  1. #!/bin/bash
  2.  
  3. # ...----....
  4. # ..-:"'' ''"-..
  5. # .-' '-.
  6. # .' . . '.
  7. # .' . . . . .''.
  8. # .' . . . . . . . ..:.
  9. # .' . . . . . . .. . . ....::.
  10. # .. . . . . . . .. . ....:IA.
  11. # .: . . . . . . .. . .. .. ....:IA.
  12. # .: . . .. . . . . .. . ... ....:.:VHA.
  13. # '.. . .. . . . . .. . .. . .....:.::IHHB.
  14. # .:. . . . . . . . . . . ...:.:... .......:HIHMM.
  15. # .:.... . . ."::"'.. . . . .:.:.:II;,. .. ..:IHIMMA
  16. # ':.:.. ..::IHHHHHI::. . . ...:.::::.,,,. . ....VIMMHM
  17. # .:::I. .AHHHHHHHHHHAI::. .:...,:IIHHHHHHMMMHHL:. . VMMMM
  18. # .:.:V.:IVHHHHHHHMHMHHH::..:" .:HIHHHHHHHHHHHHHMHHA. .VMMM.
  19. # :..V.:IVHHHHHMMHHHHHHHB... . .:VPHHMHHHMMHHHHHHHHHAI.:VMMI
  20. # ::V..:VIHHHHHHMMMHHHHHH. . .I":IIMHHMMHHHHHHHHHHHAPI:WMM
  21. # ::". .:.HHHHHHHHMMHHHHHI. . .:..I:MHMMHHHHHHHHHMHV:':H:WM
  22. # :: . :.::IIHHHHHHMMHHHHV .ABA.:.:IMHMHMMMHMHHHHV:'. .IHWW
  23. # '. ..:..:.:IHHHHHMMHV" .AVMHMA.:.'VHMMMMHHHHHV:' . :IHWV
  24. # :. .:...:".:.:TPP" .AVMMHMMA.:. "VMMHHHP.:... .. :IVAI
  25. # .:. '... .:"' . ..HMMMHMMMA::. ."VHHI:::.... .:IHW'
  26. # ... . . ..:IIPPIH: ..HMMMI.MMMV:I:. .:ILLH:.. ...:I:IM
  27. # : . .'"' .:.V". .. . :HMMM:IMMMI::I. ..:HHIIPPHI::'.P:HM.
  28. # :. . . .. ..:.. . :AMMM IMMMM..:...:IV":T::I::.".:IHIMA
  29. # 'V:.. .. . .. . . . 'VMMV..VMMV :....:V:.:..:....::IHHHMH
  30. # "IHH:.II:.. .:. . . . . " :HB"" . . ..PI:.::.:::..:IHHMMV"
  31. # :IP""HHII:. . . . . .'V:. . . ..:IH:.:.::IHIHHMMMMM"
  32. # :V:. VIMA:I.. . . . .. . . .:.I:I:..:IHHHHMMHHMMM
  33. # :"VI:.VWMA::. .: . .. .:. ..:.I::.:IVHHHMMMHMMMMI
  34. # :."VIIHHMMA:. . . .: .:.. . .:.II:I:AMMMMMMHMMMMMI
  35. # :..VIHIHMMMI...::.,:.,:!"I:!"I!"I!"V:AI:VAMMMMMMHMMMMMM'
  36. # ':.:HIHIMHHA:"!!"I.:AXXXVVXXXXXXXA:."HPHIMMMMHHMHMMMMMV
  37. # V:H:I:MA:W'I :AXXXIXII:IIIISSSSSSXXA.I.VMMMHMHMMMMMM
  38. # 'I::IVA ASSSSXSSSSBBSBMBSSSSSSBBMMMBS.VVMMHIMM'"'
  39. # I:: VPAIMSSSSSSSSSBSSSMMBSSSBBMMMMXXI:MMHIMMI
  40. # .I::. "H:XIIXBBMMMMMMMMMMMMMMMMMBXIXXMMPHIIMM'
  41. # :::I. ':XSSXXIIIIXSSBMBSSXXXIIIXXSMMAMI:.IMM
  42. # :::I:. .VSSSSSISISISSSBII:ISSSSBMMB:MI:..:MM
  43. # ::.I:. ':"SSSSSSSISISSXIIXSSSSBMMB:AHI:..MMM.
  44. # ::.I:. . ..:"BBSSSSSSSSSSSSBBBMMMB:AHHI::.HMMI
  45. # :..::. . ..::":BBBBBSSBBBMMMB:MMMMHHII::IHHMI
  46. # ':.I:... ....:IHHHHHMMMMMMMMMMMMMMMHHIIIIHMMV"
  47. # "V:. ..:...:.IHHHMMMMMMMMMMMMMMMMHHHMHHMHP'
  48. # ':. .:::.:.::III::IHHHHMMMMMHMHMMHHHHM"
  49. # "::....::.:::..:..::IIIIIHHHHMMMHHMV"
  50. # "::.::.. .. . ...:::IIHHMMMMHMV"
  51. # "V::... . .I::IHHMMV"'
  52. # '"VHVHHHAHHHHMMV:"'
  53. #
  54. # ___
  55. # / _ \
  56. # ______ _ ___ / /_\ \_ __
  57. # |_ / _` |/ _ \ | _ | '_ \
  58. # / / (_| | (_) || | | | | | |
  59. # /___\__,_|\___/ \_| |_/_| |_|
  60. # ______
  61.  
# Print the coloured banner shown at the top of every run.
# printf is used instead of echo -e; the emitted bytes are the same
# (leading blank line, red rule, title line, red rule).
header()
{
  printf '\n\033[00;31m%s\033[00m\n' '#########################################################'
  printf '\033[00;31m#\033[00m \033[00;33mLinux Post-Exploitation Script\033[00m \033[00;31m#\033[00m\n'
  printf '\033[00;31m%s\033[00m\n' '#########################################################'
}
  69.  
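# Print the run configuration and set up the globals the other sections use.
# Reads:  keyword, report, export, thorough, sudopass (set by the option parser)
# Writes: format       - export directory for this run (only when export is set)
#         userpassword - sudo password, prompted for when sudopass is set
#         who          - current user name
# The export directory later receives copies of /etc/shadow, sudoers and SSH
# keys, so it is created mode 0700 rather than with whatever umask allows.
debug_info()
{
  echo "[-] Debug Info"

  if [ -n "$keyword" ]; then
    echo "[+] Searching for the keyword $keyword in conf, php, ini and log files"
  fi

  if [ -n "$report" ]; then
    echo "[+] Report name = $report"
  fi

  if [ -n "$export" ]; then
    echo "[+] Export location = $export"
  fi

  if [ -n "$thorough" ]; then
    echo "[+] Thorough tests = Enabled"
  else
    echo -e "\e[00;33m[+] Thorough tests = Disabled (SUID/GUID checks will not be perfomed!)\e[00m"
  fi

  sleep 2

  if [ -n "$export" ]; then
    format="$export/LinEnum-export-$(date +"%d-%m-%y")"
    # -m applies to directories mkdir creates; chmod covers a pre-existing one
    mkdir -p -m 700 -- "$export" "$format" 2>/dev/null
    chmod 700 -- "$format" 2>/dev/null
  fi

  if [ -n "$sudopass" ]; then
    echo -e "\e[00;35m[+] Please enter password\e[00m"
    # -r keeps backslashes in the password literal, -s suppresses the echo
    IFS= read -r -s userpassword
    echo
  fi

  # the original put 2>/dev/null outside the backticks, where it did nothing
  who=$(whoami 2>/dev/null)
  echo -e "\n"

  echo -e "\e[00;33mScan started at:"; date
  echo -e "\e[00m\n"
}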
  122.  
  123. binarylist='nmap\|perl\|awk\|find\|bash\|sh\|man\|more\|less\|vi\|emacs\|vim\|nc\|netcat\|python\|ruby\|lua\|irb\|tar\|zip\|gdb\|pico\|scp\|git\|rvim\|script\|ash\|csh\|curl\|dash\|ed\|env\|expect\|ftp\|sftp\|node\|php\|rpm\|rpmquery\|socat\|strace\|taskset\|tclsh\|telnet\|tftp\|wget\|wish\|zsh\|ssh'
  124.  
  125. system_info()
  126. {
  127. echo -e "\e[00;33m### SYSTEM ##############################################\e[00m"
  128.  
  129. #basic kernel info
  130. unameinfo=`uname -a 2>/dev/null`
  131. if [ "$unameinfo" ]; then
  132. echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo"
  133. echo -e "\n"
  134. else
  135. :
  136. fi
  137.  
  138. procver=`cat /proc/version 2>/dev/null`
  139. if [ "$procver" ]; then
  140. echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver"
  141. echo -e "\n"
  142. else
  143. :
  144. fi
  145.  
  146. #search all *-release files for version info
  147. release=`cat /etc/*-release 2>/dev/null`
  148. if [ "$release" ]; then
  149. echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release"
  150. echo -e "\n"
  151. else
  152. :
  153. fi
  154.  
  155. #target hostname info
  156. hostnamed=`hostname 2>/dev/null`
  157. if [ "$hostnamed" ]; then
  158. echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed"
  159. echo -e "\n"
  160. else
  161. :
  162. fi
  163. }
  164.  
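# Copy one file into the export tree with restrictive permissions.
# $1 = source path, $2 = destination path.  The destination's parent is
# created mode 0700 and the copy is forced to 0600, because this tree ends up
# holding /etc/shadow, sudoers and SSH keys.  Failures are silent, matching
# the rest of the script.
_user_info_export()
{
  mkdir -p -m 700 -- "$(dirname -- "$2")" 2>/dev/null
  cp -- "$1" "$2" 2>/dev/null && chmod 600 -- "$2" 2>/dev/null
}

# USER/GROUP section: who we are, who else is here, what is readable under
# /etc, sudo rights, and (thorough mode) filesystem-wide ownership sweeps.
# Reads:  export, format, thorough, sudopass, userpassword, binarylist
# Writes: the per-check globals the original used (currusr, grpinfo,
#         sudoperms, wrfileshm, sshfiles, ...) so later code can reuse them.
# Changes from the original: paths are quoted; the sudo password is piped
# with printf so echo cannot mangle or word-split it; the two repeated
# `sudo -l` runs reuse the first result instead of re-authenticating; export
# copies are collected with find -print0 rather than by word-splitting
# `ls -al` text (which handed mode/owner/size/date fields to cp); every
# exported file is 0600 in a 0700 directory.
user_info()
{
  echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m"

  #current user details
  currusr=$(id 2>/dev/null)
  if [ -n "$currusr" ]; then
    echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr"
    echo -e "\n"
  fi

  #last logged on user information
  lastlogedonusrs=$(lastlog 2>/dev/null | grep -v "Never" 2>/dev/null)
  if [ -n "$lastlogedonusrs" ]; then
    echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs"
    echo -e "\n"
  fi

  #who else is logged on
  loggedonusrs=$(w 2>/dev/null)
  if [ -n "$loggedonusrs" ]; then
    echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs"
    echo -e "\n"
  fi

  #lists all id's and respective group(s)
  grpinfo=$(cut -d":" -f1 /etc/passwd 2>/dev/null | while IFS= read -r u; do id "$u"; done 2>/dev/null)
  if [ -n "$grpinfo" ]; then
    echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo"
    echo -e "\n"
  fi

  #added by phackt - look for adm group (thanks patrick)
  adm_users=$(printf '%s\n' "$grpinfo" | grep "(adm)")
  if [ -n "$adm_users" ]; then
    echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users"
    echo -e "\n"
  fi

  #checks to see if any hashes are stored in /etc/passwd (deprecated *nix storage method)
  hashesinpasswd=$(grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null)
  if [ -n "$hashesinpasswd" ]; then
    echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd"
    echo -e "\n"
  fi

  #contents of /etc/passwd
  readpasswd=$(cat /etc/passwd 2>/dev/null)
  if [ -n "$readpasswd" ]; then
    echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd"
    echo -e "\n"
  fi
  if [ -n "$export" ] && [ -n "$readpasswd" ]; then
    _user_info_export /etc/passwd "$format/etc-export/passwd"
  fi

  #checks to see if the shadow file can be read
  readshadow=$(cat /etc/shadow 2>/dev/null)
  if [ -n "$readshadow" ]; then
    echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow"
    echo -e "\n"
  fi
  if [ -n "$export" ] && [ -n "$readshadow" ]; then
    _user_info_export /etc/shadow "$format/etc-export/shadow"
  fi

  #checks to see if /etc/master.passwd can be read - BSD 'shadow' variant
  readmasterpasswd=$(cat /etc/master.passwd 2>/dev/null)
  if [ -n "$readmasterpasswd" ]; then
    echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd"
    echo -e "\n"
  fi
  if [ -n "$export" ] && [ -n "$readmasterpasswd" ]; then
    _user_info_export /etc/master.passwd "$format/etc-export/master.passwd"
  fi

  #all root accounts (uid 0)
  superman=$(grep -v -E "^#" /etc/passwd 2>/dev/null | awk -F: '$3 == 0 { print $1}' 2>/dev/null)
  if [ -n "$superman" ]; then
    echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman"
    echo -e "\n"
  fi

  #pull out vital sudoers info (blank and commented lines dropped)
  sudoers=$(grep -v -e '^$' /etc/sudoers 2>/dev/null | grep -v "#" 2>/dev/null)
  if [ -n "$sudoers" ]; then
    # the original omitted the newline before the listing
    echo -e "\e[00;31m[-] Sudoers configuration (condensed):\e[00m\n$sudoers"
    echo -e "\n"
  fi
  if [ -n "$export" ] && [ -n "$sudoers" ]; then
    _user_info_export /etc/sudoers "$format/etc-export/sudoers"
  fi

  #can we sudo without supplying a password (-k discards cached credentials first)
  sudoperms=$(echo '' | sudo -S -l -k 2>/dev/null)
  if [ -n "$sudoperms" ]; then
    echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms"
    echo -e "\n"
  fi

  #check sudo perms - authenticated (only when NOPASSWD did not already work)
  sudoauth=""
  if [ -n "$sudopass" ] && [ -z "$sudoperms" ]; then
    # printf, not echo: a password like "-n" or one containing backslashes
    # would otherwise be altered, and an unquoted echo would word-split it
    sudoauth=$(printf '%s\n' "$userpassword" | sudo -S -l -k 2>/dev/null)
    if [ -n "$sudoauth" ]; then
      echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth"
      echo -e "\n"
    fi

    ##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated
    sudopermscheck=$(printf '%s\n' "$sudoauth" | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w "$binarylist" 2>/dev/null)
    if [ -n "$sudopermscheck" ]; then
      echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck"
      echo -e "\n"
    fi
  fi

  #known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)
  sudopwnage=$(printf '%s\n' "$sudoperms" | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w "$binarylist" 2>/dev/null)
  if [ -n "$sudopwnage" ]; then
    echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage"
    echo -e "\n"
  fi

  #who has sudoed in the past
  whohasbeensudo=$(find /home -name .sudo_as_admin_successful 2>/dev/null)
  if [ -n "$whohasbeensudo" ]; then
    echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo"
    echo -e "\n"
  fi

  #checks to see if roots home directory is accessible
  rthmdir=$(ls -ahl /root/ 2>/dev/null)
  if [ -n "$rthmdir" ]; then
    echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir"
    echo -e "\n"
  fi

  #displays /home directory permissions - check if any are lax
  homedirperms=$(ls -ahl /home/ 2>/dev/null)
  if [ -n "$homedirperms" ]; then
    echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms"
    echo -e "\n"
  fi

  # the sweeps below walk the whole filesystem, so they are thorough-only
  if [ "$thorough" = "1" ]; then
    #looks for files we can write to that don't belong to us. -writable tests
    #our effective access, so group, other and ACL grants are all covered
    grfilesall=$(find / -writable ! -user "$(whoami)" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null)
    if [ -n "$grfilesall" ]; then
      echo -e "\e[00;31m[-] Files not owned by user but writable by us:\e[00m\n$grfilesall"
      echo -e "\n"
    fi

    #looks for files that belong to us
    ourfilesall=$(find / -user "$(whoami)" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null)
    if [ -n "$ourfilesall" ]; then
      echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall"
      echo -e "\n"
    fi

    #looks for hidden files
    hiddenfiles=$(find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null)
    if [ -n "$hiddenfiles" ]; then
      echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles"
      echo -e "\n"
    fi

    #looks for world-readable files within /home
    wrfileshm=$(find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null)
    if [ -n "$wrfileshm" ]; then
      echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm"
      echo -e "\n"
    fi
    if [ -n "$export" ] && [ -n "$wrfileshm" ]; then
      mkdir -p -m 700 -- "$format/wr-files/" 2>/dev/null
      # take the paths from find itself; splitting the ls -al text above
      # would also pass mode, owner, size and date fields to cp
      find /home/ -perm -4 -type f -print0 2>/dev/null |
        while IFS= read -r -d '' f; do
          cp --parents -- "$f" "$format/wr-files/" 2>/dev/null
        done
    fi

    #lists current user's home directory contents
    homedircontents=$(ls -ahl ~ 2>/dev/null)
    if [ -n "$homedircontents" ]; then
      echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents"
      echo -e "\n"
    fi

    #checks for if various ssh files are accessible
    sshfiles=$(find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null)
    if [ -n "$sshfiles" ]; then
      echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles"
      echo -e "\n"
    fi
    if [ -n "$export" ] && [ -n "$sshfiles" ]; then
      mkdir -p -m 700 -- "$format/ssh-files/" 2>/dev/null
      find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -print0 2>/dev/null |
        while IFS= read -r -d '' f; do
          cp --parents -- "$f" "$format/ssh-files/" 2>/dev/null
        done
    fi
  fi

  #is root permitted to login via ssh - sshd honours the first uncommented
  #value, and a multi-line grep result would never compare equal to "yes"
  sshrootlogin=$(awk '/^[[:space:]]*PermitRootLogin[[:space:]]/ { print $2; exit }' /etc/ssh/sshd_config 2>/dev/null)
  if [ "$sshrootlogin" = "yes" ]; then
    echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#"
    echo -e "\n"
  fi
}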
  480.  
  481. environmental_info()
  482. {
  483. echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m"
  484.  
  485. #env information
  486. envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null`
  487. if [ "$envinfo" ]; then
  488. echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo"
  489. echo -e "\n"
  490. else
  491. :
  492. fi
  493.  
  494. #check if selinux is enabled
  495. sestatus=`sestatus 2>/dev/null`
  496. if [ "$sestatus" ]; then
  497. echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus"
  498. echo -e "\n"
  499. fi
  500.  
  501. #phackt
  502.  
  503. #current path configuration
  504. pathinfo=`echo $PATH 2>/dev/null`
  505. if [ "$pathinfo" ]; then
  506. echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo"
  507. echo -e "\n"
  508. else
  509. :
  510. fi
  511.  
  512. #lists available shells
  513. shellinfo=`cat /etc/shells 2>/dev/null`
  514. if [ "$shellinfo" ]; then
  515. echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo"
  516. echo -e "\n"
  517. else
  518. :
  519. fi
  520.  
  521. #current umask value with both octal and symbolic output
  522. umaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null`
  523. if [ "$umaskvalue" ]; then
  524. echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue"
  525. echo -e "\n"
  526. else
  527. :
  528. fi
  529.  
  530. #umask value as in /etc/login.defs
  531. umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null`
  532. if [ "$umaskdef" ]; then
  533. echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef"
  534. echo -e "\n"
  535. else
  536. :
  537. fi
  538.  
  539. #password policy information as stored in /etc/login.defs
  540. logindefs=`grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null`
  541. if [ "$logindefs" ]; then
  542. echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs"
  543. echo -e "\n"
  544. else
  545. :
  546. fi
  547.  
  548. if [ "$export" ] && [ "$logindefs" ]; then
  549. mkdir $format/etc-export/ 2>/dev/null
  550. cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null
  551. else
  552. :
  553. fi
  554. }
  555.  
# JOBS/TASKS section: cron directories and their contents, the system and
# per-user crontabs, anacron state and systemd timers.
# Reads:  thorough
# Writes: cronjobs, cronjobwwperms, crontabvalue, crontabvar, anacronjobs,
#         anacrontab, cronother, systemdtimers, info
job_info()
{
  echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m"

  # cron directories and the permissions of what they hold
  cronjobs=$(ls -la /etc/cron* 2>/dev/null)
  if [ -n "$cronjobs" ]; then
    echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs"
    echo -e "\n"
  fi

  # world-writable cron files can be edited to run as root on the next tick
  cronjobwwperms=$(find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
  if [ -n "$cronjobwwperms" ]; then
    echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms"
    echo -e "\n"
  fi

  # system-wide crontab
  crontabvalue=$(cat /etc/crontab 2>/dev/null)
  if [ -n "$crontabvalue" ]; then
    echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue"
    echo -e "\n"
  fi

  # per-user crontab spool (normally only listable by root)
  crontabvar=$(ls -la /var/spool/cron/crontabs 2>/dev/null)
  if [ -n "$crontabvar" ]; then
    echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar"
    echo -e "\n"
  fi

  # anacron configuration, permissions then contents
  anacronjobs=$(ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null)
  if [ -n "$anacronjobs" ]; then
    echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs"
    echo -e "\n"
  fi

  # anacron timestamps show when each job last ran
  anacrontab=$(ls -la /var/spool/anacron 2>/dev/null)
  if [ -n "$anacrontab" ]; then
    echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab"
    echo -e "\n"
  fi

  # every account's crontab; crontab -u only works for privileged users
  cronother=$(cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null)
  if [ -n "$cronother" ]; then
    echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother"
    echo -e "\n"
  fi

  # systemd timers; --all (thorough mode) also lists inactive units
  if [ "$thorough" = "1" ]; then
    systemdtimers=$(systemctl list-timers --all 2>/dev/null)
    info=""
  else
    # drop the trailing "N timers listed." summary, point at thorough mode instead
    systemdtimers=$(systemctl list-timers 2>/dev/null | head -n -1 2>/dev/null)
    info="\e[2mEnable thorough tests to see inactive timers\e[00m"
  fi
  if [ -n "$systemdtimers" ]; then
    echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info"
    echo -e "\n"
  fi
}
  639. networking_info()
  640. {
  641. echo -e "\e[00;33m### NETWORKING ##########################################\e[00m"
  642.  
  643. #nic information
  644. nicinfo=`/sbin/ifconfig -a 2>/dev/null`
  645. if [ "$nicinfo" ]; then
  646. echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo"
  647. echo -e "\n"
  648. else
  649. :
  650. fi
  651.  
  652. #nic information (using ip)
  653. nicinfoip=`/sbin/ip a 2>/dev/null`
  654. if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then
  655. echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip"
  656. echo -e "\n"
  657. else
  658. :
  659. fi
  660.  
  661. arpinfo=`arp -a 2>/dev/null`
  662. if [ "$arpinfo" ]; then
  663. echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo"
  664. echo -e "\n"
  665. else
  666. :
  667. fi
  668.  
  669. arpinfoip=`ip n 2>/dev/null`
  670. if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then
  671. echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip"
  672. echo -e "\n"
  673. else
  674. :
  675. fi
  676.  
  677. #dns settings
  678. nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null`
  679. if [ "$nsinfo" ]; then
  680. echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo"
  681. echo -e "\n"
  682. else
  683. :
  684. fi
  685.  
  686. nsinfosysd=`systemd-resolve --status 2>/dev/null`
  687. if [ "$nsinfosysd" ]; then
  688. echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd"
  689. echo -e "\n"
  690. else
  691. :
  692. fi
  693.  
  694. #default route configuration
  695. defroute=`route 2>/dev/null | grep default`
  696. if [ "$defroute" ]; then
  697. echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute"
  698. echo -e "\n"
  699. else
  700. :
  701. fi
  702.  
  703. #default route configuration
  704. defrouteip=`ip r 2>/dev/null | grep default`
  705. if [ ! "$defroute" ] && [ "$defrouteip" ]; then
  706. echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip"
  707. echo -e "\n"
  708. else
  709. :
  710. fi
  711.  
  712. #listening TCP
  713. tcpservs=`netstat -antp 2>/dev/null`
  714. if [ "$tcpservs" ]; then
  715. echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs"
  716. echo -e "\n"
  717. else
  718. :
  719. fi
  720.  
  721. tcpservsip=`ss -t 2>/dev/null`
  722. if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then
  723. echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip"
  724. echo -e "\n"
  725. else
  726. :
  727. fi
  728. #listening UDP
  729. udpservs=`netstat -anup 2>/dev/null`
  730. if [ "$udpservs" ]; then
  731. echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs"
  732. echo -e "\n"
  733. else
  734. :
  735. fi
  736.  
  737. udpservsip=`ip -u 2>/dev/null`
  738. if [ ! "$udpservs" ] && [ "$udpservsip" ]; then
  739. echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip"
  740. echo -e "\n"
  741. else
  742. :
  743. fi
  744. }
  745.  
  746. services_info()
  747. {
  748. echo -e "\e[00;33m### SERVICES #############################################\e[00m"
  749.  
  750. #running processes
  751. psaux=`ps aux 2>/dev/null`
  752. if [ "$psaux" ]; then
  753. echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux"
  754. echo -e "\n"
  755. else
  756. :
  757. fi
  758.  
  759. #lookup process binary path and permissisons
  760. procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null`
  761. if [ "$procperm" ]; then
  762. echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm"
  763. echo -e "\n"
  764. else
  765. :
  766. fi
  767.  
  768. if [ "$export" ] && [ "$procperm" ]; then
  769. procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null`
  770. mkdir $format/ps-export/ 2>/dev/null
  771. for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null
  772. else
  773. :
  774. fi
  775.  
  776. #anything 'useful' in inetd.conf
  777. inetdread=`cat /etc/inetd.conf 2>/dev/null`
  778. if [ "$inetdread" ]; then
  779. echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread"
  780. echo -e "\n"
  781. else
  782. :
  783. fi
  784.  
  785. if [ "$export" ] && [ "$inetdread" ]; then
  786. mkdir $format/etc-export/ 2>/dev/null
  787. cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null
  788. else
  789. :
  790. fi
  791.  
  792. #very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each
  793. inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
  794. if [ "$inetdbinperms" ]; then
  795. echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms"
  796. echo -e "\n"
  797. else
  798. :
  799. fi
  800.  
  801. xinetdread=`cat /etc/xinetd.conf 2>/dev/null`
  802. if [ "$xinetdread" ]; then
  803. echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread"
  804. echo -e "\n"
  805. else
  806. :
  807. fi
  808.  
  809. if [ "$export" ] && [ "$xinetdread" ]; then
  810. mkdir $format/etc-export/ 2>/dev/null
  811. cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null
  812. else
  813. :
  814. fi
  815.  
  816. xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null`
  817. if [ "$xinetdincd" ]; then
  818. echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null
  819. echo -e "\n"
  820. else
  821. :
  822. fi
  823.  
  824. #very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each
  825. xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
  826. if [ "$xinetdbinperms" ]; then
  827. echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms"
  828. echo -e "\n"
  829. else
  830. :
  831. fi
  832.  
  833. initdread=`ls -la /etc/init.d 2>/dev/null`
  834. if [ "$initdread" ]; then
  835. echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread"
  836. echo -e "\n"
  837. else
  838. :
  839. fi
  840.  
  841. #init.d files NOT belonging to root!
  842. initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  843. if [ "$initdperms" ]; then
  844. echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms"
  845. echo -e "\n"
  846. else
  847. :
  848. fi
  849.  
  850. rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null`
  851. if [ "$rcdread" ]; then
  852. echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread"
  853. echo -e "\n"
  854. else
  855. :
  856. fi
  857.  
  858. #init.d files NOT belonging to root!
  859. rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  860. if [ "$rcdperms" ]; then
  861. echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms"
  862. echo -e "\n"
  863. else
  864. :
  865. fi
  866.  
  867. usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null`
  868. if [ "$usrrcdread" ]; then
  869. echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread"
  870. echo -e "\n"
  871. else
  872. :
  873. fi
  874.  
  875. #rc.d files NOT belonging to root!
  876. usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  877. if [ "$usrrcdperms" ]; then
  878. echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms"
  879. echo -e "\n"
  880. else
  881. :
  882. fi
  883.  
  884. initread=`ls -la /etc/init/ 2>/dev/null`
  885. if [ "$initread" ]; then
  886. echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread"
  887. echo -e "\n"
  888. else
  889. :
  890. fi
  891.  
  892. # upstart scripts not belonging to root
  893. initperms=`find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  894. if [ "$initperms" ]; then
  895. echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms"
  896. echo -e "\n"
  897. else
  898. :
  899. fi
  900.  
  901. systemdread=`ls -lthR /lib/systemd/ 2>/dev/null`
  902. if [ "$systemdread" ]; then
  903. echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread"
  904. echo -e "\n"
  905. else
  906. :
  907. fi
  908.  
  909. # systemd files not belonging to root
  910. systemdperms=`find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  911. if [ "$systemdperms" ]; then
  912. echo -e "\e[00;31m[-] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms"
  913. echo -e "\n"
  914. else
  915. :
  916. fi
  917. }
  918.  
  919. software_configs()
  920. {
  921. echo -e "\e[00;33m### SOFTWARE #############################################\e[00m"
  922.  
  923. #sudo version - check to see if there are any known vulnerabilities with this
  924. sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null`
  925. if [ "$sudover" ]; then
  926. echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover"
  927. echo -e "\n"
  928. else
  929. :
  930. fi
  931.  
  932. #mysql details - if installed
  933. mysqlver=`mysql --version 2>/dev/null`
  934. if [ "$mysqlver" ]; then
  935. echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver"
  936. echo -e "\n"
  937. else
  938. :
  939. fi
  940.  
  941. #checks to see if root/root will get us a connection
  942. mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null`
  943. if [ "$mysqlconnect" ]; then
  944. echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect"
  945. echo -e "\n"
  946. else
  947. :
  948. fi
  949.  
  950. #mysql version details
  951. mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null`
  952. if [ "$mysqlconnectnopass" ]; then
  953. echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass"
  954. echo -e "\n"
  955. else
  956. :
  957. fi
  958.  
  959. #postgres details - if installed
  960. postgver=`psql -V 2>/dev/null`
  961. if [ "$postgver" ]; then
  962. echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver"
  963. echo -e "\n"
  964. else
  965. :
  966. fi
  967.  
  968. #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
  969. postcon1=`psql -U postgres template0 -c 'select version()' 2>/dev/null | grep version`
  970. if [ "$postcon1" ]; then
  971. echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1"
  972. echo -e "\n"
  973. else
  974. :
  975. fi
  976.  
  977. postcon11=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`
  978. if [ "$postcon11" ]; then
  979. echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11"
  980. echo -e "\n"
  981. else
  982. :
  983. fi
  984.  
  985. postcon2=`psql -U pgsql template0 -c 'select version()' 2>/dev/null | grep version`
  986. if [ "$postcon2" ]; then
  987. echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2"
  988. echo -e "\n"
  989. else
  990. :
  991. fi
  992.  
  993. postcon22=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`
  994. if [ "$postcon22" ]; then
  995. echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22"
  996. echo -e "\n"
  997. else
  998. :
  999. fi
  1000.  
  1001. #apache details - if installed
  1002. apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null`
  1003. if [ "$apachever" ]; then
  1004. echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever"
  1005. echo -e "\n"
  1006. else
  1007. :
  1008. fi
  1009.  
  1010. #what account is apache running under
  1011. apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null`
  1012. if [ "$apacheusr" ]; then
  1013. echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr"
  1014. echo -e "\n"
  1015. else
  1016. :
  1017. fi
  1018.  
  1019. if [ "$export" ] && [ "$apacheusr" ]; then
  1020. mkdir --parents $format/etc-export/apache2/ 2>/dev/null
  1021. cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null
  1022. else
  1023. :
  1024. fi
  1025.  
  1026. #installed apache modules
  1027. apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null`
  1028. if [ "$apachemodules" ]; then
  1029. echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules"
  1030. echo -e "\n"
  1031. else
  1032. :
  1033. fi
  1034.  
  1035. #htpasswd check
  1036. htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null`
  1037. if [ "$htpasswd" ]; then
  1038. echo -e "\e[00;33m[-] htpasswd found - could contain passwords:\e[00m\n$htpasswd"
  1039. echo -e "\n"
  1040. else
  1041. :
  1042. fi
  1043.  
  1044. #anything in the default http home dirs (changed to thorough as can be large)
  1045. if [ "$thorough" = "1" ]; then
  1046. apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null`
  1047. if [ "$apachehomedirs" ]; then
  1048. echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs"
  1049. echo -e "\n"
  1050. else
  1051. :
  1052. fi
  1053. fi
  1054.  
  1055. }
  1056.  
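#######################################
# Print one report section, but only when it has something to show.
# Arguments: $1 - ANSI colour code for the heading (the script uses 00;31 for
#                 informational "[-]" items and 00;33 for notable "[+]" items)
#            $2 - heading text
#            $3 - section body; when empty nothing at all is printed
# Outputs:   coloured heading, the body on the following lines, then a blank
#            line on stdout (same byte layout as the former inline echoes)
#######################################
_if_section() {
  local colour="$1" heading="$2" body="$3"
  if [ "$body" ]; then
    echo -e "\e[${colour}m${heading}\e[00m\n${body}"
    echo -e "\n"
  fi
}

#######################################
# Copy a list of files into a sub-directory of the export area.
# Arguments: $1 - sub-directory to create under $format
#            $2 - whitespace-separated file list; it is word-split on purpose
#                 because the callers pass raw find/ls output.  Tokens that are
#                 not paths (ls columns, file contents) fail to copy and are
#                 ignored, exactly as the former inline loops behaved.
#            $3 - optional extra cp flag, e.g. --parents
# Globals:   format (read) - export root; nothing is copied when it is empty
#            (previously an empty $format created directories under "/")
# Returns:   0; copy errors are discarded as before
#######################################
_if_export_list() {
  local subdir="$1" list="$2" cpflag="${3:-}"
  local dest item
  [ "$format" ] || return 0
  dest="$format/$subdir/"
  mkdir --parents "$dest" 2>/dev/null
  # shellcheck disable=SC2086 -- $list is split on purpose, $cpflag is empty or one flag
  for item in $list; do
    cp $cpflag -- "$item" "$dest"
  done 2>/dev/null
  return 0
}

#######################################
# Copy a single known file into a sub-directory of the export area.
# Arguments: $1 - source path, $2 - sub-directory under $format
# Globals:   format (read) - export root; nothing is copied when it is empty
# Returns:   0; copy errors are discarded as before
#######################################
_if_export_file() {
  local src="$1" subdir="$2"
  [ "$format" ] || return 0
  mkdir --parents "$format/$subdir/" 2>/dev/null
  cp -- "$src" "$format/$subdir/" 2>/dev/null
  return 0
}

#######################################
# Grep the -k keyword through files of one extension and report the hits.
# Arguments: $1 - extension without the dot (conf, php, log, ini)
#            $2 - find -maxdepth to use
#            $3 - sub-directory of keyword_file_matches/ for exported copies
# Globals:   keyword (read) - search string; an empty value skips the search
#            export (read)  - non-empty enables copying of the matching files
# Outputs:   hits as filepath:line:text, or a "not found" message, on stdout
#######################################
_if_keyword_search() {
  local ext="$1" depth="$2" subdir="$3"
  local matches files
  if [ "$keyword" = "" ]; then
    echo -e "[-] Can't search *.$ext files as no keyword was entered\n"
    return 0
  fi
  # The glob is quoted so a matching file in the current directory cannot
  # expand it, and the keyword follows "--" so a value starting with "-" is
  # treated as a pattern rather than a grep option.
  matches=$(find / -maxdepth "$depth" -name "*.$ext" -type f -exec grep -Hn -- "$keyword" {} \; 2>/dev/null)
  if [ "$matches" ]; then
    echo -e "\e[00;31m[-] Find keyword ($keyword) in .$ext files (recursive $depth levels - output format filepath:identified line number where keyword appears):\e[00m\n$matches"
    echo -e "\n"
  else
    echo -e "\e[00;31m[-] Find keyword ($keyword) in .$ext files (recursive $depth levels):\e[00m"
    echo -e "'$keyword' not found in any .$ext files"
    echo -e "\n"
  fi
  if [ "$export" ] && [ "$matches" ]; then
    files=$(find / -maxdepth "$depth" -name "*.$ext" -type f -exec grep -l -- "$keyword" {} \; 2>/dev/null)
    _if_export_list "keyword_file_matches/$subdir" "$files" --parents
  fi
  return 0
}

#######################################
# "INTERESTING FILES" report section: tool locations, compilers, permissions
# of the account databases, SUID/SGID/capability/world-writable inventories
# (only with -t), .plan/.rhosts/hosts.equiv files, NFS and fstab settings,
# keyword hits in *.conf/*.php/*.log/*.ini (only with -k), shell history and
# mail spools.
# Globals:   thorough (read) - "1" enables the slow whole-filesystem scans
#            export (read)   - non-empty enables copying findings to $format
#            format (read)   - export directory root
#            keyword (read)  - string to grep for; searches are skipped if empty
#            binarylist (read) - grep -w pattern of binaries worth a closer look;
#                       assumed to be set earlier in the script
#            findsuid, findguid, fileswithcaps, userswithcaps, wwfiles,
#            usrplan, rhostsusr, fstab, usrhist, roothist and the other
#            per-check result variables are written as globals, as before
# Outputs:   report text on stdout; every probe's stderr is discarded
#######################################
interesting_files() {
  local tool f

  echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m"

  # Presence of commonly used network/build tools; absent ones print nothing.
  echo -e "\e[00;31m[-] Useful file locations:\e[00m"
  for tool in nc netcat wget nmap gcc curl; do
    which "$tool" 2>/dev/null
  done
  echo -e "\n"

  # Limited search for installed compilers.  The two package managers are now
  # queried independently: the former "&&" meant yum was only consulted when
  # dpkg had succeeded, so RPM-based hosts never got a compiler listing.
  compiler=$(dpkg --list 2>/dev/null | grep compiler | grep -v decompiler 2>/dev/null; yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null)
  _if_section "00;31" "[-] Installed compilers:" "$compiler"

  # Manual check: permissions of the account databases and login profile.
  echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m"
  for f in /etc/passwd /etc/group /etc/profile /etc/shadow /etc/master.passwd; do
    ls -la "$f" 2>/dev/null
  done
  echo -e "\n"

  # Whole-filesystem scans are slow, so everything in this branch (SUID, SGID,
  # capabilities and world-writable files) only runs with the -t switch.
  if [ "$thorough" = "1" ]; then
    findsuid=$(find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;)
    _if_section "00;31" "[-] SUID files:" "$findsuid"
    if [ "$export" ] && [ "$findsuid" ]; then
      _if_export_list "suid-files" "$findsuid"
    fi

    # Entries whose name is on the curated $binarylist pattern.
    intsuid=$(find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w -- "$binarylist" 2>/dev/null)
    _if_section "00;33" "[+] Possibly interesting SUID files:" "$intsuid"

    wwsuid=$(find / -perm -4007 -type f -exec ls -la {} 2>/dev/null \;)
    _if_section "00;33" "[+] World-writable SUID files:" "$wwsuid"

    wwsuidrt=$(find / -uid 0 -perm -4007 -type f -exec ls -la {} 2>/dev/null \;)
    _if_section "00;33" "[+] World-writable SUID files owned by root:" "$wwsuidrt"

    findguid=$(find / -perm -2000 -type f -exec ls -la {} 2>/dev/null \;)
    _if_section "00;31" "[-] GUID files:" "$findguid"
    if [ "$export" ] && [ "$findguid" ]; then
      _if_export_list "guid-files" "$findguid"
    fi

    intguid=$(find / -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w -- "$binarylist" 2>/dev/null)
    _if_section "00;33" "[+] Possibly interesting GUID files:" "$intguid"

    wwguid=$(find / -perm -2007 -type f -exec ls -la {} 2>/dev/null \;)
    _if_section "00;33" "[+] World-writable GUID files:" "$wwguid"

    wwguidrt=$(find / -uid 0 -perm -2007 -type f -exec ls -la {} 2>/dev/null \;)
    _if_section "00;33" "[+] World-writable GUID files owned by root:" "$wwguidrt"

    # getcap may live outside PATH for unprivileged users, hence the fallback.
    fileswithcaps=$(getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null)
    _if_section "00;31" "[+] Files with POSIX capabilities set:" "$fileswithcaps"
    if [ "$export" ] && [ "$fileswithcaps" ]; then
      _if_export_list "files_with_capabilities" "$fileswithcaps"
    fi

    # Per-user capability grants, minus comments, "none" entries and blanks.
    userswithcaps=$(grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null)
    _if_section "00;33" "[+] Users with specific POSIX capabilities:" "$userswithcaps"

    if [ "$userswithcaps" ]; then
      # capability.conf lines naming the current user, first column only
      matchedcaps=$(echo -e "$userswithcaps" | grep -- "$(whoami)" | awk '{print $1}' 2>/dev/null)
      if [ "$matchedcaps" ]; then
        _if_section "00;33" "[+] Capabilities associated with the current user:" "$matchedcaps"
        # files whose capability set mentions any of those capability names
        matchedfiles=$(echo -e "$matchedcaps" | while read -r cap; do echo -e "$fileswithcaps" | grep -- "$cap"; done 2>/dev/null)
        if [ "$matchedfiles" ]; then
          _if_section "00;33" "[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):" "$matchedfiles"
          matchedfilesperms=$(echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la -- "$f"; done 2>/dev/null)
          # This heading used to be printed even when empty; it now follows
          # the same "only when non-empty" rule as every other section.
          _if_section "00;33" "[+] Permissions of files with the same capabilities associated with the current user:" "$matchedfilesperms"
          if [ "$matchedfilesperms" ]; then
            writablematchedfiles=$(echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find "$f" -writable -exec ls -la {} +; done 2>/dev/null)
            _if_section "00;33" "[+] User/Group writable files with the same capabilities associated with the current user:" "$writablematchedfiles"
          fi
        fi
      fi
    fi

    wwfiles=$(find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;)
    _if_section "00;31" "[-] World-writable files (excluding /proc and /sys):" "$wwfiles"
    if [ "$export" ] && [ "$wwfiles" ]; then
      _if_export_list "ww-files" "$wwfiles" --parents
    fi
  fi

  # .plan files under the Linux and BSD home directory roots.
  usrplan=$(find /home -iname '*.plan' -exec ls -la {} \; -exec cat {} 2>/dev/null \;)
  _if_section "00;31" "[-] Plan file permissions and contents:" "$usrplan"
  if [ "$export" ] && [ "$usrplan" ]; then
    _if_export_list "plan_files" "$usrplan" --parents
  fi

  bsdusrplan=$(find /usr/home -iname '*.plan' -exec ls -la {} \; -exec cat {} 2>/dev/null \;)
  _if_section "00;31" "[-] Plan file permissions and contents:" "$bsdusrplan"
  if [ "$export" ] && [ "$bsdusrplan" ]; then
    _if_export_list "plan_files" "$bsdusrplan" --parents
  fi

  # .rhosts / hosts.equiv trust files: these grant logins without a password.
  rhostsusr=$(find /home -iname '*.rhosts' -exec ls -la {} \; -exec cat {} 2>/dev/null \;)
  _if_section "00;33" "[+] rhost config file(s) and file contents:" "$rhostsusr"
  if [ "$export" ] && [ "$rhostsusr" ]; then
    _if_export_list "rhosts" "$rhostsusr" --parents
  fi

  bsdrhostsusr=$(find /usr/home -iname '*.rhosts' -exec ls -la {} \; -exec cat {} 2>/dev/null \;)
  _if_section "00;33" "[+] rhost config file(s) and file contents:" "$bsdrhostsusr"
  if [ "$export" ] && [ "$bsdrhostsusr" ]; then
    _if_export_list "rhosts" "$bsdrhostsusr" --parents
  fi

  rhostssys=$(find /etc -iname hosts.equiv -exec ls -la {} \; -exec cat {} 2>/dev/null \;)
  _if_section "00;33" "[+] Hosts.equiv file and contents: " "$rhostssys"
  if [ "$export" ] && [ "$rhostssys" ]; then
    _if_export_list "rhosts" "$rhostssys" --parents
  fi

  # NFS exports: permissions plus contents.
  nfsexports=$(ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null)
  _if_section "00;31" "[-] NFS config details: " "$nfsexports"
  if [ "$export" ] && [ "$nfsexports" ]; then
    _if_export_file /etc/exports "etc-export"
  fi

  # Full fstab only in thorough mode (it can be long).
  if [ "$thorough" = "1" ]; then
    fstabcontents=$(cat /etc/fstab 2>/dev/null)
    _if_section "00;31" "[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems" "$fstabcontents"
  fi

  # Credential-looking mount options (username=, password=, domain=) in fstab.
  # One loop replaces three near-identical pipelines; "opt" only lives in the
  # command-substitution subshell.
  fstab=$(
    for opt in username password domain; do
      grep "$opt" /etc/fstab 2>/dev/null | awk -v opt="$opt" '{sub(".*" opt "=", ""); sub(/,.*/, "")}1' 2>/dev/null | xargs -r echo "$opt:" 2>/dev/null
    done
  )
  _if_section "00;33" "[+] Looks like there are credentials in /etc/fstab!" "$fstab"
  if [ "$export" ] && [ "$fstab" ]; then
    # The former command carried a stray "done" word, which made cp treat it
    # as the target directory and fail silently, so fstab was never exported.
    # Directory name also aligned with the etc-export/ used elsewhere.
    _if_export_file /etc/fstab "etc-export"
  fi

  # A credentials= mount option names a separate file; list and show it.
  # The path is handed to sh as a positional parameter instead of being
  # spliced into the command string, so it is never parsed as shell syntax.
  fstabcred=$(grep cred /etc/fstab 2>/dev/null | awk '{sub(/.*credentials=/,"");sub(/,.*/,"")}1' 2>/dev/null | xargs -r -I{} sh -c 'ls -la -- "$1"; cat -- "$1"' _ {} 2>/dev/null)
  _if_section "00;33" "[+] /etc/fstab contains a credentials file!" "$fstabcred"
  if [ "$export" ] && [ "$fstabcred" ]; then
    _if_export_file /etc/fstab "etc-export"
  fi

  # Keyword searches (skipped with a message when -k was not supplied).  The
  # .ini search formerly overwrote its own match list with the file list
  # before exporting; each search now keeps the two separate.
  _if_keyword_search conf 4 config_files
  _if_keyword_search php 10 php_files
  _if_keyword_search log 4 log_files
  _if_keyword_search ini 4 ini_files

  # Quick listing of *.conf files directly under /etc.
  allconf=$(find /etc/ -maxdepth 1 -name '*.conf' -type f -exec ls -la {} \; 2>/dev/null)
  _if_section "00;31" "[-] All *.conf files in /etc (recursive 1 level):" "$allconf"
  if [ "$export" ] && [ "$allconf" ]; then
    _if_export_list "conf-files" "$allconf" --parents
  fi

  # Shell history files of the current user and of root.
  usrhist=$(ls -la ~/.*_history 2>/dev/null)
  _if_section "00;31" "[-] Current user's history files:" "$usrhist"
  if [ "$export" ] && [ "$usrhist" ]; then
    _if_export_list "history_files" "$usrhist" --parents
  fi

  roothist=$(ls -la /root/.*_history 2>/dev/null)
  _if_section "00;33" "[+] Root's history files are accessible!" "$roothist"
  if [ "$export" ] && [ "$roothist" ]; then
    _if_export_list "history_files" "$roothist"
  fi

  checkbashhist=$(find /home -name .bash_history -print -exec cat {} 2>/dev/null \;)
  _if_section "00;31" "[-] Location and contents (if accessible) of .bash_history file(s):" "$checkbashhist"

  # Mail spools: directory listing, then the first lines of root's spool.
  readmail=$(ls -la /var/mail 2>/dev/null)
  _if_section "00;31" "[-] Any interesting mail in /var/mail:" "$readmail"

  readmailroot=$(head /var/mail/root 2>/dev/null)
  _if_section "00;33" "[+] We can read /var/mail/root! (snippet below)" "$readmailroot"
  if [ "$export" ] && [ "$readmailroot" ]; then
    # Kept as before: the snippet text, not a path, is what gets passed here,
    # so this copies nothing unless a word of the snippet is itself a path.
    _if_export_list "mail-from-root" "$readmailroot"
  fi
}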
  1627.  
#######################################
# Docker checks: container marker, host daemon, docker group membership and
# the location of Dockerfile / docker-compose.yml files.
# Globals:   dockercontainer, dockerhost, dockergrp, dockerfiles, dockeryml
#            (written) - kept global, as before
# Outputs:   one coloured section per non-empty result on stdout
#######################################
docker_checks() {
  # inside a container: cgroup mentions docker, or a .dockerenv marker exists
  dockercontainer=$(grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null)
  if [ -n "$dockercontainer" ]; then
    echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
    echo -e "\n"
  fi

  # hosting docker: the client answers and can list containers
  dockerhost=$(docker --version 2>/dev/null; docker ps -a 2>/dev/null)
  if [ -n "$dockerhost" ]; then
    echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
    echo -e "\n"
  fi

  # docker group membership of the current user
  dockergrp=$(id | grep -i docker 2>/dev/null)
  if [ -n "$dockergrp" ]; then
    echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
    echo -e "\n"
  fi

  # build and compose definitions anywhere on disk
  dockerfiles=$(find / -name Dockerfile -exec ls -l {} 2>/dev/null \;)
  if [ -n "$dockerfiles" ]; then
    echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
    echo -e "\n"
  fi

  dockeryml=$(find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;)
  if [ -n "$dockeryml" ]; then
    echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
    echo -e "\n"
  fi
}
  1675.  
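#######################################
# LXC/LXD checks: is PID 1's environment marked container=lxc, and is the
# current user in the lxd group.
# Globals:   lxccontainer, lxdgroup (written) - kept global, as before
# Outputs:   one coloured section per positive result on stdout
# Returns:   0
#######################################
lxc_container_checks() {
  # /proc/1/environ is NUL-separated, so split it first and let grep print the
  # matching variable.  The previous "grep -q" printed nothing by design, which
  # left $lxccontainer always empty and the container section never appeared.
  lxccontainer=$(tr '\0' '\n' 2>/dev/null < /proc/1/environ | grep -a 'container=lxc')
  if [ "$lxccontainer" ]; then
    echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer"
    echo -e "\n"
  fi

  # lxd group membership of the current user
  lxdgroup=$(id | grep -i lxd 2>/dev/null)
  if [ "$lxdgroup" ]; then
    echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup"
    echo -e "\n"
  fi
  return 0
}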
  1692.  
#######################################
# Print the closing banner of the report.
# Outputs: the coloured "SCAN COMPLETE" line on stdout
#######################################
footer() {
  printf '\e[00;33m### SCAN COMPLETE ####################################\e[00m\n'
}
  1697.  
#######################################
# Run every report section in order, header first and footer last.
# Outputs: whatever each section prints, on stdout
# Returns: the status of the last section (footer)
#######################################
call_each() {
  local step
  for step in header debug_info system_info user_info environmental_info \
      job_info networking_info services_info software_configs \
      interesting_files docker_checks lxc_container_checks footer; do
    "$step"
  done
}
  1714.  
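# Command-line switches: -k keyword, -r report name (the date is appended),
# -e export directory, -s (sets sudopass), -t thorough, -h help.
# -h takes no argument: the former "h:" spec made a bare -h fall into the
# "missing argument" case instead of reaching the h) branch directly.
while getopts "hk:r:e:st" option; do
  case "${option}" in
    k) keyword=${OPTARG};;
    r) report="${OPTARG}-$(date +"%d-%m-%y")";;
    e) export=${OPTARG};;
    s) sudopass=1;;
    t) thorough=1;;
    h) usage; exit;;
    *) usage; exit;;
  esac
done

# Run the report; with -r it is also appended to the dated report file.  The
# filename is quoted so a path containing spaces works, and tee is only used
# when there is a file to write (an empty name would make tee error out).
if [ "$report" ]; then
  call_each | tee -a -- "$report" 2>/dev/null
else
  call_each
fi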