Ananke v0.06

#!/bin/sh
#
# Ananke v0.06 - "enumeration is a necessity"
# 2012-05-25
#
# Tested on Backtrack 5(Ubuntu 10.10), Ubuntu 7.10, Ubuntu 10.04 (LTS), Cent0S5.4, FC4, FBSD7.0
# Debian 4.0, Debian 5.0.4

# PLEASE NOTE:
# Acknowledged: This script is inefficient; multiple seeks exist for the same data - however no temporary flies are left to disk other than the final output file.
# *Obviously* this could be done (and much better) in another language e.g. python, perl... however using "sh" ensures portability; the language is
# available to run the script.


# Enable to "y" for execution of the intensive searches in the section below
STDOUT="y"          # echo section progress to stdout(Display)
SYSTEM="y"          # Perform System extraction
NETWORKING="y"      # Perform Network parameters extraction
AUTHENTICATION="y"  # Perform Authentication extraction
SYSTEMCONF="y"      # Perform system configuration specific extraction
    PROCESSES="y"   # Perform running processes extraction
APPLICATIONS="y"    # Perform Servers and Applications extraction
LANGUAGES="y"       # Perform installed languages extraction
FILESRCH="y"        # Perform file system directories and permissions extraction
    SUIDLIB="y"     # SUID library breakdown and permissions extraction
    HOMELIST="y"    # List files in home directories
PKGMGMT="y"         # Perform package management extraction
KERNELCONF="y"      # Perform kernel config extraction
LOGPROC="y"         # Very Basic logfile analysis extraction
    APACHELOG="y"   # Do this for Apache
    SSHDLOGS="y"    # Do this for SSHD in auth.log
    POSTFIXLOGS="y" # Do this for SSHD in auth.log

# Ensure commands referenced below are in the common path environment
PATH="$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

UNAME=`whereis uname | awk '{print$2}' 2>/dev/null`
HOSTNAME="`whereis hostname | awk '{print$2}' 2>/dev/null`"

DATE=`date +"%Y-%m-%d"`
TIME=`date +"%H:%M:%S"`
OSNAME=`$UNAME -s`
OSREL=`$UNAME -r`
OSVER=`$UNAME -v`
ARCHTYPE=`$UNAME -m`
OSFULL=`$UNAME -a`
UPTIME=`uptime`
ID=`id`
WHO=`whoami`
echo "`$HOSTNAME -f` reconnaissance executed by $WHO"

# Primary IPv4Address
if [ $OSNAME = "FreeBSD" ]; then
    PIP4ADD="`ifconfig | grep "inet " | grep -v 127.0.0.1 | head -n 1 | awk {'print $2}'`"
elif [ $OSNAME = "Linux" ]; then
    PIP4ADD="`/sbin/ifconfig | grep "inet addr" | head -n 1 | cut -d : -f 2 | awk '{ print $1}'`"
fi;

echo $PIP4ADD
FILE="`echo $PIP4ADD`_`$HOSTNAME`_audit_`whoami`_$DATE"
rm $FILE 2>/dev/null;


# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Variables and binary locations section
#PHPCONF=`find /etc -name php.ini 2>/dev/null | grep apache`

SSH=`command -v ssh 2>/dev/null`
SSHVER="$SSH -V"
SSHDCONF=`find /etc -name sshd_config 2>/dev/null | head -n 1 2>/dev/null`

MYSQL="`command -v mysql 2>/dev/null | sed '/^$/d'`"
if [ -r `command -v mysql 2>/dev/null | sed '/^$/d'` ]; then MYSQLVER=`$MYSQL -V 2>/dev/null`;
fi;
if [ -r $MYSQL ]; then MYSQLVER=`$MYSQL -V 2>/dev/null`;
    MYSQLCONF=`find /etc -name my.cnf 2>/dev/null`;
fi;
HTTPD=`command -v httpd 2>/dev/null`
if [ -e "`command -v httpd 2>/dev/null`" ]; then
    HTTPD=`command -v httpd`
    HTTPDVER="`$HTTPD -v 2>/dev/null`"
    HTTPDCONF=`find /etc -name httpd.conf 2>/dev/null`
    DOCUMENTROOT=`grep -R DocumentRoot /etc/httpd/conf* 2>/dev/null | grep -v "#" | awk '{print $2}' | uniq | sed '/^$/d'`;
fi;

if [ -x "`command -v apache2 2>/dev/null`" ]; then
    APACHE="`command -v apache2 2>/dev/null`"
    APACHEVER="$APACHE -v 2>/dev/null"
    APACHECONF=`find /etc -name apache2.conf 2>/dev/null`
    DOCUMENTROOT=`grep -R DocumentRoot /etc/apache2 2>/dev/null | awk '{print $3}' | uniq | sed '/^$/d'`;
fi;

SAMBA="`command -v smbd 2>/dev/null`"
SAMBAVER="$SAMBA -V 2>/dev/null"
SAMBACONF=`find /etc -name smb.conf 2>/dev/null`

