[
  {
    "path": "CHANGELOG.md",
    "content": "# Changelog\n\nNote: Export functionality is currently in the experimental stage.\n\n## V0.982 (release 07-01-2020)\n* Improvements to script execution speed by @Jrhenderson11 (https://github.com/rebootuser/LinEnum/pull/45 & https://github.com/rebootuser/LinEnum/commit/13741ce79fd5627da64bcf6a04fea11829e91ec8)\n\n## V0.981 (release 21-11-2019)\n* List permissions on PATH directories to see if they are writable by @stealthcopter\n* Added checks for .bak files by @richardcurteis\n\n## V0.98 (18-10-19 & 20-11-19)\n* Added further useful binaries to list by @Anon-Exploiter\n* Fixes to psql password issue by @Disassembler0\n\n## V0.971 (11-09-19)\n* Added useful binaries to list by @Anon-Exploiter\n\n## V0.97 (release 09-07-2019)\n* Improvements to TCP/UDP socket output by @Hypnoze57\n\n## V0.96 (release 16-04-2019)\n* Fixes to SUID/SGID checks\n\n## V0.95 (release 24-01-2019)\nAdditions\n* Additional checks provided by @djhohnstein (https://github.com/djhohnstein/LinEnum/commit/bf4ce1ad3beb392cab5d388e364972373533c721#diff-679e8fbdcfe07231f5eda7a8b491511dR1350)\n* Searches /home for private key files\n* Searches /home for AWS keys\n* Searches / for git credential files \n\nModifications\n* SUID/SGID and capabilities checks moved from thorough to standard check\n* False positive ssh-agent fix \n* Output text/small code changes and clean-up\n\n## V0.9 (release 25-05-2018)\nAdditions\n* Sudo/SUID/SGID binary list expanded to include entries from https://gtfobins.github.io/\n* -s switch introduced. This allows you to supply the current user password for authenticated sudo 'checks'. 
Note: this is INSECURE and is really only for use in CTF environments\n\nModifications\n* Sudo/suid/guid searches modified & bug in sudo parsing (when multiple entries are separated by commas) fixed\n* Apache home dir output moved to thorough checks (due to extensive output)\n\n## V0.8 (release 12-04-2018)\nAdditions\n* Prints contents of users' .bash_history (if found)\n* Looks for users that have used sudo\n* Checks for htpasswd files\n* Lists hidden files\n* Further checks/output with regard to viewing files the user owns\n* Additional checks using newer ip commands\n* Added PHP search for keywords\n\nModifications\n* Code/commands cleaned\n* Added [+] and [-] to output, to aid in searching through the generated report\n\n## V0.7 (22-01-2018)\nAdditions\n* LX Container checks\n* Loaded Kernel Modules list\n* adm group listing\n* SELinux Presence\n\nModifications\n* Code optimization: everything is in functions, cat grep awk pair optimized.\n\n## V0.6 (release 12-05-2017)\nAdditions\n* ARP information added\n* Shows users currently logged onto the host\n* Added checks to show env information\n* Displays enabled Apache modules\n* Checks to see if we're in a Docker container\n* Checks to see if we're hosting Docker services\n\nModifications\n* Tweaked the SSH search as we were getting false negatives\n* Tweaked the searches used for SUID, GUID binaries\n* Fixed issues with some commands not, or incorrectly, redirecting to error\n\n## V0.5 (release 27-01-2014)\nAdditions\n* Interface tweaks including the following additional switches:\n** -e :export functionality\n** -r :generate report output\n** -t :perform thorough tests\n* Thorough tests include lengthy checks; if the -t switch is absent, a default 'quick' scan is performed\n* Export functionality copies 'interesting' files to a specified location for offline analysis\n* Checks added for inetd.conf binary ownership\n* Extracts password policy and hashing information from /etc/login.defs\n* Checks umask 
value\n\nModifications\n* Reporting functionality now has a dependency on 'tee'\n* Fixed/modified user/group scan\n* Tidied sudoer file extraction command\n\n## V0.4 (release 05-08-2013)\nAdditions\n* Added basic usage details to display on start-up\n* Added cron.deny/cron.allow checks\n\nModifications\n* Fixed printing of scan start date when output is saved to file\n* Tidied up output when output is saved to a file\n\n## V0.3 (release 30-08-2013)\nEdited by Nikhil Sreekumar (@roo7break)\nEnhancements\n* Support for multiple keywords for searching added (space separated)\n* Search for keywords optimised\n* Store output to file and pass search keywords from command line (e.g. ./LinEnum.sh output.txt \"password credential username\")\n\n## V0.2 (release 30-08-2013)\nAdditions\n* Date/time is displayed when the scan is started\n* Checks for world-readable files in /home and displays positive matches\n* Apache user config (user/group) details displayed (if applicable)\n* Details all members of our users' current groups\n* Lists available shells\n* Performs basic SSH checks (i.e. what can be read/where is it stored and associated permissions)\n* Locates and lists password hashes that may be found in /etc/passwd on old setups (big thanks to www.pentestmonkey.net)\n* Locates credentials file and username/passwords in /etc/fstab\n\nModifications:\n* ifconfig command simplified so 'br' & 'em' interface details are also shown\n* Keyword search also includes *.ini files\n\n## V0.1 (release 19-08-2013)\n"
  },
  {
    "path": "CONTRIBUTORS.md",
    "content": "The following people have contributed to various features (list in no particular order):\n\n* @roo7break (http://roo7break.co.uk/) : added reporting functionality [added to version 3 (support discontinued in later versions).]\n* @Reboare : added lxc container checks\n* @phackt : added various checks (adm group, SELinux Presence, fstab)\n* @anantshri (http://anantshri.info) : code optimization, loaded kernel modules listing\n* @gedigi : fixed incorrect sudo NOPASSWD check\n* https://github.com/d78ui98 : code optimization\n* https://github.com/djhohnstein : added checks for private keys, AWS keys and git credential files\n* @3therk1ll : added checks for .bak files\n"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2018 Rebootuser\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "LinEnum.sh",
