unified SGID and SUID lists, sudoers colors an search in more logs

2019-04-21 20:47:40 +02:00 · 2019-04-21 20:47:40 +02:00 · 24c40d171b
commit 24c40d171b
parent 30bfc70972
2 changed files with 240 additions and 205 deletions
--- a/README.md
+++ b/README.md
--- a/linPE.sh
+++ b/linPE.sh
@ -7,190 +7,219 @@ B='\033[0;34m'
 NC='\033[0m'
 C=$(printf '\033')

-suidG="/bin/fusermount\|\
-/bin/mount\|\
-/bin/ntfs-3g\|\
-/bin/ping\|\
-/bin/ping6\|\
-/bin/rcp\|\
-/bin/su\|\
-/bin/systemctl\|\
-/bin/umount\|\
-/sbin/mksnap_ffs\|\
-/sbin/mount.cifs\|\
-/sbin/ping\|\
-/sbin/ping6\|\
-/sbin/poweroff\|\
-/sbin/shutdown\|\
-/usr/bin/arping\|\
-/usr/bin/at\|\
-/usr/bin/atq\|\
-/usr/bin/atrm\|\
-/usr/bin/batch\|\
-/usr/bin/bwrap\|\
-/usr/bin/chage\|\
-/usr/bin/chfn\|\
-/usr/bin/chpass\|\
-/usr/bin/chsh\|\
-/usr/bin/crontab\|\
-/usr/bin/doas\|\
-/usr/bin/fusermount\|\
-/usr/bin/gpasswd\|\
-/usr/bin/gpio\|\
-/usr/bin/kismet_capture\|\
-/usr/bin/lppasswd\|\
-/usr/bin/lock\|\
-/usr/bin/login\|\
-/usr/bin/lpq\|\
-/usr/bin/lpr\|\
-/usr/bin/lprm\|\
-/usr/bin/mount\|\
-/usr/bin/mtr\|\
-/usr/bin/newgidmap\|\
-/usr/bin/newgrp\|\
-/usr/bin/newuidmap\|\
-/usr/bin/ntfs-3g\|\
-/usr/bin/opieinfo\|\
-/usr/bin/opiepasswd\|\
-/usr/bin/passwd\|\
-/usr/bin/pkexec\|\
-/usr/bin/quota\|\
-/usr/bin/rlogin\|\
-/usr/bin/rsh\|\
-/usr/bin/staprun\|\
-/usr/bin/su\|\
-/usr/bin/sudo\|\
-/usr/bin/sudoedit\|\
-/usr/bin/traceroute6.iputils\|\
-/usr/bin/umount\|\
-/usr/bin/vmware-user-suid-wrapper\|\
-/usr/bin/vncserver-x11\|\
-/usr/bin/Xvnc\|\
-/usr/lib/chromium/chrome-sandbox\|\
-/usr/lib/dbus-1.0/dbus-daemon-launch-helper\|\
-/usr/lib/eject/dmcrypt-get-device\|\
-/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache\|\
-/usr/libexec/auth/login_chpass\|\
-/usr/libexec/auth/login_lchpass\|\
-/usr/libexec/auth/login_passwd\|\
-/usr/libexec/dbus-1/dbus-daemon-launch-helper\|\
-/usr/libexec/dma-mbox-create\|\
-/usr/libexec/lockspool\|\
-/usr/libexec/ssh-keysign\|\
-/usr/libexec/ulog-helper\|\
-/usr/lib/chromium-browser/chrome-sandbox\|\
-/usr/lib/i386-linux-gnu/lxc/lxc-user-nic\|\
-/usr/lib/openssh/ssh-keysign\|\
-/usr/lib/policykit-1/polkit-agent-helper-1\|\
-/usr/lib/polkit-1/polkit-agent-helper-1\|\
-/usr/lib/pt_chown\|\
-/usr/lib/snapd/snap-confine\|\
-/usr/lib/xorg/Xorg.wrap\|\
-/usr/local/bin/Xorg\|\
-/usr/local/libexec/dbus-daemon-launch-helper\|\
-/usr/sbin/authpf\|\
-/usr/sbin/authpf-noip\|\
-/usr/sbin/exim4\|\
-/usr/sbin/mount.nfs\|\
-/usr/sbin/pam_timestamp_check\|\
-/usr/sbin/ppp\|\
-/usr/sbin/pppd\|\
-/usr/sbin/timedc\|\
-/usr/sbin/traceroute\|\
-/usr/sbin/traceroute6\|\
-/usr/sbin/unix_chkpwd\|\
-/usr/sbin/userhelper\|\
-/usr/sbin/usernetctl\|\
-/usr/X11R6/bin/Xorg\|\
-/usr/kerberos/bin/ksu\|\
-/usr/libexec/openssh/ssh-keysign\|\
-/usr/lib/squid/ncsa_auth\|\
-/usr/lib/squid/pam_auth\|\
-/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper\|\
-/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper\|\
-/usr/lib/news/bin/startinnfeed\|\
-/usr/lib/news/bin/rnews\|\
-/usr/lib/news/bin/inndstart\|\
-/usr/bin/rsh\|\
-/usr/bin/chsh\|\
-/media/.hal-mtab-lock\|\
-/sbin/mount.nfs4\|\
-/sbin/pam_timestamp_check\|\
-/sbin/unix_chkpwd\|\
-/sbin/umount.nfs4\|\
-/usr/sbin/uuidd\|\
-/sbin/mount.nfs\|\
-/sbin/umount.nfs"