GCC="`command -v gcc 2>/dev/null`"
PERL="`command -v perl 2>/dev/null`"
#echo $PERL
RUBY="`command -v ruby 2>/dev/null`"
PHP="`command -v php 2>/dev/null`"


# Expand this if wishing to search outside of the following paths - streamlined to help reduce disk io and time consumption
BINARYDIR="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin"
WORLDIR="/tmp /var/tmp /var /root /dev /usr"
HOMEDIR="`cat  /etc/passwd | cut -d : -f 6`"

if [ $OSNAME = "Linux" ]; then
LINUXIPv4="net.ipv4.tcp_syncookies \
net.ipv4.conf.all.rp_filter \
net.ipv4.conf.all.accept_source_route \
net.ipv4.conf.all.accept_redirects \
net.ipv4.conf.all.secure_redirects \
net.ipv4.conf.default.rp_filter \
net.ipv4.conf.default.accept_source_route \
net.ipv4.conf.default.accept_redirects \
net.ipv4.conf.default.secure_redirects \
net.ipv4.icmp_echo_ignore_broadcasts \
net.ipv4.ip_forward \
net.ipv4.conf.all.send_redirects \
net.ipv4.conf.default.send_redirects \
net.ipv4.tcp_max_syn_backlog"

LINUXIPv6="net.ipv6.conf.all.forwarding \
net.ipv6.conf.all.accept_redirects \
net.ipv6.conf.all.disable_ipv6 \
net.ipv6.bindv6only"
fi;

if [ $OSNAME = "FreeBSD" ]; then
FBSDIPv4="net.inet.ip.forwarding \
net.inet.ip.redirect \
net.inet.ip.accept_sourceroute \
net.inet.ip.subnets_are_local \
net.inet.ip.maxfragpackets \
net.inet.ip.maxfragsperpacket \
net.inet.ip.fragpackets \
net.inet.ip.check_interface \
net.inet.ip.random_id \
net.inet.ip.sendsourcequench \
net.inet.ip.process_options sysct\
net.inet.icmp.maskrepl \
net.inet.icmp.icmplim \
net.inet.icmp.bmcastecho \
net.inet.icmp.quotelen \
net.inet.icmp.reply_from_interface \
net.inet.icmp.reply_src \
net.inet.icmp.icmplim_output \
net.inet.icmp.log_redirect \
net.inet.icmp.drop_redirect \
net.inet.icmp.maskfake \
net.inet.tcp.rfc1323 \
net.inet.tcp.insecure_rst \
net.inet.tcp.rfc3390 \
net.inet.tcp.rfc3042 \
net.inet.tcp.drop_synfin \
Net.inet.tcp.delayed_ack \
net.inet.tcp.blackhole \
net.inet.tcp.log_in_vain \
net.inet.tcp.icmp_may_rst \
net.inet.tcp.do_tcpdrain \
net.inet.tcp.log_debug \
net.inet.tcp.syncache.rst_on_sock_fail \
net.inet.tcp.syncookies_only \
net.inet.tcp.syncookies \
net.inet.tcp.timer_race \
net.inet.tcp.always_keepalive \
net.inet.udp.checksum \
net.inet.udp.blackhole \
net.inet.udp.log_in_vain \
net.link.ether.ipfw"

FBSDIPv6="net.inet6.ip6.forwarding \
net.inet6.ip6.redirect \
net.inet6.ip6.log_interval \
net.inet6.ip6.use_deprecated \
net.inet6.icmp6.rediraccept \
net.inet6.icmp6.redirtimeout"

FBSDSEC="security.jail.jailed \
security.jail.mount_allowed \
security.jail.chflags_allowed \
security.jail.allow_raw_sockets \
security.jail.enforce_statfs \
security.jail.sysvipc_allowed \
security.jail.socket_unixiproute_only \
security.jail.set_hostname_allowed \
security.bsd.suser_enabled \
security.bsd.unprivileged_proc_debug \
security.bsd.conservative_signals \
security.bsd.see_other_gids \
security.bsd.see_other_uids \
security.bsd.unprivileged_read_msgbuf \
security.bsd.hardlink_check_gid \
security.bsd.hardlink_check_uid \
security.bsd.unprivileged_get_quota"
fi;


# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# System Fingerprinting section - header of the output file

if [ $SYSTEM = "y" ]; then
    echo "######################################################################################################################################################" >> $FILE;
    if [ $STDOUT="y" ]; then echo "TARGET SYSTEM"; fi;
    echo "TARGET SYSTEM" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo "" >> $FILE;
    echo "Hostname: `$HOSTNAME`" >> $FILE;
    if [ $OSNAME = "FreeBSD" ]; then
        echo "Primary IPv4 addr: `ifconfig | grep "inet " | grep -v 127.0.0.1 | head -n 1 | awk {'print $2}'`" >> $FILE;
    elif [ $OSNAME = "Linux" ]; then
        echo "Primary IPv4 addr: `/sbin/ifconfig | grep "inet addr" | head -n 1 | cut -d : -f 2 | awk '{ print $1}'`" >> $FILE;
    fi;
    echo "" >> $FILE;
    echo "Operating System: $OSNAME" >> $FILE;
    if [ $OSNAME = "Linux" ]; then
            if [ -e "/etc/debian_version" ]; then echo "Debian Version: `cat /etc/debian_version | sed '/^$/d'`" >> $FILE && echo "Issue: `cat /etc/issue | sed '/^$/d'`" >> $FILE;
            elif [ -e "/etc/redhat-release" ]; then echo "RedHat-Release: `cat /etc/redhat-release | sed '/^$/d'`"  >> $FILE && echo "Issue: `cat /etc/issue | sed '/^$/d'`" >> $FILE;
            elif [ -e "/etc/gentoo-release" ]; then cat /etc/gentoo-release | sed '/^$/d' >> $FILE;
            fi;
    fi;
    echo "Operating Kernel release: $OSREL" >> $FILE;
    echo "Operating Kerenl compile: $OSVER" >> $FILE;
    echo "Architecture type: $ARCHTYPE" >> $FILE;
    echo "Full Uname: $OSFULL" >> $FILE;
    echo "System Uptime: $UPTIME" >> $FILE;
    echo ""  >> $FILE;
    echo ""  >> $FILE;
    echo "Audit Start Date: $DATE" >> $FILE;
    echo "Audit Start Time: $TIME" >> $FILE;
    echo "Audit Performed by User: $ID" >> $FILE;
    echo "" >> $FILE;
    echo "User Environment:" >> $FILE && env >> $FILE;
    echo "-----------------------------------------------------" >> $FILE;
    echo "" >> $FILE;
fi;

# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Network Fingerprinting section
echo ""  >> $FILE;
if [ $NETWORKING = "y" ]; then
    echo "######################################################################################################################################################" >> $FILE;
    if [ $STDOUT="y" ]; then echo "NETWORKING"; fi
    echo "NETWORKING" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo "" >> $FILE;
    # Interface configuration
    echo "Interfaces:" >> $FILE && /sbin/ifconfig -a >> $FILE;
    echo "-----------------------------------------------------" >> $FILE;
    echo ""  >> $FILE;
    # Routing table
    echo "Routing Table:" >> $FILE && netstat -rn >> $FILE;
    echo "-----------------------------------------------------" >> $FILE;
    echo ""  >> $FILE;

# Listening IPv4/6 sockets
    echo "Listening IPv4/6 sockets" >> $FILE;
    if [ $OSNAME = "FreeBSD" ]; then
        echo "Listening Sockets:" >> $FILE && sockstat -l >> $FILE; echo "" >> $FILE;
    elif [ $OSNAME = "Linux" ]; then
        echo "Listening Sockets:" >> $FILE && netstat -lnp --inet 2>/dev/null >> $FILE;
    fi;
    echo "-----------------------------------------------------" >> $FILE;
    echo ""  >> $FILE;
    echo "IPv4 Open Files Sockets:" >> $FILE;
    if [ $OSNAME = "Linux" ]; then lsof -i4 2>/dev/null >> $FILE;
        echo "IPv4 TCP Sockets:" >> $FILE; netstat -ant4 2>/dev/null >> $FILE; echo "" >> $FILE;
        echo "IPv4 UDP Sockets:" >> $FILE; netstat -anu4 2>/dev/null >> $FILE;
    elif [ $OSNAME = "FreeBSD" ]; then sockstat -4 >> $FILE; echo "" >> $FILE;
        echo "IPv4 TCP Sockets:" >> $FILE; /usr/bin/netstat -antf inet -p tcp 2>/dev/null >> $FILE; echo "" >> $FILE;
    echo "IPv4 UDP Sockets:" >> $FILE; /usr/bin/netstat -antf inet -p udp 2>/dev/null >> $FILE; echo "" >> $FILE;
    fi;
    echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;

    echo "IPv6 Open Files Sockets:" >> $FILE;
    if [ $OSNAME = "Linux" ]; then lsof -i6 2>/dev/null >> $FILE;
        echo "IPv6 TCP Sockets:" >> $FILE; netstat -ant6 2>/dev/null >> $FILE; echo "" >> $FILE;
        echo "IPv6 UDP Sockets:" >> $FILE; netstat -anu6 2>/dev/null >> $FILE;
    elif [ $OSNAME = "FreeBSD" ]; then sockstat -6 >> $FILE; echo "" >> $FILE;
        echo "IPv6 TCP Sockets:" >> $FILE; /usr/bin/netstat -antf inet6 -p tcp 2>/dev/null >> $FILE; echo "" >> $FILE;
        echo "IPv6 UDP Sockets:" >> $FILE; /usr/bin/netstat -antf inet6 -p udp 2>/dev/null >> $FILE; echo "" >> $FILE;
    fi;
    echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;

