|
@@ -0,0 +1,1340 @@
|
|
|
|
+#!/bin/bash
|
|
|
|
+#A script to enumerate local information from a Linux host
|
|
|
|
+version="version 0.98"
|
|
|
|
+#@rebootuser
|
|
|
|
+
|
|
|
|
+#help function
|
|
|
|
+usage ()
|
|
|
|
+{
|
|
|
|
+echo -e "\n\e[00;31m#########################################################\e[00m"
|
|
|
|
+echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m"
|
|
|
|
+echo -e "\e[00;31m#########################################################\e[00m"
|
|
|
|
+echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m"
|
|
|
|
+echo -e "\e[00;33m# $version\e[00m\n"
|
|
|
|
+echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[00m\n"
|
|
|
|
+
|
|
|
|
+ echo "OPTIONS:"
|
|
|
|
+ echo "-k Enter keyword"
|
|
|
|
+ echo "-e Enter export location"
|
|
|
|
+ echo "-s Supply user password for sudo checks (INSECURE)"
|
|
|
|
+ echo "-t Include thorough (lengthy) tests"
|
|
|
|
+ echo "-r Enter report name"
|
|
|
|
+ echo "-h Displays this help text"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ echo "Running with no options = limited scans/no output file"
|
|
|
|
+
|
|
|
|
+echo -e "\e[00;31m#########################################################\e[00m"
|
|
|
|
+}
|
|
|
|
+header()
|
|
|
|
+{
|
|
|
|
+echo -e "\n\e[00;31m#########################################################\e[00m"
|
|
|
|
+echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m"
|
|
|
|
+echo -e "\e[00;31m#########################################################\e[00m"
|
|
|
|
+echo -e "\e[00;33m# www.rebootuser.com\e[00m"
|
|
|
|
+echo -e "\e[00;33m# $version\e[00m\n"
|
|
|
|
+
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+debug_info()
|
|
|
|
+{
|
|
|
|
+echo "[-] Debug Info"
|
|
|
|
+
|
|
|
|
+if [ "$keyword" ]; then
|
|
|
|
+ echo "[+] Searching for the keyword $keyword in conf, php, ini and log files"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$report" ]; then
|
|
|
|
+ echo "[+] Report name = $report"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ]; then
|
|
|
|
+ echo "[+] Export location = $export"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$thorough" ]; then
|
|
|
|
+ echo "[+] Thorough tests = Enabled"
|
|
|
|
+else
|
|
|
|
+ echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+sleep 2
|
|
|
|
+
|
|
|
|
+if [ "$export" ]; then
|
|
|
|
+ mkdir $export 2>/dev/null
|
|
|
|
+ format=$export/LinEnum-export-`date +"%d-%m-%y"`
|
|
|
|
+ mkdir $format 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$sudopass" ]; then
|
|
|
|
+ echo -e "\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\e[00m"
|
|
|
|
+ read -s userpassword
|
|
|
|
+ echo
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+who=`whoami` 2>/dev/null
|
|
|
|
+echo -e "\n"
|
|
|
|
+
|
|
|
|
+echo -e "\e[00;33mScan started at:"; date
|
|
|
|
+echo -e "\e[00m\n"
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+# useful binaries (thanks to https://gtfobins.github.io/)
|
|
|
|
+binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh'
|
|
|
|
+
|
|
|
|
+system_info()
|
|
|
|
+{
|
|
|
|
+echo -e "\e[00;33m### SYSTEM ##############################################\e[00m"
|
|
|
|
+
|
|
|
|
+#basic kernel info
|
|
|
|
+unameinfo=`uname -a 2>/dev/null`
|
|
|
|
+if [ "$unameinfo" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+procver=`cat /proc/version 2>/dev/null`
|
|
|
|
+if [ "$procver" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#search all *-release files for version info
|
|
|
|
+release=`cat /etc/*-release 2>/dev/null`
|
|
|
|
+if [ "$release" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#target hostname info
|
|
|
|
+hostnamed=`hostname 2>/dev/null`
|
|
|
|
+if [ "$hostnamed" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+user_info()
|
|
|
|
+{
|
|
|
|
+echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m"
|
|
|
|
+
|
|
|
|
+#current user details
|
|
|
|
+currusr=`id 2>/dev/null`
|
|
|
|
+if [ "$currusr" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#last logged on user information
|
|
|
|
+lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null`
|
|
|
|
+if [ "$lastlogedonusrs" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#who else is logged on
|
|
|
|