    "content": "#!/bin/bash\n#A script to enumerate local information from a Linux host\nversion=\"version 0.982\"\n#@rebootuser\n\n#help function\nusage () \n{ \necho -e \"\\n\\e[00;31m#########################################################\\e[00m\" \necho -e \"\\e[00;31m#\\e[00m\" \"\\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\\e[00m\" \"\\e[00;31m#\\e[00m\"\necho -e \"\\e[00;31m#########################################################\\e[00m\"\necho -e \"\\e[00;33m# www.rebootuser.com | @rebootuser \\e[00m\"\necho -e \"\\e[00;33m# $version\\e[00m\\n\"\necho -e \"\\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \\e[00m\\n\"\n\n\t\techo \"OPTIONS:\"\n\t\techo \"-k\tEnter keyword\"\n\t\techo \"-e\tEnter export location\"\n\t\techo \"-s \tSupply user password for sudo checks (INSECURE)\"\n\t\techo \"-t\tInclude thorough (lengthy) tests\"\n\t\techo \"-r\tEnter report name\" \n\t\techo \"-h\tDisplays this help text\"\n\t\techo -e \"\\n\"\n\t\techo \"Running with no options = limited scans/no output file\"\n\t\t\necho -e \"\\e[00;31m#########################################################\\e[00m\"\t\t\n}\nheader()\n{\necho -e \"\\n\\e[00;31m#########################################################\\e[00m\" \necho -e \"\\e[00;31m#\\e[00m\" \"\\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\\e[00m\" \"\\e[00;31m#\\e[00m\" \necho -e \"\\e[00;31m#########################################################\\e[00m\" \necho -e \"\\e[00;33m# www.rebootuser.com\\e[00m\" \necho -e \"\\e[00;33m# $version\\e[00m\\n\" \n\n}\n\ndebug_info()\n{\necho \"[-] Debug Info\" \n\nif [ \"$keyword\" ]; then \n\techo \"[+] Searching for the keyword $keyword in conf, php, ini and log files\" \nfi\n\nif [ \"$report\" ]; then \n\techo \"[+] Report name = $report\" \nfi\n\nif [ \"$export\" ]; then \n\techo \"[+] Export location = $export\" \nfi\n\nif [ \"$thorough\" ]; then \n\techo \"[+] Thorough tests = Enabled\" \nelse \n\techo -e 
\"\\e[00;33m[+] Thorough tests = Disabled\\e[00m\" \nfi\n\nsleep 2\n\nif [ \"$export\" ]; then\n  mkdir $export 2>/dev/null\n  format=$export/LinEnum-export-`date +\"%d-%m-%y\"`\n  mkdir $format 2>/dev/null\nfi\n\nif [ \"$sudopass\" ]; then \n  echo -e \"\\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\\e[00m\"\n  read -s userpassword\n  echo \nfi\n\nwho=`whoami` 2>/dev/null \necho -e \"\\n\" \n\necho -e \"\\e[00;33mScan started at:\"; date \necho -e \"\\e[00m\\n\" \n}\n\n# useful binaries (thanks to https://gtfobins.github.io/)\nbinarylist='aria2c\\|arp\\|ash\\|awk\\|base64\\|bash\\|busybox\\|cat\\|chmod\\|chown\\|cp\\|csh\\|curl\\|cut\\|dash\\|date\\|dd\\|diff\\|dmsetup\\|docker\\|ed\\|emacs\\|env\\|expand\\|expect\\|file\\|find\\|flock\\|fmt\\|fold\\|ftp\\|gawk\\|gdb\\|gimp\\|git\\|grep\\|head\\|ht\\|iftop\\|ionice\\|ip$\\|irb\\|jjs\\|jq\\|jrunscript\\|ksh\\|ld.so\\|ldconfig\\|less\\|logsave\\|lua\\|make\\|man\\|mawk\\|more\\|mv\\|mysql\\|nano\\|nawk\\|nc\\|netcat\\|nice\\|nl\\|nmap\\|node\\|od\\|openssl\\|perl\\|pg\\|php\\|pic\\|pico\\|python\\|readelf\\|rlwrap\\|rpm\\|rpmquery\\|rsync\\|ruby\\|run-parts\\|rvim\\|scp\\|script\\|sed\\|setarch\\|sftp\\|sh\\|shuf\\|socat\\|sort\\|sqlite3\\|ssh$\\|start-stop-daemon\\|stdbuf\\|strace\\|systemctl\\|tail\\|tar\\|taskset\\|tclsh\\|tee\\|telnet\\|tftp\\|time\\|timeout\\|ul\\|unexpand\\|uniq\\|unshare\\|vi\\|vim\\|watch\\|wget\\|wish\\|xargs\\|xxd\\|zip\\|zsh'\n\nsystem_info()\n{\necho -e \"\\e[00;33m### SYSTEM ##############################################\\e[00m\" \n\n#basic kernel info\nunameinfo=`uname -a 2>/dev/null`\nif [ \"$unameinfo\" ]; then\n  echo -e \"\\e[00;31m[-] Kernel information:\\e[00m\\n$unameinfo\" \n  echo -e \"\\n\" \nfi\n\nprocver=`cat /proc/version 2>/dev/null`\nif [ \"$procver\" ]; then\n  echo -e \"\\e[00;31m[-] Kernel information (continued):\\e[00m\\n$procver\" \n  echo -e \"\\n\" \nfi\n\n#search all *-release files for version info\nrelease=`cat /etc/*-release 
2>/dev/null`\nif [ \"$release\" ]; then\n  echo -e \"\\e[00;31m[-] Specific release information:\\e[00m\\n$release\" \n  echo -e \"\\n\" \nfi\n\n#target hostname info\nhostnamed=`hostname 2>/dev/null`\nif [ \"$hostnamed\" ]; then\n  echo -e \"\\e[00;31m[-] Hostname:\\e[00m\\n$hostnamed\" \n  echo -e \"\\n\" \nfi\n}\n\nuser_info()\n{\necho -e \"\\e[00;33m### USER/GROUP ##########################################\\e[00m\" \n\n#current user details\ncurrusr=`id 2>/dev/null`\nif [ \"$currusr\" ]; then\n  echo -e \"\\e[00;31m[-] Current user/group info:\\e[00m\\n$currusr\" \n  echo -e \"\\n\"\nfi\n\n#last logged on user information\nlastlogedonusrs=`lastlog 2>/dev/null |grep -v \"Never\" 2>/dev/null`\nif [ \"$lastlogedonusrs\" ]; then\n  echo -e \"\\e[00;31m[-] Users that have previously logged onto the system:\\e[00m\\n$lastlogedonusrs\" \n  echo -e \"\\n\" \nfi\n\n#who else is logged on\nloggedonusrs=`w 2>/dev/null`\nif [ \"$loggedonusrs\" ]; then\n  echo -e \"\\e[00;31m[-] Who else is logged on:\\e[00m\\n$loggedonusrs\" \n  echo -e \"\\n\"\nfi\n\n#lists all id's and respective group(s)\ngrpinfo=`for i in $(cut -d\":\" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null`\nif [ \"$grpinfo\" ]; then\n  echo -e \"\\e[00;31m[-] Group memberships:\\e[00m\\n$grpinfo\"\n  echo -e \"\\n\"\nfi\n\n#added by phackt - look for adm group (thanks patrick)\nadm_users=$(echo -e \"$grpinfo\" | grep \"(adm)\")\nif [[ ! 
-z $adm_users ]];\n  then\n    echo -e \"\\e[00;31m[-] It looks like we have some admin users:\\e[00m\\n$adm_users\"\n    echo -e \"\\n\"\nfi\n\n#checks to see if any hashes are stored in /etc/passwd (deprecated *nix storage method)\nhashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`\nif [ \"$hashesinpasswd\" ]; then\n  echo -e \"\\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\\e[00m\\n$hashesinpasswd\" \n  echo -e \"\\n\"\nfi\n\n#contents of /etc/passwd\nreadpasswd=`cat /etc/passwd 2>/dev/null`\nif [ \"$readpasswd\" ]; then\n  echo -e \"\\e[00;31m[-] Contents of /etc/passwd:\\e[00m\\n$readpasswd\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$readpasswd\" ]; then\n  mkdir $format/etc-export/ 2>/dev/null\n  cp /etc/passwd $format/etc-export/passwd 2>/dev/null\nfi\n\n#checks to see if the shadow file can be read\nreadshadow=`cat /etc/shadow 2>/dev/null`\nif [ \"$readshadow\" ]; then\n  echo -e \"\\e[00;33m[+] We can read the shadow file!\\e[00m\\n$readshadow\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$readshadow\" ]; then\n  mkdir $format/etc-export/ 2>/dev/null\n  cp /etc/shadow $format/etc-export/shadow 2>/dev/null\nfi\n\n#checks to see if /etc/master.passwd can be read - BSD 'shadow' variant\nreadmasterpasswd=`cat /etc/master.passwd 2>/dev/null`\nif [ \"$readmasterpasswd\" ]; then\n  echo -e \"\\e[00;33m[+] We can read the master.passwd file!\\e[00m\\n$readmasterpasswd\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$readmasterpasswd\" ]; then\n  mkdir $format/etc-export/ 2>/dev/null\n  cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null\nfi\n\n#all root accounts (uid 0)\nsuperman=`grep -v -E \"^#\" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null`\nif [ \"$superman\" ]; then\n  echo -e \"\\e[00;31m[-] Super user account(s):\\e[00m\\n$superman\"\n  echo -e \"\\n\"\nfi\n\n#pull out vital sudoers info\nsudoers=`grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v \"#\" 
