mirror of
https://github.com/carlospolop/PEASS-ng
synced 2025-03-28 18:33:05 +01:00
linpev1.1.4
This commit is contained in:
carlospolop
parent
f9cfdd2004
commit
b7dc96a116
@ -20,6 +20,8 @@ The script **automatically finds a writable directory** and writes the output of
|
||||
|
||||
|
||||
|
||||
Linpe also **exports a new PATH** variable if common folders aren't present in the original PATH variable. It also **exports** `export HISTSIZE=0` so no command executed during the session will be saved in the history file.
|
||||
|
||||
## Colors
|
||||
|
||||
LinPE uses colors to indicate where does each section begin. But **it also uses them the identify potencial misconfigurations**.
|
||||
@ -124,12 +126,15 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
|
||||
- [x] VNC (Credentials)
|
||||
- [x] LDAP database (Credentials)
|
||||
- [x] Open VPN files (Credentials)
|
||||
- [x] SSH (private keys, known_hosts, authorized_hosts, authorized_keys, root login permitted)
|
||||
- [x] SSH (private keys, known_hosts, authorized_hosts, authorized_keys, main config parameters in sshd_config)
|
||||
- [X] PAM-SSH (Unexpected "auth" values)
|
||||
- [x] AWS (Files with AWS keys)
|
||||
- [x] NFS (privilege escalation misconfiguration)
|
||||
- [x] Kerberos (configuration & tickets in /tmp)
|
||||
- [x] Kibana (credentials)
|
||||
- [x] Logstash (Username and possible code execution)
|
||||
- [x] Elasticseach (Config info and Version via port 9200)
|
||||
- [x] Vault-ssh (Config values, secrets list and .vault-token files)
|
||||
|
||||
|
||||
- **Generic Interesting Files**
|
||||
|
||||
79
linpe.sh
79
linpe.sh
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
VERSION="v1.1.3"
|
||||
VERSION="v1.1.4"
|
||||
|
||||
C=$(printf '\033')
|
||||
RED="${C}[1;31m"
|
||||
@ -31,11 +31,11 @@ mountpermsG="nosuid\|nouser\|noexec"
|
||||
|
||||
rootcommon="/init$\|upstart-udev-bridge\|udev\|/getty\|cron\|apache2\|/vmtoolsd\|/VGAuthService"
|
||||
|
||||
groupsB="(root)\|(shadow)\|(admin)\|(video)"
|
||||
groupsB="(root)\|(shadow)\|(admin)" #(video) Investigate
|
||||
groupsVB="(sudo)\|(docker)\|(lxd)\|(wheel)\|(disk)"
|
||||
knw_grps='(lpadmin)\|(adm)\|(cdrom)\|(plugdev)\|(nogroup)' #https://www.togaware.com/linux/survivor/Standard_Groups.html
|
||||
|
||||