+loggedonusrs=`w 2>/dev/null`
|
|
|
|
+if [ "$loggedonusrs" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#lists all id's and respective group(s)
|
|
|
|
+grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null`
|
|
|
|
+if [ "$grpinfo" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#added by phackt - look for adm group (thanks patrick)
|
|
|
|
+adm_users=$(echo -e "$grpinfo" | grep "(adm)")
|
|
|
|
+if [[ ! -z $adm_users ]];
|
|
|
|
+ then
|
|
|
|
+ echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method)
|
|
|
|
+hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`
|
|
|
|
+if [ "$hashesinpasswd" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#contents of /etc/passwd
|
|
|
|
+readpasswd=`cat /etc/passwd 2>/dev/null`
|
|
|
|
+if [ "$readpasswd" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$readpasswd" ]; then
|
|
|
|
+ mkdir $format/etc-export/ 2>/dev/null
|
|
|
|
+ cp /etc/passwd $format/etc-export/passwd 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#checks to see if the shadow file can be read
|
|
|
|
+readshadow=`cat /etc/shadow 2>/dev/null`
|
|
|
|
+if [ "$readshadow" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$readshadow" ]; then
|
|
|
|
+ mkdir $format/etc-export/ 2>/dev/null
|
|
|
|
+ cp /etc/shadow $format/etc-export/shadow 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#checks to see if /etc/master.passwd can be read - BSD 'shadow' variant
|
|
|
|
+readmasterpasswd=`cat /etc/master.passwd 2>/dev/null`
|
|
|
|
+if [ "$readmasterpasswd" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$readmasterpasswd" ]; then
|
|
|
|
+ mkdir $format/etc-export/ 2>/dev/null
|
|
|
|
+ cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#all root accounts (uid 0)
|
|
|
|
+superman=`grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null`
|
|
|
|
+if [ "$superman" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#pull out vital sudoers info
|
|
|
|
+sudoers=`grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null`
|
|
|
|
+if [ "$sudoers" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Sudoers configuration (condensed):\e[00m$sudoers"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$sudoers" ]; then
|
|
|
|
+ mkdir $format/etc-export/ 2>/dev/null
|
|
|
|
+ cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#can we sudo without supplying a password
|
|
|
|
+sudoperms=`echo '' | sudo -S -l -k 2>/dev/null`
|
|
|
|
+if [ "$sudoperms" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#check sudo perms - authenticated
|
|
|
|
+if [ "$sudopass" ]; then
|
|
|
|
+ if [ "$sudoperms" ]; then
|
|
|
|
+ :
|
|
|
|
+ else
|
|
|
|
+ sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null`
|
|
|
|
+ if [ "$sudoauth" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated
|
|
|
|
+if [ "$sudopass" ]; then
|
|
|
|
+ if [ "$sudoperms" ]; then
|
|
|
|
+ :
|
|
|
|
+ else
|
|
|
|
+ sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
|
|
|
|
+ if [ "$sudopermscheck" ]; then
|
|
|
|
+ echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)
|
|
|
|
+sudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
|
|
|
|
+if [ "$sudopwnage" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#who has sudoed in the past
|
|
|
|
+whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null`
|
|
|
|
+if [ "$whohasbeensudo" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#checks to see if roots home directory is accessible
|
|
|
|
+rthmdir=`ls -ahl /root/ 2>/dev/null`
|
|
|
|
+if [ "$rthmdir" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#displays /home directory permissions - check if any are lax
|
|
|
|
+homedirperms=`ls -ahl /home/ 2>/dev/null`
|
|
|
|
+if [ "$homedirperms" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#looks for files we can write to that don't belong to us
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+ grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
|
|
|
|
+ if [ "$grfilesall" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#looks for files that belong to us
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+ ourfilesall=`find / -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
|
|
|
|