2>/dev/null`\nif [ \"$sudoers\" ]; then\n  echo -e \"\\e[00;31m[-] Sudoers configuration (condensed):\\e[00m$sudoers\"\n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$sudoers\" ]; then\n  mkdir $format/etc-export/ 2>/dev/null\n  cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null\nfi\n\n#can we sudo without supplying a password\nsudoperms=`echo '' | sudo -S -l -k 2>/dev/null`\nif [ \"$sudoperms\" ]; then\n  echo -e \"\\e[00;33m[+] We can sudo without supplying a password!\\e[00m\\n$sudoperms\" \n  echo -e \"\\n\"\nfi\n\n#check sudo perms - authenticated\nif [ \"$sudopass\" ]; then\n    if [ \"$sudoperms\" ]; then\n      :\n    else\n      sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null`\n      if [ \"$sudoauth\" ]; then\n        echo -e \"\\e[00;33m[+] We can sudo when supplying a password!\\e[00m\\n$sudoauth\" \n        echo -e \"\\n\"\n      fi\n    fi\nfi\n\n##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated\nif [ \"$sudopass\" ]; then\n    if [ \"$sudoperms\" ]; then\n      :\n    else\n      sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`\n      if [ \"$sudopermscheck\" ]; then\n        echo -e \"\\e[00;33m[-] Possible sudo pwnage!\\e[00m\\n$sudopermscheck\" \n        echo -e \"\\n\"\n      fi\n    fi\nfi\n\n#known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)\nsudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`\nif [ \"$sudopwnage\" ]; then\n  echo -e \"\\e[00;33m[+] Possible sudo pwnage!\\e[00m\\n$sudopwnage\" \n  echo -e \"\\n\"\nfi\n\n#who has sudoed in the past\nwhohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null`\nif [ \"$whohasbeensudo\" ]; then\n  echo -e \"\\e[00;31m[-] Accounts that have recently used sudo:\\e[00m\\n$whohasbeensudo\" \n  
echo -e \"\\n\"\nfi\n\n#checks to see if roots home directory is accessible\nrthmdir=`ls -ahl /root/ 2>/dev/null`\nif [ \"$rthmdir\" ]; then\n  echo -e \"\\e[00;33m[+] We can read root's home directory!\\e[00m\\n$rthmdir\" \n  echo -e \"\\n\"\nfi\n\n#displays /home directory permissions - check if any are lax\nhomedirperms=`ls -ahl /home/ 2>/dev/null`\nif [ \"$homedirperms\" ]; then\n  echo -e \"\\e[00;31m[-] Are permissions on /home directories lax:\\e[00m\\n$homedirperms\" \n  echo -e \"\\n\"\nfi\n\n#looks for files we can write to that don't belong to us\nif [ \"$thorough\" = \"1\" ]; then\n  grfilesall=`find / -writable ! -user \\`whoami\\` -type f ! -path \"/proc/*\" ! -path \"/sys/*\" -exec ls -al {} \\; 2>/dev/null`\n  if [ \"$grfilesall\" ]; then\n    echo -e \"\\e[00;31m[-] Files not owned by user but writable by group:\\e[00m\\n$grfilesall\" \n    echo -e \"\\n\"\n  fi\nfi\n\n#looks for files that belong to us\nif [ \"$thorough\" = \"1\" ]; then\n  ourfilesall=`find / -user \\`whoami\\` -type f ! -path \"/proc/*\" ! -path \"/sys/*\" -exec ls -al {} \\; 2>/dev/null`\n  if [ \"$ourfilesall\" ]; then\n    echo -e \"\\e[00;31m[-] Files owned by our user:\\e[00m\\n$ourfilesall\"\n    echo -e \"\\n\"\n  fi\nfi\n\n#looks for hidden files\nif [ \"$thorough\" = \"1\" ]; then\n  hiddenfiles=`find / -name \".*\" -type f ! -path \"/proc/*\" ! 
-path \"/sys/*\" -exec ls -al {} \\; 2>/dev/null`\n  if [ \"$hiddenfiles\" ]; then\n    echo -e \"\\e[00;31m[-] Hidden files:\\e[00m\\n$hiddenfiles\"\n    echo -e \"\\n\"\n  fi\nfi\n\n#looks for world-readable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch\nif [ \"$thorough\" = \"1\" ]; then\nwrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \\; 2>/dev/null`\n\tif [ \"$wrfileshm\" ]; then\n\t\techo -e \"\\e[00;31m[-] World-readable files within /home:\\e[00m\\n$wrfileshm\" \n\t\techo -e \"\\n\"\n\tfi\nfi\n\nif [ \"$thorough\" = \"1\" ]; then\n\tif [ \"$export\" ] && [ \"$wrfileshm\" ]; then\n\t\tmkdir $format/wr-files/ 2>/dev/null\n\t\tfor i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null\n\tfi\nfi\n\n#lists current user's home directory contents\nif [ \"$thorough\" = \"1\" ]; then\nhomedircontents=`ls -ahl ~ 2>/dev/null`\n\tif [ \"$homedircontents\" ] ; then\n\t\techo -e \"\\e[00;31m[-] Home directory contents:\\e[00m\\n$homedircontents\" \n\t\techo -e \"\\n\" \n\tfi\nfi\n\n#checks if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch\nif [ \"$thorough\" = \"1\" ]; then\nsshfiles=`find / \\( -name \"id_dsa*\" -o -name \"id_rsa*\" -o -name \"known_hosts\" -o -name \"authorized_hosts\" -o -name \"authorized_keys\" \\) -exec ls -la {} 2>/dev/null \\;`\n\tif [ \"$sshfiles\" ]; then\n\t\techo -e \"\\e[00;31m[-] SSH keys/host information found in the following locations:\\e[00m\\n$sshfiles\" \n\t\techo -e \"\\n\"\n\tfi\nfi\n\nif [ \"$thorough\" = \"1\" ]; then\n\tif [ \"$export\" ] && [ \"$sshfiles\" ]; then\n\t\tmkdir $format/ssh-files/ 2>/dev/null\n\t\tfor i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null\n\tfi\nfi\n\n#is root permitted to login via ssh\nsshrootlogin=`grep \"PermitRootLogin \" /etc/ssh/sshd_config 2>/dev/null | grep -v \"#\" | awk '{print  
$2}'`\nif [ \"$sshrootlogin\" = \"yes\" ]; then\n  echo -e \"\\e[00;31m[-] Root is allowed to login via SSH:\\e[00m\" ; grep \"PermitRootLogin \" /etc/ssh/sshd_config 2>/dev/null | grep -v \"#\" \n  echo -e \"\\n\"\nfi\n}\n\nenvironmental_info()\n{\necho -e \"\\e[00;33m### ENVIRONMENTAL #######################################\\e[00m\" \n\n#env information\nenvinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null`\nif [ \"$envinfo\" ]; then\n  echo -e \"\\e[00;31m[-] Environment information:\\e[00m\\n$envinfo\" \n  echo -e \"\\n\"\nfi\n\n#check if selinux is enabled\nsestatus=`sestatus 2>/dev/null`\nif [ \"$sestatus\" ]; then\n  echo -e \"\\e[00;31m[-] SELinux seems to be present:\\e[00m\\n$sestatus\"\n  echo -e \"\\n\"\nfi\n\n#phackt\n\n#current path configuration (and permissions on each PATH directory)\npathinfo=`echo $PATH 2>/dev/null`\nif [ \"$pathinfo\" ]; then\n  pathswriteable=`ls -ld $(echo $PATH | tr \":\" \" \") 2>/dev/null`\n  echo -e \"\\e[00;31m[-] Path information:\\e[00m\\n$pathinfo\" \n  echo -e \"$pathswriteable\"\n  echo -e \"\\n\"\nfi\n\n#lists available shells\nshellinfo=`cat /etc/shells 2>/dev/null`\nif [ \"$shellinfo\" ]; then\n  echo -e \"\\e[00;31m[-] Available shells:\\e[00m\\n$shellinfo\" \n  echo -e \"\\n\"\nfi\n\n#current umask value with both octal and symbolic output (run sequentially, not backgrounded, so output order is stable)\numaskvalue=`umask -S 2>/dev/null; umask 2>/dev/null`\nif [ \"$umaskvalue\" ]; then\n  echo -e \"\\e[00;31m[-] Current umask value:\\e[00m\\n$umaskvalue\" \n  echo -e \"\\n\"\nfi\n\n#umask value as in /etc/login.defs\numaskdef=`grep -i \"^UMASK\" /etc/login.defs 2>/dev/null`\nif [ \"$umaskdef\" ]; then\n  echo -e \"\\e[00;31m[-] umask value as specified in /etc/login.defs:\\e[00m\\n$umaskdef\" \n  echo -e \"\\n\"\nfi\n\n#password policy information as stored in /etc/login.defs\nlogindefs=`grep \"^PASS_MAX_DAYS\\|^PASS_MIN_DAYS\\|^PASS_WARN_AGE\\|^ENCRYPT_METHOD\" /etc/login.defs 2>/dev/null`\nif [ \"$logindefs\" ]; then\n  echo -e \"\\e[00;31m[-] Password and storage information:\\e[00m\\n$logindefs\" \n  echo -e 
