mirror of https://github.com/carlospolop/PEASS-ng synced 2024-11-27 14:13:38 +01:00
PEASS-ng/checks/README.md
carlospolop 8828871b34 v2.1.3
2019-10-25 22:59:46 +02:00


LinPEAS - Linux Privilege Escalation Awesome Script (with colors!!)

Also valid for Unix systems

What does linpeas look for

  • System Information

    • OS & kernel version
    • Sudo version
    • PATH
    • Date
    • System stats
    • Environment vars
    • SELinux
    • Printers
    • Dmesg (signature verifications)
    • Container?
  • Devices

    • sd* in /dev
    • Unmounted filesystems
  • Available Software

    • Useful software
    • Installed compilers
  • Processes & Cron & Services

    • Cleaned processes
    • Binary processes permissions
    • Different processes executed during 1 min
    • Cron jobs
    • Services
  • Network Information

    • Hostname, hosts & DNS
    • Content of /etc/inetd.conf
    • Networks and neighbours
    • Iptables rules
    • Active ports
    • Sniff permissions (tcpdump)
  • Users Information

    • Info about current user
    • PGP keys
    • sudo -l without password
    • doas config file
    • Pkexec policy
    • Try to log in using su as other users (using a null password and the username)
    • List of superusers
    • List of users with console
    • Login info
    • List of all users
    • Clipboard and highlighted text
  • Software Information

    • MySQL (Version, user being configured, login as "root:root", "root:toor", "root:", user hashes extraction via DB and file, possible backup user configured)
    • PostgreSQL (Version, try to log in to "template0" and "template1" as: "postgres:", "psql:")
    • Apache (Version)
    • PHP cookies
    • WordPress (Database credentials)
    • Tomcat (Credentials)
    • Mongo (Version)
    • Supervisor (Credentials)
    • Cesi (Credentials)
    • Rsyncd (Credentials)
    • Hostapd (Credentials)
    • Wifi (Credentials)
    • Anaconda-ks (Credentials)
    • VNC (Credentials)
    • LDAP database (Credentials)
    • OpenVPN files (Credentials)
    • SSH (private keys, known_hosts, authorized_hosts, authorized_keys, main config parameters in sshd_config, certificates, agents)
    • PAM-SSH (Unexpected "auth" values)
    • Cloud Credentials (credentials-AWS-, credentials.db-GC-, legacy_credentials-GC-, access_tokens.db-GC-, accessTokens.json-Azure-, azureProfile.json-Azure-)
    • NFS (privilege escalation misconfiguration)
    • Kerberos (configuration & tickets in /tmp)
    • Kibana (credentials)
    • Logstash (Username and possible code execution)
    • Elasticsearch (Config info and Version via port 9200)
    • Vault-ssh (Config values, secrets list and .vault-token files)
    • screen and tmux sessions
  • Generic Interesting Files

    • SUID & SGID files
    • Capabilities
    • .sh scripts in PATH
    • Hashes (passwd, shadow & master.passwd)
    • Try to read root dir
    • Files owned by root inside /home
    • List of readable files belonging to root and not world readable
    • Root files inside a folder owned by the current user
    • Reduced list of files inside my home and /home
    • Mails
    • Backup files
    • DB files
    • Web files
    • Files that can contain passwords (and search for passwords inside *_history files)
    • List of all hidden files
    • List ALL writable files for current user (global, user and groups)
    • Inside /tmp, /var/tmp and /var/backups
    • Passwords in PHP config files
    • Get IPs, passwords and emails from logs
    • "pwd" and "passw" inside files (and get most probable lines)