+ if [ "$ourfilesall" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#looks for hidden files
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+ hiddenfiles=`find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
|
|
|
|
+ if [ "$hiddenfiles" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null`
|
|
|
|
+ if [ "$wrfileshm" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+ if [ "$export" ] && [ "$wrfileshm" ]; then
|
|
|
|
+ mkdir $format/wr-files/ 2>/dev/null
|
|
|
|
+ for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#lists current user's home directory contents
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+homedircontents=`ls -ahl ~ 2>/dev/null`
|
|
|
|
+ if [ "$homedircontents" ] ; then
|
|
|
|
+ echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;`
|
|
|
|
+ if [ "$sshfiles" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+ if [ "$export" ] && [ "$sshfiles" ]; then
|
|
|
|
+ mkdir $format/ssh-files/ 2>/dev/null
|
|
|
|
+ for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#is root permitted to login via ssh
|
|
|
|
+sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'`
|
|
|
|
+if [ "$sshrootlogin" = "yes" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+environmental_info()
|
|
|
|
+{
|
|
|
|
+echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m"
|
|
|
|
+
|
|
|
|
+#env information
|
|
|
|
+envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null`
|
|
|
|
+if [ "$envinfo" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#check if selinux is enabled
|
|
|
|
+sestatus=`sestatus 2>/dev/null`
|
|
|
|
+if [ "$sestatus" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#phackt
|
|
|
|
+
|
|
|
|
+#current path configuration
|
|
|
|
+pathinfo=`echo $PATH 2>/dev/null`
|
|
|
|
+if [ "$pathinfo" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#lists available shells
|
|
|
|
+shellinfo=`cat /etc/shells 2>/dev/null`
|
|
|
|
+if [ "$shellinfo" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#current umask value with both octal and symbolic output
|
|
|
|
+umaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null`
|
|
|
|
+if [ "$umaskvalue" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#umask value as in /etc/login.defs
|
|
|
|
+umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null`
|
|
|
|
+if [ "$umaskdef" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#password policy information as stored in /etc/login.defs
|
|
|
|
+logindefs=`grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null`
|
|
|
|
+if [ "$logindefs" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$logindefs" ]; then
|
|
|
|
+ mkdir $format/etc-export/ 2>/dev/null
|
|
|
|
+ cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+job_info()
|
|
|
|
+{
|
|
|
|
+echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m"
|
|
|
|
+
|
|
|
|
+#are there any cron jobs configured
|
|
|
|
+cronjobs=`ls -la /etc/cron* 2>/dev/null`
|
|
|
|
+if [ "$cronjobs" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#can we manipulate these jobs in any way
|
|
|
|
+cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
|
|
|
|
+if [ "$cronjobwwperms" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#contab contents
|
|
|
|
+crontabvalue=`cat /etc/crontab 2>/dev/null`
|
|
|
|
+if [ "$crontabvalue" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null`
|
|
|
|
+if [ "$crontabvar" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null`
|
|
|
|
+if [ "$anacronjobs" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+anacrontab=`ls -la /var/spool/anacron 2>/dev/null`
|
|
|
|
+if [ "$anacrontab" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command)
|
|
|
|
+cronother=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null`
|
|
|
|
+if [ "$cronother" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+# list systemd timers
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+ # include inactive timers in thorough mode
|
|
|
|
+ systemdtimers="$(systemctl list-timers --all 2>/dev/null)"
|
|
|
|
+ info=""
|
|
|
|
+else
|
|
|
|
+ systemdtimers="$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)"
|
|
|
|
+ # replace the info in the output with a hint towards thorough mode
|
|
|
|
+ info="\e[2mEnable thorough tests to see inactive timers\e[00m"
