mirror of
https://github.com/carlospolop/PEASS-ng
synced 2025-02-21 10:30:58 +01:00
linpeasv2.2.5
This commit is contained in:
parent
8cdc60dd3d
commit
9a1894f740
linPEAS
@ -183,7 +183,7 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
|
||||
- [x] Password policy
|
||||
|
||||
- **Software Information**
|
||||
- [x] MySQl (Version, user being configured, loging as "root:root","root:toor","root:", user hashes extraction via DB and file, possible backup user configured, credentials in config)
|
||||
- [x] MySQl (Version, user being configured, loging as "root:root","root:toor","root:", user hashes extraction via DB and file, possible backup user configured, credentials in config, cmd exec library)
|
||||
- [x] PostgreSQL (Version, try login in "template0" and "template1" as: "postgres:", "psql:", file DBs, Config)
|
||||
- [x] Apache (Version)
|
||||
- [x] PHP cookies
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
VERSION="v2.2.3"
|
||||
VERSION="v2.2.5"
|
||||
|
||||
###########################################
|
||||
#---------------) Colors (----------------#
|
||||
@ -49,7 +49,7 @@ groupsB="(root)\|(shadow)\|(admin)" #(video) Investigate
|
||||
groupsVB="(sudo)\|(docker)\|(lxd)\|(wheel)\|(disk)\|(lxc)"
|
||||
knw_grps='(lpadmin)\|(adm)\|(cdrom)\|(plugdev)\|(nogroup)' #https://www.togaware.com/linux/survivor/Standard_Groups.html
|
||||
|
||||
sidG="/abuild-sudo$\|/accton$\|/allocate$\|/arping$\|/at$\|/atq$\|/atrm$\|/authpf$\|/authpf-noip$\|/batch$\|/bbsuid$\|/bsd-write$\|/btsockstat$\|/bwrap$\|/cacaocsc$\|/camel-lock-helper-1.2$\|/ccreds_validate$\|/cdrw$\|/chage$\|/check-foreground-console$\|/chrome-sandbox$\|/chsh$\|/cons.saver$\|/crontab$\|/ct$\|/cu$\|/dbus-daemon-launch-helper$\|/deallocate$\|/desktop-create-kmenu$\|/dma$\|/dmcrypt-get-device$\|/doas$\|/dotlockfile$\|/dotlock.mailutils$\|/dtaction$\|/dtfile$\|/dtsession$\|/eject$\|/execabrt-action-install-debuginfo-to-abrt-cache$\|/execdbus-daemon-launch-helper$\|/execdma-mbox-create$\|/execlockspool$\|/execlogin_chpass$\|/execlogin_lchpass$\|/execlogin_passwd$\|/execssh-keysign$\|/execulog-helper$\|/expiry$\|/fdformat$\|/fusermount$\|/gnome-pty-helper$\|/glines$\|/gnibbles$\|/gnobots2$\|/gnome-suspend$\|/gnometris$\|/gnomine$\|/gnotski$\|/gnotravex$\|/gpasswd$\|/gpg$\|/gpio$\|/gtali\|/.hal-mtab-lock$\|/imapd$\|/inndstart$\|/kismet_capture$\|/ksu$\|/list_devices$\|/locate$\|/lock$\|/lockdev$\|/lockfile$\|/login_activ$\|/login_crypto$\|/login_radius$\|/login_skey$\|/login_snk$\|/login_token$\|/login_yubikey$\|/lpd$\|/lpd-port$\|/lppasswd$\|/lpq$\|/lprm$\|/lpset$\|/lxc-user-nic$\|/mahjongg$\|/mail-lock$\|/mailq$\|/mail-touchlock$\|/mail-unlock$\|/mksnap_ffs$\|/mlocate$\|/mlock$\|/mount.cifs$\|/mount.nfs$\|/mount.nfs4$\|/mtr$\|/mutt_dotlock$\|/ncsa_auth$\|/netpr$\|/netreport$\|/netstat$\|/newgidmap$\|/newtask$\|/newuidmap$\|/opieinfo$\|/opiepasswd$\|/pam_auth$\|/pam_extrausers_chkpwd$\|/pam_timestamp_check$\|/pamverifier$\|/pfexec$\|/ping$\|/ping6$\|/pmconfig$\|/polkit-agent-helper-1$\|/polkit-explicit-grant-helper$\|/polkit-grant-helper$\|/polkit-grant-helper-pam$\|/polkit-read-auth-helper$\|/polkit-resolve-exe-helper$\|/polkit-revoke-helper$\|/polkit-set-default-helper$\|/postdrop$\|/postqueue$\|/poweroff$\|/ppp$\|/procmail$\|/pt_chmod$\|/pwdb_chkpwd$\|/quota$\|/remote.unknown$\|/rlogin$\|/rmformat$\|/rnews$\|/run-mailcap$\|/sacadm$\|/same-gnome$\|screen.real$\|/sendmail.sendmail$\|/shutdown$\|/skeyaudit$\|/skeyinfo$\|/skeyinit$\|/slocate$\|/smbmnt$\|/smbumount$\|/smpatch$\|/smtpctl$\|/snap-confine$\|/sperl5.8.8$\|/ssh-agent$\|/ssh-keysign$\|/staprun$\|/startinnfeed$\|/stclient$\|/su$\|/suexec$\|/sys-suspend$\|/telnetlogin$\|/timedc$\|/tip$\|/traceroute6$\|/traceroute6.iputils$\|/trpt$\|/tsoldtlabel$\|/tsoljdslabel$\|/tsolxagent$\|/ufsdump$\|/ufsrestore$\|/umount.cifs$\|/umount.nfs$\|/umount.nfs4$\|/unix_chkpwd$\|/uptime$\|/userhelper$\|/userisdnctl$\|/usernetctl$\|/utempter$\|/utmp_update$\|/uucico$\|/uuglist$\|/uuidd$\|/uuname$\|/uusched$\|/uustat$\|/uux$\|/uuxqt$\|/vmware-user-suid-wrapper$\|/vncserver-x11$\|/volrmmount$\|/w$\|/wall$\|/whodo$\|/write$\|/X$\|/Xorg.wrap$\|/xscreensaver$\|/Xsun$\|/Xvnc$"
|
||||
sidG="/abuild-sudo$\|/accton$\|/allocate$\|/arping$\|/at$\|/atq$\|/atrm$\|/authpf$\|/authpf-noip$\|/batch$\|/bbsuid$\|/bsd-write$\|/btsockstat$\|/bwrap$\|/cacaocsc$\|/camel-lock-helper-1.2$\|/ccreds_validate$\|/cdrw$\|/chage$\|/check-foreground-console$\|/chrome-sandbox$\|/chsh$\|/cons.saver$\|/crontab$\|/ct$\|/cu$\|/dbus-daemon-launch-helper$\|/deallocate$\|/desktop-create-kmenu$\|/dma$\|/dmcrypt-get-device$\|/doas$\|/dotlockfile$\|/dotlock.mailutils$\|/dtaction$\|/dtfile$\|/dtsession$\|/eject$\|/execabrt-action-install-debuginfo-to-abrt-cache$\|/execdbus-daemon-launch-helper$\|/execdma-mbox-create$\|/execlockspool$\|/execlogin_chpass$\|/execlogin_lchpass$\|/execlogin_passwd$\|/execssh-keysign$\|/execulog-helper$\|/expiry$\|/fdformat$\|/fusermount$\|/gnome-pty-helper$\|/glines$\|/gnibbles$\|/gnobots2$\|/gnome-suspend$\|/gnometris$\|/gnomine$\|/gnotski$\|/gnotravex$\|/gpasswd$\|/gpg$\|/gpio$\|/gtali\|/.hal-mtab-lock$\|/imapd$\|/inndstart$\|/kismet_capture$\|/kismet_cap_linux_bluetooth$\|/kismet_cap_linux_wifi$\|/kismet_cap_nrf_mousejack$\|/ksu$\|/list_devices$\|/locate$\