sidG="/accton$\|/allocate$\|/arping$\|/at$\|/atq$\|/atrm$\|/authpf$\|/authpf-noip$\|/batch$\|/bsd-write$\|/btsockstat$\|/bwrap$\|/cacaocsc$\|/camel-lock-helper-1.2$\|/ccreds_validate$\|/cdrw$\|/chage$\|/check-foreground-console$\|/chrome-sandbox$\|/chsh$\|/cons.saver$\|/crontab$\|/ct$\|/cu$\|/dbus-daemon-launch-helper$\|/deallocate$\|/desktop-create-kmenu$\|/dma$\|/dmcrypt-get-device$\|/doas$\|/dotlockfile$\|/dotlock.mailutils$\|/dtaction$\|/dtfile$\|/dtsession$\|/eject$\|/execabrt-action-install-debuginfo-to-abrt-cache$\|/execdbus-daemon-launch-helper$\|/execdma-mbox-create$\|/execlockspool$\|/execlogin_chpass$\|/execlogin_lchpass$\|/execlogin_passwd$\|/execssh-keysign$\|/execulog-helper$\|/expiry$\|/fdformat$\|/fusermount$\|/gnome-pty-helper$\|/glines$\|/gnibbles$\|/gnobots2$\|/gnome-suspend$\|/gnometris$\|/gnomine$\|/gnotski$\|/gnotravex$\|/gpasswd$\|/gpg$\|/gpio$\|/gtali\|/.hal-mtab-lock$\|/imapd$\|/inndstart$\|/kismet_capture$\|/ksu$\|/list_devices$\|/locate$\|/lock$\|/lockdev$\|/lockfile$\|/login_activ$\|/login_crypto$\|/login_radius$\|/login_skey$\|/login_snk$\|/login_token$\|/login_yubikey$\|/lpd$\|/lpd-port$\|/lppasswd$\|/lpq$\|/lprm$\|/lpset$\|/lxc-user-nic$\|/mahjongg$\|/mail-lock$\|/mailq$\|/mail-touchlock$\|/mail-unlock$\|/mksnap_ffs$\|/mlocate$\|/mlock$\|/mount.cifs$\|/mount.nfs$\|/mount.nfs4$\|/mtr$\|/mutt_dotlock$\|/ncsa_auth$\|/netpr$\|/netreport$\|/netstat$\|/newgidmap$\|/newtask$\|/newuidmap$\|/opieinfo$\|/opiepasswd$\|/pam_auth$\|/pam_extrausers_chkpwd$\|/pam_timestamp_check$\|/pamverifier$\|/pfexec$\|/ping$\|/ping6$\|/pmconfig$\|/polkit-agent-helper-1$\|/polkit-explicit-grant-helper$\|/polkit-grant-helper$\|/polkit-grant-helper-pam$\|/polkit-read-auth-helper$\|/polkit-resolve-exe-helper$\|/polkit-revoke-helper$\|/polkit-set-default-helper$\|/postdrop$\|/postqueue$\|/poweroff$\|/ppp$\|/procmail$\|/pt_chmod$\|/pwdb_chkpwd$\|/quota$\|/remote.unknown$\|/rlogin$\|/rmformat$\|/rnews$\|/sacadm$\|/same-gnome$\|screen.real$\|/sendmail.sendmail$\|/shutdown$\|/skeyaudit$\|/skeyinfo$\|/skeyinit$\|/slocate$\|/smbmnt$\|/smbumount$\|/smpatch$\|/smtpctl$\|/snap-confine$\|/sperl5.8.8$\|/ssh-agent$\|/ssh-keysign$\|/staprun$\|/startinnfeed$\|/stclient$\|/su$\|/suexec$\|/sys-suspend$\|/timedc$\|/tip$\|/traceroute6$\|/traceroute6.iputils$\|/trpt$\|/tsoldtlabel$\|/tsoljdslabel$\|/tsolxagent$\|/ufsdump$\|/ufsrestore$\|/umount.cifs$\|/umount.nfs$\|/umount.nfs4$\|/unix_chkpwd$\|/uptime$\|/userhelper$\|/userisdnctl$\|/usernetctl$\|/utempter$\|/utmp_update$\|/uucico$\|/uuglist$\|/uuidd$\|/uuname$\|/uusched$\|/uustat$\|/uux$\|/uuxqt$\|/vmware-user-suid-wrapper$\|/vncserver-x11$\|/volrmmount$\|/w$\|/wall$\|/whodo$\|/write$\|/X$\|/Xorg.wrap$\|/xscreensaver$\|/Xsun$\|/Xvnc$"
|
||||