-suidB='aria2c$\|arp$\|ash$\|awk$\|base64$\|bash$\|busybox$\|cat$\|chmod$\|chown$\|cp$\|csh$\|curl$\|cut$\|dash$\|date$\|dd$\|diff$\|dmsetup$\|docker$\|ed$\|emacs$\|env$\|expand$\|expect$\|file$\|find$\|flock$\|fmt$\|fold$\|gdb$\|gimp$\|git$\|grep$\|head$\|ionice$\|ip$\|jjs$\|jq$\|jrunscript$\|ksh$\|ld.so$\|less$\|logsave$\|lua$\|make$\|more$\|mv$\|mysql$\|nano$\|nc$\|nice$\|nl$\|nmap$\|node$\|od$\|openssl$\|perl$\|pg$\|php$\|pic$\|pico$\|python$\|readelf$\|rlwrap$\|rpm$\|rpmquery$\|rsync$\|rvim$\|scp$\|sed$\|setarch$\|shuf$\|socat$\|sort$\|sqlite3$\|stdbuf$\|strace$\|systemctl$\|tail$\|tar$\|taskset$\|tclsh$\|tee$\|telnet$\|tftp$\|time$\|timeout$\|ul$\|unexpand$\|uniq$\|unshare$\|vim$\|watch$\|wget$\|xargs$\|xxd$\|zip$\|zsh$'
+sidG="/accton$\|\
+/allocate$\|\
+/arping$\|\
+/at$\|\
+/atq$\|\
+/atrm$\|\
+/authpf$\|\
+/authpf-noip$\|\
+/batch$\|\
+/bsd-write$\|\
+/btsockstat$\|\
+/bwrap$\|\
+/cacaocsc$\|\
+/camel-lock-helper-1.2$\|\
+/ccreds_validate$\|\
+/cdrw$\|\
+/chage$\|\
+/chfn$\|\
+/chkey$\|\
+/chkperm$\|\
+/chpass$\|\
+/chrome-sandbox$\|\
+/chsh$\|\
+/cons.saver$\|\
+/crontab$\|\
+/ct$\|\
+/cu$\|\
+/dbus-daemon-launch-helper$\|\
+/deallocate$\|\
+/dma$\|\
+/dmcrypt-get-device$\|\
+/doas$\|\
+/dotlockfile$\|\
+/dotlock.mailutils$\|\
+/dtaction$\|\
+/dtappgather$\|\
+/dtfile$\|\
+/dtprintinfo$\|\
+/dtsession$\|\
+/eject$\|\
+/execabrt-action-install-debuginfo-to-abrt-cache$\|\
+/execdbus-daemon-launch-helper$\|\
+/execdma-mbox-create$\|\
+/execlockspool$\|\
+/execlogin_chpass$\|\
+/execlogin_lchpass$\|\
+/execlogin_passwd$\|\
+/execssh-keysign$\|\
+/execulog-helper$\|\
+/exim4$\|\
+/expiry$\|\
+/fdformat$\|\
+/fusermount$\|\
+/gnome-pty-helper$\|\
+/gnome-suspend$\|\
+/gpasswd$\|\
+/gpg$\|\
+/gpio$\|\
+/inndstart$\|\
+/ksu$\|\
+/list_devices$\|\
+/lock$\|\
+/lockdev$\|\
+/lockfile$\|\
+/login$\|\
+/login_activ$\|\
+/login_crypto$\|\
+/login_radius$\|\
+/login_skey$\|\
+/login_snk$\|\
+/login_token$\|\