|/lock$\|/lockdev$\|/lockfile$\|/login_activ$\|/login_crypto$\|/login_radius$\|/login_skey$\|/login_snk$\|/login_token$\|/login_yubikey$\|/lpd$\|/lpd-port$\|/lppasswd$\|/lpq$\|/lprm$\|/lpset$\|/lxc-user-nic$\|/mahjongg$\|/mail-lock$\|/mailq$\|/mail-touchlock$\|/mail-unlock$\|/mksnap_ffs$\|/mlocate$\|/mlock$\|/mount.cifs$\|/mount.nfs$\|/mount.nfs4$\|/mtr$\|/mutt_dotlock$\|/ncsa_auth$\|/netpr$\|/netreport$\|/netstat$\|/newgidmap$\|/newtask$\|/newuidmap$\|/opieinfo$\|/opiepasswd$\|/pam_auth$\|/pam_extrausers_chkpwd$\|/pam_timestamp_check$\|/pamverifier$\|/pfexec$\|/ping$\|/ping6$\|/pmconfig$\|/polkit-agent-helper-1$\|/polkit-explicit-grant-helper$\|/polkit-grant-helper$\|/polkit-grant-helper-pam$\|/polkit-read-auth-helper$\|/polkit-resolve-exe-helper$\|/polkit-revoke-helper$\|/polkit-set-default-helper$\|/postdrop$\|/postqueue$\|/poweroff$\|/ppp$\|/procmail$\|/pt_chmod$\|/pwdb_chkpwd$\|/quota$\|/remote.unknown$\|/rlogin$\|/rmformat$\|/rnews$\|/run-mailcap$\|/sacadm$\|/same-gnome$\|screen.real$\|/sendmail.sendmail$\|/shutdown$\|/skeyaudit$\|/skeyinfo$\|/skeyinit$\|/slocate$\|/smbmnt$\|/smbumount$\|/smpatch$\|/smtpctl$\|/snap-confine$\|/sperl5.8.8$\|/ssh-agent$\|/ssh-keysign$\|/staprun$\|/startinnfeed$\|/stclient$\|/su$\|/suexec$\|/sys-suspend$\|/telnetlogin$\|/timedc$\|/tip$\|/traceroute6$\|/traceroute6.iputils$\|/trpt$\|/tsoldtlabel$\|/tsoljdslabel$\|/tsolxagent$\|/ufsdump$\|/ufsrestore$\|/umount.cifs$\|/umount.nfs$\|/umount.nfs4$\|/unix_chkpwd$\|/uptime$\|/userhelper$\|/userisdnctl$\|/usernetctl$\|/utempter$\|/utmp_update$\|/uucico$\|/uuglist$\|/uuidd$\|/uuname$\|/uusched$\|/uustat$\|/uux$\|/uuxqt$\|/vmware-user-suid-wrapper$\|/vncserver-x11$\|/volrmmount$\|/w$\|/wall$\|/whodo$\|/write$\|/X$\|/Xorg.wrap$\|/xscreensaver$\|/Xsun$\|/Xvnc$"
|
||||
#Rules: Start path " /", end path "$", divide path and vulnversion "%". SPACE IS ONLY ALLOWED AT BEGINNING, DONT USE IT IN VULN DESCRIPTION
|
||||
sidB="/apache2%Read_root_passwd__apache2_-f_/etc/shadow\
|
||||
/chfn$%SuSE_9.3/10\
|
||||
@ -225,13 +225,13 @@ HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
|
||||
$Y-h$B To show this message
|
||||
$Y-q$B Do not show banner
|
||||
$Y-a$B All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly
|
||||
$Y-s$B SuperFast (don't check 1min of processes, su brute and other time consuming checks) - Stealth mode
|
||||
$Y-s$B SuperFast (don't check some time consuming checks) - Stealth mode
|
||||
$Y-n$B Do not export env variables related with history
|
||||
$Y-o$B Only execute selected checks (SysI, Devs, AvaSof, ProCronSrvcs, Net, UsrI, SofI, IntFiles). Select a comma separated list.