|
|
|
|
+fi
|
|
|
|
+if [ "$systemdtimers" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+networking_info()
|
|
|
|
+{
|
|
|
|
+echo -e "\e[00;33m### NETWORKING ##########################################\e[00m"
|
|
|
|
+
|
|
|
|
+#nic information
|
|
|
|
+nicinfo=`/sbin/ifconfig -a 2>/dev/null`
|
|
|
|
+if [ "$nicinfo" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#nic information (using ip)
|
|
|
|
+nicinfoip=`/sbin/ip a 2>/dev/null`
|
|
|
|
+if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+arpinfo=`arp -a 2>/dev/null`
|
|
|
|
+if [ "$arpinfo" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+arpinfoip=`ip n 2>/dev/null`
|
|
|
|
+if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#dns settings
|
|
|
|
+nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null`
|
|
|
|
+if [ "$nsinfo" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+nsinfosysd=`systemd-resolve --status 2>/dev/null`
|
|
|
|
+if [ "$nsinfosysd" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#default route configuration
|
|
|
|
+defroute=`route 2>/dev/null | grep default`
|
|
|
|
+if [ "$defroute" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#default route configuration
|
|
|
|
+defrouteip=`ip r 2>/dev/null | grep default`
|
|
|
|
+if [ ! "$defroute" ] && [ "$defrouteip" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#listening TCP
|
|
|
|
+tcpservs=`netstat -ntpl 2>/dev/null`
|
|
|
|
+if [ "$tcpservs" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+tcpservsip=`ss -t -l -n 2>/dev/null`
|
|
|
|
+if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#listening UDP
|
|
|
|
+udpservs=`netstat -nupl 2>/dev/null`
|
|
|
|
+if [ "$udpservs" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+udpservsip=`ss -u -l -n 2>/dev/null`
|
|
|
|
+if [ ! "$udpservs" ] && [ "$udpservsip" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+services_info()
|
|
|
|
+{
|
|
|
|
+echo -e "\e[00;33m### SERVICES #############################################\e[00m"
|
|
|
|
+
|
|
|
|
+#running processes
|
|
|
|
+psaux=`ps aux 2>/dev/null`
|
|
|
|
+if [ "$psaux" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#lookup process binary path and permissisons
|
|
|
|
+procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null`
|
|
|
|
+if [ "$procperm" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$procperm" ]; then
|
|
|
|
+procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null`
|
|
|
|
+ mkdir $format/ps-export/ 2>/dev/null
|
|
|
|
+ for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#anything 'useful' in inetd.conf
|
|
|
|
+inetdread=`cat /etc/inetd.conf 2>/dev/null`
|
|
|
|
+if [ "$inetdread" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$inetdread" ]; then
|
|
|
|
+ mkdir $format/etc-export/ 2>/dev/null
|
|
|
|
+ cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each
|
|
|
|
+inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
|
|
|
|
+if [ "$inetdbinperms" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+xinetdread=`cat /etc/xinetd.conf 2>/dev/null`
|
|
|
|
+if [ "$xinetdread" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$xinetdread" ]; then
|
|
|
|
+ mkdir $format/etc-export/ 2>/dev/null
|
|
|
|
+ cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null`
|
|
|
|
+if [ "$xinetdincd" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each
|
|
|
|
+xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
|
|
|
|
+if [ "$xinetdbinperms" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+initdread=`ls -la /etc/init.d 2>/dev/null`
|
|
|
|
+if [ "$initdread" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#init.d files NOT belonging to root!
|
|
|
|
+initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
|
|
|
|
+if [ "$initdperms" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null`
|
|
|
|
+if [ "$rcdread" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#init.d files NOT belonging to root!
|
|
|
|
+rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
|
|
|
|
+if [ "$rcdperms" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null`
|
|
|
|
+if [ "$usrrcdread" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#rc.d files NOT belonging to root!
