This commit is contained in:
carlospolop 2019-07-03 21:11:31 +02:00
parent 0a72afdb9e
commit f9cfdd2004
2 changed files with 53 additions and 8 deletions


@ -12,7 +12,7 @@ This script does not have any dependency.
There is no need even for bash shell, **it runs using /bin/sh**. There is no need even for bash shell, **it runs using /bin/sh**.
It could take from **2 to 3 minutes** to execute the hole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside all the accesible files of the system and 1 min to monitor the processes in order to find very frequent cron jobs). It could take from **2 to 3 minutes** to execute the whole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside all the accesible files of the system and 1 min to monitor the processes in order to find very frequent cron jobs).
This script has several lists included inside of it to be able to color the results in order to discover PE vector. This script has several lists included inside of it to be able to color the results in order to discover PE vector.
@ -128,6 +128,8 @@ file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm
- [x] AWS (Files with AWS keys) - [x] AWS (Files with AWS keys)
- [x] NFS (privilege escalation misconfiguration) - [x] NFS (privilege escalation misconfiguration)
- [x] Kerberos (configuration & tickets in /tmp) - [x] Kerberos (configuration & tickets in /tmp)
- [x] Kibana (credentials)
- [x] Logstash (Username and possible code execution)
- **Generic Interesting Files** - **Generic Interesting Files**


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
VERSION="v1.1.2" VERSION="v1.1.3"
C=$(printf '\033') C=$(printf '\033')
RED="${C}[1;31m" RED="${C}[1;31m"
@ -461,6 +461,14 @@ if [ "$apachever" ]; then
echo "" >> $file echo "" >> $file
fi fi
#php coockies files
phpcookies=`ls /var/lib/php/sessions 2>/dev/null`
if [ "$phpcookies" ]; then
printf $Y"[+] "$GREEN"PHPCookies where found\n"$NC >> $file
ls /var/lib/php/sessions 2>/dev/null >> $file
echo "" >> $file
fi
#Wordpress user, password, databname and host #Wordpress user, password, databname and host
wp=`find /var /etc /home /root /tmp /usr /opt -type f -name wp-config.php 2>/dev/null` wp=`find /var /etc /home /root /tmp /usr /opt -type f -name wp-config.php 2>/dev/null`
if [ "$wp" ]; then if [ "$wp" ]; then
@ -618,6 +626,26 @@ if [ "$krbtickets" ]; then
echo "" >> $file echo "" >> $file
fi fi
#Kibana
if [ -f "/etc/kibana/kibana.yml" ]; then
printf $Y"[+] "$GREEN"Found Kibana: /etc/kibana/kibana.yml\n"$NC >> $file
cat /etc/kibana/kibana.yml | grep -v "^#" | grep -v -e '^[[:space:]]*$' | sed "s,username\|password\|host\|port\|elasticsearch\|ssl,${C}[1;31m&${C}[0m," >> $file
echo "" >> $file
fi
#Logstash
if [ -d "/etc/logstash" ]; then
printf $Y"[+] "$GREEN"Found Logstash: /etc/logstash\n"$NC >> $file
if [ -r /etc/logstash/startup.options ]; then
echo "Logstash is running as user:" >> $file
cat /etc/logstash/startup.options 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;95m&${C}[0m," | sed "s,root,${C}[1;31m&${C}[0m," >> $file
fi
cat /etc/logstash/conf.d/out* | grep "exec\s*{\|command\s*=>" | sed "s,exec\s*{\|command\s*=>,${C}[1;31m&${C}[0m," >> $file
cat /etc/logstash/conf.d/filt* | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed "s,path\s*=>\|code\s*=>\|ruby\s*{,${C}[1;31m&${C}[0m," >> $file
echo "" >> $file
fi
echo "" >> $file echo "" >> $file
printf $B"[*] "$GREEN"Gathering files information...\n"$NC printf $B"[*] "$GREEN"Gathering files information...\n"$NC
printf $B"[*] "$GREEN"GENERAL INTERESTING FILES\n"$NC >> $file printf $B"[*] "$GREEN"GENERAL INTERESTING FILES\n"$NC >> $file
@ -672,12 +700,27 @@ printf $Y"[+] "$GREEN".sh files in path\n"$NC >> $file
for d in `echo $PATH | tr ":" "\n"`; do find $d -name "*.sh" 2>/dev/null | sed "s,$pathshG,${C}[1;32m&${C}[0m," >> $file ; done for d in `echo $PATH | tr ":" "\n"`; do find $d -name "*.sh" 2>/dev/null | sed "s,$pathshG,${C}[1;32m&${C}[0m," >> $file ; done
echo "" >> $file echo "" >> $file
printf $Y"[+] "$GREEN"Hashes inside passwd file? Readable shadow file, or /root?\n"$NC >> $file hashespasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null`
printf $B"[i] "$Y"Try to crack the hashes\n"$NC >> $file if [ "$hashespasswd" ]; then
grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," >> $file printf $Y"[+] "$GREEN"Hashes inside passwd file\n"$NC >> $file
cat /etc/shadow /etc/master.passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," >> $file printf $B"[i] "$Y"Try to crack the hashes\n"$NC >> $file
ls -ahl /root/ 2>/dev/null >> $file for h in $hashespasswd; do echo $h | sed "s,.*,${C}[1;31m&${C}[0m," >> $file; done
echo "" >> $file echo "" >> $file
fi
shadowread=`cat /etc/shadow /etc/master.passwd 2>/dev/null`
if [ "$shadowread" ]; then
printf $Y"[+] "$GREEN"Readable Shadow file\n"$NC >> $file
cat /etc/shadow /etc/master.passwd 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," >> $file
echo "" >> $file
fi
rootread=`ls -ahl /root/ 2>/dev/null`
if [ "$rootread" ]; then
printf $Y"[+] "$GREEN"Readable /root\n"$NC >> $file
ls -ahl /root/ 2>/dev/null >> $file
echo "" >> $file
fi
printf $Y"[+] "$GREEN"Files inside \$HOME (limit 20)\n"$NC >> $file printf $Y"[+] "$GREEN"Files inside \$HOME (limit 20)\n"$NC >> $file
ls -la $HOME 2>/dev/null | head -n 23 >> $file ls -la $HOME 2>/dev/null | head -n 23 >> $file
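Review bot: In the passwd-hash block, `for h in $hashespasswd; do echo $h | sed ...` word-splits each passwd entry on whitespace, so an entry whose GECOS field contains a space is emitted as several fragments, and the unquoted `$h` is also subject to pathname expansion under /bin/sh. The loop is unnecessary because sed already colours per line; the previous version piped the grep output straight through, and the same can be done with the captured variable: `printf '%s\n' "$hashespasswd" | sed "s,.*,${C}[1;31m&${C}[0m," >> $file`. Separately, in the Logstash block the `cat /etc/logstash/conf.d/out*` and `conf.d/filt*` reads lack the `2>/dev/null` that the rest of the script (and the startup.options line just above them) uses, so a conf.d without matching files prints an error to the terminal instead of into $file. The `\s` used in those grep and sed patterns is a GNU extension, so on a non-GNU grep/sed the lines may simply not match, which seems at odds with the README's "runs using /bin/sh, no dependency" claim in the first file.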