Ananke v0.06

  1. #!/bin/sh
  2. #
  3. # Ananke v0.06 - "enumeration is a necessity"
  4. # 2012-05-25
  5. #
  6. # Tested on Backtrack 5(Ubuntu 10.10), Ubuntu 7.10, Ubuntu 10.04 (LTS), Cent0S5.4, FC4, FBSD7.0
  7. # Debian 4.0, Debian 5.0.4
  8.  
  9. # PLEASE NOTE:
  10. # Acknowledged: This script is inefficient; multiple seeks exist for the same data - however no temporary flies are left to disk other than the final output file.
  11. # *Obviously* this could be done (and much better) in another language e.g. python, perl... however using "sh" ensures portability; the language is
  12. # available to run the script.
  13.  
  14.  
  15. # Enable to "y" for execution of the intensive searches in the section below
  16. STDOUT="y"                      # echo section progress to stdout(Display)
  17. SYSTEM="y"                      # Perform System extraction
  18. NETWORKING="y"          # Perform Network parameters extraction
  19. AUTHENTICATION="y"      # Perform Authentication extraction
  20. SYSTEMCONF="y"          # Perform system configuration specific extraction
  21.         PROCESSES="y"   # Perform running processes extraction
  22. APPLICATIONS="y"        # Perform Servers and Applications extraction
  23. LANGUAGES="y"           # Perform installed languages extraction
  24. FILESRCH="y"            # Perform file system directories and permissions extraction
  25.         SUIDLIB="y"     # SUID library breakdown and permissions extraction
  26.         HOMELIST="y"    # List files in home directories
  27. PKGMGMT="y"             # Perform package management extraction
  28. KERNELCONF="y"          # Perform kernel config extraction
  29. LOGPROC="y"             # Very Basic logfile analysis extraction
  30.         APACHELOG="y"   # Do this for Apache
  31.         SSHDLOGS="y"    # Do this for SSHD in auth.log
  32.         POSTFIXLOGS="y" # Do this for SSHD in auth.log
  33.  
  34. # Ensure commands referenced below are in the common path environment
  35. PATH="$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
  36.  
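# Locate the tools used for the report header.  "command -v" is what the rest
# of the script uses, so it is used here as well (whereis output differs
# between platforms); fall back to the bare name if the lookup fails.
UNAME=$(command -v uname 2>/dev/null)
HOSTNAME=$(command -v hostname 2>/dev/null)
: "${UNAME:=uname}"
: "${HOSTNAME:=hostname}"

DATE=$(date +"%Y-%m-%d")
TIME=$(date +"%H:%M:%S")
OSNAME=$("$UNAME" -s)
OSREL=$("$UNAME" -r)
OSVER=$("$UNAME" -v)
ARCHTYPE=$("$UNAME" -m)
OSFULL=$("$UNAME" -a)
UPTIME=$(uptime)
ID=$(id)
WHO=$(whoami)
echo "$("$HOSTNAME" -f) reconnaissance executed by $WHO"

# Primary IPv4 address: the first non-loopback "inet" line of ifconfig.
# The awk accepts both the old Linux "inet addr:A.B.C.D" layout and the
# "inet A.B.C.D" layout used by FreeBSD and newer net-tools, so a single
# expression serves both platforms (ifconfig is found via the extended PATH).
PIP4ADD=""
case "$OSNAME" in
  Linux|FreeBSD)
    PIP4ADD=$(ifconfig 2>/dev/null | awk '/inet / && !/127\.0\.0\.1/ { sub(/^addr:/, "", $2); print $2; exit }')
    ;;
esac

echo "$PIP4ADD"
FILE="${PIP4ADD}_$("$HOSTNAME")_audit_${WHO}_${DATE}"

# The report will hold password hashes, the environment and daemon
# configuration: create it owner-readable only, and start from a clean file.
umask 077
rm -f -- "$FILE" 2>/dev/null
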
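# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Variables and binary locations section
# Each *VER variable holds the captured version output (not a command string),
# so later sections can echo it; it is empty when the tool is absent.  The
# *CONF variables are find(1) output and may contain several paths, one per line.
#PHPCONF=`find /etc -name php.ini 2>/dev/null | grep apache`

SSH=$(command -v ssh 2>/dev/null)
SSHVER=""
# ssh -V prints its version on stderr
if [ -n "$SSH" ] && [ -x "$SSH" ]; then SSHVER=$("$SSH" -V 2>&1); fi
SSHDCONF=$(find /etc -name sshd_config 2>/dev/null | head -n 1)

MYSQL=$(command -v mysql 2>/dev/null)
MYSQLVER=""
MYSQLCONF=""
if [ -n "$MYSQL" ] && [ -x "$MYSQL" ]; then
  MYSQLVER=$("$MYSQL" -V 2>/dev/null)
  MYSQLCONF=$(find /etc -name my.cnf 2>/dev/null)
fi

HTTPD=$(command -v httpd 2>/dev/null)
HTTPDVER=""
HTTPDCONF=""
DOCUMENTROOT=""
if [ -n "$HTTPD" ] && [ -x "$HTTPD" ]; then
  HTTPDVER=$("$HTTPD" -v 2>/dev/null)
  HTTPDCONF=$(find /etc -name httpd.conf 2>/dev/null)
  # -h suppresses the "file:" prefix so the path is always the second field;
  # only comment lines are dropped, a value containing "#" is kept
  DOCUMENTROOT=$(grep -Rh DocumentRoot /etc/httpd/conf* 2>/dev/null | grep -v '^[[:space:]]*#' | awk '{print $2}' | uniq | sed '/^$/d')
fi

APACHE=$(command -v apache2 2>/dev/null)
APACHEVER=""
APACHECONF=""
if [ -n "$APACHE" ] && [ -x "$APACHE" ]; then
  APACHEVER=$("$APACHE" -v 2>/dev/null)
  APACHECONF=$(find /etc -name apache2.conf 2>/dev/null)
  # overrides the httpd value above when both are installed, as before
  DOCUMENTROOT=$(grep -Rh DocumentRoot /etc/apache2 2>/dev/null | grep -v '^[[:space:]]*#' | awk '{print $2}' | uniq | sed '/^$/d')
fi

SAMBA=$(command -v smbd 2>/dev/null)
SAMBAVER=""
if [ -n "$SAMBA" ] && [ -x "$SAMBA" ]; then SAMBAVER=$("$SAMBA" -V 2>/dev/null); fi
SAMBACONF=$(find /etc -name smb.conf 2>/dev/null)

GCC=$(command -v gcc 2>/dev/null)
PERL=$(command -v perl 2>/dev/null)
RUBY=$(command -v ruby 2>/dev/null)
PHP=$(command -v php 2>/dev/null)


# Expand this if wishing to search outside of the following paths - streamlined to help reduce disk io and time consumption
BINARYDIR="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin"
WORLDIR="/tmp /var/tmp /var /root /dev /usr"
# Home directory of every account (sixth passwd field), one per line
HOMEDIR=$(cut -d : -f 6 /etc/passwd)
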
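# Linux sysctl keys reported by the NETWORKING section (the IPv4 list is
# walked with sysctl there; the IPv6 list is its counterpart).  Each entry is
# separated by a backslash-newline inside the quotes, which sh folds into a
# single space, so the result is one space-separated string suitable for
# "for key in $LINUXIPv4".  They are plain strings, so they are defined
# unconditionally instead of behind an OS test that could leave them unset.
LINUXIPv4="net.ipv4.tcp_syncookies \
net.ipv4.conf.all.rp_filter \
net.ipv4.conf.all.accept_source_route \
net.ipv4.conf.all.accept_redirects \
net.ipv4.conf.all.secure_redirects \
net.ipv4.conf.default.rp_filter \
net.ipv4.conf.default.accept_source_route \
net.ipv4.conf.default.accept_redirects \
net.ipv4.conf.default.secure_redirects \
net.ipv4.icmp_echo_ignore_broadcasts \
net.ipv4.ip_forward \
net.ipv4.conf.all.send_redirects \
net.ipv4.conf.default.send_redirects \
net.ipv4.tcp_max_syn_backlog"

LINUXIPv6="net.ipv6.conf.all.forwarding \
net.ipv6.conf.all.accept_redirects \
net.ipv6.conf.all.disable_ipv6 \
net.ipv6.bindv6only"
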
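# FreeBSD sysctl keys (IPv4, IPv6 and the jail/bsd security knobs).  Same
# layout as the Linux lists: backslash-newline inside the quotes folds to a
# single space, giving one space-separated string.  Two entries were broken
# in the previous revision - a stray "sysct" token after
# net.inet.ip.process_options fused with the following key, and
# net.inet.tcp.delayed_ack was capitalised (sysctl names are case-sensitive).
FBSDIPv4="net.inet.ip.forwarding \
net.inet.ip.redirect \
net.inet.ip.accept_sourceroute \
net.inet.ip.subnets_are_local \
net.inet.ip.maxfragpackets \
net.inet.ip.maxfragsperpacket \
net.inet.ip.fragpackets \
net.inet.ip.check_interface \
net.inet.ip.random_id \
net.inet.ip.sendsourcequench \
net.inet.ip.process_options \
net.inet.icmp.maskrepl \
net.inet.icmp.icmplim \
net.inet.icmp.bmcastecho \
net.inet.icmp.quotelen \
net.inet.icmp.reply_from_interface \
net.inet.icmp.reply_src \
net.inet.icmp.icmplim_output \
net.inet.icmp.log_redirect \
net.inet.icmp.drop_redirect \
net.inet.icmp.maskfake \
net.inet.tcp.rfc1323 \
net.inet.tcp.insecure_rst \
net.inet.tcp.rfc3390 \
net.inet.tcp.rfc3042 \
net.inet.tcp.drop_synfin \
net.inet.tcp.delayed_ack \
net.inet.tcp.blackhole \
net.inet.tcp.log_in_vain \
net.inet.tcp.icmp_may_rst \
net.inet.tcp.do_tcpdrain \
net.inet.tcp.log_debug \
net.inet.tcp.syncache.rst_on_sock_fail \
net.inet.tcp.syncookies_only \
net.inet.tcp.syncookies \
net.inet.tcp.timer_race \
net.inet.tcp.always_keepalive \
net.inet.udp.checksum \
net.inet.udp.blackhole \
net.inet.udp.log_in_vain \
net.link.ether.ipfw"

FBSDIPv6="net.inet6.ip6.forwarding \
net.inet6.ip6.redirect \
net.inet6.ip6.log_interval \
net.inet6.ip6.use_deprecated \
net.inet6.icmp6.rediraccept \
net.inet6.icmp6.redirtimeout"

FBSDSEC="security.jail.jailed \
security.jail.mount_allowed \
security.jail.chflags_allowed \
security.jail.allow_raw_sockets \
security.jail.enforce_statfs \
security.jail.sysvipc_allowed \
security.jail.socket_unixiproute_only \
security.jail.set_hostname_allowed \
security.bsd.suser_enabled \
security.bsd.unprivileged_proc_debug \
security.bsd.conservative_signals \
security.bsd.see_other_gids \
security.bsd.see_other_uids \
security.bsd.unprivileged_read_msgbuf \
security.bsd.hardlink_check_gid \
security.bsd.hardlink_check_uid \
security.bsd.unprivileged_get_quota"

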
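# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# System Fingerprinting section - header of the output file
# Reads OSNAME/OSREL/OSVER/ARCHTYPE/OSFULL/UPTIME/ID/DATE/TIME/PIP4ADD/HOSTNAME
# and appends to FILE; all of them come from the preamble above.

if [ "$SYSTEM" = "y" ]; then
  # "$STDOUT" = "y" is a real comparison; the old form [ $STDOUT="y" ] only
  # tested that a non-empty string existed and was therefore always true.
  if [ "$STDOUT" = "y" ]; then echo "TARGET SYSTEM"; fi
  {
    echo "######################################################################################################################################################"
    echo "TARGET SYSTEM"
    echo "######################################################################################################################################################"
    echo ""
    echo "Hostname: $("$HOSTNAME")"
    # PIP4ADD was already derived from ifconfig in the preamble; reuse it rather
    # than parsing ifconfig a second time with a different filter.
    echo "Primary IPv4 addr: $PIP4ADD"
    echo ""
    echo "Operating System: $OSNAME"
    if [ "$OSNAME" = "Linux" ]; then
      if [ -e /etc/debian_version ]; then
        echo "Debian Version: $(sed '/^$/d' /etc/debian_version)"
        echo "Issue: $(sed '/^$/d' /etc/issue)"
      elif [ -e /etc/redhat-release ]; then
        echo "RedHat-Release: $(sed '/^$/d' /etc/redhat-release)"
        echo "Issue: $(sed '/^$/d' /etc/issue)"
      elif [ -e /etc/gentoo-release ]; then
        sed '/^$/d' /etc/gentoo-release
      fi
    fi
    echo "Operating Kernel release: $OSREL"
    echo "Operating Kernel compile: $OSVER"
    echo "Architecture type: $ARCHTYPE"
    echo "Full Uname: $OSFULL"
    echo "System Uptime: $UPTIME"
    echo ""
    echo ""
    echo "Audit Start Date: $DATE"
    echo "Audit Start Time: $TIME"
    echo "Audit Performed by User: $ID"
    echo ""
    # The environment can carry credentials (proxy URLs, tokens) and it is
    # copied verbatim into the report - keep the report's permissions tight.
    echo "User Environment:"
    env
    echo "-----------------------------------------------------"
    echo ""
  } >> "$FILE"
fi
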
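# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Network Fingerprinting section
# Interfaces, routes, listening/open sockets, host-based filtering (TCP
# wrappers, iptables/ipfw), /etc/hosts and the IPv4 sysctl hardening keys
# from LINUXIPv4.  iptables, "lsof -i" and "netstat -p" show more when run as
# root; their stderr is deliberately not redirected so an unprivileged run
# is visible on the terminal.
echo "" >> "$FILE"
if [ "$NETWORKING" = "y" ]; then
  if [ "$STDOUT" = "y" ]; then echo "NETWORKING"; fi
  {
    echo "######################################################################################################################################################"
    echo "NETWORKING"
    echo "######################################################################################################################################################"
    echo ""
    # Interface configuration
    echo "Interfaces:" && /sbin/ifconfig -a
    echo "-----------------------------------------------------"
    echo ""
    # Routing table
    echo "Routing Table:" && netstat -rn
    echo "-----------------------------------------------------"
    echo ""

    # Listening IPv4/6 sockets
    echo "Listening IPv4/6 sockets"
    if [ "$OSNAME" = "FreeBSD" ]; then
      echo "Listening Sockets:" && sockstat -l; echo ""
    elif [ "$OSNAME" = "Linux" ]; then
      echo "Listening Sockets:" && netstat -lnp --inet 2>/dev/null
    fi
    echo "-----------------------------------------------------"
    echo ""
    echo "IPv4 Open Files Sockets:"
    if [ "$OSNAME" = "Linux" ]; then
      lsof -i4 2>/dev/null
      echo "IPv4 TCP Sockets:"; netstat -ant4 2>/dev/null; echo ""
      echo "IPv4 UDP Sockets:"; netstat -anu4 2>/dev/null
    elif [ "$OSNAME" = "FreeBSD" ]; then
      sockstat -4; echo ""
      echo "IPv4 TCP Sockets:"; /usr/bin/netstat -antf inet -p tcp 2>/dev/null; echo ""
      echo "IPv4 UDP Sockets:"; /usr/bin/netstat -antf inet -p udp 2>/dev/null; echo ""
    fi
    echo "-----------------------------------------------------"; echo ""

    echo "IPv6 Open Files Sockets:"
    if [ "$OSNAME" = "Linux" ]; then
      lsof -i6 2>/dev/null
      echo "IPv6 TCP Sockets:"; netstat -ant6 2>/dev/null; echo ""
      echo "IPv6 UDP Sockets:"; netstat -anu6 2>/dev/null
    elif [ "$OSNAME" = "FreeBSD" ]; then
      sockstat -6; echo ""
      echo "IPv6 TCP Sockets:"; /usr/bin/netstat -antf inet6 -p tcp 2>/dev/null; echo ""
      echo "IPv6 UDP Sockets:"; /usr/bin/netstat -antf inet6 -p udp 2>/dev/null; echo ""
    fi
    echo "-----------------------------------------------------"; echo ""

    # Accessible network filtering configuration. Firewall.
    # TCPWrappers - only comment *lines* are stripped, so a rule carrying a
    # trailing "#" remark is still reported.
    for f in /etc/hosts.allow /etc/hosts.deny; do
      if [ -e "$f" ]; then
        echo "TCPWrappers ${f##*/}:"
        ls -la "$f" && grep -v '^[[:space:]]*#' "$f" 2>/dev/null | sed '/^$/d'
        echo "-----------------------------------------------------"; echo ""
      fi
    done

    if [ "$OSNAME" = "Linux" ]; then
      echo "IPTABLES RULESET:" && iptables -L
    elif [ "$OSNAME" = "FreeBSD" ]; then
      echo "IPFW RULESET:" && ipfw -a list
    fi

    # hosts file
    if [ -e /etc/hosts ]; then
      echo "Hosts File:"
      ls -la /etc/hosts && sed '/^$/d' /etc/hosts 2>/dev/null
      echo "-----------------------------------------------------"; echo ""
    fi

    # IPv4 security settings - sysctl reports each key as "key = value"
    # (a FreeBSD walk of FBSDIPv4 is not wired up here yet)
    echo "IPv4 security kernel configuration:"
    if [ "$OSNAME" = "Linux" ]; then
      for key in $LINUXIPv4; do
        /sbin/sysctl "$key"
      done
    fi
    echo ""
    if [ -e /etc/sysctl.conf ]; then
      echo "Sysctl.conf security permissions:"
      ls -la /etc/sysctl.conf && sed '/^$/d' /etc/sysctl.conf
      echo "-----------------------------------------------------"; echo ""
    fi
  } >> "$FILE"
fi


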
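# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Authentication Fingerprinting section
# Logged-in users, login history, passwd/shadow/group, sudoers and the
# pam_wheel restriction on su.  Reading /etc/shadow and /etc/sudoers needs
# root; when that fails the report still carries the "ls -la" line.
if [ "$AUTHENTICATION" = "y" ]; then
  if [ "$STDOUT" = "y" ]; then echo "AUTHENTICATION"; fi
  {
    echo ""
    echo "######################################################################################################################################################"
    echo "AUTHENTICATION"
    echo "######################################################################################################################################################"
    echo ""
    echo "Users online:" && who
    echo "-----------------------------------------------------"
    echo ""
    echo "Last logins:" && last
    echo "-----------------------------------------------------"
    echo ""
    if [ -r /etc/passwd ]; then
      echo "Password file:"
      ls -la /etc/passwd && sed '/^$/d' /etc/passwd 2>/dev/null
      echo ""
      # Compare the numeric UID field: the old literal "x:0:" match misses
      # entries whose password field is not "x" (e.g. "*" on BSD) and the
      # heading was going to the terminal instead of the report.
      echo "UID 0 accounts"
      awk -F: '$3 == 0' /etc/passwd
      echo "-----------------------------------------------------"; echo ""
    fi

    if [ -e /etc/shadow ]; then
      echo "Shadow file:"
      ls -la /etc/shadow && sed '/^$/d' /etc/shadow 2>/dev/null
      echo "-----------------------------------------------------"; echo ""
    fi
    if [ -e /etc/group ]; then
      echo "Group file:"
      ls -la /etc/group && sed '/^$/d' /etc/group 2>/dev/null
      echo "-----------------------------------------------------"; echo ""
    fi

    if [ -e /etc/sudoers ]; then
      echo "SUDOers file:"
      # only comment lines are dropped; a rule with a trailing remark is kept
      ls -la /etc/sudoers && grep -v '^[[:space:]]*#' /etc/sudoers 2>/dev/null | sed '/^$/d'
      echo ""
      echo "Sudoers wheel group restrictions:"
      grep pam_wheel.so /etc/pam.d/su 2>/dev/null
      echo "-----------------------------------------------------"
    fi
    echo ""
  } >> "$FILE"
fi

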
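# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# System configurations and Fingerprinting section
# Process list, motd, sysctl.conf, NFS exports, suid_dumpable, ASLR and the
# system crontab.  The suid_dumpable and ASLR checks are Linux-only and are
# skipped elsewhere instead of producing "[: integer expression expected".
echo "" >> "$FILE"
if [ "$SYSTEMCONF" = "y" ]; then
  if [ "$STDOUT" = "y" ]; then echo "SYSTEMCONF"; fi
  {
    echo "######################################################################################################################################################"
    echo "SYSTEMCONF"
    echo "######################################################################################################################################################"
    echo ""
  } >> "$FILE"

  # -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
  # Running processes section
  if [ "$PROCESSES" = "y" ]; then
    if [ "$STDOUT" = "y" ]; then echo "PROCESSES"; fi
    {
      echo "-----------------------------------------------------"
      echo "PROCESSES"
      echo "-----------------------------------------------------"
      # Adjust output format here ->
      ps auxgw | grep -v " TIME COMMAND" | sort -n; echo ""
    } >> "$FILE"
  fi

  {
    # /etc/motd
    if [ -e /etc/motd ]; then
      echo "MOTD extraction"
      echo "$(ls -la /etc/motd):" && cat /etc/motd 2>/dev/null
      echo "-----------------------------------------------------"; echo ""
    fi

    # Sysctl on boot
    if [ -e /etc/sysctl.conf ]; then
      echo "Sysctl permissions and extraction"
      ls -la /etc/sysctl.conf && grep -v '^[[:space:]]*#' /etc/sysctl.conf 2>/dev/null | sed '/^$/d'
      echo "-----------------------------------------------------"; echo ""
    fi

    # NFS Exports - add checks for insecure configuration
    if [ -e /etc/exports ]; then
      echo "NFS Exports extraction"
      echo "$(ls -la /etc/exports):" && sed '/^$/d' /etc/exports 2>/dev/null
      echo "-----------------------------------------------------"; echo ""
    fi

    # SUID DUMPABLE
    # 0 is the hardened setting; a non-zero value lets setuid processes write
    # core files, which the referenced advisory relies on.
    # http://www.exploit-db.com/exploits/8369/
    # The file only exists on Linux, so test readability before comparing.
    if [ -r /proc/sys/fs/suid_dumpable ]; then
      suid_dumpable=$(cat /proc/sys/fs/suid_dumpable)
      if [ "$suid_dumpable" -ne 0 ]; then
        echo "suid_dumpable: $suid_dumpable << ALERT check exploit 8369: #http://www.exploit-db.com/exploits/8369/"
      fi
    fi


    # ASLR - sysctl kernel.randomize_va_space = 2
    # ../Documentation/sysctl/kernel.txt
    # This option can be used to select the type of process address space randomization that is used in the system, for architectures that support this feature.
    # 0 - Turn the process address space randomization off. This is the default for architectures that do not support this feature anyways, and kernels that are booted with the "norandmaps" parameter.
    # 1 - Make the addresses of mmap base, stack and VDSO page randomized. This, among other things, implies that shared libraries will be loaded to random addresses. Also for PIE-linked binaries,
    #    the location of code start is randomized. This is the default if the CONFIG_COMPAT_BRK option is enabled.
    # 2 - Additionally enable heap randomization. This is the default if CONFIG_COMPAT_BRK is disabled.
    if [ "$OSNAME" = "Linux" ]; then
      echo "ASLR - Address Space Layout Randomization:"
      /sbin/sysctl kernel.randomize_va_space
      # "sysctl -n" prints the bare value, which is what the comparison needs;
      # an unreadable key yields an empty string and no (false) warning.
      aslr=$(/sbin/sysctl -n kernel.randomize_va_space 2>/dev/null)
      if [ -n "$aslr" ] && [ "$aslr" -eq 0 ]; then echo "WARNING: ASLR set to 0"; fi
      echo "-----------------------------------------------------"; echo ""
    fi

    # CRONTAB
    if [ -e /etc/crontab ]; then
      echo "System Crontab extraction"
      echo "$(ls -la /etc/crontab):" && grep -v '^[[:space:]]*#' /etc/crontab 2>/dev/null | sed '/^$/d'
      echo "-----------------------------------------------------"; echo ""
    fi
  } >> "$FILE"
fi


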
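# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Installed languages / compilers section
# Reports the version of gcc, perl, php (plus every php.ini under /etc) and
# ruby when present.  GCC/PERL/PHP/RUBY are the paths resolved in the variables
# section; an empty one (tool absent) simply skips its entry instead of the
# old unquoted "[ -e ]" test, which was true for an empty string.
if [ "$LANGUAGES" = "y" ]; then
  if [ "$STDOUT" = "y" ]; then echo "LANGUAGES"; fi
  {
    echo ""
    echo "######################################################################################################################################################"
    echo "LANGUAGES"
    echo "######################################################################################################################################################"
    echo ""

    # gcc version ("gcc -v" writes to stderr, hence 2>&1)
    if [ -n "$GCC" ] && [ -x "$GCC" ]; then
      echo "GCC Version:" && echo "$GCC" && "$GCC" -v 2>&1
      echo "-----------------------------------------------------"
      echo ""
    fi

    # perl version
    if [ -n "$PERL" ] && [ -x "$PERL" ]; then
      echo "Perl Version:" && echo "$PERL" && "$PERL" -v 2>/dev/null | head -n 2 | sed '/^$/d'
      echo "-----------------------------------------------------"
      echo ""
    fi

    # PHP version
    if [ -n "$PHP" ] && [ -x "$PHP" ]; then
      echo "PHP extraction" && "$PHP" -v
      echo ""
      # php.ini comments start with ";"; drop only those lines so a value that
      # contains ";" survives.  Paths are read one per line from find.
      find /etc -name php.ini 2>/dev/null | while IFS= read -r ini; do
        ls -la "$ini" && grep -v '^[[:space:]]*;' "$ini" | sed '/^$/d' && echo ""
      done
      echo "-----------------------------------------------------"
      echo ""
    fi

    # Ruby version
    if [ -n "$RUBY" ] && [ -x "$RUBY" ]; then
      echo "RUBY Version:" && "$RUBY" -v
      echo "-----------------------------------------------------"
      echo ""
    fi
    echo "-----------------------------------------------------"
    echo ""
  } >> "$FILE"
fi
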
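# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Application Finger printing section
##Search for specific config files and extract contents
# Each daemon is reported only when its binary resolves to an executable.
# The *CONF variables are find(1) output and may list several files, one per
# line, so they are walked with an intentionally unquoted "for".  Comment
# *lines* are dropped; a directive whose value contains the comment character
# is kept.
if [ "$APPLICATIONS" = "y" ]; then
  if [ "$STDOUT" = "y" ]; then echo "APPLICATIONS"; fi
  {
    echo ""
    echo "######################################################################################################################################################"
    echo "APPLICATIONS"
    echo "######################################################################################################################################################"
    echo ""

    # HTTPD
    #       - check permissions on DocumentRoot
    #       - extract virtual hostnames
    if [ -n "$HTTPD" ] && [ -x "$HTTPD" ]; then
      echo "HTTPD Extraction" && echo "$HTTPD" && echo "$HTTPDVER"
      echo "DocumentRoot:"; echo "$DOCUMENTROOT"; echo ""
      # shellcheck disable=SC2086 -- one path per line from find, split intentionally
      for cnf in $HTTPDCONF; do
        [ -r "$cnf" ] || continue
        echo "$cnf:"
        echo "$(ls -la "$cnf"):"
        grep -v '^[[:space:]]*#' "$cnf" 2>/dev/null | sed '/^$/d'
        echo ""
      done
      echo "-----------------------------------------------------"
      echo ""
    fi

    # APACHE
    #       - check permissions on DocumentRoot
    #       - extract virtual hostnames
    if [ -n "$APACHE" ] && [ -x "$APACHE" ]; then
      # run the binary for its version so the report holds the output, not a
      # stored command string
      echo "Apache2 Extraction" && echo "$APACHE" && "$APACHE" -v 2>/dev/null
      # shellcheck disable=SC2086 -- one path per line from find, split intentionally
      for cnf in $APACHECONF; do
        [ -r "$cnf" ] || continue
        echo "Apache2 configuration"
        echo "DocumentRoot:"; echo "$DOCUMENTROOT"; echo ""
        echo "$cnf:"
        echo "$(ls -la "$cnf"):"
        grep -v '^[[:space:]]*#' "$cnf" 2>/dev/null | sed '/^$/d'
        echo ""
        echo "Enabled Modules:"; ls -la /etc/apache2/mods-enabled/; echo ""
        echo "Apache Environment Variables:"
        grep -v '^[[:space:]]*#' /etc/apache2/envvars 2>/dev/null | sed '/^$/d'
        echo "-----------------------------------------------------"
        echo ""
      done
    fi


    # MYSQL
    if [ -n "$MYSQL" ] && [ -x "$MYSQL" ]; then
      echo "MySQL Extraction:" && echo "$MYSQL:" && echo "$MYSQLVER"
      # shellcheck disable=SC2086 -- one path per line from find, split intentionally
      for cnf in $MYSQLCONF; do
        [ -e "$cnf" ] || continue
        echo "MySQL configuration"
        echo "$(ls -la "$cnf"):"; grep -v '^[[:space:]]*#' "$cnf" 2>/dev/null | sed '/^$/d'
        echo "-----------------------------------------------------"
        echo ""
      done
    fi

    # SSHD
    if [ -x "$(command -v sshd 2>/dev/null)" ]; then
      echo "SSHD Extraction:"
      # "ssh -V" reports the OpenSSH version on stderr; the client can be
      # absent even when the daemon is installed, so guard it.
      if [ -n "$SSH" ] && [ -x "$SSH" ]; then echo "$SSH:" && "$SSH" -V 2>&1; fi
      echo ""
      if [ -n "$SSHDCONF" ] && [ -e "$SSHDCONF" ]; then
        echo "SSHD configuration:"
        echo "$(ls -la "$SSHDCONF"):"; grep -v '^[[:space:]]*#' "$SSHDCONF" 2>/dev/null | sed '/^$/d'
        # Inspect the file actually being reported rather than a hard-coded
        # path; sshd honours the first occurrence of a directive, and the
        # quoted variable keeps the test valid when the directive is absent.
        prl=$(grep '^[[:space:]]*PermitRootLogin[[:space:]]' "$SSHDCONF" 2>/dev/null | awk '{print $2}' | head -n 1)
        if [ "$prl" = "yes" ]; then echo "ALERT: Root login permitted"; fi
        echo "-----------------------------------------------------"; echo ""
      fi
    fi

    # Samba config
    if [ -n "$SAMBA" ] && [ -x "$SAMBA" ]; then
      # run "smbd -V" directly so its output, not a command string, is recorded
      echo "Samba Extraction" && echo "$SAMBA:" && "$SAMBA" -V 2>/dev/null
      # shellcheck disable=SC2086 -- one path per line from find, split intentionally
      for cnf in $SAMBACONF; do
        [ -e "$cnf" ] || continue
        echo "Samba configuration"
        echo ""
        echo "$(ls -la "$cnf"):"; grep -v '^[[:space:]]*;' "$cnf" 2>/dev/null | sed '/^$/d'
        echo "-----------------------------------------------------"; echo ""
      done
    fi

    # other potential daemons
    # snmpd config
    # inetd/xinetd.conf
    # Snort
    # DNS? named?
    # Sendmail? Aliases file?
    # NFS?  /etc/exports?
    # Squid?
    # webmin
    # Syslogd as a logging server?

  } >> "$FILE"
fi

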
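if [ "$PKGMGMT" = "y" ]; then
        # '[ $STDOUT="y" ]' was a single non-empty string and therefore always true; compare properly.
        if [ "$STDOUT" = "y" ]; then echo "PACKAGE MANAGEMENT"; fi
        echo ""  >> "$FILE";
        echo "######################################################################################################################################################" >> "$FILE";
        echo "PACKAGE MANAGEMENT" >> "$FILE";
        echo "######################################################################################################################################################" >> "$FILE";
        echo ""  >> "$FILE";
        # PKGMGR/FLAGS select the package query below; PKGSORT asks for a separate sort stage.
        PKGSORT="n";
        if [ "$OSNAME" = "Linux" ]; then
                if [ -r "/etc/debian_version" ]; then
                        echo "Debian Version: $(cat /etc/debian_version 2>/dev/null)" >> "$FILE";
                        # command -v yields the executable; 'whereis | awk {print $2}' could return a man page path instead.
                        DPKG=$(command -v dpkg 2>/dev/null);
                        if [ -n "$DPKG" ] && [ -x "$DPKG" ]; then PKGMGR=$DPKG; FLAGS="-l"; fi;
                fi;

                if [ -r "/etc/redhat-release" ]; then
                        echo "Redhat Release: $(cat /etc/redhat-release 2>/dev/null)" >> "$FILE";
                        RPM=$(command -v rpm 2>/dev/null);
                        # FLAGS="-qa | sort" handed '|' and 'sort' to rpm as literal arguments; the sort is now a pipeline stage.
                        if [ -n "$RPM" ] && [ -x "$RPM" ]; then PKGMGR=$RPM; FLAGS="-qa"; PKGSORT="y"; fi;
                fi;

                if [ -r "/etc/gentoo-release" ]; then
                        echo "Gentoo Release:: $(cat /etc/gentoo-release 2>/dev/null)" >> "$FILE";
                        # Listing /var/db/pkg directly gives a usable installed-package list without the
                        # root/portage-group rights a portage query would need. 'emerge --info' gives nicely formatted
                        # system information.
                        ls -la /var/db/pkg/* 2>/dev/null | awk '{print $9}' | sort -n | uniq | sed '/^$/d' >> "$FILE";
                fi;
        fi;
        if [ "$OSNAME" = "FreeBSD" ]; then
                PKGINFO=$(command -v pkg_info 2>/dev/null);
                if [ -n "$PKGINFO" ] && [ -x "$PKGINFO" ]; then PKGMGR=$PKGINFO; FLAGS="";
                else
                        # pkg(8) replaced pkg_info on newer FreeBSD releases.
                        PKGNG=$(command -v pkg 2>/dev/null);
                        if [ -n "$PKGNG" ] && [ -x "$PKGNG" ]; then PKGMGR=$PKGNG; FLAGS="info"; fi;
                fi;
        fi;

        # '[ -x $PKGMGR ]' with PKGMGR unset collapsed to '[ -x ]', which is true, after which "$FLAGS" was run as a
        # command. $FLAGS stays unquoted on purpose so a multi-word flag string splits into arguments.
        if [ -n "$PKGMGR" ] && [ -x "$PKGMGR" ]; then
                if [ "$PKGSORT" = "y" ]; then "$PKGMGR" $FLAGS | sort >> "$FILE";
                else "$PKGMGR" $FLAGS >> "$FILE";
                fi;
                echo "-----------------------------------------------------" >> "$FILE";
                echo "" >> "$FILE";
        fi;

#Pulseaudio
        # The "Pulseaudio exists" alert used to be written unconditionally, even on hosts without pulseaudio.
        PULSE=$(command -v pulseaudio 2>/dev/null);
        if [ -n "$PULSE" ]; then
                file "$PULSE" 2>/dev/null >> "$FILE";
                "$PULSE" --version 2>/dev/null >> "$FILE";
                ls -al "$PULSE" 2>/dev/null >> "$FILE";
                echo "ALERT: Pulseaudio exists - investigate further and check pulseaudio exploits" >> "$FILE";
                echo "-----------------------------------------------------" >> "$FILE";
                echo ""  >> "$FILE";
        fi;
fi;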
  604.  
  605. #Open Files
  606. # lsof -i
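if [ "$FILESRCH" = "y" ]; then
        # '[ $STDOUT="y" ]' was a single non-empty string and therefore always true; compare properly.
        if [ "$STDOUT" = "y" ]; then echo "FILE SYSTEMS and FIND extractions"; fi
        echo "######################################################################################################################################################" >> "$FILE";
        echo "FILE SYSTEMS and FIND extractions" >> "$FILE";
        echo "######################################################################################################################################################" >> "$FILE";
        echo ""  >> "$FILE";
        echo ""  >> "$FILE";
        echo "Partitions:" >> "$FILE" && df -h >> "$FILE";
        echo ""  >> "$FILE";
# /etc/fstab?
        if [ -r /etc/fstab ]; then
                echo "File System Table file" >> "$FILE" && ls -la /etc/fstab >> "$FILE" && cat /etc/fstab 2>/dev/null >> "$FILE";
                echo "" >> "$FILE" && echo "Active mounts" >> "$FILE" && mount >> "$FILE";
                echo "-----------------------------------------------------" >> "$FILE"; echo ""  >> "$FILE";
        fi;

# SUID binaries files
        echo "SUID binaries:"  >> "$FILE";
        # $BINARYDIR (set earlier) is deliberately unquoted so a list of directories splits into find arguments;
        # a path containing whitespace would be split by the loops below, as in the original.
        # 'ls -d' reports a matching directory itself instead of listing its contents.
        SUID=$(find $BINARYDIR -perm -4000 -print 2>/dev/null);
        for i in $SUID; do
                ls -lad "$i" >> "$FILE";
        done;
        echo ""  >> "$FILE";

        if [ "$SUIDLIB" = "y" ]; then
                # For each SUID binary, list the shared libraries it resolves and their permissions (a library path
                # writable by others is the finding). ldd may run the binary's dynamic loader, so the glibc manual
                # advises against using it on executables you do not trust.
                for i in $SUID; do
                        echo "<<-- $(ls -la "$i" | awk '{print $1,$3,$4,$8,$9}'): -->> " >> "$FILE";
                        LIBS=$(ldd "$i" 2>/dev/null | grep / | awk '{print $3}' | sed '/^$/d' | sort | uniq);
                        # Without this guard an empty list (e.g. a static binary) made 'xargs ls' list the current directory.
                        if [ -n "$LIBS" ]; then
                                printf '%s\n' "$LIBS" | xargs ls -laH | awk '{print $1,$3,$4,$8,$9}' >> "$FILE";
                        fi;
                        echo "" >> "$FILE";
                done
        fi;

# SGID binaries files
        echo "SGID binaries:"  >> "$FILE";
        # Same per-entry loop as for SUID: 'find | xargs ls -la' listed the current directory when nothing matched.
        SGID=$(find $BINARYDIR -perm -2000 -print 2>/dev/null);
        for i in $SGID; do
                ls -lad "$i" >> "$FILE";
        done;
        echo "-----------------------------------------------------" >> "$FILE";
        echo ""  >> "$FILE";

# World writeable directories and files
        echo "World Writeable Files and Directories:"  >> "$FILE";
        # The old loop ran 'find / -path $w -o -perm -2 ...' once per entry: without -prune the directory named in
        # $WORLDIR was still descended into, and each iteration rescanned the whole tree. All entries of $WORLDIR
        # (whitespace-separated; assumed to be directories to skip, such as pseudo file systems - confirm at its
        # definition) are now pruned in one walk. The subshell keeps 'set --' from touching the script's own arguments.
        (
                set --
                for w in $WORLDIR; do
                        if [ $# -eq 0 ]; then set -- -path "$w"; else set -- "$@" -o -path "$w"; fi
                done
                if [ $# -eq 0 ]; then
                        find / -perm -2 ! -type l -ls 2>/dev/null >> "$FILE";
                else
                        find / \( "$@" \) -prune -o -perm -2 ! -type l -ls 2>/dev/null >> "$FILE";
                fi
        )
        echo "-----------------------------------------------------" >> "$FILE";
        echo ""  >> "$FILE";

# Known_hosts file and file bruteforcing
# http://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/
        echo "Retrieved SSH User and key files:" >> "$FILE";
        # $HOMEDIR is used as a single -path pattern, as before; its exact form is set earlier in the script.
        for p in "$HOMEDIR"; do
                find / -path "$p" \( -name "known_hosts" -o -name "id_rsa*" -o -name "authorized_hosts" -o -name "id_dsa*" \
                        -o -name "identity" \) -print -exec ls -la {} \; -exec cat {} \; 2>/dev/null >> "$FILE";
        done
        echo "" >> "$FILE";

        echo "Retrieved Core dump files:" >> "$FILE";
        # This search previously had no redirection, so its output went to stdout instead of the report.
        find / -type f -regex ".*/core\.[0-9][0-9][0-9][0-9]$" -print -exec ls -la {} \; -exec strings {} \; 2>/dev/null >> "$FILE";

# Temporary directories contents
        # Each location is listed only if it exists; the original tested /tmp before listing /var/tmp and /dev/shm too.
        for d in /tmp /var/tmp /dev/shm; do
                if [ -d "$d" ]; then
                        echo "Contents - $d" >> "$FILE" && ls -la "$d" 2>/dev/null >> "$FILE" && find "$d" 2>/dev/null >> "$FILE";
                        echo "-----------------------------------------------------" >> "$FILE"; echo ""  >> "$FILE";
                fi
        done

# Home directory permissions?
        if [ "$HOMELIST" = "y" ]; then
                if [ -d /home ]; then
                        # A recursive find of /home is deliberately left out here (it was commented out in the original).
                        echo "Contents - /home" >> "$FILE" && ls -la /home 2>/dev/null >> "$FILE";
                        echo "-----------------------------------------------------" >> "$FILE"; echo ""  >> "$FILE";
                fi;
                if [ -d ~/ ]; then
                        echo "Contents - $(whoami) ~/" >> "$FILE" && ls -la ~/ 2>/dev/null >> "$FILE" && find ~/ 2>/dev/null >> "$FILE";
                        echo "-----------------------------------------------------" >> "$FILE"; echo ""  >> "$FILE";
                fi;
                # $WHO is the invoking user (set earlier). When running as root, ~/ above presumably already is /root,
                # which would explain why /root is only listed separately for other users - confirm.
                if [ "$WHO" != "root" ]; then
                        echo "Contents - /root" >> "$FILE" && ls -la /root 2>/dev/null >> "$FILE" && find /root 2>/dev/null >> "$FILE";
                        echo "-----------------------------------------------------" >> "$FILE"; echo ""  >> "$FILE";
                fi;
        fi;

# End of intensive file system searches
        echo "" >> "$FILE";
fi;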
  691. #-----------------------------------------------------------------------------------------------------------------
  692.  
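if [ "$KERNELCONF" = "y" ]; then
        # '[ $STDOUT="y" ]' was a single non-empty string and therefore always true; compare properly.
        if [ "$STDOUT" = "y" ]; then echo "Kernel configurations extractions"; fi
        # Separator used throughout this section (same text as before, written once).
        KSEP="-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------";
        echo "Kernel Configuration files (check for supported options like CAM support, ReiserFS...:"  >> "$FILE";
        echo "Kernel Configurations found:" >> "$FILE";
        # '`ls -la /boot | grep config`' was in backticks, which EXECUTED the listing's first line as a command instead
        # of writing it, and the '&&' chain skipped the /boot listing whenever /proc/config.gz was absent.
        ls -la /proc/config.gz 2>/dev/null >> "$FILE";
        ls -la /boot 2>/dev/null | grep config >> "$FILE";
        echo "$KSEP" >> "$FILE";

        if [ -r /proc/config.gz ]; then
                ls -la /proc/config.gz >> "$FILE" && zcat /proc/config.gz 2>/dev/null | sed '/^$/d' >> "$FILE";
        fi;
        echo "$KSEP" >> "$FILE";
        echo "$KSEP" >> "$FILE";
        # Glob instead of parsing 'ls | grep config'; skip the literal pattern when nothing matches.
        for i in /boot/*config*; do
                [ -e "$i" ] || continue;
                file "$i" >> "$FILE" && sed '/^$/d' "$i" >> "$FILE" && echo "$KSEP" >> "$FILE" && echo "$KSEP" >> "$FILE";
        done;
fi;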
  706.  
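if [ "$LOGPROC" = "y" ]; then
        # The section banner now sits inside the guard like every other section, so a disabled LOGPROC emits nothing.
        echo "######################################################################################################################################################" >> "$FILE";
        echo "VERY BASIC LOGFILE PARSING - identify clients of the system" >> "$FILE";
        echo "######################################################################################################################################################" >> "$FILE";
        echo >> "$FILE";
        if [ "$APACHELOG" = "y" ]; then
                echo "Apache2 client Sources:" >> "$FILE";
                # Access log paths are taken from the uncommented lines under /etc/apache2 that mention access.log.
                # NOTE(review): a path written with a variable such as ${APACHE_LOG_DIR} is not expanded here and is
                # therefore not read - confirm against the target's configuration style.
                for f in $(grep -R access.log /etc/apache2/* 2>/dev/null | grep -v "#" | cut -d : -f 2 | awk '{ print $2}' | sort | uniq); do
                        # Top 30 (client, request path, protocol, status) combinations - field numbers assume the
                        # common/combined log format - for the live log and its first rotation.
                        for log in "$f" "$f.1"; do
                                echo "$log" >> "$FILE";
                                awk '{print $1,$7,$8,$9}' "$log" 2>/dev/null | sort | uniq -c | sort -rn | head -n 30 | sed '/^$/d' >> "$FILE";
                        done;
                done;
        fi;
        echo "" >> "$FILE";
        if [ "$SSHDLOGS" = "y" ]; then
                echo "SSHD Login Sources:" >> "$FILE";
                AUTHLOG=/var/log/auth.log;
                if [ -r "$AUTHLOG" ]; then
                        # Field positions assume the traditional "Mon DD HH:MM:SS host sshd[pid]:" syslog prefix; an ISO
                        # timestamp shifts them. As in the original, only public-key logins are broken down per user -
                        # password or keyboard-interactive logins are not counted here.
                        for u in $(grep "sshd:session): session opened for user" "$AUTHLOG" | awk '{print $11}' | sort | uniq); do
                                echo "$u" >> "$FILE";
                                # -F: the user name came from the log and must not be interpreted as a regex.
                                grep -F -- "publickey for $u from" "$AUTHLOG" | awk '{print$6,$7,$8,"user: "$9,$10,$11,$14,$15,$16}' | sort | uniq -c | sed '/^$/d' >> "$FILE";
                        done;
                fi;
        fi;
        echo "" >> "$FILE";
        if [ "$POSTFIXLOGS" = "y" ]; then
                echo "Postfix client Sources:" >> "$FILE";
                # The log name was relative before, so it was only found when the script happened to run from /var/log.
                zgrep status=sent /var/log/mail.log* 2>/dev/null | awk '{ print $7,$8}' | sort | uniq -c | sed '/^$/d' >> "$FILE";
        fi
fi;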
  729.  
  730. # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
  731. # end of scripted enumeration
  732. # ------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
  733. chmod 600 $FILE;
  734. echo >> $FILE;
  735. echo >> $FILE;
  736. echo "EOF -- End of File" >> $FILE;
  737. echo "Output file is: $FILE"