|
|
|
|
+usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
|
|
|
|
+if [ "$usrrcdperms" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+initread=`ls -la /etc/init/ 2>/dev/null`
|
|
|
|
+if [ "$initread" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+# upstart scripts not belonging to root
|
|
|
|
+initperms=`find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
|
|
|
|
+if [ "$initperms" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+systemdread=`ls -lthR /lib/systemd/ 2>/dev/null`
|
|
|
|
+if [ "$systemdread" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+# systemd files not belonging to root
|
|
|
|
+systemdperms=`find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
|
|
|
|
+if [ "$systemdperms" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+software_configs()
|
|
|
|
+{
|
|
|
|
+echo -e "\e[00;33m### SOFTWARE #############################################\e[00m"
|
|
|
|
+
|
|
|
|
+#sudo version - check to see if there are any known vulnerabilities with this
|
|
|
|
+sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null`
|
|
|
|
+if [ "$sudover" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#mysql details - if installed
|
|
|
|
+mysqlver=`mysql --version 2>/dev/null`
|
|
|
|
+if [ "$mysqlver" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#checks to see if root/root will get us a connection
|
|
|
|
+mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null`
|
|
|
|
+if [ "$mysqlconnect" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#mysql version details
|
|
|
|
+mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null`
|
|
|
|
+if [ "$mysqlconnectnopass" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#postgres details - if installed
|
|
|
|
+postgver=`psql -V 2>/dev/null`
|
|
|
|
+if [ "$postgver" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
|
|
|
|
+postcon1=`psql -U postgres template0 -c 'select version()' 2>/dev/null | grep version`
|
|
|
|
+if [ "$postcon1" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+postcon11=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`
|
|
|
|
+if [ "$postcon11" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+postcon2=`psql -U pgsql template0 -c 'select version()' 2>/dev/null | grep version`
|
|
|
|
+if [ "$postcon2" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+postcon22=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`
|
|
|
|
+if [ "$postcon22" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#apache details - if installed
|
|
|
|
+apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null`
|
|
|
|
+if [ "$apachever" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#what account is apache running under
|
|
|
|
+apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null`
|
|
|
|
+if [ "$apacheusr" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$apacheusr" ]; then
|
|
|
|
+ mkdir --parents $format/etc-export/apache2/ 2>/dev/null
|
|
|
|
+ cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#installed apache modules
|
|
|
|
+apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null`
|
|
|
|
+if [ "$apachemodules" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#htpasswd check
|
|
|
|
+htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null`
|
|
|
|
+if [ "$htpasswd" ]; then
|
|
|
|
+ echo -e "\e[00;33m[-] htpasswd found - could contain passwords:\e[00m\n$htpasswd"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#anything in the default http home dirs (a thorough only check as output can be large)
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+ apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null`
|
|
|
|
+ if [ "$apachehomedirs" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+interesting_files()
|
|
|
|
+{
|
|
|
|
+echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m"
|
|
|
|
+
|
|
|
|
+#checks to see if various files are installed
|
|
|
|
+echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null
|
|
|
|
+echo -e "\n"
|
|
|
|
+
|
|
|
|
+#limited search for installed compilers
|
|
|
|
+compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null`
|
|
|
|
+if [ "$compiler" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#manual check - lists out sensitive files, can we read/modify etc.
