This commit is contained in:
carlospolop 2021-12-23 20:38:39 -05:00
parent 1edcf4e28d
commit 84524dfac5
3 changed files with 36 additions and 126 deletions



@ -72,7 +72,6 @@ if [ "$(command -v mysql)" ] || [ "$(command -v mysqladmin)" ] || [ "$DEBUG" ];
else echo_no else echo_no
fi fi
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
#-- SI) Mysql credentials #-- SI) Mysql credentials
@ -109,7 +108,6 @@ if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then
echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED}," echo "If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');" | sed -${E} "s,.*,${SED_RED},"
fi fi
done done
elif [ "$DEBUG" ]; then echo_not_found
fi fi
echo "" echo ""
@ -140,7 +138,6 @@ if [ "$TIMEOUT" ] && [ "$(command -v psql)" ] || [ "$DEBUG" ]; then # In some O
else echo_no else echo_no
fi fi
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{Mongo} peass{Mongo}
@ -177,9 +174,17 @@ peass{Anaconda ks}
peass{VNC} peass{VNC}
peass{OpenVPN}
peass{Ldap} peass{Ldap}
peass{OpenVPN} if [ "$PSTORAGE_LOG4SHELL" ] || [ "$DEBUG" ]; then
print_2title "Searching Log4Shell vulnerable libraries"
printf "%s\n" "$PSTORAGE_LOG4SHELL" | while read f; do
echo "$f" | grep -E "log4j\-core\-(1\.|2\.[0-9][^0-9]|2\.1[0-6])" | sed -${E} "s,log4j\-core\-(1\.|2\.[0-9][^0-9]|2\.1[0-6]),${SED_RED},";
done
echo ""
fi
#-- SI) ssh files #-- SI) ssh files
print_2title "Searching ssl/ssh files" print_2title "Searching ssl/ssh files"
@ -274,7 +279,6 @@ if [ "$pamdpass" ] || [ "$DEBUG" ]; then
print_2title "Passwords inside pam.d" print_2title "Passwords inside pam.d"
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED}," grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{NFS Exports} peass{NFS Exports}
@ -331,7 +335,6 @@ if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [
klist 2>/dev/null || echo_not_found "klist" klist 2>/dev/null || echo_not_found "klist"
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{Knockd} peass{Knockd}
@ -341,8 +344,8 @@ peass{Kibana}
peass{Elasticsearch} peass{Elasticsearch}
##-- SI) Logstash ##-- SI) Logstash
print_2title "Searching logstash files"
if [ "$PSTORAGE_LOGSTASH" ] || [ "$DEBUG" ]; then if [ "$PSTORAGE_LOGSTASH" ] || [ "$DEBUG" ]; then
print_2title "Searching logstash files"
printf "$PSTORAGE_LOGSTASH" printf "$PSTORAGE_LOGSTASH"
printf "%s\n" "$PSTORAGE_LOGSTASH" | while read d; do printf "%s\n" "$PSTORAGE_LOGSTASH" | while read d; do
if [ -r "$d/startup.options" ]; then if [ -r "$d/startup.options" ]; then
@ -352,7 +355,6 @@ if [ "$PSTORAGE_LOGSTASH" ] || [ "$DEBUG" ]; then
cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${SED_RED}," cat "$d/conf.d/out*" | grep "exec\s*{\|command\s*=>" | sed -${E} "s,exec\W*\{|command\W*=>,${SED_RED},"
cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${SED_RED}," cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -${E} "s,path\W*=>|code\W*=>|ruby\W*\{,${SED_RED},"
done done
elif [ "$DEBUG" ]; then echo_not_found
fi fi
echo "" echo ""
@ -364,7 +366,6 @@ if [ "$PSTORAGE_VAULT_SSH_HELPER" ] || [ "$DEBUG" ]; then
echo "" echo ""
vault secrets list 2>/dev/null vault secrets list 2>/dev/null
printf "%s\n" "$PSTORAGE_VAULT_SSH_TOKEN" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null printf "%s\n" "$PSTORAGE_VAULT_SSH_TOKEN" | sed -${E} "s,.*,${SED_RED}," 2>/dev/null
elif [ "$DEBUG" ]; then echo_not_found "vault-ssh-helper.hcl"
fi fi
echo "" echo ""
@ -374,7 +375,6 @@ if [ "$adhashes" ] || [ "$DEBUG" ]; then
print_2title "Searching AD cached hashes" print_2title "Searching AD cached hashes"
ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
#-- SI) Screen sessions #-- SI) Screen sessions
@ -391,7 +391,6 @@ if [ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]; then
echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW}," echo "Other user screen socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done done
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
#-- SI) Tmux sessions #-- SI) Tmux sessions
@ -408,7 +407,6 @@ if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG"
echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW}," echo "Other user tmux socket is writable: $f" | sed "s,$f,${SED_RED_YELLOW},"
done done
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{CouchDB} peass{CouchDB}
@ -431,7 +429,6 @@ if [ "$dovecotpass" ] || [ "$DEBUG" ]; then
done done
fi fi
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{Mosquitto} peass{Mosquitto}
@ -470,7 +467,6 @@ if [ "$PSTORAGE_SPLUNK" ] || [ "$SPLUNK_BIN" ] || [ "$DEBUG" ]; then
fi fi
done done
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
@ -481,7 +477,6 @@ if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED}," base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
done done
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
##-- SI) Gitlab ##-- SI) Gitlab
@ -515,7 +510,6 @@ if [ "$(command -v gitlab-rails)" ] || [ "$(command -v gitlab-backup)" ] || [ "$
echo "" echo ""
done done
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{Github} peass{Github}
@ -538,7 +532,6 @@ if [ "$containerd" ] || [ "$DEBUG" ]; then
ctr image list ctr image list
fi fi
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
##-- SI) runc installed ##-- SI) runc installed
@ -550,7 +543,6 @@ if [ "$runc" ] || [ "$DEBUG" ]; then
echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
fi fi
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
#-- SI) Docker #-- SI) Docker
@ -564,7 +556,6 @@ if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
fi fi
done done
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
if [ -d "$HOME/.kube" ] || [ -d "/etc/kubernetes" ] || [ -d "/var/lib/localkube" ] || [ "`(env | set) | grep -Ei 'kubernetes|kube' | grep -v "PSTORAGE_KUBELET|USEFUL_SOFTWARE"`" ] || [ "$DEBUG" ]; then if [ -d "$HOME/.kube" ] || [ -d "/etc/kubernetes" ] || [ -d "/var/lib/localkube" ] || [ "`(env | set) | grep -Ei 'kubernetes|kube' | grep -v "PSTORAGE_KUBELET|USEFUL_SOFTWARE"`" ] || [ "$DEBUG" ]; then
@ -595,7 +586,6 @@ if (grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q skey) || [ "
else else
ls -ld /etc/skey/ 2>/dev/null ls -ld /etc/skey/ 2>/dev/null
fi fi
elif [ "$DEBUG" ]; then echo_not_found
fi fi
echo "" echo ""
@ -610,7 +600,6 @@ if (grep "auth=" /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q yubikey) |
ls -ld /var/db/yubikey/ 2>/dev/null ls -ld /var/db/yubikey/ 2>/dev/null
fi fi
echo "" echo ""
elif [ "$DEBUG" ]; then echo_not_found
fi fi
peass{SNMP} peass{SNMP}
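Review bot: The Log4Shell block added around `if [ "$PSTORAGE_LOG4SHELL" ] || [ "$DEBUG" ]` classifies a jar purely by the version embedded in its filename, so a 2.x jar whose JndiLookup class was stripped in place (the documented mitigation for installations that cannot upgrade) is still painted red, and a 1.x jar is flagged although its exposure depends on how the appender is configured rather than on the default lookup behaviour. A one-line comment would keep readers from reading the red line as confirmed-vulnerable, e.g. `# Filename-version heuristic only: the jar is not inspected, so patched (JndiLookup removed) or shaded copies are mis-classified`. The loop should also use `while read -r f; do` so a backslash in a path is not consumed by `read`, and note that `2\.[0-9][^0-9]` requires a character after the minor version, which holds for `.jar` names but not for a bare entry like `log4j-core-2.9`. Where `unzip` is available, listing the archive for `org/apache/logging/log4j/core/lookup/JndiLookup.class` before colouring the line would remove most 2.x false positives.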


@ -84,7 +84,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
${YELLOW}-p <PORT(s)> -d <IP/NETMASK>${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139 ${YELLOW}-p <PORT(s)> -d <IP/NETMASK>${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
${YELLOW}-i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 ${YELLOW}-i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
${YELLOW}-t${BLUE} Automatic network scan (host discovery and port scanning) - This option writes to files ${YELLOW}-t${BLUE} Automatic network scan (host discovery and port scanning) - This option writes to files
$GREEN Notice${BLUE} that if you select some network action, no PE check will be performed$NC" $GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed$NC"
while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do while getopts "h?asd:p:i:P:qo:LMwNDte" opt; do
case "$opt" in case "$opt" in