diff --git a/.gitignore b/.gitignore index 936c13b..107c347 100755 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,6 @@ winPEAS/winPEASexe/winPEAS/bin/Debug/* obj bin packages +*cpython* +*/*cpython* +launch.json \ No newline at end of file diff --git a/build_lists/sensitive_files.yaml b/build_lists/sensitive_files.yaml index 7c72915..230e96c 100644 --- a/build_lists/sensitive_files.yaml +++ b/build_lists/sensitive_files.yaml @@ -63,7 +63,7 @@ common_directory_folders: peas_finds_markup: "peass{FINDS_HERE}" find_line_markup: "peass{FIND_PARAMS_HERE}" find_template: > - `eval_bckgrd "find peass{FIND_PARAMS_HERE} 2>/dev/null | sort; printf \\\$Y'. '\\\$NC 1>&2;"` + `eval_bckgrd "find peass{FIND_PARAMS_HERE} 2>/dev/null | sort; printf \\\$YELLOW'. '\\\$NC 1>&2;"` peas_storages_markup: "peass{STORAGES_HERE}" storage_line_markup: "peass{STORAGE_PARAMS_HERE}" @@ -434,6 +434,34 @@ search: search_in: - common + ? "*vnc*.c*nf*" + : + bad_regex: ".*" + type: f + search_in: + - common + + ? "*vnc*.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? "*vnc*.txt" + : + bad_regex: ".*" + type: f + search_in: + - common + + ? "*vnc*.xml" + : + bad_regex: ".*" + type: f + search_in: + - common + Ldap: config: auto_check: True @@ -651,6 +679,30 @@ search: search_in: - common + ? "TokenCache.dat" + : + bad_regex: ".*" + type: f + search_in: + - common + + ? "AzureRMContext.json" + : + bad_regex: ".*" + type: f + search_in: + - common + + ? ".bluemix" + : + files: + ? "config.json" + : + bad_regex: ".*" + type: d + search_in: + - common + Kerberos: config: auto_check: False @@ -937,6 +989,13 @@ search: search_in: - common + ? "filezilla.xml" + : + just_list_file: True + type: f + search_in: + - common + Backup Manager: config: auto_check: True 
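Review bot: In the @@ -434 hunk the `*vnc*.txt` and `*vnc*.xml` entries use `bad_regex: ".*"`, which marks every line of any matching file, so something like a `vnc-readme.txt` is dumped in full and entirely in red, while the sibling `*vnc*.ini` entry only lists the path. Unless whole-file output is the intent, `just_list_file: True` for the `.txt` and `.xml` patterns (as already done for `.ini`) keeps the section to paths and lets the operator open the few that matter. If the content really is wanted, a narrower `bad_regex` on the credential-bearing keys would make the red lines meaningful; I have not checked which keys the various VNC servers use. The enclosing `search:` mapping begins before this hunk.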
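Review bot: In the @@ -651 hunk `TokenCache.dat` gets `bad_regex: ".*"`, so every line of the file is echoed to the console; as far as I know that file is a serialized/protected token blob rather than plain text, so the match prints binary noise and, where the blob is not protected, the raw refresh tokens end up in whatever captures the linpeas output. `just_list_file: True`, the convention this same diff uses for `filezilla.xml` and `*vnc*.ini`, would surface the path without dumping the contents. `AzureRMContext.json` is text and worth reading, but `.*` there too highlights every line rather than the account/subscription/tenant fields; a regex on those keys would be more useful (exact key names not verified here). The enclosing `search:` mapping begins before this hunk.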
@@ -1406,6 +1465,98 @@ search: search_in: - common + Keepass: + config: + auto_check: True + + files: + ? "*.kdbx" + : + just_list_file: True + type: f + search_in: + - common + + ? "KeePass.config*" + : + just_list_file: True + type: f + search_in: + - common + + ? "KeePass.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? "KeePass.enforced*" + : + just_list_file: True + type: f + search_in: + - common + + FTP: + config: + auto_check: True + + files: + ? "*.ftpconfig" + : + just_list_file: True + type: f + search_in: + - common + + ? "ffftp.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? "ftp.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? "ftp.config" + : + just_list_file: True + type: f + search_in: + - common + + ? "ws_ftp.ini" + : + just_list_file: True + type: f + search_in: + - common + + Interesting logs: + config: + auto_check: True + + files: + ? "access.log" + : + just_list_file: True + type: f + search_in: + - common + + ? "error.log" + : + just_list_file: True + type: f + search_in: + - common + Other Interesting Files: config: auto_check: True 
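Review bot: The `KeePass.enforced*` entry in the new Keepass section probably never matches: KeePass 2.x names its enforced configuration `KeePass.config.enforced.xml`, which the preceding `KeePass.config*` pattern already catches, so this entry is dead unless it targets a filename I am not aware of — worth confirming before it ships. Relatedly, `*.kdbx` covers KeePass 2 databases only; KeePass 1.x and KeePassX used `*.kdb`, so a `? "*.kdb"` entry with `just_list_file: True` next to it would round out the section. The `search:` mapping these sections belong to begins before this hunk.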
@@ -1474,6 +1625,361 @@ search: search_in: - common + Windows Files: + config: + auto_check: True + + files: + ? "unattend.inf" + : + just_list_file: True + type: f + search_in: + - common + + ? "*.rdg" + : + just_list_file: True + type: f + search_in: + - common + + ? "AppEvent.Evt" + : + just_list_file: True + type: f + search_in: + - common + + ? "ConsoleHost_history.txt" + : + just_list_file: True + type: f + search_in: + - common + + ? "FreeSSHDservice.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? "NetSetup.log" + : + just_list_file: True + type: f + search_in: + - common + + ? "Ntds.dit" + : + just_list_file: True + type: f + search_in: + - common + + ? "RDCMan.settings" + : + just_list_file: True + type: f + search_in: + - common + + ? "SAM" + : + just_list_file: True + type: f + search_in: + - common + + ? "SYSTEM" + : + just_list_file: True + type: f + search_in: + - common + + ? "SecEvent.Evt" + : + just_list_file: True + type: f + search_in: + - common + + ? "appcmd.exe" + : + just_list_file: True + type: f + search_in: + - common + + ? "bash.exe" + : + just_list_file: True + type: f + search_in: + - common + + ? "datasources.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "default.sav" + : + just_list_file: True + type: f + search_in: + - common + + ? "drives.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "groups.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "https-xampp.conf" + : + just_list_file: True + type: f + search_in: + - common + + ? "https.conf" + : + just_list_file: True + type: f + search_in: + - common + + ? "iis6.log" + : + just_list_file: True + type: f + search_in: + - common + + ? "index.dat" + : + just_list_file: True + type: f + search_in: + - common + + ? "my.cnf" + : + just_list_file: True + type: f + search_in: + - common + + ? "my.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? 
"ntuser.dat" + : + just_list_file: True + type: f + search_in: + - common + + ? "pagefile.sys" + : + just_list_file: True + type: f + search_in: + - common + + ? "php.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? "printers.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "recentservers.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "scclient.exe" + : + just_list_file: True + type: f + search_in: + - common + + ? "scheduledtasks.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "security" + : + just_list_file: True + type: f + search_in: + - common + + ? "security.sav" + : + just_list_file: True + type: f + search_in: + - common + + ? "server.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "services.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "setupinfo" + : + just_list_file: True + type: f + search_in: + - common + + ? "setupinfo.bak" + : + just_list_file: True + type: f + search_in: + - common + + ? "sitemanager.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "sites.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? "software" + : + just_list_file: True + type: f + search_in: + - common + + ? "software.sav" + : + just_list_file: True + type: f + search_in: + - common + + ? "sysprep.inf" + : + just_list_file: True + type: f + search_in: + - common + + ? "sysprep.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "system.sav" + : + just_list_file: True + type: f + search_in: + - common + + ? "unattend.txt" + : + just_list_file: True + type: f + search_in: + - common + + ? "unattend.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "unattended.xml" + : + just_list_file: True + type: f + search_in: + - common + + ? "wcx_ftp.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? 
"web*.config" + : + just_list_file: True + type: f + search_in: + - common + + ? "winscp.ini" + : + just_list_file: True + type: f + search_in: + - common + + ? "wsl.exe" + : + just_list_file: True + type: f + search_in: + - common + # Final section Database: config: @@ -1539,4 +2045,4 @@ search: : type: f search_in: - - common \ No newline at end of file + - common diff --git a/linPEAS/builder/linpeas_base.sh b/linPEAS/builder/linpeas_base.sh index 4899cff..6e7fc06 100755 --- a/linPEAS/builder/linpeas_base.sh +++ b/linPEAS/builder/linpeas_base.sh @@ -73,13 +73,12 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, ${YELLOW}-o${BLUE} Only execute selected checks (SysI, Container, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles). Select a comma separated list. ${YELLOW}-L${BLUE} Force linpeas execution. ${YELLOW}-M${BLUE} Force macpeas execution. - ${YELLOW}-t${BLUE} Threads to search files inside the system (by default it's the number of CPU threads). ${YELLOW}-d ${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24 ${YELLOW}-p -d ${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139 ${YELLOW}-i [-p ]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 $GREEN Notice${BLUE} that if you select some network action, no PE check will be performed$NC" -while getopts "h?asnd:p:i:P:qo:LMwt:N" opt; do +while getopts "h?asnd:p:i:P:qo:LMwN" opt; do case "$opt" in h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;; a) FAST="";; @@ -94,7 +93,6 @@ while getopts "h?asnd:p:i:P:qo:LMwt:N" opt; do L) MACPEAS="";; M) MACPEAS="1";; w) WAIT=1;; - t) THREADS=$OPTARG;; N) NOCOLOR="1";; esac done 
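Review bot: The registry-hive entries in the new Windows Files section mix cases — `SAM` and `SYSTEM` are upper-case while `security`, `software` and `ntuser.dat` are lower-case — and on a case-sensitive filesystem (an NTFS volume mounted with ntfs-3g, a Wine prefix) those files are `SECURITY`, `SOFTWARE` and `NTUSER.DAT`. Unless the generated find uses `-iname` (not visible here; it lives in `find_template`), half of this set never matches, so either spell them consistently (`? "SECURITY"`, `? "SOFTWARE"`, `? "NTUSER.DAT"`) or confirm the case-insensitive match; note that lower-case `security`/`software` are also common generic names that will yield false positives if matched case-insensitively. The `appcmd.exe`, `bash.exe`, `scclient.exe` and `wsl.exe` entries are presence indicators rather than sensitive files, and a one-line comment above them saying so (`# executables listed to flag installed tooling, not for their contents`) would stop a later reader from pruning them. The hunk starts on the "@@ -1474" line earlier in this page and ends with the `wsl.exe` entry; the `search:` mapping begins before it.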
@@ -1001,7 +999,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ] || [ "`echo $CHECKS | grep #----------) Caching Finds (--------------# ########################################### - printf $GREEN"Caching directories using${YELLOW} $THREADS$GREEN threads "$NC + printf $GREEN"Caching directories "$NC #Get home @@ -2313,6 +2311,14 @@ if [ "`echo $CHECKS | grep SofI`" ]; then peass{Msmtprc} + peass{Keepass} + + peass{FTP} + + peass{Interesting logs} + + peass{Windows Files} + peass{Other Interesting Files} echo "" @@ -2615,7 +2621,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Others files in my dirs if ! [ "$IAMROOT" ]; then print_2title "Searching folders owned by me containing others files on it (limit 100)" - (find / -type d -user "$USER" ! -path "/proc/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" -type f -or -type d -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;13m&${C}[0m,g" + (find / -type d -user "$USER" ! -path "/proc/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" \( -type f -or -type d \) -exec dirname {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;13m&${C}[0m,g" echo "" fi diff --git a/linPEAS/builder/linpeas_builder.py b/linPEAS/builder/linpeas_builder.py index c7ebbc3..181d76b 100644 --- a/linPEAS/builder/linpeas_builder.py +++ b/linPEAS/builder/linpeas_builder.py 
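Review bot: The parenthesised `\( -type f -or -type d \)` fixes the precedence of `! -user`, but the `while read d` loop feeding the inner find still mangles directory names: without `IFS= read -r`, leading/trailing whitespace is stripped and backslashes are interpreted, so such a directory is searched at the wrong path or skipped. `... | head -n 100 | while IFS= read -r d; do find "$d" -maxdepth 1 ...` is the usual fix and works in POSIX sh and busybox. Directory names containing a newline still break the line-oriented pipeline, which is acceptable for a best-effort listing but deserves a short comment on the line above. The `if ! [ "$IAMROOT" ]` block is fully inside the hunk; the enclosing IntFiles section is not.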
@@ -1,12 +1,18 @@ from .src.peasLoaded import PEASLoaded from .src.linpeasBuilder import LinpeasBuilder +from .src.yamlGlobals import FINAL_LINPEAS_PATH +import os +import stat #python3 -m builder.linpeas_builder def main(): ploaded = PEASLoaded() lbuilder = LinpeasBuilder(ploaded) lbuilder.build() + lbuilder.write_linpeas(FINAL_LINPEAS_PATH) + st = os.stat(FINAL_LINPEAS_PATH) + os.chmod(FINAL_LINPEAS_PATH, st.st_mode | stat.S_IEXEC) if __name__ == "__main__": diff --git a/linPEAS/builder/src/linpeasBuilder.py b/linPEAS/builder/src/linpeasBuilder.py index 9feafd2..2ccba5f 100644 --- a/linPEAS/builder/src/linpeasBuilder.py +++ b/linPEAS/builder/src/linpeasBuilder.py @@ -15,7 +15,6 @@ from .yamlGlobals import ( FIND_LINE_MARKUP, STORAGE_LINE_MARKUP, STORAGE_LINE_EXTRA_MARKUP, - FINAL_LINPEAS_PATH ) @@ -60,8 +59,6 @@ class LinpeasBuilder: peass_marks = self.__get_peass_marks() assert len(peass_marks) == 0, f"There are peass marks left: {', '.join(peass_marks)}" - self.__write_linpeas() - def __get_peass_marks(self): return re.findall(r'peass\{[\w\-\._ ]*\}', self.linpeas_sh) 
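Review bot: `os.chmod(FINAL_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)` in `main()` only sets the owner-execute bit (`S_IEXEC` is `S_IXUSR`), so a fresh 0644 build becomes 0744 rather than the 0755 the checked-in shell scripts carry; if the artifact is meant to be runnable by whoever copies it onto a target, use `stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH`. `main()` is a build-time entry point, so a short docstring stating that it renders the template, writes `FINAL_LINPEAS_PATH` and marks it executable would help the next reader. `main()` is complete within the hunk.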
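Review bot: With `self.__write_linpeas()` removed from `build()`, the context line `assert len(peass_marks) == 0, ...` is now the only check between `build()` and the caller's `write_linpeas()`, and `assert` is stripped under `python -O`, so an optimized build silently writes a script with unresolved `peass{...}` markers. Make it a real error: `if peass_marks:` / `    raise RuntimeError(f"There are peass marks left: {', '.join(peass_marks)}")`. `build()` starts outside this hunk; `__get_peass_marks` is complete in it.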
@@ -171,12 +168,13 @@ class LinpeasBuilder: def __construct_file_line(self, precord: PEASRecord, frecord: FileRecord, init: bool = True) -> str: real_regex = frecord.regex[1:] if frecord.regex.startswith("*") else frecord.regex - real_regex = real_regex.replace("*",".*").replace(".","\\.") + real_regex = real_regex.replace(".","\\.").replace("*",".*") real_regex += "$" analise_line = "" if init: - analise_line = 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; ' + analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then echo_not_found "'+frecord.regex+'"; fi; ' + analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; ' #If just list, just list the file/directory if frecord.just_list_file: @@ -234,7 +232,7 @@ class LinpeasBuilder: """Substitude the markup with the actual code""" self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char is't needed - def __write_linpeas(self): + def write_linpeas(self, path): """Write on disk the final linpeas""" - with open(FINAL_LINPEAS_PATH, "w") as f: + with open(path, "w") as f: f.write(self.linpeas_sh) \ No newline at end of file
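Review bot: The new not-found line in `__construct_file_line` embeds the regex as `\"…\"` inside backticks inside a double-quoted shell string, a nesting whose handling differs between shells (in POSIX backquotes a backslash is literal except before `$`, `` ` `` and `\`, so `\"` may reach the inner command unchanged on some sh implementations). The check does not need a captured string at all: `analise_line = 'if ! printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -qE "'+real_regex+'"; then echo_not_found "'+frecord.regex+'"; fi; '` is the same pipeline the following line already uses, avoids the nested quoting and stops at the first match. The swapped `.replace` order is correct (escape `.` before expanding `*`), but `frecord.regex` is still spliced raw into a double-quoted shell string for `echo_not_found`; the globs in this diff are harmless, though a future key containing `$` or a backtick would be expanded, which a one-line comment at the top of the method should state. The method continues past the end of the hunk.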
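Review bot: `write_linpeas` is now public and called from the builder's `main()`, but `open(path, "w")` uses the locale encoding, so a build under a C/POSIX locale would fail or mangle any non-ASCII byte in `self.linpeas_sh`; `with open(path, "w", encoding="utf-8", newline="\n") as f:` pins both the encoding and Unix line endings for a shell script that will run on Linux. The docstring should also name the parameter, e.g. `"""Write the rendered linpeas script to *path*, overwriting any existing file."""`, and the file should end with a newline (the diff reports none). The class header is outside the hunk.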