-#pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command)
-cronother=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null`
-if [ "$cronother" ]; then
- echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother"
- echo -e "\n"
-fi
-
-# list systemd timers
-if [ "$thorough" = "1" ]; then
- # include inactive timers in thorough mode
- systemdtimers="$(systemctl list-timers --all 2>/dev/null)"
- info=""
-else
- systemdtimers="$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)"
- # replace the info in the output with a hint towards thorough mode
- info="\e[2mEnable thorough tests to see inactive timers\e[00m"
-fi
-if [ "$systemdtimers" ]; then
- echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info"
- echo -e "\n"
-fi
-
-}
-
-networking_info()
-{
-echo -e "\e[00;33m### NETWORKING ##########################################\e[00m"
-
-#nic information
-nicinfo=`/sbin/ifconfig -a 2>/dev/null`
-if [ "$nicinfo" ]; then
- echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo"
- echo -e "\n"
-fi
-
-#nic information (using ip)
-nicinfoip=`/sbin/ip a 2>/dev/null`
-if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then
- echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip"
- echo -e "\n"
-fi
-
-arpinfo=`arp -a 2>/dev/null`
-if [ "$arpinfo" ]; then
- echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo"
- echo -e "\n"
-fi
-
-arpinfoip=`ip n 2>/dev/null`
-if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then
- echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip"
- echo -e "\n"
-fi
-
-#dns settings
-nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null`
-if [ "$nsinfo" ]; then
- echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo"
- echo -e "\n"
-fi
-
-nsinfosysd=`systemd-resolve --status 2>/dev/null`
-if [ "$nsinfosysd" ]; then
- echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd"
- echo -e "\n"
-fi
-
-#default route configuration
-defroute=`route 2>/dev/null | grep default`
-if [ "$defroute" ]; then
- echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute"
- echo -e "\n"
-fi
-
-#default route configuration
-defrouteip=`ip r 2>/dev/null | grep default`
-if [ ! "$defroute" ] && [ "$defrouteip" ]; then
- echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip"
- echo -e "\n"
-fi
-
-#listening TCP
-tcpservs=`netstat -ntpl 2>/dev/null`
-if [ "$tcpservs" ]; then
- echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs"
- echo -e "\n"
-fi
-
-tcpservsip=`ss -t -l -n 2>/dev/null`
-if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then
- echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip"
- echo -e "\n"
-fi
-
-#listening UDP
-udpservs=`netstat -nupl 2>/dev/null`
-if [ "$udpservs" ]; then
- echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs"
- echo -e "\n"
-fi
-
-udpservsip=`ss -u -l -n 2>/dev/null`
-if [ ! "$udpservs" ] && [ "$udpservsip" ]; then
- echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip"
- echo -e "\n"
-fi
-}
-
-services_info()
-{
-echo -e "\e[00;33m### SERVICES #############################################\e[00m"
-
-#running processes
-psaux=`ps aux 2>/dev/null`
-if [ "$psaux" ]; then
- echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux"
- echo -e "\n"
-fi
-
-#lookup process binary path and permissisons
-procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null`
-if [ "$procperm" ]; then
- echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$procperm" ]; then
-procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null`
- mkdir $format/ps-export/ 2>/dev/null
- for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null
-fi
-
-#anything 'useful' in inetd.conf
-inetdread=`cat /etc/inetd.conf 2>/dev/null`
-if [ "$inetdread" ]; then
- echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$inetdread" ]; then
- mkdir $format/etc-export/ 2>/dev/null
- cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null
-fi
-
-#very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each
-inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
-if [ "$inetdbinperms" ]; then
- echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms"
- echo -e "\n"
-fi
-
-xinetdread=`cat /etc/xinetd.conf 2>/dev/null`
-if [ "$xinetdread" ]; then
- echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$xinetdread" ]; then
- mkdir $format/etc-export/ 2>/dev/null
- cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null
-fi
-
-xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null`
-if [ "$xinetdincd" ]; then
- echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null
- echo -e "\n"
-fi
-
-#very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each
-xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
-if [ "$xinetdbinperms" ]; then
- echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms"
- echo -e "\n"
-fi
-
-initdread=`ls -la /etc/init.d 2>/dev/null`
-if [ "$initdread" ]; then
- echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread"
- echo -e "\n"
-fi
-
-#init.d files NOT belonging to root!
-initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
-if [ "$initdperms" ]; then
- echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms"
- echo -e "\n"
-fi
-
-rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null`
-if [ "$rcdread" ]; then
- echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread"
- echo -e "\n"
-fi
-
-#init.d files NOT belonging to root!
-rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
-if [ "$rcdperms" ]; then
- echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms"
- echo -e "\n"
-fi
-
-usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null`
-if [ "$usrrcdread" ]; then
- echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread"
- echo -e "\n"
-fi
-
-#rc.d files NOT belonging to root!
-usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
-if [ "$usrrcdperms" ]; then
- echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms"
- echo -e "\n"
-fi
-
-initread=`ls -la /etc/init/ 2>/dev/null`
-if [ "$initread" ]; then
- echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread"
- echo -e "\n"
-fi
-
-# upstart scripts not belonging to root
-initperms=`find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
-if [ "$initperms" ]; then
- echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms"
- echo -e "\n"
-fi
-
-systemdread=`ls -lthR /lib/systemd/ 2>/dev/null`
-if [ "$systemdread" ]; then
- echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread"
- echo -e "\n"
-fi
-
-# systemd files not belonging to root
-systemdperms=`find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
-if [ "$systemdperms" ]; then
- echo -e "\e[00;33m[+] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms"
- echo -e "\n"
-fi
-}
-
-software_configs()
-{
-echo -e "\e[00;33m### SOFTWARE #############################################\e[00m"
-
-#sudo version - check to see if there are any known vulnerabilities with this
-sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null`
-if [ "$sudover" ]; then
- echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover"
- echo -e "\n"
-fi
-
-#mysql details - if installed
-mysqlver=`mysql --version 2>/dev/null`
-if [ "$mysqlver" ]; then
- echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver"
- echo -e "\n"
-fi
-
-#checks to see if root/root will get us a connection
-mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null`
-if [ "$mysqlconnect" ]; then
- echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect"
- echo -e "\n"
-fi
-
-#mysql version details
-mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null`
-if [ "$mysqlconnectnopass" ]; then
- echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass"
- echo -e "\n"
-fi
-
-#postgres details - if installed
-postgver=`psql -V 2>/dev/null`
-if [ "$postgver" ]; then
- echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver"
- echo -e "\n"
-fi
-
-#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
-postcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version`
-if [ "$postcon1" ]; then
- echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1"
- echo -e "\n"
-fi
-
-postcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version`
-if [ "$postcon11" ]; then
- echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11"
- echo -e "\n"
-fi
-
-postcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version`
-if [ "$postcon2" ]; then
- echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2"
- echo -e "\n"
-fi
-
-postcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version`
-if [ "$postcon22" ]; then
- echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22"
- echo -e "\n"
-fi
-
-#apache details - if installed
-apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null`
-if [ "$apachever" ]; then
- echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever"
- echo -e "\n"
-fi
-
-#what account is apache running under
-apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null`
-if [ "$apacheusr" ]; then
- echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$apacheusr" ]; then
- mkdir --parents $format/etc-export/apache2/ 2>/dev/null
- cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null
-fi
-
-#installed apache modules
-apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null`
-if [ "$apachemodules" ]; then
- echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules"
- echo -e "\n"
-fi
-
-#htpasswd check
-htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null`
-if [ "$htpasswd" ]; then
- echo -e "\e[00;33m[-] htpasswd found - could contain passwords:\e[00m\n$htpasswd"
- echo -e "\n"
-fi
-
-#anything in the default http home dirs (a thorough only check as output can be large)
-if [ "$thorough" = "1" ]; then
- apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/
2>/dev/null` - if [ "$apachehomedirs" ]; then - echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs" - echo -e "\n" - fi -fi - -} - -interesting_files() -{ -echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" - -#checks to see if various files are installed -echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null -echo -e "\n" - -#limited search for installed compilers -compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null` -if [ "$compiler" ]; then - echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler" - echo -e "\n" -fi - -#manual check - lists out sensitive files, can we read/modify etc. -echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null -echo -e "\n" - -#search for suid files -allsuid=`find / -perm -4000 -type f 2>/dev/null` -findsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$findsuid" ]; then - echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid" - echo -e "\n" -fi - -if [ "$export" ] && [ "$findsuid" ]; then - mkdir $format/suid-files/ 2>/dev/null - for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null -fi - -#list of 'interesting' suid files - feel free to make additions -intsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` -if [ "$intsuid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid" - echo -e "\n" -fi - -#lists world-writable suid files -wwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$wwsuid" ]; then - echo -e 
"\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid" - echo -e "\n" -fi - -#lists world-writable suid files owned by root -wwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$wwsuidrt" ]; then - echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" - echo -e "\n" -fi - -#search for sgid files -allsgid=`find / -perm -2000 -type f 2>/dev/null` -findsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$findsgid" ]; then - echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" - echo -e "\n" -fi - -if [ "$export" ] && [ "$findsgid" ]; then - mkdir $format/sgid-files/ 2>/dev/null - for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null -fi - -#list of 'interesting' sgid files -intsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` -if [ "$intsgid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" - echo -e "\n" -fi - -#lists world-writable sgid files -wwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$wwsgid" ]; then - echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" - echo -e "\n" -fi - -#lists world-writable sgid files owned by root -wwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$wwsgidrt" ]; then - echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" - echo -e "\n" -fi - -#list all files with POSIX capabilities set along with there capabilities -fileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null` -if [ "$fileswithcaps" ]; then - echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps" - echo -e "\n" -fi - -if [ "$export" ] && [ "$fileswithcaps" ]; then - mkdir $format/files_with_capabilities/ 2>/dev/null - for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null -fi - -#searches 
/etc/security/capability.conf for users associated capapilies -userswithcaps=`grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null` -if [ "$userswithcaps" ]; then - echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps" - echo -e "\n" -fi - -if [ "$userswithcaps" ] ; then -#matches the capabilities found associated with users with the current user -matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null` - if [ "$matchedcaps" ]; then - echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps" - echo -e "\n" - #matches the files with capapbilities with capabilities associated with the current user - matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null` - if [ "$matchedfiles" ]; then - echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles" - echo -e "\n" - #lists the permissions of the files having the same capabilies associated with the current user - matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null` - echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms" - echo -e "\n" - if [ "$matchedfilesperms" ]; then - #checks if any of the files with same capabilities associated with the current user is writable - writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null` - if [ "$writablematchedfiles" ]; then - echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles" - echo -e "\n" - fi - fi - fi - fi -fi - -#look for private keys - thanks djhohnstein -if [ "$thorough" = "1" ]; then -privatekeyfiles=`grep 
-rl "PRIVATE KEY-----" /home 2>/dev/null` - if [ "$privatekeyfiles" ]; then - echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles" - echo -e "\n" - fi -fi - -#look for AWS keys - thanks djhohnstein -if [ "$thorough" = "1" ]; then -awskeyfiles=`grep -rli "aws_secret_access_key" /home 2>/dev/null` - if [ "$awskeyfiles" ]; then - echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles" - echo -e "\n" - fi -fi - -#look for git credential files - thanks djhohnstein -if [ "$thorough" = "1" ]; then -gitcredfiles=`find / -name ".git-credentials" 2>/dev/null` - if [ "$gitcredfiles" ]; then - echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles" - echo -e "\n" - fi -fi - -#list all world-writable files excluding /proc and /sys -if [ "$thorough" = "1" ]; then -wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;` - if [ "$wwfiles" ]; then - echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles" - echo -e "\n" - fi -fi - -if [ "$thorough" = "1" ]; then - if [ "$export" ] && [ "$wwfiles" ]; then - mkdir $format/ww-files/ 2>/dev/null - for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null - fi -fi - -#are any .plan files accessible in /home (could contain useful information) -usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` -if [ "$usrplan" ]; then - echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan" - echo -e "\n" -fi - -if [ "$export" ] && [ "$usrplan" ]; then - mkdir $format/plan_files/ 2>/dev/null - for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null -fi - -bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` -if [ "$bsdusrplan" ]; then - echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan" - echo -e "\n" -fi - -if [ "$export" ] && [ "$bsdusrplan" ]; then - mkdir 
$format/plan_files/ 2>/dev/null - for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null -fi - -#are there any .rhosts files accessible - these may allow us to login as another user etc. -rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` -if [ "$rhostsusr" ]; then - echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr" - echo -e "\n" -fi -if [ "$export" ] && [ "$rhostsusr" ]; then - mkdir $format/rhosts/ 2>/dev/null - for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null -fi -bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` -if [ "$bsdrhostsusr" ]; then - echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr" - echo -e "\n" -fi -if [ "$export" ] && [ "$bsdrhostsusr" ]; then - mkdir $format/rhosts 2>/dev/null - for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null -fi -rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` -if [ "$rhostssys" ]; then - echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys" - echo -e "\n" -fi -if [ "$export" ] && [ "$rhostssys" ]; then - mkdir $format/rhosts/ 2>/dev/null - for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null -fi -#list nfs shares/permisisons etc. 
-nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null` -if [ "$nfsexports" ]; then - echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports" - echo -e "\n" -fi -if [ "$export" ] && [ "$nfsexports" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/exports $format/etc-export/exports 2>/dev/null -fi -if [ "$thorough" = "1" ]; then - #phackt - #displaying /etc/fstab - fstab=`cat /etc/fstab 2>/dev/null` - if [ "$fstab" ]; then - echo -e "\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[00m" - echo -e "$fstab" - echo -e "\n" - fi -fi - -#looking for credentials in /etc/fstab -fstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null` -if [ "$fstab" ]; then - echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab" - echo -e "\n" -fi -if [ "$export" ] && [ "$fstab" ]; then - mkdir $format/etc-exports/ 2>/dev/null - cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null -fi -fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null` -if [ "$fstabcred" ]; then - echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred" - echo -e "\n" -fi -if [ "$export" ] && [ "$fstabcred" ]; then - mkdir $format/etc-exports/ 2>/dev/null - cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null -fi -#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located -if [ "$keyword" = "" ]; then - echo -e "[-] Can't search *.conf 
files as no keyword was entered\n" - else - confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null` - if [ "$confkey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey" - echo -e "\n" - else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m" - echo -e "'$keyword' not found in any .conf files" - echo -e "\n" - fi -fi -if [ "$keyword" = "" ]; then - : - else - if [ "$export" ] && [ "$confkey" ]; then - confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \; 2>/dev/null` - mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null - for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null - fi -fi -#use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located -if [ "$keyword" = "" ]; then - echo -e "[-] Can't search *.php files as no keyword was entered\n" - else - phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null` - if [ "$phpkey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey" - echo -e "\n" - else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m" - echo -e "'$keyword' not found in any .php files" - echo -e "\n" - fi -fi -if [ "$keyword" = "" ]; then - : - else - if [ "$export" ] && [ "$phpkey" ]; then - phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \; 2>/dev/null` - mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null - for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 2>/dev/null - fi -fi -#use 
supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located -if [ "$keyword" = "" ];then - echo -e "[-] Can't search *.log files as no keyword was entered\n" - else - logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null` - if [ "$logkey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey" - echo -e "\n" - else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m" - echo -e "'$keyword' not found in any .log files" - echo -e "\n" - fi -fi -if [ "$keyword" = "" ];then - : - else - if [ "$export" ] && [ "$logkey" ]; then - logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \; 2>/dev/null` - mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null - for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null - fi -fi -#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located -if [ "$keyword" = "" ];then - echo -e "[-] Can't search *.ini files as no keyword was entered\n" - else - inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null` - if [ "$inikey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey" - echo -e "\n" - else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m" - echo -e "'$keyword' not found in any .ini files" - echo -e "\n" - fi -fi -if [ "$keyword" = "" ];then - : - else - if [ "$export" ] && [ "$inikey" ]; then - inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} \; 2>/dev/null` - 
mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null - for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null - fi -fi - -#quick extract of .conf files from /etc - only 1 level -allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null` -if [ "$allconf" ]; then - echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf" - echo -e "\n" -fi - -if [ "$export" ] && [ "$allconf" ]; then - mkdir $format/conf-files/ 2>/dev/null - for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null -fi - -#extract any user history files that are accessible -usrhist=`ls -la ~/.*_history 2>/dev/null` -if [ "$usrhist" ]; then - echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist" - echo -e "\n" -fi - -if [ "$export" ] && [ "$usrhist" ]; then - mkdir $format/history_files/ 2>/dev/null - for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null -fi - -#can we read roots *_history files - could be passwords stored etc. 
-roothist=`ls -la /root/.*_history 2>/dev/null`
-if [ "$roothist" ]; then
- echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$roothist" ]; then
- mkdir $format/history_files/ 2>/dev/null
- cp $roothist $format/history_files/ 2>/dev/null
-fi
-
-#all accessible .bash_history files in /home
-checkbashhist=`find /home -name .bash_history -print -exec cat {} 2>/dev/null \;`
-if [ "$checkbashhist" ]; then
- echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history file(s):\e[00m\n$checkbashhist"
- echo -e "\n"
-fi
-
-#any .bak files that may be of interest
-bakfiles=`find / -name *.bak -type f 2/dev/null`
-if [ "$readmail" ]; then
- echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
- echo -e "\n"
-fi
-
-#can we read roots mail
-readmailroot=`head /var/mail/root 2>/dev/null`
-if [ "$readmailroot" ]; then
- echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
- echo -e "\n"
-fi
-
-if [ "$export" ] && [ "$readmailroot" ]; then
- mkdir $format/mail-from-root/ 2>/dev/null
- cp $readmailroot $format/mail-from-root/ 2>/dev/null
-fi
-}
-
-docker_checks()
-{
-
-#specific checks - check to see if we're in a docker container
-dockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`
-if [ "$dockercontainer" ]; then
- echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
- echo -e "\n"
-fi
-
-#specific checks - check to see if we're a docker host
-dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null`
-if [ "$dockerhost" ]; then
- echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
- echo -e "\n"
-fi
-
-#specific checks - are we a member of the docker group
-dockergrp=`id | grep -i docker 2>/dev/null`
-if [ "$dockergrp" ]; then
- echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
- echo -e "\n"
-fi
-
-#specific checks - are there any docker files present
-dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \;`
-if [ "$dockerfiles" ]; then
- echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
- echo -e "\n"
-fi
-
-#specific checks - are there any docker files present
-dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;`
-if [ "$dockeryml" ]; then
- echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
- echo -e "\n"
-fi
-}
-
-lxc_container_checks()
-{
-
-#specific checks - are we in an lxd/lxc container
-lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`
-if [ "$lxccontainer" ]; then
- echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer"
- echo -e "\n"
-fi
-
-#specific checks - are we a member of the lxd group
-lxdgroup=`id | grep -i lxd 2>/dev/null`
-if [ "$lxdgroup" ]; then
- echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup"
- echo -e "\n"
-fi
-}
 footer()
 {
diff --git a/includes/binary_info.sh b/includes/binary_info.sh
new file mode 100755
index 0000000..ce2558f
--- /dev/null
+++ b/includes/binary_info.sh
@@ -0,0 +1,448 @@
+#!/bin/bash
+
+interesting_files()
+{
+echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m"
+
+#checks to see if various files are installed
+echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null; which tshark 2>/dev/null; which tcpdump 2>/dev/null; which wireshark 2>/dev/null
+echo -e "\n"
+
+#limited search for installed compilers
+compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null`
+if [ "$compiler" ]; then
+ echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler"
+ echo -e "\n"
+fi
+
+#manual check - lists out sensitive files, can we read/modify etc.
+echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null
+echo -e "\n"
+
+#search for suid files
+allsuid=`find / -perm -4000 -type f 2>/dev/null`
+findsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;`
+if [ "$findsuid" ]; then
+ echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid"
+ echo -e "\n"
+fi
+
+if [ "$export" ] && [ "$findsuid" ]; then
+ mkdir $format/suid-files/ 2>/dev/null
+ for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null
+fi
+
+#list of 'interesting' suid files - feel free to make additions
+intsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
+if [ "$intsuid" ]; then
+ echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid"
+ echo -e "\n"
+fi
+
+#lists world-writable suid files
+wwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
+if [ "$wwsuid" ]; then
+ echo -e "\e[00;33m[+] World-writable SUID 
files:\e[00m\n$wwsuid" + echo -e "\n" +fi + +#lists world-writable suid files owned by root +wwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` +if [ "$wwsuidrt" ]; then + echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" + echo -e "\n" +fi + +#search for sgid files +allsgid=`find / -perm -2000 -type f 2>/dev/null` +findsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \;` +if [ "$findsgid" ]; then + echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" + echo -e "\n" +fi + +if [ "$export" ] && [ "$findsgid" ]; then + mkdir $format/sgid-files/ 2>/dev/null + for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null +fi + +#list of 'interesting' sgid files +intsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` +if [ "$intsgid" ]; then + echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" + echo -e "\n" +fi + +#lists world-writable sgid files +wwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` +if [ "$wwsgid" ]; then + echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" + echo -e "\n" +fi + +#lists world-writable sgid files owned by root +wwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` +if [ "$wwsgidrt" ]; then + echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" + echo -e "\n" +fi + +#list all files with POSIX capabilities set along with there capabilities +fileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null` +if [ "$fileswithcaps" ]; then + echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps" + echo -e "\n" +fi + +if [ "$export" ] && [ "$fileswithcaps" ]; then + mkdir $format/files_with_capabilities/ 2>/dev/null + for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null +fi + +#searches /etc/security/capability.conf for users 
associated capapilies +userswithcaps=`grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null` +if [ "$userswithcaps" ]; then + echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps" + echo -e "\n" +fi + +if [ "$userswithcaps" ] ; then +#matches the capabilities found associated with users with the current user +matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null` + if [ "$matchedcaps" ]; then + echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps" + echo -e "\n" + #matches the files with capapbilities with capabilities associated with the current user + matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null` + if [ "$matchedfiles" ]; then + echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles" + echo -e "\n" + #lists the permissions of the files having the same capabilies associated with the current user + matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null` + echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms" + echo -e "\n" + if [ "$matchedfilesperms" ]; then + #checks if any of the files with same capabilities associated with the current user is writable + writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null` + if [ "$writablematchedfiles" ]; then + echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles" + echo -e "\n" + fi + fi + fi + fi +fi + +#look for private keys - thanks djhohnstein +if [ "$thorough" = "1" ]; then +privatekeyfiles=`grep -rl "PRIVATE KEY-----" /home 
2>/dev/null` + if [ "$privatekeyfiles" ]; then + echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles" + echo -e "\n" + fi +fi + +#look for AWS keys - thanks djhohnstein +if [ "$thorough" = "1" ]; then +awskeyfiles=`grep -rli "aws_secret_access_key" /home 2>/dev/null` + if [ "$awskeyfiles" ]; then + echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles" + echo -e "\n" + fi +fi + +#look for git credential files - thanks djhohnstein +if [ "$thorough" = "1" ]; then +gitcredfiles=`find / -name ".git-credentials" 2>/dev/null` + if [ "$gitcredfiles" ]; then + echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles" + echo -e "\n" + fi +fi + +#list all world-writable files excluding /proc and /sys +if [ "$thorough" = "1" ]; then +wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;` + if [ "$wwfiles" ]; then + echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles" + echo -e "\n" + fi +fi + +if [ "$thorough" = "1" ]; then + if [ "$export" ] && [ "$wwfiles" ]; then + mkdir $format/ww-files/ 2>/dev/null + for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null + fi +fi + +#are any .plan files accessible in /home (could contain useful information) +usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` +if [ "$usrplan" ]; then + echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan" + echo -e "\n" +fi + +if [ "$export" ] && [ "$usrplan" ]; then + mkdir $format/plan_files/ 2>/dev/null + for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null +fi + +bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` +if [ "$bsdusrplan" ]; then + echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan" + echo -e "\n" +fi + +if [ "$export" ] && [ "$bsdusrplan" ]; then + mkdir $format/plan_files/ 2>/dev/null + for i in 
$bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null +fi + +#are there any .rhosts files accessible - these may allow us to login as another user etc. +rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` +if [ "$rhostsusr" ]; then + echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr" + echo -e "\n" +fi + +if [ "$export" ] && [ "$rhostsusr" ]; then + mkdir $format/rhosts/ 2>/dev/null + for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null +fi + +bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` +if [ "$bsdrhostsusr" ]; then + echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr" + echo -e "\n" +fi + +if [ "$export" ] && [ "$bsdrhostsusr" ]; then + mkdir $format/rhosts 2>/dev/null + for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null +fi + +rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` +if [ "$rhostssys" ]; then + echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys" + echo -e "\n" +fi + +if [ "$export" ] && [ "$rhostssys" ]; then + mkdir $format/rhosts/ 2>/dev/null + for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null +fi + +#list nfs shares/permisisons etc. 
+nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null` +if [ "$nfsexports" ]; then + echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports" + echo -e "\n" +fi + +if [ "$export" ] && [ "$nfsexports" ]; then + mkdir $format/etc-export/ 2>/dev/null + cp /etc/exports $format/etc-export/exports 2>/dev/null +fi + +if [ "$thorough" = "1" ]; then + #phackt + #displaying /etc/fstab + fstab=`cat /etc/fstab 2>/dev/null` + if [ "$fstab" ]; then + echo -e "\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[00m" + echo -e "$fstab" + echo -e "\n" + fi +fi + +#looking for credentials in /etc/fstab +fstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null` +if [ "$fstab" ]; then + echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab" + echo -e "\n" +fi + +if [ "$export" ] && [ "$fstab" ]; then + mkdir $format/etc-exports/ 2>/dev/null + cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null +fi + +fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null` +if [ "$fstabcred" ]; then + echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred" + echo -e "\n" +fi + +if [ "$export" ] && [ "$fstabcred" ]; then + mkdir $format/etc-exports/ 2>/dev/null + cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null +fi + +#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located +if [ "$keyword" = "" ]; then + echo -e "[-] Can't 
search *.conf files as no keyword was entered\n" + else + confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null` + if [ "$confkey" ]; then + echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey" + echo -e "\n" + else + echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m" + echo -e "'$keyword' not found in any .conf files" + echo -e "\n" + fi +fi + +if [ "$keyword" = "" ]; then + : + else + if [ "$export" ] && [ "$confkey" ]; then + confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \; 2>/dev/null` + mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null + for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null + fi +fi + +#use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located +if [ "$keyword" = "" ]; then + echo -e "[-] Can't search *.php files as no keyword was entered\n" + else + phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null` + if [ "$phpkey" ]; then + echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey" + echo -e "\n" + else + echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m" + echo -e "'$keyword' not found in any .php files" + echo -e "\n" + fi +fi + +if [ "$keyword" = "" ]; then + : + else + if [ "$export" ] && [ "$phpkey" ]; then + phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \; 2>/dev/null` + mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null + for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 
2>/dev/null + fi +fi + +#use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located +if [ "$keyword" = "" ];then + echo -e "[-] Can't search *.log files as no keyword was entered\n" + else + logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null` + if [ "$logkey" ]; then + echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey" + echo -e "\n" + else + echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m" + echo -e "'$keyword' not found in any .log files" + echo -e "\n" + fi +fi + +if [ "$keyword" = "" ];then + : + else + if [ "$export" ] && [ "$logkey" ]; then + logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \; 2>/dev/null` + mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null + for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null + fi +fi + +#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located +if [ "$keyword" = "" ];then + echo -e "[-] Can't search *.ini files as no keyword was entered\n" + else + inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null` + if [ "$inikey" ]; then + echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey" + echo -e "\n" + else + echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m" + echo -e "'$keyword' not found in any .ini files" + echo -e "\n" + fi +fi + +if [ "$keyword" = "" ];then + : + else + if [ "$export" ] && [ "$inikey" ]; then + inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep 
-lHn $keyword {} \; 2>/dev/null` + mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null + for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null + fi +fi + +#quick extract of .conf files from /etc - only 1 level +allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null` +if [ "$allconf" ]; then + echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf" + echo -e "\n" +fi + +if [ "$export" ] && [ "$allconf" ]; then + mkdir $format/conf-files/ 2>/dev/null + for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null +fi + +#extract any user history files that are accessible +usrhist=`ls -la ~/.*_history 2>/dev/null` +if [ "$usrhist" ]; then + echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist" + echo -e "\n" +fi + +if [ "$export" ] && [ "$usrhist" ]; then + mkdir $format/history_files/ 2>/dev/null + for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null +fi + +#can we read roots *_history files - could be passwords stored etc. +roothist=`ls -la /root/.*_history 2>/dev/null` +if [ "$roothist" ]; then + echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist" + echo -e "\n" +fi + +if [ "$export" ] && [ "$roothist" ]; then + mkdir $format/history_files/ 2>/dev/null + cp $roothist $format/history_files/ 2>/dev/null +fi + +#all accessible .bash_history, fish_history[.*], .zsh_history, .zhistory, .tcsh_history, .csh_history, .nano_history and .python_history files in /home +checkbashhist=`find /home -regex '.*\.?\(bash_\|fish_\|zsh_\|z\|tcsh_\|csh_\|nano_\|python_\)history\(\..*\)?' 
-print -exec cat {} 2>/dev/null \;` +if [ "$checkbashhist" ]; then + echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history, fish_history, .zsh_history, .zhistory, .tcsh_history, .csh_history, .nano_history and .python_history files:\e[00m\n$checkbashhist" + echo -e "\n" +fi + +#any .bak files that may be of interest +echo -e "\e[00;31m[-] Location and Permissions (if accessible) of .bak file(s):\e[00m" +find / -name *.bak -type f -exec ls -la {} \; 2>/dev/null +echo -e "\n" + +#is there any mail accessible +readmail=`ls -la /var/mail 2>/dev/null` +if [ "$readmail" ]; then + echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail" + echo -e "\n" +fi + +#can we read roots mail +readmailroot=`head /var/mail/root 2>/dev/null` +if [ "$readmailroot" ]; then + echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot" + echo -e "\n" +fi + +if [ "$export" ] && [ "$readmailroot" ]; then + mkdir $format/mail-from-root/ 2>/dev/null + cp $readmailroot $format/mail-from-root/ 2>/dev/null +fi +} diff --git a/includes/docker_info.sh b/includes/docker_info.sh new file mode 100755 index 0000000..ad6dd8d --- /dev/null +++ b/includes/docker_info.sh 
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+docker_checks()
+{
+
+#specific checks - check to see if we're in a docker container
+dockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`
+if [ "$dockercontainer" ]; then
+ echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
+ echo -e "\n"
+fi
+
+#specific checks - check to see if we're a docker host
+dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null`
+if [ "$dockerhost" ]; then
+ echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
+ echo -e "\n"
+fi
+
+#specific checks - are we a member of the docker group
+dockergrp=`id | grep -i docker 2>/dev/null`
+if [ "$dockergrp" ]; then
+ echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
+ echo -e "\n"
+fi
+
+#specific checks - are there any docker files present
+dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \;`
+if [ "$dockerfiles" ]; then
+ echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
+ echo -e "\n"
+fi
+
+#specific checks - are there any docker files present
+dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;`
+if [ "$dockeryml" ]; then
+ echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
+ echo -e "\n"
+fi
+}
diff --git a/includes/environment_info.sh b/includes/environment_info.sh
new file mode 100755
index 0000000..bb106ad
--- /dev/null
+++ b/includes/environment_info.sh
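Review bot: The container check at `dockercontainer=` walks the entire filesystem with `find / -name "*dockerenv*"` to locate a file that lives at a fixed path, and its other half keys on cgroup v1 naming in /proc/self/cgroup, which on a cgroup v2 host reads `0::/` and carries no `docker` string at all. A direct stat keeps the same output shape and drops the full-disk walk: `dockercontainer=\`grep -i docker /proc/self/cgroup 2>/dev/null; ls -la /.dockerenv 2>/dev/null\``. The `id | grep -i docker` group test also matches any group whose name merely contains the substring (e.g. `dockerroot`), so `id -Gn | tr ' ' '\n' | grep -ix docker` would avoid a false "member of the docker group" finding.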
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+environmental_info()
+{
+echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m"
+
+#env information
+envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null`
+if [ "$envinfo" ]; then
+ echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo"
+ echo -e "\n"
+fi
+
+#check if selinux is enabled
+sestatus=`sestatus 2>/dev/null`
+if [ "$sestatus" ]; then
+ echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus"
+ echo -e "\n"
+fi
+
+#phackt
+
+#current path configuration
+pathinfo=`echo $PATH 2>/dev/null`
+if [ "$pathinfo" ]; then
+ pathswriteable=`ls -ld $(echo $PATH | tr ":" " ")`
+ echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo"
+ echo -e "$pathswriteable"
+ echo -e "\n"
+fi
+
+#lists available shells
+shellinfo=`cat /etc/shells 2>/dev/null`
+if [ "$shellinfo" ]; then
+ echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo"
+ echo -e "\n"
+fi
+
+#current umask value with both octal and symbolic output
+umaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null`
+if [ "$umaskvalue" ]; then
+ echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue"
+ echo -e "\n"
+fi
+
+#umask value as in /etc/login.defs
+umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null`
+if [ "$umaskdef" ]; then
+ echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef"
+ echo -e "\n"
+fi
+
+#password policy information as stored in /etc/login.defs
+logindefs=`grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null`
+if [ "$logindefs" ]; then
+ echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs"
+ echo -e "\n"
+fi
+
+if [ "$export" ] && [ "$logindefs" ]; then
+ mkdir $format/etc-export/ 2>/dev/null
+ cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null
+fi
+}
diff --git a/includes/job_info.sh b/includes/job_info.sh
new file mode 100755
index 0000000..310dfaf
--- /dev/null
+++ b/includes/job_info.sh
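Review bot: `umaskvalue=\`umask -S 2>/dev/null & umask 2>/dev/null\`` uses `&`, which backgrounds the symbolic `umask -S` inside the command substitution instead of sequencing it, so the two values can interleave or the first can be missing from what is captured; it should be `umaskvalue=\`umask -S 2>/dev/null; umask 2>/dev/null\``. The `pathswriteable=\`ls -ld $(echo $PATH | tr ":" " ")\`` line is the only command in this file without `2>/dev/null`, so a stale PATH entry leaks ls errors into the report; add the redirect. Since the purpose of that listing is to spot writable or relative PATH entries, a comment stating that an empty element or `.` in `$pathinfo` is itself a finding would make the output easier to act on.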
@@ -0,0 +1,68 @@ +#!/bin/bash + +job_info() +{ +echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" + +#are there any cron jobs configured +cronjobs=`ls -la /etc/cron* 2>/dev/null` +if [ "$cronjobs" ]; then + echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs" + echo -e "\n" +fi + +#can we manipulate these jobs in any way +cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;` +if [ "$cronjobwwperms" ]; then + echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" + echo -e "\n" +fi + +#contab contents +crontabvalue=`cat /etc/crontab 2>/dev/null` +if [ "$crontabvalue" ]; then + echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue" + echo -e "\n" +fi + +crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null` +if [ "$crontabvar" ]; then + echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" + echo -e "\n" +fi + +anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null` +if [ "$anacronjobs" ]; then + echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs" + echo -e "\n" +fi + +anacrontab=`ls -la /var/spool/anacron 2>/dev/null` +if [ "$anacrontab" ]; then + echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" + echo -e "\n" +fi + +#pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command) +cronother=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null` +if [ "$cronother" ]; then + echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother" + echo -e "\n" +fi + +# list systemd timers +if [ "$thorough" = "1" ]; then + # include inactive timers in thorough mode + systemdtimers="$(systemctl list-timers --all 2>/dev/null)" + info="" +else + systemdtimers="$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)" + # replace the info in the output 
with a hint towards thorough mode
+ info="\e[2mEnable thorough tests to see inactive timers\e[00m"
+fi
+if [ "$systemdtimers" ]; then
+ echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info"
+ echo -e "\n"
+fi
+
+}
diff --git a/includes/kube_info.sh b/includes/kube_info.sh
new file mode 100755
index 0000000..31a4fe2
--- /dev/null
+++ b/includes/kube_info.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+k8s_checks()
+{
+
+k8sconfig=`kubectl config view 2>/dev/null`
+
+if [ "$k8sconfig" ]; then
+ echo -e "\e[00;33m[+] Looks like there is a Kubernetes Cluster running \e[00m\n$k8sconfig"
+ echo -e "\n"
+
+
+k8sservices=`kubectl get services 2>/dev/null`
+if [ "$k8sservices" ]; then
+ echo -e "\e[00;33m[+] Services Running on Kubernetes cluster. \e[00m\n$k8sservices"
+ echo -e "\n"
+fi
+
+k8spodswithlabels=`kubectl get pods --all-namespaces 2>/dev/null`
+if [ "$k8spodswithlabels" ]; then
+ echo -e "\e[00;33m[+] Kubernetes Pods with Labels \e[00m\n$k8spodswithlabels"
+ echo -e "\e[00;33m[+] Run 'kubectl logs ' to search for interesting information in logs\e[00m\n"
+ echo -e "\e[00;33m[+] Run 'kubectl exec -it -- sh' to gain shell access into pods and extract information like 'printenv' etc \e[00m\n"
+ echo -e "\n"
+fi
+
+k8snodes=`kubectl get nodes 2>/dev/null`
+if [ "$k8snodes" ]; then
+ echo -e "\e[00;33m[+] Kubernetes Nodes \e[00m\n$k8snodes"
+ echo -e "\n"
+fi
+
+k8sevents=`kubectl get events 2>/dev/null`
+if [ "$k8sevents" ]; then
+ echo -e "\e[00;33m[+] Kubernetes Events. Check here for interesting \e[00m\n$k8sevents"
+ echo -e "\n"
+fi
+
+k8ssecrets=`kubectl get secret -o json 2>/dev/null`
+if [ "$k8ssecrets" ]; then
+ echo -e "\e[00;33m[+] Fetch all Secrets stored in Kubernetes Cluster \e[00m\n$k8ssecrets"
+ echo -e "\n"
+fi
+
+fi
+
+}
+
diff --git a/includes/lxc_info.sh b/includes/lxc_info.sh
new file mode 100755
index 0000000..0d292c6
--- /dev/null
+++ b/includes/lxc_info.sh
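Review bot: The world-writable cron check `cronjobwwperms=\`find /etc/cron* -perm -0002 -type f ...\`` reports only files, so a world-writable /etc/cron.d or /etc/cron.hourly directory, which lets any user drop a brand-new job, goes unreported; a companion variable such as `cronjobwwdirs=\`find /etc/cron* -perm -0002 -type d -exec ls -ld {} \; 2>/dev/null\`` with its own banner would close that gap. `crontabvar` lists only /var/spool/cron/crontabs (the Debian layout), whereas RHEL-family systems keep per-user crontabs directly in /var/spool/cron, so `ls -la /var/spool/cron/crontabs /var/spool/cron 2>/dev/null` covers both without changing the output where the first path exists. A comment on `cronother` noting that `crontab -l -u` for other users only succeeds as root would explain why that section is usually empty.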
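Review bot: `k8ssecrets=\`kubectl get secret -o json\`` and `kubectl get services` query only the namespace of the current context, while the pod listing a few lines above uses `--all-namespaces`, so secrets and services in other namespaces the credential can read are silently missed; use `kubectl get secret --all-namespaces -o json 2>/dev/null` and `kubectl get services --all-namespaces 2>/dev/null`. The gate on `kubectl config view` is weaker than its banner suggests: with no kubeconfig present kubectl still prints an empty skeleton config (apiVersion, null clusters), so "Looks like there is a Kubernetes Cluster running" appears to fire whenever the kubectl binary exists, whereas `kubectl config current-context 2>/dev/null` produces nothing in that case and is a better test. Note also that `config view` redacts certificate and token data unless `--raw` is given, which is the form needed to actually reuse the credential, so the banner should say which it prints. The two hint strings read `'kubectl logs '` and `'kubectl exec -it -- sh'` with no pod-name placeholder; that may be a rendering artefact of angle brackets, but it is worth confirming in the file.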
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+lxc_container_checks()
+{
+
+#specific checks - are we in an lxd/lxc container
+lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`
+if [ "$lxccontainer" ]; then
+ echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer"
+ echo -e "\n"
+fi
+
+#specific checks - are we a member of the lxd group
+lxdgroup=`id | grep -i lxd 2>/dev/null`
+if [ "$lxdgroup" ]; then
+ echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup"
+ echo -e "\n"
+fi
+}
diff --git a/includes/network_info.sh b/includes/network_info.sh
new file mode 100755
index 0000000..64c57b9
--- /dev/null
+++ b/includes/network_info.sh
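Review bot: `lxccontainer=\`grep -qa container=lxc /proc/1/environ 2>/dev/null\`` can never produce output because `-q` suppresses it, so `$lxccontainer` is always empty and the "Looks like we're in a lxc container" branch is dead code. Either drop `-q` so the matching environment entry is captured and printed, or test the exit status directly: `if grep -qa container=lxc /proc/1/environ 2>/dev/null; then`. Bear in mind that /proc/1/environ is normally readable only by root, so for an unprivileged user this check will usually stay silent either way; a comment saying so would stop the next reader treating the silence as "not a container".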
@@ -0,0 +1,85 @@ +#!/bin/bash + +networking_info() +{ +echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" + +#nic information +nicinfo=`/sbin/ifconfig -a 2>/dev/null` +if [ "$nicinfo" ]; then + echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo" + echo -e "\n" +fi + +#nic information (using ip) +nicinfoip=`/sbin/ip a 2>/dev/null` +if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then + echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip" + echo -e "\n" +fi + +arpinfo=`arp -a 2>/dev/null` +if [ "$arpinfo" ]; then + echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo" + echo -e "\n" +fi + +arpinfoip=`ip n 2>/dev/null` +if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then + echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip" + echo -e "\n" +fi + +#dns settings +nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null` +if [ "$nsinfo" ]; then + echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo" + echo -e "\n" +fi + +nsinfosysd=`systemd-resolve --status 2>/dev/null` +if [ "$nsinfosysd" ]; then + echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd" + echo -e "\n" +fi + +#default route configuration +defroute=`route 2>/dev/null | grep default` +if [ "$defroute" ]; then + echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute" + echo -e "\n" +fi + +#default route configuration +defrouteip=`ip r 2>/dev/null | grep default` +if [ ! "$defroute" ] && [ "$defrouteip" ]; then + echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip" + echo -e "\n" +fi + +#listening TCP +tcpservs=`netstat -ntpl 2>/dev/null` +if [ "$tcpservs" ]; then + echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs" + echo -e "\n" +fi + +tcpservsip=`ss -t -l -n 2>/dev/null` +if [ ! 
"$tcpservs" ] && [ "$tcpservsip" ]; then + echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip" + echo -e "\n" +fi + +#listening UDP +udpservs=`netstat -nupl 2>/dev/null` +if [ "$udpservs" ]; then + echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs" + echo -e "\n" +fi + +udpservsip=`ss -u -l -n 2>/dev/null` +if [ ! "$udpservs" ] && [ "$udpservsip" ]; then + echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip" + echo -e "\n" +fi +} diff --git a/includes/services_info.sh b/includes/services_info.sh new file mode 100755 index 0000000..a17a9eb --- /dev/null +++ b/includes/services_info.sh 
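Review bot: The `ss` fallbacks drop the process attribution that the primary `netstat -ntpl` / `netstat -nupl` calls provide via `-p`, so on a distro without net-tools the report says which ports listen but not which binary owns them, which is the part that matters for a privesc hunt; use `tcpservsip=\`ss -t -l -n -p 2>/dev/null\`` and `udpservsip=\`ss -u -l -n -p 2>/dev/null\`` (as with netstat, other users' processes are only named when running as root). The function also hard-codes `/sbin/ifconfig` and `/sbin/ip` while resolving `arp`, `route`, `netstat` and `ss` through PATH; where `ip` lives elsewhere the hard-coded path returns nothing and the whole interface section disappears, so try the PATH lookup first and fall back to the absolute path. A comment at `nicinfoip` explaining that it is only printed when ifconfig produced nothing would make the two-stage fallback pattern obvious to readers of the other checks.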
@@ -0,0 +1,134 @@ +#!/bin/bash + +services_info() +{ +echo -e "\e[00;33m### SERVICES #############################################\e[00m" + +#running processes +psaux=`ps aux 2>/dev/null` +if [ "$psaux" ]; then + echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux" + echo -e "\n" +fi + +#lookup process binary path and permissisons +procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null` +if [ "$procperm" ]; then + echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm" + echo -e "\n" +fi + +if [ "$export" ] && [ "$procperm" ]; then +procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null` + mkdir $format/ps-export/ 2>/dev/null + for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null +fi + +#anything 'useful' in inetd.conf +inetdread=`cat /etc/inetd.conf 2>/dev/null` +if [ "$inetdread" ]; then + echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread" + echo -e "\n" +fi + +if [ "$export" ] && [ "$inetdread" ]; then + mkdir $format/etc-export/ 2>/dev/null + cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null +fi + +#very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each +inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` +if [ "$inetdbinperms" ]; then + echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms" + echo -e "\n" +fi + +xinetdread=`cat /etc/xinetd.conf 2>/dev/null` +if [ "$xinetdread" ]; then + echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread" + echo -e "\n" +fi + +if [ "$export" ] && [ "$xinetdread" ]; then + mkdir $format/etc-export/ 2>/dev/null + cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null +fi + +xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null` +if [ "$xinetdincd" ]; then + echo -e "\e[00;31m[-] 
/etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null + echo -e "\n" +fi + +#very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each +xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` +if [ "$xinetdbinperms" ]; then + echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms" + echo -e "\n" +fi + +initdread=`ls -la /etc/init.d 2>/dev/null` +if [ "$initdread" ]; then + echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread" + echo -e "\n" +fi + +#init.d files NOT belonging to root! +initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` +if [ "$initdperms" ]; then + echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms" + echo -e "\n" +fi + +rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null` +if [ "$rcdread" ]; then + echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" + echo -e "\n" +fi + +#init.d files NOT belonging to root! +rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` +if [ "$rcdperms" ]; then + echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms" + echo -e "\n" +fi + +usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null` +if [ "$usrrcdread" ]; then + echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" + echo -e "\n" +fi + +#rc.d files NOT belonging to root! +usrrcdperms=`find /usr/local/etc/rc.d \! 
-uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` +if [ "$usrrcdperms" ]; then + echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms" + echo -e "\n" +fi + +initread=`ls -la /etc/init/ 2>/dev/null` +if [ "$initread" ]; then + echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread" + echo -e "\n" +fi + +# upstart scripts not belonging to root +initperms=`find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` +if [ "$initperms" ]; then + echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms" + echo -e "\n" +fi + +systemdread=`ls -lthR /lib/systemd/ 2>/dev/null` +if [ "$systemdread" ]; then + echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread" + echo -e "\n" +fi + +# systemd files not belonging to root +systemdperms=`find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` +if [ "$systemdperms" ]; then + echo -e "\e[00;33m[+] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms" + echo -e "\n" +fi +} diff --git a/includes/software_configs.sh b/includes/software_configs.sh new file mode 100755 index 0000000..0f35c51 --- /dev/null +++ b/includes/software_configs.sh 
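Review bot: The systemd check `systemdperms=\`find /lib/systemd/ \! -uid 0 -type f ...\`` flags only files not owned by root, but the exploitable condition for a unit file is that the current user can write it, which includes root-owned files with a world-writable mode; `-perm -0002` alongside `! -uid 0` catches that case. It also looks only under /lib/systemd, whereas administrator-managed units and drop-ins live in /etc/systemd/system (and /usr/lib/systemd on non-merged-usr layouts), which is exactly where a hand-written service with a sloppy mode is most likely to be found, so extend the search: `systemdperms=\`find /lib/systemd/ /usr/lib/systemd/ /etc/systemd/ \( ! -uid 0 -o -perm -0002 \) -type f 2>/dev/null | xargs -r ls -la 2>/dev/null\``. The same ownership-only logic applies to the init.d, rc.d and upstart checks earlier in this hunk and deserves the same `-perm -0002` clause.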
@@ -0,0 +1,109 @@ +#!/bin/bash + +software_configs() +{ +echo -e "\e[00;33m### SOFTWARE #############################################\e[00m" + +#sudo version - check to see if there are any known vulnerabilities with this +sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null` +if [ "$sudover" ]; then + echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover" + echo -e "\n" +fi + +#mysql details - if installed +mysqlver=`mysql --version 2>/dev/null` +if [ "$mysqlver" ]; then + echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver" + echo -e "\n" +fi + +#checks to see if root/root will get us a connection +mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null` +if [ "$mysqlconnect" ]; then + echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect" + echo -e "\n" +fi + +#mysql version details +mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null` +if [ "$mysqlconnectnopass" ]; then + echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass" + echo -e "\n" +fi + +#postgres details - if installed +postgver=`psql -V 2>/dev/null` +if [ "$postgver" ]; then + echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver" + echo -e "\n" +fi + +#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this +postcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version` +if [ "$postcon1" ]; then + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" + echo -e "\n" +fi + +postcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version` +if [ "$postcon11" ]; then + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" + echo -e "\n" +fi + +postcon2=`psql -U pgsql -w template0 -c 'select version()' 
2>/dev/null | grep version` +if [ "$postcon2" ]; then + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" + echo -e "\n" +fi + +postcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version` +if [ "$postcon22" ]; then + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" + echo -e "\n" +fi + +#apache details - if installed +apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null` +if [ "$apachever" ]; then + echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever" + echo -e "\n" +fi + +#what account is apache running under +apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null` +if [ "$apacheusr" ]; then + echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr" + echo -e "\n" +fi + +if [ "$export" ] && [ "$apacheusr" ]; then + mkdir --parents $format/etc-export/apache2/ 2>/dev/null + cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null +fi + +#installed apache modules +apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null` +if [ "$apachemodules" ]; then + echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules" + echo -e "\n" +fi + +#htpasswd check +htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null` +if [ "$htpasswd" ]; then + echo -e "\e[00;33m[-] htpasswd found - could contain passwords:\e[00m\n$htpasswd" + echo -e "\n" +fi + +#anything in the default http home dirs (a thorough only check as output can be large) +if [ "$thorough" = "1" ]; then + apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null` + if [ "$apachehomedirs" ]; then + echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs" + echo -e "\n" + fi +fi + +} 
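Review bot: The messages for `postcon2` and `postcon22` report a connection "as user 'psql'" while the commands run `psql -U pgsql`, so a successful hit is attributed to the wrong account in the report; both strings should read `as user 'pgsql'`. This function is also not passive: `mysqladmin -uroot -proot`, the password-less `mysqladmin -uroot` and the four `psql -U ... -w` calls are live authentication attempts that the database servers will log, and the mysqladmin password is visible in `ps` while it runs, so a header comment such as `# NOTE: the mysql/postgres checks below make real login attempts and will show up in DB auth logs` lets an operator decide before running. The `apacheusr` check reads only Debian's /etc/apache2/envvars, so the User/Group directives of an httpd.conf-based install are never reported; `grep -i '^\s*\(User\|Group\)' /etc/httpd/conf/httpd.conf 2>/dev/null` would cover that layout.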
diff --git a/includes/system_info.sh b/includes/system_info.sh
new file mode 100755
index 0000000..2e3aa06
--- /dev/null
+++ b/includes/system_info.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+system_info()
+{
+echo -e "\e[00;33m### SYSTEM ##############################################\e[00m"
+
+#basic kernel info
+unameinfo=`uname -a 2>/dev/null`
+if [ "$unameinfo" ]; then
+ echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo"
+ echo -e "\n"
+fi
+
+procver=`cat /proc/version 2>/dev/null`
+if [ "$procver" ]; then
+ echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver"
+ echo -e "\n"
+fi
+
+#search all *-release files for version info
+release=`cat /etc/*-release 2>/dev/null`
+if [ "$release" ]; then
+ echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release"
+ echo -e "\n"
+fi
+
+#target hostname info
+hostnamed=`hostname 2>/dev/null`
+if [ "$hostnamed" ]; then
+ echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed"
+ echo -e "\n"
+fi
+}
diff --git a/includes/user_info.sh b/includes/user_info.sh
new file mode 100755
index 0000000..677ec4d
--- /dev/null
+++ b/includes/user_info.sh
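Review bot: `hostnamed=\`hostname 2>/dev/null\`` yields nothing on minimal images where the hostname binary is absent, although the value is still obtainable from the kernel; `hostnamed=\`hostname 2>/dev/null || uname -n 2>/dev/null\`` keeps the output identical where hostname exists and fills the gap elsewhere. The new include files carry no header, so a one-line comment above `system_info()` stating that it prints kernel, release and hostname details and reads no globals from the main script would help readers know which of these functions are safe to call standalone.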
@@ -0,0 +1,240 @@
+#!/bin/bash
+
+user_info()
+{
+echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m"
+
+#current user details
+currusr=`id 2>/dev/null`
+if [ "$currusr" ]; then
+ echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr"
+ echo -e "\n"
+fi
+
+#last logged on user information
+lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null`
+if [ "$lastlogedonusrs" ]; then
+ echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs"
+ echo -e "\n"
+fi
+
+#who else is logged on
+loggedonusrs=`w 2>/dev/null`
+if [ "$loggedonusrs" ]; then
+ echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs"
+ echo -e "\n"
+fi
+
+#lists all id's and respective group(s)
+grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do echo -e "$i : $(id $i)";done 2>/dev/null`
+if [ "$grpinfo" ]; then
+ echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo"
+ echo -e "\n"
+fi
+
+#added by phackt - look for adm group (thanks patrick)
+adm_users=$(echo -e "$grpinfo" | grep "(adm)")
+if [[ !
-z $adm_users ]];
+ then
+ echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users"
+ echo -e "\n"
+fi
+
+#checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method)
+hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`
+if [ "$hashesinpasswd" ]; then
+ echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd"
+ echo -e "\n"
+fi
+
+#contents of /etc/passwd
+readpasswd=`cat /etc/passwd 2>/dev/null`
+if [ "$readpasswd" ]; then
+ echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd"
+ echo -e "\n"
+fi
+
+if [ "$export" ] && [ "$readpasswd" ]; then
+ mkdir $format/etc-export/ 2>/dev/null
+ cp /etc/passwd $format/etc-export/passwd 2>/dev/null
+fi
+
+#checks to see if the shadow file can be read
+readshadow=`cat /etc/shadow 2>/dev/null`
+if [ "$readshadow" ]; then
+ echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow"
+ echo -e "\n"
+fi
+
+if [ "$export" ] && [ "$readshadow" ]; then
+ mkdir $format/etc-export/ 2>/dev/null
+ cp /etc/shadow $format/etc-export/shadow 2>/dev/null
+fi
+
+#checks to see if /etc/master.passwd can be read - BSD 'shadow' variant
+readmasterpasswd=`cat /etc/master.passwd 2>/dev/null`
+if [ "$readmasterpasswd" ]; then
+ echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd"
+ echo -e "\n"
+fi
+
+if [ "$export" ] && [ "$readmasterpasswd" ]; then
+ mkdir $format/etc-export/ 2>/dev/null
+ cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null
+fi
+
+#all root accounts (uid 0)
+superman=`grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null`
+if [ "$superman" ]; then
+ echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman"
+ echo -e "\n"
+fi
+
+#pull out vital sudoers info
+sudoers=`grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null`
+if [ "$sudoers" ]; then
+ echo -e "\e[00;31m[-] Sudoers configuration
(condensed):\e[00m$sudoers"
+ echo -e "\n"
+fi
+
+if [ "$export" ] && [ "$sudoers" ]; then
+ mkdir $format/etc-export/ 2>/dev/null
+ cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null
+fi
+
+#can we sudo without supplying a password
+sudoperms=`echo '' | sudo -S -l -k 2>/dev/null`
+if [ "$sudoperms" ]; then
+ echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms"
+ echo -e "\n"
+fi
+
+#check sudo perms - authenticated
+if [ "$sudopass" ]; then
+ if [ "$sudoperms" ]; then
+ :
+ else
+ sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null`
+ if [ "$sudoauth" ]; then
+ echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth"
+ echo -e "\n"
+ fi
+ fi
+fi
+
+##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated
+if [ "$sudopass" ]; then
+ if [ "$sudoperms" ]; then
+ :
+ else
+ sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
+ if [ "$sudopermscheck" ]; then
+ echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck"
+ echo -e "\n"
+ fi
+ fi
+fi
+
+#known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)
+sudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
+if [ "$sudopwnage" ]; then
+ echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage"
+ echo -e "\n"
+fi
+
+#who has sudoed in the past
+whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null`
+if [ "$whohasbeensudo" ]; then
+ echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo"
+ echo -e "\n"
+fi
+
+#checks to see if roots home directory is accessible
+rthmdir=`ls -ahl /root/ 2>/dev/null`
+if [ "$rthmdir" ]; then
+ echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir"
+ echo -e "\n"
+fi
+
+#displays /home
directory permissions - check if any are lax
+homedirperms=`ls -ahl /home/ 2>/dev/null`
+if [ "$homedirperms" ]; then
+ echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms"
+ echo -e "\n"
+fi
+
+#looks for files we can write to that don't belong to us
+if [ "$thorough" = "1" ]; then
+ grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
+ if [ "$grfilesall" ]; then
+ echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall"
+ echo -e "\n"
+ fi
+fi
+
+#looks for files that belong to us
+if [ "$thorough" = "1" ]; then
+ ourfilesall=`find / -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
+ if [ "$ourfilesall" ]; then
+ echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall"
+ echo -e "\n"
+ fi
+fi
+
+#looks for hidden files
+if [ "$thorough" = "1" ]; then
+ hiddenfiles=`find / -name ".*" -type f ! -path "/proc/*" !
-path "/sys/*" -exec ls -al {} \; 2>/dev/null`
+ if [ "$hiddenfiles" ]; then
+ echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles"
+ echo -e "\n"
+ fi
+fi
+
+#looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch
+if [ "$thorough" = "1" ]; then
+wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null`
+ if [ "$wrfileshm" ]; then
+ echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm"
+ echo -e "\n"
+ fi
+fi
+
+if [ "$thorough" = "1" ]; then
+ if [ "$export" ] && [ "$wrfileshm" ]; then
+ mkdir $format/wr-files/ 2>/dev/null
+ for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null
+ fi
+fi
+
+#lists current user's home directory contents
+if [ "$thorough" = "1" ]; then
+homedircontents=`ls -ahl ~ 2>/dev/null`
+ if [ "$homedircontents" ] ; then
+ echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents"
+ echo -e "\n"
+ fi
+fi
+
+#checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch
+if [ "$thorough" = "1" ]; then
+sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;`
+ if [ "$sshfiles" ]; then
+ echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles"
+ echo -e "\n"
+ fi
+fi
+
+if [ "$thorough" = "1" ]; then
+ if [ "$export" ] && [ "$sshfiles" ]; then
+ mkdir $format/ssh-files/ 2>/dev/null
+ for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null
+ fi
+fi
+
+#is root permitted to login via ssh
+sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'`
+if [ "$sshrootlogin" = "yes" ]; then
+ echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin "
/etc/ssh/sshd_config 2>/dev/null | grep -v "#"
+ echo -e "\n"
+fi
+}
From 9c790d445f92637fec0eb3c90e0d462326c84b6a Mon Sep 17 00:00:00 2001 From: Matty Jones Date: Wed, 15 Sep 2021 21:38:59 -0400 Subject: [PATCH 03/10] Update sourcing --- LinEnum | 112 +++++ LinEnum.sh | 167 ------- .../{software_configs.sh => applications} | 0 includes/binaries | 468 ++++++++++++++++++ includes/binary_info.sh | 448 ----------------- includes/docker | 45 ++ includes/docker_info.sh | 40 -- includes/environment | 66 +++ includes/environment_info.sh | 64 --- includes/job_info.sh | 68 --- includes/jobs | 70 +++ includes/k8s | 45 ++ includes/kube_info.sh | 48 -- includes/lxc | 18 + includes/lxc_info.sh | 19 - includes/network_info.sh | 85 ---- includes/networking | 84 ++++ includes/services | 134 +++++ includes/services_info.sh | 134 ----- includes/system | 32 ++ includes/system_info.sh | 33 -- includes/user_info.sh | 240 --------- includes/users | 239 +++++++++ includes/util | 82 +++ 24 files changed, 1395 insertions(+), 1346 deletions(-) create mode 100755 LinEnum delete mode 100755 LinEnum.sh rename includes/{software_configs.sh => applications} (100%) create mode 100755 includes/binaries delete mode 100755 includes/binary_info.sh create mode 100755 includes/docker delete mode 100755 includes/docker_info.sh create mode 100755 includes/environment delete mode 100755 includes/environment_info.sh delete mode 100755 includes/job_info.sh create mode 100755 includes/jobs create mode 100755 includes/k8s delete mode 100755 includes/kube_info.sh create mode 100755 includes/lxc delete mode 100755 includes/lxc_info.sh delete mode 100755 includes/network_info.sh create mode 100755 includes/networking create mode 100755 includes/services delete mode 100755 includes/services_info.sh create mode 100755 includes/system delete mode 100755 includes/system_info.sh delete mode 100755 includes/user_info.sh create mode 100755 includes/users create mode 100755 includes/util
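Review bot: The export branches copy /etc/shadow, /etc/master.passwd and /etc/sudoers into `$format/etc-export/` created with a bare `mkdir`, so the copied credential material takes the caller's umask and `$format` is expanded unquoted; `mkdir -m 700 "$format/etc-export/" 2>/dev/null` keeps the export directory private to the running user and survives paths with spaces, and the same applies to the wr-files and ssh-files exports further down. `sudoauth=\`echo $userpassword | sudo -S -l -k 2>/dev/null\`` and the matching `sudopermscheck` line expand `$userpassword` unquoted, so a password containing spaces or glob characters is word-split and pathname-expanded before it reaches sudo and the authenticated check silently reports nothing; `printf '%s\n' "$userpassword" | sudo -S -l -k 2>/dev/null` passes it intact in both places. `sshrootlogin` is compared with `= "yes"`, but the grep/awk pipeline emits one value per matching line, so an sshd_config with a second PermitRootLogin inside a Match block yields a multi-line string and the check never fires; `grep -m 1 "PermitRootLogin "` narrows it to the first directive. The heading "Files not owned by user but writable by group" does not describe `find / -writable ! -user ...`, which reports anything the current user can write for any reason, so the text should say "writable by the current user".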
diff --git a/LinEnum b/LinEnum
new file mode 100755
index 0000000..9d2711d
--- /dev/null
+++ b/LinEnum
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+#
+# linenum
+#
+# AUTHOR: @rebootuser et al.
+#
+# DESCRIPTION:
+# Linenum is a script designed to enumerate a linux box. It should work to varying
+# degrees on OSX/MacOS and various flavors of BSD.
+#
+# OUTPUT:
+# plain-text
+#
+# PLATFORMS:
+# Linux, OSX/MacOS, BSD
+#
+# DEPENDENCIES:
+# Bash
+#
+# USAGE:
+# See the help text for additional details
+# ./lineum
+#
+# NOTES:
+#
+# LICENSE:
+# MIT
+#
+
+version="version 0.982"
+#@rebootuser
+
+# Set the path to include the libraries. These are searched for in the same directory or within the path. We capture
+# the original path statement and then prepend the library directory. Once we have sourced all the functions we drop
+# back to the original path to minimize possible detections and avoid mangling.
+library_import() {
+
+ local ORIG_PATH="$PATH"
+ export PATH="includes:$PATH"
+
+ source applications
+ source binaries
+ source docker
+ source environment
+ source jobs
+ source k8s
+ source lxc
+ source networking
+ source services
+ source system
+ source users
+ source util
+
+ export PATH="$ORIG_PATH"
+
+ return 0
+}
+
+library_import
+
+call_each() {
+ header
+ # debug_info
+ # system_info
+ # user_info
+ # environmental_info
+ # job_info
+ # networking_info
+ # services_info
+ # software_configs
+ # interesting_files
+ # docker_checks
+ # lxc_container_checks
+ footer
+}
+
+while getopts "h:k:r:e:st" option; do
+ case "${option}" in
+ k) keyword=${OPTARG} ;;
+ r) report=${OPTARG}"-"$(date +"%d-%m-%y") ;;
+ e) export=${OPTARG} ;;
+ s) sudopass=1 ;;
+ t) thorough=1 ;;
+ h)
+ usage
+ exit
+ ;;
+ *)
+ usage
+ exit
+ ;;
+ esac
+done
+
+call_each | tee -a $report 2>/dev/null
+#EndOfScript
+
+## linuxprivchecker.py
+## htb enum
+## suid3num
+## linux-smart-enumeration
+## uptux
+
+## hidden processes?
+## jails?
+## random pids
+## kernel msg buffer
+## process debugging
+
+## can/should we use posix
+## we should also provide a document for exploiting this
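Review bot: `library_import` locates its libraries by prepending the relative directory `includes` to PATH and then sourcing each one by bare name, so what gets executed depends on the caller's current working directory rather than on where LinEnum itself lives: run from any other directory every `source` fails, nothing stops the script (no `set -e`, and the return value of `library_import` is never checked), and an unrelated writable `includes/` in the cwd would be picked up in place of the real libraries. Resolving the directory from `${BASH_SOURCE[0]}` and sourcing by absolute path removes both problems and the PATH save/restore with it; the rewrite below does that and aborts on the first library that fails to load. `call_each` still calls `header` and `footer`, which the deleted LinEnum.sh defined and this file does not; presumably they now live in `includes/util` (not visible in this chunk), so the comment above `library_import` should say that `util` is required for those. `getopts "h:k:r:e:st"` declares `-h` as taking an argument, so a bare `./LinEnum -h` is reported as a missing argument and falls through to `*)`; `"hk:r:e:st"` is the spec the help text implies.
```shell
library_import() {
    local lib_dir lib
    lib_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/includes"
    for lib in applications binaries docker environment jobs k8s lxc networking services system users util; do
        source "$lib_dir/$lib" || return 1
    done
    return 0
}

library_import || exit 1
# … unchanged: call_each, getopts loop, call_each | tee …
```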
diff --git a/LinEnum.sh b/LinEnum.sh
deleted file mode 100755
index 3d82b53..0000000
--- a/LinEnum.sh
+++ /dev/null
@@ -1,167 +0,0 @@ -#!/bin/env bash - -# -# linenum -# -# AUTHOR: @rebootuser et al. -# -# DESCRIPTION: -# Linenum is a script designed to enumerate a linux box. It should work to varying -# degrees on OSX/MacOS and various flavors of BSD. -# -# OUTPUT: -# plain-text -# -# PLATFORMS: -# Linux, OSX/MacOS, BSD -# -# DEPENDENCIES: -# Bash -# -# USAGE: -# See the help text for additional details -# ./lineum -# -# NOTES: -# -# LICENSE: -# MIT -# - -version="version 0.982" -#@rebootuser - -#help function -usage () -{ -echo -e "\n\e[00;31m#########################################################\e[00m" -echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" -echo -e "\e[00;31m#########################################################\e[00m" -echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m" -echo -e "\e[00;33m# $version\e[00m\n" -echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[00m\n" - - echo "OPTIONS:" - echo "-k Enter keyword" - echo "-e Enter export location" - echo "-s Supply user password for sudo checks (INSECURE)" - echo "-t Include thorough (lengthy) tests" - echo "-r Enter report name" - echo "-h Displays this help text" - echo -e "\n" - echo "Running with no options = limited scans/no output file" - -echo -e "\e[00;31m#########################################################\e[00m" -} -header() -{ -echo -e "\n\e[00;31m#########################################################\e[00m" -echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" -echo -e "\e[00;31m#########################################################\e[00m" -echo -e "\e[00;33m# www.rebootuser.com\e[00m" -echo -e "\e[00;33m# $version\e[00m\n" - -} - -debug_info() -{ -echo "[-] Debug Info" - -if [ "$keyword" ]; then - echo "[+] Searching for the keyword $keyword in conf, php, ini and log files" -fi - -if [ "$report" ]; then - echo "[+] Report 
name = $report" -fi - -if [ "$export" ]; then - echo "[+] Export location = $export" -fi - -if [ "$thorough" ]; then - echo "[+] Thorough tests = Enabled" -else - echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m" -fi - -sleep 2 - -if [ "$export" ]; then - mkdir $export 2>/dev/null - format=$export/LinEnum-export-`date +"%d-%m-%y"` - mkdir $format 2>/dev/null -fi - -if [ "$sudopass" ]; then - echo -e "\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\e[00m" - read -s userpassword - echo -fi - -who=`whoami` 2>/dev/null -echo -e "\n" - -echo -e "\e[00;33mScan started at:"; date -echo -e "\e[00m\n" -} - -# useful binaries (thanks to https://gtfobins.github.io/) -binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh' - - - - - - - - - - - - - - - - - - - - - -footer() -{ -echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m" -} - -call_each() -{ - header - debug_info - system_info - user_info - environmental_info - job_info - networking_info - services_info - software_configs - interesting_files - docker_checks - lxc_container_checks - footer -} - -while getopts "h:k:r:e:st" option; do - case "${option}" in - k) keyword=${OPTARG};; - r) report=${OPTARG}"-"`date +"%d-%m-%y"`;; - e) export=${OPTARG};; - s) 
sudopass=1;;
- t) thorough=1;;
- h) usage; exit;;
- *) usage; exit;;
- esac
-done
-
-call_each | tee -a $report 2> /dev/null
-#EndOfScript
diff --git a/includes/software_configs.sh b/includes/applications
similarity index 100%
rename from includes/software_configs.sh
rename to includes/applications
diff --git a/includes/binaries b/includes/binaries
new file mode 100755
index 0000000..891bf1a
--- /dev/null
+++ b/includes/binaries
@@ -0,0 +1,468 @@
+#!/bin/bash
+
+interesting_files() {
+ echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m"
+
+ #checks to see if various files are installed
+ echo -e "\e[00;31m[-] Useful file locations:\e[00m"
+ which nc 2>/dev/null
+ which netcat 2>/dev/null
+ which wget 2>/dev/null
+ which nmap 2>/dev/null
+ which gcc 2>/dev/null
+ which curl 2>/dev/null
+ which tshark 2>/dev/null
+ which tcpdump 2>/dev/null
+ which wireshark 2>/dev/null
+ echo -e "\n"
+
+ #limited search for installed compilers
+ compiler=$(dpkg --list 2>/dev/null | grep compiler | grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null)
+ if [ "$compiler" ]; then
+ echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler"
+ echo -e "\n"
+ fi
+
+ #manual check - lists out sensitive files, can we read/modify etc.
+ echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m"
+ ls -la /etc/passwd 2>/dev/null
+ ls -la /etc/group 2>/dev/null
+ ls -la /etc/profile 2>/dev/null
+ ls -la /etc/shadow 2>/dev/null
+ ls -la /etc/master.passwd 2>/dev/null
+ echo -e "\n"
+
+ #search for suid files
+ allsuid=$(find / -perm -4000 -type f 2>/dev/null)
+ findsuid=$(find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null)
+ if [ "$findsuid" ]; then
+ echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$findsuid" ]; then
+ mkdir $format/suid-files/ 2>/dev/null
+ for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null
+ fi
+
+ #list of 'interesting' suid files - feel free to make additions
+ intsuid=$(find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null)
+ if [ "$intsuid" ]; then
+ echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid"
+ echo -e "\n"
+ fi
+
+ #lists world-writable suid files
+ wwsuid=$(find $allsuid -perm -4002 -type f -exec ls -la {} \; 2>/dev/null)
+ if [ "$wwsuid" ]; then
+ echo -e
"\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid"
+ echo -e "\n"
+ fi
+
+ #lists world-writable suid files owned by root
+ wwsuidrt=$(find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} \; 2>/dev/null)
+ if [ "$wwsuidrt" ]; then
+ echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt"
+ echo -e "\n"
+ fi
+
+ #search for sgid files
+ allsgid=$(find / -perm -2000 -type f 2>/dev/null)
+ findsgid=$(find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null)
+ if [ "$findsgid" ]; then
+ echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$findsgid" ]; then
+ mkdir $format/sgid-files/ 2>/dev/null
+ for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null
+ fi
+
+ #list of 'interesting' sgid files
+ intsgid=$(find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null)
+ if [ "$intsgid" ]; then
+ echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid"
+ echo -e "\n"
+ fi
+
+ #lists world-writable sgid files
+ wwsgid=$(find $allsgid -perm -2002 -type f -exec ls -la {} \; 2>/dev/null)
+ if [ "$wwsgid" ]; then
+ echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid"
+ echo -e "\n"
+ fi
+
+ #lists world-writable sgid files owned by root
+ wwsgidrt=$(find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} \; 2>/dev/null)
+ if [ "$wwsgidrt" ]; then
+ echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt"
+ echo -e "\n"
+ fi
+
+ #list all files with POSIX capabilities set along with there capabilities
+ fileswithcaps=$(getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null)
+ if [ "$fileswithcaps" ]; then
+ echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$fileswithcaps" ]; then
+ mkdir $format/files_with_capabilities/ 2>/dev/null
+ for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done
2>/dev/null
+ fi
+
+ #searches /etc/security/capability.conf for users associated capapilies
+ userswithcaps=$(grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null)
+ if [ "$userswithcaps" ]; then
+ echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps"
+ echo -e "\n"
+ fi
+
+ if [ "$userswithcaps" ]; then
+ #matches the capabilities found associated with users with the current user
+ matchedcaps=$(echo -e "$userswithcaps" | grep $(whoami) | awk '{print $1}' 2>/dev/null)
+ if [ "$matchedcaps" ]; then
+ echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps"
+ echo -e "\n"
+ #matches the files with capapbilities with capabilities associated with the current user
+ matchedfiles=$(echo -e "$matchedcaps" | while read -r cap; do echo -e "$fileswithcaps" | grep "$cap"; done 2>/dev/null)
+ if [ "$matchedfiles" ]; then
+ echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles"
+ echo -e "\n"
+ #lists the permissions of the files having the same capabilies associated with the current user
+ matchedfilesperms=$(echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f; done 2>/dev/null)
+ echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms"
+ echo -e "\n"
+ if [ "$matchedfilesperms" ]; then
+ #checks if any of the files with same capabilities associated with the current user is writable
+ writablematchedfiles=$(echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} +; done 2>/dev/null)
+ if [ "$writablematchedfiles" ]; then
+ echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles"
+ echo -e "\n"
+ fi
+ fi
+ fi
+ fi
+ fi
+
+ #look for private keys - thanks djhohnstein
+ if [
"$thorough" = "1" ]; then
+ privatekeyfiles=$(grep -rl "PRIVATE KEY-----" /home 2>/dev/null)
+ if [ "$privatekeyfiles" ]; then
+ echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles"
+ echo -e "\n"
+ fi
+ fi
+
+ #look for AWS keys - thanks djhohnstein
+ if [ "$thorough" = "1" ]; then
+ awskeyfiles=$(grep -rli "aws_secret_access_key" /home 2>/dev/null)
+ if [ "$awskeyfiles" ]; then
+ echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles"
+ echo -e "\n"
+ fi
+ fi
+
+ #look for git credential files - thanks djhohnstein
+ if [ "$thorough" = "1" ]; then
+ gitcredfiles=$(find / -name ".git-credentials" 2>/dev/null)
+ if [ "$gitcredfiles" ]; then
+ echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles"
+ echo -e "\n"
+ fi
+ fi
+
+ #list all world-writable files excluding /proc and /sys
+ if [ "$thorough" = "1" ]; then
+ wwfiles=$(find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} \; 2>/dev/null)
+ if [ "$wwfiles" ]; then
+ echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles"
+ echo -e "\n"
+ fi
+ fi
+
+ if [ "$thorough" = "1" ]; then
+ if [ "$export" ] && [ "$wwfiles" ]; then
+ mkdir $format/ww-files/ 2>/dev/null
+ for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null
+ fi
+ fi
+
+ #are any .plan files accessible in /home (could contain useful information)
+ usrplan=$(find /home -iname *.plan -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
+ if [ "$usrplan" ]; then
+ echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$usrplan" ]; then
+ mkdir $format/plan_files/ 2>/dev/null
+ for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
+ fi
+
+ bsdusrplan=$(find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
+ if [ "$bsdusrplan" ]; then
+ echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan"
+ echo -e
"\n"
+ fi
+
+ if [ "$export" ] && [ "$bsdusrplan" ]; then
+ mkdir $format/plan_files/ 2>/dev/null
+ for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
+ fi
+
+ #are there any .rhosts files accessible - these may allow us to login as another user etc.
+ rhostsusr=$(find /home -iname *.rhosts -exec ls -la {} \; -exec cat {} \; 2>/dev/null 2>/dev/null)
+ if [ "$rhostsusr" ]; then
+ echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$rhostsusr" ]; then
+ mkdir $format/rhosts/ 2>/dev/null
+ for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
+ fi
+
+ bsdrhostsusr=$(find /usr/home -iname *.rhosts -exec ls -la {} \; -exec cat {} \; 2>/dev/null 2>/dev/null)
+ if [ "$bsdrhostsusr" ]; then
+ echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$bsdrhostsusr" ]; then
+ mkdir $format/rhosts 2>/dev/null
+ for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
+ fi
+
+ rhostssys=$(find /etc -iname hosts.equiv -exec ls -la {} \; -exec cat {} \; 2>/dev/null 2>/dev/null)
+ if [ "$rhostssys" ]; then
+ echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$rhostssys" ]; then
+ mkdir $format/rhosts/ 2>/dev/null
+ for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null
+ fi
+
+ #list nfs shares/permisisons etc.
+ nfsexports=$(
+ ls -la /etc/exports 2>/dev/null
+ cat /etc/exports 2>/dev/null
+ )
+ if [ "$nfsexports" ]; then
+ echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$nfsexports" ]; then
+ mkdir $format/etc-export/ 2>/dev/null
+ cp /etc/exports $format/etc-export/exports 2>/dev/null
+ fi
+
+ if [ "$thorough" = "1" ]; then
+ #phackt
+ #displaying /etc/fstab
+ fstab=$(cat /etc/fstab 2>/dev/null)
+ if [ "$fstab" ]; then
+ echo -e "\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[00m"
+ echo -e "$fstab"
+ echo -e "\n"
+ fi
+ fi
+
+ #looking for credentials in /etc/fstab
+ fstab=$(
+ grep username /etc/fstab 2>/dev/null | awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -r echo username: 2>/dev/null
+ grep password /etc/fstab 2>/dev/null | awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -r echo password: 2>/dev/null
+ grep domain /etc/fstab 2>/dev/null | awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -r echo domain: 2>/dev/null
+ )
+ if [ "$fstab" ]; then
+ echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$fstab" ]; then
+ mkdir $format/etc-exports/ 2>/dev/null
+ cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null
+ fi
+
+ fstabcred=$(grep cred /etc/fstab 2>/dev/null | awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null)
+ if [ "$fstabcred" ]; then
+ echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$fstabcred" ]; then
+ mkdir $format/etc-exports/ 2>/dev/null
+ cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null
+ fi
+
+ #use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located
+ if [
"$keyword" = "" ]; then
+ echo -e "[-] Can't search *.conf files as no keyword was entered\n"
+ else
+ confkey=$(find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null)
+ if [ "$confkey" ]; then
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m"
+ echo -e "'$keyword' not found in any .conf files"
+ echo -e "\n"
+ fi
+ fi
+
+ if [ "$keyword" = "" ]; then
+ :
+ else
+ if [ "$export" ] && [ "$confkey" ]; then
+ confkeyfile=$(find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \; 2>/dev/null)
+ mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null
+ for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/; done 2>/dev/null
+ fi
+ fi
+
+ #use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located
+ if [ "$keyword" = "" ]; then
+ echo -e "[-] Can't search *.php files as no keyword was entered\n"
+ else
+ phpkey=$(find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null)
+ if [ "$phpkey" ]; then
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m"
+ echo -e "'$keyword' not found in any .php files"
+ echo -e "\n"
+ fi
+ fi
+
+ if [ "$keyword" = "" ]; then
+ :
+ else
+ if [ "$export" ] && [ "$phpkey" ]; then
+ phpkeyfile=$(find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \; 2>/dev/null)
+ mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null
+ for i in $phpkeyfile; do cp --parents
$i $format/keyword_file_matches/php_files/; done 2>/dev/null
+ fi
+ fi
+
+ #use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located
+ if [ "$keyword" = "" ]; then
+ echo -e "[-] Can't search *.log files as no keyword was entered\n"
+ else
+ logkey=$(find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null)
+ if [ "$logkey" ]; then
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m"
+ echo -e "'$keyword' not found in any .log files"
+ echo -e "\n"
+ fi
+ fi
+
+ if [ "$keyword" = "" ]; then
+ :
+ else
+ if [ "$export" ] && [ "$logkey" ]; then
+ logkeyfile=$(find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \; 2>/dev/null)
+ mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null
+ for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/; done 2>/dev/null
+ fi
+ fi
+
+ #use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located
+ if [ "$keyword" = "" ]; then
+ echo -e "[-] Can't search *.ini files as no keyword was entered\n"
+ else
+ inikey=$(find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null)
+ if [ "$inikey" ]; then
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m"
+ echo -e "'$keyword' not found in any .ini files"
+ echo -e "\n"
+ fi
+ fi
+
+ if [ "$keyword" = "" ]; then
+ :
+ else
+ if [ "$export" ] && [ "$inikey" ];
then
+ inikey=$(find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} \; 2>/dev/null)
+ mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null
+ for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/; done 2>/dev/null
+ fi
+ fi
+
+ #quick extract of .conf files from /etc - only 1 level
+ allconf=$(find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null)
+ if [ "$allconf" ]; then
+ echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$allconf" ]; then
+ mkdir $format/conf-files/ 2>/dev/null
+ for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null
+ fi
+
+ #extract any user history files that are accessible
+ usrhist=$(ls -la ~/.*_history 2>/dev/null)
+ if [ "$usrhist" ]; then
+ echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$usrhist" ]; then
+ mkdir $format/history_files/ 2>/dev/null
+ for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null
+ fi
+
+ #can we read roots *_history files - could be passwords stored etc.
+ roothist=$(ls -la /root/.*_history 2>/dev/null)
+ if [ "$roothist" ]; then
+ echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$roothist" ]; then
+ mkdir $format/history_files/ 2>/dev/null
+ cp $roothist $format/history_files/ 2>/dev/null
+ fi
+
+ #all accessible .bash_history, fish_history[.*], .zsh_history, .zhistory, .tcsh_history, .csh_history, .nano_history and .python_history files in /home
+ checkbashhist=$(find /home -regex '.*\.?\(bash_\|fish_\|zsh_\|z\|tcsh_\|csh_\|nano_\|python_\)history\(\..*\)?'
-print -exec cat {} \; 2>/dev/null)
+ if [ "$checkbashhist" ]; then
+ echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history, fish_history, .zsh_history, .zhistory, .tcsh_history, .csh_history, .nano_history and .python_history files:\e[00m\n$checkbashhist"
+ echo -e "\n"
+ fi
+
+ #any .bak files that may be of interest
+ echo -e "\e[00;31m[-] Location and Permissions (if accessible) of .bak file(s):\e[00m"
+ find / -name *.bak -type f -exec ls -la {} \; 2>/dev/null
+ echo -e "\n"
+
+ #is there any mail accessible
+ readmail=$(ls -la /var/mail 2>/dev/null)
+ if [ "$readmail" ]; then
+ echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
+ echo -e "\n"
+ fi
+
+ #can we read roots mail
+ readmailroot=$(head /var/mail/root 2>/dev/null)
+ if [ "$readmailroot" ]; then
+ echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$readmailroot" ]; then
+ mkdir $format/mail-from-root/ 2>/dev/null
+ cp $readmailroot $format/mail-from-root/ 2>/dev/null
+ fi
+}
diff --git a/includes/binary_info.sh b/includes/binary_info.sh
deleted file mode 100755
index ce2558f..0000000
--- a/includes/binary_info.sh
+++ /dev/null
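Review bot: Both fstab export blocks run `cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null`, where the stray `done` becomes a third operand, so cp fails because the last operand is not a directory, the redirect hides the error and /etc/fstab is never exported; the `etc-exports/` name also differs from the `etc-export/` directory used for /etc/exports a few lines earlier. Change both lines to `cp /etc/fstab "$format/etc-export/fstab" 2>/dev/null` with a matching `mkdir "$format/etc-export/" 2>/dev/null`. The history and mail exports have the same shape of bug: `cp $roothist ...` passes the captured `ls -la` output and `cp $readmailroot ...` passes the first lines of the mailbox, neither of which is a path, so nothing is copied; `cp /root/.*_history "$format/history_files/"` and `cp /var/mail/root "$format/mail-from-root/"` are what the surrounding checks describe. In the ini export block the `-l` listing is assigned back to `inikey` instead of a separate `inikeyfile`, unlike the conf, php and log blocks, which is inconsistent and overwrites the match listing that was just printed. `$keyword` is interpolated unquoted into `grep -Hn $keyword` in every keyword block, so a keyword containing spaces or glob characters is split before grep sees it; quote it as `"$keyword"` (and `"*.conf"` and friends in the `-name` tests, which otherwise expand against the current directory).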
@@ -1,448 +0,0 @@ -#!/bin/bash - -interesting_files() -{ -echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" - -#checks to see if various files are installed -echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null; which tshark 2>/dev/null; which tcpdump 2>/dev/null; which wireshark 2>/dev/null -echo -e "\n" - -#limited search for installed compilers -compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null` -if [ "$compiler" ]; then - echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler" - echo -e "\n" -fi - -#manual check - lists out sensitive files, can we read/modify etc. -echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null -echo -e "\n" - -#search for suid files -allsuid=`find / -perm -4000 -type f 2>/dev/null` -findsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$findsuid" ]; then - echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid" - echo -e "\n" -fi - -if [ "$export" ] && [ "$findsuid" ]; then - mkdir $format/suid-files/ 2>/dev/null - for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null -fi - -#list of 'interesting' suid files - feel free to make additions -intsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` -if [ "$intsuid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid" - echo -e "\n" -fi - -#lists world-writable suid files -wwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$wwsuid" ]; then - echo -e "\e[00;33m[+] World-writable SUID 
files:\e[00m\n$wwsuid" - echo -e "\n" -fi - -#lists world-writable suid files owned by root -wwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$wwsuidrt" ]; then - echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" - echo -e "\n" -fi - -#search for sgid files -allsgid=`find / -perm -2000 -type f 2>/dev/null` -findsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$findsgid" ]; then - echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" - echo -e "\n" -fi - -if [ "$export" ] && [ "$findsgid" ]; then - mkdir $format/sgid-files/ 2>/dev/null - for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null -fi - -#list of 'interesting' sgid files -intsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` -if [ "$intsgid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" - echo -e "\n" -fi - -#lists world-writable sgid files -wwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$wwsgid" ]; then - echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" - echo -e "\n" -fi - -#lists world-writable sgid files owned by root -wwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` -if [ "$wwsgidrt" ]; then - echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" - echo -e "\n" -fi - -#list all files with POSIX capabilities set along with there capabilities -fileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null` -if [ "$fileswithcaps" ]; then - echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps" - echo -e "\n" -fi - -if [ "$export" ] && [ "$fileswithcaps" ]; then - mkdir $format/files_with_capabilities/ 2>/dev/null - for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null -fi - -#searches /etc/security/capability.conf for users 
associated capapilies -userswithcaps=`grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null` -if [ "$userswithcaps" ]; then - echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps" - echo -e "\n" -fi - -if [ "$userswithcaps" ] ; then -#matches the capabilities found associated with users with the current user -matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null` - if [ "$matchedcaps" ]; then - echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps" - echo -e "\n" - #matches the files with capapbilities with capabilities associated with the current user - matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null` - if [ "$matchedfiles" ]; then - echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles" - echo -e "\n" - #lists the permissions of the files having the same capabilies associated with the current user - matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null` - echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms" - echo -e "\n" - if [ "$matchedfilesperms" ]; then - #checks if any of the files with same capabilities associated with the current user is writable - writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null` - if [ "$writablematchedfiles" ]; then - echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles" - echo -e "\n" - fi - fi - fi - fi -fi - -#look for private keys - thanks djhohnstein -if [ "$thorough" = "1" ]; then -privatekeyfiles=`grep -rl "PRIVATE KEY-----" /home 
2>/dev/null` - if [ "$privatekeyfiles" ]; then - echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles" - echo -e "\n" - fi -fi - -#look for AWS keys - thanks djhohnstein -if [ "$thorough" = "1" ]; then -awskeyfiles=`grep -rli "aws_secret_access_key" /home 2>/dev/null` - if [ "$awskeyfiles" ]; then - echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles" - echo -e "\n" - fi -fi - -#look for git credential files - thanks djhohnstein -if [ "$thorough" = "1" ]; then -gitcredfiles=`find / -name ".git-credentials" 2>/dev/null` - if [ "$gitcredfiles" ]; then - echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles" - echo -e "\n" - fi -fi - -#list all world-writable files excluding /proc and /sys -if [ "$thorough" = "1" ]; then -wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;` - if [ "$wwfiles" ]; then - echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles" - echo -e "\n" - fi -fi - -if [ "$thorough" = "1" ]; then - if [ "$export" ] && [ "$wwfiles" ]; then - mkdir $format/ww-files/ 2>/dev/null - for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null - fi -fi - -#are any .plan files accessible in /home (could contain useful information) -usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` -if [ "$usrplan" ]; then - echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan" - echo -e "\n" -fi - -if [ "$export" ] && [ "$usrplan" ]; then - mkdir $format/plan_files/ 2>/dev/null - for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null -fi - -bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` -if [ "$bsdusrplan" ]; then - echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan" - echo -e "\n" -fi - -if [ "$export" ] && [ "$bsdusrplan" ]; then - mkdir $format/plan_files/ 2>/dev/null - for i in 
$bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null -fi - -#are there any .rhosts files accessible - these may allow us to login as another user etc. -rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` -if [ "$rhostsusr" ]; then - echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr" - echo -e "\n" -fi - -if [ "$export" ] && [ "$rhostsusr" ]; then - mkdir $format/rhosts/ 2>/dev/null - for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null -fi - -bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` -if [ "$bsdrhostsusr" ]; then - echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr" - echo -e "\n" -fi - -if [ "$export" ] && [ "$bsdrhostsusr" ]; then - mkdir $format/rhosts 2>/dev/null - for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null -fi - -rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` -if [ "$rhostssys" ]; then - echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys" - echo -e "\n" -fi - -if [ "$export" ] && [ "$rhostssys" ]; then - mkdir $format/rhosts/ 2>/dev/null - for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null -fi - -#list nfs shares/permisisons etc. 
-nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null` -if [ "$nfsexports" ]; then - echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports" - echo -e "\n" -fi - -if [ "$export" ] && [ "$nfsexports" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/exports $format/etc-export/exports 2>/dev/null -fi - -if [ "$thorough" = "1" ]; then - #phackt - #displaying /etc/fstab - fstab=`cat /etc/fstab 2>/dev/null` - if [ "$fstab" ]; then - echo -e "\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[00m" - echo -e "$fstab" - echo -e "\n" - fi -fi - -#looking for credentials in /etc/fstab -fstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null` -if [ "$fstab" ]; then - echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab" - echo -e "\n" -fi - -if [ "$export" ] && [ "$fstab" ]; then - mkdir $format/etc-exports/ 2>/dev/null - cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null -fi - -fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null` -if [ "$fstabcred" ]; then - echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred" - echo -e "\n" -fi - -if [ "$export" ] && [ "$fstabcred" ]; then - mkdir $format/etc-exports/ 2>/dev/null - cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null -fi - -#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located -if [ "$keyword" = "" ]; then - echo -e "[-] Can't 
search *.conf files as no keyword was entered\n" - else - confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null` - if [ "$confkey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey" - echo -e "\n" - else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m" - echo -e "'$keyword' not found in any .conf files" - echo -e "\n" - fi -fi - -if [ "$keyword" = "" ]; then - : - else - if [ "$export" ] && [ "$confkey" ]; then - confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \; 2>/dev/null` - mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null - for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null - fi -fi - -#use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located -if [ "$keyword" = "" ]; then - echo -e "[-] Can't search *.php files as no keyword was entered\n" - else - phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null` - if [ "$phpkey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey" - echo -e "\n" - else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m" - echo -e "'$keyword' not found in any .php files" - echo -e "\n" - fi -fi - -if [ "$keyword" = "" ]; then - : - else - if [ "$export" ] && [ "$phpkey" ]; then - phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \; 2>/dev/null` - mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null - for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 
2>/dev/null - fi -fi - -#use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located -if [ "$keyword" = "" ];then - echo -e "[-] Can't search *.log files as no keyword was entered\n" - else - logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null` - if [ "$logkey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey" - echo -e "\n" - else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m" - echo -e "'$keyword' not found in any .log files" - echo -e "\n" - fi -fi - -if [ "$keyword" = "" ];then - : - else - if [ "$export" ] && [ "$logkey" ]; then - logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \; 2>/dev/null` - mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null - for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null - fi -fi - -#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located -if [ "$keyword" = "" ];then - echo -e "[-] Can't search *.ini files as no keyword was entered\n" - else - inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null` - if [ "$inikey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey" - echo -e "\n" - else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m" - echo -e "'$keyword' not found in any .ini files" - echo -e "\n" - fi -fi - -if [ "$keyword" = "" ];then - : - else - if [ "$export" ] && [ "$inikey" ]; then - inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep 
-lHn $keyword {} \; 2>/dev/null` - mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null - for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null - fi -fi - -#quick extract of .conf files from /etc - only 1 level -allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null` -if [ "$allconf" ]; then - echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf" - echo -e "\n" -fi - -if [ "$export" ] && [ "$allconf" ]; then - mkdir $format/conf-files/ 2>/dev/null - for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null -fi - -#extract any user history files that are accessible -usrhist=`ls -la ~/.*_history 2>/dev/null` -if [ "$usrhist" ]; then - echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist" - echo -e "\n" -fi - -if [ "$export" ] && [ "$usrhist" ]; then - mkdir $format/history_files/ 2>/dev/null - for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null -fi - -#can we read roots *_history files - could be passwords stored etc. -roothist=`ls -la /root/.*_history 2>/dev/null` -if [ "$roothist" ]; then - echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist" - echo -e "\n" -fi - -if [ "$export" ] && [ "$roothist" ]; then - mkdir $format/history_files/ 2>/dev/null - cp $roothist $format/history_files/ 2>/dev/null -fi - -#all accessible .bash_history, fish_history[.*], .zsh_history, .zhistory, .tcsh_history, .csh_history, .nano_history and .python_history files in /home -checkbashhist=`find /home -regex '.*\.?\(bash_\|fish_\|zsh_\|z\|tcsh_\|csh_\|nano_\|python_\)history\(\..*\)?' 
-print -exec cat {} 2>/dev/null \;` -if [ "$checkbashhist" ]; then - echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history, fish_history, .zsh_history, .zhistory, .tcsh_history, .csh_history, .nano_history and .python_history files:\e[00m\n$checkbashhist" - echo -e "\n" -fi - -#any .bak files that may be of interest -echo -e "\e[00;31m[-] Location and Permissions (if accessible) of .bak file(s):\e[00m" -find / -name *.bak -type f -exec ls -la {} \; 2>/dev/null -echo -e "\n" - -#is there any mail accessible -readmail=`ls -la /var/mail 2>/dev/null` -if [ "$readmail" ]; then - echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail" - echo -e "\n" -fi - -#can we read roots mail -readmailroot=`head /var/mail/root 2>/dev/null` -if [ "$readmailroot" ]; then - echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot" - echo -e "\n" -fi - -if [ "$export" ] && [ "$readmailroot" ]; then - mkdir $format/mail-from-root/ 2>/dev/null - cp $readmailroot $format/mail-from-root/ 2>/dev/null -fi -} diff --git a/includes/docker b/includes/docker new file mode 100755 index 0000000..b8b93b5 --- /dev/null +++ b/includes/docker 
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+docker_checks() {
+
+ #specific checks - check to see if we're in a docker container
+ dockercontainer=$(
+ grep -i docker /proc/self/cgroup 2>/dev/null
+ find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null
+ )
+ if [ "$dockercontainer" ]; then
+ echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
+ echo -e "\n"
+ fi
+
+ #specific checks - check to see if we're a docker host
+ dockerhost=$(
+ docker --version 2>/dev/null
+ docker ps -a 2>/dev/null
+ )
+ if [ "$dockerhost" ]; then
+ echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
+ echo -e "\n"
+ fi
+
+ #specific checks - are we a member of the docker group
+ dockergrp=$(id | grep -i docker 2>/dev/null)
+ if [ "$dockergrp" ]; then
+ echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
+ echo -e "\n"
+ fi
+
+ #specific checks - are there any docker files present
+ dockerfiles=$(find / -name Dockerfile -exec ls -l {} \; 2>/dev/null)
+ if [ "$dockerfiles" ]; then
+ echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
+ echo -e "\n"
+ fi
+
+ #specific checks - are there any docker files present
+ dockeryml=$(find / -name docker-compose.yml -exec ls -l {} \; 2>/dev/null)
+ if [ "$dockeryml" ]; then
+ echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
+ echo -e "\n"
+ fi
+}
diff --git a/includes/docker_info.sh b/includes/docker_info.sh
deleted file mode 100755
index ad6dd8d..0000000
--- a/includes/docker_info.sh
+++ /dev/null
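Review bot: `find / -name "*dockerenv*" -exec ls -la {} \;` inside the dockercontainer assignment walks the entire filesystem to locate what is by convention the single marker file `/.dockerenv`; a direct `ls -la /.dockerenv 2>/dev/null` yields the same signal without a full traversal and without the detection depending on that traversal completing. The companion `grep -i docker /proc/self/cgroup` presumably stops matching on cgroup-v2-only hosts, where that file typically contains just `0::/`, so the direct file check would also keep the detection alive there. The two `find / -name Dockerfile` / `docker-compose.yml` scans further down would benefit from `-type f` so that directories carrying those names are not reported as files.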
@@ -1,40 +0,0 @@ -#!/bin/bash - -docker_checks() -{ - -#specific checks - check to see if we're in a docker container -dockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null` -if [ "$dockercontainer" ]; then - echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer" - echo -e "\n" -fi - -#specific checks - check to see if we're a docker host -dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null` -if [ "$dockerhost" ]; then - echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost" - echo -e "\n" -fi - -#specific checks - are we a member of the docker group -dockergrp=`id | grep -i docker 2>/dev/null` -if [ "$dockergrp" ]; then - echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp" - echo -e "\n" -fi - -#specific checks - are there any docker files present -dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \;` -if [ "$dockerfiles" ]; then - echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles" - echo -e "\n" -fi - -#specific checks - are there any docker files present -dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;` -if [ "$dockeryml" ]; then - echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml" - echo -e "\n" -fi -} diff --git a/includes/environment b/includes/environment new file mode 100755 index 0000000..cf48be7 --- /dev/null +++ b/includes/environment 
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+environmental_info() {
+ echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m"
+
+ #env information
+ envinfo=$(env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null)
+ if [ "$envinfo" ]; then
+ echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo"
+ echo -e "\n"
+ fi
+
+ #check if selinux is enabled
+ sestatus=$(sestatus 2>/dev/null)
+ if [ "$sestatus" ]; then
+ echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus"
+ echo -e "\n"
+ fi
+
+ #phackt
+
+ #current path configuration
+ pathinfo=$(echo $PATH 2>/dev/null)
+ if [ "$pathinfo" ]; then
+ pathswriteable=$(ls -ld $(echo $PATH | tr ":" " "))
+ echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo"
+ echo -e "$pathswriteable"
+ echo -e "\n"
+ fi
+
+ #lists available shells
+ shellinfo=$(cat /etc/shells 2>/dev/null)
+ if [ "$shellinfo" ]; then
+ echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo"
+ echo -e "\n"
+ fi
+
+ #current umask value with both octal and symbolic output
+ umaskvalue=$(
+ umask -S 2>/dev/null &
+ umask 2>/dev/null
+ )
+ if [ "$umaskvalue" ]; then
+ echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue"
+ echo -e "\n"
+ fi
+
+ #umask value as in /etc/login.defs
+ umaskdef=$(grep -i "^UMASK" /etc/login.defs 2>/dev/null)
+ if [ "$umaskdef" ]; then
+ echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef"
+ echo -e "\n"
+ fi
+
+ #password policy information as stored in /etc/login.defs
+ logindefs=$(grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null)
+ if [ "$logindefs" ]; then
+ echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs"
+ echo -e "\n"
+ fi
+
+ if [ "$export" ] && [ "$logindefs" ]; then
+ mkdir $format/etc-export/ 2>/dev/null
+ cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null
+ fi
+}
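Review bot: The `&` after `umask -S 2>/dev/null` in the umaskvalue assignment backgrounds that command, so the symbolic and octal lines are produced by two concurrent processes and their order in the captured output is nondeterministic; now that the two commands sit on separate lines the `&` should simply go: `umask -S 2>/dev/null` followed by `umask 2>/dev/null`. The deleted environment_info.sh carried the same `&`, so this is an inherited defect rather than a regression of this move. Separately, `pathswriteable=$(ls -ld $(echo $PATH | tr ":" " "))` is the one command in the function without `2>/dev/null`, so a stale PATH entry prints an ls error straight into the report, and the variable name promises a writability test that `ls -ld` does not perform — either rename it to `pathsperms` or actually test with `find ... -maxdepth 0 -writable`.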
diff --git a/includes/environment_info.sh b/includes/environment_info.sh deleted file mode 100755 index bb106ad..0000000 --- a/includes/environment_info.sh +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash - -environmental_info() -{ -echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m" - -#env information -envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null` -if [ "$envinfo" ]; then - echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo" - echo -e "\n" -fi - -#check if selinux is enabled -sestatus=`sestatus 2>/dev/null` -if [ "$sestatus" ]; then - echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus" - echo -e "\n" -fi - -#phackt - -#current path configuration -pathinfo=`echo $PATH 2>/dev/null` -if [ "$pathinfo" ]; then - pathswriteable=`ls -ld $(echo $PATH | tr ":" " ")` - echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo" - echo -e "$pathswriteable" - echo -e "\n" -fi - -#lists available shells -shellinfo=`cat /etc/shells 2>/dev/null` -if [ "$shellinfo" ]; then - echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo" - echo -e "\n" -fi - -#current umask value with both octal and symbolic output -umaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null` -if [ "$umaskvalue" ]; then - echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue" - echo -e "\n" -fi - -#umask value as in /etc/login.defs -umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null` -if [ "$umaskdef" ]; then - echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef" - echo -e "\n" -fi - -#password policy information as stored in /etc/login.defs -logindefs=`grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null` -if [ "$logindefs" ]; then - echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs" - echo -e "\n" -fi - -if [ "$export" ] && [ "$logindefs" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null -fi -} diff --git a/includes/job_info.sh b/includes/job_info.sh deleted file mode 100755 index 310dfaf..0000000 
--- a/includes/job_info.sh +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/bin/bash - -job_info() -{ -echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" - -#are there any cron jobs configured -cronjobs=`ls -la /etc/cron* 2>/dev/null` -if [ "$cronjobs" ]; then - echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs" - echo -e "\n" -fi - -#can we manipulate these jobs in any way -cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;` -if [ "$cronjobwwperms" ]; then - echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" - echo -e "\n" -fi - -#contab contents -crontabvalue=`cat /etc/crontab 2>/dev/null` -if [ "$crontabvalue" ]; then - echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue" - echo -e "\n" -fi - -crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null` -if [ "$crontabvar" ]; then - echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" - echo -e "\n" -fi - -anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null` -if [ "$anacronjobs" ]; then - echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs" - echo -e "\n" -fi - -anacrontab=`ls -la /var/spool/anacron 2>/dev/null` -if [ "$anacrontab" ]; then - echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" - echo -e "\n" -fi - -#pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command) -cronother=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null` -if [ "$cronother" ]; then - echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother" - echo -e "\n" -fi - -# list systemd timers -if [ "$thorough" = "1" ]; then - # include inactive timers in thorough mode - systemdtimers="$(systemctl list-timers --all 2>/dev/null)" - info="" -else - systemdtimers="$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)" - # replace the info in the output 
with a hint towards thorough mode - info="\e[2mEnable thorough tests to see inactive timers\e[00m" -fi -if [ "$systemdtimers" ]; then - echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info" - echo -e "\n" -fi - -} diff --git a/includes/jobs b/includes/jobs new file mode 100755 index 0000000..c3d8396 --- /dev/null +++ b/includes/jobs 
@@ -0,0 +1,70 @@ +#!/bin/bash + +job_info() { + echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" + + #are there any cron jobs configured + cronjobs=$(ls -la /etc/cron* 2>/dev/null) + if [ "$cronjobs" ]; then + echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs" + echo -e "\n" + fi + + #can we manipulate these jobs in any way + cronjobwwperms=$(find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} \; 2>/dev/null) + if [ "$cronjobwwperms" ]; then + echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" + echo -e "\n" + fi + + #contab contents + crontabvalue=$(cat /etc/crontab 2>/dev/null) + if [ "$crontabvalue" ]; then + echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue" + echo -e "\n" + fi + + crontabvar=$(ls -la /var/spool/cron/crontabs 2>/dev/null) + if [ "$crontabvar" ]; then + echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" + echo -e "\n" + fi + + anacronjobs=$( + ls -la /etc/anacrontab 2>/dev/null + cat /etc/anacrontab 2>/dev/null + ) + if [ "$anacronjobs" ]; then + echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs" + echo -e "\n" + fi + + anacrontab=$(ls -la /var/spool/anacron 2>/dev/null) + if [ "$anacrontab" ]; then + echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" + echo -e "\n" + fi + + #pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command) + cronother=$(cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null) + if [ "$cronother" ]; then + echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother" + echo -e "\n" + fi + + # list systemd timers + if [ "$thorough" = "1" ]; then + # include inactive timers in thorough mode + systemdtimers="$(systemctl list-timers --all 2>/dev/null)" + info="" + else + systemdtimers="$(systemctl list-timers 2>/dev/null | head -n -1 
2>/dev/null)" + # replace the info in the output with a hint towards thorough mode + info="\e[2mEnable thorough tests to see inactive timers\e[00m" + fi + if [ "$systemdtimers" ]; then + echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info" + echo -e "\n" + fi + +} diff --git a/includes/k8s b/includes/k8s new file mode 100755 index 0000000..52dc05f --- /dev/null +++ b/includes/k8s @@ -0,0 +1,45 @@ +#!/bin/bash + +k8s_checks() { + + k8sconfig=$(kubectl config view 2>/dev/null) + + if [ "$k8sconfig" ]; then + echo -e "\e[00;33m[+] Looks like there is a Kubernetes Cluster running \e[00m\n$k8sconfig" + echo -e "\n" + + k8sservices=$(kubectl get services 2>/dev/null) + if [ "$k8sservices" ]; then + echo -e "\e[00;33m[+] Services Running on Kubernetes cluster. \e[00m\n$k8sservices" + echo -e "\n" + fi + + k8spodswithlabels=$(kubectl get pods --all-namespaces 2>/dev/null) + if [ "$k8spodswithlabels" ]; then + echo -e "\e[00;33m[+] Kubernetes Pods with Labels \e[00m\n$k8spodswithlabels" + echo -e "\e[00;33m[+] Run 'kubectl logs ' to search for interesting information in logs\e[00m\n" + echo -e "\e[00;33m[+] Run 'kubectl exec -it -- sh' to gain shell access into pods and extract information like 'printenv' etc \e[00m\n" + echo -e "\n" + fi + + k8snodes=$(kubectl get nodes 2>/dev/null) + if [ "$k8snodes" ]; then + echo -e "\e[00;33m[+] Kubernetes Nodes \e[00m\n$k8snodes" + echo -e "\n" + fi + + k8sevents=$(kubectl get events 2>/dev/null) + if [ "$k8sevents" ]; then + echo -e "\e[00;33m[+] Kubernetes Events. Check here for interesting \e[00m\n$k8sevents" + echo -e "\n" + fi + + k8ssecrets=$(kubectl get secret -o json 2>/dev/null) + if [ "$k8ssecrets" ]; then + echo -e "\e[00;33m[+] Fetch all Secrets stored in Kubernetes Cluster \e[00m\n$k8ssecrets" + echo -e "\n" + fi + + fi + +} diff --git a/includes/kube_info.sh b/includes/kube_info.sh deleted file mode 100755 index 31a4fe2..0000000 --- a/includes/kube_info.sh +++ /dev/null 
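Review bot: `crontabvar=$(ls -la /var/spool/cron/crontabs 2>/dev/null)` only covers the Debian/Ubuntu layout; on Red Hat-family systems per-user crontabs live directly in `/var/spool/cron`, so on those hosts this check reports nothing and the report reader gets no hint that anything was missed. Listing both locations closes the gap: `crontabvar=$(ls -la /var/spool/cron /var/spool/cron/crontabs 2>/dev/null)`. As a point of style, the blank line before the closing `}` and the `\n$info` suffix that emits an empty trailing line whenever `info=""` (thorough mode) could be tidied while the file is being moved.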
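Review bot: The namespace scope is inconsistent across the kubectl calls in k8s_checks: pods are queried with `--all-namespaces`, but `kubectl get services` and `kubectl get secret -o json` only see the current context's namespace, so the report under-counts on any multi-namespace cluster. More importantly, `kubectl get secret -o json` writes full secret payloads to stdout and therefore into the exported report file, so every copy of that report then holds live cluster credentials; listing names with `kubectl get secrets --all-namespaces` and keeping the `-o json` dump behind `"$thorough" = "1"` preserves the signal without the spill. The `Run 'kubectl logs '` and `Run 'kubectl exec -it -- sh'` hints appear to have lost a placeholder between the quotes — possibly stripped in rendering, worth confirming against the file.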
@@ -1,48 +0,0 @@ -#!/bin/bash - -k8s_checks() -{ - -k8sconfig=`kubectl config view 2>/dev/null` - -if [ "$k8sconfig" ]; then - echo -e "\e[00;33m[+] Looks like there is a Kubernetes Cluster running \e[00m\n$k8sconfig" - echo -e "\n" - - -k8sservices=`kubectl get services 2>/dev/null` -if [ "$k8sservices" ]; then - echo -e "\e[00;33m[+] Services Running on Kubernetes cluster. \e[00m\n$k8sservices" - echo -e "\n" -fi - -k8spodswithlabels=`kubectl get pods --all-namespaces 2>/dev/null` -if [ "$k8spodswithlabels" ]; then - echo -e "\e[00;33m[+] Kubernetes Pods with Labels \e[00m\n$k8spodswithlabels" - echo -e "\e[00;33m[+] Run 'kubectl logs ' to search for interesting information in logs\e[00m\n" - echo -e "\e[00;33m[+] Run 'kubectl exec -it -- sh' to gain shell access into pods and extract information like 'printenv' etc \e[00m\n" - echo -e "\n" -fi - -k8snodes=`kubectl get nodes 2>/dev/null` -if [ "$k8snodes" ]; then - echo -e "\e[00;33m[+] Kubernetes Nodes \e[00m\n$k8snodes" - echo -e "\n" -fi - -k8sevents=`kubectl get events 2>/dev/null` -if [ "$k8sevents" ]; then - echo -e "\e[00;33m[+] Kubernetes Events. Check here for interesting \e[00m\n$k8sevents" - echo -e "\n" -fi - -k8ssecrets=`kubectl get secret -o json 2>/dev/null` -if [ "$k8ssecrets" ]; then - echo -e "\e[00;33m[+] Fetch all Secrets stored in Kubernetes Cluster \e[00m\n$k8ssecrets" - echo -e "\n" -fi - -fi - -} - diff --git a/includes/lxc b/includes/lxc new file mode 100755 index 0000000..6426f1d --- /dev/null +++ b/includes/lxc 
@@ -0,0 +1,18 @@ +#!/bin/bash + +lxc_container_checks() { + + #specific checks - are we in an lxd/lxc container + lxccontainer=$(grep -qa container=lxc /proc/1/environ 2>/dev/null) + if [ "$lxccontainer" ]; then + echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer" + echo -e "\n" + fi + + #specific checks - are we a member of the lxd group + lxdgroup=$(id | grep -i lxd 2>/dev/null) + if [ "$lxdgroup" ]; then + echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup" + echo -e "\n" + fi +} diff --git a/includes/lxc_info.sh b/includes/lxc_info.sh deleted file mode 100755 index 0d292c6..0000000 --- a/includes/lxc_info.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -lxc_container_checks() -{ - -#specific checks - are we in an lxd/lxc container -lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null` -if [ "$lxccontainer" ]; then - echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer" - echo -e "\n" -fi - -#specific checks - are we a member of the lxd group -lxdgroup=`id | grep -i lxd 2>/dev/null` -if [ "$lxdgroup" ]; then - echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup" - echo -e "\n" -fi -} diff --git a/includes/network_info.sh b/includes/network_info.sh deleted file mode 100755 index 64c57b9..0000000 --- a/includes/network_info.sh +++ /dev/null 
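Review bot: `lxccontainer=$(grep -qa container=lxc /proc/1/environ 2>/dev/null)` can never be non-empty, because `-q` suppresses grep's output, so the "Looks like we're in a lxc container" branch is dead code and the check silently reports nothing. The condition should use grep's exit status rather than its captured output: `if grep -qa container=lxc /proc/1/environ 2>/dev/null; then`, and the `$lxccontainer` expansion in the message should go (it would only ever be empty). The defect predates the refactor but is preserved on the new side.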
@@ -1,85 +0,0 @@ -#!/bin/bash - -networking_info() -{ -echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" - -#nic information -nicinfo=`/sbin/ifconfig -a 2>/dev/null` -if [ "$nicinfo" ]; then - echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo" - echo -e "\n" -fi - -#nic information (using ip) -nicinfoip=`/sbin/ip a 2>/dev/null` -if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then - echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip" - echo -e "\n" -fi - -arpinfo=`arp -a 2>/dev/null` -if [ "$arpinfo" ]; then - echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo" - echo -e "\n" -fi - -arpinfoip=`ip n 2>/dev/null` -if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then - echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip" - echo -e "\n" -fi - -#dns settings -nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null` -if [ "$nsinfo" ]; then - echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo" - echo -e "\n" -fi - -nsinfosysd=`systemd-resolve --status 2>/dev/null` -if [ "$nsinfosysd" ]; then - echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd" - echo -e "\n" -fi - -#default route configuration -defroute=`route 2>/dev/null | grep default` -if [ "$defroute" ]; then - echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute" - echo -e "\n" -fi - -#default route configuration -defrouteip=`ip r 2>/dev/null | grep default` -if [ ! "$defroute" ] && [ "$defrouteip" ]; then - echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip" - echo -e "\n" -fi - -#listening TCP -tcpservs=`netstat -ntpl 2>/dev/null` -if [ "$tcpservs" ]; then - echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs" - echo -e "\n" -fi - -tcpservsip=`ss -t -l -n 2>/dev/null` -if [ ! 
"$tcpservs" ] && [ "$tcpservsip" ]; then - echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip" - echo -e "\n" -fi - -#listening UDP -udpservs=`netstat -nupl 2>/dev/null` -if [ "$udpservs" ]; then - echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs" - echo -e "\n" -fi - -udpservsip=`ss -u -l -n 2>/dev/null` -if [ ! "$udpservs" ] && [ "$udpservsip" ]; then - echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip" - echo -e "\n" -fi -} diff --git a/includes/networking b/includes/networking new file mode 100755 index 0000000..aa48b5f --- /dev/null +++ b/includes/networking 
@@ -0,0 +1,84 @@ +#!/bin/bash + +networking_info() { + echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" + + #nic information + nicinfo=$(/sbin/ifconfig -a 2>/dev/null) + if [ "$nicinfo" ]; then + echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo" + echo -e "\n" + fi + + #nic information (using ip) + nicinfoip=$(/sbin/ip a 2>/dev/null) + if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then + echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip" + echo -e "\n" + fi + + arpinfo=$(arp -a 2>/dev/null) + if [ "$arpinfo" ]; then + echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo" + echo -e "\n" + fi + + arpinfoip=$(ip n 2>/dev/null) + if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then + echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip" + echo -e "\n" + fi + + #dns settings + nsinfo=$(grep "nameserver" /etc/resolv.conf 2>/dev/null) + if [ "$nsinfo" ]; then + echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo" + echo -e "\n" + fi + + nsinfosysd=$(systemd-resolve --status 2>/dev/null) + if [ "$nsinfosysd" ]; then + echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd" + echo -e "\n" + fi + + #default route configuration + defroute=$(route 2>/dev/null | grep default) + if [ "$defroute" ]; then + echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute" + echo -e "\n" + fi + + #default route configuration + defrouteip=$(ip r 2>/dev/null | grep default) + if [ ! "$defroute" ] && [ "$defrouteip" ]; then + echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip" + echo -e "\n" + fi + + #listening TCP + tcpservs=$(netstat -ntpl 2>/dev/null) + if [ "$tcpservs" ]; then + echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs" + echo -e "\n" + fi + + tcpservsip=$(ss -t -l -n 2>/dev/null) + if [ ! 
"$tcpservs" ] && [ "$tcpservsip" ]; then + echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip" + echo -e "\n" + fi + + #listening UDP + udpservs=$(netstat -nupl 2>/dev/null) + if [ "$udpservs" ]; then + echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs" + echo -e "\n" + fi + + udpservsip=$(ss -u -l -n 2>/dev/null) + if [ ! "$udpservs" ] && [ "$udpservsip" ]; then + echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip" + echo -e "\n" + fi +} diff --git a/includes/services b/includes/services new file mode 100755 index 0000000..6335c38 --- /dev/null +++ b/includes/services 
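Review bot: `route 2>/dev/null | grep default` and `arp -a 2>/dev/null` run without `-n`, so net-tools attempts a reverse DNS lookup for every address it prints; on a host whose resolver is unreachable each call blocks until the lookup times out, and the lookups are outbound traffic generated by the assessment itself. `route -n` and `arp -an` return the same data numerically and immediately (the `ip r`/`ip n` fallbacks already behave that way). `systemd-resolve --status` is the older spelling of `resolvectl status`; on distributions that no longer ship the compatibility name the nameserver block may report nothing even though resolved is in use, so trying `resolvectl status` first would be safer.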
@@ -0,0 +1,134 @@ +#!/bin/bash + +services_info() { + echo -e "\e[00;33m### SERVICES #############################################\e[00m" + + #running processes + psaux=$(ps aux 2>/dev/null) + if [ "$psaux" ]; then + echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux" + echo -e "\n" + fi + + #lookup process binary path and permissisons + procperm=$(ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++' 2>/dev/null) + if [ "$procperm" ]; then + echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm" + echo -e "\n" + fi + + if [ "$export" ] && [ "$procperm" ]; then + procpermbase=$(ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null) + mkdir $format/ps-export/ 2>/dev/null + for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null + fi + + #anything 'useful' in inetd.conf + inetdread=$(cat /etc/inetd.conf 2>/dev/null) + if [ "$inetdread" ]; then + echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread" + echo -e "\n" + fi + + if [ "$export" ] && [ "$inetdread" ]; then + mkdir $format/etc-export/ 2>/dev/null + cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null + fi + + #very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each + inetdbinperms=$(awk '{print $7}' /etc/inetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null) + if [ "$inetdbinperms" ]; then + echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms" + echo -e "\n" + fi + + xinetdread=$(cat /etc/xinetd.conf 2>/dev/null) + if [ "$xinetdread" ]; then + echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread" + echo -e "\n" + fi + + if [ "$export" ] && [ "$xinetdread" ]; then + mkdir $format/etc-export/ 2>/dev/null + cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null + fi + + xinetdincd=$(grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null) + if [ 
"$xinetdincd" ]; then + echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m" + ls -la /etc/xinetd.d 2>/dev/null + echo -e "\n" + fi + + #very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each + xinetdbinperms=$(awk '{print $7}' /etc/xinetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null) + if [ "$xinetdbinperms" ]; then + echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms" + echo -e "\n" + fi + + initdread=$(ls -la /etc/init.d 2>/dev/null) + if [ "$initdread" ]; then + echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread" + echo -e "\n" + fi + + #init.d files NOT belonging to root! + initdperms=$(find /etc/init.d/ \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) + if [ "$initdperms" ]; then + echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms" + echo -e "\n" + fi + + rcdread=$(ls -la /etc/rc.d/init.d 2>/dev/null) + if [ "$rcdread" ]; then + echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" + echo -e "\n" + fi + + #init.d files NOT belonging to root! + rcdperms=$(find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) + if [ "$rcdperms" ]; then + echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms" + echo -e "\n" + fi + + usrrcdread=$(ls -la /usr/local/etc/rc.d 2>/dev/null) + if [ "$usrrcdread" ]; then + echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" + echo -e "\n" + fi + + #rc.d files NOT belonging to root! + usrrcdperms=$(find /usr/local/etc/rc.d \! 
-uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) + if [ "$usrrcdperms" ]; then + echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms" + echo -e "\n" + fi + + initread=$(ls -la /etc/init/ 2>/dev/null) + if [ "$initread" ]; then + echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread" + echo -e "\n" + fi + + # upstart scripts not belonging to root + initperms=$(find /etc/init \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) + if [ "$initperms" ]; then + echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms" + echo -e "\n" + fi + + systemdread=$(ls -lthR /lib/systemd/ 2>/dev/null) + if [ "$systemdread" ]; then + echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread" + echo -e "\n" + fi + + # systemd files not belonging to root + systemdperms=$(find /lib/systemd/ \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) + if [ "$systemdperms" ]; then + echo -e "\e[00;33m[+] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms" + echo -e "\n" + fi +} diff --git a/includes/services_info.sh b/includes/services_info.sh deleted file mode 100755 index a17a9eb..0000000 --- a/includes/services_info.sh +++ /dev/null 
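Review bot: `$format` is expanded unquoted in `mkdir $format/ps-export/`, `cp --parents $i $format/ps-export/` and the two `etc-export` blocks, so an export path given with `-e` that contains whitespace is word-split and the copies land elsewhere or fail silently behind the `2>/dev/null`; the same pattern repeats in the users hunk's `etc-export`, `wr-files` and `ssh-files` blocks. Quoting, e.g. `mkdir -p "$format/ps-export/" 2>/dev/null` and `cp --parents "$i" "$format/ps-export/"`, fixes it, and `-p` removes the need to swallow the "already exists" error. Separately, `procpermbase` re-runs `ps aux` instead of reusing the listing captured for `procperm`, so the exported binaries can differ from the permissions table printed just above; capturing `ps aux` once into a variable, or a comment noting the race, would avoid confusing a reader of the report.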
@@ -1,134 +0,0 @@ -#!/bin/bash - -services_info() -{ -echo -e "\e[00;33m### SERVICES #############################################\e[00m" - -#running processes -psaux=`ps aux 2>/dev/null` -if [ "$psaux" ]; then - echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux" - echo -e "\n" -fi - -#lookup process binary path and permissisons -procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null` -if [ "$procperm" ]; then - echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm" - echo -e "\n" -fi - -if [ "$export" ] && [ "$procperm" ]; then -procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null` - mkdir $format/ps-export/ 2>/dev/null - for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null -fi - -#anything 'useful' in inetd.conf -inetdread=`cat /etc/inetd.conf 2>/dev/null` -if [ "$inetdread" ]; then - echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread" - echo -e "\n" -fi - -if [ "$export" ] && [ "$inetdread" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null -fi - -#very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each -inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` -if [ "$inetdbinperms" ]; then - echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms" - echo -e "\n" -fi - -xinetdread=`cat /etc/xinetd.conf 2>/dev/null` -if [ "$xinetdread" ]; then - echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread" - echo -e "\n" -fi - -if [ "$export" ] && [ "$xinetdread" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null -fi - -xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null` -if [ "$xinetdincd" ]; then - echo -e "\e[00;31m[-] 
/etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null - echo -e "\n" -fi - -#very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each -xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` -if [ "$xinetdbinperms" ]; then - echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms" - echo -e "\n" -fi - -initdread=`ls -la /etc/init.d 2>/dev/null` -if [ "$initdread" ]; then - echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread" - echo -e "\n" -fi - -#init.d files NOT belonging to root! -initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` -if [ "$initdperms" ]; then - echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms" - echo -e "\n" -fi - -rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null` -if [ "$rcdread" ]; then - echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" - echo -e "\n" -fi - -#init.d files NOT belonging to root! -rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` -if [ "$rcdperms" ]; then - echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms" - echo -e "\n" -fi - -usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null` -if [ "$usrrcdread" ]; then - echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" - echo -e "\n" -fi - -#rc.d files NOT belonging to root! -usrrcdperms=`find /usr/local/etc/rc.d \! 
-uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` -if [ "$usrrcdperms" ]; then - echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms" - echo -e "\n" -fi - -initread=`ls -la /etc/init/ 2>/dev/null` -if [ "$initread" ]; then - echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread" - echo -e "\n" -fi - -# upstart scripts not belonging to root -initperms=`find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` -if [ "$initperms" ]; then - echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms" - echo -e "\n" -fi - -systemdread=`ls -lthR /lib/systemd/ 2>/dev/null` -if [ "$systemdread" ]; then - echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread" - echo -e "\n" -fi - -# systemd files not belonging to root -systemdperms=`find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` -if [ "$systemdperms" ]; then - echo -e "\e[00;33m[+] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms" - echo -e "\n" -fi -} diff --git a/includes/system b/includes/system new file mode 100755 index 0000000..8cebdb0 --- /dev/null +++ b/includes/system 
@@ -0,0 +1,32 @@ +#!/bin/bash + +system_info() { + echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" + + #basic kernel info + unameinfo=$(uname -a 2>/dev/null) + if [ "$unameinfo" ]; then + echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo" + echo -e "\n" + fi + + procver=$(cat /proc/version 2>/dev/null) + if [ "$procver" ]; then + echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver" + echo -e "\n" + fi + + #search all *-release files for version info + release=$(cat /etc/*-release 2>/dev/null) + if [ "$release" ]; then + echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release" + echo -e "\n" + fi + + #target hostname info + hostnamed=$(hostname 2>/dev/null) + if [ "$hostnamed" ]; then + echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed" + echo -e "\n" + fi +} diff --git a/includes/system_info.sh b/includes/system_info.sh deleted file mode 100755 index 2e3aa06..0000000 --- a/includes/system_info.sh +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash - -system_info() -{ -echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" - -#basic kernel info -unameinfo=`uname -a 2>/dev/null` -if [ "$unameinfo" ]; then - echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo" - echo -e "\n" -fi - -procver=`cat /proc/version 2>/dev/null` -if [ "$procver" ]; then - echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver" - echo -e "\n" -fi - -#search all *-release files for version info -release=`cat /etc/*-release 2>/dev/null` -if [ "$release" ]; then - echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release" - echo -e "\n" -fi - -#target hostname info -hostnamed=`hostname 2>/dev/null` -if [ "$hostnamed" ]; then - echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed" - echo -e "\n" -fi -} diff --git a/includes/user_info.sh b/includes/user_info.sh deleted file mode 100755 index 677ec4d..0000000 --- a/includes/user_info.sh +++ /dev/null 
@@ -1,240 +0,0 @@ -#!/bin/bash - -user_info() -{ -echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" - -#current user details -currusr=`id 2>/dev/null` -if [ "$currusr" ]; then - echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr" - echo -e "\n" -fi - -#last logged on user information -lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null` -if [ "$lastlogedonusrs" ]; then - echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs" - echo -e "\n" -fi - -#who else is logged on -loggedonusrs=`w 2>/dev/null` -if [ "$loggedonusrs" ]; then - echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs" - echo -e "\n" -fi - -#lists all id's and respective group(s) -grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do echo -e "$i : $(id $i)";done 2>/dev/null` -if [ "$grpinfo" ]; then - echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo" - echo -e "\n" -fi - -#added by phackt - look for adm group (thanks patrick) -adm_users=$(echo -e "$grpinfo" | grep "(adm)") -if [[ ! 
-z $adm_users ]]; - then - echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users" - echo -e "\n" -fi - -#checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) -hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null` -if [ "$hashesinpasswd" ]; then - echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" - echo -e "\n" -fi - -#contents of /etc/passwd -readpasswd=`cat /etc/passwd 2>/dev/null` -if [ "$readpasswd" ]; then - echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd" - echo -e "\n" -fi - -if [ "$export" ] && [ "$readpasswd" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/passwd $format/etc-export/passwd 2>/dev/null -fi - -#checks to see if the shadow file can be read -readshadow=`cat /etc/shadow 2>/dev/null` -if [ "$readshadow" ]; then - echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow" - echo -e "\n" -fi - -if [ "$export" ] && [ "$readshadow" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/shadow $format/etc-export/shadow 2>/dev/null -fi - -#checks to see if /etc/master.passwd can be read - BSD 'shadow' variant -readmasterpasswd=`cat /etc/master.passwd 2>/dev/null` -if [ "$readmasterpasswd" ]; then - echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd" - echo -e "\n" -fi - -if [ "$export" ] && [ "$readmasterpasswd" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null -fi - -#all root accounts (uid 0) -superman=`grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null` -if [ "$superman" ]; then - echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman" - echo -e "\n" -fi - -#pull out vital sudoers info -sudoers=`grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null` -if [ "$sudoers" ]; then - echo -e "\e[00;31m[-] Sudoers configuration 
(condensed):\e[00m$sudoers" - echo -e "\n" -fi - -if [ "$export" ] && [ "$sudoers" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null -fi - -#can we sudo without supplying a password -sudoperms=`echo '' | sudo -S -l -k 2>/dev/null` -if [ "$sudoperms" ]; then - echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms" - echo -e "\n" -fi - -#check sudo perms - authenticated -if [ "$sudopass" ]; then - if [ "$sudoperms" ]; then - : - else - sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null` - if [ "$sudoauth" ]; then - echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth" - echo -e "\n" - fi - fi -fi - -##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated -if [ "$sudopass" ]; then - if [ "$sudoperms" ]; then - : - else - sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null` - if [ "$sudopermscheck" ]; then - echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck" - echo -e "\n" - fi - fi -fi - -#known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) -sudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null` -if [ "$sudopwnage" ]; then - echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage" - echo -e "\n" -fi - -#who has sudoed in the past -whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null` -if [ "$whohasbeensudo" ]; then - echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo" - echo -e "\n" -fi - -#checks to see if roots home directory is accessible -rthmdir=`ls -ahl /root/ 2>/dev/null` -if [ "$rthmdir" ]; then - echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir" - echo -e "\n" -fi - -#displays /home 
directory permissions - check if any are lax -homedirperms=`ls -ahl /home/ 2>/dev/null` -if [ "$homedirperms" ]; then - echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms" - echo -e "\n" -fi - -#looks for files we can write to that don't belong to us -if [ "$thorough" = "1" ]; then - grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null` - if [ "$grfilesall" ]; then - echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall" - echo -e "\n" - fi -fi - -#looks for files that belong to us -if [ "$thorough" = "1" ]; then - ourfilesall=`find / -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null` - if [ "$ourfilesall" ]; then - echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall" - echo -e "\n" - fi -fi - -#looks for hidden files -if [ "$thorough" = "1" ]; then - hiddenfiles=`find / -name ".*" -type f ! -path "/proc/*" ! 
-path "/sys/*" -exec ls -al {} \; 2>/dev/null` - if [ "$hiddenfiles" ]; then - echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles" - echo -e "\n" - fi -fi - -#looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch -if [ "$thorough" = "1" ]; then -wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null` - if [ "$wrfileshm" ]; then - echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm" - echo -e "\n" - fi -fi - -if [ "$thorough" = "1" ]; then - if [ "$export" ] && [ "$wrfileshm" ]; then - mkdir $format/wr-files/ 2>/dev/null - for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null - fi -fi - -#lists current user's home directory contents -if [ "$thorough" = "1" ]; then -homedircontents=`ls -ahl ~ 2>/dev/null` - if [ "$homedircontents" ] ; then - echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents" - echo -e "\n" - fi -fi - -#checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch -if [ "$thorough" = "1" ]; then -sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;` - if [ "$sshfiles" ]; then - echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles" - echo -e "\n" - fi -fi - -if [ "$thorough" = "1" ]; then - if [ "$export" ] && [ "$sshfiles" ]; then - mkdir $format/ssh-files/ 2>/dev/null - for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null - fi -fi - -#is root permitted to login via ssh -sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'` -if [ "$sshrootlogin" = "yes" ]; then - echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " 
/etc/ssh/sshd_config 2>/dev/null | grep -v "#" - echo -e "\n" -fi -} diff --git a/includes/users b/includes/users new file mode 100755 index 0000000..d74db1e --- /dev/null +++ b/includes/users 
@@ -0,0 +1,239 @@ +#!/bin/bash + +user_info() { + echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" + + #current user details + currusr=$(id 2>/dev/null) + if [ "$currusr" ]; then + echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr" + echo -e "\n" + fi + + #last logged on user information + lastlogedonusrs=$(lastlog 2>/dev/null | grep -v "Never" 2>/dev/null) + if [ "$lastlogedonusrs" ]; then + echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs" + echo -e "\n" + fi + + #who else is logged on + loggedonusrs=$(w 2>/dev/null) + if [ "$loggedonusrs" ]; then + echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs" + echo -e "\n" + fi + + #lists all id's and respective group(s) + grpinfo=$(for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null); do echo -e "$i : $(id $i)"; done 2>/dev/null) + if [ "$grpinfo" ]; then + echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo" + echo -e "\n" + fi + + #added by phackt - look for adm group (thanks patrick) + adm_users=$(echo -e "$grpinfo" | grep "(adm)") + if [[ ! 
-z $adm_users ]]; then + echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users" + echo -e "\n" + fi + + #checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) + hashesinpasswd=$(grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null) + if [ "$hashesinpasswd" ]; then + echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" + echo -e "\n" + fi + + #contents of /etc/passwd + readpasswd=$(cat /etc/passwd 2>/dev/null) + if [ "$readpasswd" ]; then + echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd" + echo -e "\n" + fi + + if [ "$export" ] && [ "$readpasswd" ]; then + mkdir $format/etc-export/ 2>/dev/null + cp /etc/passwd $format/etc-export/passwd 2>/dev/null + fi + + #checks to see if the shadow file can be read + readshadow=$(cat /etc/shadow 2>/dev/null) + if [ "$readshadow" ]; then + echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow" + echo -e "\n" + fi + + if [ "$export" ] && [ "$readshadow" ]; then + mkdir $format/etc-export/ 2>/dev/null + cp /etc/shadow $format/etc-export/shadow 2>/dev/null + fi + + #checks to see if /etc/master.passwd can be read - BSD 'shadow' variant + readmasterpasswd=$(cat /etc/master.passwd 2>/dev/null) + if [ "$readmasterpasswd" ]; then + echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd" + echo -e "\n" + fi + + if [ "$export" ] && [ "$readmasterpasswd" ]; then + mkdir $format/etc-export/ 2>/dev/null + cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null + fi + + #all root accounts (uid 0) + superman=$(grep -v -E "^#" /etc/passwd 2>/dev/null | awk -F: '$3 == 0 { print $1}' 2>/dev/null) + if [ "$superman" ]; then + echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman" + echo -e "\n" + fi + + #pull out vital sudoers info + sudoers=$(grep -v -e '^$' /etc/sudoers 2>/dev/null | grep -v "#" 2>/dev/null) + if [ "$sudoers" ]; then + echo -e "\e[00;31m[-] Sudoers 
configuration (condensed):\e[00m$sudoers" + echo -e "\n" + fi + + if [ "$export" ] && [ "$sudoers" ]; then + mkdir $format/etc-export/ 2>/dev/null + cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null + fi + + #can we sudo without supplying a password + sudoperms=$(echo '' | sudo -S -l -k 2>/dev/null) + if [ "$sudoperms" ]; then + echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms" + echo -e "\n" + fi + + #check sudo perms - authenticated + if [ "$sudopass" ]; then + if [ "$sudoperms" ]; then + : + else + sudoauth=$(echo $userpassword | sudo -S -l -k 2>/dev/null) + if [ "$sudoauth" ]; then + echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth" + echo -e "\n" + fi + fi + fi + + ##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated + if [ "$sudopass" ]; then + if [ "$sudoperms" ]; then + : + else + sudopermscheck=$(echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) + if [ "$sudopermscheck" ]; then + echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck" + echo -e "\n" + fi + fi + fi + + #known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) + sudopwnage=$(echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) + if [ "$sudopwnage" ]; then + echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage" + echo -e "\n" + fi + + #who has sudoed in the past + whohasbeensudo=$(find /home -name .sudo_as_admin_successful 2>/dev/null) + if [ "$whohasbeensudo" ]; then + echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo" + echo -e "\n" + fi + + #checks to see if roots home directory is accessible + rthmdir=$(ls -ahl /root/ 2>/dev/null) + if [ "$rthmdir" ]; then + echo -e "\e[00;33m[+] We can read root's home 
directory!\e[00m\n$rthmdir" + echo -e "\n" + fi + + #displays /home directory permissions - check if any are lax + homedirperms=$(ls -ahl /home/ 2>/dev/null) + if [ "$homedirperms" ]; then + echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms" + echo -e "\n" + fi + + #looks for files we can write to that don't belong to us + if [ "$thorough" = "1" ]; then + grfilesall=$(find / -writable ! -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) + if [ "$grfilesall" ]; then + echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall" + echo -e "\n" + fi + fi + + #looks for files that belong to us + if [ "$thorough" = "1" ]; then + ourfilesall=$(find / -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) + if [ "$ourfilesall" ]; then + echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall" + echo -e "\n" + fi + fi + + #looks for hidden files + if [ "$thorough" = "1" ]; then + hiddenfiles=$(find / -name ".*" -type f ! -path "/proc/*" ! 
-path "/sys/*" -exec ls -al {} \; 2>/dev/null) + if [ "$hiddenfiles" ]; then + echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles" + echo -e "\n" + fi + fi + + #looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch + if [ "$thorough" = "1" ]; then + wrfileshm=$(find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null) + if [ "$wrfileshm" ]; then + echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm" + echo -e "\n" + fi + fi + + if [ "$thorough" = "1" ]; then + if [ "$export" ] && [ "$wrfileshm" ]; then + mkdir $format/wr-files/ 2>/dev/null + for i in $wrfileshm; do cp --parents $i $format/wr-files/; done 2>/dev/null + fi + fi + + #lists current user's home directory contents + if [ "$thorough" = "1" ]; then + homedircontents=$(ls -ahl ~ 2>/dev/null) + if [ "$homedircontents" ]; then + echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents" + echo -e "\n" + fi + fi + + #checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch + if [ "$thorough" = "1" ]; then + sshfiles=$(find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null) + if [ "$sshfiles" ]; then + echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles" + echo -e "\n" + fi + fi + + if [ "$thorough" = "1" ]; then + if [ "$export" ] && [ "$sshfiles" ]; then + mkdir $format/ssh-files/ 2>/dev/null + for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null + fi + fi + + #is root permitted to login via ssh + sshrootlogin=$(grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}') + if [ "$sshrootlogin" = "yes" ]; then + echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" + grep 
"PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" + echo -e "\n" + fi +} diff --git a/includes/util b/includes/util new file mode 100755 index 0000000..8976fe4 --- /dev/null +++ b/includes/util 
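Review bot: `sudoauth=$(echo $userpassword | sudo -S -l -k 2>/dev/null)` (and `sudopermscheck` a few lines later) feed the `-s` password through an unquoted `echo`, so a password containing spaces, `*` or a leading `-n`/`-e` is word-split, glob-expanded or consumed as an echo option and the authenticated sudo checks fail silently; `printf '%s\n' "$userpassword" | sudo -S -l -k 2>/dev/null` delivers it intact. Each of the four `sudo -S -l -k` invocations is also a real authentication attempt that sudo records in its log (two of them with an empty password), which deserves a comment on the first one, e.g. `# NOTE: every sudo -S attempt below is logged by sudo/PAM on the host`, so a reader of the report is not surprised by the auth-failure entries. The exported copies of `shadow`, `master.passwd`, `sudoers` and the `ssh-files` tree are created under the caller's umask, so a `umask 077` before the first `mkdir $format/...` (or `chmod -R go-rwx "$format"` at the end) would keep that material from being readable by other accounts on the same host.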
@@ -0,0 +1,82 @@ +#!/bin/bash + +#help function +usage() { + echo -e "\n\e[00;31m#########################################################\e[00m" + echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" + echo -e "\e[00;31m#########################################################\e[00m" + echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m" + echo -e "\e[00;33m# $version\e[00m\n" + echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[00m\n" + + echo "OPTIONS:" + echo "-k Enter keyword" + echo "-e Enter export location" + echo "-s Supply user password for sudo checks (INSECURE)" + echo "-t Include thorough (lengthy) tests" + echo "-r Enter report name" + echo "-h Displays this help text" + echo -e "\n" + echo "Running with no options = limited scans/no output file" + + echo -e "\e[00;31m#########################################################\e[00m" +} + +header() { + echo -e "\n\e[00;31m#########################################################\e[00m" + echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" + echo -e "\e[00;31m#########################################################\e[00m" + echo -e "\e[00;33m# www.rebootuser.com\e[00m" + echo -e "\e[00;33m# $version\e[00m\n" + +} + +debug_info() { + echo "[-] Debug Info" + + if [ "$keyword" ]; then + echo "[+] Searching for the keyword $keyword in conf, php, ini and log files" + fi + + if [ "$report" ]; then + echo "[+] Report name = $report" + fi + + if [ "$export" ]; then + echo "[+] Export location = $export" + fi + + if [ "$thorough" ]; then + echo "[+] Thorough tests = Enabled" + else + echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m" + fi + + sleep 2 + + if [ "$export" ]; then + mkdir $export 2>/dev/null + format=$export/LinEnum-export-$(date +"%d-%m-%y") + mkdir $format 2>/dev/null + fi + + if [ "$sudopass" ]; then + echo -e "\e[00;35m[+] Please 
enter password - INSECURE - really only for CTF use!\e[00m" + read -s userpassword + echo + fi + + who=$(whoami) 2>/dev/null + echo -e "\n" + + echo -e "\e[00;33mScan started at:" + date + echo -e "\e[00m\n" +} + +# useful binaries (thanks to https://gtfobins.github.io/) +binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh' + +footer() { + echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m" +} From 60f868a1a21f66200a1ba47dbca2d9d355fd36fb Mon Sep 17 00:00:00 2001 From: Matt Jones Date: Tue, 28 Sep 2021 21:13:06 -0400 Subject: [PATCH 04/10] working on the cleanup --- LinEnum | 2 +- includes/users | 4 ++-- includes/util | 52 +++++++++++++++++++++++++++++++------------------- 3 files changed, 35 insertions(+), 23 deletions(-) diff --git a/LinEnum b/LinEnum index 9d2711d..0293d09 100755 --- a/LinEnum +++ b/LinEnum @@ -28,7 +28,7 @@ # MIT # -version="version 0.982" +VERSION="version 0.982" #@rebootuser # Set the path to include the libraries. These are searched for in the same directory or within the path. We capture diff --git a/includes/users b/includes/users index d74db1e..87a2656 100755 --- a/includes/users +++ b/includes/users 
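Review bot: In debug_info the redirection in `who=$(whoami) 2>/dev/null` is attached to the assignment, not to whoami, so a whoami failure is still printed and nothing is actually silenced; it should read `who=$(whoami 2>/dev/null)`. The same function builds the export tree with unquoted `mkdir $export` and `mkdir $format`, so an export path containing a space is split into several directory names, and `read -s userpassword` also wants `-r` so a backslash in the password is not interpreted as an escape. usage and header interpolate `$version`, which this file never sets and which appears to come from the main script, so that contract deserves a line at the top of the include such as `# expects from the caller: $version, $keyword, $report, $export, $thorough, $sudopass`.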
@@ -112,7 +112,7 @@ user_info() { if [ "$sudoperms" ]; then : else - sudoauth=$(echo $userpassword | sudo -S -l -k 2>/dev/null) + sudoauth=$(echo $user_password | sudo -S -l -k 2>/dev/null) if [ "$sudoauth" ]; then echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth" echo -e "\n" @@ -125,7 +125,7 @@ user_info() { if [ "$sudoperms" ]; then : else - sudopermscheck=$(echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) + sudopermscheck=$(echo $user_password | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) if [ "$sudopermscheck" ]; then echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck" echo -e "\n" diff --git a/includes/util b/includes/util index 8976fe4..a3d6d91 100755 --- a/includes/util +++ b/includes/util 
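Review bot: Both hunks in includes/users now read `$user_password`, but the includes/util hunk in this same commit declares it with `local user_password` inside debug_info, so the value read from the terminal is gone by the time user_info runs and `echo $user_password | sudo -S -l -k` hands sudo an empty line; the -s option silently stops working. Drop the `local` on that variable (or pass the password to user_info explicitly) so the two files agree. Independently, `echo $user_password` should become `printf '%s\n' "$user_password"` so a password containing spaces, glob characters or a leading `-n` reaches sudo unchanged. user_info starts and ends outside these hunks.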
@@ -1,13 +1,23 @@
 #!/bin/bash
 
-#help function
+red="0;31m"
+green="0;32m"
+orange="0;33m"
+blue="0;34m"
+purple="0;35m"
+cyan="0;36m"
+white="1;37m"
+yellow="1;33m"
+default="0m"
+
+# help function
 usage() {
- echo -e "\n\e[00;31m#########################################################\e[00m"
- echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m"
- echo -e "\e[00;31m#########################################################\e[00m"
- echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m"
- echo -e "\e[00;33m# $version\e[00m\n"
- echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[00m\n"
+ echo -e "\n\e[$red#########################################################\e[$default"
+ echo -e "\e[$red#\e[00m" "\e[$orange Local Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$red#\e[$default"
+ echo -e "\e[$red#########################################################\e[$default"
+ echo -e "\e[$orange# www.rebootuser.com | @rebootuser \e[$default"
+ echo -e "\e[$orange# $version\e[$default\n"
+ echo -e "\e[$orange# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[$default\n"
 
 echo "OPTIONS:"
 echo "-k Enter keyword"
@@ -19,15 +29,15 @@ usage() {
 echo -e "\n"
 echo "Running with no options = limited scans/no output file"
 
- echo -e "\e[00;31m#########################################################\e[00m"
+ echo -e "\e[$red#########################################################\e[$default"
 }
 
 header() {
- echo -e "\n\e[00;31m#########################################################\e[00m"
- echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m"
- echo -e "\e[00;31m#########################################################\e[00m"
- echo -e "\e[00;33m# www.rebootuser.com\e[00m"
- echo -e "\e[00;33m# $version\e[00m\n"
+ echo -e "\n\e[$red#########################################################\e[$default"
+ echo -e "\e[$red#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$red#\e[$default"
+ echo -e "\e[$red#########################################################\e[$default"
+ echo -e "\e[$orange# www.rebootuser.com\e[$default"
+ echo -e "\e[$orange# $version\e[$default\n"
 
 }
 
@@ -49,27 +59,29 @@ debug_info() { if [ "$thorough" ]; then echo "[+] Thorough tests = Enabled" else - echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m" + echo -e "\e[$purple [+] Thorough tests = Disabled\e[$default" fi sleep 2 if [ "$export" ]; then - mkdir $export 2>/dev/null - format=$export/LinEnum-export-$(date +"%d-%m-%y") - mkdir $format 2>/dev/null + mkdir "$export" 2>/dev/null + local format + format="$export/LinEnum-export-$(date +"%d-%m-%y")" + mkdir "$format" 2>/dev/null fi if [ "$sudopass" ]; then - echo -e "\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\e[00m" - read -s userpassword + local user_password + echo -e "\e[$purple [+] Please enter password - INSECURE - really only for CTF use!\e[$default" + read -sr user_password echo fi who=$(whoami) 2>/dev/null echo -e "\n" - echo -e "\e[00;33mScan started at:" + echo -e "\e[$orange Scan started at:" date echo -e "\e[00m\n" } From f088e304fb8a4ef04a2b900b3285dad75521d068 Mon Sep 17 00:00:00 2001 From: Matty Jones Date: Wed, 29 Sep 2021 03:17:07 +0000 Subject: [PATCH 05/10] update header, footer, and debug info --- LinEnum | 10 +++++-- includes/util | 77 ++++++++++++++++++++++++++++++++------------------- 2 files changed, 56 insertions(+), 31 deletions(-) diff --git a/LinEnum b/LinEnum index 0293d09..f30b87a 100755 --- a/LinEnum +++ b/LinEnum @@ -61,8 +61,11 @@ library_import call_each() { header - # debug_info - # system_info + + if [ "$debug" ]; then + debug_info + fi + # system_info ## 1st pass complete # user_info # environmental_info # job_info @@ -75,9 +78,10 @@ call_each() { footer } -while getopts "h:k:r:e:st" option; do +while getopts "h:k:r:e:std" option; do case "${option}" in k) keyword=${OPTARG} ;; + d) debug=1 ;; r) report=${OPTARG}"-"$(date +"%d-%m-%y") ;; e) export=${OPTARG} ;; s) sudopass=1 ;; diff --git a/includes/util b/includes/util index a3d6d91..8cbcccd 100755 --- a/includes/util +++ b/includes/util 
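Review bot: `local format` makes `$format` vanish once debug_info returns, yet other includes still build paths from it — the wr-files and ssh-files export code earlier in this series does `mkdir $format/wr-files/` and `cp --parents $i $format/ssh-files/` — so with -e every copy now targets `/wr-files/` and `/ssh-files/` at the filesystem root and fails silently behind `2>/dev/null`. Keep `format` global (the quoting of `"$export"` and `"$format"` is the part to keep) or hand it to the consumers as a parameter. The same applies to `local user_password`, which includes/users reads inside user_info in this commit's other hunks. `who=$(whoami) 2>/dev/null` still redirects the assignment rather than whoami and should be `who=$(whoami 2>/dev/null)`.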
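Review bot: Gating `debug_info` behind `$debug` also gates the work that function carries as side effects: in includes/util it is debug_info that creates the export directory and `$format` and that prompts for the sudo password, so after this change `-e` and `-s` have no effect unless `-d` is also given. Move the directory creation and the password prompt into a setup step that call_each always runs, for example a `setup` function called before the `if [ "$debug" ]` block, leaving debug_info as pure output. call_each continues outside this hunk.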
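Review bot: The optstring `"h:k:r:e:std"` declares `-h` with a required argument, so a plain `./LinEnum -h` makes getopts report a missing argument instead of reaching the `h)` case (which is outside this hunk); the help flag should be a bare `h`: `while getopts "hk:r:e:std" option; do`. The added `d)` case itself is fine.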
@@ -12,20 +12,22 @@ default="0m"
 
 # help function
 usage() {
- echo -e "\n\e[$red#########################################################\e[$default"
- echo -e "\e[$red#\e[00m" "\e[$orange Local Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$red#\e[$default"
- echo -e "\e[$red#########################################################\e[$default"
+ echo -e "\n\e[$red##########################################################\e[$default"
+ echo -e "\e[$red#\e[$default" "\e[$orange Local Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$red#\e[$default"
+ echo -e "\e[$red##########################################################\e[$default"
 echo -e "\e[$orange# www.rebootuser.com | @rebootuser \e[$default"
- echo -e "\e[$orange# $version\e[$default\n"
+ echo -e "\e[$orange# $VERSION\e[$default\n"
 echo -e "\e[$orange# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[$default\n"
 
 echo "OPTIONS:"
- echo "-k Enter keyword"
- echo "-e Enter export location"
- echo "-s Supply user password for sudo checks (INSECURE)"
- echo "-t Include thorough (lengthy) tests"
- echo "-r Enter report name"
- echo "-h Displays this help text"
+ echo "-e Enter export location"
+ echo "-d Print debug info"
+ echo "-h Displays this help text"
+ echo "-k Enter keyword"
+ echo "-r Enter report name"
+ echo "-s Supply user password for sudo checks (INSECURE)"
+ echo "-t Include thorough (lengthy) tests"
+
 echo -e "\n"
 echo "Running with no options = limited scans/no output file"
 
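Review bot: The example still reads `./LinEnum.sh -k keyword -r report -e /tmp/ -t` while the script this series patches is `LinEnum` (the diff headers name `a/LinEnum`), so the help text now points at a file name that no longer exists; change it to `./LinEnum -k keyword -r report -e /tmp/ -t` and consider showing `-d` in it now that the option list documents that flag. usage continues past this hunk.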
@@ -33,39 +35,56 @@ usage() { } header() { - echo -e "\n\e[$red#########################################################\e[$default" - echo -e "\e[$red#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$red#\e[$default" - echo -e "\e[$red#########################################################\e[$default" + echo -e "\n\e[$red##########################################################\e[$default" + echo -e "\e[$red#\e[$default" "\e[$orange Local Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$red#\e[$default" + echo -e "\e[$red##########################################################\e[$default" echo -e "\e[$orange# www.rebootuser.com\e[$default" - echo -e "\e[$orange# $version\e[$default\n" + echo -e "\e[$orange# $VERSION\e[$default\n" } debug_info() { echo "[-] Debug Info" - if [ "$keyword" ]; then - echo "[+] Searching for the keyword $keyword in conf, php, ini and log files" + if [ "$export" ]; then + echo -e " [+] Export path = \e[$green $export\e[$default" + else + echo -e " [+] Export = \e[$red disabled\e[$default" fi + if [ "$keyword" ]; then + echo -e " [+] Keyword search = \e[$green $keyword\e[$default" + else + echo -e " [+] Keyword search = \e[$red disabled\e[$default" + fi + if [ "$report" ]; then - echo "[+] Report name = $report" + echo -e " [+] Reporting = \e[$green $report\e[$default" + else + echo -e " [+] Reporting = \e[$red disabled\e[$default" fi - if [ "$export" ]; then - echo "[+] Export location = $export" + if [ "$sudopass" ]; then + echo -e " [+] Sudo = \e[$green enabled\e[$default" + else + echo -e " [+] Sudo = \e[$red disabled\e[$default" fi if [ "$thorough" ]; then - echo "[+] Thorough tests = Enabled" + echo -e " [+] Thorough tests = \e[$green enabled\e[$default" else - echo -e "\e[$purple [+] Thorough tests = Disabled\e[$default" + echo -e " [+] Thorough tests = \e[$red disabled\e[$default" fi sleep 2 if [ "$export" ]; then - mkdir "$export" 2>/dev/null + mkdir -p "$export" 2> 
/dev/null + if [ ! $? -eq 0 ]; then + echo -e "\n \e[$red Could not create directory '$export'\e[$default" + exit 1 + fi + local format format="$export/LinEnum-export-$(date +"%d-%m-%y")" mkdir "$format" 2>/dev/null @@ -78,17 +97,19 @@ debug_info() { echo fi - who=$(whoami) 2>/dev/null - echo -e "\n" + # who=$(whoami) 2>/dev/null + echo "" - echo -e "\e[$orange Scan started at:" - date - echo -e "\e[00m\n" + echo -e "\e[$orange [+] Scan started at:" + d_stamp=$(date) + echo " [+] $d_stamp" + echo -e "\e[$default\n" } # useful binaries (thanks to https://gtfobins.github.io/) binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh' +# TODO make this prettier footer() { - echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m" + echo -e "\e[$orange############### SCAN COMPLETE ###############\e[$default" } From 5418d03ae45e61ba6fd389bed76cc1afc69b79f7 Mon Sep 17 00:00:00 2001 
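Review bot: The new failure check `mkdir -p "$export" 2>/dev/null` followed by `if [ ! $? -eq 0 ]` discards mkdir's own diagnostic, so the user sees "Could not create directory" without the reason (permission denied, a file in the way, read-only filesystem); write it as `if ! mkdir -p "$export"; then` and let mkdir's stderr through, or capture it into the message. The `mkdir "$format" 2>/dev/null` on the next line still has no check at all and `format` is still `local`, so an unwritable export path still fails silently later on. `exit 1` from a library function ends the whole scan, which is acceptable if intended, but a `return 1` checked by the caller keeps that decision in LinEnum. debug_info continues past this hunk.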
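Review bot: `d_stamp=$(date)` introduces a new global for a value used only on the next line; declare it `local d_stamp` or inline it as `echo " [+] $(date)"`. Commenting out `who=$(whoami)` leaves `$who` unset for any include that reads it; nothing in this series visibly does, so presumably it is dead, but grep the includes before relying on that. debug_info starts outside this hunk.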
From: Matty Jones Date: Wed, 29 Sep 2021 03:17:39 +0000 Subject: [PATCH 06/10] simplify colors --- includes/applications | 30 +++++++------- includes/binaries | 92 +++++++++++++++++++++---------------------- includes/docker | 10 ++--- includes/environment | 16 ++++---- includes/jobs | 20 +++++----- includes/k8s | 16 ++++---- includes/lxc | 4 +- includes/networking | 26 ++++++------ includes/services | 36 ++++++++--------- includes/system | 22 ++++++----- includes/users | 52 ++++++++++++------------ 11 files changed, 164 insertions(+), 160 deletions(-) diff --git a/includes/applications b/includes/applications index 0f35c51..faa45a7 100755 --- a/includes/applications +++ b/includes/applications 
@@ -2,79 +2,79 @@ software_configs() { -echo -e "\e[00;33m### SOFTWARE #############################################\e[00m" +echo -e "\e[$orange### SOFTWARE #############################################\e[$default" #sudo version - check to see if there are any known vulnerabilities with this sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null` if [ "$sudover" ]; then - echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover" + echo -e "\e[$red[-] Sudo version:\e[$default\n$sudover" echo -e "\n" fi #mysql details - if installed mysqlver=`mysql --version 2>/dev/null` if [ "$mysqlver" ]; then - echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver" + echo -e "\e[$red[-] MYSQL version:\e[$default\n$mysqlver" echo -e "\n" fi #checks to see if root/root will get us a connection mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null` if [ "$mysqlconnect" ]; then - echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect" + echo -e "\e[$orange[+] We can connect to the local MYSQL service with default root/root credentials!\e[$default\n$mysqlconnect" echo -e "\n" fi #mysql version details mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null` if [ "$mysqlconnectnopass" ]; then - echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass" + echo -e "\e[$orange[+] We can connect to the local MYSQL service as 'root' and without a password!\e[$default\n$mysqlconnectnopass" echo -e "\n" fi #postgres details - if installed postgver=`psql -V 2>/dev/null` if [ "$postgver" ]; then - echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver" + echo -e "\e[$red[-] Postgres version:\e[$default\n$postgver" echo -e "\n" fi #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this postcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon1" 
]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" + echo -e "\e[$orange[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[$default\n$postcon1" echo -e "\n" fi postcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon11" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" + echo -e "\e[$orange[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[$default\n$postcon11" echo -e "\n" fi postcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon2" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" + echo -e "\e[$orange[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[$default\n$postcon2" echo -e "\n" fi postcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon22" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" + echo -e "\e[$orange[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[$default\n$postcon22" echo -e "\n" fi #apache details - if installed apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null` if [ "$apachever" ]; then - echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever" + echo -e "\e[$red[-] Apache version:\e[$default\n$apachever" echo -e "\n" fi #what account is apache running under apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null` if [ "$apacheusr" ]; then - echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr" + echo -e "\e[$red[-] Apache user configuration:\e[$default\n$apacheusr" echo -e "\n" fi 
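Review bot: `$red`, `$orange` and `$default` are only assigned in includes/util, so software_configs — and every following hunk in includes/applications and includes/binaries — now depends on util being sourced before this file; if the load order differs or the file is sourced on its own, each heading is printed as a bare `\e[` followed by the text and the terminal is left inside an escape sequence. Add a guard at the top of each include that supplies the defaults when unset, e.g. `: "${red:=0;31m}" "${orange:=0;33m}" "${default:=0m}"`, or make library_import load util first and say so in a comment. software_configs starts outside this hunk.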
@@ -86,14 +86,14 @@ fi #installed apache modules apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null` if [ "$apachemodules" ]; then - echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules" + echo -e "\e[$red[-] Installed Apache modules:\e[$default\n$apachemodules" echo -e "\n" fi #htpasswd check htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null` if [ "$htpasswd" ]; then - echo -e "\e[00;33m[-] htpasswd found - could contain passwords:\e[00m\n$htpasswd" + echo -e "\e[$orange[-] htpasswd found - could contain passwords:\e[$default\n$htpasswd" echo -e "\n" fi @@ -101,7 +101,7 @@ fi if [ "$thorough" = "1" ]; then apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null` if [ "$apachehomedirs" ]; then - echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs" + echo -e "\e[$red[-] www home dir contents:\e[$default\n$apachehomedirs" echo -e "\n" fi fi diff --git a/includes/binaries b/includes/binaries index 891bf1a..a19c8c7 100755 --- a/includes/binaries +++ b/includes/binaries @@ -1,10 +1,10 @@ #!/bin/bash interesting_files() { - echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" + echo -e "\e[$orange### INTERESTING FILES ####################################\e[$default" #checks to see if various files are installed - echo -e "\e[00;31m[-] Useful file locations:\e[00m" + echo -e "\e[$red[-] Useful file locations:\e[$default" which nc 2>/dev/null which netcat 2>/dev/null which wget 2>/dev/null 
@@ -19,12 +19,12 @@ interesting_files() { #limited search for installed compilers compiler=$(dpkg --list 2>/dev/null | grep compiler | grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null) if [ "$compiler" ]; then - echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler" + echo -e "\e[$red[-] Installed compilers:\e[$default\n$compiler" echo -e "\n" fi #manual check - lists out sensitive files, can we read/modify etc. - echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" + echo -e "\e[$red[-] Can we read/write sensitive files:\e[$default" ls -la /etc/passwd 2>/dev/null ls -la /etc/group 2>/dev/null ls -la /etc/profile 2>/dev/null @@ -36,7 +36,7 @@ interesting_files() { allsuid=$(find / -perm -4000 -type f 2>/dev/null) findsuid=$(find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null) if [ "$findsuid" ]; then - echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid" + echo -e "\e[$red[-] SUID files:\e[$default\n$findsuid" echo -e "\n" fi 
@@ -48,21 +48,21 @@ interesting_files() { #list of 'interesting' suid files - feel free to make additions intsuid=$(find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null) if [ "$intsuid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid" + echo -e "\e[$orange[+] Possibly interesting SUID files:\e[$default\n$intsuid" echo -e "\n" fi #lists world-writable suid files wwsuid=$(find $allsuid -perm -4002 -type f -exec ls -la {} \; 2>/dev/null) if [ "$wwsuid" ]; then - echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid" + echo -e "\e[$orange[+] World-writable SUID files:\e[$default\n$wwsuid" echo -e "\n" fi #lists world-writable suid files owned by root wwsuidrt=$(find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} \; 2>/dev/null) if [ "$wwsuidrt" ]; then - echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" + echo -e "\e[$orange[+] World-writable SUID files owned by root:\e[$default\n$wwsuidrt" echo -e "\n" fi @@ -70,7 +70,7 @@ interesting_files() { allsgid=$(find / -perm -2000 -type f 2>/dev/null) findsgid=$(find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null) if [ "$findsgid" ]; then - echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" + echo -e "\e[$red[-] SGID files:\e[$default\n$findsgid" echo -e "\n" fi 
@@ -82,28 +82,28 @@ interesting_files() { #list of 'interesting' sgid files intsgid=$(find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null) if [ "$intsgid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" + echo -e "\e[$orange[+] Possibly interesting SGID files:\e[$default\n$intsgid" echo -e "\n" fi #lists world-writable sgid files wwsgid=$(find $allsgid -perm -2002 -type f -exec ls -la {} \; 2>/dev/null) if [ "$wwsgid" ]; then - echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" + echo -e "\e[$orange[+] World-writable SGID files:\e[$default\n$wwsgid" echo -e "\n" fi #lists world-writable sgid files owned by root wwsgidrt=$(find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} \; 2>/dev/null) if [ "$wwsgidrt" ]; then - echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" + echo -e "\e[$orange[+] World-writable SGID files owned by root:\e[$default\n$wwsgidrt" echo -e "\n" fi #list all files with POSIX capabilities set along with there capabilities fileswithcaps=$(getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null) if [ "$fileswithcaps" ]; then - echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps" + echo -e "\e[$red[+] Files with POSIX capabilities set:\e[$default\n$fileswithcaps" echo -e "\n" fi @@ -115,7 +115,7 @@ interesting_files() { #searches /etc/security/capability.conf for users associated capapilies userswithcaps=$(grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null) if [ "$userswithcaps" ]; then - echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps" + echo -e "\e[$orange[+] Users with specific POSIX capabilities:\e[$default\n$userswithcaps" echo -e "\n" fi 
@@ -123,22 +123,22 @@ interesting_files() { #matches the capabilities found associated with users with the current user matchedcaps=$(echo -e "$userswithcaps" | grep $(whoami) | awk '{print $1}' 2>/dev/null) if [ "$matchedcaps" ]; then - echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps" + echo -e "\e[$orange[+] Capabilities associated with the current user:\e[$default\n$matchedcaps" echo -e "\n" #matches the files with capapbilities with capabilities associated with the current user matchedfiles=$(echo -e "$matchedcaps" | while read -r cap; do echo -e "$fileswithcaps" | grep "$cap"; done 2>/dev/null) if [ "$matchedfiles" ]; then - echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles" + echo -e "\e[$orange[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[$default\n$matchedfiles" echo -e "\n" #lists the permissions of the files having the same capabilies associated with the current user matchedfilesperms=$(echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f; done 2>/dev/null) - echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms" + echo -e "\e[$orange[+] Permissions of files with the same capabilities associated with the current user:\e[$default\n$matchedfilesperms" echo -e "\n" if [ "$matchedfilesperms" ]; then #checks if any of the files with same capabilities associated with the current user is writable writablematchedfiles=$(echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} +; done 2>/dev/null) if [ "$writablematchedfiles" ]; then - echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles" + echo -e "\e[$orange[+] User/Group 
writable files with the same capabilities associated with the current user:\e[$default\n$writablematchedfiles" echo -e "\n" fi fi @@ -150,7 +150,7 @@ interesting_files() { if [ "$thorough" = "1" ]; then privatekeyfiles=$(grep -rl "PRIVATE KEY-----" /home 2>/dev/null) if [ "$privatekeyfiles" ]; then - echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles" + echo -e "\e[$orange[+] Private SSH keys found!:\e[$default\n$privatekeyfiles" echo -e "\n" fi fi @@ -159,7 +159,7 @@ interesting_files() { if [ "$thorough" = "1" ]; then awskeyfiles=$(grep -rli "aws_secret_access_key" /home 2>/dev/null) if [ "$awskeyfiles" ]; then - echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles" + echo -e "\e[$orange[+] AWS secret keys found!:\e[$default\n$awskeyfiles" echo -e "\n" fi fi @@ -168,7 +168,7 @@ interesting_files() { if [ "$thorough" = "1" ]; then gitcredfiles=$(find / -name ".git-credentials" 2>/dev/null) if [ "$gitcredfiles" ]; then - echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles" + echo -e "\e[$orange[+] Git credentials saved on the machine!:\e[$default\n$gitcredfiles" echo -e "\n" fi fi @@ -177,7 +177,7 @@ interesting_files() { if [ "$thorough" = "1" ]; then wwfiles=$(find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} \; 2>/dev/null) if [ "$wwfiles" ]; then - echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles" + echo -e "\e[$red[-] World-writable files (excluding /proc and /sys):\e[$default\n$wwfiles" echo -e "\n" fi fi @@ -192,7 +192,7 @@ interesting_files() { #are any .plan files accessible in /home (could contain useful information) usrplan=$(find /home -iname *.plan -exec ls -la {} \; -exec cat {} \; 2>/dev/null) if [ "$usrplan" ]; then - echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan" + echo -e "\e[$red[-] Plan file permissions and contents:\e[$default\n$usrplan" echo -e "\n" fi 
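Review bot: `grep $(whoami)` in the matchedcaps line is an unanchored substring match, so a user named `al` also picks up the capability lines for `alice` and `hal`; use `grep -w -- "$(whoami)"`, and quote `ls -la "$f"` a few lines below so a path with spaces is not split. Everything nested under it derives from matchedcaps, so a false match here also yields a false "files with the same capabilities" section. interesting_files starts and ends outside this hunk.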
@@ -203,7 +203,7 @@ interesting_files() { bsdusrplan=$(find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} \; 2>/dev/null) if [ "$bsdusrplan" ]; then - echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan" + echo -e "\e[$red[-] Plan file permissions and contents:\e[$default\n$bsdusrplan" echo -e "\n" fi @@ -215,7 +215,7 @@ interesting_files() { #are there any .rhosts files accessible - these may allow us to login as another user etc. rhostsusr=$(find /home -iname *.rhosts -exec ls -la {} \; -exec cat {} \; 2>/dev/null 2>/dev/null) if [ "$rhostsusr" ]; then - echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr" + echo -e "\e[$orange[+] rhost config file(s) and file contents:\e[$default\n$rhostsusr" echo -e "\n" fi @@ -226,7 +226,7 @@ interesting_files() { bsdrhostsusr=$(find /usr/home -iname *.rhosts -exec ls -la {} \; -exec cat {} \; 2>/dev/null 2>/dev/null) if [ "$bsdrhostsusr" ]; then - echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr" + echo -e "\e[$orange[+] rhost config file(s) and file contents:\e[$default\n$bsdrhostsusr" echo -e "\n" fi @@ -237,7 +237,7 @@ interesting_files() { rhostssys=$(find /etc -iname hosts.equiv -exec ls -la {} \; -exec cat {} \; 2>/dev/null 2>/dev/null) if [ "$rhostssys" ]; then - echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys" + echo -e "\e[$orange[+] Hosts.equiv file and contents: \e[$default\n$rhostssys" echo -e "\n" fi @@ -252,7 +252,7 @@ interesting_files() { cat /etc/exports 2>/dev/null ) if [ "$nfsexports" ]; then - echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports" + echo -e "\e[$red[-] NFS config details: \e[$default\n$nfsexports" echo -e "\n" fi 
@@ -266,7 +266,7 @@ interesting_files() { #displaying /etc/fstab fstab=$(cat /etc/fstab 2>/dev/null) if [ "$fstab" ]; then - echo -e "\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[00m" + echo -e "\e[$red[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[$default" echo -e "$fstab" echo -e "\n" fi @@ -279,7 +279,7 @@ interesting_files() { grep domain /etc/fstab 2>/dev/null | awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -r echo domain: 2>/dev/null ) if [ "$fstab" ]; then - echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab" + echo -e "\e[$orange[+] Looks like there are credentials in /etc/fstab!\e[$default\n$fstab" echo -e "\n" fi @@ -290,7 +290,7 @@ interesting_files() { fstabcred=$(grep cred /etc/fstab 2>/dev/null | awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null) if [ "$fstabcred" ]; then - echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred" + echo -e "\e[$orange[+] /etc/fstab contains a credentials file!\e[$default\n$fstabcred" echo -e "\n" fi @@ -305,10 +305,10 @@ interesting_files() { else confkey=$(find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null) if [ "$confkey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey" + echo -e "\e[$red[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[$default\n$confkey" echo -e "\n" else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m" + echo -e "\e[$red[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[$default" echo -e "'$keyword' not found in any .conf files" echo -e "\n" fi 
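Review bot: `find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \;` leaves `*.conf` unquoted, so the shell expands it against the current directory first — with any .conf file present find receives several names and errors out, silently under `2>/dev/null` — and `$keyword` is unquoted, so a keyword with a space becomes two arguments and one starting with `-` becomes a grep option. Quote both: `find / -maxdepth 4 -name '*.conf' -type f -exec grep -Hn -- "$keyword" {} \; 2>/dev/null`. The same applies to the .php, .log and .ini searches in the following three hunks. The enclosing if/else starts outside this hunk.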
@@ -330,10 +330,10 @@ interesting_files() { else phpkey=$(find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null) if [ "$phpkey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey" + echo -e "\e[$red[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[$default\n$phpkey" echo -e "\n" else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m" + echo -e "\e[$red[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[$default" echo -e "'$keyword' not found in any .php files" echo -e "\n" fi @@ -355,10 +355,10 @@ interesting_files() { else logkey=$(find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null) if [ "$logkey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey" + echo -e "\e[$red[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[$default\n$logkey" echo -e "\n" else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m" + echo -e "\e[$red[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[$default" echo -e "'$keyword' not found in any .log files" echo -e "\n" fi 
@@ -380,10 +380,10 @@ interesting_files() { else inikey=$(find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null) if [ "$inikey" ]; then - echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey" + echo -e "\e[$red[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[$default\n$inikey" echo -e "\n" else - echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m" + echo -e "\e[$red[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[$default" echo -e "'$keyword' not found in any .ini files" echo -e "\n" fi @@ -402,7 +402,7 @@ interesting_files() { #quick extract of .conf files from /etc - only 1 level allconf=$(find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null) if [ "$allconf" ]; then - echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf" + echo -e "\e[$red[-] All *.conf files in /etc (recursive 1 level):\e[$default\n$allconf" echo -e "\n" fi @@ -414,7 +414,7 @@ interesting_files() { #extract any user history files that are accessible usrhist=$(ls -la ~/.*_history 2>/dev/null) if [ "$usrhist" ]; then - echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist" + echo -e "\e[$red[-] Current user's history files:\e[$default\n$usrhist" echo -e "\n" fi @@ -426,7 +426,7 @@ interesting_files() { #can we read roots *_history files - could be passwords stored etc. roothist=$(ls -la /root/.*_history 2>/dev/null) if [ "$roothist" ]; then - echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist" + echo -e "\e[$orange[+] Root's history files are accessible!\e[$default\n$roothist" echo -e "\n" fi 
@@ -438,26 +438,26 @@ interesting_files() { #all accessible .bash_history, fish_history[.*], .zsh_history, .zhistory, .tcsh_history, .csh_history, .nano_history and .python_history files in /home checkbashhist=$(find /home -regex '.*\.?\(bash_\|fish_\|zsh_\|z\|tcsh_\|csh_\|nano_\|python_\)history\(\..*\)?' -print -exec cat {} \; 2>/dev/null) if [ "$checkbashhist" ]; then - echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history, fish_history, .zsh_history, .zhistory, .tcsh_history, .csh_history, .nano_history and .python_history files:\e[00m\n$checkbashhist" + echo -e "\e[$red[-] Location and contents (if accessible) of .bash_history, fish_history, .zsh_history, .zhistory, .tcsh_history, .csh_history, .nano_history and .python_history files:\e[$default\n$checkbashhist" echo -e "\n" fi #any .bak files that may be of interest - echo -e "\e[00;31m[-] Location and Permissions (if accessible) of .bak file(s):\e[00m" + echo -e "\e[$red[-] Location and Permissions (if accessible) of .bak file(s):\e[$default" find / -name *.bak -type f -exec ls -la {} \; 2>/dev/null echo -e "\n" #is there any mail accessible readmail=$(ls -la /var/mail 2>/dev/null) if [ "$readmail" ]; then - echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail" + echo -e "\e[$red[-] Any interesting mail in /var/mail:\e[$default\n$readmail" echo -e "\n" fi #can we read roots mail readmailroot=$(head /var/mail/root 2>/dev/null) if [ "$readmailroot" ]; then - echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot" + echo -e "\e[$orange[+] We can read /var/mail/root! (snippet below)\e[$default\n$readmailroot" echo -e "\n" fi diff --git a/includes/docker b/includes/docker index b8b93b5..47ea9db 100755 --- a/includes/docker +++ b/includes/docker 
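Review bot: The .bak check is the only one in this file that prints its header unconditionally and runs `find` straight to stdout, so the "Location and Permissions of .bak file(s)" section appears in every report even when nothing was found, unlike the captured-and-guarded pattern used by the surrounding checks; the unquoted `*.bak` glob also expands if the working directory contains a .bak file. Capturing the result and guarding it brings it in line with the rest, and quoting the pattern fixes the glob.
```shell
  #any .bak files that may be of interest
  bakfiles=$(find / -name '*.bak' -type f -exec ls -la {} \; 2>/dev/null)
  if [ "$bakfiles" ]; then
    echo -e "\e[$red[-] Location and Permissions (if accessible) of .bak file(s):\e[$default\n$bakfiles"
    echo -e "\n"
  fi
  # … unchanged: /var/mail and /var/mail/root checks …
```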
@@ -8,7 +8,7 @@ docker_checks() { find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null ) if [ "$dockercontainer" ]; then - echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer" + echo -e "\e[$orange[+] Looks like we're in a Docker container:\e[$default\n$dockercontainer" echo -e "\n" fi @@ -18,28 +18,28 @@ docker_checks() { docker ps -a 2>/dev/null ) if [ "$dockerhost" ]; then - echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost" + echo -e "\e[$orange[+] Looks like we're hosting Docker:\e[$default\n$dockerhost" echo -e "\n" fi #specific checks - are we a member of the docker group dockergrp=$(id | grep -i docker 2>/dev/null) if [ "$dockergrp" ]; then - echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp" + echo -e "\e[$orange[+] We're a member of the (docker) group - could possibly misuse these rights!\e[$default\n$dockergrp" echo -e "\n" fi #specific checks - are there any docker files present dockerfiles=$(find / -name Dockerfile -exec ls -l {} \; 2>/dev/null) if [ "$dockerfiles" ]; then - echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles" + echo -e "\e[$red[-] Anything juicy in the Dockerfile:\e[$default\n$dockerfiles" echo -e "\n" fi #specific checks - are there any docker files present dockeryml=$(find / -name docker-compose.yml -exec ls -l {} \; 2>/dev/null) if [ "$dockeryml" ]; then - echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml" + echo -e "\e[$red[-] Anything juicy in docker-compose.yml:\e[$default\n$dockeryml" echo -e "\n" fi } diff --git a/includes/environment b/includes/environment index cf48be7..b594b50 100755 --- a/includes/environment +++ b/includes/environment 
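Review bot: The docker-group test `id | grep -i docker` only catches the group-membership case; a Docker socket that is writable for other reasons (ACL, a differently named group, a bind-mounted socket inside a container) is the same root-equivalent primitive and is not reported here. A direct check such as `if [ -w /var/run/docker.sock ]; then echo -e "\e[$orange[+] /var/run/docker.sock is writable - root via the Docker API is likely\e[$default\n$(ls -la /var/run/docker.sock)"; fi` covers both. The Dockerfile and docker-compose.yml checks also only `ls -l` the files although the header promises "anything juicy" inside them; either cat them (they are usually small) or reword the header to "Dockerfile locations:".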
@@ -1,19 +1,19 @@ #!/bin/bash environmental_info() { - echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m" + echo -e "\e[$orange### ENVIRONMENTAL #######################################\e[$default" #env information envinfo=$(env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null) if [ "$envinfo" ]; then - echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo" + echo -e "\e[$red[-] Environment information:\e[$default\n$envinfo" echo -e "\n" fi #check if selinux is enabled sestatus=$(sestatus 2>/dev/null) if [ "$sestatus" ]; then - echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus" + echo -e "\e[$red[-] SELinux seems to be present:\e[$default\n$sestatus" echo -e "\n" fi @@ -23,7 +23,7 @@ environmental_info() { pathinfo=$(echo $PATH 2>/dev/null) if [ "$pathinfo" ]; then pathswriteable=$(ls -ld $(echo $PATH | tr ":" " ")) - echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo" + echo -e "\e[$red[-] Path information:\e[$default\n$pathinfo" echo -e "$pathswriteable" echo -e "\n" fi @@ -31,7 +31,7 @@ environmental_info() { #lists available shells shellinfo=$(cat /etc/shells 2>/dev/null) if [ "$shellinfo" ]; then - echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo" + echo -e "\e[$red[-] Available shells:\e[$default\n$shellinfo" echo -e "\n" fi 
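Review bot: The PATH check misses the classic finding: an empty PATH element (a leading, trailing or doubled colon) means the current directory, and `tr ":" " "` collapses it away so `ls -ld` never sees it. Adding `case ":$PATH:" in *::*|*:.:*) echo -e "\e[$orange[+] PATH contains an empty or '.' entry (current directory is searched)\e[$default";; esac` reports it explicitly. The `ls -ld $(...)` call also has no `2>/dev/null`, so non-existent PATH entries spray errors into the output; and `echo $PATH` inside `$(...)` should be `"$PATH"` to avoid glob expansion of odd entries.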
@@ -41,21 +41,21 @@ environmental_info() { umask 2>/dev/null ) if [ "$umaskvalue" ]; then - echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue" + echo -e "\e[$red[-] Current umask value:\e[$default\n$umaskvalue" echo -e "\n" fi #umask value as in /etc/login.defs umaskdef=$(grep -i "^UMASK" /etc/login.defs 2>/dev/null) if [ "$umaskdef" ]; then - echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef" + echo -e "\e[$red[-] umask value as specified in /etc/login.defs:\e[$default\n$umaskdef" echo -e "\n" fi #password policy information as stored in /etc/login.defs logindefs=$(grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null) if [ "$logindefs" ]; then - echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs" + echo -e "\e[$red[-] Password and storage information:\e[$default\n$logindefs" echo -e "\n" fi diff --git a/includes/jobs b/includes/jobs index c3d8396..cf4f53a 100755 --- a/includes/jobs +++ b/includes/jobs 
@@ -1,32 +1,32 @@ #!/bin/bash job_info() { - echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" + echo -e "\e[$orange### JOBS/TASKS ##########################################\e[$default" #are there any cron jobs configured cronjobs=$(ls -la /etc/cron* 2>/dev/null) if [ "$cronjobs" ]; then - echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs" + echo -e "\e[$red[-] Cron jobs:\e[$default\n$cronjobs" echo -e "\n" fi #can we manipulate these jobs in any way cronjobwwperms=$(find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} \; 2>/dev/null) if [ "$cronjobwwperms" ]; then - echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" + echo -e "\e[$orange[+] World-writable cron jobs and file contents:\e[$default\n$cronjobwwperms" echo -e "\n" fi #contab contents crontabvalue=$(cat /etc/crontab 2>/dev/null) if [ "$crontabvalue" ]; then - echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue" + echo -e "\e[$red[-] Crontab contents:\e[$default\n$crontabvalue" echo -e "\n" fi crontabvar=$(ls -la /var/spool/cron/crontabs 2>/dev/null) if [ "$crontabvar" ]; then - echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" + echo -e "\e[$red[-] Anything interesting in /var/spool/cron/crontabs:\e[$default\n$crontabvar" echo -e "\n" fi 
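Review bot: The world-writable cron test is restricted to regular files (`-perm -0002 -type f`), so a world-writable directory such as /etc/cron.d or /etc/cron.daily, which lets anyone drop a new job, is never reported, and symlinked scripts are skipped as well. Broadening it to `find /etc/cron* -perm -0002 \( -type f -o -type d \) -exec ls -lad {} \; 2>/dev/null` and only `cat`-ing the files catches both cases; a group-writable (`-perm -0020`) variant is worth adding too since the running user's groups are known from `id`. Note also that `/var/spool/cron/crontabs` is the Debian layout; on RHEL-style systems the per-user crontabs live directly in `/var/spool/cron`, so a second `ls -la /var/spool/cron` would presumably be needed there.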
@@ -35,20 +35,20 @@ job_info() { cat /etc/anacrontab 2>/dev/null ) if [ "$anacronjobs" ]; then - echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs" + echo -e "\e[$red[-] Anacron jobs and associated file permissions:\e[$default\n$anacronjobs" echo -e "\n" fi anacrontab=$(ls -la /var/spool/anacron 2>/dev/null) if [ "$anacrontab" ]; then - echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" + echo -e "\e[$red[-] When were jobs last executed (/var/spool/anacron contents):\e[$default\n$anacrontab" echo -e "\n" fi #pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command) cronother=$(cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null) if [ "$cronother" ]; then - echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother" + echo -e "\e[$red[-] Jobs held by all users:\e[$default\n$cronother" echo -e "\n" fi @@ -60,10 +60,10 @@ job_info() { else systemdtimers="$(systemctl list-timers 2>/dev/null | head -n -1 2>/dev/null)" # replace the info in the output with a hint towards thorough mode - info="\e[2mEnable thorough tests to see inactive timers\e[00m" + info="\e[2mEnable thorough tests to see inactive timers\e[$default" fi if [ "$systemdtimers" ]; then - echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info" + echo -e "\e[$red[-] Systemd timers:\e[$default\n$systemdtimers\n$info" echo -e "\n" fi diff --git a/includes/k8s b/includes/k8s index 52dc05f..c389bf3 100755 --- a/includes/k8s +++ b/includes/k8s 
@@ -5,38 +5,38 @@ k8s_checks() { k8sconfig=$(kubectl config view 2>/dev/null) if [ "$k8sconfig" ]; then - echo -e "\e[00;33m[+] Looks like there is a Kubernetes Cluster running \e[00m\n$k8sconfig" + echo -e "\e[$orange[+] Looks like there is a Kubernetes Cluster running \e[$default\n$k8sconfig" echo -e "\n" k8sservices=$(kubectl get services 2>/dev/null) if [ "$k8sservices" ]; then - echo -e "\e[00;33m[+] Services Running on Kubernetes cluster. \e[00m\n$k8sservices" + echo -e "\e[$orange[+] Services Running on Kubernetes cluster. \e[$default\n$k8sservices" echo -e "\n" fi k8spodswithlabels=$(kubectl get pods --all-namespaces 2>/dev/null) if [ "$k8spodswithlabels" ]; then - echo -e "\e[00;33m[+] Kubernetes Pods with Labels \e[00m\n$k8spodswithlabels" - echo -e "\e[00;33m[+] Run 'kubectl logs ' to search for interesting information in logs\e[00m\n" - echo -e "\e[00;33m[+] Run 'kubectl exec -it -- sh' to gain shell access into pods and extract information like 'printenv' etc \e[00m\n" + echo -e "\e[$orange[+] Kubernetes Pods with Labels \e[$default\n$k8spodswithlabels" + echo -e "\e[$orange[+] Run 'kubectl logs ' to search for interesting information in logs\e[$default\n" + echo -e "\e[$orange[+] Run 'kubectl exec -it -- sh' to gain shell access into pods and extract information like 'printenv' etc \e[$default\n" echo -e "\n" fi k8snodes=$(kubectl get nodes 2>/dev/null) if [ "$k8snodes" ]; then - echo -e "\e[00;33m[+] Kubernetes Nodes \e[00m\n$k8snodes" + echo -e "\e[$orange[+] Kubernetes Nodes \e[$default\n$k8snodes" echo -e "\n" fi k8sevents=$(kubectl get events 2>/dev/null) if [ "$k8sevents" ]; then - echo -e "\e[00;33m[+] Kubernetes Events. Check here for interesting \e[00m\n$k8sevents" + echo -e "\e[$orange[+] Kubernetes Events. 
Check here for interesting \e[$default\n$k8sevents" echo -e "\n" fi k8ssecrets=$(kubectl get secret -o json 2>/dev/null) if [ "$k8ssecrets" ]; then - echo -e "\e[00;33m[+] Fetch all Secrets stored in Kubernetes Cluster \e[00m\n$k8ssecrets" + echo -e "\e[$orange[+] Fetch all Secrets stored in Kubernetes Cluster \e[$default\n$k8ssecrets" echo -e "\n" fi diff --git a/includes/lxc b/includes/lxc index 6426f1d..51f0995 100755 --- a/includes/lxc +++ b/includes/lxc @@ -5,14 +5,14 @@ lxc_container_checks() { #specific checks - are we in an lxd/lxc container lxccontainer=$(grep -qa container=lxc /proc/1/environ 2>/dev/null) if [ "$lxccontainer" ]; then - echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer" + echo -e "\e[$orange[+] Looks like we're in a lxc container:\e[$default\n$lxccontainer" echo -e "\n" fi #specific checks - are we a member of the lxd group lxdgroup=$(id | grep -i lxd 2>/dev/null) if [ "$lxdgroup" ]; then - echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup" + echo -e "\e[$orange[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[$default\n$lxdgroup" echo -e "\n" fi } diff --git a/includes/networking b/includes/networking index aa48b5f..ccb72f7 100755 --- a/includes/networking +++ b/includes/networking 
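Review bot: `kubectl get secret -o json` prints every secret in the current namespace in full to stdout, and when a report is requested the whole thing is appended to the report file on disk, so a routine enumeration run leaves cluster credentials lying around in plaintext. Listing names first (`kubectl get secret` without `-o json`) and gating the full dump behind the thorough flag (`if [ "$thorough" = "1" ]`) keeps the default run safer while still telling the operator what is there. The printed hints `kubectl logs ` and `kubectl exec -it -- sh` are missing the pod-name placeholder (it looks like a `<pod>` token was lost, presumably to HTML stripping); as they stand the commands are incomplete.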
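Review bot: The lxc detection can never fire: `grep -qa container=lxc /proc/1/environ` runs with `-q`, which suppresses all output, so `$lxccontainer` is always empty and the `if [ "$lxccontainer" ]` branch is dead. Test the exit status instead, `if grep -qa container=lxc /proc/1/environ 2>/dev/null; then`, and drop the `\n$lxccontainer` suffix from the message since there is nothing to print.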
@@ -1,84 +1,84 @@ #!/bin/bash networking_info() { - echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" + echo -e "\e[$orange### NETWORKING ##########################################\e[$default" #nic information nicinfo=$(/sbin/ifconfig -a 2>/dev/null) if [ "$nicinfo" ]; then - echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo" + echo -e "\e[$red[-] Network and IP info:\e[$default\n$nicinfo" echo -e "\n" fi #nic information (using ip) nicinfoip=$(/sbin/ip a 2>/dev/null) if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then - echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip" + echo -e "\e[$red[-] Network and IP info:\e[$default\n$nicinfoip" echo -e "\n" fi arpinfo=$(arp -a 2>/dev/null) if [ "$arpinfo" ]; then - echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo" + echo -e "\e[$red[-] ARP history:\e[$default\n$arpinfo" echo -e "\n" fi arpinfoip=$(ip n 2>/dev/null) if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then - echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip" + echo -e "\e[$red[-] ARP history:\e[$default\n$arpinfoip" echo -e "\n" fi #dns settings nsinfo=$(grep "nameserver" /etc/resolv.conf 2>/dev/null) if [ "$nsinfo" ]; then - echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo" + echo -e "\e[$red[-] Nameserver(s):\e[$default\n$nsinfo" echo -e "\n" fi nsinfosysd=$(systemd-resolve --status 2>/dev/null) if [ "$nsinfosysd" ]; then - echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd" + echo -e "\e[$red[-] Nameserver(s):\e[$default\n$nsinfosysd" echo -e "\n" fi #default route configuration defroute=$(route 2>/dev/null | grep default) if [ "$defroute" ]; then - echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute" + echo -e "\e[$red[-] Default route:\e[$default\n$defroute" echo -e "\n" fi #default route configuration defrouteip=$(ip r 2>/dev/null | grep default) if [ ! 
"$defroute" ] && [ "$defrouteip" ]; then - echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip" + echo -e "\e[$red[-] Default route:\e[$default\n$defrouteip" echo -e "\n" fi #listening TCP tcpservs=$(netstat -ntpl 2>/dev/null) if [ "$tcpservs" ]; then - echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs" + echo -e "\e[$red[-] Listening TCP:\e[$default\n$tcpservs" echo -e "\n" fi tcpservsip=$(ss -t -l -n 2>/dev/null) if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then - echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip" + echo -e "\e[$red[-] Listening TCP:\e[$default\n$tcpservsip" echo -e "\n" fi #listening UDP udpservs=$(netstat -nupl 2>/dev/null) if [ "$udpservs" ]; then - echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs" + echo -e "\e[$red[-] Listening UDP:\e[$default\n$udpservs" echo -e "\n" fi udpservsip=$(ss -u -l -n 2>/dev/null) if [ ! "$udpservs" ] && [ "$udpservsip" ]; then - echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip" + echo -e "\e[$red[-] Listening UDP:\e[$default\n$udpservsip" echo -e "\n" fi } diff --git a/includes/services b/includes/services index 6335c38..44ec1a7 100755 --- a/includes/services +++ b/includes/services 
@@ -1,19 +1,19 @@ #!/bin/bash services_info() { - echo -e "\e[00;33m### SERVICES #############################################\e[00m" + echo -e "\e[$orange### SERVICES #############################################\e[$default" #running processes psaux=$(ps aux 2>/dev/null) if [ "$psaux" ]; then - echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux" + echo -e "\e[$red[-] Running processes:\e[$default\n$psaux" echo -e "\n" fi #lookup process binary path and permissisons procperm=$(ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++' 2>/dev/null) if [ "$procperm" ]; then - echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm" + echo -e "\e[$red[-] Process binaries and associated permissions (from above list):\e[$default\n$procperm" echo -e "\n" fi @@ -26,7 +26,7 @@ services_info() { #anything 'useful' in inetd.conf inetdread=$(cat /etc/inetd.conf 2>/dev/null) if [ "$inetdread" ]; then - echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread" + echo -e "\e[$red[-] Contents of /etc/inetd.conf:\e[$default\n$inetdread" echo -e "\n" fi @@ -38,13 +38,13 @@ services_info() { #very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each inetdbinperms=$(awk '{print $7}' /etc/inetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null) if [ "$inetdbinperms" ]; then - echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms" + echo -e "\e[$red[-] The related inetd binary permissions:\e[$default\n$inetdbinperms" echo -e "\n" fi xinetdread=$(cat /etc/xinetd.conf 2>/dev/null) if [ "$xinetdread" ]; then - echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread" + echo -e "\e[$red[-] Contents of /etc/xinetd.conf:\e[$default\n$xinetdread" echo -e "\n" fi 
@@ -55,7 +55,7 @@ services_info() { xinetdincd=$(grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null) if [ "$xinetdincd" ]; then - echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m" + echo -e "\e[$red[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[$default" ls -la /etc/xinetd.d 2>/dev/null echo -e "\n" fi 
@@ -63,72 +63,72 @@ services_info() { #very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each xinetdbinperms=$(awk '{print $7}' /etc/xinetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null) if [ "$xinetdbinperms" ]; then - echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms" + echo -e "\e[$red[-] The related xinetd binary permissions:\e[$default\n$xinetdbinperms" echo -e "\n" fi initdread=$(ls -la /etc/init.d 2>/dev/null) if [ "$initdread" ]; then - echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread" + echo -e "\e[$red[-] /etc/init.d/ binary permissions:\e[$default\n$initdread" echo -e "\n" fi #init.d files NOT belonging to root! initdperms=$(find /etc/init.d/ \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) if [ "$initdperms" ]; then - echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms" + echo -e "\e[$red[-] /etc/init.d/ files not belonging to root:\e[$default\n$initdperms" echo -e "\n" fi rcdread=$(ls -la /etc/rc.d/init.d 2>/dev/null) if [ "$rcdread" ]; then - echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" + echo -e "\e[$red[-] /etc/rc.d/init.d binary permissions:\e[$default\n$rcdread" echo -e "\n" fi #init.d files NOT belonging to root! rcdperms=$(find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) if [ "$rcdperms" ]; then - echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms" + echo -e "\e[$red[-] /etc/rc.d/init.d files not belonging to root:\e[$default\n$rcdperms" echo -e "\n" fi usrrcdread=$(ls -la /usr/local/etc/rc.d 2>/dev/null) if [ "$usrrcdread" ]; then - echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" + echo -e "\e[$red[-] /usr/local/etc/rc.d binary permissions:\e[$default\n$usrrcdread" echo -e "\n" fi #rc.d files NOT belonging to root! usrrcdperms=$(find /usr/local/etc/rc.d \! 
-uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) if [ "$usrrcdperms" ]; then - echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms" + echo -e "\e[$red[-] /usr/local/etc/rc.d files not belonging to root:\e[$default\n$usrrcdperms" echo -e "\n" fi initread=$(ls -la /etc/init/ 2>/dev/null) if [ "$initread" ]; then - echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread" + echo -e "\e[$red[-] /etc/init/ config file permissions:\e[$default\n$initread" echo -e "\n" fi # upstart scripts not belonging to root initperms=$(find /etc/init \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) if [ "$initperms" ]; then - echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms" + echo -e "\e[$red[-] /etc/init/ config files not belonging to root:\e[$default\n$initperms" echo -e "\n" fi systemdread=$(ls -lthR /lib/systemd/ 2>/dev/null) if [ "$systemdread" ]; then - echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread" + echo -e "\e[$red[-] /lib/systemd/* config file permissions:\e[$default\n$systemdread" echo -e "\n" fi # systemd files not belonging to root systemdperms=$(find /lib/systemd/ \! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null) if [ "$systemdperms" ]; then - echo -e "\e[00;33m[+] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms" + echo -e "\e[$orange[+] /lib/systemd/* config files not belonging to root:\e[$default\n$systemdperms" echo -e "\n" fi } diff --git a/includes/system b/includes/system index 8cebdb0..fa73ff1 100755 --- a/includes/system +++ b/includes/system 
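Review bot: The "not belonging to root" checks test ownership only (`\! -uid 0`), but the usual init/unit privilege-escalation is a root-owned script or unit file that is group- or world-writable, which none of these finds; adding a parallel `find /etc/init.d /etc/rc.d/init.d /etc/init -writable -type f -exec ls -la {} \; 2>/dev/null` (or `-perm -0002`) reports it. The systemd checks also look only under /lib/systemd, whereas admin-defined units and overrides, and therefore the writable ones, live in /etc/systemd/system (and /usr/lib/systemd/system on merged-usr distributions); `ls -lthR /lib/systemd/` is enormous and mostly noise by comparison. The `services_info` function starts outside this hunk.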
@@ -1,32 +1,36 @@ #!/bin/bash system_info() { - echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" + echo -e "\e[$orange### SYSTEM ##############################################\e[$default" #basic kernel info unameinfo=$(uname -a 2>/dev/null) if [ "$unameinfo" ]; then - echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo" - echo -e "\n" + echo -e "\e[$red[-] Kernel information:\e[$default" + echo "$unameinfo" + echo "" fi procver=$(cat /proc/version 2>/dev/null) if [ "$procver" ]; then - echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver" - echo -e "\n" + echo -e "\e[$red[-] Kernel information (continued):\e[$default" + echo "$procver" + echo "" fi #search all *-release files for version info release=$(cat /etc/*-release 2>/dev/null) if [ "$release" ]; then - echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release" - echo -e "\n" + echo -e "\e[$red[-] Specific release information:\e[$default" + echo "$release" + echo "" fi #target hostname info hostnamed=$(hostname 2>/dev/null) if [ "$hostnamed" ]; then - echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed" - echo -e "\n" + echo -e "\e[$red[-] Hostname:\e[$default" + echo "$hostnamed" + echo "" fi } diff --git a/includes/users b/includes/users index 87a2656..a570093 100755 --- a/includes/users +++ b/includes/users 
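Review bot: The spacing changes here: the old `echo -e "\n"` emitted two newlines after each section while the new `echo ""` emits one, so this include is now separated differently from every other include in the series; if the single blank line is the intended new format it should be applied everywhere, otherwise keep `echo -e "\n"`. Moving the collected text out of `echo -e` and into a plain `echo "$unameinfo"` is the right direction regardless, because `echo -e` interprets backslash escapes in whatever was collected; the other includes still print file contents through `echo -e "...\n$var"` and should follow this pattern.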
@@ -1,54 +1,54 @@ #!/bin/bash user_info() { - echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" + echo -e "\e[$orange### USER/GROUP ##########################################\e[$default" #current user details currusr=$(id 2>/dev/null) if [ "$currusr" ]; then - echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr" + echo -e "\e[$red[-] Current user/group info:\e[$default\n$currusr" echo -e "\n" fi #last logged on user information lastlogedonusrs=$(lastlog 2>/dev/null | grep -v "Never" 2>/dev/null) if [ "$lastlogedonusrs" ]; then - echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs" + echo -e "\e[$red[-] Users that have previously logged onto the system:\e[$default\n$lastlogedonusrs" echo -e "\n" fi #who else is logged on loggedonusrs=$(w 2>/dev/null) if [ "$loggedonusrs" ]; then - echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs" + echo -e "\e[$red[-] Who else is logged on:\e[$default\n$loggedonusrs" echo -e "\n" fi #lists all id's and respective group(s) grpinfo=$(for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null); do echo -e "$i : $(id $i)"; done 2>/dev/null) if [ "$grpinfo" ]; then - echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo" + echo -e "\e[$red[-] Group memberships:\e[$default\n$grpinfo" echo -e "\n" fi #added by phackt - look for adm group (thanks patrick) adm_users=$(echo -e "$grpinfo" | grep "(adm)") if [[ ! 
-z $adm_users ]]; then - echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users" + echo -e "\e[$red[-] It looks like we have some admin users:\e[$default\n$adm_users" echo -e "\n" fi #checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) hashesinpasswd=$(grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null) if [ "$hashesinpasswd" ]; then - echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" + echo -e "\e[$orange[+] It looks like we have password hashes in /etc/passwd!\e[$default\n$hashesinpasswd" echo -e "\n" fi #contents of /etc/passwd readpasswd=$(cat /etc/passwd 2>/dev/null) if [ "$readpasswd" ]; then - echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd" + echo -e "\e[$red[-] Contents of /etc/passwd:\e[$default\n$readpasswd" echo -e "\n" fi @@ -60,7 +60,7 @@ user_info() { #checks to see if the shadow file can be read readshadow=$(cat /etc/shadow 2>/dev/null) if [ "$readshadow" ]; then - echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow" + echo -e "\e[$orange[+] We can read the shadow file!\e[$default\n$readshadow" echo -e "\n" fi @@ -72,7 +72,7 @@ user_info() { #checks to see if /etc/master.passwd can be read - BSD 'shadow' variant readmasterpasswd=$(cat /etc/master.passwd 2>/dev/null) if [ "$readmasterpasswd" ]; then - echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd" + echo -e "\e[$orange[+] We can read the master.passwd file!\e[$default\n$readmasterpasswd" echo -e "\n" fi 
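Review bot: The hash-in-passwd test `grep -v '^[^:]*:[x]'` inverts "second field starts with x", so any account whose password field is `*`, `!` or `!!` (locked or service accounts, and the BSD placeholder) is reported as having a password hash in /etc/passwd, which produces false positives on most hosts. Tightening it to `grep -v -E '^[^:]*:(x|\*|!+):' /etc/passwd` keeps real hashes and still surfaces an empty password field, which is worth seeing. The `user_info` function continues outside this hunk.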
@@ -84,14 +84,14 @@ user_info() { #all root accounts (uid 0) superman=$(grep -v -E "^#" /etc/passwd 2>/dev/null | awk -F: '$3 == 0 { print $1}' 2>/dev/null) if [ "$superman" ]; then - echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman" + echo -e "\e[$red[-] Super user account(s):\e[$default\n$superman" echo -e "\n" fi #pull out vital sudoers info sudoers=$(grep -v -e '^$' /etc/sudoers 2>/dev/null | grep -v "#" 2>/dev/null) if [ "$sudoers" ]; then - echo -e "\e[00;31m[-] Sudoers configuration (condensed):\e[00m$sudoers" + echo -e "\e[$red[-] Sudoers configuration (condensed):\e[$default$sudoers" echo -e "\n" fi @@ -103,7 +103,7 @@ user_info() { #can we sudo without supplying a password sudoperms=$(echo '' | sudo -S -l -k 2>/dev/null) if [ "$sudoperms" ]; then - echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms" + echo -e "\e[$orange[+] We can sudo without supplying a password!\e[$default\n$sudoperms" echo -e "\n" fi @@ -114,7 +114,7 @@ user_info() { else sudoauth=$(echo $user_password | sudo -S -l -k 2>/dev/null) if [ "$sudoauth" ]; then - echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth" + echo -e "\e[$orange[+] We can sudo when supplying a password!\e[$default\n$sudoauth" echo -e "\n" fi fi @@ -127,7 +127,7 @@ user_info() { else sudopermscheck=$(echo $user_password | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) if [ "$sudopermscheck" ]; then - echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck" + echo -e "\e[$orange[-] Possible sudo pwnage!\e[$default\n$sudopermscheck" echo -e "\n" fi fi 
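Review bot: The sudoers filter `grep -v "#"` drops every line containing a `#` anywhere, including `#include` and `#includedir /etc/sudoers.d`, so the condensed view never reveals that rules are pulled from sudoers.d, and sudoers.d itself is not read at all; use `grep -v -E '^[[:space:]]*(#[^i]|#$|$)' /etc/sudoers` to keep the include directives and add `ls -la /etc/sudoers.d 2>/dev/null; cat /etc/sudoers.d/* 2>/dev/null` (either may be unreadable, which is fine). Further down, `echo $user_password | sudo -S` passes the password unquoted, so a password containing spaces or glob characters is mangled before sudo sees it; `printf '%s\n' "$user_password" | sudo -S -l -k` is the safe form, and `grep -w $binarylist` should be `"$binarylist"` for the same reason.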
@@ -136,28 +136,28 @@ user_info() { #known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) sudopwnage=$(echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) if [ "$sudopwnage" ]; then - echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage" + echo -e "\e[$orange[+] Possible sudo pwnage!\e[$default\n$sudopwnage" echo -e "\n" fi #who has sudoed in the past whohasbeensudo=$(find /home -name .sudo_as_admin_successful 2>/dev/null) if [ "$whohasbeensudo" ]; then - echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo" + echo -e "\e[$red[-] Accounts that have recently used sudo:\e[$default\n$whohasbeensudo" echo -e "\n" fi #checks to see if roots home directory is accessible rthmdir=$(ls -ahl /root/ 2>/dev/null) if [ "$rthmdir" ]; then - echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir" + echo -e "\e[$orange[+] We can read root's home directory!\e[$default\n$rthmdir" echo -e "\n" fi #displays /home directory permissions - check if any are lax homedirperms=$(ls -ahl /home/ 2>/dev/null) if [ "$homedirperms" ]; then - echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms" + echo -e "\e[$red[-] Are permissions on /home directories lax:\e[$default\n$homedirperms" echo -e "\n" fi @@ -165,7 +165,7 @@ user_info() { if [ "$thorough" = "1" ]; then grfilesall=$(find / -writable ! -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) if [ "$grfilesall" ]; then - echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall" + echo -e "\e[$red[-] Files not owned by user but writable by group:\e[$default\n$grfilesall" echo -e "\n" fi fi 
@@ -174,7 +174,7 @@ user_info() { if [ "$thorough" = "1" ]; then ourfilesall=$(find / -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) if [ "$ourfilesall" ]; then - echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall" + echo -e "\e[$red[-] Files owned by our user:\e[$default\n$ourfilesall" echo -e "\n" fi fi @@ -183,7 +183,7 @@ user_info() { if [ "$thorough" = "1" ]; then hiddenfiles=$(find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) if [ "$hiddenfiles" ]; then - echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles" + echo -e "\e[$red[-] Hidden files:\e[$default\n$hiddenfiles" echo -e "\n" fi fi @@ -192,7 +192,7 @@ user_info() { if [ "$thorough" = "1" ]; then wrfileshm=$(find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null) if [ "$wrfileshm" ]; then - echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm" + echo -e "\e[$red[-] World-readable files within /home:\e[$default\n$wrfileshm" echo -e "\n" fi fi @@ -208,7 +208,7 @@ user_info() { if [ "$thorough" = "1" ]; then homedircontents=$(ls -ahl ~ 2>/dev/null) if [ "$homedircontents" ]; then - echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents" + echo -e "\e[$red[-] Home directory contents:\e[$default\n$homedircontents" echo -e "\n" fi fi @@ -217,7 +217,7 @@ user_info() { if [ "$thorough" = "1" ]; then sshfiles=$(find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null) if [ "$sshfiles" ]; then - echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles" + echo -e "\e[$red[-] SSH keys/host information found in the following locations:\e[$default\n$sshfiles" echo -e "\n" fi fi 
@@ -232,7 +232,7 @@ user_info() { #is root permitted to login via ssh sshrootlogin=$(grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}') if [ "$sshrootlogin" = "yes" ]; then - echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" + echo -e "\e[$red[-] Root is allowed to login via SSH:\e[$default" grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" echo -e "\n" fi From 10512cffde71e9ba6f21f918f8a9f250590a5246 Mon Sep 17 00:00:00 2001 From: Matty Jones Date: Wed, 29 Sep 2021 14:10:40 +0000 Subject: [PATCH 07/10] format output --- LinEnum | 8 ++++---- includes/system | 22 +++++++++------------- includes/users | 46 +++++++++++++++++++++++----------------------- includes/util | 26 +++++++++++++------------- 4 files changed, 49 insertions(+), 53 deletions(-) diff --git a/LinEnum b/LinEnum index f30b87a..f86c7bf 100755 --- a/LinEnum +++ b/LinEnum @@ -63,10 +63,10 @@ call_each() { header if [ "$debug" ]; then - debug_info + debug_info ## 1st pass complete fi - # system_info ## 1st pass complete - # user_info + system_info ## 1st pass complete + user_info # environmental_info # job_info # networking_info @@ -97,7 +97,7 @@ while getopts "h:k:r:e:std" option; do esac done -call_each | tee -a $report 2>/dev/null +call_each | tee -a "$report" 2>/dev/null #EndOfScript ## linuxprivchecker.py diff --git a/includes/system b/includes/system index fa73ff1..d0f0551 100755 --- a/includes/system +++ b/includes/system 
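Review bot: The PermitRootLogin check only fires when the awk output equals exactly `yes`, but `grep "PermitRootLogin " ... | grep -v "#"` can return several values (a global directive plus `Match` block overrides) and drops a directive that carries a trailing comment, so the check stays quiet while root login is in fact permitted; it also never consults files pulled in by `Include` (commonly /etc/ssh/sshd_config.d/), and sshd keywords are case-insensitive. A more reliable source is the effective configuration, `sshd -T 2>/dev/null | awk '$1 == "permitrootlogin" { print $2 }'`, falling back to the file grep when `sshd -T` is not usable by the current user. The same block recurs in patch 07 (includes/users) and patch 08 (includes/users.sh); user_info continues outside the hunk.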
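Review bot: `call_each | tee -a "$report" 2>/dev/null` now hands tee an empty filename when `-r` was not given (the unquoted expansion used to vanish), so tee fails to open `""`, the error is hidden by the redirect, and the script's exit status is non-zero on every run without a report; guard it instead: `if [ "$report" ]; then call_each | tee -a "$report"; else call_each; fi`. The hunk header's `getopts "h:k:r:e:std"` also declares `-h` as taking an argument, which contradicts the bare `-h` in the usage text; that line is outside the hunk, so worth confirming in the file.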
@@ -1,36 +1,32 @@ #!/bin/bash system_info() { - echo -e "\e[$orange### SYSTEM ##############################################\e[$default" + echo -e "\e[$orange######################## System ############################\e[$default" #basic kernel info unameinfo=$(uname -a 2>/dev/null) if [ "$unameinfo" ]; then - echo -e "\e[$red[-] Kernel information:\e[$default" - echo "$unameinfo" - echo "" + echo -e "\e[$cyan[-] Kernel information:\e[$default" + echo -e "$unameinfo\n" fi procver=$(cat /proc/version 2>/dev/null) if [ "$procver" ]; then - echo -e "\e[$red[-] Kernel information (continued):\e[$default" - echo "$procver" - echo "" + echo -e "\e[$cyan[-] Kernel information (continued):\e[$default" + echo -e "$procver\n" fi #search all *-release files for version info release=$(cat /etc/*-release 2>/dev/null) if [ "$release" ]; then - echo -e "\e[$red[-] Specific release information:\e[$default" - echo "$release" - echo "" + echo -e "\e[$cyan[-] Specific release information:\e[$default" + echo -e "$release\n" fi #target hostname info hostnamed=$(hostname 2>/dev/null) if [ "$hostnamed" ]; then - echo -e "\e[$red[-] Hostname:\e[$default" - echo "$hostnamed" - echo "" + echo -e "\e[$cyan[-] Hostname:\e[$default" + echo -e "$hostnamed\n" fi } diff --git a/includes/users b/includes/users index a570093..cca3455 100755 --- a/includes/users +++ b/includes/users 
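Review bot: Replacing `echo "$unameinfo"` with `echo -e "$unameinfo\n"` (and likewise for `$procver`, `$release`, `$hostnamed`) runs the collected output through backslash-escape processing, so a value containing `\n`, `\e` or `\c` is reformatted, can emit terminal control sequences, or is truncated; keep `-e` for the colour prefix only and print data with `printf '%s\n\n' "$unameinfo"`. The same `echo -e "$var\n"` pattern is introduced in includes/users in this patch.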
@@ -1,40 +1,40 @@ #!/bin/bash user_info() { - echo -e "\e[$orange### USER/GROUP ##########################################\e[$default" + echo -e "\e[$orange###################### User/Group ##########################[$default" # TODO fix spacing #current user details currusr=$(id 2>/dev/null) if [ "$currusr" ]; then - echo -e "\e[$red[-] Current user/group info:\e[$default\n$currusr" - echo -e "\n" + echo -e "\e[$cyan[-] Current user/group:\e[$default" + echo -e "$currusr\n" fi #last logged on user information lastlogedonusrs=$(lastlog 2>/dev/null | grep -v "Never" 2>/dev/null) if [ "$lastlogedonusrs" ]; then - echo -e "\e[$red[-] Users that have previously logged onto the system:\e[$default\n$lastlogedonusrs" - echo -e "\n" + echo -e "\e[$cyan[-] Users that have previously logged onto the system:\e[$default" + echo -e "$lastlogedonusrs\n" fi #who else is logged on loggedonusrs=$(w 2>/dev/null) if [ "$loggedonusrs" ]; then - echo -e "\e[$red[-] Who else is logged on:\e[$default\n$loggedonusrs" - echo -e "\n" + echo -e "\e[$cyan[-] Who else is logged on:\e[$default" + echo -e "$loggedonusrs\n" fi #lists all id's and respective group(s) - grpinfo=$(for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null); do echo -e "$i : $(id $i)"; done 2>/dev/null) + grpinfo=$(for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null); do echo -e "$i : $(id | awk -F"groups=" '{ print $2 }' | column -t)"; done 2>/dev/null) if [ "$grpinfo" ]; then - echo -e "\e[$red[-] Group memberships:\e[$default\n$grpinfo" - echo -e "\n" + echo -e "\e[$cyan[-] Group memberships:\e[$default" + echo -e "$grpinfo\n" fi #added by phackt - look for adm group (thanks patrick) adm_users=$(echo -e "$grpinfo" | grep "(adm)") if [[ ! -z $adm_users ]]; then - echo -e "\e[$red[-] It looks like we have some admin users:\e[$default\n$adm_users" + echo -e "\e[$cyan[-] It looks like we have some admin users:\e[$default\n$adm_users" echo -e "\n" fi 
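Review bot: The rewritten group listing dropped the user argument — `$(id | awk -F"groups=" ...)` reports the running user's groups on every row of `grpinfo`, which also feeds the `(adm)` check below it; it should read `$(id "$i" | awk -F"groups=" '{ print $2 }' | column -t)`. The section banner also lost its escape introducer: `##########################[$default"` prints a literal `[0m` and never resets the colour, which is presumably what `# TODO fix spacing` is noticing — restore `\e[$default`. Patch 08 corrects the `id` call in includes/users.sh but carries the banner defect over.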
@@ -48,7 +48,7 @@ user_info() { #contents of /etc/passwd readpasswd=$(cat /etc/passwd 2>/dev/null) if [ "$readpasswd" ]; then - echo -e "\e[$red[-] Contents of /etc/passwd:\e[$default\n$readpasswd" + echo -e "\e[$cyan[-] Contents of /etc/passwd:\e[$default\n$readpasswd" echo -e "\n" fi @@ -84,14 +84,14 @@ user_info() { #all root accounts (uid 0) superman=$(grep -v -E "^#" /etc/passwd 2>/dev/null | awk -F: '$3 == 0 { print $1}' 2>/dev/null) if [ "$superman" ]; then - echo -e "\e[$red[-] Super user account(s):\e[$default\n$superman" + echo -e "\e[$cyan[-] Super user account(s):\e[$default\n$superman" echo -e "\n" fi #pull out vital sudoers info sudoers=$(grep -v -e '^$' /etc/sudoers 2>/dev/null | grep -v "#" 2>/dev/null) if [ "$sudoers" ]; then - echo -e "\e[$red[-] Sudoers configuration (condensed):\e[$default$sudoers" + echo -e "\e[$cyan[-] Sudoers configuration (condensed):\e[$default$sudoers" echo -e "\n" fi @@ -143,7 +143,7 @@ user_info() { #who has sudoed in the past whohasbeensudo=$(find /home -name .sudo_as_admin_successful 2>/dev/null) if [ "$whohasbeensudo" ]; then - echo -e "\e[$red[-] Accounts that have recently used sudo:\e[$default\n$whohasbeensudo" + echo -e "\e[$cyan[-] Accounts that have recently used sudo:\e[$default\n$whohasbeensudo" echo -e "\n" fi @@ -157,7 +157,7 @@ user_info() { #displays /home directory permissions - check if any are lax homedirperms=$(ls -ahl /home/ 2>/dev/null) if [ "$homedirperms" ]; then - echo -e "\e[$red[-] Are permissions on /home directories lax:\e[$default\n$homedirperms" + echo -e "\e[$cyan[-] Are permissions on /home directories lax:\e[$default\n$homedirperms" echo -e "\n" fi 
@@ -165,7 +165,7 @@ user_info() { if [ "$thorough" = "1" ]; then grfilesall=$(find / -writable ! -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) if [ "$grfilesall" ]; then - echo -e "\e[$red[-] Files not owned by user but writable by group:\e[$default\n$grfilesall" + echo -e "\e[$cyan[-] Files not owned by user but writable by group:\e[$default\n$grfilesall" echo -e "\n" fi fi @@ -174,7 +174,7 @@ user_info() { if [ "$thorough" = "1" ]; then ourfilesall=$(find / -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) if [ "$ourfilesall" ]; then - echo -e "\e[$red[-] Files owned by our user:\e[$default\n$ourfilesall" + echo -e "\e[$cyan[-] Files owned by our user:\e[$default\n$ourfilesall" echo -e "\n" fi fi @@ -183,7 +183,7 @@ user_info() { if [ "$thorough" = "1" ]; then hiddenfiles=$(find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) if [ "$hiddenfiles" ]; then - echo -e "\e[$red[-] Hidden files:\e[$default\n$hiddenfiles" + echo -e "\e[$cyan[-] Hidden files:\e[$default\n$hiddenfiles" echo -e "\n" fi fi @@ -192,7 +192,7 @@ user_info() { if [ "$thorough" = "1" ]; then wrfileshm=$(find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null) if [ "$wrfileshm" ]; then - echo -e "\e[$red[-] World-readable files within /home:\e[$default\n$wrfileshm" + echo -e "\e[$cyan[-] World-readable files within /home:\e[$default\n$wrfileshm" echo -e "\n" fi fi @@ -208,7 +208,7 @@ user_info() { if [ "$thorough" = "1" ]; then homedircontents=$(ls -ahl ~ 2>/dev/null) if [ "$homedircontents" ]; then - echo -e "\e[$red[-] Home directory contents:\e[$default\n$homedircontents" + echo -e "\e[$cyan[-] Home directory contents:\e[$default\n$homedircontents" echo -e "\n" fi fi 
@@ -217,7 +217,7 @@ user_info() { if [ "$thorough" = "1" ]; then sshfiles=$(find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null) if [ "$sshfiles" ]; then - echo -e "\e[$red[-] SSH keys/host information found in the following locations:\e[$default\n$sshfiles" + echo -e "\e[$cyan[-] SSH keys/host information found in the following locations:\e[$default\n$sshfiles" echo -e "\n" fi fi @@ -232,7 +232,7 @@ user_info() { #is root permitted to login via ssh sshrootlogin=$(grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}') if [ "$sshrootlogin" = "yes" ]; then - echo -e "\e[$red[-] Root is allowed to login via SSH:\e[$default" + echo -e "\e[$cyan[-] Root is allowed to login via SSH:\e[$default" grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" echo -e "\n" fi diff --git a/includes/util b/includes/util index 8cbcccd..89d4b32 100755 --- a/includes/util +++ b/includes/util 
@@ -12,16 +12,16 @@ default="0m" # help function usage() { - echo -e "\n\e[$red##########################################################\e[$default" - echo -e "\e[$red#\e[$default" "\e[$orange Local Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$red#\e[$default" - echo -e "\e[$red##########################################################\e[$default" + echo -e "\n\e[$blue##########################################################\e[$default" + echo -e "\e[$blue#\e[$default" "\e[$orange Local Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$blue#\e[$default" + echo -e "\e[$blue##########################################################\e[$default" echo -e "\e[$orange# www.rebootuser.com | @rebootuser \e[$default" echo -e "\e[$orange# $VERSION\e[$default\n" echo -e "\e[$orange# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[$default\n" echo "OPTIONS:" echo "-e Enter export location" - echo "-d Print debug info" + echo "-d Print debug info" echo "-h Displays this help text" echo "-k Enter keyword" echo "-r Enter report name" 
@@ -31,13 +31,13 @@ usage() { echo -e "\n" echo "Running with no options = limited scans/no output file" - echo -e "\e[$red#########################################################\e[$default" + echo -e "\e[$blue#########################################################\e[$default" } header() { - echo -e "\n\e[$red##########################################################\e[$default" - echo -e "\e[$red#\e[$default" "\e[$orange Local Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$red#\e[$default" - echo -e "\e[$red##########################################################\e[$default" + echo -e "\n\e[$blue##########################################################\e[$default" + echo -e "\e[$blue#\e[$default" "\e[$orange Local Linux Enumeration & Privilege Escalation Script\e[$default" "\e[$blue#\e[$default" + echo -e "\e[$blue##########################################################\e[$default" echo -e "\e[$orange# www.rebootuser.com\e[$default" echo -e "\e[$orange# $VERSION\e[$default\n" @@ -48,16 +48,16 @@ debug_info() { if [ "$export" ]; then echo -e " [+] Export path = \e[$green $export\e[$default" - else + else echo -e " [+] Export = \e[$red disabled\e[$default" fi if [ "$keyword" ]; then echo -e " [+] Keyword search = \e[$green $keyword\e[$default" - else + else echo -e " [+] Keyword search = \e[$red disabled\e[$default" fi - + if [ "$report" ]; then echo -e " [+] Reporting = \e[$green $report\e[$default" else @@ -79,9 +79,9 @@ debug_info() { sleep 2 if [ "$export" ]; then - mkdir -p "$export" 2> /dev/null + mkdir -p "$export" 2>/dev/null if [ ! $? -eq 0 ]; then - echo -e "\n \e[$red Could not create directory '$export'\e[$default" + echo -e "\n \e[$blue Could not create directory '$export'\e[$default" exit 1 fi From ba506319a725d4ce1d04934cfbd9b1282c9c5825 Mon Sep 17 00:00:00 2001 
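Review bot: `mkdir -p "$export" 2>/dev/null` followed by `if [ ! $? -eq 0 ]; then` can be folded into `if ! mkdir -p -m 700 "$export" 2>/dev/null; then`, which also creates the export root with owner-only permissions: the export tree later receives copies of /etc/shadow, /etc/sudoers and SSH key material made with plain `cp` (no `-p`), so under the usual umask those copies come out world-readable — assuming the `$format` path used by the export functions lives under `$export`, which this page does not show. The failure message was also recoloured from `$red` to `$blue` while the neighbouring `disabled` states stay red, so the palette is now inconsistent for errors. debug_info starts before this hunk.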
From: Matt Jones
Date: Sat, 30 Oct 2021 00:14:01 -0400
Subject: [PATCH 08/10] updates
---
.gitignore | 1 +
LinEnum | 2 +-
includes/users | 239 ---------------------------
includes/users.sh | 402 ++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 404 insertions(+), 240 deletions(-)
delete mode 100755 includes/users
create mode 100755 includes/users.sh
diff --git a/.gitignore b/.gitignore
index 485dee6..70fbfc3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
.idea
+includes/includes.iml
diff --git a/LinEnum b/LinEnum
index f86c7bf..b9ac424 100755
--- a/LinEnum
+++ b/LinEnum
@@ -49,7 +49,7 @@ library_import() {
source networking
source services
source system
- source users
+ source users.sh
source util
export PATH="$ORIG_PATH"
diff --git a/includes/users b/includes/users
deleted file mode 100755
index cca3455..0000000
--- a/includes/users
+++ /dev/null
@@ -1,239 +0,0 @@ -#!/bin/bash - -user_info() { - echo -e "\e[$orange###################### User/Group ##########################[$default" # TODO fix spacing - - #current user details - currusr=$(id 2>/dev/null) - if [ "$currusr" ]; then - echo -e "\e[$cyan[-] Current user/group:\e[$default" - echo -e "$currusr\n" - fi - - #last logged on user information - lastlogedonusrs=$(lastlog 2>/dev/null | grep -v "Never" 2>/dev/null) - if [ "$lastlogedonusrs" ]; then - echo -e "\e[$cyan[-] Users that have previously logged onto the system:\e[$default" - echo -e "$lastlogedonusrs\n" - fi - - #who else is logged on - loggedonusrs=$(w 2>/dev/null) - if [ "$loggedonusrs" ]; then - echo -e "\e[$cyan[-] Who else is logged on:\e[$default" - echo -e "$loggedonusrs\n" - fi - - #lists all id's and respective group(s) - grpinfo=$(for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null); do echo -e "$i : $(id | awk -F"groups=" '{ print $2 }' | column -t)"; done 2>/dev/null) - if [ "$grpinfo" ]; then - echo -e "\e[$cyan[-] Group memberships:\e[$default" - echo -e "$grpinfo\n" - fi - - #added by phackt - look for adm group (thanks patrick) - adm_users=$(echo -e "$grpinfo" | grep "(adm)") - if [[ ! 
-z $adm_users ]]; then - echo -e "\e[$cyan[-] It looks like we have some admin users:\e[$default\n$adm_users" - echo -e "\n" - fi - - #checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) - hashesinpasswd=$(grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null) - if [ "$hashesinpasswd" ]; then - echo -e "\e[$orange[+] It looks like we have password hashes in /etc/passwd!\e[$default\n$hashesinpasswd" - echo -e "\n" - fi - - #contents of /etc/passwd - readpasswd=$(cat /etc/passwd 2>/dev/null) - if [ "$readpasswd" ]; then - echo -e "\e[$cyan[-] Contents of /etc/passwd:\e[$default\n$readpasswd" - echo -e "\n" - fi - - if [ "$export" ] && [ "$readpasswd" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/passwd $format/etc-export/passwd 2>/dev/null - fi - - #checks to see if the shadow file can be read - readshadow=$(cat /etc/shadow 2>/dev/null) - if [ "$readshadow" ]; then - echo -e "\e[$orange[+] We can read the shadow file!\e[$default\n$readshadow" - echo -e "\n" - fi - - if [ "$export" ] && [ "$readshadow" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/shadow $format/etc-export/shadow 2>/dev/null - fi - - #checks to see if /etc/master.passwd can be read - BSD 'shadow' variant - readmasterpasswd=$(cat /etc/master.passwd 2>/dev/null) - if [ "$readmasterpasswd" ]; then - echo -e "\e[$orange[+] We can read the master.passwd file!\e[$default\n$readmasterpasswd" - echo -e "\n" - fi - - if [ "$export" ] && [ "$readmasterpasswd" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null - fi - - #all root accounts (uid 0) - superman=$(grep -v -E "^#" /etc/passwd 2>/dev/null | awk -F: '$3 == 0 { print $1}' 2>/dev/null) - if [ "$superman" ]; then - echo -e "\e[$cyan[-] Super user account(s):\e[$default\n$superman" - echo -e "\n" - fi - - #pull out vital sudoers info - sudoers=$(grep -v -e '^$' /etc/sudoers 2>/dev/null | grep -v "#" 2>/dev/null) - if [ "$sudoers" ]; then - 
echo -e "\e[$cyan[-] Sudoers configuration (condensed):\e[$default$sudoers" - echo -e "\n" - fi - - if [ "$export" ] && [ "$sudoers" ]; then - mkdir $format/etc-export/ 2>/dev/null - cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null - fi - - #can we sudo without supplying a password - sudoperms=$(echo '' | sudo -S -l -k 2>/dev/null) - if [ "$sudoperms" ]; then - echo -e "\e[$orange[+] We can sudo without supplying a password!\e[$default\n$sudoperms" - echo -e "\n" - fi - - #check sudo perms - authenticated - if [ "$sudopass" ]; then - if [ "$sudoperms" ]; then - : - else - sudoauth=$(echo $user_password | sudo -S -l -k 2>/dev/null) - if [ "$sudoauth" ]; then - echo -e "\e[$orange[+] We can sudo when supplying a password!\e[$default\n$sudoauth" - echo -e "\n" - fi - fi - fi - - ##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated - if [ "$sudopass" ]; then - if [ "$sudoperms" ]; then - : - else - sudopermscheck=$(echo $user_password | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) - if [ "$sudopermscheck" ]; then - echo -e "\e[$orange[-] Possible sudo pwnage!\e[$default\n$sudopermscheck" - echo -e "\n" - fi - fi - fi - - #known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - sudopwnage=$(echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) - if [ "$sudopwnage" ]; then - echo -e "\e[$orange[+] Possible sudo pwnage!\e[$default\n$sudopwnage" - echo -e "\n" - fi - - #who has sudoed in the past - whohasbeensudo=$(find /home -name .sudo_as_admin_successful 2>/dev/null) - if [ "$whohasbeensudo" ]; then - echo -e "\e[$cyan[-] Accounts that have recently used sudo:\e[$default\n$whohasbeensudo" - echo -e "\n" - fi - - #checks to see if roots home directory is accessible - rthmdir=$(ls -ahl /root/ 2>/dev/null) - if [ "$rthmdir" ]; then - echo 
-e "\e[$orange[+] We can read root's home directory!\e[$default\n$rthmdir" - echo -e "\n" - fi - - #displays /home directory permissions - check if any are lax - homedirperms=$(ls -ahl /home/ 2>/dev/null) - if [ "$homedirperms" ]; then - echo -e "\e[$cyan[-] Are permissions on /home directories lax:\e[$default\n$homedirperms" - echo -e "\n" - fi - - #looks for files we can write to that don't belong to us - if [ "$thorough" = "1" ]; then - grfilesall=$(find / -writable ! -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) - if [ "$grfilesall" ]; then - echo -e "\e[$cyan[-] Files not owned by user but writable by group:\e[$default\n$grfilesall" - echo -e "\n" - fi - fi - - #looks for files that belong to us - if [ "$thorough" = "1" ]; then - ourfilesall=$(find / -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) - if [ "$ourfilesall" ]; then - echo -e "\e[$cyan[-] Files owned by our user:\e[$default\n$ourfilesall" - echo -e "\n" - fi - fi - - #looks for hidden files - if [ "$thorough" = "1" ]; then - hiddenfiles=$(find / -name ".*" -type f ! -path "/proc/*" ! 
-path "/sys/*" -exec ls -al {} \; 2>/dev/null) - if [ "$hiddenfiles" ]; then - echo -e "\e[$cyan[-] Hidden files:\e[$default\n$hiddenfiles" - echo -e "\n" - fi - fi - - #looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch - if [ "$thorough" = "1" ]; then - wrfileshm=$(find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null) - if [ "$wrfileshm" ]; then - echo -e "\e[$cyan[-] World-readable files within /home:\e[$default\n$wrfileshm" - echo -e "\n" - fi - fi - - if [ "$thorough" = "1" ]; then - if [ "$export" ] && [ "$wrfileshm" ]; then - mkdir $format/wr-files/ 2>/dev/null - for i in $wrfileshm; do cp --parents $i $format/wr-files/; done 2>/dev/null - fi - fi - - #lists current user's home directory contents - if [ "$thorough" = "1" ]; then - homedircontents=$(ls -ahl ~ 2>/dev/null) - if [ "$homedircontents" ]; then - echo -e "\e[$cyan[-] Home directory contents:\e[$default\n$homedircontents" - echo -e "\n" - fi - fi - - #checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch - if [ "$thorough" = "1" ]; then - sshfiles=$(find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null) - if [ "$sshfiles" ]; then - echo -e "\e[$cyan[-] SSH keys/host information found in the following locations:\e[$default\n$sshfiles" - echo -e "\n" - fi - fi - - if [ "$thorough" = "1" ]; then - if [ "$export" ] && [ "$sshfiles" ]; then - mkdir $format/ssh-files/ 2>/dev/null - for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null - fi - fi - - #is root permitted to login via ssh - sshrootlogin=$(grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}') - if [ "$sshrootlogin" = "yes" ]; then - echo -e "\e[$cyan[-] Root is allowed to login via 
SSH:\e[$default"
- grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#"
- echo -e "\n"
- fi
-}
diff --git a/includes/users.sh b/includes/users.sh
new file mode 100755
index 0000000..2b86a8e
--- /dev/null
+++ b/includes/users.sh
@@ -0,0 +1,402 @@ +#!/bin/bash + +# TODO: Create more descriptive file names + +# Current User Details +current_user() { + local curr_user + curr_user=$(id 2>/dev/null) + if [ "$curr_user" ]; then + echo -e "\e[$cyan[-] Current user/group:\e[$default" + echo -e "$curr_user\n" + fi + + return 0 +} + +# Get a list of all logged in users +get_logged_in_users() { + local logged_in_users + logged_in_users=$(w 2>/dev/null) + if [ "$logged_in_users" ]; then + echo -e "\e[$cyan[-] Who else is logged on:\e[$default" + echo -e "$logged_in_users\n" + fi + + return 0 +} + +# Get info on users that have logged in previously +get_previous_logged_in_users() { + local previous_users + previous_users=$(lastlog 2>/dev/null | grep -v "Never" 2>/dev/null) + if [ "$previous_users" ]; then + echo -e "\e[$cyan[-] Users that have previously logged onto the system:\e[$default" + echo -e "$previous_users\n" + fi + + return 0 +} + +# Get a list of groups a user is in +get_user_groups() { + local user + local grp_info + + # shellcheck disable=SC2013 + grp_info=$(for user in $(cut -d":" -f1 /etc/passwd 2>/dev/null); do echo -e "$user : $(id "$user" | awk -F"groups=" '{ print $2 }' | column -t)"; done 2>/dev/null) + if [ "$grp_info" ]; then + echo -e "\e[$cyan[-] Group memberships:\e[$default" + echo -e "$grp_info\n" + fi + + return 0 +} + +# Checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) +check_passwd_hashes() { + local passwd_hashes + passwd_hashes=$(grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null) + if [ "$passwd_hashes" ]; then + echo -e "\e[$cyan[-] It looks like we have password hashes in /etc/passwd!\e[$default\n$passwd_hashes" + echo -e "\n" + fi + + return 0 +} + +# Print the contents contents of /etc/passwd +# NOTE: Is this needed if we are using the other specialized functions +read_passwd_contents() { + local passwd_contents + # TODO: Make this a utility function + while IFS= read -r line; do + passwd_contents+=("$line") + done /dev/null" + cp 
/etc/passwd "$format/etc-export/passwd 2>/dev/null" + fi + + return 0 + +} + +# Checks to see if the shadow file can be read +read_shadow_file_contents() { + local shadow_file_contents + # TODO: Make this a utility function + while IFS= read -r line; do + shadow_file_contents+=("$line") + done /dev/null" + cp /etc/shadow $format/etc-export/shadow 2>/dev/null + fi + + return 0 +} + +# Tries to read the BSD 'shadow' variant /etc/master.passwd +read_bsd_shadow_file() { + bsd_shadow_file=/etc/master.passwd + if test -f "$bsd_shadow_file"; then + local shadow_file_contents + # TODO: Make this a utility function + while IFS= read -r line; do + shadow_file_contents+=("$line") + done /dev/null" + cp /etc/master.passwd "$format/etc-export/master.passwd 2>/dev/null" + fi + + return 0 +} + +# Find accounts with uid 0 +find_uid0_accounts() { + # NOTE: Should this be a loop? + local root_accounts + root_accounts=$(grep -v -E "^#" /etc/passwd 2>/dev/null | awk -F: '$3 == 0 { print $1}' 2>/dev/null) + if [ "$root_accounts" ]; then + printf "%s[-] Root accounts:%s\n\n" "${cyan}" "${default}" + printf "%s\n" "${root_accounts}" + else + printf "%s[-] Could not read /etc/passwd%s\n\n" "${purple}" "${default}" + fi +} + +#pull out vital sudoers info +print_sudoers_config() { + local sudoers_config + sudoers_config=$(grep -v -e '^$' /etc/sudoers 2>/dev/null | grep -v "#" 2>/dev/null) + if [ "$sudoers_config" ]; then + printf "%s[-] Sudoers configuration (condensed):%s\n\n" "${cyan}" "${default}" + printf "%s\n" "${sudoers_config}" + + # TODO pass in the data, instead of recalling the function + export_sudoers_config + + else + printf "%s[-] Could not read /etc/sudoers%s\n\n" "${purple}" "${default}" + fi +} + +# TODO: Change $format to $location +# TODO: Chnage variable name from export as that is a std command + +# If selected, export the contents of /etc/shadow +export_sudoers_config() { + local contents + # TODO: Make this a utility function + contents=read_bsd_bsd_shadow_file + + 
if [ "$export" ] && [ "$contents" ]; then + printf "%s[-] Contents of /etc/sudoers will be exported to %s/etc-export/ %s\n\n" "${cyan}" "${format}" "${default}" + # TODO: Check for errors when creating the directory + mkdir "$format/etc-export/ 2>/dev/null" + cp /etc/sudoers "$format/etc-export/sudoers 2>/dev/null" + fi + + return 0 +} +user_info() { + echo -e "\e[$orange###################### User/Group ##########################[$default" # TODO fix spacing + + # TODO: Change function names to be consistent + + current_user + get_logged_in_users + get_previous_logged_in_users + get_user_groups + check_passwd_hashes + read_passwd_contents + read_shadow_file_contents + read_bsd_shadow_file + find_uid0_accounts + print_sudoers_config + export_sudoers_config + + #added by phackt - look for adm group (thanks patrick) + # adm_users=$(echo -e "$grpinfo" | grep "(adm)") + # if [[ ! -z $adm_users ]]; then + # echo -e "\e[$cyan[-] It looks like we have some admin users:\e[$default\n$adm_users" + # echo -e "\n" + # fi + + #can we sudo without supplying a password + sudoperms=$(echo '' | sudo -S -l -k 2>/dev/null) + if [ "$sudoperms" ]; then + echo -e "\e[$orange[+] We can sudo without supplying a password!\e[$default\n$sudoperms" + echo -e "\n" + fi + + #check sudo perms - authenticated + if [ "$sudopass" ]; then + if [ "$sudoperms" ]; then + : + else + sudoauth=$(echo $user_password | sudo -S -l -k 2>/dev/null) + if [ "$sudoauth" ]; then + echo -e "\e[$orange[+] We can sudo when supplying a password!\e[$default\n$sudoauth" + echo -e "\n" + fi + fi + fi + + ##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated + if [ "$sudopass" ]; then + if [ "$sudoperms" ]; then + : + else + sudopermscheck=$(echo $user_password | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) + if [ "$sudopermscheck" ]; then + echo -e "\e[$orange[-] Possible sudo 
pwnage!\e[$default\n$sudopermscheck" + echo -e "\n" + fi + fi + fi + + #known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) + sudopwnage=$(echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null) + if [ "$sudopwnage" ]; then + echo -e "\e[$orange[+] Possible sudo pwnage!\e[$default\n$sudopwnage" + echo -e "\n" + fi + + #who has sudoed in the past + whohasbeensudo=$(find /home -name .sudo_as_admin_successful 2>/dev/null) + if [ "$whohasbeensudo" ]; then + echo -e "\e[$cyan[-] Accounts that have recently used sudo:\e[$default\n$whohasbeensudo" + echo -e "\n" + fi + + #checks to see if roots home directory is accessible + rthmdir=$(ls -ahl /root/ 2>/dev/null) + if [ "$rthmdir" ]; then + echo -e "\e[$orange[+] We can read root's home directory!\e[$default\n$rthmdir" + echo -e "\n" + fi + + #displays /home directory permissions - check if any are lax + homedirperms=$(ls -ahl /home/ 2>/dev/null) + if [ "$homedirperms" ]; then + echo -e "\e[$cyan[-] Are permissions on /home directories lax:\e[$default\n$homedirperms" + echo -e "\n" + fi + + #looks for files we can write to that don't belong to us + if [ "$thorough" = "1" ]; then + grfilesall=$(find / -writable ! -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) + if [ "$grfilesall" ]; then + echo -e "\e[$cyan[-] Files not owned by user but writable by group:\e[$default\n$grfilesall" + echo -e "\n" + fi + fi + + #looks for files that belong to us + if [ "$thorough" = "1" ]; then + ourfilesall=$(find / -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null) + if [ "$ourfilesall" ]; then + echo -e "\e[$cyan[-] Files owned by our user:\e[$default\n$ourfilesall" + echo -e "\n" + fi + fi + + #looks for hidden files + if [ "$thorough" = "1" ]; then + hiddenfiles=$(find / -name ".*" -type f ! -path "/proc/*" ! 
-path "/sys/*" -exec ls -al {} \; 2>/dev/null) + if [ "$hiddenfiles" ]; then + echo -e "\e[$cyan[-] Hidden files:\e[$default\n$hiddenfiles" + echo -e "\n" + fi + fi + + #looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch + if [ "$thorough" = "1" ]; then + wrfileshm=$(find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null) + if [ "$wrfileshm" ]; then + echo -e "\e[$cyan[-] World-readable files within /home:\e[$default\n$wrfileshm" + echo -e "\n" + fi + fi + + if [ "$thorough" = "1" ]; then + if [ "$export" ] && [ "$wrfileshm" ]; then + mkdir $format/wr-files/ 2>/dev/null + for i in $wrfileshm; do cp --parents $i $format/wr-files/; done 2>/dev/null + fi + fi + + #lists current user's home directory contents + if [ "$thorough" = "1" ]; then + homedircontents=$(ls -ahl ~ 2>/dev/null) + if [ "$homedircontents" ]; then + echo -e "\e[$cyan[-] Home directory contents:\e[$default\n$homedircontents" + echo -e "\n" + fi + fi + + #checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch + if [ "$thorough" = "1" ]; then + sshfiles=$(find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null) + if [ "$sshfiles" ]; then + echo -e "\e[$cyan[-] SSH keys/host information found in the following locations:\e[$default\n$sshfiles" + echo -e "\n" + fi + fi + + if [ "$thorough" = "1" ]; then + if [ "$export" ] && [ "$sshfiles" ]; then + mkdir $format/ssh-files/ 2>/dev/null + for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null + fi + fi + + #is root permitted to login via ssh + sshrootlogin=$(grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}') + if [ "$sshrootlogin" = "yes" ]; then + echo -e "\e[$cyan[-] Root is allowed to login via 
SSH:\e[$default" + grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" + echo -e "\n" + fi +} From e27c2404424deb5c1f40ec2c4ee124ad109b0148 Mon Sep 17 00:00:00 2001 From: Matt Jones Date: Sat, 30 Oct 2021 00:40:19 -0400 Subject: [PATCH 09/10] call out some additional bugs I created --- includes/users.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/includes/users.sh b/includes/users.sh index 2b86a8e..e000d47 100755 --- a/includes/users.sh +++ b/includes/users.sh @@ -1,6 +1,6 @@ #!/bin/bash -# TODO: Create more descriptive file names +# TODO: Create more descriptive function names # Current User Details current_user() { @@ -78,7 +78,7 @@ read_passwd_contents() { printf "%s[-] Contents of /etc/passwd:%s\n" "${cyan}" "${default}" printf "%s\n" "${passwd_contents[@]}" - # TODO pass in the data, instead of recalling the function + # BUG pass in the data, instead of recalling the function export_passwd_contents else printf "%s[-] Could not read /etc/passwd%s" "${purple}" "${default}" @@ -88,8 +88,7 @@ read_passwd_contents() { } # TODO: Change $format to $location -# TODO: Chnage varianle name from export as that is a std command - +# TODO: Change variable name from export as that is a std command # If selected, export the contents of /etc/passwd export_passwd_contents() { local contents @@ -119,7 +118,7 @@ read_shadow_file_contents() { printf "%s[-] Contents of /etc/shadow:%s\n" "${cyan}" "${default}" printf "%s\n" "${shadow_file_contents[@]}" - # TODO pass in the data, instead of recalling the function + # BUG pass in the data, instead of recalling the function export_shadow_file else printf "%s[-] Could not read /etc/shadow%s" "${purple}" "${default}" @@ -130,7 +129,6 @@ read_shadow_file_contents() { # TODO: Change $format to $location # TODO: Chnage variable name from export as that is a std command - # If selected, export the contents of /etc/shadow export_shadow_file() { local contents 
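Review bot: The export helpers quote the redirection into the pathname — `mkdir "$format/etc-export/ 2>/dev/null"` in export_passwd_contents and export_sudoers_config, and `cp /etc/passwd "$format/etc-export/passwd 2>/dev/null"`, `cp /etc/master.passwd "$format/etc-export/master.passwd 2>/dev/null"`, `cp /etc/sudoers "$format/etc-export/sudoers 2>/dev/null"` — so mkdir fails because the parent `etc-export/ 2>` does not exist (and without `-p` it cannot create it), the copies target files named `passwd 2>/dev/null` in a directory that was never made, and the errors are no longer suppressed; move the redirection outside the quotes, e.g. `mkdir -p "$format/etc-export/" 2>/dev/null` and `cp /etc/sudoers "$format/etc-export/sudoers" 2>/dev/null`. In export_sudoers_config, `contents=read_bsd_bsd_shadow_file` stores a literal string rather than a command's output (no function of that name exists either), so the `[ "$contents" ]` guard always passes, and user_info calls `export_sudoers_config` again right after `print_sudoers_config`, which already calls it, so the export runs twice; patch 09 tags the recall with `BUG` but fixes neither. `bsd_shadow_file` in read_bsd_shadow_file is assigned without `local` and so leaks into the caller, and the section banner still lacks the `\e` before `[$default`, printing a literal `[0m`. The `while IFS= read -r line` loops are garbled on this page (the `done < FILE` redirections are missing), so they were not reviewed. The same unquoted `echo $user_password | sudo -S` and `grep -w $binarylist` lines noted on patch 06 are carried into user_info here.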
@@ -161,7 +159,7 @@ read_bsd_shadow_file() {
 printf "%s[-] Contents of /etc/shadow:%s\n" "${cyan}" "${default}"
 printf "%s\n\n" "${shadow_file_contents[@]}"
- # TODO pass in the data, instead of recalling the function
+ # BUG pass in the data, instead of recalling the function
 export_bsd_shadow_file
 else
 printf "%s[-] Could not read /etc/master.passwd%s\n\n" "${purple}" "${default}"
@@ -175,7 +173,6 @@ read_bsd_shadow_file() {
 # TODO: Change $format to $location
 # TODO: Chnage variable name from export as that is a std command
-
 # If selected, export the contents of /etc/shadow
 export_bsd_shadow_file() {
 local contents
@@ -203,6 +200,8 @@ find_uid0_accounts() {
 else
 printf "%s[-] Could not read /etc/passwd%s\n\n" "${purple}" "${default}"
 fi
+
+ return 0
 }
 #pull out vital sudoers info
@@ -213,17 +212,18 @@ print_sudoers_config() {
 printf "%s[-] Sudoers configuration (condensed):%s\n\n" "${cyan}" "${default}"
 printf "%s\n" "${sudoers_config}"
- # TODO pass in the data, instead of recalling the function
+ # BUG pass in the data, instead of recalling the function
 export_sudoers_config
 else
 printf "%s[-] Could not read /etc/sudoers%s\n\n" "${purple}" "${default}"
 fi
+
+ return 0
 }
 # TODO: Change $format to $location
 # TODO: Chnage variable name from export as that is a std command
-
 # If selected, export the contents of /etc/shadow
 export_sudoers_config() {
 local contents
From 6d973b9a98aa2348605b6056b7e36d3db57b2149 Mon Sep 17 00:00:00 2001
From: Matt Jones
Date: Wed, 19 Jan 2022 08:02:21 -0500
Subject: [PATCH 10/10] move cleanup
---
 .gitignore | 0
 CHANGELOG.md | 0
 CONTRIBUTORS.md | 0
 LICENSE | 0
 README.md | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 .gitignore
 mode change 100644 => 100755 CHANGELOG.md
 mode change 100644 => 100755 CONTRIBUTORS.md
 mode change 100644 => 100755 LICENSE
 mode change 100644 => 100755 README.md
diff --git a/.gitignore b/.gitignore
old mode 100644
new mode 100755 
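Review bot: The unconditional `return 0` appended to find_uid0_accounts in the `@@ -203` hunk reports success even when the function has just printed "Could not read /etc/passwd", so a caller cannot tell the two outcomes apart; the `@@ -213` hunk does the same for print_sudoers_config. Keep `return 0` on the success path and end the else branch with `return 1` right after the `printf "%s[-] Could not read /etc/passwd%s\n\n" "${purple}" "${default}"` line (and likewise after the sudoers message), unless callers are known to depend on a zero status. Both functions start outside their hunks. In the `@@ -213` hunk the comment `# If selected, export the contents of /etc/shadow` above export_sudoers_config appears copied from the shadow exporter and should read `# If selected, export the contents of /etc/sudoers`; the `Chnage` typo fixed in the `@@ -88` hunk also survives in the `@@ -130`, `@@ -175` and `@@ -213` hunks.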
diff --git a/CHANGELOG.md b/CHANGELOG.md
old mode 100644
new mode 100755
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
old mode 100644
new mode 100755
diff --git a/LICENSE b/LICENSE
old mode 100644
new mode 100755
diff --git a/README.md b/README.md
old mode 100644
new mode 100755
