  1. #!/bin/bash
  2. #A script to enumerate local information from a Linux host
  3. version="version 0.982"
  4. #@rebootuser
  5.  
  6. #help function
usage ()
{
  # Print the banner, an example invocation and the option summary.
  # Colours are ANSI escapes; echo -e expands them after variable expansion,
  # so keeping them in variables produces the same bytes as inline escapes.
  local red='\e[00;31m' yel='\e[00;33m' rst='\e[00m'
  local bar="${red}#########################################################${rst}"

  echo -e "\n${bar}"
  echo -e "${red}#${rst} ${yel}Local Linux Enumeration & Privilege Escalation Script${rst} ${red}#${rst}"
  echo -e "${bar}"
  echo -e "${yel}# www.rebootuser.com | @rebootuser ${rst}"
  echo -e "${yel}# $version${rst}\n"
  echo -e "${yel}# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t ${rst}\n"

  # -s is flagged INSECURE because the password is held in a plain shell
  # variable for the whole run and piped into sudo -S by the sudo checks.
  echo "OPTIONS:"
  echo "-k    Enter keyword"
  echo "-e    Enter export location"
  echo "-s    Supply user password for sudo checks (INSECURE)"
  echo "-t    Include thorough (lengthy) tests"
  echo "-r    Enter report name"
  echo "-h    Displays this help text"
  printf '\n\n'
  echo "Running with no options = limited scans/no output file"

  echo -e "${bar}"
}
header()
{
  # Banner printed at the top of a scan run (same look as usage, no options).
  local red='\e[00;31m' yel='\e[00;33m' rst='\e[00m'
  local bar="${red}#########################################################${rst}"

  echo -e "\n${bar}"
  echo -e "${red}#${rst} ${yel}Local Linux Enumeration & Privilege Escalation Script${rst} ${red}#${rst}"
  echo -e "${bar}"
  echo -e "${yel}# www.rebootuser.com${rst}"
  echo -e "${yel}# $version${rst}\n"
}
  37.  
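debug_info()
{
  # Echo the run configuration, prepare the export directory and, when -s was
  # given, collect the sudo password interactively.
  # Globals read:    keyword, report, export, thorough, sudopass
  # Globals written: format (dated sub-directory of $export), userpassword, who
  echo "[-] Debug Info"

  if [ "$keyword" ]; then
    echo "[+] Searching for the keyword $keyword in conf, php, ini and log files"
  fi

  if [ "$report" ]; then
    echo "[+] Report name = $report"
  fi

  if [ "$export" ]; then
    echo "[+] Export location = $export"
  fi

  if [ "$thorough" ]; then
    echo "[+] Thorough tests = Enabled"
  else
    echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m"
  fi

  sleep 2

  if [ "$export" ]; then
    # The export tree later receives copies of /etc/shadow, sudoers, SSH keys,
    # SUID binaries and process images, so create it owner-only (0700) rather
    # than with whatever the caller's umask allows. mkdir -m does not alter a
    # directory that already exists; as before, errors are ignored.
    mkdir -m 700 -- "$export" 2>/dev/null
    format="$export/LinEnum-export-$(date +"%d-%m-%y")"
    mkdir -m 700 -- "$format" 2>/dev/null
  fi

  if [ "$sudopass" ]; then
    # The password lives in a plain shell variable for the rest of the run and
    # is piped into sudo -S by user_info; -r keeps backslashes intact, -s
    # suppresses terminal echo.
    echo -e "\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\e[00m"
    read -rs userpassword
    echo
  fi

  # The original redirected stderr of the assignment, not of whoami itself.
  who=$(whoami 2>/dev/null)
  echo -e "\n"

  echo -e "\e[00;33mScan started at:"; date
  echo -e "\e[00m\n"
}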
  80.  
  81. # useful binaries (thanks to https://gtfobins.github.io/)
  82. binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\|csh\|curl\|cut\|dash\|date\|dd\|diff\|dmsetup\|docker\|ed\|emacs\|env\|expand\|expect\|file\|find\|flock\|fmt\|fold\|ftp\|gawk\|gdb\|gimp\|git\|grep\|head\|ht\|iftop\|ionice\|ip$\|irb\|jjs\|jq\|jrunscript\|ksh\|ld.so\|ldconfig\|less\|logsave\|lua\|make\|man\|mawk\|more\|mv\|mysql\|nano\|nawk\|nc\|netcat\|nice\|nl\|nmap\|node\|od\|openssl\|perl\|pg\|php\|pic\|pico\|python\|readelf\|rlwrap\|rpm\|rpmquery\|rsync\|ruby\|run-parts\|rvim\|scp\|script\|sed\|setarch\|sftp\|sh\|shuf\|socat\|sort\|sqlite3\|ssh$\|start-stop-daemon\|stdbuf\|strace\|systemctl\|tail\|tar\|taskset\|tclsh\|tee\|telnet\|tftp\|time\|timeout\|ul\|unexpand\|uniq\|unshare\|vi\|vim\|watch\|wget\|wish\|xargs\|xxd\|zip\|zsh'
  83.  
  84. system_info()
  85. {
  86. echo -e "\e[00;33m### SYSTEM ##############################################\e[00m"
  87.  
  88. #basic kernel info
  89. unameinfo=`uname -a 2>/dev/null`
  90. if [ "$unameinfo" ]; then
  91.   echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo"
  92.   echo -e "\n"
  93. fi
  94.  
  95. procver=`cat /proc/version 2>/dev/null`
  96. if [ "$procver" ]; then
  97.   echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver"
  98.   echo -e "\n"
  99. fi
  100.  
  101. #search all *-release files for version info
  102. release=`cat /etc/*-release 2>/dev/null`
  103. if [ "$release" ]; then
  104.   echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release"
  105.   echo -e "\n"
  106. fi
  107.  
  108. #target hostname info
  109. hostnamed=`hostname 2>/dev/null`
  110. if [ "$hostnamed" ]; then
  111.   echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed"
  112.   echo -e "\n"
  113. fi
  114. }
  115.  
user_info()
{
# Account and privilege enumeration: who we are, who else exists, whether the
# password databases are readable, what sudo grants, and (thorough mode only)
# filesystem sweeps for writable/owned/hidden files and SSH material.
# Globals read:    export, format, sudopass, userpassword, thorough, binarylist
# Globals written: the result variables below; sudoperms is re-used by the
#                  authenticated sudo checks
echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m"

#current user details
currusr=`id 2>/dev/null`
if [ "$currusr" ]; then
  echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr"
  echo -e "\n"
fi

#last logged on user information (accounts that never logged in are dropped)
lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null`
if [ "$lastlogedonusrs" ]; then
  echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs"
  echo -e "\n"
fi

#who else is logged on
loggedonusrs=`w 2>/dev/null`
if [ "$loggedonusrs" ]; then
  echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs"
  echo -e "\n"
fi

#lists all id's and respective group(s) - one id(1) call per /etc/passwd entry
grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null`
if [ "$grpinfo" ]; then
  echo -e "\e[00;31m[-] Group memberships:\e[00m\n$grpinfo"
  echo -e "\n"
fi

#added by phackt - look for adm group (thanks patrick)
# adm membership commonly grants read access to system logs; worth noting
# even though it is not root.
adm_users=$(echo -e "$grpinfo" | grep "(adm)")
if [[ ! -z $adm_users ]];
  then
    echo -e "\e[00;31m[-] It looks like we have some admin users:\e[00m\n$adm_users"
    echo -e "\n"
fi

#checks to see if any hashes are stored in /etc/passwd (depreciated  *nix storage method)
# Flags every line whose second field does not start with 'x'. Besides real
# hashes this also catches locked placeholders such as '*' or '!' that some
# systems put there, so read the output rather than trusting the headline.
hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`
if [ "$hashesinpasswd" ]; then
  echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd"
  echo -e "\n"
fi

#contents of /etc/passwd
readpasswd=`cat /etc/passwd 2>/dev/null`
if [ "$readpasswd" ]; then
  echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd"
  echo -e "\n"
fi

if [ "$export" ] && [ "$readpasswd" ]; then
  mkdir $format/etc-export/ 2>/dev/null
  cp /etc/passwd $format/etc-export/passwd 2>/dev/null
fi

#checks to see if the shadow file can be read
# Readable /etc/shadow means offline cracking of every account; the -e export
# copies it into $format, so protect that directory accordingly.
readshadow=`cat /etc/shadow 2>/dev/null`
if [ "$readshadow" ]; then
  echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow"
  echo -e "\n"
fi

if [ "$export" ] && [ "$readshadow" ]; then
  mkdir $format/etc-export/ 2>/dev/null
  cp /etc/shadow $format/etc-export/shadow 2>/dev/null
fi

#checks to see if /etc/master.passwd can be read - BSD 'shadow' variant
readmasterpasswd=`cat /etc/master.passwd 2>/dev/null`
if [ "$readmasterpasswd" ]; then
  echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd"
  echo -e "\n"
fi

if [ "$export" ] && [ "$readmasterpasswd" ]; then
  mkdir $format/etc-export/ 2>/dev/null
  cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null
fi

#all root accounts (uid 0) - anything here besides 'root' is a finding
superman=`grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null`
if [ "$superman" ]; then
  echo -e "\e[00;31m[-] Super user account(s):\e[00m\n$superman"
  echo -e "\n"
fi

#pull out vital sudoers info
# Only /etc/sudoers is read, and every line containing '#' anywhere is
# dropped. That also removes #include / #includedir directives, so rules
# kept under /etc/sudoers.d are NOT shown here; the 'sudo -l' checks below
# do cover them, but only for the current user.
sudoers=`grep -v -e '^$' /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null`
if [ "$sudoers" ]; then
  echo -e "\e[00;31m[-] Sudoers configuration (condensed):\e[00m$sudoers"
  echo -e "\n"
fi

if [ "$export" ] && [ "$sudoers" ]; then
  mkdir $format/etc-export/ 2>/dev/null
  cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null
fi

#can we sudo without supplying a password
# NOTE(review): this is a real authentication attempt with an empty password
# (-S reads it from stdin, -k discards any cached credential first). sudo
# normally logs the failed attempt and it counts towards any lockout policy,
# so this is not a quiet check on a monitored host. Output is only produced
# when a NOPASSWD rule (or no auth requirement) applies to us.
sudoperms=`echo '' | sudo -S -l -k 2>/dev/null`
if [ "$sudoperms" ]; then
  echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms"
  echo -e "\n"
fi

#check sudo perms - authenticated
# NOTE(review): $userpassword is expanded unquoted, so a password containing
# whitespace or glob characters is mangled before sudo sees it;
# printf '%s\n' "$userpassword" | sudo -S ... would pass it intact. Piping it
# (rather than putting it on argv) at least keeps it out of 'ps'.
if [ "$sudopass" ]; then
    if [ "$sudoperms" ]; then
      :
    else
      sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null`
      if [ "$sudoauth" ]; then
        echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth"
        echo -e "\n"
      fi
    fi
fi

##known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated
# Same unquoted-password caveat as above; this is a second authentication
# attempt rather than a re-use of $sudoauth. Each token of the 'sudo -l'
# output is stripped of trailing commas and matched whole-word against
# $binarylist.
if [ "$sudopass" ]; then
    if [ "$sudoperms" ]; then
      :
    else
      sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
      if [ "$sudopermscheck" ]; then
        echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck"
        echo -e "\n"
      fi
    fi
fi

#known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)
# Third empty-password sudo attempt (see the logging note above); a match
# only says the name is on the GTFOBins list, not that the rule is abusable.
sudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null`
if [ "$sudopwnage" ]; then
  echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage"
  echo -e "\n"
fi

#who has sudoed in the past
# .sudo_as_admin_successful is a marker file some distributions' sudo writes
# after a successful use; its presence hints at an account with sudo rights.
whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null`
if [ "$whohasbeensudo" ]; then
  echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo"
  echo -e "\n"
fi

#checks to see if roots home directory is accessible
rthmdir=`ls -ahl /root/ 2>/dev/null`
if [ "$rthmdir" ]; then
  echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir"
  echo -e "\n"
fi

#displays /home directory permissions - check if any are lax
homedirperms=`ls -ahl /home/ 2>/dev/null`
if [ "$homedirperms" ]; then
  echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms"
  echo -e "\n"
fi

#looks for files we can write to that don't belong to us
# find -writable asks the kernel whether *we* can write (access(2)), so
# group, other and ACL grants all count - the "writable by group" label
# below understates what is listed. Full filesystem walk: thorough only.
if [ "$thorough" = "1" ]; then
  grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
  if [ "$grfilesall" ]; then
    echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall"
    echo -e "\n"
  fi
fi

#looks for files that belong to us
if [ "$thorough" = "1" ]; then
  ourfilesall=`find / -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
  if [ "$ourfilesall" ]; then
    echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall"
    echo -e "\n"
  fi
fi

#looks for hidden files (any regular file whose name starts with a dot)
if [ "$thorough" = "1" ]; then
  hiddenfiles=`find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
  if [ "$hiddenfiles" ]; then
    echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles"
    echo -e "\n"
  fi
fi

#looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch
# -perm -4 tests the 'other read' bit only.
if [ "$thorough" = "1" ]; then
wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null`
    if [ "$wrfileshm" ]; then
        echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm"
        echo -e "\n"
    fi
fi

# NOTE(review): $wrfileshm holds 'ls -al' lines, so this loop iterates over
# every whitespace-separated token (mode, owner, size, date, ...) and cp
# fails on all but the path tokens; a path containing spaces is split and
# never copied. A separate 'find ... -print0 | xargs -0 cp --parents -t DIR'
# would be exact.
if [ "$thorough" = "1" ]; then
    if [ "$export" ] && [ "$wrfileshm" ]; then
        mkdir $format/wr-files/ 2>/dev/null
        for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null
    fi
fi

#lists current user's home directory contents
if [ "$thorough" = "1" ]; then
homedircontents=`ls -ahl ~ 2>/dev/null`
    if [ "$homedircontents" ] ; then
        echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents"
        echo -e "\n"
    fi
fi

#checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch
# The 2>/dev/null inside the -exec is parsed by the shell as a redirection of
# find itself, so errors from both find and ls are hidden. Only the listed
# names are searched (no id_ecdsa/id_ed25519, no *.pem).
if [ "$thorough" = "1" ]; then
sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;`
    if [ "$sshfiles" ]; then
        echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles"
        echo -e "\n"
    fi
fi

# NOTE(review): same token-splitting problem as the wr-files export above;
# private keys whose path contains a space are silently skipped.
if [ "$thorough" = "1" ]; then
    if [ "$export" ] && [ "$sshfiles" ]; then
        mkdir $format/ssh-files/ 2>/dev/null
        for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null
    fi
fi

#is root permitted to login via ssh
# Only a literal, uncommented 'PermitRootLogin yes' in the main sshd_config is
# detected. Settings in Include'd files or Match blocks, and the daemon's
# built-in default when the directive is absent, are not considered; a line
# with a trailing '#' comment is dropped by the grep -v as well.
sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print  $2}'`
if [ "$sshrootlogin" = "yes" ]; then
  echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#"
  echo -e "\n"
fi
}
  354.  
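environmental_info()
{
  # Environment variables, SELinux status, PATH layout, available shells,
  # umask and password-ageing policy.
  # Globals read:    export, format
  # Globals written: envinfo, sestatus, pathinfo, pathswriteable, pathwritable,
  #                  shellinfo, umaskvalue, umaskdef, logindefs
  echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m"

  #env information (LS_COLORS is long and never interesting)
  envinfo=$(env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null)
  if [ "$envinfo" ]; then
    echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo"
    echo -e "\n"
  fi

  #check if selinux is enabled
  sestatus=$(sestatus 2>/dev/null)
  if [ "$sestatus" ]; then
    echo -e "\e[00;31m[-] SELinux seems to be present:\e[00m\n$sestatus"
    echo -e "\n"
  fi

  #phackt

  #current path configuration
  # Entries are listed in search order (the order that matters for hijacking),
  # each one ls'd individually so that names with spaces or globs are not
  # split. An empty element (leading/trailing/doubled ':') means the current
  # directory to the shell and is shown as '.'.
  pathinfo=$PATH
  if [ "$pathinfo" ]; then
    pathswriteable=""
    pathwritable=""
    remaining="$PATH:"
    while [ -n "$remaining" ]; do
      d=${remaining%%:*}
      remaining=${remaining#*:}
      [ -z "$d" ] && d="."
      entry=$(ls -ld -- "$d") && pathswriteable="$pathswriteable$entry"$'\n'
      # A writable entry lets us plant a binary that shadows anything searched
      # after it; a missing entry under a writable parent can simply be
      # created. (Running as root makes every entry writable - expected.)
      if [ -w "$d" ]; then
        pathwritable="$pathwritable$d"$'\n'
      elif [ ! -e "$d" ] && [ -w "$(dirname -- "$d")" ]; then
        pathwritable="$pathwritable$d (missing, parent directory is writable)"$'\n'
      fi
    done
    echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo"
    echo -e "${pathswriteable%$'\n'}"
    if [ "$pathwritable" ]; then
      echo -e "\e[00;33m[+] PATH entries writable by the current user:\e[00m\n${pathwritable%$'\n'}"
    fi
    echo -e "\n"
  fi

  #lists available shells
  shellinfo=$(cat /etc/shells 2>/dev/null)
  if [ "$shellinfo" ]; then
    echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo"
    echo -e "\n"
  fi

  #current umask value with both octal and symbolic output
  # The original joined the two commands with '&', which backgrounded the
  # symbolic umask and let the two lines race; ';' keeps them in order.
  umaskvalue=$(umask -S 2>/dev/null; umask 2>/dev/null)
  if [ "$umaskvalue" ]; then
    echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue"
    echo -e "\n"
  fi

  #umask value as in /etc/login.defs
  umaskdef=$(grep -i "^UMASK" /etc/login.defs 2>/dev/null)
  if [ "$umaskdef" ]; then
    echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef"
    echo -e "\n"
  fi

  #password policy information as stored in /etc/login.defs
  logindefs=$(grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null)
  if [ "$logindefs" ]; then
    echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs"
    echo -e "\n"
  fi

  if [ "$export" ] && [ "$logindefs" ]; then
    mkdir "$format/etc-export/" 2>/dev/null
    cp /etc/login.defs "$format/etc-export/login.defs" 2>/dev/null
  fi
}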
  417.  
job_info()
{
  # Scheduled work: cron directories and tables, anacron, per-user crontabs
  # and systemd timers. A job file we can write to runs with the job owner's
  # privileges, which is why the world-writable check prints file contents.
  # Globals read: thorough
  echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m"

  cronjobs=$(ls -la /etc/cron* 2>/dev/null)
  if [[ -n "$cronjobs" ]]; then
    echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs"
    printf '\n\n'
  fi

  # world-writable (-perm -0002) regular files under any /etc/cron* tree,
  # listed and then dumped
  cronjobwwperms=$(find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;)
  if [[ -n "$cronjobwwperms" ]]; then
    echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms"
    printf '\n\n'
  fi

  crontabvalue=$(cat /etc/crontab 2>/dev/null)
  if [[ -n "$crontabvalue" ]]; then
    echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue"
    printf '\n\n'
  fi

  crontabvar=$(ls -la /var/spool/cron/crontabs 2>/dev/null)
  if [[ -n "$crontabvar" ]]; then
    echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar"
    printf '\n\n'
  fi

  anacronjobs=$(ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null)
  if [[ -n "$anacronjobs" ]]; then
    echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs"
    printf '\n\n'
  fi

  anacrontab=$(ls -la /var/spool/anacron 2>/dev/null)
  if [[ -n "$anacrontab" ]]; then
    echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab"
    printf '\n\n'
  fi

  # 'crontab -l -u' for every passwd account; other users' tables are only
  # readable with privilege, so this is normally empty for a plain user
  cronother=$(cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null)
  if [[ -n "$cronother" ]]; then
    echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother"
    printf '\n\n'
  fi

  # systemd timers: thorough mode includes inactive ones, otherwise the
  # trailing summary line is cut and a hint is appended instead
  case "$thorough" in
    1)
      systemdtimers=$(systemctl list-timers --all 2>/dev/null)
      info=""
      ;;
    *)
      systemdtimers=$(systemctl list-timers 2>/dev/null | head -n -1 2>/dev/null)
      info="\e[2mEnable thorough tests to see inactive timers\e[00m"
      ;;
  esac
  if [[ -n "$systemdtimers" ]]; then
    echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info"
    printf '\n\n'
  fi

}
  484.  
  485. networking_info()
  486. {
  487. echo -e "\e[00;33m### NETWORKING  ##########################################\e[00m"
  488.  
  489. #nic information
  490. nicinfo=`/sbin/ifconfig -a 2>/dev/null`
  491. if [ "$nicinfo" ]; then
  492.   echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo"
  493.   echo -e "\n"
  494. fi
  495.  
  496. #nic information (using ip)
  497. nicinfoip=`/sbin/ip a 2>/dev/null`
  498. if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then
  499.   echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip"
  500.   echo -e "\n"
  501. fi
  502.  
  503. arpinfo=`arp -a 2>/dev/null`
  504. if [ "$arpinfo" ]; then
  505.   echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo"
  506.   echo -e "\n"
  507. fi
  508.  
  509. arpinfoip=`ip n 2>/dev/null`
  510. if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then
  511.   echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip"
  512.   echo -e "\n"
  513. fi
  514.  
  515. #dns settings
  516. nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null`
  517. if [ "$nsinfo" ]; then
  518.   echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo"
  519.   echo -e "\n"
  520. fi
  521.  
  522. nsinfosysd=`systemd-resolve --status 2>/dev/null`
  523. if [ "$nsinfosysd" ]; then
  524.   echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd"
  525.   echo -e "\n"
  526. fi
  527.  
  528. #default route configuration
  529. defroute=`route 2>/dev/null | grep default`
  530. if [ "$defroute" ]; then
  531.   echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute"
  532.   echo -e "\n"
  533. fi
  534.  
  535. #default route configuration
  536. defrouteip=`ip r 2>/dev/null | grep default`
  537. if [ ! "$defroute" ] && [ "$defrouteip" ]; then
  538.   echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip"
  539.   echo -e "\n"
  540. fi
  541.  
  542. #listening TCP
  543. tcpservs=`netstat -ntpl 2>/dev/null`
  544. if [ "$tcpservs" ]; then
  545.   echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs"
  546.   echo -e "\n"
  547. fi
  548.  
  549. tcpservsip=`ss -t -l -n 2>/dev/null`
  550. if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then
  551.   echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip"
  552.   echo -e "\n"
  553. fi
  554.  
  555. #listening UDP
  556. udpservs=`netstat -nupl 2>/dev/null`
  557. if [ "$udpservs" ]; then
  558.   echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs"
  559.   echo -e "\n"
  560. fi
  561.  
  562. udpservsip=`ss -u -l -n 2>/dev/null`
  563. if [ ! "$udpservs" ] && [ "$udpservsip" ]; then
  564.   echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip"
  565.   echo -e "\n"
  566. fi
  567. }
  568.  
  569. services_info()
  570. {
  571. echo -e "\e[00;33m### SERVICES #############################################\e[00m"
  572.  
  573. #running processes
  574. psaux=`ps aux 2>/dev/null`
  575. if [ "$psaux" ]; then
  576.   echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux"
  577.   echo -e "\n"
  578. fi
  579.  
  580. #lookup process binary path and permissisons
  581. procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null`
  582. if [ "$procperm" ]; then
  583.   echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm"
  584.   echo -e "\n"
  585. fi
  586.  
  587. if [ "$export" ] && [ "$procperm" ]; then
  588. procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null`
  589.   mkdir $format/ps-export/ 2>/dev/null
  590.   for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null
  591. fi
  592.  
  593. #anything 'useful' in inetd.conf
  594. inetdread=`cat /etc/inetd.conf 2>/dev/null`
  595. if [ "$inetdread" ]; then
  596.   echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread"
  597.   echo -e "\n"
  598. fi
  599.  
  600. if [ "$export" ] && [ "$inetdread" ]; then
  601.   mkdir $format/etc-export/ 2>/dev/null
  602.   cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null
  603. fi
  604.  
  605. #very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each
  606. inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
  607. if [ "$inetdbinperms" ]; then
  608.   echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms"
  609.   echo -e "\n"
  610. fi
  611.  
  612. xinetdread=`cat /etc/xinetd.conf 2>/dev/null`
  613. if [ "$xinetdread" ]; then
  614.   echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread"
  615.   echo -e "\n"
  616. fi
  617.  
  618. if [ "$export" ] && [ "$xinetdread" ]; then
  619.   mkdir $format/etc-export/ 2>/dev/null
  620.   cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null
  621. fi
  622.  
  623. xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null`
  624. if [ "$xinetdincd" ]; then
  625.   echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null
  626.   echo -e "\n"
  627. fi
  628.  
  629. #very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each
  630. xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null`
  631. if [ "$xinetdbinperms" ]; then
  632.   echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms"
  633.   echo -e "\n"
  634. fi
  635.  
  636. initdread=`ls -la /etc/init.d 2>/dev/null`
  637. if [ "$initdread" ]; then
  638.   echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread"
  639.   echo -e "\n"
  640. fi
  641.  
  642. #init.d files NOT belonging to root!
  643. initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  644. if [ "$initdperms" ]; then
  645.   echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms"
  646.   echo -e "\n"
  647. fi
  648.  
  649. rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null`
  650. if [ "$rcdread" ]; then
  651.   echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread"
  652.   echo -e "\n"
  653. fi
  654.  
  655. #init.d files NOT belonging to root!
  656. rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  657. if [ "$rcdperms" ]; then
  658.   echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms"
  659.   echo -e "\n"
  660. fi
  661.  
  662. usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null`
  663. if [ "$usrrcdread" ]; then
  664.   echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread"
  665.   echo -e "\n"
  666. fi
  667.  
  668. #rc.d files NOT belonging to root!
  669. usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  670. if [ "$usrrcdperms" ]; then
  671.   echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms"
  672.   echo -e "\n"
  673. fi
  674.  
  675. initread=`ls -la /etc/init/ 2>/dev/null`
  676. if [ "$initread" ]; then
  677.   echo -e "\e[00;31m[-] /etc/init/ config file permissions:\e[00m\n$initread"
  678.   echo -e "\n"
  679. fi
  680.  
  681. # upstart scripts not belonging to root
  682. initperms=`find /etc/init \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  683. if [ "$initperms" ]; then
  684.    echo -e "\e[00;31m[-] /etc/init/ config files not belonging to root:\e[00m\n$initperms"
  685.    echo -e "\n"
  686. fi
  687.  
  688. systemdread=`ls -lthR /lib/systemd/ 2>/dev/null`
  689. if [ "$systemdread" ]; then
  690.   echo -e "\e[00;31m[-] /lib/systemd/* config file permissions:\e[00m\n$systemdread"
  691.   echo -e "\n"
  692. fi
  693.  
  694. # systemd files not belonging to root
  695. systemdperms=`find /lib/systemd/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  696. if [ "$systemdperms" ]; then
  697.    echo -e "\e[00;33m[+] /lib/systemd/* config files not belonging to root:\e[00m\n$systemdperms"
  698.    echo -e "\n"
  699. fi
  700. }
  701.  
software_configs()
{
  # Versions and weak default credentials of commonly installed software.
  # CAUTION: the mysqladmin and psql checks are real login attempts against
  # the local service, not passive reads - they appear in the server's logs,
  # and the MySQL root/root probe puts the password on the command line where
  # 'ps' can see it. Skip this section where stealth matters.
  # Globals read: export, format, thorough
  echo -e "\e[00;33m### SOFTWARE #############################################\e[00m"

  # sudo -V needs no authentication; compare the version against known CVEs
  sudover=$(sudo -V 2>/dev/null | grep "Sudo version" 2>/dev/null)
  if [[ -n "$sudover" ]]; then
    echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover"
    printf '\n\n'
  fi

  mysqlver=$(mysql --version 2>/dev/null)
  if [[ -n "$mysqlver" ]]; then
    echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver"
    printf '\n\n'
  fi

  # default-credential probe (root/root), then root with no password
  mysqlconnect=$(mysqladmin -uroot -proot version 2>/dev/null)
  if [[ -n "$mysqlconnect" ]]; then
    echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect"
    printf '\n\n'
  fi

  mysqlconnectnopass=$(mysqladmin -uroot version 2>/dev/null)
  if [[ -n "$mysqlconnectnopass" ]]; then
    echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass"
    printf '\n\n'
  fi

  postgver=$(psql -V 2>/dev/null)
  if [[ -n "$postgver" ]]; then
    echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver"
    printf '\n\n'
  fi

  # passwordless (-w) connection attempts to the template databases as the
  # two usual superuser accounts. The message for the 'pgsql' login reads
  # 'psql' in the original output and is kept verbatim.
  for pgspec in postgres/template0/postgres postgres/template1/postgres pgsql/template0/psql pgsql/template1/psql; do
    IFS=/ read -r pguser pgdb pglabel <<< "$pgspec"
    pgprobe=$(psql -U "$pguser" -w "$pgdb" -c 'select version()' 2>/dev/null | grep version)
    if [[ -n "$pgprobe" ]]; then
      echo -e "\e[00;33m[+] We can connect to Postgres DB '$pgdb' as user '$pglabel' with no password!:\e[00m\n$pgprobe"
      printf '\n\n'
    fi
  done

  apachever=$(apache2 -v 2>/dev/null; httpd -v 2>/dev/null)
  if [[ -n "$apachever" ]]; then
    echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever"
    printf '\n\n'
  fi

  # account apache drops to, from the Debian-style envvars file
  apacheusr=$(grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null | awk '{sub(/.*\export /,"")}1' 2>/dev/null)
  if [[ -n "$apacheusr" ]]; then
    echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr"
    printf '\n\n'
  fi

  if [[ -n "$export" && -n "$apacheusr" ]]; then
    mkdir --parents $format/etc-export/apache2/ 2>/dev/null
    cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null
  fi

  apachemodules=$(apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null)
  if [[ -n "$apachemodules" ]]; then
    echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules"
    printf '\n\n'
  fi

  # full filesystem walk; every .htpasswd found is printed along with its
  # contents (user:hash lines)
  htpasswd=$(find / -name .htpasswd -print -exec cat {} \; 2>/dev/null)
  if [[ -n "$htpasswd" ]]; then
    echo -e "\e[00;33m[-] htpasswd found - could contain passwords:\e[00m\n$htpasswd"
    printf '\n\n'
  fi

  # recursive listing of the usual document roots - thorough only, it is big
  if [[ "$thorough" == "1" ]]; then
    apachehomedirs=$(ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null)
    if [[ -n "$apachehomedirs" ]]; then
      echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs"
      printf '\n\n'
    fi
  fi

}
  809.  
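#helpers for interesting_files() - kept private (leading underscore) so they
#do not clash with the report sections called from call_each()

#copy files into the export directory: reads one path per line from stdin
#and copies each into "$format/<subdir>/"
#  $1 - sub-directory under $format
#  $2 - "parents" keeps the source directory structure (cp --parents),
#       anything else drops the files flat into the sub-directory
#no-op unless -e was supplied; unreadable or non-regular paths are skipped
#quietly, as the original per-file cp did
_export_paths()
{
  local subdir="$1" mode="$2" path
  [ "$export" ] || return 0
  mkdir -p "$format/$subdir" 2>/dev/null
  while IFS= read -r path; do
    [ -f "$path" ] || continue
    if [ "$mode" = "parents" ]; then
      cp --parents -- "$path" "$format/$subdir/" 2>/dev/null
    else
      cp -- "$path" "$format/$subdir/" 2>/dev/null
    fi
  done
  return 0
}

#ls -la every path read from stdin (one per line); unreadable paths are
#skipped quietly
_ls_each()
{
  local path
  while IFS= read -r path; do
    [ -n "$path" ] && ls -la "$path" 2>/dev/null
  done
  return 0
}

#ls -la every path read from stdin (one per line) that also satisfies the
#given find(1) predicates, e.g. "_ls_matching -uid 0 -perm -4002 -type f"
#paths are handled one at a time so names containing spaces survive and an
#empty list never makes find fall back to searching the current directory
_ls_matching()
{
  local path
  while IFS= read -r path; do
    [ -n "$path" ] && find "$path" "$@" -exec ls -la {} \; 2>/dev/null
  done
  return 0
}

#print "<key>: <value>" for every <key>=<value> mount option in /etc/fstab
#  $1 - option name (username, password, domain)
#values are printed one per line by a plain read loop; the original piped
#them through xargs, which aborts on a value containing a quote character
_fstab_option()
{
  local value
  grep -- "$1=" /etc/fstab 2>/dev/null |
    awk -v key="$1" '{sub(".*" key "=", ""); sub(/,.*/, "")}1' 2>/dev/null |
    while IFS= read -r value; do
      [ -n "$value" ] && echo "$1: $value"
    done
  return 0
}

#search files with a given extension for the -k keyword and report the hits
#  $1 - extension without the dot (conf, php, log, ini)
#  $2 - find -maxdepth from /
#  $3 - sub-directory under keyword_file_matches/ for the exported copies
#a hit is printed as filepath:line number:matching line (grep -Hn); the
#keyword is passed quoted and after "--" so spaces or a leading dash do not
#break the grep (it is still a basic regex, as before)
_keyword_search()
{
  local ext="$1" depth="$2" subdir="$3" matches hits
  if [ "$keyword" = "" ]; then
    echo -e "[-] Can't search *.$ext files as no keyword was entered\n"
    return 0
  fi
  matches=$(find / -maxdepth "$depth" -name "*.$ext" -type f -exec grep -Hn -- "$keyword" {} + 2>/dev/null)
  if [ "$matches" ]; then
    echo -e "\e[00;31m[-] Find keyword ($keyword) in .$ext files (recursive $depth levels - output format filepath:identified line number where keyword appears):\e[00m\n$matches"
    echo -e "\n"
    if [ "$export" ]; then
      #second pass lists just the matching file names for the copy
      hits=$(find / -maxdepth "$depth" -name "*.$ext" -type f -exec grep -l -- "$keyword" {} + 2>/dev/null)
      printf '%s\n' "$hits" | _export_paths "keyword_file_matches/$subdir" parents
    fi
  else
    echo -e "\e[00;31m[-] Find keyword ($keyword) in .$ext files (recursive $depth levels):\e[00m"
    echo -e "'$keyword' not found in any .$ext files"
    echo -e "\n"
  fi
  return 0
}

#INTERESTING FILES section of the report: SUID/SGID binaries, capabilities,
#key material, world-writable files, .plan/.rhosts, NFS and fstab details,
#keyword hits in config/php/log/ini files, shell history and mail
#globals read: thorough ("1" enables the slow checks), export and format
#(when -e was given copies of findings are written under $format), keyword
#(-k), binarylist (grep -w pattern of interesting binaries, defined
#elsewhere in the script)
#output: the report section on stdout; every probe is best-effort with
#errors discarded, nothing here is fatal
interesting_files()
{
local tool histfile currentuser wwpaths

echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m"

#checks to see if various files are installed
echo -e "\e[00;31m[-] Useful file locations:\e[00m"
for tool in nc netcat wget nmap gcc curl; do
  command -v "$tool" 2>/dev/null
done
echo -e "\n"

#limited search for installed compilers
#';' rather than '&&' between the package managers: with '&&' the yum query
#only ran when the dpkg pipeline had matched something, so RPM based hosts
#(no dpkg) never had their compilers listed
compiler=$(dpkg --list 2>/dev/null | grep compiler | grep -v decompiler 2>/dev/null; yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null)
if [ "$compiler" ]; then
  echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler"
  echo -e "\n"
fi

#manual check - lists out sensitive files, can we read/modify etc.
echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m"
ls -la /etc/passwd 2>/dev/null
ls -la /etc/group 2>/dev/null
ls -la /etc/profile 2>/dev/null
ls -la /etc/shadow 2>/dev/null
ls -la /etc/master.passwd 2>/dev/null
echo -e "\n"

#search for suid files - one filesystem walk, the path list is reused by
#the world-writable checks and the export below
allsuid=$(find / -perm -4000 -type f 2>/dev/null)
findsuid=$(printf '%s\n' "$allsuid" | _ls_matching -perm -4000 -type f)
if [ "$findsuid" ]; then
  echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid"
  echo -e "\n"
fi

if [ "$export" ] && [ "$findsuid" ]; then
  #copy the binaries from the path list, not from the tokens of the ls output
  printf '%s\n' "$allsuid" | _export_paths suid-files flat
fi

#list of 'interesting' suid files - feel free to make additions
intsuid=""
if [ "$binarylist" ]; then
  intsuid=$(printf '%s\n' "$findsuid" | grep -w "$binarylist" 2>/dev/null)
fi
if [ "$intsuid" ]; then
  echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid"
  echo -e "\n"
fi

#lists world-writable suid files
wwsuid=$(printf '%s\n' "$allsuid" | _ls_matching -perm -4002 -type f)
if [ "$wwsuid" ]; then
  echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid"
  echo -e "\n"
fi

#lists world-writable suid files owned by root
wwsuidrt=$(printf '%s\n' "$allsuid" | _ls_matching -uid 0 -perm -4002 -type f)
if [ "$wwsuidrt" ]; then
  echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt"
  echo -e "\n"
fi

#search for sgid files - same pattern as the suid checks above
allsgid=$(find / -perm -2000 -type f 2>/dev/null)
findsgid=$(printf '%s\n' "$allsgid" | _ls_matching -perm -2000 -type f)
if [ "$findsgid" ]; then
  echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid"
  echo -e "\n"
fi

if [ "$export" ] && [ "$findsgid" ]; then
  printf '%s\n' "$allsgid" | _export_paths sgid-files flat
fi

#list of 'interesting' sgid files
intsgid=""
if [ "$binarylist" ]; then
  intsgid=$(printf '%s\n' "$findsgid" | grep -w "$binarylist" 2>/dev/null)
fi
if [ "$intsgid" ]; then
  echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid"
  echo -e "\n"
fi

#lists world-writable sgid files
wwsgid=$(printf '%s\n' "$allsgid" | _ls_matching -perm -2002 -type f)
if [ "$wwsgid" ]; then
  echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid"
  echo -e "\n"
fi

#lists world-writable sgid files owned by root
wwsgidrt=$(printf '%s\n' "$allsgid" | _ls_matching -uid 0 -perm -2002 -type f)
if [ "$wwsgidrt" ]; then
  echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt"
  echo -e "\n"
fi

#list all files with POSIX capabilities set along with their capabilities
fileswithcaps=$(getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null)
if [ "$fileswithcaps" ]; then
  echo -e "\e[00;31m[+] Files with POSIX capabilities set:\e[00m\n$fileswithcaps"
  echo -e "\n"
fi

if [ "$export" ] && [ "$fileswithcaps" ]; then
  #getcap prints the path as the first field of each line; the old loop
  #handed every token (including the "=" and the capability names) to cp
  printf '%s\n' "$fileswithcaps" | awk '{print $1}' | _export_paths files_with_capabilities flat
fi

#searches /etc/security/capability.conf for users' associated capabilities
userswithcaps=$(grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null)
if [ "$userswithcaps" ]; then
  echo -e "\e[00;33m[+] Users with specific POSIX capabilities:\e[00m\n$userswithcaps"
  echo -e "\n"
fi

if [ "$userswithcaps" ]; then
  #matches the capabilities found associated with users with the current user
  #(fixed-string match on the user name; an unknown name matches nothing
  #rather than everything)
  currentuser=$(whoami 2>/dev/null)
  matchedcaps=""
  if [ "$currentuser" ]; then
    matchedcaps=$(printf '%s\n' "$userswithcaps" | grep -F -- "$currentuser" | awk '{print $1}' 2>/dev/null)
  fi
  if [ "$matchedcaps" ]; then
    echo -e "\e[00;33m[+] Capabilities associated with the current user:\e[00m\n$matchedcaps"
    echo -e "\n"
    #matches the files with capabilities with capabilities associated with the current user
    matchedfiles=$(printf '%s\n' "$matchedcaps" | while IFS= read -r cap; do [ -n "$cap" ] && printf '%s\n' "$fileswithcaps" | grep -- "$cap"; done 2>/dev/null)
    if [ "$matchedfiles" ]; then
      echo -e "\e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):\e[00m\n$matchedfiles"
      echo -e "\n"
      #lists the permissions of the files having the same capabilities associated with the current user
      matchedfilesperms=$(printf '%s\n' "$matchedfiles" | awk '{print $1}' | _ls_each)
      echo -e "\e[00;33m[+] Permissions of files with the same capabilities associated with the current user:\e[00m\n$matchedfilesperms"
      echo -e "\n"
      if [ "$matchedfilesperms" ]; then
        #checks if any of the files with same capabilities associated with the current user is writable
        writablematchedfiles=$(printf '%s\n' "$matchedfiles" | awk '{print $1}' | while IFS= read -r f; do [ -n "$f" ] && find "$f" -writable -exec ls -la {} + ; done 2>/dev/null)
        if [ "$writablematchedfiles" ]; then
          echo -e "\e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:\e[00m\n$writablematchedfiles"
          echo -e "\n"
        fi
      fi
    fi
  fi
fi

#thorough-only checks (each one walks a directory tree)
if [ "$thorough" = "1" ]; then
  #look for private keys - thanks djhohnstein
  privatekeyfiles=$(grep -rl "PRIVATE KEY-----" /home 2>/dev/null)
  if [ "$privatekeyfiles" ]; then
    echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles"
    echo -e "\n"
  fi

  #look for AWS keys - thanks djhohnstein
  awskeyfiles=$(grep -rli "aws_secret_access_key" /home 2>/dev/null)
  if [ "$awskeyfiles" ]; then
    echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles"
    echo -e "\n"
  fi

  #look for git credential files - thanks djhohnstein
  gitcredfiles=$(find / -name ".git-credentials" 2>/dev/null)
  if [ "$gitcredfiles" ]; then
    echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles"
    echo -e "\n"
  fi

  #list all world-writable files excluding /proc and /sys
  wwpaths=$(find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f 2>/dev/null)
  wwfiles=$(printf '%s\n' "$wwpaths" | _ls_each)
  if [ "$wwfiles" ]; then
    echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles"
    echo -e "\n"
  fi

  if [ "$export" ] && [ "$wwfiles" ]; then
    printf '%s\n' "$wwpaths" | _export_paths ww-files parents
  fi
fi

#are any .plan files accessible in /home (could contain useful information)
usrplan=$(find /home -iname '*.plan' -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
if [ "$usrplan" ]; then
  echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan"
  echo -e "\n"
fi

if [ "$export" ] && [ "$usrplan" ]; then
  #export the files themselves; $usrplan mixes ls output and file contents
  find /home -iname '*.plan' -type f 2>/dev/null | _export_paths plan_files parents
fi

bsdusrplan=$(find /usr/home -iname '*.plan' -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
if [ "$bsdusrplan" ]; then
  echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan"
  echo -e "\n"
fi

if [ "$export" ] && [ "$bsdusrplan" ]; then
  find /usr/home -iname '*.plan' -type f 2>/dev/null | _export_paths plan_files parents
fi

#are there any .rhosts files accessible - these may allow us to login as another user etc.
rhostsusr=$(find /home -iname '*.rhosts' -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
if [ "$rhostsusr" ]; then
  echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr"
  echo -e "\n"
fi

if [ "$export" ] && [ "$rhostsusr" ]; then
  find /home -iname '*.rhosts' -type f 2>/dev/null | _export_paths rhosts parents
fi

bsdrhostsusr=$(find /usr/home -iname '*.rhosts' -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
if [ "$bsdrhostsusr" ]; then
  echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr"
  echo -e "\n"
fi

if [ "$export" ] && [ "$bsdrhostsusr" ]; then
  find /usr/home -iname '*.rhosts' -type f 2>/dev/null | _export_paths rhosts parents
fi

rhostssys=$(find /etc -iname hosts.equiv -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
if [ "$rhostssys" ]; then
  echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys"
  echo -e "\n"
fi

if [ "$export" ] && [ "$rhostssys" ]; then
  find /etc -iname hosts.equiv -type f 2>/dev/null | _export_paths rhosts parents
fi

#list nfs shares/permissions etc.
nfsexports=$(ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null)
if [ "$nfsexports" ]; then
  echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports"
  echo -e "\n"
fi

if [ "$export" ] && [ "$nfsexports" ]; then
  mkdir -p "$format/etc-export/" 2>/dev/null
  cp /etc/exports "$format/etc-export/exports" 2>/dev/null
fi

if [ "$thorough" = "1" ]; then
  #phackt
  #displaying /etc/fstab
  fstab=$(cat /etc/fstab 2>/dev/null)
  if [ "$fstab" ]; then
    echo -e "\e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystems\e[00m"
    echo -e "$fstab"
    echo -e "\n"
  fi
fi

#looking for credentials in /etc/fstab (username=/password=/domain= mount options)
fstab=$(_fstab_option username; _fstab_option password; _fstab_option domain)
if [ "$fstab" ]; then
  echo -e "\e[00;33m[+] Looks like there are credentials in /etc/fstab!\e[00m\n$fstab"
  echo -e "\n"
fi

if [ "$export" ] && [ "$fstab" ]; then
  #the old copy had a stray "done" argument (cp SRC DST done) so it always
  #failed; fstab now lands in etc-export/ next to the other /etc copies
  mkdir -p "$format/etc-export/" 2>/dev/null
  cp /etc/fstab "$format/etc-export/fstab" 2>/dev/null
fi

#credentials= in fstab points at a file holding the share credentials; list
#and dump it (no "sh -c" so a crafted path cannot be run as a command)
fstabcred=$(grep -- "credentials=" /etc/fstab 2>/dev/null | awk '{sub(/.*credentials=/,"");sub(/,.*/,"")}1' 2>/dev/null | while IFS= read -r credfile; do [ -n "$credfile" ] && { ls -la "$credfile"; cat "$credfile"; }; done 2>/dev/null)
if [ "$fstabcred" ]; then
  echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred"
  echo -e "\n"
fi

if [ "$export" ] && [ "$fstabcred" ]; then
  mkdir -p "$format/etc-export/" 2>/dev/null
  cp /etc/fstab "$format/etc-export/fstab" 2>/dev/null
fi

#use supplied keyword and grep *.conf/*.php/*.log/*.ini files for potential
#matches - output shows the line number within the file where a match was
#located; with -e the matching files are copied under keyword_file_matches/
_keyword_search conf 4 config_files
_keyword_search php 10 php_files
_keyword_search log 4 log_files
_keyword_search ini 4 ini_files

#quick extract of .conf files from /etc - only 1 level
allconf=$(find /etc/ -maxdepth 1 -name '*.conf' -type f -exec ls -la {} \; 2>/dev/null)
if [ "$allconf" ]; then
  echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf"
  echo -e "\n"
fi

if [ "$export" ] && [ "$allconf" ]; then
  find /etc/ -maxdepth 1 -name '*.conf' -type f 2>/dev/null | _export_paths conf-files parents
fi

#extract any user history files that are accessible
usrhist=$(ls -la ~/.*_history 2>/dev/null)
if [ "$usrhist" ]; then
  echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist"
  echo -e "\n"
fi

if [ "$export" ] && [ "$usrhist" ]; then
  for histfile in ~/.*_history; do
    [ -f "$histfile" ] && printf '%s\n' "$histfile"
  done | _export_paths history_files parents
fi

#can we read roots *_history files - could be passwords stored etc.
roothist=$(ls -la /root/.*_history 2>/dev/null)
if [ "$roothist" ]; then
  echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
  echo -e "\n"
fi

if [ "$export" ] && [ "$roothist" ]; then
  for histfile in /root/.*_history; do
    [ -f "$histfile" ] && printf '%s\n' "$histfile"
  done | _export_paths history_files flat
fi

#all accessible .bash_history files in /home
checkbashhist=$(find /home -name .bash_history -print -exec cat {} \; 2>/dev/null)
if [ "$checkbashhist" ]; then
  echo -e "\e[00;31m[-] Location and contents (if accessible) of .bash_history file(s):\e[00m\n$checkbashhist"
  echo -e "\n"
fi

#any .bak files that may be of interest (the original had "2</dev/null",
#which redirected stdin instead of silencing find's errors)
bakfiles=$(find / -name '*.bak' -type f 2>/dev/null)
if [ "$bakfiles" ]; then
  echo -e "\e[00;31m[-] Location and Permissions (if accessible) of .bak file(s):\e[00m"
  printf '%s\n' "$bakfiles" | _ls_each
  echo -e "\n"
fi

#is there any mail accessible
readmail=$(ls -la /var/mail 2>/dev/null)
if [ "$readmail" ]; then
  echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
  echo -e "\n"
fi

#can we read roots mail
readmailroot=$(head /var/mail/root 2>/dev/null)
if [ "$readmailroot" ]; then
  echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
  echo -e "\n"
fi

if [ "$export" ] && [ "$readmailroot" ]; then
  #copy the mailbox file itself; the original passed the mail text to cp
  mkdir -p "$format/mail-from-root/" 2>/dev/null
  cp /var/mail/root "$format/mail-from-root/" 2>/dev/null
fi
}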
  1259.  
#Docker related checks: are we inside a container, is this host running
#Docker, does the current user carry docker group rights, and are there
#Dockerfiles / compose files on disk worth reading
#output: report lines on stdout, nothing when an indicator is absent
#note: three separate "find /" walks (dockerenv, Dockerfile, compose file)
docker_checks()
{
#specific checks - check to see if we're in a docker container
dockercontainer=$(grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null)
[ "$dockercontainer" ] && {
  echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
  echo -e "\n"
}

#specific checks - check to see if we're a docker host
dockerhost=$(docker --version 2>/dev/null; docker ps -a 2>/dev/null)
[ "$dockerhost" ] && {
  echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
  echo -e "\n"
}

#specific checks - are we a member of the docker group
dockergrp=$(id | grep -i docker 2>/dev/null)
[ "$dockergrp" ] && {
  echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
  echo -e "\n"
}

#specific checks - are there any Dockerfiles present
dockerfiles=$(find / -name Dockerfile -exec ls -l {} \; 2>/dev/null)
[ "$dockerfiles" ] && {
  echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
  echo -e "\n"
}

#specific checks - are there any compose files present
dockeryml=$(find / -name docker-compose.yml -exec ls -l {} \; 2>/dev/null)
[ "$dockeryml" ] && {
  echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
  echo -e "\n"
}
return 0
}
  1298.  
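#LXC/LXD checks: are we inside an LXC container (init's environment carries
#container=lxc) and is the current user in the lxd group
#output: report lines on stdout, nothing when neither applies
#NOTE(review): /proc/1/environ is normally only readable with sufficient
#privilege, so an empty result here is not proof we are outside a container
lxc_container_checks()
{
#specific checks - are we in an lxd/lxc container
#the original used "grep -q", which prints nothing, so the variable was
#always empty and this check could never fire; /proc/1/environ is NUL
#separated, so split it into lines first and keep only the matching entry
lxccontainer=$(tr '\0' '\n' < /proc/1/environ 2>/dev/null | grep -a container=lxc 2>/dev/null)
if [ "$lxccontainer" ]; then
  echo -e "\e[00;33m[+] Looks like we're in a lxc container:\e[00m\n$lxccontainer"
  echo -e "\n"
fi

#specific checks - are we a member of the lxd group
lxdgroup=$(id | grep -i lxd 2>/dev/null)
if [ "$lxdgroup" ]; then
  echo -e "\e[00;33m[+] We're a member of the (lxd) group - could possibly misuse these rights!\e[00m\n$lxdgroup"
  echo -e "\n"
fi
}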
  1316.  
#closing banner of the report, printed last by call_each()
footer()
{
printf '\e[00;33m### SCAN COMPLETE ####################################\e[00m\n'
}
  1321.  
#run every report section in its fixed order; each section writes to
#stdout, so the caller can tee the whole run into the -r report file
call_each()
{
  local section
  for section in header debug_info system_info user_info environmental_info job_info networking_info services_info software_configs interesting_files docker_checks lxc_container_checks footer; do
    "$section"
  done
}
  1338.  
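#command line handling
#  -k keyword   search conf/php/log/ini files for this (basic regex) pattern
#  -r name      report file; the date is appended so reruns do not overwrite
#  -e dir       export directory for copies of interesting files
#  -s           sudo checks with the user's password (INSECURE)
#  -t           thorough (slow) tests
#  -h           usage
#"h" takes no argument: the old "h:" spec made a bare -h fail with "option
#requires an argument" (and swallowed the next flag) before reaching usage
while getopts "hk:r:e:st" option; do
 case "${option}" in
    k) keyword=${OPTARG};;
    r) report=${OPTARG}"-"$(date +"%d-%m-%y");;
    e) export=${OPTARG};;
    s) sudopass=1;;
    t) thorough=1;;
    h) usage; exit;;
    *) usage; exit;;
 esac
done

#run all sections; with -r the output is also appended to the report file
#(${report:+...} hands tee no file at all when -r was not supplied)
call_each | tee -a ${report:+"$report"} 2> /dev/null
#EndOfScript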