sidG="/accton$\|/allocate$\|/arping$\|/at$\|/atq$\|/atrm$\|/authpf$\|/authpf-noip$\|/batch$\|/bsd-write$\|/btsockstat$\|/bwrap$\|/cacaocsc$\|/camel-lock-helper-1.2$\|/ccreds_validate$\|/cdrw$\|/chage$\|/check-foreground-console$\|/chrome-sandbox$\|/chsh$\|/cons.saver$\|/crontab$\|/ct$\|/cu$\|/dbus-daemon-launch-helper$\|/deallocate$\|/desktop-create-kmenu$\|/dma$\|/dmcrypt-get-device$\|/doas$\|/dotlockfile$\|/dotlock.mailutils$\|/dtaction$\|/dtfile$\|/dtsession$\|/eject$\|/execabrt-action-install-debuginfo-to-abrt-cache$\|/execdbus-daemon-launch-helper$\|/execdma-mbox-create$\|/execlockspool$\|/execlogin_chpass$\|/execlogin_lchpass$\|/execlogin_passwd$\|/execssh-keysign$\|/execulog-helper$\|/expiry$\|/fdformat$\|/fusermount$\|/gnome-pty-helper$\|/glines$\|/gnibbles$\|/gnobots2$\|/gnome-suspend$\|/gnometris$\|/gnomine$\|/gnotski$\|/gnotravex$\|/gpasswd$\|/gpg$\|/gpio$\|/gtali\|/.hal-mtab-lock$\|/imapd$\|/inndstart$\|/kismet_capture$\|/ksu$\|/list_devices$\|/locate$\|/lock$\|/lockdev$\|/lockfile$\|/login_activ$\|/login_crypto$\|/login_radius$\|/login_skey$\|/login_snk$\|/login_token$\|/login_yubikey$\|/lpd$\|/lpd-port$\|/lppasswd$\|/lpq$\|/lprm$\|/lpset$\|/lxc-user-nic$\|/mahjongg$\|/mail-lock$\|/mailq$\|/mail-touchlock$\|/mail-unlock$\|/mksnap_ffs$\|/mlocate$\|/mlock$\|/mount.cifs$\|/mount.nfs$\|/mount.nfs4$\|/mtr$\|/mutt_dotlock$\|/ncsa_auth$\|/netpr$\|/netreport$\|/netstat$\|/newgidmap$\|/newtask$\|/newuidmap$\|/opieinfo$\|/opiepasswd$\|/pam_auth$\|/pam_extrausers_chkpwd$\|/pam_timestamp_check$\|/pamverifier$\|/pfexec$\|/ping$\|/ping6$\|/pmconfig$\|/polkit-agent-helper-1$\|/polkit-explicit-grant-helper$\|/polkit-grant-helper$\|/polkit-grant-helper-pam$\|/polkit-read-auth-helper$\|/polkit-resolve-exe-helper$\|/polkit-revoke-helper$\|/polkit-set-default-helper$\|/postdrop$\|/postqueue$\|/poweroff$\|/ppp$\|/procmail$\|/pt_chmod$\|/pwdb_chkpwd$\|/quota$\|/remote.unknown$\|/rlogin$\|/rmformat$\|/rnews$\|/sacadm$\|/same-gnome$\|screen.real$\|/sendmail.sendmail$\|/shutdown$\|/skeyaudit$\|/skeyinfo$\|/skeyinit$\|/slocate$\|/smbmnt$\|/smbumount$\|/smpatch$\|/smtpctl$\|/snap-confine$\|/sperl5.8.8$\|/ssh-agent$\|/ssh-keysign$\|/staprun$\|/startinnfeed$\|/stclient$\|/su$\|/suexec$\|/sys-suspend$\|/telnetlogin$\|/timedc$\|/tip$\|/traceroute6$\|/traceroute6.iputils$\|/trpt$\|/tsoldtlabel$\|/tsoljdslabel$\|/tsolxagent$\|/ufsdump$\|/ufsrestore$\|/umount.cifs$\|/umount.nfs$\|/umount.nfs4$\|/unix_chkpwd$\|/uptime$\|/userhelper$\|/userisdnctl$\|/usernetctl$\|/utempter$\|/utmp_update$\|/uucico$\|/uuglist$\|/uuidd$\|/uuname$\|/uusched$\|/uustat$\|/uux$\|/uuxqt$\|/vmware-user-suid-wrapper$\|/vncserver-x11$\|/volrmmount$\|/w$\|/wall$\|/whodo$\|/write$\|/X$\|/Xorg.wrap$\|/xscreensaver$\|/Xsun$\|/Xvnc$"
|
||||