|
|
|
|
+echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null
|
|
|
|
+echo -e "\n"
|
|
|
|
+
|
|
|
|
+#search for suid files
|
|
|
|
+findsuid=`find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;`
|
|
|
|
+if [ "$findsuid" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$findsuid" ]; then
|
|
|
|
+ mkdir $format/suid-files/ 2>/dev/null
|
|
|
|
+ for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#list of 'interesting' suid files - feel free to make additions
|
|
|
|
+intsuid=`find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
|
|
|
|
+if [ "$intsuid" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#lists word-writable suid files
|
|
|
|
+wwsuid=`find / -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
|
|
|
|
+if [ "$wwsuid" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#lists world-writable suid files owned by root
|
|
|
|
+wwsuidrt=`find / -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
|
|
|
|
+if [ "$wwsuidrt" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#search for sgid files
|
|
|
|
+findsgid=`find / -perm -2000 -type f -exec ls -la {} 2>/dev/null \;`
|
|
|
|
+if [ "$findsgid" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$findsgid" ]; then
|
|
|
|
+ mkdir $format/sgid-files/ 2>/dev/null
|
|
|
|
+ for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#list of 'interesting' sgid files
|
|
|
|
+intsgid=`find / -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
|
|
|
|
+if [ "$intsgid" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#lists world-writable sgid files
|
|
|
|
+wwsgid=`find / -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
|
|
|
|
+if [ "$wwsgid" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#lists world-writable sgid files owned by root
|
|
|
|
+wwsgidrt=`find / -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
|
|
|
|
+if [ "$wwsgidrt" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#list all files with POSIX capabilities set along with there capabilities
|
|
|
|
+fileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null`
|
|
|
|
+if [ "$fileswithcaps" ]; then
|
|
|
|
+ echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$fileswithcaps" ]; then
|
|
|
|
+ mkdir $format/files_with_capabilities/ 2>/dev/null
|
|
|
|
+ for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#searches /etc/security/capability.conf for users associated capapilies
|
|
|
|
+userswithcaps=`grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null`
|
|
|
|
+if [ "$userswithcaps" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$userswithcaps" ] ; then
|
|
|
|
+#matches the capabilities found associated with users with the current user
|
|
|
|
+matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null`
|
|
|
|
+ if [ "$matchedcaps" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ #matches the files with capapbilities with capabilities associated with the current user
|
|
|
|
+ matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null`
|
|
|
|
+ if [ "$matchedfiles" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ #lists the permissions of the files having the same capabilies associated with the current user
|
|
|
|
+ matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null`
|
|
|
|
+ echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ if [ "$matchedfilesperms" ]; then
|
|
|
|
+ #checks if any of the files with same capabilities associated with the current user is writable
|
|
|
|
+ writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null`
|
|
|
|
+ if [ "$writablematchedfiles" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+ fi
|
|
|
|
+ fi
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#look for private keys - thanks djhohnstein
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+privatekeyfiles=`grep -rl "PRIVATE KEY-----" /home 2>/dev/null`
|
|
|
|
+ if [ "$privatekeyfiles" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#look for AWS keys - thanks djhohnstein
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+awskeyfiles=`grep -rli "aws_secret_access_key" /home 2>/dev/null`
|
|
|
|
+ if [ "$awskeyfiles" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#look for git credential files - thanks djhohnstein
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+gitcredfiles=`find / -name ".git-credentials" 2>/dev/null`
|
|
|
|
+ if [ "$gitcredfiles" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#list all world-writable files excluding /proc and /sys
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;`
|
|
|
|
+ if [ "$wwfiles" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+ if [ "$export" ] && [ "$wwfiles" ]; then
|
|
|
|
+ mkdir $format/ww-files/ 2>/dev/null
|
|
|
|
+ for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#are any .plan files accessible in /home (could contain useful information)
|
|
|
|
+usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
|
|
|
|
+if [ "$usrplan" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$usrplan" ]; then
|
|
|
|
+ mkdir $format/plan_files/ 2>/dev/null
|
|
|
|
+ for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
|
|
|
|
+if [ "$bsdusrplan" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$bsdusrplan" ]; then
|
|
|
|
+ mkdir $format/plan_files/ 2>/dev/null
|
|
|
|
+ for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#are there any .rhosts files accessible - these may allow us to login as another user etc.
|
|
|
|
+rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
|
|
|
|
+if [ "$rhostsusr" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$rhostsusr" ]; then
|
|
|
|
+ mkdir $format/rhosts/ 2>/dev/null
|
|
|
|
+ for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
|
|
|
|
+if [ "$bsdrhostsusr" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$bsdrhostsusr" ]; then
|
|
|
|
+ mkdir $format/rhosts 2>/dev/null
|
|
|
|
+ for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
|
|
|
|
+if [ "$rhostssys" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$rhostssys" ]; then
|
|
|
|
+ mkdir $format/rhosts/ 2>/dev/null
|
|
|
|
+ for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#list nfs shares/permisisons etc.