# Accessible network filtering configuration. Firewall.
# TCPWrappers
    if [ -e "/etc/hosts.allow" ]; then echo "TCPWrappers hosts.allow:" >> $FILE; ls -la /etc/hosts.allow >> $FILE && cat /etc/hosts.allow 2>/dev/null | grep -v "#" | sed '/^$/d' >> $FILE;
        echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;
    fi;
    if [ -e "/etc/hosts.deny" ]; then echo "TCPWrappers hosts.deny:" >> $FILE; ls -la /etc/hosts.deny >> $FILE && cat /etc/hosts.deny 2>/dev/null | grep -v "#" | sed '/^$/d' >> $FILE;
        echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;
    fi;

    if [ $OSNAME = "Linux" ]; then
        echo "IPTABLES RULESET:" >> $FILE && iptables -L >> $FILE;
    elif [ $OSNAME = "FreeBSD" ]; then
        echo "IPFW RULESET:" >> $FILE && ipfw -a list >> $FILE;
    fi;

# hosts file
    if [ -e "/etc/hosts" ]; then echo "Hosts File:" >> $FILE; ls -la /etc/hosts >> $FILE && cat /etc/hosts 2>/dev/null | sed '/^$/d' >> $FILE;
    echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;
    fi;


#IPv4 security settings - test with sysctl -n - value is returned
    echo "IPv4 security kernel configuration:" >> $FILE;
#if [ $OSNAME = "FreeBSD" ]; then
    if [ $OSNAME = "Linux" ]; then
        for i in $LINUXIPv4; do
            /sbin/sysctl $i >> $FILE;
            done;
    fi;
    echo "" >> $FILE;
    if [ -e "/etc/sysctl.conf" ]; then echo "Sysctl.conf security permissions:" >> $FILE && ls -la /etc/sysctl.conf >> $FILE && cat /etc/sysctl.conf | sed '/^$/d' >> $FILE;
        echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;
    fi;
fi


# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Authentication Fingerprinting section
if [ $AUTHENTICATION = "y" ]; then
    echo ""  >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    if [ $STDOUT="y" ]; then echo "AUTHENTICATION"; fi
    echo "AUTHENTICATION" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo ""  >> $FILE;
    echo "Users online:" >> $FILE && who >> $FILE;
    echo "-----------------------------------------------------" >> $FILE;
    echo ""  >> $FILE;
    echo "Last logins:" >> $FILE && last >> $FILE;
    echo "-----------------------------------------------------" >> $FILE;
    echo ""  >> $FILE;
    if [ -r "/etc/passwd" ]; then echo "Password file:" >> $FILE && ls -la /etc/passwd >> $FILE && cat /etc/passwd 2>/dev/null | sed '/^$/d' >> $FILE;
    echo "" >> $FILE && echo "UID 0 accounts" && grep 'x:0:' /etc/passwd >> $FILE;

    echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE; fi

    if [ -e "/etc/shadow" ]; then echo "Shadow file:" >> $FILE && ls -la /etc/shadow >> $FILE && cat /etc/shadow 2>/dev/null | sed '/^$/d' >> $FILE;
    echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE; fi
    if [ -e "/etc/group" ]; then echo "Group file:" >> $FILE && ls -la /etc/group >> $FILE && cat /etc/group 2>/dev/null | sed '/^$/d' >> $FILE;
    echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE; fi


    if [ -e /etc/sudoers ]; then echo "SUDOers file:" >> $FILE && ls -la /etc/sudoers >> $FILE && cat /etc/sudoers 2>/dev/null | grep -v "#" | sed '/^$/d' >> $FILE;
    echo ""  >> $FILE;
    echo "Sudoers wheel group restrictions:" >> $FILE && grep pam_wheel.so /etc/pam.d/su >> $FILE;
    echo "-----------------------------------------------------" >> $FILE; fi
    echo "" >> $FILE;
fi


# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# System configurations and Fingerprinting section
echo "" >> $FILE;
if [ $SYSTEMCONF = "y" ]; then
    if [ $STDOUT="y" ]; then echo "SYSTEMCONF"; fi
    echo "######################################################################################################################################################" >> $FILE;
    echo "SYSTEMCONF" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo "" >> $FILE;

# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Running processes section
    if [ $PROCESSES = "y" ]; then
        echo "-----------------------------------------------------" >> $FILE;
            if [ $STDOUT="y" ]; then echo "PROCESSES"; fi
        echo "PROCESSES" >> $FILE;
        echo "-----------------------------------------------------" >> $FILE;
# Adjust output format here ->
        ps auxgw | grep -v " TIME COMMAND" | sort -n >> $FILE; echo "" >> $FILE;
    fi

# /etc/motd
    if [ -e /etc/motd ]; then echo "MOTD extraction" >> $FILE;
        echo "`ls -la /etc/motd`:" >> $FILE && cat /etc/motd 2>/dev/null >> $FILE;
    echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE; fi