+/login_yubikey$\|\
+/lpc$\|\
+/lpd$\|\
+/lpd-port$\|\
+/lppasswd$\|\
+/lpq$\|\
+/lpr$\|\
+/lprm$\|\
+/lpset$\|\
+/lxc-user-nic$\|\
+/mahjongg$\|\
+/mail-lock$\|\
+/mailq$\|\
+/mail-touchlock$\|\
+/mail-unlock$\|\
+/mksnap_ffs$\|\
+/mlocate$\|\
+/mount$\|\
+/mount.cifs$\|\
+/mount.nfs$\|\
+/mount.nfs4$\|\
+/movemail$\|\
+/mtr$\|\
+/mutt_dotlock$\|\
+/ncsa_auth$\|\
+/netpr$\|\
+/netreport$\|\
+/netstat$\|\
+/newgidmap$\|\
+/newgrp$\|\
+/newtask$\|\
+/newuidmap$\|\
+/ntfs-3g$\|\
+/opieinfo$\|\
+/opiepasswd$\|\
+/pam_auth$\|\
+/pam_extrausers_chkpwd$\|\
+/pam_timestamp_check$\|\
+/pamverifier$\|\
+/passwd$\|\
+/pfexec$\|\
+/ping$\|\
+/ping6$\|\
+/pkexec$\|\
+/pmconfig$\|\
+/polkit-agent-helper-1$\|\
+/postdrop$\|\
+/postqueue$\|\
+/poweroff$\|\
+/ppp$\|\
+/pppd$\|\
+/procmail$\|\
+/pt_chmod$\|\
+/pt_chown$\|\
+/quota$\|\
+/rcp$\|\
+/rdist$\|\
+/remote.unknown$\|\
+/rlogin$\|\
+/rmformat$\|\
+/rnews$\|\
+/rsh$\|\
+/sacadm$\|\
+/screen$\|\
+/sdtcm_convert$\|\
+/sendmail$\|\
+/sendmail.sendmail$\|\
+/shutdown$\|\
+/skeyaudit$\|\
+/skeyinfo$\|\
+/skeyinit$\|\
+/slocate$\|\
+/smpatch$\|\
+/smtpctl$\|\
+/snap-confine$\|\
+/sperl5.8.8$\|\
+/ssh-agent$\|\
+/ssh-keysign$\|\
+/staprun$\|\
+/startinnfeed$\|\
+/stclient$\|\
+/su$\|\
+/sudo$\|\
+/sudoedit$\|\
+/suexec$\|\
+/sys-suspend$\|\
+/systemctl$\|\
+/timedc$\|\
+/tip$\|\
+/traceroute$\|\
+/traceroute6$\|\
+/traceroute6.iputils$\|\
+/trpt$\|\
+/tsoldtlabel$\|\
+/tsoljdslabel$\|\
+/tsolxagent$\|\
+/ufsdump$\|\
+/ufsrestore$\|\
+/umount$\|\
+/umount.nfs$\|\
+/umount.nfs4$\|\
+/unix_chkpwd$\|\
+/uptime$\|\
+/userhelper$\|\
+/usernetctl$\|\
+/utempter$\|\
+/utmp_update$\|\
+/uucico$\|\
+/uucp$\|\
+/uuglist$\|\
+/uuidd$\|\
+/uuname$\|\
+/uusched$\|\
+/uustat$\|\
+/uux$\|\
+/uuxqt$\|\
+/vmware-user-suid-wrapper$\|\
+/vncserver-x11$\|\
+/volrmmount$\|\
+/w$\|\
+/wall$\|\
+/whodo$\|\
+/write$\|\
+/xlock$\|\
+/Xorg$\|\
+/Xorg.wrap$\|\
+/xscreensaver$\|\
+/Xsun$\|\
+/xterm$\|\
+/Xvnc$"

