  1. #!/bin/bash
  2. #A script to enumerate local information from a Linux host
  3. v="version 0.6"
  4. #@rebootuser
  5.  
  6. #help function
#######################################
# Print the coloured banner and the option summary to stdout.
# Globals:  v (read) - version string shown in the banner
# Outputs:  help text to stdout; the caller decides whether to exit
#######################################
usage ()
{
  local red=$'\e[00;31m' yellow=$'\e[00;33m' reset=$'\e[00m'
  local bar="${red}#########################################################${reset}"
  printf '\n%s\n' "$bar"
  printf '%s %s %s\n' "${red}#${reset}" "${yellow}Local Linux Enumeration & Privilege Escalation Script${reset}" "${red}#${reset}"
  printf '%s\n' "$bar"
  printf '%s# www.rebootuser.com | @rebootuser %s\n' "$yellow" "$reset"
  printf '%s# %s%s\n\n' "$yellow" "$v" "$reset"
  printf '%s# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t %s\n\n' "$yellow" "$reset"
  printf '%s\n' "OPTIONS:" \
    "-k Enter keyword" \
    "-e Enter export location" \
    "-t Include thorough (lengthy) tests" \
    "-r Enter report name" \
    "-h Displays this help text"
  printf '\n\n'
  printf '%s\n' "Running with no options = limited scans/no output file"
  printf '%s\n' "$bar"
}
  27. while getopts "h:k:r:e:t" option; do
  28. case "${option}" in
  29. k) keyword=${OPTARG};;
  30. r) report=${OPTARG}"-"`date +"%d-%m-%y"`;;
  31. e) export=${OPTARG};;
  32. t) thorough=1;;
  33. h) usage; exit;;
  34. *) usage; exit;;
  35. esac
  36. done
  37.  
  38. echo -e "\n\e[00;31m#########################################################\e[00m" |tee -a $report 2>/dev/null
  39. echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" |tee -a $report 2>/dev/null
  40. echo -e "\e[00;31m#########################################################\e[00m" |tee -a $report 2>/dev/null
  41. echo -e "\e[00;33m# www.rebootuser.com\e[00m" |tee -a $report 2>/dev/null
  42. echo -e "\e[00;33m# $version\e[00m\n" |tee -a $report 2>/dev/null
  43.  
  44. echo "Debug Info" |tee -a $report 2>/dev/null
  45.  
  46. if [ "$keyword" ]; then
  47. echo "keyword = $keyword" |tee -a $report 2>/dev/null
  48. else
  49. :
  50. fi
  51.  
  52. if [ "$report" ]; then
  53. echo "report name = $report" |tee -a $report 2>/dev/null
  54. else
  55. :
  56. fi
  57.  
  58. if [ "$export" ]; then
  59. echo "export location = $export" |tee -a $report 2>/dev/null
  60. else
  61. :
  62. fi
  63.  
  64. if [ "$thorough" ]; then
  65. echo "thorough tests = enabled" |tee -a $report 2>/dev/null
  66. else
  67. echo "thorough tests = disabled" |tee -a $report 2>/dev/null
  68. fi
  69.  
  70. sleep 2
  71.  
  72. if [ "$export" ]; then
  73. mkdir $export 2>/dev/null
  74. format=$export/LinEnum-export-`date +"%d-%m-%y"`
  75. mkdir $format 2>/dev/null
  76. else
  77. :
  78. fi
  79.  
  80. who=`whoami` 2>/dev/null |tee -a $report 2>/dev/null
  81. echo -e "\n" |tee -a $report 2>/dev/null
  82.  
  83. echo -e "\e[00;33mScan started at:"; date |tee -a $report 2>/dev/null
  84. echo -e "\e[00m\n" |tee -a $report 2>/dev/null
  85.  
  86. echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" |tee -a $report 2>/dev/null
  87.  
  88. #basic kernel info
  89. unameinfo=`uname -a 2>/dev/null`
  90. if [ "$unameinfo" ]; then
  91. echo -e "\e[00;31mKernel information:\e[00m\n$unameinfo" |tee -a $report 2>/dev/null
  92. echo -e "\n" |tee -a $report 2>/dev/null
  93. else
  94. :
  95. fi
  96.  
  97. procver=`cat /proc/version 2>/dev/null`
  98. if [ "$procver" ]; then
  99. echo -e "\e[00;31mKernel information (continued):\e[00m\n$procver" |tee -a $report 2>/dev/null
  100. echo -e "\n" |tee -a $report 2>/dev/null
  101. else
  102. :
  103. fi
  104.  
  105. #search all *-release files for version info
  106. release=`cat /etc/*-release 2>/dev/null`
  107. if [ "$release" ]; then
  108. echo -e "\e[00;31mSpecific release information:\e[00m\n$release" |tee -a $report 2>/dev/null
  109. echo -e "\n" |tee -a $report 2>/dev/null
  110. else
  111. :
  112. fi
  113.  
  114. #target hostname info
  115. hostnamed=`hostname 2>/dev/null`
  116. if [ "$hostnamed" ]; then
  117. echo -e "\e[00;31mHostname:\e[00m\n$hostnamed" |tee -a $report 2>/dev/null
  118. echo -e "\n" |tee -a $report 2>/dev/null
  119. else
  120. :
  121. fi
  122.  
  123. echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" |tee -a $report 2>/dev/null
  124.  
  125. #current user details
  126. currusr=`id 2>/dev/null`
  127. if [ "$currusr" ]; then
  128. echo -e "\e[00;31mCurrent user/group info:\e[00m\n$currusr" |tee -a $report 2>/dev/null
  129. echo -e "\n" |tee -a $report 2>/dev/null
  130. else
  131. :
  132. fi
  133.  
  134. #last logged on user information
  135. lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null`
  136. if [ "$lastlogedonusrs" ]; then
  137. echo -e "\e[00;31mUsers that have previously logged onto the system:\e[00m\n$lastlogedonusrs" |tee -a $report 2>/dev/null
  138. echo -e "\n" |tee -a $report 2>/dev/null
  139. else
  140. :
  141. fi
  142.  
  143.  
  144. #who else is logged on
  145. loggedonusrs=`w 2>/dev/null`
  146. if [ "$loggedonusrs" ]; then
  147. echo -e "\e[00;31mWho else is logged on:\e[00m\n$loggedonusrs" |tee -a $report 2>/dev/null
  148. echo -e "\n" |tee -a $report 2>/dev/null
  149. else
  150. :
  151. fi
  152.  
  153. #lists all id's and respective group(s)
  154. grpinfo=`for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null`
  155. if [ "$grpinfo" ]; then
  156. echo -e "\e[00;31mGroup memberships:\e[00m\n$grpinfo" |tee -a $report 2>/dev/null
  157. echo -e "\n" |tee -a $report 2>/dev/null
  158. else
  159. :
  160. fi
  161.  
  162. #checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method)
  163. hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`
  164. if [ "$hashesinpasswd" ]; then
  165. echo -e "\e[00;33mIt looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" |tee -a $report 2>/dev/null
  166. echo -e "\n" |tee -a $report 2>/dev/null
  167. else
  168. :
  169. fi
  170.  
  171. #locate custom user accounts with some 'known default' uids
  172. readpasswd=`grep -v "^#" /etc/passwd | awk -F: '$3 == 0 || $3 == 500 || $3 == 501 || $3 == 502 || $3 == 1000 || $3 == 1001 || $3 == 1002 || $3 == 2000 || $3 == 2001 || $3 == 2002 { print }'`
  173. if [ "$readpasswd" ]; then
  174. echo -e "\e[00;31mSample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):\e[00m\n$readpasswd" |tee -a $report 2>/dev/null
  175. echo -e "\n" |tee -a $report 2>/dev/null
  176. else
  177. :
  178. fi
  179.  
  180. if [ "$export" ] && [ "$readpasswd" ]; then
  181. mkdir $format/etc-export/ 2>/dev/null
  182. cp /etc/passwd $format/etc-export/passwd 2>/dev/null
  183. else
  184. :
  185. fi
  186.  
  187. #checks to see if the shadow file can be read
  188. readshadow=`cat /etc/shadow 2>/dev/null`
  189. if [ "$readshadow" ]; then
  190. echo -e "\e[00;33m***We can read the shadow file!\e[00m\n$readshadow" |tee -a $report 2>/dev/null
  191. echo -e "\n" |tee -a $report 2>/dev/null
  192. else
  193. :
  194. fi
  195.  
  196. if [ "$export" ] && [ "$readshadow" ]; then
  197. mkdir $format/etc-export/ 2>/dev/null
  198. cp /etc/shadow $format/etc-export/shadow 2>/dev/null
  199. else
  200. :
  201. fi
  202.  
  203. #checks to see if /etc/master.passwd can be read - BSD 'shadow' variant
  204. readmasterpasswd=`cat /etc/master.passwd 2>/dev/null`
  205. if [ "$readmasterpasswd" ]; then
  206. echo -e "\e[00;33m***We can read the master.passwd file!\e[00m\n$readmasterpasswd" |tee -a $report 2>/dev/null
  207. echo -e "\n" |tee -a $report 2>/dev/null
  208. else
  209. :
  210. fi
  211.  
  212. if [ "$export" ] && [ "$readmasterpasswd" ]; then
  213. mkdir $format/etc-export/ 2>/dev/null
  214. cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null
  215. else
  216. :
  217. fi
  218.  
  219. #all root accounts (uid 0)
  220. echo -e "\e[00;31mSuper user account(s):\e[00m" | tee -a $report 2>/dev/null; grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: '$3 == 0 { print $1}' 2>/dev/null |tee -a $report 2>/dev/null
  221. echo -e "\n" |tee -a $report 2>/dev/null
  222.  
  223. #pull out vital sudoers info
  224. sudoers=`cat /etc/sudoers 2>/dev/null | grep -v -e '^$' 2>/dev/null |grep -v "#" 2>/dev/null`
  225. if [ "$sudoers" ]; then
  226. echo -e "\e[00;31mSudoers configuration (condensed):\e[00m$sudoers" | tee -a $report 2>/dev/null
  227. echo -e "\n" |tee -a $report 2>/dev/null
  228. else
  229. :
  230. fi
  231.  
  232. if [ "$export" ] && [ "$sudoers" ]; then
  233. mkdir $format/etc-export/ 2>/dev/null
  234. cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null
  235. else
  236. :
  237. fi
  238.  
  239. #can we sudo without supplying a password
  240. sudoperms=`echo '' | sudo -S -l 2>/dev/null`
  241. if [ "$sudoperms" ]; then
  242. echo -e "\e[00;33mWe can sudo without supplying a password!\e[00m\n$sudoperms" |tee -a $report 2>/dev/null
  243. echo -e "\n" |tee -a $report 2>/dev/null
  244. else
  245. :
  246. fi
  247.  
  248. #known 'good' breakout binaries
  249. sudopwnage=`echo '' | sudo -S -l 2>/dev/null | grep -w 'nmap\|perl\|'awk'\|'find'\|'bash'\|'sh'\|'man'\|'more'\|'less'\|'vi'\|'emacs'\|'vim'\|'nc'\|'netcat'\|python\|ruby\|lua\|irb' | xargs -r ls -la 2>/dev/null`
  250. if [ "$sudopwnage" ]; then
  251. echo -e "\e[00;33m***Possible Sudo PWNAGE!\e[00m\n$sudopwnage" |tee -a $report 2>/dev/null
  252. echo -e "\n" |tee -a $report 2>/dev/null
  253. else
  254. :
  255. fi
  256.  
  257. #checks to see if roots home directory is accessible
  258. rthmdir=`ls -ahl /root/ 2>/dev/null`
  259. if [ "$rthmdir" ]; then
  260. echo -e "\e[00;33m***We can read root's home directory!\e[00m\n$rthmdir" |tee -a $report 2>/dev/null
  261. echo -e "\n" |tee -a $report 2>/dev/null
  262. else
  263. :
  264. fi
  265.  
  266. #displays /home directory permissions - check if any are lax
  267. homedirperms=`ls -ahl /home/ 2>/dev/null`
  268. if [ "$homedirperms" ]; then
  269. echo -e "\e[00;31mAre permissions on /home directories lax:\e[00m\n$homedirperms" |tee -a $report 2>/dev/null
  270. echo -e "\n" |tee -a $report 2>/dev/null
  271. else
  272. :
  273. fi
  274.  
  275. #looks for files we can write to that don't belong to us
  276. if [ "$thorough" = "1" ]; then
  277. grfilesall=`find / -writable -not -user \`whoami\` -type f -not -path "/proc/*" -exec ls -al {} \; 2>/dev/null`
  278. if [ "$grfilesall" ]; then
  279. echo -e "\e[00;31mFiles not owned by user but writable by group:\e[00m\n$grfilesall" |tee -a $report 2>/dev/null
  280. echo -e "\n" |tee -a $report 2>/dev/null
  281. else
  282. :
  283. fi
  284. fi
  285.  
  286. #looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch
  287. if [ "$thorough" = "1" ]; then
  288. wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null`
  289. if [ "$wrfileshm" ]; then
  290. echo -e "\e[00;31mWorld-readable files within /home:\e[00m\n$wrfileshm" |tee -a $report 2>/dev/null
  291. echo -e "\n" |tee -a $report 2>/dev/null
  292. else
  293. :
  294. fi
  295. else
  296. :
  297. fi
  298.  
  299. if [ "$thorough" = "1" ]; then
  300. if [ "$export" ] && [ "$wrfileshm" ]; then
  301. mkdir $format/wr-files/ 2>/dev/null
  302. for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null
  303. else
  304. :
  305. fi
  306. else
  307. :
  308. fi
  309.  
  310. #lists current user's home directory contents
  311. if [ "$thorough" = "1" ]; then
  312. homedircontents=`ls -ahl ~ 2>/dev/null`
  313. if [ "$homedircontents" ] ; then
  314. echo -e "\e[00;31mHome directory contents:\e[00m\n$homedircontents" |tee -a $report 2>/dev/null
  315. echo -e "\n" |tee -a $report 2>/dev/null
  316. else
  317. :
  318. fi
  319. else
  320. :
  321. fi
  322.  
  323. #checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch
  324. if [ "$thorough" = "1" ]; then
  325. sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;`
  326. if [ "$sshfiles" ]; then
  327. echo -e "\e[00;31mSSH keys/host information found in the following locations:\e[00m\n$sshfiles" |tee -a $report 2>/dev/null
  328. echo -e "\n" |tee -a $report 2>/dev/null
  329. else
  330. :
  331. fi
  332. else
  333. :
  334. fi
  335.  
  336. if [ "$thorough" = "1" ]; then
  337. if [ "$export" ] && [ "$sshfiles" ]; then
  338. mkdir $format/ssh-files/ 2>/dev/null
  339. for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null
  340. else
  341. :
  342. fi
  343. else
  344. :
  345. fi
  346.  
  347. #is root permitted to login via ssh
  348. sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'`
  349. if [ "$sshrootlogin" = "yes" ]; then
  350. echo -e "\e[00;31mRoot is allowed to login via SSH:\e[00m" |tee -a $report 2>/dev/null; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" |tee -a $report 2>/dev/null
  351. echo -e "\n" |tee -a $report 2>/dev/null
  352. else
  353. :
  354. fi
  355.  
  356. echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m" |tee -a $report 2>/dev/null
  357.  
  358. #env information
  359. envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null`
  360. if [ "$envinfo" ]; then
  361. echo -e "\e[00;31m Environment information:\e[00m\n$envinfo" |tee -a $report 2>/dev/null
  362. echo -e "\n" |tee -a $report 2>/dev/null
  363. else
  364. :
  365. fi
  366.  
  367. #current path configuration
  368. pathinfo=`echo $PATH 2>/dev/null`
  369. if [ "$pathinfo" ]; then
  370. echo -e "\e[00;31mPath information:\e[00m\n$pathinfo" |tee -a $report 2>/dev/null
  371. echo -e "\n" |tee -a $report 2>/dev/null
  372. else
  373. :
  374. fi
  375.  
  376. #lists available shells
  377. shellinfo=`cat /etc/shells 2>/dev/null`
  378. if [ "$shellinfo" ]; then
  379. echo -e "\e[00;31mAvailable shells:\e[00m\n$shellinfo" |tee -a $report 2>/dev/null
  380. echo -e "\n" |tee -a $report 2>/dev/null
  381. else
  382. :
  383. fi
  384.  
  385. #current umask value with both octal and symbolic output
  386. umask=`umask -S 2>/dev/null & umask 2>/dev/null`
  387. if [ "$umask" ]; then
  388. echo -e "\e[00;31mCurrent umask value:\e[00m\n$umask" |tee -a $report 2>/dev/null
  389. echo -e "\n" |tee -a $report 2>/dev/null
  390. else
  391. :
  392. fi
  393.  
  394. #umask value as in /etc/login.defs
  395. umaskdef=`cat /etc/login.defs 2>/dev/null |grep -i UMASK 2>/dev/null |grep -v "#" 2>/dev/null`
  396. if [ "$umaskdef" ]; then
  397. echo -e "\e[00;31mumask value as specified in /etc/login.defs:\e[00m\n$umaskdef" |tee -a $report 2>/dev/null
  398. echo -e "\n" |tee -a $report 2>/dev/null
  399. else
  400. :
  401. fi
  402.  
  403. #password policy information as stored in /etc/login.defs
  404. logindefs=`cat /etc/login.defs 2>/dev/null | grep "PASS_MAX_DAYS\|PASS_MIN_DAYS\|PASS_WARN_AGE\|ENCRYPT_METHOD" 2>/dev/null | grep -v "#" 2>/dev/null`
  405. if [ "$logindefs" ]; then
  406. echo -e "\e[00;31mPassword and storage information:\e[00m\n$logindefs" |tee -a $report 2>/dev/null
  407. echo -e "\n" |tee -a $report 2>/dev/null
  408. else
  409. :
  410. fi
  411.  
  412. if [ "$export" ] && [ "$logindefs" ]; then
  413. mkdir $format/etc-export/ 2>/dev/null
  414. cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null
  415. else
  416. :
  417. fi
  418.  
  419. echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" |tee -a $report 2>/dev/null
  420.  
  421. #are there any cron jobs configured
  422. cronjobs=`ls -la /etc/cron* 2>/dev/null`
  423. if [ "$cronjobs" ]; then
  424. echo -e "\e[00;31mCron jobs:\e[00m\n$cronjobs" |tee -a $report 2>/dev/null
  425. echo -e "\n" |tee -a $report 2>/dev/null
  426. else
  427. :
  428. fi
  429.  
  430. #can we manipulate these jobs in any way
  431. cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
  432. if [ "$cronjobwwperms" ]; then
  433. echo -e "\e[00;33m***World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" |tee -a $report 2>/dev/null
  434. echo -e "\n" |tee -a $report 2>/dev/null
  435. else
  436. :
  437. fi
  438.  
  439. #contab contents
  440. crontab=`cat /etc/crontab 2>/dev/null`
  441. if [ "$crontab" ]; then
  442. echo -e "\e[00;31mCrontab contents:\e[00m\n$crontab" |tee -a $report 2>/dev/null
  443. echo -e "\n" |tee -a $report 2>/dev/null
  444. else
  445. :
  446. fi
  447.  
  448. crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null`
  449. if [ "$crontabvar" ]; then
  450. echo -e "\e[00;31mAnything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" |tee -a $report 2>/dev/null
  451. echo -e "\n" |tee -a $report 2>/dev/null
  452. else
  453. :
  454. fi
  455.  
  456. anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null`
  457. if [ "$anacronjobs" ]; then
  458. echo -e "\e[00;31mAnacron jobs and associated file permissions:\e[00m\n$anacronjobs" |tee -a $report 2>/dev/null
  459. echo -e "\n" |tee -a $report 2>/dev/null
  460. else
  461. :
  462. fi
  463.  
  464. anacrontab=`ls -la /var/spool/anacron 2>/dev/null`
  465. if [ "$anacrontab" ]; then
  466. echo -e "\e[00;31mWhen were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" |tee -a $report 2>/dev/null
  467. echo -e "\n" |tee -a $report 2>/dev/null
  468. else
  469. :
  470. fi
  471.  
  472. #pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command)
  473. cronother=`cat /etc/passwd | cut -d ":" -f 1 | xargs -n1 crontab -l -u 2>/dev/null`
  474. if [ "$cronother" ]; then
  475. echo -e "\e[00;31mJobs held by all users:\e[00m\n$cronother" |tee -a $report 2>/dev/null
  476. echo -e "\n" |tee -a $report 2>/dev/null
  477. else
  478. :
  479. fi
  480.  
  481. echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" |tee -a $report 2>/dev/null
  482.  
  483. #nic information
  484. nicinfo=`/sbin/ifconfig -a 2>/dev/null`
  485. if [ "$nicinfo" ]; then
  486. echo -e "\e[00;31mNetwork & IP info:\e[00m\n$nicinfo" |tee -a $report 2>/dev/null
  487. echo -e "\n" |tee -a $report 2>/dev/null
  488. else
  489. :
  490. fi
  491.  
  492. arpinfo=`arp -a 2>/dev/null`
  493. if [ "$arpinfo" ]; then
  494. echo -e "\e[00;31mARP history:\e[00m\n$arpinfo" |tee -a $report 2>/dev/null
  495. echo -e "\n" |tee -a $report 2>/dev/null
  496. else
  497. :
  498. fi
  499.  
  500. #dns settings
  501. nsinfo=`cat /etc/resolv.conf 2>/dev/null | grep "nameserver"`
  502. if [ "$nsinfo" ]; then
  503. echo -e "\e[00;31mNameserver(s):\e[00m\n$nsinfo" |tee -a $report 2>/dev/null
  504. echo -e "\n" |tee -a $report 2>/dev/null
  505. else
  506. :
  507. fi
  508.  
  509. #default route configuration
  510. defroute=`route 2>/dev/null | grep default`
  511. if [ "$defroute" ]; then
  512. echo -e "\e[00;31mDefault route:\e[00m\n$defroute" |tee -a $report 2>/dev/null
  513. echo -e "\n" |tee -a $report 2>/dev/null
  514. else
  515. :
  516. fi
  517.  
  518. #listening TCP
  519. tcpservs=`netstat -antp 2>/dev/null`
  520. if [ "$tcpservs" ]; then
  521. echo -e "\e[00;31mListening TCP:\e[00m\n$tcpservs" |tee -a $report 2>/dev/null
  522. echo -e "\n" |tee -a $report 2>/dev/null
  523. else
  524. :
  525. fi
  526.  
  527. #listening UDP
  528. udpservs=`netstat -anup 2>/dev/null`
  529. if [ "$udpservs" ]; then
  530. echo -e "\e[00;31mListening UDP:\e[00m\n$udpservs" |tee -a $report 2>/dev/null
  531. echo -e "\n" |tee -a $report 2>/dev/null
  532. else
  533. :
  534. fi
  535.  
  536. echo -e "\e[00;33m### SERVICES #############################################\e[00m" |tee -a $report 2>/dev/null
  537.  
  538. #running processes
  539. psaux=`ps aux 2>/dev/null`
  540. if [ "$psaux" ]; then
  541. echo -e "\e[00;31mRunning processes:\e[00m\n$psaux" |tee -a $report 2>/dev/null
  542. echo -e "\n" |tee -a $report 2>/dev/null
  543. else
  544. :
  545. fi
  546.  
  547. #lookup process binary path and permissisons
  548. procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null`
  549. if [ "$procperm" ]; then
  550. echo -e "\e[00;31mProcess binaries & associated permissions (from above list):\e[00m\n$procperm" |tee -a $report 2>/dev/null
  551. echo -e "\n" |tee -a $report 2>/dev/null
  552. else
  553. :
  554. fi
  555.  
  556. if [ "$export" ] && [ "$procperm" ]; then
  557. procpermbase=`ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null`
  558. mkdir $format/ps-export/ 2>/dev/null
  559. for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null
  560. else
  561. :
  562. fi
  563.  
  564. #anything 'useful' in inetd.conf
  565. inetdread=`cat /etc/inetd.conf 2>/dev/null`
  566. if [ "$inetdread" ]; then
  567. echo -e "\e[00;31mContents of /etc/inetd.conf:\e[00m\n$inetdread" |tee -a $report 2>/dev/null
  568. echo -e "\n" |tee -a $report 2>/dev/null
  569. else
  570. :
  571. fi
  572.  
  573. if [ "$export" ] && [ "$inetdread" ]; then
  574. mkdir $format/etc-export/ 2>/dev/null
  575. cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null
  576. else
  577. :
  578. fi
  579.  
  580. #very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each
  581. inetdbinperms=`cat /etc/inetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null`
  582. if [ "$inetdbinperms" ]; then
  583. echo -e "\e[00;31mThe related inetd binary permissions:\e[00m\n$inetdbinperms" |tee -a $report 2>/dev/null
  584. echo -e "\n" |tee -a $report 2>/dev/null
  585. else
  586. :
  587. fi
  588.  
  589. xinetdread=`cat /etc/xinetd.conf 2>/dev/null`
  590. if [ "$xinetdread" ]; then
  591. echo -e "\e[00;31mContents of /etc/xinetd.conf:\e[00m\n$xinetdread" |tee -a $report 2>/dev/null
  592. echo -e "\n" |tee -a $report 2>/dev/null
  593. else
  594. :
  595. fi
  596.  
  597. if [ "$export" ] && [ "$xinetdread" ]; then
  598. mkdir $format/etc-export/ 2>/dev/null
  599. cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null
  600. else
  601. :
  602. fi
  603.  
  604. xinetdincd=`cat /etc/xinetd.conf 2>/dev/null |grep "/etc/xinetd.d" 2>/dev/null`
  605. if [ "$xinetdincd" ]; then
  606. echo -e "\e[00;31m/etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m" ls -la /etc/xinetd.d 2>/dev/null |tee -a $report 2>/dev/null
  607. echo -e "\n" |tee -a $report 2>/dev/null
  608. else
  609. :
  610. fi
  611.  
  612. #very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each
  613. xinetdbinperms=`cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null`
  614. if [ "$xinetdbinperms" ]; then
  615. echo -e "\e[00;31mThe related xinetd binary permissions:\e[00m\n$xinetdbinperms" |tee -a $report 2>/dev/null
  616. echo -e "\n" |tee -a $report 2>/dev/null
  617. else
  618. :
  619. fi
  620.  
  621. initdread=`ls -la /etc/init.d 2>/dev/null`
  622. if [ "$initdread" ]; then
  623. echo -e "\e[00;31m/etc/init.d/ binary permissions:\e[00m\n$initdread" |tee -a $report 2>/dev/null
  624. echo -e "\n" |tee -a $report 2>/dev/null
  625. else
  626. :
  627. fi
  628.  
  629. #init.d files NOT belonging to root!
  630. initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  631. if [ "$initdperms" ]; then
  632. echo -e "\e[00;31m/etc/init.d/ files not belonging to root (uid 0):\e[00m\n$initdperms" |tee -a $report 2>/dev/null
  633. echo -e "\n" |tee -a $report 2>/dev/null
  634. else
  635. :
  636. fi
  637.  
  638. rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null`
  639. if [ "$rcdread" ]; then
  640. echo -e "\e[00;31m/etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" |tee -a $report 2>/dev/null
  641. echo -e "\n" |tee -a $report 2>/dev/null
  642. else
  643. :
  644. fi
  645.  
  646. #init.d files NOT belonging to root!
  647. rcdperms=`find /etc/rc.d/init.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  648. if [ "$rcdperms" ]; then
  649. echo -e "\e[00;31m/etc/rc.d/init.d files not belonging to root (uid 0):\e[00m\n$rcdperms" |tee -a $report 2>/dev/null
  650. echo -e "\n" |tee -a $report 2>/dev/null
  651. else
  652. :
  653. fi
  654.  
  655. usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null`
  656. if [ "$usrrcdread" ]; then
  657. echo -e "\e[00;31m/usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" |tee -a $report 2>/dev/null
  658. echo -e "\n" |tee -a $report 2>/dev/null
  659. else
  660. :
  661. fi
  662.  
  663. #rc.d files NOT belonging to root!
  664. usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null`
  665. if [ "$usrrcdperms" ]; then
  666. echo -e "\e[00;31m/usr/local/etc/rc.d files not belonging to root (uid 0):\e[00m\n$usrrcdperms" |tee -a $report 2>/dev/null
  667. echo -e "\n" |tee -a $report 2>/dev/null
  668. else
  669. :
  670. fi
  671.  
  672. echo -e "\e[00;33m### SOFTWARE #############################################\e[00m" |tee -a $report 2>/dev/null
  673.  
  674. #sudo version - check to see if there are any known vulnerabilities with this
  675. sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null`
  676. if [ "$sudover" ]; then
  677. echo -e "\e[00;31mSudo version:\e[00m\n$sudover" |tee -a $report 2>/dev/null
  678. echo -e "\n" |tee -a $report 2>/dev/null
  679. else
  680. :
  681. fi
  682.  
  683. #mysql details - if installed
  684. mysqlver=`mysql --version 2>/dev/null`
  685. if [ "$mysqlver" ]; then
  686. echo -e "\e[00;31mMYSQL version:\e[00m\n$mysqlver" |tee -a $report 2>/dev/null
  687. echo -e "\n" |tee -a $report 2>/dev/null
  688. else
  689. :
  690. fi
  691.  
  692. #checks to see if root/root will get us a connection
  693. mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null`
  694. if [ "$mysqlconnect" ]; then
  695. echo -e "\e[00;33m***We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect" |tee -a $report 2>/dev/null
  696. echo -e "\n" |tee -a $report 2>/dev/null
  697. else
  698. :
  699. fi
  700.  
  701. #mysql version details
  702. mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null`
  703. if [ "$mysqlconnectnopass" ]; then
  704. echo -e "\e[00;33m***We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass" |tee -a $report 2>/dev/null
  705. echo -e "\n" |tee -a $report 2>/dev/null
  706. else
  707. :
  708. fi
  709.  
  710. #postgres details - if installed
  711. postgver=`psql -V 2>/dev/null`
  712. if [ "$postgver" ]; then
  713. echo -e "\e[00;31mPostgres version:\e[00m\n$postgver" |tee -a $report 2>/dev/null
  714. echo -e "\n" |tee -a $report 2>/dev/null
  715. else
  716. :
  717. fi
  718.  
  719. #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
  720. postcon1=`psql -U postgres template0 -c 'select version()' 2>/dev/null | grep version`
  721. if [ "$postcon1" ]; then
  722. echo -e "\e[00;33m***We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" |tee -a $report 2>/dev/null
  723. echo -e "\n" |tee -a $report 2>/dev/null
  724. else
  725. :
  726. fi
  727.  
  728. postcon11=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`
  729. if [ "$postcon11" ]; then
  730. echo -e "\e[00;33m***We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" |tee -a $report 2>/dev/null
  731. echo -e "\n" |tee -a $report 2>/dev/null
  732. else
  733. :
  734. fi
  735.  
  736. postcon2=`psql -U pgsql template0 -c 'select version()' 2>/dev/null | grep version`
  737. if [ "$postcon2" ]; then
  738. echo -e "\e[00;33m***We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" |tee -a $report 2>/dev/null
  739. echo -e "\n" |tee -a $report 2>/dev/null
  740. else
  741. :
  742. fi
  743.  
  744. postcon22=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`
  745. if [ "$postcon22" ]; then
  746. echo -e "\e[00;33m***We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" |tee -a $report 2>/dev/null
  747. echo -e "\n" |tee -a $report 2>/dev/null
  748. else
  749. :
  750. fi
  751.  
  752. #apache details - if installed
  753. apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null`
  754. if [ "$apachever" ]; then
  755. echo -e "\e[00;31mApache version:\e[00m\n$apachever" |tee -a $report 2>/dev/null
  756. echo -e "\n" |tee -a $report 2>/dev/null
  757. else
  758. :
  759. fi
  760.  
  761. #what account is apache running under
  762. apacheusr=`cat /etc/apache2/envvars 2>/dev/null |grep -i 'user\|group' 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null`
  763. if [ "$apacheusr" ]; then
  764. echo -e "\e[00;31mApache user configuration:\e[00m\n$apacheusr" |tee -a $report 2>/dev/null
  765. echo -e "\n" |tee -a $report 2>/dev/null
  766. else
  767. :
  768. fi
  769.  
  770. if [ "$export" ] && [ "$apacheusr" ]; then
  771. mkdir --parents $format/etc-export/apache2/ 2>/dev/null
  772. cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null
  773. else
  774. :
  775. fi
  776.  
  777. #installed apache modules
  778. apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null`
  779. if [ "$apachemodules" ]; then
  780. echo -e "\e[00;31mInstalled Apache modules:\e[00m\n$apachemodules" |tee -a $report 2>/dev/null
  781. echo -e "\n" |tee -a $report 2>/dev/null
  782. else
  783. :
  784. fi
  785.  
  786. #anything in the default http home dirs
  787. apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null`
  788. if [ "$apachehomedirs" ]; then
  789. echo -e "\e[00;31mAnything in the Apache home dirs?:\e[00m\n$apachehomedirs" |tee -a $report 2>/dev/null
  790. echo -e "\n" |tee -a $report 2>/dev/null
  791. else
  792. :
  793. fi
  794.  
  795. echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" |tee -a $report 2>/dev/null
  796.  
  797. #checks to see if various files are installed
  798. echo -e "\e[00;31mUseful file locations:\e[00m" |tee -a $report 2>/dev/null; which nc 2>/dev/null |tee -a $report 2>/dev/null; which netcat 2>/dev/null |tee -a $report 2>/dev/null; which wget 2>/dev/null |tee -a $report 2>/dev/null; which nmap 2>/dev/null |tee -a $report 2>/dev/null; which gcc 2>/dev/null |tee -a $report 2>/dev/null
  799. echo -e "\n" |tee -a $report 2>/dev/null
  800.  
  801. #limited search for installed compilers
  802. compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null`
  803. if [ "$compiler" ]; then
  804. echo -e "\e[00;31mInstalled compilers:\e[00m\n$compiler" |tee -a $report 2>/dev/null
  805. echo -e "\n" |tee -a $report 2>/dev/null
  806. else
  807. :
  808. fi
  809.  
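  #manual check - lists out sensitive files, can we read/modify etc.
  # Ownership and mode only (`ls -la`), never contents. In the original the
  # /etc/profile entry was printed to the terminal but not piped through tee, so it
  # was missing from the report file; every entry now takes the same path.
  echo -e "\e[00;31mCan we read/write sensitive files:\e[00m" |tee -a $report 2>/dev/null
  for sensitivefile in /etc/passwd /etc/group /etc/profile /etc/shadow /etc/master.passwd; do
    ls -la "$sensitivefile" 2>/dev/null |tee -a $report 2>/dev/null
  done
  echo -e "\n" |tee -a $report 2>/dev/null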
  813.  
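  #search for suid files - this can take some time so is only 'activated' with thorough scanning switch (as are all suid scans below)
  if [ "$thorough" = "1" ]; then
    findsuid=$(find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;)
    if [ -n "$findsuid" ]; then
      echo -e "\e[00;31mSUID files:\e[00m\n$findsuid" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
    # Export copies under $format (the export directory; presumably set earlier in the
    # script, not visible here). $findsuid is `ls -la` output, so the path is taken
    # from the last field of each line instead of handing every token (mode, owner,
    # size, ...) to cp as the original `for i in $findsuid` loop did. Paths containing
    # whitespace are still not handled; cp does not carry the setuid bit over without -p.
    if [ -n "$export" ] && [ -n "$findsuid" ]; then
      mkdir -p "$format/suid-files/" 2>/dev/null
      printf '%s\n' "$findsuid" | awk '{print $NF}' | while IFS= read -r suidpath; do
        cp -- "$suidpath" "$format/suid-files/" 2>/dev/null
      done
    fi
  fi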
  837.  
  #list of 'interesting' suid files - feel free to make additions
  # Filter the SUID list for names of shells, pagers, editors, interpreters and
  # networking tools. The alternation is written once as an ERE instead of the
  # original's mix of quoted fragments and BRE "\|"; -w still requires a whole word,
  # so e.g. "python3" does not match "python".
  if [ "$thorough" = "1" ]; then
    intsuid=$(find / -perm -4000 -type f 2>/dev/null \
      | grep -wE 'nmap|perl|awk|find|bash|sh|man|more|less|vi|vim|emacs|nc|netcat|python|ruby|lua|irb|pl' \
      | xargs -r ls -la 2>/dev/null)
    if [ -n "$intsuid" ]; then
      echo -e "\e[00;33m***Possibly interesting SUID files:\e[00m\n$intsuid" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
  fi
  850.  
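  #lists world-writable suid files
  # -perm -4002 = setuid bit AND other-write. The original used -4007, which also
  # demanded other-read and other-execute and so silently missed o=rw- files.
  if [ "$thorough" = "1" ]; then
    wwsuid=$(find / -perm -4002 -type f -exec ls -la {} 2>/dev/null \;)
    if [ -n "$wwsuid" ]; then
      echo -e "\e[00;31mWorld-writable SUID files:\e[00m\n$wwsuid" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
  fi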
  863.  
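  #lists world-writable suid files owned by root
  # Same as the previous check, restricted to uid 0 owners. -perm -4002 (setuid AND
  # other-write) replaces the original -4007, which also required o+rx.
  if [ "$thorough" = "1" ]; then
    wwsuidrt=$(find / -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;)
    if [ -n "$wwsuidrt" ]; then
      echo -e "\e[00;31mWorld-writable SUID files owned by root:\e[00m\n$wwsuidrt" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
  fi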
  876.  
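  #search for guid files - this can take some time so is only 'activated' with thorough scanning switch (as are all guid scans below)
  # "GUID" here is the setgid bit (-perm -2000).
  if [ "$thorough" = "1" ]; then
    findguid=$(find / -perm -2000 -type f -exec ls -la {} 2>/dev/null \;)
    if [ -n "$findguid" ]; then
      echo -e "\e[00;31mGUID files:\e[00m\n$findguid" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
    # Export copies under $format (presumably set earlier in the script, not visible
    # here). The path is the last field of each `ls -la` line; the original loop fed
    # every token of the listing to cp. Whitespace in paths is still not handled.
    if [ -n "$export" ] && [ -n "$findguid" ]; then
      mkdir -p "$format/guid-files/" 2>/dev/null
      printf '%s\n' "$findguid" | awk '{print $NF}' | while IFS= read -r guidpath; do
        cp -- "$guidpath" "$format/guid-files/" 2>/dev/null
      done
    fi
  fi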
  900.  
  #list of 'interesting' guid files - feel free to make additions
  # Same name filter as the SUID variant, applied to setgid files. Written as a single
  # ERE alternation rather than the original's spliced BRE fragments.
  if [ "$thorough" = "1" ]; then
    intguid=$(find / -perm -2000 -type f 2>/dev/null \
      | grep -wE 'nmap|perl|awk|find|bash|sh|man|more|less|vi|emacs|vim|nc|netcat|python|ruby|lua|irb|pl' \
      | xargs -r ls -la 2>/dev/null)
    if [ -n "$intguid" ]; then
      echo -e "\e[00;33m***Possibly interesting GUID files:\e[00m\n$intguid" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
  fi
  913.  
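  #lists world-writable guid files
  # -perm -2002 = setgid bit AND other-write. The original -2007 also required
  # other-read/execute and therefore missed o=rw- files.
  if [ "$thorough" = "1" ]; then
    wwguid=$(find / -perm -2002 -type f -exec ls -la {} 2>/dev/null \;)
    if [ -n "$wwguid" ]; then
      echo -e "\e[00;31mWorld-writable GUID files:\e[00m\n$wwguid" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
  fi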
  926.  
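  #lists world-writable guid files owned by root
  # Restricted to uid 0 owners; -perm -2002 (setgid AND other-write) replaces the
  # original -2007. The heading also loses its stray leading "A".
  if [ "$thorough" = "1" ]; then
    wwguidrt=$(find / -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;)
    if [ -n "$wwguidrt" ]; then
      echo -e "\e[00;31mWorld-writable GUID files owned by root:\e[00m\n$wwguidrt" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
  fi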
  939.  
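  #list all world-writable files excluding /proc
  # -prune keeps find from descending into /proc at all; the original `! -path`
  # filter still walked the whole tree and only dropped the results. -perm -2 = other-write.
  if [ "$thorough" = "1" ]; then
    wwfiles=$(find / -path /proc -prune -o -perm -2 -type f -exec ls -la {} \; 2>/dev/null)
    if [ -n "$wwfiles" ]; then
      echo -e "\e[00;31mWorld-writable files (excluding /proc):\e[00m\n$wwfiles" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
    # Export under $format (presumably set earlier in the script, not visible here).
    # Path = last `ls -la` field; --parents (GNU cp) recreates the directory tree.
    if [ -n "$export" ] && [ -n "$wwfiles" ]; then
      mkdir -p "$format/ww-files/" 2>/dev/null
      printf '%s\n' "$wwfiles" | awk '{print $NF}' | while IFS= read -r wwpath; do
        cp --parents -- "$wwpath" "$format/ww-files/" 2>/dev/null
      done
    fi
  fi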
  963.  
  964. #are any .plan files accessible in /home (could contain useful information)
  965. usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
  966. if [ "$usrplan" ]; then
  967. echo -e "\e[00;31mPlan file permissions and contents:\e[00m\n$usrplan" |tee -a $report 2>/dev/null
  968. echo -e "\n" |tee -a $report 2>/dev/null
  969. else
  970. :
  971. fi
  972.  
  973. if [ "$export" ] && [ "$usrplan" ]; then
  974. mkdir $format/plan_files/ 2>/dev/null
  975. for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
  976. else
  977. :
  978. fi
  979.  
  980. bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
  981. if [ "$bsdusrplan" ]; then
  982. echo -e "\e[00;31mPlan file permissions and contents:\e[00m\n$bsdusrplan" |tee -a $report 2>/dev/null
  983. echo -e "\n" |tee -a $report 2>/dev/null
  984. else
  985. :
  986. fi
  987.  
  988. if [ "$export" ] && [ "$bsdusrplan" ]; then
  989. mkdir $format/plan_files/ 2>/dev/null
  990. for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null
  991. else
  992. :
  993. fi
  994.  
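  #are there any .rhosts files accessible - these may allow us to login as another user etc.
  # '*.rhosts' is quoted so the shell cannot expand it before find runs. Paths are
  # collected once and reused for the listing+contents dump and for the export, so the
  # export copies file names only (the original looped over every token of the
  # listing and of the file contents).
  rhostsusrpaths=$(find /home -iname '*.rhosts' 2>/dev/null)
  rhostsusr=$(printf '%s\n' "$rhostsusrpaths" | while IFS= read -r rhostspath; do
    [ -n "$rhostspath" ] || continue
    ls -la "$rhostspath" 2>/dev/null; cat "$rhostspath" 2>/dev/null
  done)
  if [ -n "$rhostsusr" ]; then
    echo -e "\e[00;31mrhost config file(s) and file contents:\e[00m\n$rhostsusr" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  # $format is the export directory (presumably set earlier in the script, not visible here).
  if [ -n "$export" ] && [ -n "$rhostsusr" ]; then
    mkdir -p "$format/rhosts/" 2>/dev/null
    printf '%s\n' "$rhostsusrpaths" | while IFS= read -r rhostspath; do
      [ -n "$rhostspath" ] || continue
      cp --parents -- "$rhostspath" "$format/rhosts/" 2>/dev/null
    done
  fi

  # Same check for the /usr/home layout (BSD-style home directories).
  bsdrhostsusrpaths=$(find /usr/home -iname '*.rhosts' 2>/dev/null)
  bsdrhostsusr=$(printf '%s\n' "$bsdrhostsusrpaths" | while IFS= read -r rhostspath; do
    [ -n "$rhostspath" ] || continue
    ls -la "$rhostspath" 2>/dev/null; cat "$rhostspath" 2>/dev/null
  done)
  if [ -n "$bsdrhostsusr" ]; then
    echo -e "\e[00;31mrhost config file(s) and file contents:\e[00m\n$bsdrhostsusr" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  if [ -n "$export" ] && [ -n "$bsdrhostsusr" ]; then
    mkdir -p "$format/rhosts/" 2>/dev/null
    printf '%s\n' "$bsdrhostsusrpaths" | while IFS= read -r rhostspath; do
      [ -n "$rhostspath" ] || continue
      cp --parents -- "$rhostspath" "$format/rhosts/" 2>/dev/null
    done
  fi

  # System-wide equivalent: /etc/hosts.equiv.
  rhostssyspaths=$(find /etc -iname hosts.equiv 2>/dev/null)
  rhostssys=$(printf '%s\n' "$rhostssyspaths" | while IFS= read -r rhostspath; do
    [ -n "$rhostspath" ] || continue
    ls -la "$rhostspath" 2>/dev/null; cat "$rhostspath" 2>/dev/null
  done)
  if [ -n "$rhostssys" ]; then
    echo -e "\e[00;31mHosts.equiv file details and file contents: \e[00m\n$rhostssys" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  if [ -n "$export" ] && [ -n "$rhostssys" ]; then
    mkdir -p "$format/rhosts/" 2>/dev/null
    printf '%s\n' "$rhostssyspaths" | while IFS= read -r rhostspath; do
      [ -n "$rhostspath" ] || continue
      cp --parents -- "$rhostspath" "$format/rhosts/" 2>/dev/null
    done
  fi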
  1040.  
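  #list nfs shares/permissions etc.
  # Ownership/mode of /etc/exports followed by the share definitions themselves.
  nfsexports=$(ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null)
  if [ -n "$nfsexports" ]; then
    echo -e "\e[00;31mNFS config details: \e[00m\n$nfsexports" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  # $format is the export directory (presumably set earlier in the script, not visible
  # here); expansions are quoted so a path with whitespace does not split.
  if [ -n "$export" ] && [ -n "$nfsexports" ]; then
    mkdir -p "$format/etc-export/" 2>/dev/null
    cp -- /etc/exports "$format/etc-export/exports" 2>/dev/null
  fi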
  1056.  
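  #looking for credentials in /etc/fstab
  # For each key=value mount option of interest, awk strips everything up to the key
  # and everything from the next comma, then prints one "key: value" line per match.
  # Changes from the original:
  #  - the regexes used "\username=" etc.; a backslash before a letter is an undefined
  #    escape in awk and only worked because the implementation treats it as a plain
  #    letter, so the backslashes are dropped;
  #  - the value was previously echoed via `xargs`, which parses quotes and
  #    backslashes itself and breaks on exactly the characters a password may contain.
  fstab=$(
    grep username /etc/fstab 2>/dev/null | awk '{sub(/.*username=/,"");sub(/,.*/,""); print "username: " $0}' 2>/dev/null
    grep password /etc/fstab 2>/dev/null | awk '{sub(/.*password=/,"");sub(/,.*/,""); print "password: " $0}' 2>/dev/null
    grep domain /etc/fstab 2>/dev/null | awk '{sub(/.*domain=/,"");sub(/,.*/,""); print "domain: " $0}' 2>/dev/null
  )
  if [ -n "$fstab" ]; then
    echo -e "\e[00;33m***Looks like there are credentials in /etc/fstab!\e[00m\n$fstab" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  # credentials=<file> options: show the file's mode and contents. The original handed
  # the path to `sh -c` through xargs -I{}, so any shell metacharacters in the path
  # would have been interpreted; a read loop passes it as a plain argument instead.
  # Note that the contents (typically a CIFS password) end up in $report.
  fstabcred=$(grep cred /etc/fstab 2>/dev/null | awk '{sub(/.*credentials=/,"");sub(/,.*/,"")}1' 2>/dev/null \
    | while IFS= read -r credfile; do
        [ -n "$credfile" ] || continue
        ls -la "$credfile" 2>/dev/null; cat "$credfile" 2>/dev/null
      done)
  if [ -n "$fstabcred" ]; then
    echo -e "\e[00;33m***/etc/fstab contains a credentials file!\e[00m\n$fstabcred" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  # One export of /etc/fstab covers both findings. The original's two cp lines carried
  # a stray "done" operand, which made cp fail (silently, stderr discarded) every time.
  # $format is the export directory, presumably set earlier in the script (not visible here).
  if [ -n "$export" ] && { [ -n "$fstab" ] || [ -n "$fstabcred" ]; }; then
    mkdir -p "$format/etc-exports/" 2>/dev/null
    cp -- /etc/fstab "$format/etc-exports/fstab" 2>/dev/null
  fi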
  1087.  
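  #use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located
  # '*.conf' is quoted so the shell cannot expand it before find runs, and the keyword
  # follows `--` so a value beginning with '-' is not taken as a grep option. The file
  # list for the export is derived from the grep output (path = text before the first
  # colon, so a path containing ':' would be truncated) rather than by scanning the
  # filesystem a second time as the original did.
  if [ -z "$keyword" ]; then
    echo -e "Can't search *.conf files as no keyword was entered\n" |tee -a $report 2>/dev/null
  else
    confkey=$(find / -maxdepth 4 -name '*.conf' -type f -exec grep -Hn -- "$keyword" {} \; 2>/dev/null)
    if [ -n "$confkey" ]; then
      echo -e "\e[00;31mFind keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
      # $format is the export directory (presumably set earlier in the script, not visible here).
      if [ -n "$export" ]; then
        confkeyfile=$(printf '%s\n' "$confkey" | cut -d: -f1 | sort -u)
        mkdir --parents "$format/keyword_file_matches/config_files/" 2>/dev/null
        printf '%s\n' "$confkeyfile" | while IFS= read -r matchfile; do
          [ -n "$matchfile" ] || continue
          cp --parents -- "$matchfile" "$format/keyword_file_matches/config_files/" 2>/dev/null
        done
      fi
    else
      echo -e "\e[00;31mFind keyword ($keyword) in .conf files (recursive 4 levels):\e[00m" |tee -a $report 2>/dev/null
      echo -e "'$keyword' not found in any .conf files" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
  fi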
  1114.  
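  #use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located
  # No depth limit: this walks the whole filesystem, once. The original ran the full
  # `find /` a second time for the export; the file list is now taken from the grep
  # output (path = text before the first colon). '*.log' is quoted and the keyword
  # follows `--` so it cannot be parsed as a grep option. The "not found" message
  # previously claimed "recursive 2 levels" (there is no depth limit) and its second
  # line was not sent to the report; both are fixed.
  if [ -z "$keyword" ]; then
    echo -e "Can't search *.log files as no keyword was entered\n" |tee -a $report 2>/dev/null
  else
    logkey=$(find / -name '*.log' -type f -exec grep -Hn -- "$keyword" {} \; 2>/dev/null)
    if [ -n "$logkey" ]; then
      echo -e "\e[00;31mFind keyword ($keyword) in .log files (output format filepath:identified line number where keyword appears):\e[00m\n$logkey" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
      # $format is the export directory (presumably set earlier in the script, not visible here).
      if [ -n "$export" ]; then
        logkeyfile=$(printf '%s\n' "$logkey" | cut -d: -f1 | sort -u)
        mkdir --parents "$format/keyword_file_matches/log_files/" 2>/dev/null
        printf '%s\n' "$logkeyfile" | while IFS= read -r matchfile; do
          [ -n "$matchfile" ] || continue
          cp --parents -- "$matchfile" "$format/keyword_file_matches/log_files/" 2>/dev/null
        done
      fi
    else
      echo -e "\e[00;31mFind keyword ($keyword) in .log files:\e[00m" |tee -a $report 2>/dev/null
      echo -e "'$keyword' not found in any .log files" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
  fi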
  1141.  
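  #use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located
  # Same shape as the .conf search. Fixes relative to the original: '*.ini' is quoted,
  # the keyword follows `--`, the "not found" heading said "recursive 2 levels" while
  # the find uses -maxdepth 4, the trailing blank line was not sent to the report, and
  # the export overwrote $inikey with the file list (it now uses $inikeyfile, matching
  # $confkeyfile/$logkeyfile).
  if [ -z "$keyword" ]; then
    echo -e "Can't search *.ini files as no keyword was entered\n" |tee -a $report 2>/dev/null
  else
    inikey=$(find / -maxdepth 4 -name '*.ini' -type f -exec grep -Hn -- "$keyword" {} \; 2>/dev/null)
    if [ -n "$inikey" ]; then
      echo -e "\e[00;31mFind keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
      # $format is the export directory (presumably set earlier in the script, not visible here).
      if [ -n "$export" ]; then
        inikeyfile=$(printf '%s\n' "$inikey" | cut -d: -f1 | sort -u)
        mkdir --parents "$format/keyword_file_matches/ini_files/" 2>/dev/null
        printf '%s\n' "$inikeyfile" | while IFS= read -r matchfile; do
          [ -n "$matchfile" ] || continue
          cp --parents -- "$matchfile" "$format/keyword_file_matches/ini_files/" 2>/dev/null
        done
      fi
    else
      echo -e "\e[00;31mFind keyword ($keyword) in .ini files (recursive 4 levels):\e[00m" |tee -a $report 2>/dev/null
      echo -e "'$keyword' not found in any .ini files" |tee -a $report 2>/dev/null
      echo -e "\n" |tee -a $report 2>/dev/null
    fi
  fi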
  1168.  
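  #quick extract of .conf files from /etc - only 1 level
  # '*.conf' is quoted so the shell cannot expand it first. Paths are collected once,
  # listed with `ls -la` for the report and reused for the export, so the export no
  # longer iterates over the tokens of the listing.
  allconfpaths=$(find /etc/ -maxdepth 1 -name '*.conf' -type f 2>/dev/null)
  allconf=$(printf '%s\n' "$allconfpaths" | while IFS= read -r confpath; do
    [ -n "$confpath" ] || continue
    ls -la "$confpath" 2>/dev/null
  done)
  if [ -n "$allconf" ]; then
    echo -e "\e[00;31mAll *.conf files in /etc (recursive 1 level):\e[00m\n$allconf" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  # $format is the export directory (presumably set earlier in the script, not visible here).
  if [ -n "$export" ] && [ -n "$allconf" ]; then
    mkdir -p "$format/conf-files/" 2>/dev/null
    printf '%s\n' "$allconfpaths" | while IFS= read -r confpath; do
      [ -n "$confpath" ] || continue
      cp --parents -- "$confpath" "$format/conf-files/" 2>/dev/null
    done
  fi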
  1184.  
  1185. #extract any user history files that are accessible
  1186. usrhist=`ls -la ~/.*_history 2>/dev/null`
  1187. if [ "$usrhist" ]; then
  1188. echo -e "\e[00;31mCurrent user's history files:\e[00m\n$usrhist" |tee -a $report 2>/dev/null
  1189. echo -e "\n" |tee -a $report 2>/dev/null
  1190. else
  1191. :
  1192. fi
  1193.  
  1194. if [ "$export" ] && [ "$usrhist" ]; then
  1195. mkdir $format/history_files/ 2>/dev/null
  1196. for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null
  1197. else
  1198. :
  1199. fi
  1200.  
  1201. #can we read roots *_history files - could be passwords stored etc.
  1202. roothist=`ls -la /root/.*_history 2>/dev/null`
  1203. if [ "$roothist" ]; then
  1204. echo -e "\e[00;33m***Root's history files are accessible!\e[00m\n$roothist" |tee -a $report 2>/dev/null
  1205. echo -e "\n" |tee -a $report 2>/dev/null
  1206. else
  1207. :
  1208. fi
  1209.  
  1210. if [ "$export" ] && [ "$roothist" ]; then
  1211. mkdir $format/history_files/ 2>/dev/null
  1212. cp $roothist $format/history_files/ 2>/dev/null
  1213. else
  1214. :
  1215. fi
  1216.  
  1217. #is there any mail accessible
  1218. readmail=`ls -la /var/mail 2>/dev/null`
  1219. if [ "$readmail" ]; then
  1220. echo -e "\e[00;31mAny interesting mail in /var/mail:\e[00m\n$readmail" |tee -a $report 2>/dev/null
  1221. echo -e "\n" |tee -a $report 2>/dev/null
  1222. else
  1223. :
  1224. fi
  1225.  
  1226. #can we read roots mail
  1227. readmailroot=`head /var/mail/root 2>/dev/null`
  1228. if [ "$readmailroot" ]; then
  1229. echo -e "\e[00;33m***We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot" |tee -a $report 2>/dev/null
  1230. echo -e "\n" |tee -a $report 2>/dev/null
  1231. else
  1232. :
  1233. fi
  1234.  
  1235. if [ "$export" ] && [ "$readmailroot" ]; then
  1236. mkdir $format/mail-from-root/ 2>/dev/null
  1237. cp $readmailroot $format/mail-from-root/ 2>/dev/null
  1238. else
  1239. :
  1240. fi
  1241.  
  #specific checks - check to see if we're in a docker container
  # Two signals: a cgroup entry mentioning docker, or a *dockerenv* marker file
  # anywhere on disk (note: this find walks the whole filesystem and is not gated
  # by the thorough switch).
  dockercontainer=$(grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null)
  if [ -n "$dockercontainer" ]; then
    echo -e "\e[00;33mLooks like we're in a Docker container:\e[00m\n$dockercontainer" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  #specific checks - check to see if we're a docker host
  # Version string when the docker CLI is present, plus the container list when the
  # daemon answers (presumably it needs socket access — verify on the target).
  dockerhost=$(docker --version 2>/dev/null; docker ps -a 2>/dev/null)
  if [ -n "$dockerhost" ]; then
    echo -e "\e[00;33mLooks like we're hosting Docker:\e[00m\n$dockerhost" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  #specific checks - are we a member of the docker group
  dockergrp=$(id | grep -i docker 2>/dev/null)
  if [ -n "$dockergrp" ]; then
    echo -e "\e[00;33mWe're a member of the (docker) group - could possibly misuse these rights!:\e[00m\n$dockergrp" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  #specific checks - are there any Dockerfiles present
  dockerfiles=$(find / -name Dockerfile -exec ls -l {} 2>/dev/null \;)
  if [ -n "$dockerfiles" ]; then
    echo -e "\e[00;31mAnything juicy in the Dockerfile?:\e[00m\n$dockerfiles" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi

  #specific checks - are there any docker-compose.yml files present
  dockeryml=$(find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;)
  if [ -n "$dockeryml" ]; then
    echo -e "\e[00;31mAnything juicy in docker-compose.yml?:\e[00m\n$dockeryml" |tee -a $report 2>/dev/null
    echo -e "\n" |tee -a $report 2>/dev/null
  fi
  1286.  
  # Closing banner; same escape sequences as the section headers above.
  printf '\e[00;33m### SCAN COMPLETE ####################################\e[00m\n' |tee -a $report 2>/dev/null

  #EndOfScript