|
||||
$Y-d <IP/NETMASK>$B Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24
|
||||
$Y-p <PORT(s)> -d <IP/NETMASK>$B Discover hosts looking for TCP open ports (via nc). By default ports 80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
|
||||
$Y-p <PORT(s)> -d <IP/NETMASK>$B Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
|
||||
$Y-i <IP> [-p <PORT(s)>]$B Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
|
||||
$GREEN Notice$B that if you select some network action, any PE check will be performed\n\n"
|
||||
$GREEN Notice$B that if you select some network action, no PE check will be performed\n\n"
|
||||
|
||||
while getopts "h?asd:p:i:qo:" opt; do
|
||||
case "$opt" in
|
||||
@ -927,7 +927,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
fi
|
||||
|
||||
#-- 5SI) Mysql credentials
|
||||
printf $Y"[+] "$GREEN"Looking for mysql credentials\n"$NC
|
||||
printf $Y"[+] "$GREEN"Looking for mysql credentials and exec\n"$NC
|
||||
mysqldirs=`find /etc /usr/var/lib /var/lib -type d -name mysql -not -path "*mysql/mysql" 2>/dev/null`
|
||||
if [ "$mysqldirs" ]; then
|
||||
for d in $mysqldirs; do
|
||||
@ -959,6 +959,12 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
cat "$f" | grep -v "^#" | grep -v "^$" | sed "s,password.*,${C}[1;31m&${C}[0m,"
|
||||
fi
|
||||
done
|
||||
mysqlexec=`whereis lib_mysqludf_sys.so 2>/dev/null | grep "lib_mysqludf_sys\.so"`
|
||||
if [ "$mysqlexec" ]; then
|
||||
echo "Found $mysqlexec"
|
||||
echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed "s,.*,${C}[1;31m&${C}[0m,"
|
||||
fi
|
||||
done
|
||||
done
|
||||
else echo_not_found
|
||||
fi
|
||||
@ -968,14 +974,14 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
printf $Y"[+] "$GREEN"PostgreSQL version and pgadmin credentials\n"$NC
|
||||
postgver=`psql -V 2>/dev/null`
|
||||
postgdb=`find /var /etc /home /root /tmp /usr /opt -type f -name "pgadmin*.db" 2>/dev/null`
|
||||
postgconfs=`find /var /etc /home /root /tmp /usr /opt -type f -name "pg_hba.conf" 2>/dev/null`
|
||||
postgconfs=`find /var /etc /home /root /tmp /usr /opt -type f \( -name "pg_hba.conf" -o -name "postgresql.conf" -o -name pgsql.conf \) 2>/dev/null`
|
||||
if [ "$postgver" ] || [ "$postgdb" ] || [ "$postgconfs" ]; then
|
||||
if [ "$postgver" ]; then echo "Version: $postgver"; fi
|
||||
if [ "$postgdb" ]; then echo "PostgreSQL database: $postgdb" | sed "s,.*,${C}[1;31m&${C}[0m,"; fi
|
||||
for f in $postgconfs; do
|
||||
if [ -r $f ]; then
|
||||
echo "Found readable $f"
|
||||
cat "$f" | grep -v "^#" | grep -v "^$" | sed "s,auth\|password\|md5,${C}[1;31m&${C}[0m," 2>/dev/null
|
||||
cat "$f" | grep -v "^#" | grep -v "^$" | sed "s,auth\|password\|md5\|user=\|pass=,${C}[1;31m&${C}[0m," 2>/dev/null
|
||||
fi
|
||||
done
|
||||
else echo_not_found
|
||||
@ -1086,14 +1092,20 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
|
||||
echo ""
|
||||
|
||||
#-- 15SI) Rsyncd conf file
|
||||
rsyncd=`find /var /etc /home /root /tmp /usr /opt -name rsyncd.conf 2>/dev/null`
|
||||
rsyncd=`find /var /etc /home /root /tmp /usr /opt \( -name rsyncd.conf -o -name rsyncd.secrets \) 2>/dev/null`
|
||||
printf $Y"[+] "$GREEN"Looking for Rsyncd config file\n"$NC
|
||||
if [ "$rsyncd" ]; then
|
||||
printf "$rsyncd\n"
|
||||