|
|
|
|
+nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null`
|
|
|
|
+if [ "$nfsexports" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$nfsexports" ]; then
|
|
|
|
+ mkdir $format/etc-export/ 2>/dev/null
|
|
|
|
+ cp /etc/exports $format/etc-export/exports 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$thorough" = "1" ]; then
|
|
|
|
+ #phackt
|
|
|
|
+ #displaying /etc/fstab
|
|
|
|
+ fstab=`cat /etc/fstab 2>/dev/null`
|
|
|
|
+ if [ "$fstab" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[00m"
|
|
|
|
+ echo -e "$fstab"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#looking for credentials in /etc/fstab
|
|
|
|
+fstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null`
|
|
|
|
+if [ "$fstab" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$fstab" ]; then
|
|
|
|
+ mkdir $format/etc-exports/ 2>/dev/null
|
|
|
|
+ cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null`
|
|
|
|
+if [ "$fstabcred" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$fstabcred" ]; then
|
|
|
|
+ mkdir $format/etc-exports/ 2>/dev/null
|
|
|
|
+ cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located
|
|
|
|
+if [ "$keyword" = "" ]; then
|
|
|
|
+ echo -e "[-] Can't search *.conf files as no keyword was entered\n"
|
|
|
|
+ else
|
|
|
|
+ confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
|
|
|
|
+ if [ "$confkey" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ else
|
|
|
|
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m"
|
|
|
|
+ echo -e "'$keyword' not found in any .conf files"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$keyword" = "" ]; then
|
|
|
|
+ :
|
|
|
|
+ else
|
|
|
|
+ if [ "$export" ] && [ "$confkey" ]; then
|
|
|
|
+ confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
|
|
|
|
+ mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null
|
|
|
|
+ for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located
|
|
|
|
+if [ "$keyword" = "" ]; then
|
|
|
|
+ echo -e "[-] Can't search *.php files as no keyword was entered\n"
|
|
|
|
+ else
|
|
|
|
+ phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
|
|
|
|
+ if [ "$phpkey" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ else
|
|
|
|
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m"
|
|
|
|
+ echo -e "'$keyword' not found in any .php files"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$keyword" = "" ]; then
|
|
|
|
+ :
|
|
|
|
+ else
|
|
|
|
+ if [ "$export" ] && [ "$phpkey" ]; then
|
|
|
|
+ phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
|
|
|
|
+ mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null
|
|
|
|
+ for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 2>/dev/null
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located
|
|
|
|
+if [ "$keyword" = "" ];then
|
|
|
|
+ echo -e "[-] Can't search *.log files as no keyword was entered\n"
|
|
|
|
+ else
|
|
|
|
+ logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
|
|
|
|
+ if [ "$logkey" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ else
|
|
|
|
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m"
|
|
|
|
+ echo -e "'$keyword' not found in any .log files"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$keyword" = "" ];then
|
|
|
|
+ :
|
|
|
|
+ else
|
|
|
|
+ if [ "$export" ] && [ "$logkey" ]; then
|
|
|
|
+ logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
|
|
|
|
+ mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null
|
|
|
|
+ for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located
|
|
|
|
+if [ "$keyword" = "" ];then
|
|
|
|
+ echo -e "[-] Can't search *.ini files as no keyword was entered\n"
|
|
|
|
+ else
|
|
|
|
+ inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
|
|
|
|
+ if [ "$inikey" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ else
|
|
|
|
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m"
|
|
|
|
+ echo -e "'$keyword' not found in any .ini files"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$keyword" = "" ];then
|
|
|
|
+ :
|
|
|
|
+ else
|
|
|
|
+ if [ "$export" ] && [ "$inikey" ]; then
|
|
|
|
+ inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
|
|
|
|
+ mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null
|
|
|
|
+ for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#quick extract of .conf files from /etc - only 1 level
|
|
|
|
+allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null`
|
|
|
|
+if [ "$allconf" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$allconf" ]; then
|
|
|
|
+ mkdir $format/conf-files/ 2>/dev/null
|
|
|
|
+ for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#extract any user history files that are accessible
|
|
|
|
+usrhist=`ls -la ~/.*_history 2>/dev/null`
|
|
|
|
+if [ "$usrhist" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$usrhist" ]; then
|
|
|
|
+ mkdir $format/history_files/ 2>/dev/null
|
|
|
|
+ for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#can we read roots *_history files - could be passwords stored etc.