\"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$logindefs\" ]; then\n  mkdir $format/etc-export/ 2>/dev/null\n  cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null\nfi\n}\n\njob_info()\n{\necho -e \"\\e[00;33m### JOBS/TASKS ##########################################\\e[00m\" \n\n#are there any cron jobs configured\ncronjobs=`ls -la /etc/cron* 2>/dev/null`\nif [ \"$cronjobs\" ]; then\n  echo -e \"\\e[00;31m[-] Cron jobs:\\e[00m\\n$cronjobs\" \n  echo -e \"\\n\"\nfi\n\n#can we manipulate these jobs in any way\ncronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$cronjobwwperms\" ]; then\n  echo -e \"\\e[00;33m[+] World-writable cron jobs and file contents:\\e[00m\\n$cronjobwwperms\" \n  echo -e \"\\n\"\nfi\n\n#contab contents\ncrontabvalue=`cat /etc/crontab 2>/dev/null`\nif [ \"$crontabvalue\" ]; then\n  echo -e \"\\e[00;31m[-] Crontab contents:\\e[00m\\n$crontabvalue\" \n  echo -e \"\\n\"\nfi\n\ncrontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null`\nif [ \"$crontabvar\" ]; then\n  echo -e \"\\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\\e[00m\\n$crontabvar\" \n  echo -e \"\\n\"\nfi\n\nanacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null`\nif [ \"$anacronjobs\" ]; then\n  echo -e \"\\e[00;31m[-] Anacron jobs and associated file permissions:\\e[00m\\n$anacronjobs\" \n  echo -e \"\\n\"\nfi\n\nanacrontab=`ls -la /var/spool/anacron 2>/dev/null`\nif [ \"$anacrontab\" ]; then\n  echo -e \"\\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\\e[00m\\n$anacrontab\" \n  echo -e \"\\n\"\nfi\n\n#pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command)\ncronother=`cut -d \":\" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null`\nif [ \"$cronother\" ]; then\n  echo -e \"\\e[00;31m[-] Jobs held by all users:\\e[00m\\n$cronother\" \n  echo -e \"\\n\"\nfi\n\n# list systemd timers\nif [ \"$thorough\" = \"1\" 
]; then\n  # include inactive timers in thorough mode\n  systemdtimers=\"$(systemctl list-timers --all 2>/dev/null)\"\n  info=\"\"\nelse\n  systemdtimers=\"$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)\"\n  # replace the info in the output with a hint towards thorough mode\n  info=\"\\e[2mEnable thorough tests to see inactive timers\\e[00m\"\nfi\nif [ \"$systemdtimers\" ]; then\n  echo -e \"\\e[00;31m[-] Systemd timers:\\e[00m\\n$systemdtimers\\n$info\"\n  echo -e \"\\n\"\nfi\n\n}\n\nnetworking_info()\n{\necho -e \"\\e[00;33m### NETWORKING  ##########################################\\e[00m\" \n\n#nic information\nnicinfo=`/sbin/ifconfig -a 2>/dev/null`\nif [ \"$nicinfo\" ]; then\n  echo -e \"\\e[00;31m[-] Network and IP info:\\e[00m\\n$nicinfo\" \n  echo -e \"\\n\"\nfi\n\n#nic information (using ip)\nnicinfoip=`/sbin/ip a 2>/dev/null`\nif [ ! \"$nicinfo\" ] && [ \"$nicinfoip\" ]; then\n  echo -e \"\\e[00;31m[-] Network and IP info:\\e[00m\\n$nicinfoip\" \n  echo -e \"\\n\"\nfi\n\narpinfo=`arp -a 2>/dev/null`\nif [ \"$arpinfo\" ]; then\n  echo -e \"\\e[00;31m[-] ARP history:\\e[00m\\n$arpinfo\" \n  echo -e \"\\n\"\nfi\n\narpinfoip=`ip n 2>/dev/null`\nif [ ! \"$arpinfo\" ] && [ \"$arpinfoip\" ]; then\n  echo -e \"\\e[00;31m[-] ARP history:\\e[00m\\n$arpinfoip\" \n  echo -e \"\\n\"\nfi\n\n#dns settings\nnsinfo=`grep \"nameserver\" /etc/resolv.conf 2>/dev/null`\nif [ \"$nsinfo\" ]; then\n  echo -e \"\\e[00;31m[-] Nameserver(s):\\e[00m\\n$nsinfo\" \n  echo -e \"\\n\"\nfi\n\nnsinfosysd=`systemd-resolve --status 2>/dev/null`\nif [ \"$nsinfosysd\" ]; then\n  echo -e \"\\e[00;31m[-] Nameserver(s):\\e[00m\\n$nsinfosysd\" \n  echo -e \"\\n\"\nfi\n\n#default route configuration\ndefroute=`route 2>/dev/null | grep default`\nif [ \"$defroute\" ]; then\n  echo -e \"\\e[00;31m[-] Default route:\\e[00m\\n$defroute\" \n  echo -e \"\\n\"\nfi\n\n#default route configuration\ndefrouteip=`ip r 2>/dev/null | grep default`\nif [ ! 
\"$defroute\" ] && [ \"$defrouteip\" ]; then\n  echo -e \"\\e[00;31m[-] Default route:\\e[00m\\n$defrouteip\" \n  echo -e \"\\n\"\nfi\n\n#listening TCP\ntcpservs=`netstat -ntpl 2>/dev/null`\nif [ \"$tcpservs\" ]; then\n  echo -e \"\\e[00;31m[-] Listening TCP:\\e[00m\\n$tcpservs\" \n  echo -e \"\\n\"\nfi\n\ntcpservsip=`ss -t -l -n 2>/dev/null`\nif [ ! \"$tcpservs\" ] && [ \"$tcpservsip\" ]; then\n  echo -e \"\\e[00;31m[-] Listening TCP:\\e[00m\\n$tcpservsip\" \n  echo -e \"\\n\"\nfi\n\n#listening UDP\nudpservs=`netstat -nupl 2>/dev/null`\nif [ \"$udpservs\" ]; then\n  echo -e \"\\e[00;31m[-] Listening UDP:\\e[00m\\n$udpservs\" \n  echo -e \"\\n\"\nfi\n\nudpservsip=`ss -u -l -n 2>/dev/null`\nif [ ! \"$udpservs\" ] && [ \"$udpservsip\" ]; then\n  echo -e \"\\e[00;31m[-] Listening UDP:\\e[00m\\n$udpservsip\" \n  echo -e \"\\n\"\nfi\n}\n\nservices_info()\n{\necho -e \"\\e[00;33m### SERVICES #############################################\\e[00m\" \n\n#running processes\npsaux=`ps aux 2>/dev/null`\nif [ \"$psaux\" ]; then\n  echo -e \"\\e[00;31m[-] Running processes:\\e[00m\\n$psaux\" \n  echo -e \"\\n\"\nfi\n\n#lookup process binary path and permissisons\nprocperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null`\nif [ \"$procperm\" ]; then\n  echo -e \"\\e[00;31m[-] Process binaries and associated permissions (from above list):\\e[00m\\n$procperm\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$procperm\" ]; then\nprocpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null`\n  mkdir $format/ps-export/ 2>/dev/null\n  for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null\nfi\n\n#anything 'useful' in inetd.conf\ninetdread=`cat /etc/inetd.conf 2>/dev/null`\nif [ \"$inetdread\" ]; then\n  echo -e \"\\e[00;31m[-] Contents of /etc/inetd.conf:\\e[00m\\n$inetdread\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$inetdread\" ]; then\n  mkdir 
$format/etc-export/ 2>/dev/null\n  cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null\nfi\n\n#very 'rough' command to extract associated binaries from inetd.conf & show permissions of each\ninetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$inetdbinperms\" ]; then\n  echo -e \"\\e[00;31m[-] The related inetd binary permissions:\\e[00m\\n$inetdbinperms\" \n  echo -e \"\\n\"\nfi\n\nxinetdread=`cat /etc/xinetd.conf 2>/dev/null`\nif [ \"$xinetdread\" ]; then\n  echo -e \"\\e[00;31m[-] Contents of /etc/xinetd.conf:\\e[00m\\n$xinetdread\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$xinetdread\" ]; then\n  mkdir $format/etc-export/ 2>/dev/null\n  cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null\nfi\n\nxinetdincd=`grep \"/etc/xinetd.d\" /etc/xinetd.conf 2>/dev/null`\nif [ \"$xinetdincd\" ]; then\n  echo -e \"\\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\\e[00m\"; ls -la /etc/xinetd.d 2>/dev/null \n  echo -e \"\\n\"\nfi\n\n#very 'rough' command to extract associated binaries from xinetd.conf & show permissions of each\nxinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$xinetdbinperms\" ]; then\n  echo -e \"\\e[00;31m[-] The related xinetd binary permissions:\\e[00m\\n$xinetdbinperms\" \n  echo -e \"\\n\"\nfi\n\ninitdread=`ls -la /etc/init.d 2>/dev/null`\nif [ \"$initdread\" ]; then\n  echo -e \"\\e[00;31m[-] /etc/init.d/ binary permissions:\\e[00m\\n$initdread\" \n  echo -e \"\\n\"\nfi\n\n#init.d files NOT belonging to root!\ninitdperms=`find /etc/init.d/ \\! 
-uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$initdperms\" ]; then\n  echo -e \"\\e[00;31m[-] /etc/init.d/ files not belonging to root:\\e[00m\\n$initdperms\" \n  echo -e \"\\n\"\nfi\n\nrcdread=`ls -la /etc/rc.d/init.d 2>/dev/null`\nif [ \"$rcdread\" ]; then\n  echo -e \"\\e[00;31m[-] /etc/rc.d/init.d binary permissions:\\e[00m\\n$rcdread\" \n  echo -e \"\\n\"\nfi\n\n#init.d files NOT belonging to root!\nrcdperms=`find /etc/rc.d/init.d \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$rcdperms\" ]; then\n  echo -e \"\\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\\e[00m\\n$rcdperms\" \n  echo -e \"\\n\"\nfi\n\nusrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null`\nif [ \"$usrrcdread\" ]; then\n  echo -e \"\\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\\e[00m\\n$usrrcdread\" \n  echo -e \"\\n\"\nfi\n\n#rc.d files NOT belonging to root!\nusrrcdperms=`find /usr/local/etc/rc.d \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$usrrcdperms\" ]; then\n  echo -e \"\\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\\e[00m\\n$usrrcdperms\" \n  echo -e \"\\n\"\nfi\n\ninitread=`ls -la /etc/init/ 2>/dev/null`\nif [ \"$initread\" ]; then\n  echo -e \"\\e[00;31m[-] /etc/init/ config file permissions:\\e[00m\\n$initread\"\n  echo -e \"\\n\"\nfi\n\n# upstart scripts not belonging to root\ninitperms=`find /etc/init \\! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$initperms\" ]; then\n   echo -e \"\\e[00;31m[-] /etc/init/ config files not belonging to root:\\e[00m\\n$initperms\"\n   echo -e \"\\n\"\nfi\n\nsystemdread=`ls -lthR /lib/systemd/ 2>/dev/null`\nif [ \"$systemdread\" ]; then\n  echo -e \"\\e[00;31m[-] /lib/systemd/* config file permissions:\\e[00m\\n$systemdread\"\n  echo -e \"\\n\"\nfi\n\n# systemd files not belonging to root\nsystemdperms=`find /lib/systemd/ \\! 
-uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`\nif [ \"$systemdperms\" ]; then\n   echo -e \"\\e[00;33m[+] /lib/systemd/* config files not belonging to root:\\e[00m\\n$systemdperms\"\n   echo -e \"\\n\"\nfi\n}\n\nsoftware_configs()\n{\necho -e \"\\e[00;33m### SOFTWARE #############################################\\e[00m\" \n\n#sudo version - check to see if there are any known vulnerabilities with this\nsudover=`sudo -V 2>/dev/null| grep \"Sudo version\" 2>/dev/null`\nif [ \"$sudover\" ]; then\n  echo -e \"\\e[00;31m[-] Sudo version:\\e[00m\\n$sudover\" \n  echo -e \"\\n\"\nfi\n\n#mysql details - if installed\nmysqlver=`mysql --version 2>/dev/null`\nif [ \"$mysqlver\" ]; then\n  echo -e \"\\e[00;31m[-] MYSQL version:\\e[00m\\n$mysqlver\" \n  echo -e \"\\n\"\nfi\n\n#checks to see if root/root will get us a connection\nmysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null`\nif [ \"$mysqlconnect\" ]; then\n  echo -e \"\\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\\e[00m\\n$mysqlconnect\" \n  echo -e \"\\n\"\nfi\n\n#mysql version details\nmysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null`\nif [ \"$mysqlconnectnopass\" ]; then\n  echo -e \"\\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\\e[00m\\n$mysqlconnectnopass\" \n  echo -e \"\\n\"\nfi\n\n#postgres details - if installed\npostgver=`psql -V 2>/dev/null`\nif [ \"$postgver\" ]; then\n  echo -e \"\\e[00;31m[-] Postgres version:\\e[00m\\n$postgver\" \n  echo -e \"\\n\"\nfi\n\n#checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this\npostcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version`\nif [ \"$postcon1\" ]; then\n  echo -e \"\\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\\e[00m\\n$postcon1\" \n  echo -e \"\\n\"\nfi\n\npostcon11=`psql -U postgres -w template1 -c 
'select version()' 2>/dev/null | grep version`\nif [ \"$postcon11\" ]; then\n  echo -e \"\\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\\e[00m\\n$postcon11\" \n  echo -e \"\\n\"\nfi\n\npostcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version`\nif [ \"$postcon2\" ]; then\n  echo -e \"\\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\\e[00m\\n$postcon2\" \n  echo -e \"\\n\"\nfi\n\npostcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version`\nif [ \"$postcon22\" ]; then\n  echo -e \"\\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\\e[00m\\n$postcon22\" \n  echo -e \"\\n\"\nfi\n\n#apache details - if installed\napachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null`\nif [ \"$apachever\" ]; then\n  echo -e \"\\e[00;31m[-] Apache version:\\e[00m\\n$apachever\" \n  echo -e \"\\n\"\nfi\n\n#what account is apache running under\napacheusr=`grep -i 'user\\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\\export /,\"\")}1' 2>/dev/null`\nif [ \"$apacheusr\" ]; then\n  echo -e \"\\e[00;31m[-] Apache user configuration:\\e[00m\\n$apacheusr\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$apacheusr\" ]; then\n  mkdir --parents $format/etc-export/apache2/ 2>/dev/null\n  cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null\nfi\n\n#installed apache modules\napachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null`\nif [ \"$apachemodules\" ]; then\n  echo -e \"\\e[00;31m[-] Installed Apache modules:\\e[00m\\n$apachemodules\" \n  echo -e \"\\n\"\nfi\n\n#htpasswd check\nhtpasswd=`find / -name .htpasswd -print -exec cat {} \\; 2>/dev/null`\nif [ \"$htpasswd\" ]; then\n    echo -e \"\\e[00;33m[-] htpasswd found - could contain passwords:\\e[00m\\n$htpasswd\"\n    echo -e \"\\n\"\nfi\n\n#anything in the default http home dirs (a thorough only check as output can be 