#Rules: Start path " /", end path "$", divide path and vulnversion "%". SPACE IS ONLY ALLOWED AT BEGINNING, DONT USE IT IN VULN DESCRIPTION
|
||||
sidB="/apache2%Read_root_passwd__apache2_-f_/etc/shadow\
|
||||
/chfn$%SuSE_9.3/10\
|
||||
@ -97,7 +97,7 @@ ADDPATH=":/usr/local/sbin\
|
||||
:/bin"
|
||||
spath=":$PATH"
|
||||
for P in $ADDPATH; do
|
||||
if [ ! -z "${spath##*$P*}" ]; then export PATH="$PATH$P"; fi
|
||||
if [ ! -z "${spath##*$P*}" ]; then export PATH="$PATH$P" 2>/dev/null; fi
|
||||
done
|
||||
writeB="\.sh$\|\./\|/etc/\|/sys/\|/lib/systemd\|/lib\|/root\|/home/\|/var/log/\|/mnt/\|/usr/local/sbin\|/usr/sbin\|/sbin/\|/usr/local/bin\|/usr/bin\|/bin\|/usr/local/games\|/usr/games\|/usr/lib\|/etc/rc.d/\|"
|
||||
writeVB="/etc/init\|/etc/sys\|/etc/shadow\|/etc/passwd\|/etc/cron\|"`echo $PATH 2>/dev/null| sed 's/:/\\\|/g'`
|
||||
@ -199,6 +199,7 @@ fi
|
||||
printf $Y"[+] "$GREEN"Environment\n"$NC >> $file
|
||||
printf $B"[i] "$Y"Any private information inside environment variables?\n"$NC >> $file
|
||||
(env || set) 2>/dev/null | grep -v "^VERSION=\|pwd_inside_history\|kernelDCW_Ubuntu_Precise_1\|kernelDCW_Ubuntu_Precise_2\|kernelDCW_Ubuntu_Trusty_1\|kernelDCW_Ubuntu_Trusty_2\|kernelDCW_Ubuntu_Xenial\|kernelDCW_Rhel5\|kernelDCW_Rhel6_1\|kernelDCW_Rhel6_2\|kernelDCW_Rhel7\|^sudovB=\|^rootcommon=\|^mounted=\|^mountG=\|^notmounted=\|^mountpermsB=\|^mountpermsG=\|^kernelB=\|^C=\|^RED=\|^GREEN=\|^Y=\|^B=\|^NC=\|TIMEOUT=\|groupsB=\|groupsVB=\|knw_grps=\|sidG=\|sidB=\|sidVB=\|sudoB=\|sudoVB=\|sudocapsB=\|capsB=\|\notExtensions=\|Wfolders=\|writeB=\|writeVB=\|_usrs=\|compiler=\|PWD=\|LS_COLORS=\|pathshG=\|notBackup=" | sed "s,pwd\|passw,${C}[1;31m&${C}[0m,Ig" >> $file
|
||||
export HISTSIZE=0 2>/dev/null
|
||||
echo "" >> $file
|
||||
|
||||
printf $Y"[+] "$GREEN"Cleaned proccesses\n"$NC >> $file
|
||||
@ -560,7 +561,7 @@ if [ -d "/var/lib/ldap" ]; then
|
||||
fi
|
||||
|
||||
#ovpn
|
||||
ovpn=`find /etc /user /home /root -name .ovpn 2>/dev/null`
|
||||
ovpn=`find /etc /usr /home /root -name .ovpn 2>/dev/null`
|
||||
if [ "$ovpn" ]; then
|
||||
printf $Y"[+] "$GREEN".ovpn files found, searching for auth-user-pass files\n"$NC >> $file
|
||||
echo $ovpn
|
||||
@ -568,8 +569,7 @@ if [ "$ovpn" ]; then
|
||||
fi
|
||||
|
||||
#SSH
|
||||
ssh=`find /home /user /root /etc /opt /var /mnt \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null`
|
||||
sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'`
|
||||
ssh=`find /home /usr /root /etc /opt /var /mnt \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null`
|
||||
