  1. #!/bin/bash
  2.  
  3. # ...----....
  4. # ..-:"'' ''"-..
  5. # .-' '-.
  6. # .' . . '.
  7. # .' . . . . .''.
  8. # .' . . . . . . . ..:.
  9. # .' . . . . . . .. . . ....::.
  10. # .. . . . . . . .. . ....:IA.
  11. # .: . . . . . . .. . .. .. ....:IA.
  12. # .: . . .. . . . . .. . ... ....:.:VHA.
  13. # '.. . .. . . . . .. . .. . .....:.::IHHB.
  14. # .:. . . . . . . . . . . ...:.:... .......:HIHMM.
  15. # .:.... . . ."::"'.. . . . .:.:.:II;,. .. ..:IHIMMA
  16. # ':.:.. ..::IHHHHHI::. . . ...:.::::.,,,. . ....VIMMHM
  17. # .:::I. .AHHHHHHHHHHAI::. .:...,:IIHHHHHHMMMHHL:. . VMMMM
  18. # .:.:V.:IVHHHHHHHMHMHHH::..:" .:HIHHHHHHHHHHHHHMHHA. .VMMM.
  19. # :..V.:IVHHHHHMMHHHHHHHB... . .:VPHHMHHHMMHHHHHHHHHAI.:VMMI
  20. # ::V..:VIHHHHHHMMMHHHHHH. . .I":IIMHHMMHHHHHHHHHHHAPI:WMM
  21. # ::". .:.HHHHHHHHMMHHHHHI. . .:..I:MHMMHHHHHHHHHMHV:':H:WM
  22. # :: . :.::IIHHHHHHMMHHHHV .ABA.:.:IMHMHMMMHMHHHHV:'. .IHWW
  23. # '. ..:..:.:IHHHHHMMHV" .AVMHMA.:.'VHMMMMHHHHHV:' . :IHWV
  24. # :. .:...:".:.:TPP" .AVMMHMMA.:. "VMMHHHP.:... .. :IVAI
  25. # .:. '... .:"' . ..HMMMHMMMA::. ."VHHI:::.... .:IHW'
  26. # ... . . ..:IIPPIH: ..HMMMI.MMMV:I:. .:ILLH:.. ...:I:IM
  27. # : . .'"' .:.V". .. . :HMMM:IMMMI::I. ..:HHIIPPHI::'.P:HM.
  28. # :. . . .. ..:.. . :AMMM IMMMM..:...:IV":T::I::.".:IHIMA
  29. # 'V:.. .. . .. . . . 'VMMV..VMMV :....:V:.:..:....::IHHHMH
  30. # "IHH:.II:.. .:. . . . . " :HB"" . . ..PI:.::.:::..:IHHMMV"
  31. # :IP""HHII:. . . . . .'V:. . . ..:IH:.:.::IHIHHMMMMM"
  32. # :V:. VIMA:I.. . . . .. . . .:.I:I:..:IHHHHMMHHMMM
  33. # :"VI:.VWMA::. .: . .. .:. ..:.I::.:IVHHHMMMHMMMMI
  34. # :."VIIHHMMA:. . . .: .:.. . .:.II:I:AMMMMMMHMMMMMI
  35. # :..VIHIHMMMI...::.,:.,:!"I:!"I!"I!"V:AI:VAMMMMMMHMMMMMM'
  36. # ':.:HIHIMHHA:"!!"I.:AXXXVVXXXXXXXA:."HPHIMMMMHHMHMMMMMV
  37. # V:H:I:MA:W'I :AXXXIXII:IIIISSSSSSXXA.I.VMMMHMHMMMMMM
  38. # 'I::IVA ASSSSXSSSSBBSBMBSSSSSSBBMMMBS.VVMMHIMM'"'
  39. # I:: VPAIMSSSSSSSSSBSSSMMBSSSBBMMMMXXI:MMHIMMI
  40. # .I::. "H:XIIXBBMMMMMMMMMMMMMMMMMBXIXXMMPHIIMM'
  41. # :::I. ':XSSXXIIIIXSSBMBSSXXXIIIXXSMMAMI:.IMM
  42. # :::I:. .VSSSSSISISISSSBII:ISSSSBMMB:MI:..:MM
  43. # ::.I:. ':"SSSSSSSISISSXIIXSSSSBMMB:AHI:..MMM.
  44. # ::.I:. . ..:"BBSSSSSSSSSSSSBBBMMMB:AHHI::.HMMI
  45. # :..::. . ..::":BBBBBSSBBBMMMB:MMMMHHII::IHHMI
  46. # ':.I:... ....:IHHHHHMMMMMMMMMMMMMMMHHIIIIHMMV"
  47. # "V:. ..:...:.IHHHMMMMMMMMMMMMMMMMHHHMHHMHP'
  48. # ':. .:::.:.::III::IHHHHMMMMMHMHMMHHHHM"
  49. # "::....::.:::..:..::IIIIIHHHHMMMHHMV"
  50. # "::.::.. .. . ...:::IIHHMMMMHMV"
  51. # "V::... . .I::IHHMMV"'
  52. # '"VHVHHHAHHHHMMV:"'
  53. #
  54. # ___
  55. # / _ \
  56. # ______ _ ___ / /_\ \_ __
  57. # |_ / _` |/ _ \ | _ | '_ \
  58. # / / (_| | (_) || | | | | | |
  59. # /___\__,_|\___/ \_| |_/_| |_|
  60. # ______
  61. # |______|
  62. #
  63. # Linux post-exploitation enumeration (LinEnum-derived): run it on the target after you already have a shell - https://youtu.be/3OIrSfqEAKc
  64.  
header()
{
  # Print the three-line banner shown at the top of every run:
  # a red bar, the yellow title framed by red '#', and the bar again.
  local red=$'\033[00;31m' yellow=$'\033[00;33m' reset=$'\033[00m'
  local bar='#########################################################'
  printf '\n%s%s%s\n' "$red" "$bar" "$reset"
  printf '%s#%s %sLinux Post-Exploitation Script%s %s#%s\n' \
    "$red" "$reset" "$yellow" "$reset" "$red" "$reset"
  printf '%s%s%s\n' "$red" "$bar" "$reset"
}
  71.  
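debug_info()
{
  # Print the run configuration, create the export directory when requested
  # and prompt for a sudo password when requested.
  # Globals read:    keyword, report, export, thorough, sudopass
  # Globals written: format (this run's export directory), userpassword, who
  local yel=$'\033[00;33m' mag=$'\033[00;35m' off=$'\033[00m'
  echo "[-] Debug Info"

  if [ -n "$keyword" ]; then
    echo "[+] Searching for the keyword $keyword in conf, php, ini and log files"
  fi

  if [ -n "$report" ]; then
    echo "[+] Report name = $report"
  fi

  if [ -n "$export" ]; then
    echo "[+] Export location = $export"
  fi

  if [ -n "$thorough" ]; then
    echo "[+] Thorough tests = Enabled"
  else
    printf '%s[+] Thorough tests = Disabled (SUID/GUID checks will not be perfomed!)%s\n' "$yel" "$off"
  fi

  sleep 2

  if [ -n "$export" ]; then
    # The export tree receives copies of /etc/shadow, sudoers, SSH keys and
    # similar loot, so it is created owner-only (0700) instead of inheriting
    # the caller's umask; -p also tolerates a missing parent directory.
    mkdir -p -m 700 -- "$export" 2>/dev/null
    format="$export/LinEnum-export-$(date +"%d-%m-%y")"
    mkdir -p -m 700 -- "$format" 2>/dev/null
  fi

  if [ -n "$sudopass" ]; then
    printf '%s[+] Please enter password%s\n' "$mag" "$off"
    # -r keeps backslashes in the password intact; -s suppresses the echo
    read -r -s userpassword
    echo
  fi

  who=$(whoami 2>/dev/null)
  printf '\n\n'

  printf '%sScan started at:\n' "$yel"; date
  printf '%s\n\n' "$off"
}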
  124.  
  125. binarylist='nmap\|perl\|awk\|find\|bash\|sh\|man\|more\|less\|vi\|emacs\|vim\|nc\|netcat\|python\|ruby\|lua\|irb\|tar\|zip\|gdb\|pico\|scp\|git\|rvim\|script\|ash\|csh\|curl\|dash\|ed\|env\|expect\|ftp\|sftp\|node\|php\|rpm\|rpmquery\|socat\|strace\|taskset\|tclsh\|telnet\|tftp\|wget\|wish\|zsh\|ssh'
  126.  
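system_info()
{
  # Kernel, distribution and hostname details.
  # Gathered text is printed through printf '%s' rather than `echo -e`, so
  # backslash sequences inside the data (possible in /etc/*-release strings)
  # are shown verbatim instead of being expanded as escapes.
  # Globals written: unameinfo, procver, release, hostnamed (as before).
  local red=$'\033[00;31m' yel=$'\033[00;33m' off=$'\033[00m'
  printf '%s### SYSTEM ##############################################%s\n' "$yel" "$off"

  # basic kernel info
  unameinfo=$(uname -a 2>/dev/null)
  if [ -n "$unameinfo" ]; then
    printf '%s[-] Kernel information:%s\n%s\n\n\n' "$red" "$off" "$unameinfo"
  fi

  procver=$(cat /proc/version 2>/dev/null)
  if [ -n "$procver" ]; then
    printf '%s[-] Kernel information (continued):%s\n%s\n\n\n' "$red" "$off" "$procver"
  fi

  # search all *-release files for version info
  release=$(cat /etc/*-release 2>/dev/null)
  if [ -n "$release" ]; then
    printf '%s[-] Specific release information:%s\n%s\n\n\n' "$red" "$off" "$release"
  fi

  # target hostname info
  hostnamed=$(hostname 2>/dev/null)
  if [ -n "$hostnamed" ]; then
    printf '%s[-] Hostname:%s\n%s\n\n\n' "$red" "$off" "$hostnamed"
  fi
}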
  166.  
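user_info()
{
  # Account, group, credential-store, sudo, home-directory and SSH checks.
  # Globals read:    export, format, thorough, sudopass, userpassword, binarylist
  # Globals written: the per-check result variables below (kept global as in
  #                  the original); sudoperms is reused by the later sudo checks.
  # Gathered text is printed through printf '%s' rather than `echo -e`, so
  # backslashes in /etc/passwd GECOS fields, sudoers line continuations etc.
  # are not re-interpreted as escape sequences.
  local red=$'\033[00;31m' yel=$'\033[00;33m' off=$'\033[00m'
  local f
  printf '%s### USER/GROUP ##########################################%s\n' "$yel" "$off"

  # current user details
  currusr=$(id 2>/dev/null)
  if [ -n "$currusr" ]; then
    printf '%s[-] Current user/group info:%s\n%s\n\n\n' "$red" "$off" "$currusr"
  fi

  # last logged on user information
  lastlogedonusrs=$(lastlog 2>/dev/null | grep -v "Never" 2>/dev/null)
  if [ -n "$lastlogedonusrs" ]; then
    printf '%s[-] Users that have previously logged onto the system:%s\n%s\n\n\n' "$red" "$off" "$lastlogedonusrs"
  fi

  # who else is logged on
  loggedonusrs=$(w 2>/dev/null)
  if [ -n "$loggedonusrs" ]; then
    printf '%s[-] Who else is logged on:%s\n%s\n\n\n' "$red" "$off" "$loggedonusrs"
  fi

  # lists all id's and respective group(s)
  grpinfo=$(for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null); do id "$i"; done 2>/dev/null)
  if [ -n "$grpinfo" ]; then
    printf '%s[-] Group memberships:%s\n%s\n\n\n' "$red" "$off" "$grpinfo"
  fi

  # added by phackt - look for adm group (thanks patrick)
  adm_users=$(printf '%s\n' "$grpinfo" | grep "(adm)")
  if [ -n "$adm_users" ]; then
    printf '%s[-] It looks like we have some admin users:%s\n%s\n\n\n' "$red" "$off" "$adm_users"
  fi

  # checks to see if any hashes are stored in /etc/passwd (deprecated *nix storage method)
  # NB: this matches every second field that does not start with 'x', so locked
  # ('!' / '*') entries are listed too - read the output rather than the heading.
  hashesinpasswd=$(grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null)
  if [ -n "$hashesinpasswd" ]; then
    printf '%s[+] It looks like we have password hashes in /etc/passwd!%s\n%s\n\n\n' "$yel" "$off" "$hashesinpasswd"
  fi

  # contents of /etc/passwd
  readpasswd=$(cat /etc/passwd 2>/dev/null)
  if [ -n "$readpasswd" ]; then
    printf '%s[-] Contents of /etc/passwd:%s\n%s\n\n\n' "$red" "$off" "$readpasswd"
  fi

  if [ -n "$export" ] && [ -n "$readpasswd" ]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp /etc/passwd "$format/etc-export/passwd" 2>/dev/null
  fi

  # checks to see if the shadow file can be read
  readshadow=$(cat /etc/shadow 2>/dev/null)
  if [ -n "$readshadow" ]; then
    printf '%s[+] We can read the shadow file!%s\n%s\n\n\n' "$yel" "$off" "$readshadow"
  fi

  if [ -n "$export" ] && [ -n "$readshadow" ]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp /etc/shadow "$format/etc-export/shadow" 2>/dev/null
  fi

  # checks to see if /etc/master.passwd can be read - BSD 'shadow' variant
  readmasterpasswd=$(cat /etc/master.passwd 2>/dev/null)
  if [ -n "$readmasterpasswd" ]; then
    printf '%s[+] We can read the master.passwd file!%s\n%s\n\n\n' "$yel" "$off" "$readmasterpasswd"
  fi

  if [ -n "$export" ] && [ -n "$readmasterpasswd" ]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp /etc/master.passwd "$format/etc-export/master.passwd" 2>/dev/null
  fi

  # all root accounts (uid 0)
  superman=$(grep -v -E "^#" /etc/passwd 2>/dev/null | awk -F: '$3 == 0 { print $1}' 2>/dev/null)
  if [ -n "$superman" ]; then
    printf '%s[-] Super user account(s):%s\n%s\n\n\n' "$red" "$off" "$superman"
  fi

  # pull out vital sudoers info
  sudoers=$(grep -v -e '^$' /etc/sudoers 2>/dev/null | grep -v "#" 2>/dev/null)
  if [ -n "$sudoers" ]; then
    # the original omitted the newline after the heading, gluing the first rule onto it
    printf '%s[-] Sudoers configuration (condensed):%s\n%s\n\n\n' "$red" "$off" "$sudoers"
  fi

  if [ -n "$export" ] && [ -n "$sudoers" ]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp /etc/sudoers "$format/etc-export/sudoers" 2>/dev/null
  fi

  # can we sudo without supplying a password
  # NB: every `sudo -S` probe is a real authentication attempt; a failed one is
  # normally recorded in the host's auth log, so these checks are not quiet.
  sudoperms=$(echo '' | sudo -S -l -k 2>/dev/null)
  if [ -n "$sudoperms" ]; then
    printf '%s[+] We can sudo without supplying a password!%s\n%s\n\n\n' "$yel" "$off" "$sudoperms"
  fi

  # check sudo perms - authenticated
  # The password goes to sudo on stdin via printf, not `echo $var`: unquoted
  # echo word-splits and glob-expands it and treats a leading -n/-e as options.
  # It is never placed on a command line, so it does not show up in `ps`.
  sudoauth=''
  if [ -n "$sudopass" ] && [ -z "$sudoperms" ]; then
    sudoauth=$(printf '%s\n' "$userpassword" | sudo -S -l -k 2>/dev/null)
    if [ -n "$sudoauth" ]; then
      printf '%s[+] We can sudo when supplying a password!%s\n%s\n\n\n' "$yel" "$off" "$sudoauth"
    fi
  fi

  ## known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated
  # Reuses the `sudo -l` output captured above instead of authenticating a
  # second time (one auth attempt, one log entry).
  if [ -n "$sudopass" ] && [ -z "$sudoperms" ] && [ -n "$sudoauth" ]; then
    sudopermscheck=$(printf '%s\n' "$sudoauth" | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w "$binarylist" 2>/dev/null)
    if [ -n "$sudopermscheck" ]; then
      printf '%s[-] Possible sudo pwnage!%s\n%s\n\n\n' "$yel" "$off" "$sudopermscheck"
    fi
  fi

  # known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)
  sudopwnage=''
  if [ -n "$sudoperms" ]; then
    sudopwnage=$(printf '%s\n' "$sudoperms" | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w "$binarylist" 2>/dev/null)
  fi
  if [ -n "$sudopwnage" ]; then
    printf '%s[+] Possible sudo pwnage!%s\n%s\n\n\n' "$yel" "$off" "$sudopwnage"
  fi

  # who has sudoed in the past
  whohasbeensudo=$(find /home -name .sudo_as_admin_successful 2>/dev/null)
  if [ -n "$whohasbeensudo" ]; then
    printf '%s[-] Accounts that have recently used sudo:%s\n%s\n\n\n' "$red" "$off" "$whohasbeensudo"
  fi

  # checks to see if roots home directory is accessible
  rthmdir=$(ls -ahl /root/ 2>/dev/null)
  if [ -n "$rthmdir" ]; then
    printf '%s[+] We can read root'"'"'s home directory!%s\n%s\n\n\n' "$yel" "$off" "$rthmdir"
  fi

  # displays /home directory permissions - check if any are lax
  homedirperms=$(ls -ahl /home/ 2>/dev/null)
  if [ -n "$homedirperms" ]; then
    printf '%s[-] Are permissions on /home directories lax:%s\n%s\n\n\n' "$red" "$off" "$homedirperms"
  fi

  # looks for files we can write to that don't belong to us
  # NB: -writable matches anything we may write (owner, group or other bit),
  # so the heading below is narrower than the test actually performed.
  if [ "$thorough" = "1" ]; then
    grfilesall=$(find / -writable ! -user "$(whoami)" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null)
    if [ -n "$grfilesall" ]; then
      printf '%s[-] Files not owned by user but writable by group:%s\n%s\n\n\n' "$red" "$off" "$grfilesall"
    fi
  fi

  # looks for files that belong to us
  if [ "$thorough" = "1" ]; then
    ourfilesall=$(find / -user "$(whoami)" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null)
    if [ -n "$ourfilesall" ]; then
      printf '%s[-] Files owned by our user:%s\n%s\n\n\n' "$red" "$off" "$ourfilesall"
    fi
  fi

  # looks for hidden files
  if [ "$thorough" = "1" ]; then
    hiddenfiles=$(find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null)
    if [ -n "$hiddenfiles" ]; then
      printf '%s[-] Hidden files:%s\n%s\n\n\n' "$red" "$off" "$hiddenfiles"
    fi
  fi

  # looks for world-readable files within /home - depending on number of /home dirs & files,
  # this can take some time so is only 'activated' with thorough scanning switch.
  # Paths are collected NUL-separated once; the display is built from them and the
  # export copies them. The original looped over the tokens of the `ls -al`
  # output, which only worked by accident and broke on names with spaces.
  if [ "$thorough" = "1" ]; then
    local -a wrpaths=()
    while IFS= read -r -d '' f; do wrpaths+=("$f"); done \
      < <(find /home/ -perm -4 -type f -print0 2>/dev/null)
    wrfileshm=''
    if [ "${#wrpaths[@]}" -gt 0 ]; then
      wrfileshm=$(for f in "${wrpaths[@]}"; do ls -al -- "$f" 2>/dev/null; done)
    fi
    if [ -n "$wrfileshm" ]; then
      printf '%s[-] World-readable files within /home:%s\n%s\n\n\n' "$red" "$off" "$wrfileshm"
    fi
    if [ -n "$export" ] && [ -n "$wrfileshm" ]; then
      mkdir -p -- "$format/wr-files/" 2>/dev/null
      for f in "${wrpaths[@]}"; do
        cp --parents -- "$f" "$format/wr-files/" 2>/dev/null
      done
    fi
  fi

  # lists current user's home directory contents
  if [ "$thorough" = "1" ]; then
    homedircontents=$(ls -ahl ~ 2>/dev/null)
    if [ -n "$homedircontents" ]; then
      printf '%s[-] Home directory contents:%s\n%s\n\n\n' "$red" "$off" "$homedircontents"
    fi
  fi

  # checks for if various ssh files are accessible - this can take some time so is
  # only 'activated' with thorough scanning switch. Same single-find/NUL-separated
  # approach as the /home check above, so the filesystem is walked once.
  if [ "$thorough" = "1" ]; then
    local -a sshpaths=()
    while IFS= read -r -d '' f; do sshpaths+=("$f"); done \
      < <(find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -print0 2>/dev/null)
    sshfiles=''
    if [ "${#sshpaths[@]}" -gt 0 ]; then
      sshfiles=$(for f in "${sshpaths[@]}"; do ls -la -- "$f" 2>/dev/null; done)
    fi
    if [ -n "$sshfiles" ]; then
      printf '%s[-] SSH keys/host information found in the following locations:%s\n%s\n\n\n' "$red" "$off" "$sshfiles"
    fi
    if [ -n "$export" ] && [ -n "$sshfiles" ]; then
      mkdir -p -- "$format/ssh-files/" 2>/dev/null
      for f in "${sshpaths[@]}"; do
        cp --parents -- "$f" "$format/ssh-files/" 2>/dev/null
      done
    fi
  fi

  # is root permitted to login via ssh
  # Only an explicit "yes" is flagged; "prohibit-password" / "without-password"
  # still permit key-based root logins and are not reported by this check.
  sshrootlogin=$(grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}')
  if [ "$sshrootlogin" = "yes" ]; then
    printf '%s[-] Root is allowed to login via SSH:%s\n' "$red" "$off"
    grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#"
    printf '\n\n'
  fi
}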
  482.  
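environmental_info()
{
  # Environment, SELinux, PATH, shells, umask and login.defs password policy.
  # Globals read: export, format. Globals written: the result variables below.
  # Gathered text is printed through printf '%s' rather than `echo -e`:
  # environment values routinely contain backslashes (PS1, PROMPT_COMMAND,
  # Windows-style paths) that echo -e would expand - and a '\c' would silently
  # truncate the rest of the line.
  local red=$'\033[00;31m' yel=$'\033[00;33m' off=$'\033[00m'
  printf '%s### ENVIRONMENTAL #######################################%s\n' "$yel" "$off"

  # env information
  envinfo=$(env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null)
  if [ -n "$envinfo" ]; then
    printf '%s[-] Environment information:%s\n%s\n\n\n' "$red" "$off" "$envinfo"
  fi

  # check if selinux is enabled
  sestatus=$(sestatus 2>/dev/null)
  if [ -n "$sestatus" ]; then
    printf '%s[-] SELinux seems to be present:%s\n%s\n\n\n' "$red" "$off" "$sestatus"
  fi

  # phackt

  # current path configuration (taken verbatim; `echo $PATH` would glob-expand it)
  pathinfo=$PATH
  if [ -n "$pathinfo" ]; then
    printf '%s[-] Path information:%s\n%s\n\n\n' "$red" "$off" "$pathinfo"
  fi

  # lists available shells
  shellinfo=$(cat /etc/shells 2>/dev/null)
  if [ -n "$shellinfo" ]; then
    printf '%s[-] Available shells:%s\n%s\n\n\n' "$red" "$off" "$shellinfo"
  fi

  # current umask value with both symbolic and octal output
  # (the original joined the two commands with '&', which backgrounded
  # `umask -S` and made the order of the two lines a race)
  umaskvalue=$(umask -S 2>/dev/null; umask 2>/dev/null)
  if [ -n "$umaskvalue" ]; then
    printf '%s[-] Current umask value:%s\n%s\n\n\n' "$red" "$off" "$umaskvalue"
  fi

  # umask value as in /etc/login.defs
  umaskdef=$(grep -i "^UMASK" /etc/login.defs 2>/dev/null)
  if [ -n "$umaskdef" ]; then
    printf '%s[-] umask value as specified in /etc/login.defs:%s\n%s\n\n\n' "$red" "$off" "$umaskdef"
  fi

  # password policy information as stored in /etc/login.defs
  logindefs=$(grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null)
  if [ -n "$logindefs" ]; then
    printf '%s[-] Password and storage information:%s\n%s\n\n\n' "$red" "$off" "$logindefs"
  fi

  if [ -n "$export" ] && [ -n "$logindefs" ]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp /etc/login.defs "$format/etc-export/login.defs" 2>/dev/null
  fi
}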
  557.  
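job_info()
{
  # Cron, anacron, per-user crontabs and systemd timers.
  # Globals read: thorough. Globals written: the result variables below and info.
  # Gathered text is printed through printf '%s' rather than `echo -e`, so
  # backslashes in job definitions are shown as written.
  local red=$'\033[00;31m' yel=$'\033[00;33m' off=$'\033[00m'
  printf '%s### JOBS/TASKS ##########################################%s\n' "$yel" "$off"

  # are there any cron jobs configured
  cronjobs=$(ls -la /etc/cron* 2>/dev/null)
  if [ -n "$cronjobs" ]; then
    printf '%s[-] Cron jobs:%s\n%s\n\n\n' "$red" "$off" "$cronjobs"
  fi

  # can we manipulate these jobs in any way (a world-writable job runs as whoever
  # cron runs it as - usually root)
  cronjobwwperms=$(find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
  if [ -n "$cronjobwwperms" ]; then
    printf '%s[+] World-writable cron jobs and file contents:%s\n%s\n\n\n' "$yel" "$off" "$cronjobwwperms"
  fi

  # crontab contents
  crontabvalue=$(cat /etc/crontab 2>/dev/null)
  if [ -n "$crontabvalue" ]; then
    printf '%s[-] Crontab contents:%s\n%s\n\n\n' "$red" "$off" "$crontabvalue"
  fi

  crontabvar=$(ls -la /var/spool/cron/crontabs 2>/dev/null)
  if [ -n "$crontabvar" ]; then
    printf '%s[-] Anything interesting in /var/spool/cron/crontabs:%s\n%s\n\n\n' "$red" "$off" "$crontabvar"
  fi

  anacronjobs=$(ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null)
  if [ -n "$anacronjobs" ]; then
    printf '%s[-] Anacron jobs and associated file permissions:%s\n%s\n\n\n' "$red" "$off" "$anacronjobs"
  fi

  anacrontab=$(ls -la /var/spool/anacron 2>/dev/null)
  if [ -n "$anacrontab" ]; then
    printf '%s[-] When were jobs last executed (/var/spool/anacron contents):%s\n%s\n\n\n' "$red" "$off" "$anacrontab"
  fi

  # pull out account names from /etc/passwd and see if any users have associated
  # cronjobs (`crontab -u` is a privileged command, so this is empty unless root)
  cronother=$(cut -d ":" -f 1 /etc/passwd 2>/dev/null | xargs -n1 crontab -l -u 2>/dev/null)
  if [ -n "$cronother" ]; then
    printf '%s[-] Jobs held by all users:%s\n%s\n\n\n' "$red" "$off" "$cronother"
  fi

  # list systemd timers
  if [ "$thorough" = "1" ]; then
    # include inactive timers in thorough mode
    systemdtimers=$(systemctl list-timers --all 2>/dev/null)
    info=""
  else
    systemdtimers=$(systemctl list-timers 2>/dev/null | head -n -1 2>/dev/null)
    # replace the info in the output with a hint towards thorough mode
    info=$'\033[2mEnable thorough tests to see inactive timers\033[00m'
  fi
  if [ -n "$systemdtimers" ]; then
    printf '%s[-] Systemd timers:%s\n%s\n%s\n\n\n' "$red" "$off" "$systemdtimers" "$info"
  fi
}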
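networking_info()
{
  # Interfaces, ARP cache, resolvers, default route and open sockets.
  # Each check has a net-tools form (ifconfig/arp/route/netstat) and an
  # iproute2 fallback (ip/ss) that is only printed when the first gave nothing.
  # Gathered text is printed through printf '%s' rather than `echo -e`.
  # Globals written: the result variables below.
  local red=$'\033[00;31m' yel=$'\033[00;33m' off=$'\033[00m'
  printf '%s### NETWORKING ##########################################%s\n' "$yel" "$off"

  # nic information
  nicinfo=$(/sbin/ifconfig -a 2>/dev/null)
  if [ -n "$nicinfo" ]; then
    printf '%s[-] Network and IP info:%s\n%s\n\n\n' "$red" "$off" "$nicinfo"
  fi

  # nic information (using ip)
  nicinfoip=$(/sbin/ip a 2>/dev/null)
  if [ -z "$nicinfo" ] && [ -n "$nicinfoip" ]; then
    printf '%s[-] Network and IP info:%s\n%s\n\n\n' "$red" "$off" "$nicinfoip"
  fi

  arpinfo=$(arp -a 2>/dev/null)
  if [ -n "$arpinfo" ]; then
    printf '%s[-] ARP history:%s\n%s\n\n\n' "$red" "$off" "$arpinfo"
  fi

  arpinfoip=$(ip n 2>/dev/null)
  if [ -z "$arpinfo" ] && [ -n "$arpinfoip" ]; then
    printf '%s[-] ARP history:%s\n%s\n\n\n' "$red" "$off" "$arpinfoip"
  fi

  # dns settings
  nsinfo=$(grep "nameserver" /etc/resolv.conf 2>/dev/null)
  if [ -n "$nsinfo" ]; then
    printf '%s[-] Nameserver(s):%s\n%s\n\n\n' "$red" "$off" "$nsinfo"
  fi

  nsinfosysd=$(systemd-resolve --status 2>/dev/null)
  if [ -n "$nsinfosysd" ]; then
    printf '%s[-] Nameserver(s):%s\n%s\n\n\n' "$red" "$off" "$nsinfosysd"
  fi

  # default route configuration
  defroute=$(route 2>/dev/null | grep default)
  if [ -n "$defroute" ]; then
    printf '%s[-] Default route:%s\n%s\n\n\n' "$red" "$off" "$defroute"
  fi

  defrouteip=$(ip r 2>/dev/null | grep default)
  if [ -z "$defroute" ] && [ -n "$defrouteip" ]; then
    printf '%s[-] Default route:%s\n%s\n\n\n' "$red" "$off" "$defrouteip"
  fi

  # listening TCP
  tcpservs=$(netstat -antp 2>/dev/null)
  if [ -n "$tcpservs" ]; then
    printf '%s[-] Listening TCP:%s\n%s\n\n\n' "$red" "$off" "$tcpservs"
  fi

  # ss fallback with the same flags as the netstat call (-a all sockets incl.
  # listeners, -n numeric, -p owning process); plain `ss -t` only showed
  # established connections
  tcpservsip=$(ss -antp 2>/dev/null)
  if [ -z "$tcpservs" ] && [ -n "$tcpservsip" ]; then
    printf '%s[-] Listening TCP:%s\n%s\n\n\n' "$red" "$off" "$tcpservsip"
  fi

  # listening UDP
  udpservs=$(netstat -anup 2>/dev/null)
  if [ -n "$udpservs" ]; then
    printf '%s[-] Listening UDP:%s\n%s\n\n\n' "$red" "$off" "$udpservs"
  fi

  # the original fallback ran `ip -u`, which is not an ip option, so UDP sockets
  # were never listed on netstat-less hosts; mirror the TCP fallback with ss
  udpservsip=$(ss -anup 2>/dev/null)
  if [ -z "$udpservs" ] && [ -n "$udpservsip" ]; then
    printf '%s[-] Listening UDP:%s\n%s\n\n\n' "$red" "$off" "$udpservsip"
  fi
}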
  747.  
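services_info()
{
  # Running processes and their binaries, (x)inetd, init.d/rc.d, upstart and
  # systemd unit files - in particular files in those directories that are not
  # owned by root, since editing one changes what runs at boot/restart.
  # Globals read: export, format. Globals written: the result variables below.
  # Gathered text is printed through printf '%s' rather than `echo -e`.
  local red=$'\033[00;31m' yel=$'\033[00;33m' off=$'\033[00m'
  printf '%s### SERVICES #############################################%s\n' "$yel" "$off"

  # running processes
  psaux=$(ps aux 2>/dev/null)
  if [ -n "$psaux" ]; then
    printf '%s[-] Running processes:%s\n%s\n\n\n' "$red" "$off" "$psaux"
  fi

  # lookup process binary path and permissions
  procperm=$(ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++' 2>/dev/null)
  if [ -n "$procperm" ]; then
    printf '%s[-] Process binaries and associated permissions (from above list):%s\n%s\n\n\n' "$red" "$off" "$procperm"
  fi

  if [ -n "$export" ] && [ -n "$procperm" ]; then
    procpermbase=$(ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null)
    mkdir -p -- "$format/ps-export/" 2>/dev/null
    # one path per line; read line-wise so a path containing spaces is copied
    # intact (the original word-split the whole list)
    printf '%s\n' "$procpermbase" |
      while IFS= read -r bin; do
        [ -n "$bin" ] && cp --parents -- "$bin" "$format/ps-export/" 2>/dev/null
      done
  fi

  # anything 'useful' in inetd.conf
  inetdread=$(cat /etc/inetd.conf 2>/dev/null)
  if [ -n "$inetdread" ]; then
    printf '%s[-] Contents of /etc/inetd.conf:%s\n%s\n\n\n' "$red" "$off" "$inetdread"
  fi

  if [ -n "$export" ] && [ -n "$inetdread" ]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp /etc/inetd.conf "$format/etc-export/inetd.conf" 2>/dev/null
  fi

  # very 'rough' command to extract associated binaries from inetd.conf & show permissions of each
  inetdbinperms=$(awk '{print $7}' /etc/inetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null)
  if [ -n "$inetdbinperms" ]; then
    printf '%s[-] The related inetd binary permissions:%s\n%s\n\n\n' "$red" "$off" "$inetdbinperms"
  fi

  xinetdread=$(cat /etc/xinetd.conf 2>/dev/null)
  if [ -n "$xinetdread" ]; then
    printf '%s[-] Contents of /etc/xinetd.conf:%s\n%s\n\n\n' "$red" "$off" "$xinetdread"
  fi

  if [ -n "$export" ] && [ -n "$xinetdread" ]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp /etc/xinetd.conf "$format/etc-export/xinetd.conf" 2>/dev/null
  fi

  xinetdincd=$(grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null)
  if [ -n "$xinetdincd" ]; then
    printf '%s[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:%s\n' "$red" "$off"
    ls -la /etc/xinetd.d 2>/dev/null
    printf '\n\n'
  fi

  # very 'rough' command to extract associated binaries from xinetd.conf & show permissions of each
  xinetdbinperms=$(awk '{print $7}' /etc/xinetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null)
  if [ -n "$xinetdbinperms" ]; then
    printf '%s[-] The related xinetd binary permissions:%s\n%s\n\n\n' "$red" "$off" "$xinetdbinperms"
  fi

  initdread=$(ls -la /etc/init.d 2>/dev/null)
  if [ -n "$initdread" ]; then
    printf '%s[-] /etc/init.d/ binary permissions:%s\n%s\n\n\n' "$red" "$off" "$initdread"
  fi

  # init.d files NOT belonging to root! (paths passed NUL-separated so names
  # with whitespace survive the xargs hop)
  initdperms=$(find /etc/init.d/ \! -uid 0 -type f -print0 2>/dev/null | xargs -0 -r ls -la 2>/dev/null)
  if [ -n "$initdperms" ]; then
    printf '%s[-] /etc/init.d/ files not belonging to root:%s\n%s\n\n\n' "$red" "$off" "$initdperms"
  fi

  rcdread=$(ls -la /etc/rc.d/init.d 2>/dev/null)
  if [ -n "$rcdread" ]; then
    printf '%s[-] /etc/rc.d/init.d binary permissions:%s\n%s\n\n\n' "$red" "$off" "$rcdread"
  fi

  # rc.d/init.d files NOT belonging to root!
  rcdperms=$(find /etc/rc.d/init.d \! -uid 0 -type f -print0 2>/dev/null | xargs -0 -r ls -la 2>/dev/null)
  if [ -n "$rcdperms" ]; then
    printf '%s[-] /etc/rc.d/init.d files not belonging to root:%s\n%s\n\n\n' "$red" "$off" "$rcdperms"
  fi

  usrrcdread=$(ls -la /usr/local/etc/rc.d 2>/dev/null)
  if [ -n "$usrrcdread" ]; then
    printf '%s[-] /usr/local/etc/rc.d binary permissions:%s\n%s\n\n\n' "$red" "$off" "$usrrcdread"
  fi

  # rc.d files NOT belonging to root!
  usrrcdperms=$(find /usr/local/etc/rc.d \! -uid 0 -type f -print0 2>/dev/null | xargs -0 -r ls -la 2>/dev/null)
  if [ -n "$usrrcdperms" ]; then
    printf '%s[-] /usr/local/etc/rc.d files not belonging to root:%s\n%s\n\n\n' "$red" "$off" "$usrrcdperms"
  fi

  initread=$(ls -la /etc/init/ 2>/dev/null)
  if [ -n "$initread" ]; then
    printf '%s[-] /etc/init/ config file permissions:%s\n%s\n\n\n' "$red" "$off" "$initread"
  fi

  # upstart scripts not belonging to root
  initperms=$(find /etc/init \! -uid 0 -type f -print0 2>/dev/null | xargs -0 -r ls -la 2>/dev/null)
  if [ -n "$initperms" ]; then
    printf '%s[-] /etc/init/ config files not belonging to root:%s\n%s\n\n\n' "$red" "$off" "$initperms"
  fi

  systemdread=$(ls -lthR /lib/systemd/ 2>/dev/null)
  if [ -n "$systemdread" ]; then
    printf '%s[-] /lib/systemd/* config file permissions:%s\n%s\n\n\n' "$red" "$off" "$systemdread"
  fi

  # systemd files not belonging to root
  systemdperms=$(find /lib/systemd/ \! -uid 0 -type f -print0 2>/dev/null | xargs -0 -r ls -la 2>/dev/null)
  if [ -n "$systemdperms" ]; then
    printf '%s[-] /lib/systemd/* config files not belonging to root:%s\n%s\n\n\n' "$red" "$off" "$systemdperms"
  fi
}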
  920.  
  921. software_configs()
  922. {
  923. echo -e "\e[00;33m### SOFTWARE #############################################\e[00m"
  924.  
  925. #sudo version - check to see if there are any known vulnerabilities with this
  926. sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null`
  927. if [ "$sudover" ]; then
  928. echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover"
  929. echo -e "\n"
  930. else
  931. :
  932. fi
  933.  
  934. #mysql details - if installed
  935. mysqlver=`mysql --version 2>/dev/null`
  936. if [ "$mysqlver" ]; then
  937. echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver"
  938. echo -e "\n"
  939. else
  940. :
  941. fi
  942.  
  943. #checks to see if root/root will get us a connection
  944. mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null`
  945. if [ "$mysqlconnect" ]; then
  946. echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect"
  947. echo -e "\n"
  948. else
  949. :
  950. fi
  951.  
  952. #mysql version details
  953. mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null`
  954. if [ "$mysqlconnectnopass" ]; then
  955. echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass"
  956. echo -e "\n"
  957. else
  958. :
  959. fi
  960.  
  961. #postgres details - if installed
  962. postgver=`psql -V 2>/dev/null`
  963. if [ "$postgver" ]; then
  964. echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver"
  965. echo -e "\n"
  966. else
  967. :
  968. fi
  969.  
  970. #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
  971. postcon1=`psql -U postgres template0 -c 'select version()' 2>/dev/null | grep version`
  972. if [ "$postcon1" ]; then
  973. echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1"
  974. echo -e "\n"
  975. else
  976. :
  977. fi
  978.  
  979. postcon11=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`
  980. if [ "$postcon11" ]; then
  981. echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11"
  982. echo -e "\n"
  983. else
  984. :
  985. fi
  986.  
  987. postcon2=`psql -U pgsql template0 -c 'select version()' 2>/dev/null | grep version`
  988. if [ "$postcon2" ]; then
  989. echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2"
  990. echo -e "\n"
  991. else
  992. :
  993. fi
  994.  
  995. postcon22=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`
  996. if [ "$postcon22" ]; then
  997. echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22"
  998. echo -e "\n"
  999. else
  1000. :
  1001. fi
  1002.  
  1003. #apache details - if installed
  1004. apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null`
  1005. if [ "$apachever" ]; then
  1006. echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever"
  1007. echo -e "\n"
  1008. else
  1009. :
  1010. fi
  1011.  
  1012. #what account is apache running under
  1013. apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null`
  1014. if [ "$apacheusr" ]; then
  1015. echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr"
  1016. echo -e "\n"
  1017. else
  1018. :
  1019. fi
  1020.  
  1021. if [ "$export" ] && [ "$apacheusr" ]; then
  1022. mkdir --parents $format/etc-export/apache2/ 2>/dev/null
  1023. cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null
  1024. else
  1025. :
  1026. fi
  1027.  
  1028. #installed apache modules
  1029. apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null`
  1030. if [ "$apachemodules" ]; then
  1031. echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules"
  1032. echo -e "\n"
  1033. else
  1034. :
  1035. fi
  1036.  
  1037. #htpasswd check
  1038. htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null`
  1039. if [ "$htpasswd" ]; then
  1040. echo -e "\e[00;33m[-] htpasswd found - could contain passwords:\e[00m\n$htpasswd"
  1041. echo -e "\n"
  1042. else
  1043. :
  1044. fi
  1045.  
  1046. #anything in the default http home dirs (changed to thorough as can be large)
  1047. if [ "$thorough" = "1" ]; then
  1048. apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null`
  1049. if [ "$apachehomedirs" ]; then
  1050. echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs"
  1051. echo -e "\n"
  1052. else
  1053. :
  1054. fi
  1055. fi
  1056.  
  1057. }
  1058.  
#######################################
# Enumerates locally readable files of interest and prints each non-empty finding under a coloured heading.
# Globals (read):
#   thorough   - "1" enables the slow filesystem-wide find scans (SUID/SGID, capabilities, world-writable)
#   export     - non-empty enables copying findings into the report directory
#   format     - report directory; it is expanded unquoted throughout, so a value containing
#                whitespace breaks every mkdir/cp below
#   keyword    - user-supplied string searched for in *.conf, *.php, *.log and *.ini files
#   binarylist - grep -w pattern used to flag "interesting" SUID/SGID binaries (defined elsewhere)
# Globals (written): one result variable per check (findsuid, wwfiles, usrhist, ...)
# Outputs:  findings on stdout; every command's stderr is discarded with 2>/dev/null
# Returns:  exit status of the last check that ran
#######################################
interesting_files()
{
echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m"

#checks to see if various files are installed
#`which` prints the path of each tool found on PATH and nothing for absent ones
echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null
echo -e "\n"

#limited search for installed compilers
#NOTE(review): the dpkg and yum queries are joined with &&, so yum runs only when the dpkg
#pipeline exits 0 (its last stage, `grep -v decompiler`, printed something); on an RPM-only
#host dpkg is absent, the pipeline fails and the yum query is never executed
compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null`
if [ "$compiler" ]; then
echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler"
echo -e "\n"
else
:
fi

#manual check - lists out sensitive files, can we read/modify etc.
#only the mode/owner of each file is shown (ls -la); the files themselves are not read here
echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null
echo -e "\n"

#search for suid files - this can take some time so is only 'activated' with thorough scanning switch (as are all suid scans below)
if [ "$thorough" = "1" ]; then
#the 2>/dev/null written before \; is still a redirection on the find command itself; the shell
#removes it before find sees its arguments, so it silences find's own errors (unreadable dirs)
findsuid=`find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$findsuid" ]; then
echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid"
echo -e "\n"
else
:
fi
else
:
fi

if [ "$thorough" = "1" ]; then
if [ "$export" ] && [ "$findsuid" ]; then
mkdir $format/suid-files/ 2>/dev/null
#$findsuid holds complete `ls -la` lines, so the unquoted expansion also yields mode strings,
#owners, sizes and dates; cp fails silently on those tokens and only the path fields are copied
#(paths containing whitespace are split and lost as well) - the same applies to every
#"for i in $...; do cp" export loop below
for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null
else
:
fi
else
:
fi

#list of 'interesting' suid files - feel free to make additions
if [ "$thorough" = "1" ]; then
#assumes $binarylist is a single grep -w alternation containing no whitespace - confirm where it is defined
intsuid=`find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
if [ "$intsuid" ]; then
echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid"
echo -e "\n"
else
:
fi
else
:
fi

#lists world-writable suid files
if [ "$thorough" = "1" ]; then
#-perm -4007 matches files with the setuid bit and all three 'other' bits (rwx) set
wwsuid=`find / -perm -4007 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwsuid" ]; then
echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid"
echo -e "\n"
else
:
fi
else
:
fi

#lists world-writable suid files owned by root
if [ "$thorough" = "1" ]; then
wwsuidrt=`find / -uid 0 -perm -4007 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwsuidrt" ]; then
echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt"
echo -e "\n"
else
:
fi
else
:
fi

#search for guid (setgid) files - this can take some time so is only 'activated' with thorough scanning switch (as are all guid scans below)
if [ "$thorough" = "1" ]; then
findguid=`find / -perm -2000 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$findguid" ]; then
echo -e "\e[00;31m[-] GUID files:\e[00m\n$findguid"
echo -e "\n"
else
:
fi
else
:
fi

if [ "$thorough" = "1" ]; then
if [ "$export" ] && [ "$findguid" ]; then
mkdir $format/guid-files/ 2>/dev/null
for i in $findguid; do cp $i $format/guid-files/; done 2>/dev/null
else
:
fi
else
:
fi

#list of 'interesting' guid files - feel free to make additions
if [ "$thorough" = "1" ]; then
intguid=`find / -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
if [ "$intguid" ]; then
echo -e "\e[00;33m[+] Possibly interesting GUID files:\e[00m\n$intguid"
echo -e "\n"
else
:
fi
else
:
fi

#lists world-writable guid files
if [ "$thorough" = "1" ]; then
wwguid=`find / -perm -2007 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwguid" ]; then
echo -e "\e[00;33m[+] World-writable GUID files:\e[00m\n$wwguid"
echo -e "\n"
else
:
fi
else
:
fi

#lists world-writable guid files owned by root
if [ "$thorough" = "1" ]; then
wwguidrt=`find / -uid 0 -perm -2007 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwguidrt" ]; then
echo -e "\e[00;33m[+] World-writable GUID files owned by root:\e[00m\n$wwguidrt"
echo -e "\n"
else
:
fi
else
:
fi

#list all files with POSIX capabilities set along with their capabilities
if [ "$thorough" = "1" ]; then
#falls back to the explicit /sbin path when getcap is not on PATH
fileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null`
if [ "$fileswithcaps" ]; then
echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps"
echo -e "\n"
else
:
fi
else
:
fi

if [ "$thorough" = "1" ]; then
if [ "$export" ] && [ "$fileswithcaps" ]; then
mkdir $format/files_with_capabilities/ 2>/dev/null
#getcap prints the capability set after each path, so those tokens are also fed to cp and fail silently
for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null
else
:
fi
else
:
fi

#searches /etc/security/capability.conf for users with associated capabilities
if [ "$thorough" = "1" ]; then
#drops comment lines, 'none' entries and blank lines
userswithcaps=`grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null`
if [ "$userswithcaps" ]; then
echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps"
echo -e "\n"
else
:
fi
else
:
fi

if [ "$thorough" = "1" ] && [ "$userswithcaps" ] ; then
#matches the capabilities found associated with users with the current user
#(field 1 of each capability.conf line naming the current user is the capability set)
matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null`
if [ "$matchedcaps" ]; then
echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps"
echo -e "\n"
#matches the files with capabilities with capabilities associated with the current user
matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null`
if [ "$matchedfiles" ]; then
echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles"
echo -e "\n"
#lists the permissions of the files having the same capabilities associated with the current user
matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null`
#NOTE(review): this heading is printed before the emptiness test below, so it appears even when
#$matchedfilesperms is empty (unlike every other section, which tests first)
echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms"
echo -e "\n"
if [ "$matchedfilesperms" ]; then
#checks if any of the files with same capabilities associated with the current user is writable
#(-writable is a GNU find extension: tests writability for the invoking user, not the mode bits)
writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null`
if [ "$writablematchedfiles" ]; then
echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles"
echo -e "\n"
else
:
fi
else
:
fi
else
:
fi
else
:
fi
else
:
fi

#list all world-writable files excluding /proc and /sys
if [ "$thorough" = "1" ]; then
#-perm -2 matches any file with the other-write bit set; the /proc exclusion matches at any
#depth ("*/proc/*") while /sys is only excluded at the filesystem root
wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwfiles" ]; then
echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles"
echo -e "\n"
else
:
fi
else
:
fi

if [ "$thorough" = "1" ]; then
if [ "$export" ] && [ "$wwfiles" ]; then
mkdir $format/ww-files/ 2>/dev/null
for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null
else
:
fi
else
:
fi

#are any .plan files accessible in /home (could contain useful information)
#NOTE(review): the -iname pattern is unquoted, so if the current directory contains a matching
#file the shell expands it before find runs and the intended pattern is lost; the same applies
#to every unquoted *.rhosts/*.conf/*.php/*.log/*.ini pattern below
usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
if [ "$usrplan" ]; then
echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$usrplan" ]; then
mkdir $format/plan_files/ 2>/dev/null
#$usrplan mixes ls output and file contents, so most tokens are not paths and cp fails on them
for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
else
:
fi

#BSD layout: home directories live under /usr/home
bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
if [ "$bsdusrplan" ]; then
echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$bsdusrplan" ]; then
mkdir $format/plan_files/ 2>/dev/null
for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
else
:
fi

#are there any .rhosts files accessible - these may allow us to login as another user etc.
rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
if [ "$rhostsusr" ]; then
echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$rhostsusr" ]; then
mkdir $format/rhosts/ 2>/dev/null
for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
else
:
fi

bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
if [ "$bsdrhostsusr" ]; then
echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$bsdrhostsusr" ]; then
mkdir $format/rhosts 2>/dev/null
for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null
else
:
fi

#system-wide trust file for the r-commands
rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
if [ "$rhostssys" ]; then
echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$rhostssys" ]; then
mkdir $format/rhosts/ 2>/dev/null
for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null
else
:
fi

#list nfs shares/permissions etc.
nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null`
if [ "$nfsexports" ]; then
echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$nfsexports" ]; then
mkdir $format/etc-export/ 2>/dev/null
cp /etc/exports $format/etc-export/exports 2>/dev/null
else
:
fi

if [ "$thorough" = "1" ]; then
#phackt
#displaying /etc/fstab
fstab=`cat /etc/fstab 2>/dev/null`
if [ "$fstab" ]; then
echo -e "\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[00m"
echo -e "$fstab"
echo -e "\n"
fi
fi

#looking for credentials in /etc/fstab
#each pipeline keeps the text after username=/password=/domain= up to the next comma and
#xargs -r prefixes a label (and prints nothing when there is no match); note that $fstab is
#reused here, so the full file contents read above are discarded
fstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null`
if [ "$fstab" ]; then
echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$fstab" ]; then
#NOTE(review): directory is "etc-exports" here but "etc-export" for the NFS copy above
mkdir $format/etc-exports/ 2>/dev/null
#NOTE(review): the trailing word `done` is a stray token - cp receives three operands and treats
#`done` as the destination directory, so this copy fails (silently) unless a directory of that
#name happens to exist in the current directory; the same defect is repeated below for $fstabcred
cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null
else
:
fi

#NOTE(review): the value extracted from credentials= is substituted into the `sh -c` command
#string before that shell parses it, so it is interpreted as shell syntax rather than as data;
#passing it as a positional argument (`sh -c 'ls -la "$1"; cat "$1"' sh {}`) keeps it as a plain path
fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null`
if [ "$fstabcred" ]; then
echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$fstabcred" ]; then
mkdir $format/etc-exports/ 2>/dev/null
cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null
else
:
fi

#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ]; then
echo -e "[-] Can't search *.conf files as no keyword was entered\n"
else
#NOTE(review): $keyword is expanded unquoted and without a preceding `--`: a keyword containing
#spaces is split into a pattern plus extra file operands, one beginning with '-' is parsed as a
#grep option, and it is matched as a basic regex rather than a literal string; the same applies
#to the .php/.log/.ini searches below
confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
if [ "$confkey" ]; then
echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey"
echo -e "\n"
else
echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m"
echo -e "'$keyword' not found in any .conf files"
echo -e "\n"
fi
fi

if [ "$keyword" = "" ]; then
:
else
if [ "$export" ] && [ "$confkey" ]; then
#the search is repeated with -l so only file names (not matching lines) are collected for copying
confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null
for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null
else
:
fi
fi

#use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ]; then
echo -e "[-] Can't search *.php files as no keyword was entered\n"
else
phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
if [ "$phpkey" ]; then
echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey"
echo -e "\n"
else
echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m"
echo -e "'$keyword' not found in any .php files"
echo -e "\n"
fi
fi

if [ "$keyword" = "" ]; then
:
else
if [ "$export" ] && [ "$phpkey" ]; then
phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null
for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 2>/dev/null
else
:
fi
fi

#use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ];then
echo -e "[-] Can't search *.log files as no keyword was entered\n"
else
logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
if [ "$logkey" ]; then
echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey"
echo -e "\n"
else
echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m"
echo -e "'$keyword' not found in any .log files"
echo -e "\n"
fi
fi

if [ "$keyword" = "" ];then
:
else
if [ "$export" ] && [ "$logkey" ]; then
logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null
for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null
else
:
fi
fi

#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located
if [ "$keyword" = "" ];then
echo -e "[-] Can't search *.ini files as no keyword was entered\n"
else
inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
if [ "$inikey" ]; then
echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey"
echo -e "\n"
else
echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m"
echo -e "'$keyword' not found in any .ini files"
echo -e "\n"
fi
fi

if [ "$keyword" = "" ];then
:
else
if [ "$export" ] && [ "$inikey" ]; then
#NOTE(review): unlike the three sections above (which use a separate *keyfile variable), the
#file list is written back into $inikey, so the grep output collected above is overwritten here
inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} \; 2>/dev/null`
mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null
for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null
else
:
fi
fi

#quick extract of .conf files from /etc - only 1 level
allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null`
if [ "$allconf" ]; then
echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$allconf" ]; then
mkdir $format/conf-files/ 2>/dev/null
for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null
else
:
fi

#extract any user history files that are accessible
#the glob is expanded by the shell; ls prints nothing (to stdout) when no *_history file exists
usrhist=`ls -la ~/.*_history 2>/dev/null`
if [ "$usrhist" ]; then
echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$usrhist" ]; then
mkdir $format/history_files/ 2>/dev/null
for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null
else
:
fi

#can we read roots *_history files - could be passwords stored etc.
roothist=`ls -la /root/.*_history 2>/dev/null`
if [ "$roothist" ]; then
echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$roothist" ]; then
mkdir $format/history_files/ 2>/dev/null
#$roothist is `ls -la` output, so every non-path field (mode, owner, size, date) is also handed
#to cp as a source operand; those fail silently and only the path fields are copied
cp $roothist $format/history_files/ 2>/dev/null
else
:
fi

#all accessible .bash_history files in /home
checkbashhist=`find /home -name .bash_history -print -exec cat {} 2>/dev/null \;`
if [ "$checkbashhist" ]; then
echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history file(s):\e[00m\n$checkbashhist"
echo -e "\n"
else
:
fi

#is there any mail accessible
readmail=`ls -la /var/mail 2>/dev/null`
if [ "$readmail" ]; then
echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
echo -e "\n"
else
:
fi

#can we read roots mail
#head gives the first 10 lines of the mailbox, so only a snippet is shown
readmailroot=`head /var/mail/root 2>/dev/null`
if [ "$readmailroot" ]; then
echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
echo -e "\n"
else
:
fi

if [ "$export" ] && [ "$readmailroot" ]; then
mkdir $format/mail-from-root/ 2>/dev/null
#NOTE(review): $readmailroot holds message text, not a path, so the words of the snippet are
#passed to cp as source operands and the copy cannot succeed
cp $readmailroot $format/mail-from-root/ 2>/dev/null
else
:
fi
}
  1629.  
#######################################
# Docker-related checks: whether this process appears to run inside a container,
# whether a Docker client/daemon is present, docker group membership, and any
# Dockerfile / docker-compose.yml found on disk.
# Globals (written): dockercontainer dockerhost dockergrp dockerfiles dockeryml
# Outputs:  a coloured heading plus the raw command output for each non-empty finding
# Returns:  status of the last command executed
#######################################
docker_checks()
{
  # Container indicators: a "docker" component in this process's cgroup path, or a
  # *dockerenv* file anywhere on the filesystem (full-disk find, so this is slow).
  dockercontainer=$(grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null)
  if [ -n "$dockercontainer" ]; then
    echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
    printf '\n\n'
  fi

  # Host indicators: a docker client on PATH and a daemon that answers `docker ps -a`.
  dockerhost=$(docker --version 2>/dev/null; docker ps -a 2>/dev/null)
  if [ -n "$dockerhost" ]; then
    echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
    printf '\n\n'
  fi

  # Group membership (case-insensitive match on the output of `id`). Auditors treat
  # docker group membership as a privileged assignment because it grants daemon access.
  dockergrp=$(id | grep -i docker 2>/dev/null)
  if [ -n "$dockergrp" ]; then
    echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
    printf '\n\n'
  fi

  # Build definitions on disk: only the file listing is shown, contents are not read.
  dockerfiles=$(find / -name Dockerfile -exec ls -l {} \; 2>/dev/null)
  if [ -n "$dockerfiles" ]; then
    echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
    printf '\n\n'
  fi

  # Compose files on disk, same treatment as Dockerfile above.
  dockeryml=$(find / -name docker-compose.yml -exec ls -l {} \; 2>/dev/null)
  if [ -n "$dockeryml" ]; then
    echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
    printf '\n\n'
  fi
}
  1677.  
#######################################
# LXC/LXD checks: whether PID 1's environment marks this as an lxc container, and
# whether the current user belongs to the lxd group.
# Globals (written): lxccontainer lxdgroup
# Outputs:  a coloured heading per non-empty finding
# Returns:  status of the last command executed
#######################################
lxc_container_checks()
{
#specific checks - are we in an lxd/lxc container
#NOTE(review): grep -q suppresses all output, so this substitution is always empty and the
#"in a lxc container" message below can never be printed - the check is dead as written
lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`
if [ "$lxccontainer" ]; then
echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer"
echo -e "\n"
fi

#specific checks - are we a member of the lxd group
#case-insensitive match on the output of `id`; lxd membership is treated as a privileged
#assignment because it grants control of the LXD daemon
lxdgroup=`id | grep -i lxd 2>/dev/null`
if [ "$lxdgroup" ]; then
echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup"
echo -e "\n"
fi
}
  1694.  
#######################################
# Prints the closing banner.
# Outputs:  coloured "SCAN COMPLETE" heading on stdout
#######################################
footer()
{
  # \033 is ESC; identical bytes to the echo -e "\e[..." form used elsewhere in the file
  printf '\033[00;33m### SCAN COMPLETE ####################################\033[00m\n'
}
  1699.  
#######################################
# Runs every enumeration section in order, banner first and footer last.
# Arguments: none
# Outputs:   whatever each section prints to stdout
# Returns:   status of the last section run (footer)
#######################################
call_each()
{
  local step
  # The order matters: the header/debug sections set up context the later ones report under.
  for step in header debug_info system_info user_info environmental_info job_info \
              networking_info services_info software_configs interesting_files \
              docker_checks lxc_container_checks footer; do
    "$step"
  done
}
  1716.  
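#######################################
# Option parsing and entry point.
#   -k keyword  string searched for in *.conf/*.php/*.log/*.ini files
#               (it is later expanded unquoted as a grep pattern, see interesting_files)
#   -r name     report file; today's date (dd-mm-yy) is appended and all output is tee'd into it
#   -e dir      export directory for copies of interesting files
#   -s          sets sudopass=1 (consumed by the sudo checks elsewhere in the file)
#   -t          thorough scan: enables the slow filesystem-wide find scans
#   -h          usage
# Globals (written): keyword report export sudopass thorough
#######################################
# -h takes no argument. The optstring previously declared it as "h:", which made getopts
# consume the following word (or report a missing argument) before usage was called.
while getopts "hk:r:e:st" option; do
  case "${option}" in
    k) keyword=${OPTARG};;
    r) report="${OPTARG}-$(date +"%d-%m-%y")";;
    e) export=${OPTARG};;
    s) sudopass=1;;
    t) thorough=1;;
    h) usage; exit;;
    *) usage; exit;;   # getopts yields '?' for unknown options and missing arguments
  esac
done

# ${report:+"$report"} expands to nothing when no -r was given (tee then only echoes to
# stdout) and to the quoted filename otherwise, so a report name containing spaces works.
call_each | tee -a ${report:+"$report"} 2> /dev/null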