-sgid="/sbin/pam_extrausers_chkpwd\|\
-/sbin/unix_chkpwd\|\
-/usr/bin/at\|\
-/usr/bin/atq\|\
-/usr/bin/atrm\|\
-/usr/bin/batch\|\
-/usr/bin/bsd-write\|\
-/usr/bin/btsockstat\|\
-/usr/bin/chage\|\
-/usr/bin/crontab\|\
-/usr/bin/dotlockfile\|\
-/usr/bin/dotlock.mailutils\|\
-/usr/bin/expiry\|\
-/usr/bin/lock\|\
-/usr/bin/lpq\|\
-/usr/bin/lpr\|\
-/usr/bin/lprm\|\
-/usr/bin/mail-unlock\|\
-/usr/bin/mail-touchlock\|\
-/usr/bin/mail-lock\|\
-/usr/bin/mlocate\|\
-/usr/bin/mutt_dotlock\|\
-/usr/bin/netstat\|\
-/usr/bin/screen\|\
-/usr/bin/skeyaudit\|\
-/usr/bin/skeyinfo\|\
-/usr/bin/skeyinit\|\
-/usr/bin/ssh-agent\|\
-/usr/bin/wall\|\
-/usr/bin/write\|\
-/usr/games/mahjongg\|\
-/usr/lib/emacs/24.5/i686-linux-gnu/movemail\|\
-/usr/lib/evolution/camel-lock-helper-1.2\|\
-/usr/libexec/auth/login_activ\|\
-/usr/libexec/auth/login_crypto\|\
-/usr/libexec/auth/login_radius\|\
-/usr/libexec/auth/login_skey\|\
-/usr/libexec/auth/login_snk\|\
-/usr/libexec/auth/login_token\|\
-/usr/libexec/auth/login_yubikey\|\
-/usr/libexec/dma\|\
-/usr/libexec/sendmail/sendmail\|\
-/usr/lib/i386-linux-gnu/utempter/utempter\|\
-/usr/lib/libvte9/gnome-pty-helper\|\
-/usr/lib/mc/cons.saver\|\
-/usr/lib/pt_chown\|\
-/usr/lib/snapd/snap-confine\|\
-/usr/lib/x86_64-linux-gnu/utempter/utempter\|\
-/usr/lib/xemacs-21.4.22/i686-linux-gnu/movemail\|\
-/usr/lib/xorg/Xorg.wrap\|\
-/usr/sbin/authpf\|\
-/usr/sbin/authpf-noip\|\
-/usr/sbin/lpc\|\
-/usr/sbin/lpd\|\
-/usr/sbin/smtpctl\|\
-/usr/sbin/trpt\|\
-/usr/sbin/unix_chkpwd\|\
-/usr/sbin/uuidd\|\
-/usr/X11R6/bin/xlock\|\
-/usr/X11R6/bin/xterm"
+sidB='aria2c$\|arp$\|ash$\|awk$\|base64$\|bash$\|busybox$\|cat$\|chmod$\|chown$\|cp$\|csh$\|curl$\|cut$\|dash$\|date$\|dd$\|diff$\|dmsetup$\|docker$\|ed$\|emacs$\|env$\|expand$\|expect$\|file$\|find$\|flock$\|fmt$\|fold$\|gdb$\|gimp$\|git$\|grep$\|head$\|ionice$\|ip$\|jjs$\|jq$\|jrunscript$\|ksh$\|ld.so$\|less$\|logsave$\|lua$\|make$\|more$\|mv$\|mysql$\|nano$\|nc$\|nice$\|nl$\|nmap$\|node$\|od$\|openssl$\|perl$\|pg$\|php$\|pic$\|pico$\|python$\|readelf$\|rlwrap$\|rpm$\|rpmquery$\|rsync$\|rvim$\|scp$\|sed$\|setarch$\|shuf$\|socat$\|sort$\|sqlite3$\|stdbuf$\|strace$\|systemctl$\|tail$\|tar$\|taskset$\|tclsh$\|tee$\|telnet$\|tftp$\|time$\|timeout$\|ul$\|unexpand$\|uniq$\|unshare$\|vim$\|watch$\|wget$\|xargs$\|xxd$\|zip$\|zsh$'
+sudoB="$(whoami)\|\*\|env_keep+=LD_PRELOAD\|apt-get$\|apt$\|aria2c$\|arp$\|ash$\|awk$\|base64$\|bash$\|busybox$\|cat$\|chmod$\|chown$\|cp$\|cpan$\|cpulimit$\|crontab$\|csh$\|curl$\|cut$\|dash$\|date$\|dd$\|diff$\|dmesg$\|dmsetup$\|dnf$\|docker$\|dpkg$\|easy_install$\|ed$\|emacs$\|env$\|expand$\|expect$\|facter$\|file$\|find$\|flock$\|fmt$\|fold$\|ftp$\|gdb$\|gimp$\|git$\|grep$\|head$\|ionice$\|ip$\|irb$\|jjs$\|journalctl$\|jq$\|jrunscript$\|ksh$\|ld.so$\|less$\|logsave$\|ltrace$\|lua$\|mail$\|make$\|man$\|more$\|mount$\|mtr$\|mv$\|mysql$\|nano$\|nc$\|nice$\|nl$\|nmap$\|node$\|od$\|openssl$\|perl$\|pg$\|php$\|pic$\|pico$\|pip$\|puppet$\|python$\|readelf$\|red$\|rlwrap$\|rpm$\|rpmquery$\|rsync$\|ruby$\|run-mailcap$\|run-parts$\|rvim$\|scp$\|screen$\|script$\|sed$\|service$\|setarch$\|sftp$\|smbclient$\|socat$\|sort$\|sqlite3$\|ssh$\|start-stop-daemon$\|stdbuf$\|strace$\|systemctl$\|tail$\|tar$\|taskset$\|tclsh$\|tcpdump$\|tee$\|telnet$\|tftp$\|time$\|timeout$\|tmux$\|ul$\|unexpand$\|uniq$\|unshare$\|vi$\|vim$\|watch$\|wget$\|wish$\|xargs$\|xxd$\|yum$\|zip$\|zsh$\|zypper$"