for f in $rsyncd; do cat "$f" 2>/dev/null | grep -v "^#" | grep "uid.*=|\gid.*=\|path.*=\|auth.*users.*=\|secrets.*file.*=\|hosts.*allow.*=\|hosts.*deny.*=" | sed "s,secrets.*,${C}[1;31m&${C}[0m,"; done
|
||||
for f in $rsyncd; do
|
||||
printf "$f\n"
|
||||
if [ `echo "$f" | grep -i "secrets"` ]; then
|
||||
cat "$f" 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"
|
||||
else
|
||||
cat "$f" 2>/dev/null | grep -v "^#" | grep -v "^$" | sed "s,secrets.*\|auth.*users.*=,${C}[1;31m&${C}[0m,"
|
||||
fi
|
||||
echo ""
|
||||
done
|
||||
else echo_not_found "rsyncd.conf"
|
||||
fi
|
||||
echo ""
|
||||
|
||||
##-- 16SI) Hostapd conf file
|
||||
printf $Y"[+] "$GREEN"Looking for Hostapd config file\n"$NC
|
||||
@ -1461,7 +1473,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
##-- 11IF) Readable files belonging to root and not world readable
|
||||
if ! [ "$IAMROOT" ]; then
|
||||
printf $Y"[+] "$GREEN"Readable files belonging to root and readable by me but not world readable\n"$NC
|
||||
(for f in `find / -type f -user root ! -perm -o=r 2>/dev/null`; do if [ -r $f ]; then ls -l $f 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"; fi; done) || echo_not_found
|
||||
(for f in `find / -type f -user root ! -perm -o=r 2>/dev/null | grep -v "\.journal"`; do if [ -r $f ]; then ls -l $f 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m,"; fi; done) || echo_not_found
|
||||
echo ""
|
||||
fi
|
||||
|
||||
@ -1493,7 +1505,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
|
||||
##-- 17IF) DB files
|
||||
printf $Y"[+] "$GREEN"Looking for tables inside readable .db/.sqlite files (limit 100)\n"$NC
|
||||
dbfiles=`find /var /etc /home /root /tmp /usr /opt -type f \( -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" \) 2>/dev/null | grep -v "/man/\|^/usr/" | head -n 100`
|
||||
dbfiles=`find /var /etc /home /root /tmp /opt -type f \( -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" \) 2>/dev/null | grep -v "/man/\|^/usr/\|^/var/cache/" | head -n 100`
|
||||
if [ "$dbfiles" ]; then
|
||||
SQLITEPYTHON=""
|
||||
for f in $dbfiles; do
|
||||
@ -1520,10 +1532,10 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
|
||||
columns=`$SQLITEPYTHON -c "print(__import__('sqlite3').connect('$f').cursor().execute('SELECT sql FROM sqlite_master WHERE type!=\'meta\' AND sql NOT NULL AND name =\'$t\';').fetchall()[0][0])" 2>/dev/null`
|
||||
fi
|
||||
#Check found columns for interesting fields
|
||||
INTCOLUMN=`echo "$columns" | grep -i "username\|passw\|credential\|email"`
|
||||
INTCOLUMN=`echo "$columns" | grep -i "username\|passw\|credential\|email\|hash\|salt"`
|
||||
if [ "$INTCOLUMN" ]; then
|
||||
printf $B" --> Found for interesting column names in$NC $t $DG(output limit 10)\n"$NC | sed "s,user.*\|credential.*,${C}[1;31m&${C}[0m,g"
|
||||
printf "$columns\n" | sed "s,username\|passw\|credential\|email\|$t,${C}[1;31m&${C}[0m,g"
|
||||
printf "$columns\n" | sed "s,username\|passw\|credential\|email\|hash\|salt\|$t,${C}[1;31m&${C}[0m,g"
|
||||
(sqlite3 $f "select * from $t" || $SQLITEPYTHON -c "print(', '.join([str(x) for x in __import__('sqlite3').connect('$f').cursor().execute('SELECT * FROM \'$t\';').fetchall()[0]]))") 2>/dev/null | head
|
||||
fi
|
||||
done
|
||||
|
Loading…
x
Reference in New Issue
Block a user