# Sysctl on boot
    if [ -e /etc/sysctl.conf ]; then echo "Sysctl permissions and extraction" >> $FILE && echo `ls -la /etc/sysctl.conf` >> $FILE && grep -v "#" /etc/sysctl.conf 2>/dev/null | sed '/^$/d' >> $FILE;
    echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE; fi

# NFS Exports - add checks for insecure configuration
    if [ -e /etc/exports ]; then echo "NFS Exports extraction" >> $FILE;
        echo "`ls -la /etc/exports`:" >> $FILE && cat /etc/exports 2>/dev/null | sed '/^$/d' >> $FILE;
    echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE; fi

# SUID DUMPABLE
# needs to be 1 or 2
# http://www.exploit-db.com/exploits/8369/
    if [ `cat /proc/sys/fs/suid_dumpable` -ne "0" ]; then
        echo "suid_dumpable: `cat /proc/sys/fs/suid_dumpable` << ALERT check exploit 8369: #http://www.exploit-db.com/exploits/8369/" >> $FILE
    fi


# ASLR - sysctl kernel.randomize_va_space = 2
# ../Documentation/sysctl/kernel.txt
# This option can be used to select the type of process address space randomization that is used in the system, for architectures that support this feature.
# 0 - Turn the process address space randomization off. This is the default for architectures that do not support this feature anyways, and kernels that are booted with the "norandmaps" parameter.
# 1 - Make the addresses of mmap base, stack and VDSO page randomized. This, among other things, implies that shared libraries will be loaded to random addresses. Also for PIE-linked binaries,
#    the location of code start is randomized. This is the default if the CONFIG_COMPAT_BRK option is enabled.
# 2 - Additionally enable heap randomization. This is the default if CONFIG_COMPAT_BRK is disabled.
    if [ $OSNAME = "Linux" ]; then
        echo "ASLR - Address Space Layout Randomization:" >> $FILE;
        /sbin/sysctl kernel.randomize_va_space >> $FILE;
        if [ `/sbin/sysctl kernel.randomize_va_space | awk '{print $3}'` -eq 0 ]; then echo "WARNING: ASLR set to 0" >> $FILE;
        fi
        echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;
    fi

# CRONTAB
    if [ -e /etc/crontab ]; then echo "System Crontab extraction" >> $FILE;
        echo "`ls -la /etc/crontab`:" >> $FILE && grep -v "#" /etc/crontab 2>/dev/null | sed '/^$/d' >> $FILE;
        echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;
    fi
fi


if [ $LANGUAGES = "y" ]; then
    if [ $STDOUT="y" ]; then echo "LANGUAGES"; fi
    echo "" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo "LANGUAGES" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo "" >> $FILE;

# gcc version
    if [ -e "`command -v gcc 2>/dev/null`" ]; then echo "GCC Version:" >> $FILE && echo "$GCC" >> $FILE && $GCC -v >> $FILE 2>&1;
        echo "-----------------------------------------------------" >> $FILE;
        echo "" >> $FILE;
    fi

# perl version
    if [ -e `command -v perl 2>/dev/null` ]; then echo "Perl Version:" >> $FILE &&echo $PERL >>$FILE && $PERL -v 2>/dev/null | head -n 2 | sed '/^$/d' >> $FILE;
        echo "-----------------------------------------------------" >> $FILE;
        echo "" >> $FILE;
    fi

# PHP version
    if [ -e "`command -v php 2>/dev/null`" ]; then echo "PHP extraction" >> $FILE && $PHP -v >> $FILE;
    echo "" >> $FILE;
        for i in `find /etc -name php.ini 2>/dev/null`;
            do ls -la $i >> $FILE && cat $i | grep -v ";" | sed '/^$/d' >> $FILE && echo "" >> $FILE;
            done
        echo "-----------------------------------------------------" >> $FILE;
        echo "" >> $FILE;
    fi

# Ruby version
    if [ -e "`command -v ruby 2>/dev/null`" ]; then echo "RUBY Version:" >> $FILE && $RUBY -v >> $FILE;
        echo "-----------------------------------------------------" >> $FILE;
        echo "" >> $FILE;
    fi
    echo "-----------------------------------------------------" >> $FILE;
    echo ""  >> $FILE;
fi

# -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Application Finger printing section
##Search for specific config files and extract contents
if [ $APPLICATIONS = "y" ]; then
    if [ $STDOUT="y" ]; then echo "APPLICATIONS"; fi
    echo "" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo "APPLICATIONS" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo "" >> $FILE;

# HTTPD
#   - check permissions on DocumentRoot
#   - extract virtual hostnames
    if [ -x "`command -v httpd 2>/dev/null`" ]; then echo "HTTPD Extraction" >>$FILE && echo $HTTPD >> $FILE && echo $HTTPDVER >> $FILE;
#if [ -r $HTTPDCONF ]; then echo "HTTPD configuration" >> $FILE;
        echo "DocumentRoot:" >> $FILE; echo $DOCUMENTROOT >> $FILE; echo "" >> $FILE;
        echo "$HTTPDCONF:" >> $FILE;
        echo "`ls -la $HTTPDCONF`:" >> $FILE;
        grep -v "#" $HTTPDCONF 2>/dev/null | sed '/^$/d' >> $FILE;
        echo "" >> $FILE;
        echo "-----------------------------------------------------" >> $FILE;
        echo "" >> $FILE;
    fi; #fi