 intfol="\./\|/etc/\|/root/\|/home/\|/var/log/\|/mnt/\|/usr/local/sbin/\|/usr/sbin/\|/sbin/\|/usr/local/bin/\|/usr/bin/\|/bin/\|/usr/local/games/\|/usr/games/\|/usr/lib/"`echo $PATH 2>/dev/null| sed 's/:/\\\|/g'`

 sh_usrs=`cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|/\\\|/g'`"ImPoSSssSiBlEee"
 nosh_usrs=`cat /etc/passwd 2>/dev/null | grep -i -v "sh$" | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|/\\\|/g'`"ImPoSSssSiBlEee"
-knw_usrs='daemon\|message+\|syslog\|www-data\|mail\|noboby\|Debian-+\|rtkit\|systemd+'
-
+knw_usrs='daemon\|message+\|syslog\|www\|www-data\|mail\|noboby\|Debian-+\|rtkit\|systemd+'
+USER=`whoami`
+HOME=/home/$USER

 if [ "$(/usr/bin/id -u)" -eq "0" ]; then printf $B"[*] "$RED"YOU ARE ALREADY ROOT!!! (nothing is going to be executed)\n"$NC; exit; fi

@ -222,7 +251,7 @@ sestatus 2>/dev/null >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"Useful software?\n"$NC >> $file
-which nc ncat netcat wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file
+which nc ncat netcat wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch 2>/dev/null >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"Capabilities\n"$NC >> $file
@ -230,7 +259,7 @@ getcap -r / 2>/dev/null >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"Environment\n"$NC >> $file
-(set || env) 2>/dev/null | grep -v "suidG\|suidB\|sgid\|intfol\|_usrs" >> $file
+(set || env) 2>/dev/null | grep -v "sidG\|sidB\|sudoB\|intfol\|_usrs" >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"Cleaned proccesses\n"$NC >> $file
@ -245,8 +274,8 @@ printf $Y"[+] "$RED"Services\n"$NC >> $file
 (/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file
 echo "" >> $file

