mirror of
https://github.com/carlospolop/PEASS-ng
synced 2024-11-27 14:13:38 +01:00
3.5 KiB
3.5 KiB
LinPEAS - Linux Privilege Escalation Awsome Script (with colors!!)
Also valid for Unix systems
What does linpeas look for
-
System Information
- SO & kernel version
- Sudo version
- PATH
- Date
- System stats
- Environment vars
- SElinux
- Printers
- Dmesg (signature verifications)
- Container?
-
Devices
- sd* in /dev
- Unmounted filesystems
-
Available Software
- Useful software
- Installed compilers
-
Processes & Cron & Services
- Cleaned processes
- Binary processes permissions
- Different processes executed during 1 min
- Cron jobs
- Services
-
Network Information
- Hostname, hosts & dns
- Content of /etc/inetd.conf
- Networks and neighbours
- Iptables rules
- Active ports
- Sniff permissions (tcpdump)
-
Users Information
- Info about current user
- PGP keys
sudo -l
without password- doas config file
- Pkexec policy
- Try to login using
su
as other users (using null pass and the username) - List of superusers
- List of users with console
- Login info
- List of all users
- Clipboard and highlighted text
-
Software Information
- MySQl (Version, user being configured, loging as "root:root","root:toor","root:", user hashes extraction via DB and file, possible backup user configured)
- PostgreSQL (Version, try login in "template0" and "template1" as: "postgres:", "psql:")
- Apache (Version)
- PHP cookies
- Wordpress (Database credentials)
- Tomcat (Credentials)
- Mongo (Version)
- Supervisor (Credentials)
- Cesi (Credentials)
- Rsyncd (Credentials)
- Hostapd (Credentials)
- Wifi (Credentials)
- Anaconda-ks (Credentials)
- VNC (Credentials)
- LDAP database (Credentials)
- Open VPN files (Credentials)
- SSH (private keys, known_hosts, authorized_hosts, authorized_keys, main config parameters in sshd_config, certificates, agents)
- PAM-SSH (Unexpected "auth" values)
- Cloud Credentials (credenals-AWS-, credentials.gb-GC-, legacy_credentials-GC-, access_tokens.db-GC-, accessTokens.json-Azure-, azureProfile.json-Azure-)
- NFS (privilege escalation misconfiguration)
- Kerberos (configuration & tickets in /tmp)
- Kibana (credentials)
- Logstash (Username and possible code execution)
- Elasticseach (Config info and Version via port 9200)
- Vault-ssh (Config values, secrets list and .vault-token files)
- screen and tmux sessions
-
Generic Interesting Files
- SUID & SGID files
- Capabilities
- .sh scripts in PATH
- Hashes (passwd, shadow & master.passwd)
- Try to read root dir
- Files owned by root inside /home
- List of readable files belonging to root and not world readable
- Root files inside a folder owned by the current user
- Reduced list of files inside my home and /home
- Mails
- Backup files
- DB files
- Web files
- Files that can contain passwords (and search for passwords inside *_history files)
- List of all hidden files
- List ALL writable files for current user (global, user and groups)
- Inside /tmp, /var/tmp and /var/backups
- Password ins config PHP files
- Get IPs, passwords and emails from logs
- "pwd" and "passw" inside files (and get most probable lines)