# APACHE
#   - check permissions on DocumentRoot
#   - extract virtual hostnames
    if [ -x "`command -v apache2 2>/dev/null`" ]; then echo "Apache2 Extraction" >>$FILE && echo $APACHE >> $FILE && echo $APACHEVER >> $FILE;
        if [ -r $APACHECONF ]; then echo "Apache2 configuration" >> $FILE;
            echo "DocumentRoot:" >> $FILE; echo $DOCUMENTROOT >> $FILE; echo "" >> $FILE;
            echo "$APACHECONF:" >> $FILE;
            echo "`ls -la $APACHECONF`:" >> $FILE;
            grep -v "#" $APACHECONF 2>/dev/null | sed '/^$/d' >> $FILE;
            echo "" >> $FILE;
            echo "Enabled Modules:" >> $FILE; ls -la /etc/apache2/mods-enabled/ >> $FILE; echo "" >> $FILE;
            echo "Apache Environment Variables:" >> $FILE;
            grep -v "#" /etc/apache2/envvars 2>/dev/null | sed '/^$/d' >> $FILE;
            echo "-----------------------------------------------------" >> $FILE;
            echo "" >> $FILE;
        fi;
    fi;


# MYSQL
    if [ -x "`command -v mysql 2>/dev/null`" ]; then echo "MySQL Extraction:" >> $FILE && echo "$MYSQL:" >>$FILE && echo $MYSQLVER >> $FILE;
        if [ -e $MYSQLCONF ]; then echo "MySQL configuration" >> $FILE;
            echo "`ls -la $MYSQLCONF`:" >> $FILE; grep -v "#" $MYSQLCONF 2>/dev/null | sed '/^$/d' >> $FILE;
            echo "-----------------------------------------------------" >> $FILE;
            echo "" >> $FILE;
        fi;
    fi;

# SSHD
    if [ -x "`command -v sshd 2>/dev/null`" ]; then echo "SSHD Extraction:" >> $FILE && echo "$SSH:" >> $FILE && $SSH -V >> $FILE 2>&1;
        echo "" >> $FILE;
        if [ -e $SSHDCONF ]; then echo "SSHD configuration:" >> $FILE;
            echo "`ls -la $SSHDCONF`:" >> $FILE; grep -v "#" $SSHDCONF 2>/dev/null | sed '/^$/d' >> $FILE;
            if [ `grep "PermitRootLogin " /etc/ssh/sshd_config | grep -v "#" | awk '{print  $2}'` = "yes" ]; then echo "ALERT: Root login permitted" >> $FILE; fi
            echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;
        fi;
    fi;

# Samba config
    if [ -x "`command -v smbd 2>/dev/null`" ]; then echo "Samba Extraction" >> $FILE && echo "$SAMBA:" >> $FILE && $SAMBAVER >> $FILE;
        if [ -e $SAMBACONF ]; then echo "Samba configuration" >> $FILE;
            echo "" >> $FILE;
            echo "`ls -la $SAMBACONF`:" >> $FILE; grep -v ";" $SAMBACONF 2>/dev/null | sed '/^$/d' >> $FILE;
            echo "-----------------------------------------------------" >> $FILE; echo "" >> $FILE;
        fi;
    fi;

# other potential daemons
# snmpd config
# inetd/xinetd.conf
# Snort
# DNS? named?
# Sendmail? Aliases file?
# NFS?  /etc/exports?
# Squid?
# webmin
# Syslogd as a logging server?

fi


if [ $PKGMGMT = "y" ]; then
    if [ $STDOUT="y" ]; then echo "PACKAGE MANAGEMENT"; fi
    echo ""  >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo "PACKAGE MANAGEMENT" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo ""  >> $FILE;
    if [ $OSNAME = "Linux" ]; then
        if [ -e "/etc/debian_version" ]; then echo "Debian Version: `cat /etc/debian_version`" 2>/dev/null >> $FILE;
            DPKG=`whereis dpkg | awk '{print $2}' 2>/dev/null`;
            if [ -x $DPKG ]; then PKGMGR=$DPKG; FLAGS="-l";
            fi;
        fi;

        if [ -e "/etc/redhat-release" ]; then echo "Redhat Release: `cat /etc/redhat-release`" 2>/dev/null >> $FILE;
            RPM=`whereis rpm | awk '{print $2}' 2>/dev/null`;
            if [ -x $RPM ]; then PKGMGR=$RPM; FLAGS="-qa | sort";
            fi;
        fi;

        if [ -e "/etc/gentoo-release" ];
            then echo "Gentoo Release:: `cat /etc/gentoo-release`" 2>/dev/null >>$FILE;
            ls -la /var/db/pkg/* | awk '{print $9}' | sort -n | uniq 2>/dev/null | sed '/^$/d' >> $FILE;
#EMERGE=`whereis emerge | awk '{print $2}' 2>/dev/null`;
#if [ -x $EMERGE ]; then PKGMGR=$EMERGE; FLAGS="";