large)\nif [ \"$thorough\" = \"1\" ]; then\n  apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null`\n  if [ \"$apachehomedirs\" ]; then\n    echo -e \"\\e[00;31m[-] www home dir contents:\\e[00m\\n$apachehomedirs\" \n    echo -e \"\\n\"\n  fi\nfi\n\n}\n\ninteresting_files()\n{\necho -e \"\\e[00;33m### INTERESTING FILES ####################################\\e[00m\" \n\n#checks to see if various files are installed\necho -e \"\\e[00;31m[-] Useful file locations:\\e[00m\" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null \necho -e \"\\n\" \n\n#limited search for installed compilers\ncompiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null`\nif [ \"$compiler\" ]; then\n  echo -e \"\\e[00;31m[-] Installed compilers:\\e[00m\\n$compiler\" \n  echo -e \"\\n\"\nfi\n\n#manual check - lists out sensitive files, can we read/modify etc.\necho -e \"\\e[00;31m[-] Can we read/write sensitive files:\\e[00m\" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null \necho -e \"\\n\" \n\n#search for suid files\nallsuid=`find / -perm -4000 -type f 2>/dev/null`\nfindsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$findsuid\" ]; then\n  echo -e \"\\e[00;31m[-] SUID files:\\e[00m\\n$findsuid\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$findsuid\" ]; then\n  mkdir $format/suid-files/ 2>/dev/null\n  for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null\nfi\n\n#list of 'interesting' suid files - feel free to make additions\nintsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \\; 2>/dev/null | grep -w $binarylist 
2>/dev/null`\nif [ \"$intsuid\" ]; then\n  echo -e \"\\e[00;33m[+] Possibly interesting SUID files:\\e[00m\\n$intsuid\" \n  echo -e \"\\n\"\nfi\n\n#lists world-writable suid files\nwwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$wwsuid\" ]; then\n  echo -e \"\\e[00;33m[+] World-writable SUID files:\\e[00m\\n$wwsuid\" \n  echo -e \"\\n\"\nfi\n\n#lists world-writable suid files owned by root\nwwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$wwsuidrt\" ]; then\n  echo -e \"\\e[00;33m[+] World-writable SUID files owned by root:\\e[00m\\n$wwsuidrt\" \n  echo -e \"\\n\"\nfi\n\n#search for sgid files\nallsgid=`find / -perm -2000 -type f 2>/dev/null`\nfindsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$findsgid\" ]; then\n  echo -e \"\\e[00;31m[-] SGID files:\\e[00m\\n$findsgid\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$findsgid\" ]; then\n  mkdir $format/sgid-files/ 2>/dev/null\n  for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null\nfi\n\n#list of 'interesting' sgid files\nintsgid=`find $allsgid -perm -2000 -type f  -exec ls -la {} \\; 2>/dev/null | grep -w $binarylist 2>/dev/null`\nif [ \"$intsgid\" ]; then\n  echo -e \"\\e[00;33m[+] Possibly interesting SGID files:\\e[00m\\n$intsgid\" \n  echo -e \"\\n\"\nfi\n\n#lists world-writable sgid files\nwwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$wwsgid\" ]; then\n  echo -e \"\\e[00;33m[+] World-writable SGID files:\\e[00m\\n$wwsgid\" \n  echo -e \"\\n\"\nfi\n\n#lists world-writable sgid files owned by root\nwwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \\;`\nif [ \"$wwsgidrt\" ]; then\n  echo -e \"\\e[00;33m[+] World-writable SGID files owned by root:\\e[00m\\n$wwsgidrt\" \n  echo -e \"\\n\"\nfi\n\n#list all files with POSIX capabilities set along with there capabilities\nfileswithcaps=`getcap -r / 2>/dev/null || 
/sbin/getcap -r / 2>/dev/null`\nif [ \"$fileswithcaps\" ]; then\n  echo -e \"\\e[00;31m[+] Files with POSIX capabilities set:\\e[00m\\n$fileswithcaps\"\n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$fileswithcaps\" ]; then\n  mkdir $format/files_with_capabilities/ 2>/dev/null\n  for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null\nfi\n\n#searches /etc/security/capability.conf for users associated capapilies\nuserswithcaps=`grep -v '^#\\|none\\|^$' /etc/security/capability.conf 2>/dev/null`\nif [ \"$userswithcaps\" ]; then\n  echo -e \"\\e[00;33m[+] Users with specific POSIX capabilities:\\e[00m\\n$userswithcaps\"\n  echo -e \"\\n\"\nfi\n\nif [ \"$userswithcaps\" ] ; then\n#matches the capabilities found associated with users with the current user\nmatchedcaps=`echo -e \"$userswithcaps\" | grep \\`whoami\\` | awk '{print $1}' 2>/dev/null`\n\tif [ \"$matchedcaps\" ]; then\n\t\techo -e \"\\e[00;33m[+] Capabilities associated with the current user:\\e[00m\\n$matchedcaps\"\n\t\techo -e \"\\n\"\n\t\t#matches the files with capapbilities with capabilities associated with the current user\n\t\tmatchedfiles=`echo -e \"$matchedcaps\" | while read -r cap ; do echo -e \"$fileswithcaps\" | grep \"$cap\" ; done 2>/dev/null`\n\t\tif [ \"$matchedfiles\" ]; then\n\t\t\techo -e \"\\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\\e[00m\\n$matchedfiles\"\n\t\t\techo -e \"\\n\"\n\t\t\t#lists the permissions of the files having the same capabilies associated with the current user\n\t\t\tmatchedfilesperms=`echo -e \"$matchedfiles\" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null`\n\t\t\techo -e \"\\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\\e[00m\\n$matchedfilesperms\"\n\t\t\techo -e \"\\n\"\n\t\t\tif [ \"$matchedfilesperms\" ]; then\n\t\t\t\t#checks if any of the files with same capabilities 
associated with the current user is writable\n\t\t\t\twritablematchedfiles=`echo -e \"$matchedfiles\" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null`\n\t\t\t\tif [ \"$writablematchedfiles\" ]; then\n\t\t\t\t\techo -e \"\\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\\e[00m\\n$writablematchedfiles\"\n\t\t\t\t\techo -e \"\\n\"\n\t\t\t\tfi\n\t\t\tfi\n\t\tfi\n\tfi\nfi\n\n#look for private keys - thanks djhohnstein\nif [ \"$thorough\" = \"1\" ]; then\nprivatekeyfiles=`grep -rl \"PRIVATE KEY-----\" /home 2>/dev/null`\n\tif [ \"$privatekeyfiles\" ]; then\n  \t\techo -e \"\\e[00;33m[+] Private SSH keys found!:\\e[00m\\n$privatekeyfiles\"\n  \t\techo -e \"\\n\"\n\tfi\nfi\n\n#look for AWS keys - thanks djhohnstein\nif [ \"$thorough\" = \"1\" ]; then\nawskeyfiles=`grep -rli \"aws_secret_access_key\" /home 2>/dev/null`\n\tif [ \"$awskeyfiles\" ]; then\n  \t\techo -e \"\\e[00;33m[+] AWS secret keys found!:\\e[00m\\n$awskeyfiles\"\n  \t\techo -e \"\\n\"\n\tfi\nfi\n\n#look for git credential files - thanks djhohnstein\nif [ \"$thorough\" = \"1\" ]; then\ngitcredfiles=`find / -name \".git-credentials\" 2>/dev/null`\n\tif [ \"$gitcredfiles\" ]; then\n  \t\techo -e \"\\e[00;33m[+] Git credentials saved on the machine!:\\e[00m\\n$gitcredfiles\"\n  \t\techo -e \"\\n\"\n\tfi\nfi\n\n#list all world-writable files excluding /proc and /sys\nif [ \"$thorough\" = \"1\" ]; then\nwwfiles=`find / ! -path \"*/proc/*\" ! 
