darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

linpeasv3.2.6

Browse Source
This commit is contained in:
Carlos Polop 2021-06-24 21:43:17 +02:00
parent af6c3b09da
commit ae7fa59063
3 changed files with 50 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
build_lists/sensitive_files.yaml
View File

@ -211,7 +211,7 @@ search:
bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
only_bad_lines: True only_bad_lines: True
remove_empty_lines: True remove_empty_lines: True
remove_regex: "^#" remove_regex: '^#'
search_in: search_in:
- common - common
@ -477,7 +477,7 @@ search:
search_in: search_in:
- common - common
Open VPN: Open_VPN:
config: config:
auto_check: True auto_check: True
@ -613,7 +613,7 @@ search:
- /usr - /usr
- $HOMESEARCH - $HOMESEARCH
Cloud credentials: Cloud_credentials:
config: config:
auto_check: True auto_check: True
@ -984,7 +984,7 @@ search:
search_in: search_in:
- common - common
Backup Manager: Backup_Manager:
config: config:
auto_check: True auto_check: True
@ -1361,7 +1361,7 @@ search:
? ".htpasswd" ? ".htpasswd"
: :
bad_regex: ".*" bad_regex: ".*"
remove_regex: "^#" remove_regex: '^#'
remove_empty_lines: True remove_empty_lines: True
type: f type: f
search_in: search_in:
@ -1375,7 +1375,7 @@ search:
? ".ldaprc" ? ".ldaprc"
: :
bad_regex: ".*" bad_regex: ".*"
remove_regex: "^#" remove_regex: '^#'
remove_empty_lines: True remove_empty_lines: True
type: f type: f
search_in: search_in:
@ -1389,7 +1389,7 @@ search:
? ".env" ? ".env"
: :
bad_regex: "[pP][aA][sS][sS].*" bad_regex: "[pP][aA][sS][sS].*"
remove_regex: "^#" remove_regex: '^#'
remove_empty_lines: True remove_empty_lines: True
type: f type: f
search_in: search_in:
@ -1403,7 +1403,7 @@ search:
? ".msmtprc" ? ".msmtprc"
: :
bad_regex: "user.*|password.*" bad_regex: "user.*|password.*"
remove_regex: "^#" remove_regex: '^#'
remove_empty_lines: True remove_empty_lines: True
type: f type: f
search_in: search_in:
@ -1543,7 +1543,7 @@ search:
: :
bad_regex: ".*" bad_regex: ".*"
remove_empty_lines: True remove_empty_lines: True
remove_regex: "^#" remove_regex: '^#'
type: d type: d
search_in: search_in:
- common - common
@ -1576,7 +1576,7 @@ search:
search_in: search_in:
- common - common
Interesting logs: Interesting_logs:
config: config:
auto_check: True auto_check: True
@ -1595,7 +1595,7 @@ search:
search_in: search_in:
- common - common
Other Interesting Files: Other_Interesting_Files:
config: config:
auto_check: True auto_check: True

2
linPEAS/README.md
View File

@ -73,6 +73,7 @@ By default linpeas takes around **2 mins** to complete, but It could take from *
- **-a** (all checks) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.** - **-a** (all checks) - This will **execute also the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using `su` with the top2000 passwords.**
- **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk) - **-s** (superfast & stealth) - This will bypass some time consuming checks - **Stealth mode** (Nothing will be written to disk)
- **-P** (Password) - Pass a password that will be used with `sudo -l` and bruteforcing other users - **-P** (Password) - Pass a password that will be used with `sudo -l` and bruteforcing other users
- **-v** (verbose) - Print information about the checks that haven't discovered anything and about the time each check took
This script has **several lists** included inside of it to be able to **color the results** in order to highlight PE vector. This script has **several lists** included inside of it to be able to **color the results** in order to highlight PE vector.
@ -321,7 +322,6 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
- Add more checks - Add more checks
- Mantain updated the list of vulnerable SUID binaries - Mantain updated the list of vulnerable SUID binaries
- Mantain updated all the blacklists used to color the output - Mantain updated all the blacklists used to color the output
- Support for MacOS
If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**. If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues) or you can submit a pull request**.