#if [ -e "/etc/gentoo-release" ]; then echo "Gentoo Release:: `cat /etc/gentoo-release`" 2>/dev/null >>$FILE;
#EMERGE=`whereis emerge | awk '{print $2}' 2>/dev/null`;
#if [ -x $EMERGE ]; then PKGMGR=$EMERGE; FLAGS="";

# ls -la /var/db/pkg/* | awk '{print $9}' | sort -n | uniq <- gives a "niceish" list of packages installed, bypassing the root/portage-group restrictions of running a portage query
# emerge --info gives nicely formatted system information
        fi;
    fi;
    if [ $OSNAME = "FreeBSD" ]; then
        PKGINFO=`whereis pkg_info | awk '{print $2}' 2>/dev/null`;
        if [ -x $PKGINFO ]; then PKGMGR=$PKGINFO; FLAGS="";
        fi;
    fi;

    if [ -x $PKGMGR ]; then $PKGMGR $FLAGS >> $FILE;
    echo "-----------------------------------------------------" >> $FILE;
    echo "" >> $FILE;
    fi;

#Pulseaudio
    file `whereis pulseaudio | awk '{print $2}'` 2>/dev/null >> $FILE;
    `whereis pulseaudio | awk '{print $2}'` --version 2>/dev/null >> $FILE;
    ls -al `whereis pulseaudio | awk '{print $2}'` 2>/dev/null >> $FILE;
    echo "ALERT: Pulseaudio exists - investigate further and check pulseaudio exploits" >> $FILE;
    echo "-----------------------------------------------------" >> $FILE;
    echo ""  >> $FILE;
fi;

#Open Files
# lsof -i
if [ $FILESRCH = "y" ]; then
    if [ $STDOUT="y" ]; then echo "FILE SYSTEMS and FIND extractions"; fi
    echo "######################################################################################################################################################" >> $FILE;
    echo "FILE SYSTEMS and FIND extractions" >> $FILE;
    echo "######################################################################################################################################################" >> $FILE;
    echo ""  >> $FILE;
    echo ""  >> $FILE;
    echo "Partitions:" >> $FILE && df -h >> $FILE;
    echo ""  >> $FILE;
# /etc/fstab?
    if [ -e /etc/fstab ]; then echo "File System Table file" >>$FILE &&  ls -la /etc/fstab >> $FILE && cat /etc/fstab 2>/dev/null >> $FILE;
        echo "" >> $FILE && echo "Active mounts" >> $FILE && mount >> $FILE
        echo "-----------------------------------------------------" >> $FILE; echo ""  >> $FILE;
    fi;

# SUID binaries files
    echo "SUID binaries:"  >> $FILE;
    SUID=`find $BINARYDIR -perm -4000 -print 2>/dev/null`
    for  i in $SUID;
        do ls -la $i >> $FILE;
        done;
    echo ""  >> $FILE;

    if [ $SUIDLIB = "y" ]; then
        for i in $SUID;
            do echo "<<-- `ls -la $i | awk '{print $1,$3,$4,$8,$9}'`: -->> " >> $FILE && \
                ldd $i | grep / | awk '{print $3}' | sed '/^$/d' | sort | uniq | xargs ls -laH \
                | awk '{print $1,$3,$4,$8,$9}' >> $FILE && echo "" >> $FILE;
            done
    fi;

# SGID binaries files
    echo "SGID binaries:"  >> $FILE;
    find $BINARYDIR -perm -2000 -print | xargs ls -la 2>/dev/null >> $FILE;
    echo "-----------------------------------------------------" >> $FILE;
    echo ""  >> $FILE;

# World writeable directories and files
    echo "World Writeable Files and Directories:"  >> $FILE;
    for w in "$WORLDIR"; do
        find / -path $w -o -perm -2 ! -type l -ls 2>/dev/null >> $FILE;
    done;
    echo "-----------------------------------------------------" >> $FILE;
    echo ""  >> $FILE;

# Known_hosts file and file bruteforcing
# http://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/
    echo "Retrieved SSH User and key files:" >> $FILE;
    for p in "$HOMEDIR"; do
        find / -path $p \( -name "known_hosts" -o -name "id_rsa*" -o -name "authorized_hosts" -o -name "id_dsa*" \
            -o -name "identity" \) -print -exec ls -la {} \; -exec cat {} \; 2>/dev/null >> $FILE;
    done
    echo "" >> $FILE;

    echo "Retrieved Core dump files:" >> $FILE;
    find / -type f -regex ".*/core\.[0-9][0-9][0-9][0-9]$" -print -exec ls -la {} \; -exec strings {} \; 2> /dev/null