-path \"/sys/*\" -perm -2 -type f -exec ls -la {} 2>/dev/null \\;`\n\tif [ \"$wwfiles\" ]; then\n\t\techo -e \"\\e[00;31m[-] World-writable files (excluding /proc and /sys):\\e[00m\\n$wwfiles\" \n\t\techo -e \"\\n\"\n\tfi\nfi\n\nif [ \"$thorough\" = \"1\" ]; then\n\tif [ \"$export\" ] && [ \"$wwfiles\" ]; then\n\t\tmkdir $format/ww-files/ 2>/dev/null\n\t\tfor i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null\n\tfi\nfi\n\n#are any .plan files accessible in /home (could contain useful information)\nusrplan=`find /home -iname *.plan -exec ls -la {} \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$usrplan\" ]; then\n  echo -e \"\\e[00;31m[-] Plan file permissions and contents:\\e[00m\\n$usrplan\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$usrplan\" ]; then\n  mkdir $format/plan_files/ 2>/dev/null\n  for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null\nfi\n\nbsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$bsdusrplan\" ]; then\n  echo -e \"\\e[00;31m[-] Plan file permissions and contents:\\e[00m\\n$bsdusrplan\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$bsdusrplan\" ]; then\n  mkdir $format/plan_files/ 2>/dev/null\n  for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null\nfi\n\n#are there any .rhosts files accessible - these may allow us to login as another user etc.\nrhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$rhostsusr\" ]; then\n  echo -e \"\\e[00;33m[+] rhost config file(s) and file contents:\\e[00m\\n$rhostsusr\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$rhostsusr\" ]; then\n  mkdir $format/rhosts/ 2>/dev/null\n  for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null\nfi\n\nbsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$bsdrhostsusr\" ]; then\n  echo -e \"\\e[00;33m[+] 
rhost config file(s) and file contents:\\e[00m\\n$bsdrhostsusr\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$bsdrhostsusr\" ]; then\n  mkdir $format/rhosts 2>/dev/null\n  for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null\nfi\n\nrhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \\; -exec cat {} 2>/dev/null \\;`\nif [ \"$rhostssys\" ]; then\n  echo -e \"\\e[00;33m[+] Hosts.equiv file and contents: \\e[00m\\n$rhostssys\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$rhostssys\" ]; then\n  mkdir $format/rhosts/ 2>/dev/null\n  for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null\nfi\n\n#list nfs shares/permisisons etc.\nnfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null`\nif [ \"$nfsexports\" ]; then\n  echo -e \"\\e[00;31m[-] NFS config details: \\e[00m\\n$nfsexports\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$nfsexports\" ]; then\n  mkdir $format/etc-export/ 2>/dev/null\n  cp /etc/exports $format/etc-export/exports 2>/dev/null\nfi\n\nif [ \"$thorough\" = \"1\" ]; then\n  #phackt\n  #displaying /etc/fstab\n  fstab=`cat /etc/fstab 2>/dev/null`\n  if [ \"$fstab\" ]; then\n    echo -e \"\\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\\e[00m\"\n    echo -e \"$fstab\"\n    echo -e \"\\n\"\n  fi\nfi\n\n#looking for credentials in /etc/fstab\nfstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\\username=/,\"\");sub(/\\,.*/,\"\")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\\password=/,\"\");sub(/\\,.*/,\"\")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\\domain=/,\"\");sub(/\\,.*/,\"\")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null`\nif [ \"$fstab\" ]; then\n  echo -e \"\\e[00;33m[+] Looks like there are credentials in /etc/fstab!\\e[00m\\n$fstab\"\n  echo -e \"\\n\"\nfi\n\nif [ 
\"$export\" ] && [ \"$fstab\" ]; then\n  mkdir $format/etc-exports/ 2>/dev/null\n  cp /etc/fstab $format/etc-exports/fstab 2>/dev/null\nfi\n\nfstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\\credentials=/,\"\");sub(/\\,.*/,\"\")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null`\nif [ \"$fstabcred\" ]; then\n    echo -e \"\\e[00;33m[+] /etc/fstab contains a credentials file!\\e[00m\\n$fstabcred\" \n    echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$fstabcred\" ]; then\n  mkdir $format/etc-exports/ 2>/dev/null\n  cp /etc/fstab $format/etc-exports/fstab 2>/dev/null\nfi\n\n#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located\nif [ \"$keyword\" = \"\" ]; then\n  echo -e \"[-] Can't search *.conf files as no keyword was entered\\n\" \n  else\n    confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \\; 2>/dev/null`\n    if [ \"$confkey\" ]; then\n      echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\\e[00m\\n$confkey\" \n      echo -e \"\\n\" \n     else \n\techo -e \"\\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\\e[00m\" \n\techo -e \"'$keyword' not found in any .conf files\" \n\techo -e \"\\n\" \n    fi\nfi\n\nif [ \"$keyword\" = \"\" ]; then\n  :\n  else\n    if [ \"$export\" ] && [ \"$confkey\" ]; then\n\t  confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \\; 2>/dev/null`\n      mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null\n      for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null\n  fi\nfi\n\n#use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located\nif [ \"$keyword\" = 
\"\" ]; then\n  echo -e \"[-] Can't search *.php files as no keyword was entered\\n\" \n  else\n    phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \\; 2>/dev/null`\n    if [ \"$phpkey\" ]; then\n      echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\\e[00m\\n$phpkey\" \n      echo -e \"\\n\" \n     else \n  echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\\e[00m\" \n  echo -e \"'$keyword' not found in any .php files\" \n  echo -e \"\\n\" \n    fi\nfi\n\nif [ \"$keyword\" = \"\" ]; then\n  :\n  else\n    if [ \"$export\" ] && [ \"$phpkey\" ]; then\n    phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \\; 2>/dev/null`\n      mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null\n      for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 2>/dev/null\n  fi\nfi\n\n#use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located\nif [ \"$keyword\" = \"\" ];then\n  echo -e \"[-] Can't search *.log files as no keyword was entered\\n\" \n  else\n    logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \\; 2>/dev/null`\n    if [ \"$logkey\" ]; then\n      echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\\e[00m\\n$logkey\" \n      echo -e \"\\n\" \n     else \n\techo -e \"\\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\\e[00m\" \n\techo -e \"'$keyword' not found in any .log files\"\n\techo -e \"\\n\" \n    fi\nfi\n\nif [ \"$keyword\" = \"\" ];then\n  :\n  else\n    if [ \"$export\" ] && [ \"$logkey\" ]; then\n      logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \\; 
2>/dev/null`\n\t  mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null\n      for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null\n  fi\nfi\n\n#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located\nif [ \"$keyword\" = \"\" ];then\n  echo -e \"[-] Can't search *.ini files as no keyword was entered\\n\" \n  else\n    inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \\; 2>/dev/null`\n    if [ \"$inikey\" ]; then\n      echo -e \"\\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\\e[00m\\n$inikey\" \n      echo -e \"\\n\" \n     else \n\techo -e \"\\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\\e[00m\" \n\techo -e \"'$keyword' not found in any .ini files\" \n\techo -e \"\\n\"\n    fi\nfi\n\nif [ \"$keyword\" = \"\" ];then\n  :\n  else\n    if [ \"$export\" ] && [ \"$inikey\" ]; then\n\t  inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} \\; 2>/dev/null`\n      mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null\n      for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null\n  fi\nfi\n\n#quick extract of .conf files from /etc - only 1 level\nallconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \\; 2>/dev/null`\nif [ \"$allconf\" ]; then\n  echo -e \"\\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\\e[00m\\n$allconf\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$allconf\" ]; then\n  mkdir $format/conf-files/ 2>/dev/null\n  for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null\nfi\n\n#extract any user history files that are accessible\nusrhist=`ls -la ~/.*_history 2>/dev/null`\nif [ \"$usrhist\" ]; then\n  echo -e \"\\e[00;31m[-] 
Current user's history files:\\e[00m\\n$usrhist\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$usrhist\" ]; then\n  mkdir $format/history_files/ 2>/dev/null\n  for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null\nfi\n\n#can we read roots *_history files - could be passwords stored etc.\nroothist=`ls -la /root/.*_history 2>/dev/null`\nif [ \"$roothist\" ]; then\n  echo -e \"\\e[00;33m[+] Root's history files are accessible!\\e[00m\\n$roothist\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$roothist\" ]; then\n  mkdir $format/history_files/ 2>/dev/null\n  cp $roothist $format/history_files/ 2>/dev/null\nfi\n\n#all accessible .bash_history files in /home\ncheckbashhist=`find /home -name .bash_history -print -exec cat {} 2>/dev/null \\;`\nif [ \"$checkbashhist\" ]; then\n  echo -e \"\\e[00;31m[-] Location and contents (if accessible) of .bash_history file(s):\\e[00m\\n$checkbashhist\"\n  echo -e \"\\n\"\nfi\n\n#any .bak files that may be of interest\nbakfiles=`find / -name *.bak -type f 2>/dev/null`\nif [ \"$bakfiles\" ]; then\n  echo -e \"\\e[00;31m[-] Location and Permissions (if accessible) of .bak file(s):\\e[00m\"\n  for bak in `echo $bakfiles`; do ls -la $bak;done\n  echo -e \"\\n\"\nfi\n\n#is there any mail accessible\nreadmail=`ls -la /var/mail 2>/dev/null`\nif [ \"$readmail\" ]; then\n  echo -e \"\\e[00;31m[-] Any interesting mail in /var/mail:\\e[00m\\n$readmail\" \n  echo -e \"\\n\"\nfi\n\n#can we read roots mail\nreadmailroot=`head /var/mail/root 2>/dev/null`\nif [ \"$readmailroot\" ]; then\n  echo -e \"\\e[00;33m[+] We can read /var/mail/root! 