privatekeyfiles=`grep -rl "PRIVATE KEY-----" /home /root /mnt /etc 2>/dev/null`
|
||||
if [ "$ssh" ] || [ "$sshrootlogin" ] || [ "$privatekeyfiles" ]; then
|
||||
printf $Y"[+] "$GREEN"SSH Files\n"$NC >> $file
|
||||
@ -579,11 +579,10 @@ if [ "$ssh" ]; then
|
||||
echo $ssh >> $file
|
||||
fi
|
||||
|
||||
if [ "$sshrootlogin" = "yes" ]; then
|
||||
echo "SSH root login is PERMITTED"| sed "s,.*,${C}[1;31m&${C}[0m," >> $file
|
||||
fi
|
||||
grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed "s,PermitRootLogin.*es\|PermitEmptyPasswords.*es\|ChallengeResponseAuthentication.*es,${C}[1;31m&${C}[0m," >> $file
|
||||
|
||||
if [ "$privatekeyfiles" ]; then
|
||||
privatekeyfilesgrep=`grep -L "\"\|'\|(" $privatekeyfiles` # Check there are not that symbols in the file
|
||||
privatekeyfilesgrep=`grep -L "\"\|'\|(" $privatekeyfiles` # Check there aren't unexpected symbols in the file
|
||||
fi
|
||||
if [ "$privatekeyfilesgrep" ]; then
|
||||
printf "Private SSH keys found!:\n$privatekeyfilesgrep" | sed "s,.*,${C}[1;31m&${C}[0m," >> $file
|
||||
@ -593,6 +592,14 @@ if [ "$ssh" ] || [ "$sshrootlogin" ] || [ "$privatekeyfiles" ]; then
|
||||
echo "" >> $file
|
||||
fi
|
||||
|
||||
#PAM-SHH
|
||||
pamssh=`cat /etc/pam.d/sshd 2>/dev/null | grep -v "^#\|^@" | grep -i auth`
|
||||
if [ "$pamssh" ]; then
|
||||
printf $Y"[+] "$GREEN"Unexpected auth lines in /etc/pam.d/sshd were detected\n"$NC >> $file
|
||||
cat /etc/pam.d/sshd 2>/dev/null | grep -v "^#\|^@" | grep -i auth | sed "s,.*,${C}[1;31m&${C}[0m," >> $file
|
||||
echo "" >> $file
|
||||
fi
|
||||
|
||||
#AWS
|
||||
awskeyfiles=`grep -rli "aws_secret_access_key" /home /root /mnt /etc 2>/dev/null | grep -v $(basename "$0")`
|
||||
if [ "$awskeyfiles" ]; then
|
||||
@ -627,21 +634,49 @@ if [ "$krbtickets" ]; then
|
||||
fi
|
||||
|
||||
#Kibana
|
||||
if [ -f "/etc/kibana/kibana.yml" ]; then
|
||||
printf $Y"[+] "$GREEN"Found Kibana: /etc/kibana/kibana.yml\n"$NC >> $file
|
||||
cat /etc/kibana/kibana.yml | grep -v "^#" | grep -v -e '^[[:space:]]*$' | sed "s,username\|password\|host\|port\|elasticsearch\|ssl,${C}[1;31m&${C}[0m," >> $file
|
||||
kibana=`find /etc /usr /home /root -name "kibana.y*ml" 2>/dev/null`
|
||||
if [ "$kibana" ]; then
|
||||
printf $Y"[+] "$GREEN"Found Kibana\n"$NC >> $file
|
||||
echo $kibana >> $file
|
||||
for f in $kibana; do cat $f 2>/dev/null || grep -v "^#" | grep -v -e '^[[:space:]]*$' | sed "s,username\|password\|host\|port\|elasticsearch\|ssl,${C}[1;31m&${C}[0m," >> $file; done
|
||||
echo "" >> $file
|
||||
fi
|
||||
|
||||
#Logstash
|
||||
if [ -d "/etc/logstash" ]; then
|
||||