# Temporary directories contents
    if [ -e /tmp ]; then echo "Contents - /tmp" >>$FILE && ls -la /tmp 2>/dev/null >> $FILE && find /tmp -name "*" >> $FILE;
        echo "-----------------------------------------------------" >> $FILE; echo ""  >> $FILE;
    fi
    if [ -e /tmp ]; then echo "Contents - /var/tmp" >>$FILE && ls -la /var/tmp 2>/dev/null >> $FILE && find /var/tmp -name "*" >> $FILE;
        echo "-----------------------------------------------------" >> $FILE; echo ""  >> $FILE;
    fi
    if [ -e /tmp ]; then echo "Contents - /dev/shm" >>$FILE && ls -la /dev/shm 2>/dev/null >> $FILE && find /dev/shm -name "*" >> $FILE;
        echo "-----------------------------------------------------" >> $FILE; echo ""  >> $FILE;
    fi

# Home directory permissions?
    if [ $HOMELIST = "y" ]; then
        if [ -e /home ]; then echo "Contents - /home" >>$FILE &&  ls -la /home 2>/dev/null >> $FILE #&& find /home -name "*" >> $FILE;
            echo "-----------------------------------------------------" >> $FILE; echo ""  >> $FILE;
        fi;
            if [ -e ~/ ]; then echo "Contents - `whoami` ~/" >>$FILE && ls -la ~/ 2>/dev/null >> $FILE && find ~/ -name "*" >> $FILE;
            echo "-----------------------------------------------------" >> $FILE; echo ""  >> $FILE;
        fi;
        if [ $WHO != "root" ]; then echo "Contents - /root" >>$FILE &&  ls -la /root 2>/dev/null >> $FILE && find /root -name "*" >> $FILE;
            echo "-----------------------------------------------------" >> $FILE; echo ""  >> $FILE;
        fi;
    fi;

# End of intensive file system searches
    echo "" >> $FILE;
fi;
#-----------------------------------------------------------------------------------------------------------------

if [ $KERNELCONF = "y" ]; then
    if [ $STDOUT="y" ]; then echo "Kernel configurations extractions"; fi
        echo "Kernel Configuration files (check for supported options like CAM support, ReiserFS...:"  >> $FILE;
        echo Kernel Configurations found: >> $FILE;
        ls -la /proc/config.gz 2>/dev/null >> $FILE && `ls -la /boot | grep config` 2>/dev/null >> $FILE;
        echo "-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------" >> $FILE;

        if [ -e "/proc/config.gz" ]; then ls -la /proc/config.gz >> $FILE && zcat /proc/config.gz 2>/dev/null | sed '/^$/d' >> $FILE; fi;
            echo "-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------" >> $FILE;
            echo "-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------" >> $FILE;
            for i in `ls /boot | grep config`; do file /boot/$i >> $FILE && cat /boot/$i | sed '/^$/d' >> $FILE && echo "-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------" >> $FILE && echo "-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------" >> $FILE; done;

fi;

echo "######################################################################################################################################################" >> $FILE;
echo "VERY BASIC LOGFILE PARSING - identify clients of the system" >> $FILE;
echo "######################################################################################################################################################" >> $FILE;
echo >> $FILE;
if [ $LOGPROC = "y" ]; then
    if [ $APACHELOG = "y" ]; then
        echo "Apache2 client Sources:" >>$FILE;
        for f in `grep access.log -R /etc/apache2/* | grep -v "#" | cut -d : -f 2 | awk '{ print $2}' | sort | uniq`; do echo $f >> $FILE && cat $f 2>/dev/null | awk '{print $1,$7,$8,$9}' | sort | uniq -c | sort -rn | head -n 30 | sed '/^$/d'>> $FILE && echo $f.1 >> $FILE && cat $f.1 2>/dev/null | awk '{print $1,$7,$8,$9}' | sort | uniq -c | sort -rn | head -n 30 | sed '/^$/d' >> $FILE;
        done;
    fi;
    echo "" >>$FILE;
    if [ $SSHDLOGS = "y" ]; then
        echo "SSHD Login Sources:" >>$FILE;
        for u in `grep "sshd:session): session opened for user" /var/log/auth.log | awk '{print $11}' | sort | uniq`; do echo $u >> $FILE && grep "publickey for $u from" /var/log/auth.log | awk '{print$6,$7,$8,"user: "$9,$10,$11,$14,$15,$16}' | sort | uniq -c | sed '/^$/d' >> $FILE;
        done;
    fi;
    echo "" >>$FILE;
    if [ $POSTFIXLOGS = "y" ]; then
        echo "Postfix client Sources:" >> $FILE;
        zgrep status=sent mail.log* 2>/dev/null | awk '{ print $7,$8}' | sort | uniq -c | sed '/^$/d'>> $FILE;
    fi
fi;

# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
# end of scripted enumeration
# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
chmod 600 $FILE;
echo >> $FILE;
echo >> $FILE;
echo "EOF -- End of File" >> $FILE;
echo "Output file is: $FILE"