|
|
|
|
+roothist=`ls -la /root/.*_history 2>/dev/null`
|
|
|
|
+if [ "$roothist" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$roothist" ]; then
|
|
|
|
+ mkdir $format/history_files/ 2>/dev/null
|
|
|
|
+ cp $roothist $format/history_files/ 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#all accessible .bash_history files in /home
|
|
|
|
+checkbashhist=`find /home -name .bash_history -print -exec cat {} 2>/dev/null \;`
|
|
|
|
+if [ "$checkbashhist" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history file(s):\e[00m\n$checkbashhist"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#is there any mail accessible
|
|
|
|
+readmail=`ls -la /var/mail 2>/dev/null`
|
|
|
|
+if [ "$readmail" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#can we read roots mail
|
|
|
|
+readmailroot=`head /var/mail/root 2>/dev/null`
|
|
|
|
+if [ "$readmailroot" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if [ "$export" ] && [ "$readmailroot" ]; then
|
|
|
|
+ mkdir $format/mail-from-root/ 2>/dev/null
|
|
|
|
+ cp $readmailroot $format/mail-from-root/ 2>/dev/null
|
|
|
|
+fi
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+docker_checks()
|
|
|
|
+{
|
|
|
|
+
|
|
|
|
+#specific checks - check to see if we're in a docker container
|
|
|
|
+dockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`
|
|
|
|
+if [ "$dockercontainer" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#specific checks - check to see if we're a docker host
|
|
|
|
+dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null`
|
|
|
|
+if [ "$dockerhost" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#specific checks - are we a member of the docker group
|
|
|
|
+dockergrp=`id | grep -i docker 2>/dev/null`
|
|
|
|
+if [ "$dockergrp" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#specific checks - are there any docker files present
|
|
|
|
+dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \;`
|
|
|
|
+if [ "$dockerfiles" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#specific checks - are there any docker files present
|
|
|
|
+dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;`
|
|
|
|
+if [ "$dockeryml" ]; then
|
|
|
|
+ echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+lxc_container_checks()
|
|
|
|
+{
|
|
|
|
+
|
|
|
|
+#specific checks - are we in an lxd/lxc container
|
|
|
|
+lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`
|
|
|
|
+if [ "$lxccontainer" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+#specific checks - are we a member of the lxd group
|
|
|
|
+lxdgroup=`id | grep -i lxd 2>/dev/null`
|
|
|
|
+if [ "$lxdgroup" ]; then
|
|
|
|
+ echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup"
|
|
|
|
+ echo -e "\n"
|
|
|
|
+fi
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+footer()
|
|
|
|
+{
|
|
|
|
+echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m"
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+call_each()
|
|
|
|
+{
|
|
|
|
+ header
|
|
|
|
+ debug_info
|
|
|
|
+ system_info
|
|
|
|
+ user_info
|
|
|
|
+ environmental_info
|
|
|
|
+ job_info
|
|
|
|
+ networking_info
|
|
|
|
+ services_info
|
|
|
|
+ software_configs
|
|
|
|
+ interesting_files
|
|
|
|
+ docker_checks
|
|
|
|
+ lxc_container_checks
|
|
|
|
+ footer
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+while getopts "h:k:r:e:st" option; do
|
|
|
|
+ case "${option}" in
|
|
|
|
+ k) keyword=${OPTARG};;
|
|
|
|
+ r) report=${OPTARG}"-"`date +"%d-%m-%y"`;;
|
|
|
|
+ e) export=${OPTARG};;
|
|
|
|
+ s) sudopass=1;;
|
|
|
|
+ t) thorough=1;;
|
|
|
|
+ h) usage; exit;;
|
|
|
|
+ *) usage; exit;;
|
|
|
|
+ esac
|
|
|
|
+done
|
|
|
|
+
|
|
|
|
+call_each | tee -a $report 2> /dev/null
|
|
|
|
+#EndOfScript
|