printf $Y"[+] "$GREEN"Found Logstash: /etc/logstash\n"$NC >> $file
|
||||
if [ -r /etc/logstash/startup.options ]; then
|
||||
echo "Logstash is running as user:" >> $file
|
||||
cat /etc/logstash/startup.options 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," >> $file
|
||||
fi
|
||||
cat /etc/logstash/conf.d/out* | grep "exec\s*{\|command\s*=>" | sed "s,exec\s*{\|command\s*=>,${C}[1;31m&${C}[0m," >> $file
|
||||
cat /etc/logstash/conf.d/filt* | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed "s,path\s*=>\|code\s*=>\|ruby\s*{,${C}[1;31m&${C}[0m," >> $file
|
||||
logstash=`find /etc /usr /home /root -type d -name logstash 2>/dev/null`
|
||||
if [ "$logstash" ]; then
|
||||
printf $Y"[+] "$GREEN"Found logstash directory\n"$NC >> $file
|
||||
echo $logstash
|
||||
for d in $logstash; do
|
||||
if [ -r $d/startup.options ]; then
|
||||
echo "Logstash is running as user:" >> $file
|
||||
cat $d/startup.options 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," >> $file
|
||||
fi
|
||||
cat $d/conf.d/out* | grep "exec\s*{\|command\s*=>" | sed "s,exec\s*{\|command\s*=>,${C}[1;31m&${C}[0m," >> $file
|
||||
cat $d/conf.d/filt* | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed "s,path\s*=>\|code\s*=>\|ruby\s*{,${C}[1;31m&${C}[0m," >> $file
|
||||
done
|
||||
echo "" >> $file
|
||||
fi
|
||||
|
||||
#Elasticsearch
|
||||
elasticsearch=`find /etc /usr /home /root -name "elasticsearch.y*ml" 2>/dev/null`
|
||||
if [ "$elasticsearch" ]; then
|
||||
printf $Y"[+] "$GREEN"Found Elasticsearch\n"$NC >> $file
|
||||
echo $elasticsearch >> $file
|
||||
for f in $elasticsearch; do cat $f 2>/dev/null || grep -v "^#" | grep -v -e '^[[:space:]]*$' | grep "path.data\|path.logs\|cluster.name\|node.name\|network.host\|discovery.zen.ping.unicast.hosts" >> $file; done
|
||||
echo "Version: $(curl -X GET '10.10.10.115:9200' 2>/dev/null | grep number | cut -d ':' -f 2)" >> $file
|
||||
echo "" >> $file
|
||||
fi
|
||||
|
||||
#Vault-ssh
|
||||
vaultssh=`find /etc /usr /home /root -name vault-ssh-helper.hcl 2>/dev/null`
|
||||
if [ "$vaultssh" ]; then
|
||||
printf $Y"[+] "$GREEN"Found Vault-ssh\n"$NC >> $file
|
||||
echo $vaultssh >> $file
|
||||
for f in $vaultssh; do cat $f 2>/dev/null >> $file; vault-ssh-helper -verify-only -config $f 2>/dev/null >> $file; done
|
||||
echo "" >> $file
|
||||
vault secrets list 2>/dev/null >> $file
|
||||
find /etc /usr /home /root -name ".vault-token" 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," 2>/dev/null >> $file
|
||||
echo "" >> $file
|
||||
fi
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user