(snippet below)\\e[00m\\n$readmailroot\" \n  echo -e \"\\n\"\nfi\n\nif [ \"$export\" ] && [ \"$readmailroot\" ]; then\n  mkdir $format/mail-from-root/ 2>/dev/null\n  cp $readmailroot $format/mail-from-root/ 2>/dev/null\nfi\n}\n\ndocker_checks()\n{\n\n#specific checks - check to see if we're in a docker container\ndockercontainer=` grep -i docker /proc/self/cgroup  2>/dev/null; find / -name \"*dockerenv*\" -exec ls -la {} \\; 2>/dev/null`\nif [ \"$dockercontainer\" ]; then\n  echo -e \"\\e[00;33m[+] Looks like we're in a Docker container:\\e[00m\\n$dockercontainer\" \n  echo -e \"\\n\"\nfi\n\n#specific checks - check to see if we're a docker host\ndockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null`\nif [ \"$dockerhost\" ]; then\n  echo -e \"\\e[00;33m[+] Looks like we're hosting Docker:\\e[00m\\n$dockerhost\" \n  echo -e \"\\n\"\nfi\n\n#specific checks - are we a member of the docker group\ndockergrp=`id | grep -i docker 2>/dev/null`\nif [ \"$dockergrp\" ]; then\n  echo -e \"\\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\\e[00m\\n$dockergrp\" \n  echo -e \"\\n\"\nfi\n\n#specific checks - are there any docker files present\ndockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \\;`\nif [ \"$dockerfiles\" ]; then\n  echo -e \"\\e[00;31m[-] Anything juicy in the Dockerfile:\\e[00m\\n$dockerfiles\" \n  echo -e \"\\n\"\nfi\n\n#specific checks - are there any docker files present\ndockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \\;`\nif [ \"$dockeryml\" ]; then\n  echo -e \"\\e[00;31m[-] Anything juicy in docker-compose.yml:\\e[00m\\n$dockeryml\" \n  echo -e \"\\n\"\nfi\n}\n\nlxc_container_checks()\n{\n\n#specific checks - are we in an lxd/lxc container\nlxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`\nif [ \"$lxccontainer\" ]; then\n  echo -e \"\\e[00;33m[+] Looks like we're in a lxc container:\\e[00m\\n$lxccontainer\"\n  echo -e \"\\n\"\nfi\n\n#specific checks - 
are we a member of the lxd group\nlxdgroup=`id | grep -i lxd 2>/dev/null`\nif [ \"$lxdgroup\" ]; then\n  echo -e \"\\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\\e[00m\\n$lxdgroup\"\n  echo -e \"\\n\"\nfi\n}\n\nfooter()\n{\necho -e \"\\e[00;33m### SCAN COMPLETE ####################################\\e[00m\" \n}\n\ncall_each()\n{\n  header\n  debug_info\n  system_info\n  user_info\n  environmental_info\n  job_info\n  networking_info\n  services_info\n  software_configs\n  interesting_files\n  docker_checks\n  lxc_container_checks\n  footer\n}\n\nwhile getopts \"h:k:r:e:st\" option; do\n case \"${option}\" in\n    k) keyword=${OPTARG};;\n    r) report=${OPTARG}\"-\"`date +\"%d-%m-%y\"`;;\n    e) export=${OPTARG};;\n    s) sudopass=1;;\n    t) thorough=1;;\n    h) usage; exit;;\n    *) usage; exit;;\n esac\ndone\n\ncall_each | tee -a $report 2> /dev/null\n#EndOfScript\n"
  },
  {
    "path": "README.md",
    "content": "# LinEnum\nFor more information visit www.rebootuser.com\n\nNote: Export functionality is currently in the experimental stage.\n\nGeneral usage:\n\nversion 0.982\n\n* Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t \n\nOPTIONS:\n* -k\tEnter keyword\n* -e\tEnter export location\n* -t\tInclude thorough (lengthy) tests\n* -s\tSupply current user password to check sudo perms (INSECURE)\n* -r\tEnter report name\n* -h\tDisplays this help text\n\n\nRunning with no options = limited scans/no output file\n\n* -e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.\n* -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.\n* -t Performs thorough (slow) tests. Without this switch default 'quick' scans are performed.\n* -s Use the current user with supplied password to check for sudo permissions - note this is insecure and only really for CTF use!\n* -k An optional switch for which the user can search for a single keyword within many files (documented below).\n\nSee CHANGELOG.md for further details\n\nHigh-level summary of the checks/tasks performed by LinEnum:\n\n* Kernel and distribution release details\n* System Information:\n  * Hostname\n  * Networking details:\n  * Current IP\n  * Default route details\n  * DNS server information\n* User Information:\n  * Current user details\n  * Last logged on users\n  * Shows users logged onto the host\n  * List all users including uid/gid information\n  * List root accounts\n  * Extracts password policies and hash storage method information\n  * Checks umask value\n  * Checks if password hashes are stored in /etc/passwd\n  * Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc\n  * Attempt to read restricted files i.e. 
/etc/shadow\n  * List current users history files (i.e .bash_history, .nano_history etc.)\n  * Basic SSH checks\n* Privileged access:\n  * Which users have recently used sudo\n  * Determine if /etc/sudoers is accessible\n  * Determine if the current user has Sudo access without a password\n  * Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)\n  * Is root’s home directory accessible\n  * List permissions for /home/\n* Environmental:\n  * Display current $PATH\n  * Displays env information\n* Jobs/Tasks:\n  * List all cron jobs\n  * Locate all world-writable cron jobs\n  * Locate cron jobs owned by other users of the system\n  * List the active and inactive systemd timers\n* Services:\n  * List network connections (TCP & UDP)\n  * List running processes\n  * Lookup and list process binaries and associated permissions\n  * List inetd.conf/xined.conf contents and associated binary file permissions\n  * List init.d binary permissions\n* Version Information (of the following):\n  * Sudo\n  * MYSQL\n  * Postgres\n  * Apache\n    * Checks user config\n    * Shows enabled modules\n    * Checks for htpasswd files\n    * View www directories\n* Default/Weak Credentials:\n  * Checks for default/weak Postgres accounts\n  * Checks for default/weak MYSQL accounts\n* Searches:\n  * Locate all SUID/GUID files\n  * Locate all world-writable SUID/GUID files\n  * Locate all SUID/GUID files owned by root\n  * Locate ‘interesting’ SUID/GUID files (i.e. 
nmap, vim etc)\n  * Locate files with POSIX capabilities\n  * List all world-writable files\n  * Find/list all accessible *.plan files and display contents\n  * Find/list all accessible *.rhosts files and display contents\n  * Show NFS server details\n  * Locate *.conf and *.log files containing keyword supplied at script runtime\n  * List all *.conf files located in /etc\n  * .bak file search\n  * Locate mail\n* Platform/software specific tests:\n  * Checks to determine if we're in a Docker container\n  * Checks to see if the host has Docker installed\n  * Checks to determine if we're in an LXC container\n"
  }
]