65
linPEAS/builder/linpeas_base.sh
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
VERSION="v3.2.5" VERSION="v3.2.6"
ADVISORY="This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission." ADVISORY="This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission."
########################################### ###########################################
@ -56,6 +56,7 @@ CHECKS="SysI,Container,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI,IntFiles"
WAIT="" WAIT=""
PASSWORD="" PASSWORD=""
NOCOLOR="" NOCOLOR=""
VERBOSE=""
THREADS="`((grep -c processor /proc/cpuinfo 2>/dev/null) || ((command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n"`" THREADS="`((grep -c processor /proc/cpuinfo 2>/dev/null) || ((command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n"`"
[ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2 [ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
[ -n "$THREADS" ] && eTHREADS="2" #If THREADS is null, put number 2 [ -n "$THREADS" ] && eTHREADS="2" #If THREADS is null, put number 2
@ -69,6 +70,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
${YELLOW}-w${BLUE} Wait execution between big blocks ${YELLOW}-w${BLUE} Wait execution between big blocks
${YELLOW}-n${BLUE} Do not export env variables related with history and do not check Internet connectivity ${YELLOW}-n${BLUE} Do not export env variables related with history and do not check Internet connectivity
${YELLOW}-N${BLUE} Do not use colours ${YELLOW}-N${BLUE} Do not use colours
${YELLOW}-v${BLUE} Verbose execution
${YELLOW}-P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' ${YELLOW}-P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
${YELLOW}-o${BLUE} Only execute selected checks (SysI, Container, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles). Select a comma separated list. ${YELLOW}-o${BLUE} Only execute selected checks (SysI, Container, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles). Select a comma separated list.
${YELLOW}-L${BLUE} Force linpeas execution. ${YELLOW}-L${BLUE} Force linpeas execution.
@ -78,7 +80,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
${YELLOW}-i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080 ${YELLOW}-i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
$GREEN Notice${BLUE} that if you select some network action, no PE check will be performed$NC" $GREEN Notice${BLUE} that if you select some network action, no PE check will be performed$NC"
while getopts "h?asnd:p:i:P:qo:LMwN" opt; do while getopts "h?asnd:p:i:P:qo:LMwNv" opt; do
case "$opt" in case "$opt" in
h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;; h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;;
a) FAST="";; a) FAST="";;
@ -94,6 +96,7 @@ while getopts "h?asnd:p:i:P:qo:LMwN" opt; do
M) MACPEAS="1";; M) MACPEAS="1";;
w) WAIT=1;; w) WAIT=1;;
N) NOCOLOR="1";; N) NOCOLOR="1";;
v) VERBOSE="1";;
esac esac
done done
@ -532,7 +535,9 @@ fi
########################################### ###########################################
echo_not_found (){ echo_not_found (){
printf $DG"$1 Not Found\n"$NC if [ "$VERBOSE" ]; then
printf $DG"$1 Not Found\n"$NC
fi
} }
warn_exec(){ warn_exec(){
@ -544,32 +549,38 @@ echo_no (){
} }
print_title(){ print_title(){
END_T2_TIME=`date +%s 2>/dev/null` if [ "$VERBOSE" ]; then
if [ "$START_T2_TIME" ]; then END_T2_TIME=`date +%s 2>/dev/null`
TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME)) if [ "$START_T2_TIME" ]; then
printf $DG"This check took $TOTAL_T2_TIME seconds\n"$NC TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME))
printf $DG"This check took $TOTAL_T2_TIME seconds\n"$NC
fi
END_T1_TIME=`date +%s 2>/dev/null`
if [ "$START_T1_TIME" ]; then
TOTAL_T1_TIME=$(($END_T1_TIME - $START_T1_TIME))
printf $DG"The total section execution took $TOTAL_T1_TIME seconds\n"$NC
echo ""
fi
START_T1_TIME=`date +%s 2>/dev/null`
fi fi
END_T1_TIME=`date +%s 2>/dev/null`
if [ "$START_T1_TIME" ]; then
TOTAL_T1_TIME=$(($END_T1_TIME - $START_T1_TIME))
printf $DG"The total section execution took $TOTAL_T1_TIME seconds\n"$NC
echo ""
fi
START_T1_TIME=`date +%s 2>/dev/null`
printf ${BLUE}"════════════════════════════════════╣ "$GREEN"$1"${BLUE}" ╠════════════════════════════════════\n"$NC printf ${BLUE}"════════════════════════════════════╣ "$GREEN"$1"${BLUE}" ╠════════════════════════════════════\n"$NC
} }
print_2title(){ print_2title(){
END_T2_TIME=`date +%s 2>/dev/null` if [ "$VERBOSE" ]; then
if [ "$START_T2_TIME" ]; then END_T2_TIME=`date +%s 2>/dev/null`
TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME)) if [ "$START_T2_TIME" ]; then
printf $DG"This check took $TOTAL_T2_TIME seconds\n"$NC TOTAL_T2_TIME=$(($END_T2_TIME - $START_T2_TIME))
echo "" printf $DG"This check took $TOTAL_T2_TIME seconds\n"$NC
echo ""
fi
START_T2_TIME=`date +%s 2>/dev/null`
fi fi
START_T2_TIME=`date +%s 2>/dev/null`
printf ${BLUE}"╔══════════╣ "$GREEN"$1\n"$NC #There are 10 "═" printf ${BLUE}"╔══════════╣ "$GREEN"$1\n"$NC #There are 10 "═"
} }
@ -1962,7 +1973,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
peass{Ldap} peass{Ldap}
peass{Open VPN} peass{Open_VPN}
#-- SI) ssh files #-- SI) ssh files
print_2title "Searching ssl/ssh files" print_2title "Searching ssl/ssh files"
@ -2181,7 +2192,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
peass{Neo4j} peass{Neo4j}
peass{Cloud credentials} peass{Cloud_credentials}
peass{Cloud-Init} peass{Cloud-Init}
@ -2199,7 +2210,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
peass{Filezilla} peass{Filezilla}
peass{Backup Manager} peass{Backup_Manager}
##-- SI) passwd files (splunk) ##-- SI) passwd files (splunk)
print_2title "Searching uncommon passwd files (splunk)" print_2title "Searching uncommon passwd files (splunk)"
@ -2337,11 +2348,11 @@ if [ "`echo $CHECKS | grep SofI`" ]; then
peass{EXTRA_SECTIONS} peass{EXTRA_SECTIONS}
peass{Interesting logs} peass{Interesting_logs}
peass{Windows Files} peass{Windows_Files}
peass{Other Interesting Files} peass{Other_Interesting_Files}
echo "" echo ""