-printf $Y"[+] "$RED"Different processes executed during 1 min (frequent cron?)\n"$NC >> $file
-if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi
+printf $Y"[+] "$RED"Different processes executed during 1 min (interesting is low number of repetitions)\n"$NC >> $file
+if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq -c | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi
 echo "" >> $file

 printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file
@ -305,8 +334,11 @@ printf $Y"[+] "$RED"Me\n"$NC >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"Sudo -l without password & /etc/sudoers\n"$NC >> $file
-echo '' | sudo -S -l -k 2>/dev/null >> $file
-cat /etc/sudoers 2>/dev/null >> $file #Add to one-liner  
+echo '' | sudo -S -l -k 2>/dev/null | sed "s,$sudoB,${C}[31m&${C}[0m," >> $file
+cat /etc/sudoers 2>/dev/null | sed "s,$sudoB,${C}[31m&${C}[0m," >> $file #Add to one-liner  
+echo "" >> $file
+
+printf $Y"[+] "$RED"Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file
@ -335,15 +367,15 @@ echo "[+]Gathering files information..."
 printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file 
 echo "" >> $file
 printf $Y"[+] "$RED"SUID\n"$NC >> $file
-find / -perm -4000 2>/dev/null | sed "s,$suidG,${C}[32m&${C}[0m," | sed "s,$suidB,${C}[31m&${C}[0m," >> $file
+find / -perm -4000 2>/dev/null | sed "s,$sidG,${C}[32m&${C}[0m," | sed "s,$sidB,${C}[31m&${C}[0m," >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"SGID\n"$NC >> $file
-find / -perm -g=s -type f 2>/dev/null | sed "s,$sgid,${C}[32m&${C}[0m," >> $file
+find / -perm -g=s -type f 2>/dev/null | sed "s,$sidG,${C}[32m&${C}[0m," | sed "s,$sidB,${C}[31m&${C}[0m," >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"Files inside \$HOME (limit 20)\n"$NC >> $file
-ls -la $HOME 2>/dev/null | head -n 20 >> $file
+ls -la $HOME 2>/dev/null | head -n 23 >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file
@ -392,8 +424,6 @@ ls -a /tmp /var/tmp /var/backups 2>/dev/null | head 105 >> $file
 echo "" >> $file

 printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file
-USER=`whoami`
-HOME=/home/$USER
 find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq | sed "s,$intfol,${C}[31m&${C}[0m," >> $file
 for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs' | sed "s,$intfol,${C}[31m&${C}[0m,"; done >> $file
 echo "" >> $file
@ -409,16 +439,20 @@ printf $Y"[+] "$RED"Backup files?\n"$NC >> $file
 find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*bck*" \) 2>/dev/null >> $file
 echo "" >> $file

-printf $Y"[+] "$RED"Find IPs & passwords inside logs\n"$NC >> $file
-grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file
-grep -a -R -i 'password' /var/log/ 2>/dev/null | sort | uniq >> $file #Add to one-liner 
+printf $Y"[+] "$RED"Finding IPs inside logs\n"$NC >> $file
+grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" /var/log/ 2>/dev/null | sort | uniq -c >> $file #Add to one-liner
 echo "" >> $file

-printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc and list possible web(/var/www) and config(/etc) passwords\n"$NC >> $file
-grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file
+printf $Y"[+] "$RED"Finding passwords inside logs\n"$NC >> $file
+grep -a -R -i "pwd\|passw" /var/log/ 2>/dev/null | sort | uniq -c >> $file #Add to one-liner
+echo "" >> $file
+
+printf $Y"[+] "$RED"Finding emails inside logs\n"$NC >> $file
+grep -R -E -a -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" /var/log/ 2>/dev/null | sort | uniq -c >> $file #Add to one-liner 
+echo "" >> $file 
+
+printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /etc, /root and list possible web(/var/www) and config(/etc) passwords\n"$NC >> $file
+grep -lRi "pwd\|passw" /home /var/www /root 2>/dev/null | sort | uniq -c >> $file
 grep -R -i "password.* = ['\"]" /var/www | sed '/^.\{150\}./d' | grep "\.php" >> $file #Add to one-liner
 grep -R -i "password" /etc 2>/dev/null | grep "conf" | grep -v "#" >> $file #Add to one-liner
 echo "" >> $file
-
-printf $Y"[+] "$RED"Sudo -l (you need to put the password and the result appear in console)\n"$NC >> $file
-sudo -l