############################ ## LINPEAS SPECIFICATIONS ## ############################ root_folders: - /applications #common - /bin #common - /.cache #common - /cdrom #common - /etc #common - $HOMESEARCH #common, use this instead of "/home" - /lib - /lib32 - /lib64 - /media #common - /mnt #common - /opt #common - /private #common - /run - /sbin #common - /snap #common - /srv #common - /sys - /system - /systemd - /tmp #common - /usr #common - /var #common common_file_folders: - /applications - /bin - /.cache - /cdrom - /etc - $HOMESEARCH - /media - /mnt - /opt - /private - /sbin - /snap - /srv - /tmp - /usr - /var common_directory_folders: - /applications - /bin - /.cache - /cdrom - /etc - $HOMESEARCH - /media - /mnt - /opt - /private - /sbin - /snap - /srv - /tmp - /usr - /var peas_checks: "peass{CHECKS}" peas_regexes_markup: "peass{REGEXES}" peas_extrasections_markup: "peass{EXTRA_SECTIONS}" peas_finds_markup: "peass{FINDS_HERE}" find_line_markup: "peass{FIND_PARAMS_HERE}" find_template: > `eval_bckgrd "find peass{FIND_PARAMS_HERE} 2>/dev/null | sort; printf \\\$YELLOW'. 
'\\\$NC 1>&2;"` peas_storages_markup: "peass{STORAGES_HERE}" storage_line_markup: "peass{STORAGE_PARAMS_HERE}" storage_line_extra_markup: "peass{STORAGE_PARAMS_EXTRA_HERE}" storage_template: > $(echo -e "peass{STORAGE_PARAMS_HERE}" peass{STORAGE_PARAMS_EXTRA_HERE} | sort | uniq | head -n 70) int_hidden_files_markup: "peass{INT_HIDDEN_FILES}" suidVB1_markup: "peass{SUIDVB1_HERE}" suidVB2_markup: "peass{SUIDVB2_HERE}" sudoVB1_markup: "peass{SUDOVB1_HERE}" sudoVB2_markup: "peass{SUDOVB2_HERE}" cap_setuid_markup: "peass{CAP_SETUID_HERE}" cap_setgid_markup: "peass{CAP_SETGID_HERE}" les_markup: "peass{LES}" les2_markup: "peass{LES2}" fat_linpeas_amicontained_markup: "peass{AMICONTAINED}" fat_linpeas_gitleaks_linux_markup: "peass{GITLEAKS_LINUX}" fat_linpeas_gitleaks_macos_markup: "peass{GITLEAKS_MACOS}" ############################## ## AUTO GENERATED VARIABLES ## ## FOR WINPEAS & LINPEAS ## ############################## variables_markup: "peass{VARIABLES}" variables: - name: pwd_inside_history value: "enable_autologin|7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp|^ssh|steghide|@|KEY=|TOKEN=|BEARER=|Authorization:" #################### ## DEFAULT VALUES ## #################### defaults: auto_check: False #The builder will generate a check for the file (only linpeas) bad_regex: "" #The regex used to color red. If only_bad_lines and no line_grep, then only lines containing this regex will be printed very_bad_regex: "" #The regex used to color yellow/red check_extra_path: "" #Check if the found files are in a specific path (only linpeas) good_regex: "" #The regex to color green just_list_file: False #Just mention the path to the file, do not cat it line_grep: "" #The regex to grep lines in a file. IMPORTANT: This is the argument for "grep" command so you need to specify the single and double quotes (see examples). 
Use double quotes to indicate the interesting things to grep as winpeas greps the things inside the double quotes (whatever is written here is spliced verbatim into the generated script, so unbalanced quotes break the build output rather than this file). only_bad_lines: False #Only print lines containing something red (containing bad_regex) remove_empty_lines: False #Remove empty lines, use only for text files (-I param in grep) remove_path: "" #Not interested in files containing this path (only linpeas) remove_regex: "" #Remove lines containing this regex search_in: #By default search in defined common (only linpeas) - common type: f #File by default exec: [] #Cmd to execute with the check (only linpeas). These commands run as-is on the assessed host, so keep them read-only and non-destructive ############## ## EXAMPLES ## ############## #-) In the following example PostgreSQL searches are performed: ## - auto_check is True (by default set it always to True) ## - exec is an array of sh commands to execute, in this case a command is executed to get the postgresql version ## - The file "pgadmin*.db" is searched ### - just_list_file is True, so the content of the file is not going to be read, just the path of the file will be indicated ### - type is f (file, not dir) ### - search_in is "common", so look for this file in common directories ## - The file "pg_hba.conf" is searched ### - bad_regex indicates the content of the file that if found is going to be written in red in the output ### - type is f (file, not dir) ### - remove_empty_lines is True, this indicates that empty lines of the file aren't going to be written in the output ### - remove_regex is a regex to avoid printing lines where the regex is found ### - search_in is "common", so look for this file in common directories #- name: PostgreSQL # value: # config: # auto_check: True # exec: # - 'echo "Version: $(warn_exec psql -V 2>/dev/null)"' # # files: # - name: "pgadmin*.db" # value: # type: f # just_list_file: True # search_in: # - common # # - name: "pg_hba.conf" # value: # bad_regex: "auth|password|md5|user=|pass=|trust" # type: f # remove_empty_lines: True # remove_regex: '\W+\#|^#' # search_in: # - common #-) In the following 
example Elasticsearch searches are performed: ## - auto_check is True (by default set it always to True) ## - exec is an array of sh commands to execute, in this case an HTTP request is performed to obtain the version (note that this is an active request to the local service, not a passive file read) ## - The file "elasticsearch.y*ml" is searched ### - line_grep is the grep argument to filter interesting lines ### - remove_regex is a regex to avoid printing lines where the regex is found ### - type is f (file, not dir) ### - search_in is "common", so look for this file in common directories #- name: Elasticsearch # value: # config: # auto_check: True # exec: # - echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)" # # files: # - name: "elasticsearch.y*ml" # value: # line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"' # remove_regex: '\W+\#|^#' # type: f # search_in: # - common #-) In the following example Apache searches are performed: ## - auto_check is True (by default set it always to True) ## - exec is an array of sh commands to execute during the check ## - The directory "sites-enabled" is searched ### - type is d (dir) ### - search_in is "common", so look for this file in common directories #### Inside this directory the file "*" is searched (in this case "*" will get all the files, but a more specific pattern can be used) ##### - bad_regex indicates the content of the file that if found is going to be written in red in the output ##### - only_bad_lines indicates that only lines that contain the regex indicated in bad_regex are going to be printed ##### - remove_empty_lines is True, this indicates that empty lines of the file aren't going to be written in the output ##### - remove_regex is a regex to avoid printing lines where the regex is found #- name: Apache # value: # config: # auto_check: True # exec: # - 'echo "Version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"' # - "print_3title 'PHP exec extensions'" # - 'grep -R 
-B1 "httpd-php" /etc/apache2 2>/dev/null' # # files: # - name: "sites-enabled" # value: # type: d # files: # - name: "*" # value: # bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" # only_bad_lines: True # remove_empty_lines: True # remove_regex: '^#' # search_in: # - common ############################### ## Files & folders to search ## ############################### search: - name: Systemd value: disable: - winpeas config: auto_check: False files: - name: "*.service" value: type: f search_in: - all - name: Timer value: disable: - winpeas config: auto_check: False files: - name: "*.timer" value: type: f search_in: - all - name: Socket value: disable: - winpeas config: auto_check: False files: - name: "*.socket" value: type: f search_in: - all - name: DBus value: disable: - winpeas config: auto_check: False files: - name: "system.d" value: type: d search_in: - /etc - name: MySQL value: config: auto_check: False files: - name: mysql value: type: d check_extra_path: "^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql" remove_path: "mysql/mysql" search_in: - common - name: "passwd.ibd" value: type: f search_in: - common - name: "password*.ibd" value: type: f search_in: - common - name: "pwd.ibd" value: type: f search_in: - common - name: MariaDB value: config: auto_check: True files: - name: "mariadb.cnf" value: bad_regex: "user.*|password.*" type: f remove_regex: '^#' remove_empty_lines: True search_in: - common - name: "debian.cnf" value: bad_regex: "user.*|password.*" type: f only_bad_lines: True search_in: - common - name: PostgreSQL value: config: auto_check: True exec: - 'echo "Version: $(warn_exec psql -V 2>/dev/null)"' files: - name: "pgadmin*.db" value: type: f just_list_file: True search_in: - common - name: "pg_hba.conf" value: bad_regex: "auth|password|md5|user=|pass=|trust" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: "postgresql.conf" value: bad_regex: "auth|password|md5|user=|pass=|trust" 
type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: "pgsql.conf" value: bad_regex: "auth|password|md5|user=|pass=|trust" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: Apache-Nginx value: config: auto_check: True exec: - 'echo "Apache version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"' - 'echo "Nginx version: $(warn_exec nginx -v 2>/dev/null)"' - if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'; fi - if [ -d "/usr/share/nginx/modules" ] && [ -r "/usr/share/nginx/modules" ]; then print_3title 'Nginx modules'; ls /usr/share/nginx/modules | sed -${E} "s,$NGINX_KNOWN_MODULES,${SED_GREEN},g"; fi - "print_3title 'PHP exec extensions'" files: - name: "sites-enabled" value: type: d files: - name: "*" value: bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias|command on" remove_empty_lines: True remove_regex: '#' search_in: - common - name: "000-default.conf" value: bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" remove_regex: '#' type: f search_in: - common - name: "php.ini" value: bad_regex: "On" remove_regex: "^;" line_grep: '"allow_"' type: f search_in: - common - name: PHP Sessions value: config: auto_check: True exec: - "ls /var/lib/php/sessions 2>/dev/null || echo_not_found /var/lib/php/sessions" files: - name: "sess_*" value: check_extra_path: '/tmp/.*sess_.*|/var/tmp/.*sess_.*' type: f search_in: - /tmp - /var - /mnt - /private - name: PHP_files value: config: auto_check: False files: - name: "*config*.php" value: type: f search_in: - common - name: "database.php" value: type: f search_in: - common - name: "db.php" value: type: f search_in: - common - name: "storage.php" value: type: f search_in: - common - name: "settings.php" value: type: f search_in: - common - name: Wordpress value: config: auto_check: True files: - name: "wp-config.php" value: bad_regex: 
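"PASSWORD|USER|NAME|HOST"
            only_bad_lines: True
            type: f
            search_in:
              - common

  - name: Drupal
    value:
      config:
        auto_check: True
      files:
        - name: "settings.php"
          value:
            bad_regex: "drupal_hash_salt|'database'|'username'|'password'|'host'|'port'|'driver'|'prefix'"
            check_extra_path: "/default/settings.php"
            only_bad_lines: True
            type: f
            search_in:
              - common

  - name: Moodle
    value:
      config:
        auto_check: True
      files:
        - name: "config.php"
          value:
            # dbhost was listed twice in this alternation; once is enough.
            bad_regex: "dbtype|dbhost|dbuser|dbpass|dbport"
            check_extra_path: "moodle/config.php"
            only_bad_lines: True
            type: f
            search_in:
              - common

  - name: Tomcat
    value:
      config:
        auto_check: True
      files:
        - name: "tomcat-users.xml"
          value:
            # Highlight the credential attributes of the <user .../> entries
            # selected by line_grep. The previous value
            # ("dbtype|dbhost|dbuser|dbhost|dbpass|dbport") appears to have been
            # copied from the Moodle check: it never matches tomcat-users.xml,
            # so the username=/password= lines were printed without any red
            # marking. roles= is included because the granted roles
            # (e.g. manager-gui) decide what the credentials are worth.
            bad_regex: "username=|password=|roles="
            line_grep: '"username=|password="'
            only_bad_lines: True
            type: f
            search_in:
              - common

  - name: Mongo
    value:
      config:
        auto_check: True
        exec:
          - 'echo "Version: $(warn_exec mongo --version 2>/dev/null; warn_exec mongod --version 2>/dev/null)"'
          - if [ "$(command -v mongo)" ]; then echo "show dbs" | mongo 127.0.0.1 > /dev/null 2>&1;[ "$?" 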
== "0" ] && echo "Possible mongo anonymous authentication" | sed -${E} "s,.*|kube,${SED_RED},"; fi files: - name: "mongod*.conf" value: type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: Rocketchat value: config: auto_check: True files: - name: "rocketchat.service" value: bad_regex: "mongodb://.*" line_grep: '-i "Environment"' type: f search_in: - common - /lib - /systemd - name: Supervisord value: config: auto_check: True files: - name: "supervisord.conf" value: bad_regex: "port.*=|username.*=|password.*=" only_bad_lines: True type: f search_in: - common - name: Cesi value: config: auto_check: True files: - name: "cesi.conf" value: bad_regex: "username.*=|password.*=|host.*=|port.*=|database.*=" only_bad_lines: True type: f search_in: - common - name: Rsync value: config: auto_check: True files: - name: "rsyncd.conf" value: bad_regex: "secrets.*|auth.*users.*=" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: "rsyncd.secrets" value: bad_regex: ".*" type: f search_in: - common - name: Hostapd value: config: auto_check: True files: - name: "hostapd.conf" value: bad_regex: "passphrase.*" remove_regex: '^#' remove_empty_lines: True type: f search_in: - common - name: Wifi Connections value: config: auto_check: True files: - name: "system-connections" value: files: - name: "*" value: bad_regex: "psk.*" only_bad_lines: True type: f type: d search_in: - /etc - name: PAM Auth value: config: auto_check: True files: - name: "pam.d" value: files: - name: "sshd" value: bad_regex: ".*" line_grep: '-i "auth"' remove_regex: "^#|^@" type: f type: d search_in: - /etc - name: NFS Exports value: config: auto_check: True files: - name: exports value: very_bad_regex: "no_root_squash|no_all_squash" bad_regex: "insecure" remove_regex: '\W+\#|^#' type: f search_in: - /etc - name: GlusterFS value: config: auto_check: True files: - name: "glusterfs.pem" value: type: f just_list_file: True search_in: - common - name: 
"glusterfs.ca" value: type: f just_list_file: True search_in: - common - name: "glusterfs.key" value: type: f just_list_file: True search_in: - common - name: Anaconda ks value: config: auto_check: True files: - name: "anaconda-ks.cfg" value: bad_regex: "rootpw.*" only_bad_lines: True type: f search_in: - common - name: Racoon value: config: auto_check: True files: - name: "racoon.conf" value: remove_empty_lines: True bad_regex: "pre_shared_key.*" remove_regex: '^#' type: f search_in: - common - name: "psk.txt" value: remove_empty_lines: True bad_regex: ".*" type: f search_in: - common - name: Kubernetes value: config: auto_check: True exec: - (env || set) | grep -Ei "kubernetes|kube" | grep -v "PSTORAGE_KUBERNETES|USEFUL_SOFTWARE" | sed -${E} "s,kubernetes|kube,${SED_RED}," files: - name: "kubeconfig" value: bad_regex: "server:|cluster:|namespace:|user:|exec:" type: d search_in: - common - name: "kubelet-kubeconfig" value: bad_regex: "server:|cluster:|namespace:|user:|exec:" type: d search_in: - common - name: "psk.txt" value: remove_empty_lines: True bad_regex: ".*" type: f search_in: - common - name: ".kube*" value: files: - name: "config" value: bad_regex: "server:|cluster:|namespace:|user:|exec:" type: d search_in: - common - name: "kubelet" value: files: - name: "kubelet.conf" value: bad_regex: "server:|cluster:|namespace:|user:|exec:" - name: "config.yaml" value: bad_regex: "server:|cluster:|namespace:|user:|exec:" - name: "kubeadm-flags.env" value: remove_empty_lines: True type: d search_in: - /var - name: "kube-proxy" value: type: d search_in: - /var - name: "kubernetes" value: type: d search_in: - /etc - name: VNC value: config: auto_check: True files: - name: ".vnc" value: files: - name: "passwd" value: just_list_file: True type: d search_in: - common - name: "*vnc*.c*nf*" value: bad_regex: ".*" remove_regex: '^#' type: f search_in: - common - name: "*vnc*.ini" value: just_list_file: True type: f search_in: - common - name: "*vnc*.txt" value: bad_regex: 
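".*"
            type: f
            search_in:
              - common
        - name: "*vnc*.xml"
          value:
            bad_regex: ".*"
            type: f
            search_in:
              - common

  - name: Ldap
    value:
      config:
        auto_check: True
        exec:
          - echo "The password hash is from the {SSHA} to 'structural'"
      files:
        - name: "ldap"
          value:
            files:
              - name: "*.bdb"
                value:
                  bad_regex: "administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator"
                  line_grep: '-i -a -o "description.*" | sort | uniq'
                  type: f
            type: d
            search_in:
              - common

  - name: Log4Shell
    value:
      config:
        auto_check: False
      files:
        - name: "log4j-core*.jar"
          value:
            type: f
            search_in:
              - common
              - /lib
              - /lib32
              - /lib64

  - name: OpenVPN
    value:
      config:
        auto_check: True
      files:
        - name: "*.ovpn"
          value:
            bad_regex: "auth-user-pass.+"
            only_bad_lines: True
            type: f
            search_in:
              - common

  - name: SSH
    value:
      config:
        auto_check: True
      files:
        - name: "id_dsa*"
          value:
            type: f
            search_in:
              - common
        - name: "id_rsa*"
          value:
            type: f
            search_in:
              - common
        # The other standard ssh-keygen output names (-t ecdsa / -t ed25519).
        # Without these two patterns only DSA and RSA private keys are listed,
        # so keys generated with the newer types are silently missed.
        - name: "id_ecdsa*"
          value:
            type: f
            search_in:
              - common
        - name: "id_ed25519*"
          value:
            type: f
            search_in:
              - common
        - name: "known_hosts"
          value:
            type: f
            search_in:
              - common
        - name: "authorized_hosts"
          value:
            type: f
            search_in:
              - common
        - name: "authorized_keys"
          value:
            # A from= restriction on a key is a mitigating control, hence green.
            good_regex: 'from=[\w\._\-]+'
            type: f
            search_in:
              - common

  - name: CERTSB4
    value:
      config:
        auto_check: False
      files:
        - name: "*.pem"
          value:
            type: f
            remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
            search_in:
              - common
        - name: "*.cer"
          value:
            type: f
            remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
            search_in:
              - common
        - name: "*.crt"
          value:
            type: f
            remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
            search_in:
              - common

  - name: CERTSBIN
    value:
      config:
        auto_check: False
      files:
        - name: "*.csr"
          value:
            type: f
            remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
            search_in:
              - common
        - name: "*.der"
          value:
            type: f
            remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
            search_in:
              - common

  - name: CERTSCLIENT
    value:
      config:
        auto_check: False
      files:
        - name: "*.pfx"
          value:
            type: f
            remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
            search_in:
              - 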
common - name: "*.p12" value: type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*' search_in: - common - name: SSH AGENTS value: config: auto_check: False files: - name: "agent*" value: type: f search_in: - /tmp - name: SSH_CONFIG value: config: auto_check: False files: - name: "ssh*config" value: type: f search_in: - /usr - $HOMESEARCH - name: Cloud Credentials value: config: auto_check: True files: #- name: "credentials" # value: # bad_regex: ".*" # type: f # search_in: # - common - name: "credentials.db" value: bad_regex: ".*" type: f search_in: - common - name: "legacy_credentials.db" value: bad_regex: ".*" type: f search_in: - common - name: "access_tokens.db" value: bad_regex: ".*" type: f search_in: - common - name: "access_tokens.json" value: bad_regex: ".*" type: f search_in: - common - name: "accessTokens.json" value: bad_regex: ".*" type: f search_in: - common - name: "azureProfile.json" value: bad_regex: ".*" type: f search_in: - common - name: "TokenCache.dat" value: bad_regex: ".*" type: f search_in: - common - name: "AzureRMContext.json" value: bad_regex: ".*" type: f search_in: - common - name: ".bluemix" value: files: - name: "config.json" value: bad_regex: ".*" type: d search_in: - common - name: Kerberos value: config: auto_check: False files: - name: "krb5.conf" value: type: f search_in: - common - name: "*.keytab" value: type: f search_in: - common - name: ".k5login" value: type: f search_in: - common - name: "kadm5.acl" value: type: f search_in: - common - name: "secrets.ldb" value: type: f search_in: - common - name: ".secrets.mkey" value: type: f search_in: - common - name: "sssd.conf" value: type: f search_in: - common - name: Kibana value: config: auto_check: True files: - name: "kibana.y*ml" value: bad_regex: "username|password|host|port|elasticsearch|ssl" type: f remove_empty_lines: True remove_regex: '\W+\#|^#|^[[:space:]]*$' search_in: - common - name: Knockd value: config: auto_check: True files: - name: 
"*knockd*" value: check_extra_path: "/etc/init.d/" type: f search_in: - /etc - name: Logstash value: config: auto_check: False files: - name: "logstash" value: type: d search_in: - common - name: Elasticsearch value: config: auto_check: True exec: - echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)" files: - name: "elasticsearch.y*ml" value: line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"' remove_regex: '\W+\#|^#' type: f search_in: - common - name: Vault_ssh_helper value: config: auto_check: False files: - name: "vault-ssh-helper.hcl" value: type: f search_in: - common - name: Vault_ssh_token value: config: auto_check: False files: - name: ".vault-token" value: type: f search_in: - common - name: CouchDB value: config: auto_check: True files: - name: "couchdb" value: files: - name: "local.ini" value: bad_regex: "admin.*|password.*|cert_file.*|key_file.*|hashed.*|pbkdf2.*" remove_empty_lines: True remove_regex: "^;" type: d search_in: - common - name: Redis value: config: auto_check: True files: - name: "redis.conf" value: bad_regex: "masterauth.*|requirepass.*" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: Mosquitto value: config: auto_check: True files: - name: "mosquitto.conf" value: bad_regex: "password_file.*|psk_file.*|allow_anonymous.*true|auth" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: Neo4j value: config: auto_check: True files: - name: "neo4j" value: files: - name: "auth" value: bad_regex: ".*" remove_empty_lines: True type: d search_in: - common - name: Cloud Init value: config: auto_check: True files: - name: "cloud.cfg" value: bad_regex: "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy" only_bad_lines: True type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: 
Erlang value: config: auto_check: True files: - name: ".erlang.cookie" value: bad_regex: ".*" type: f search_in: - common - name: GMV Auth value: config: auto_check: True files: - name: "gvm-tools.conf" value: bad_regex: "username.*|password.*" type: f search_in: - common - name: IPSec value: config: auto_check: True files: - name: "ipsec.secrets" value: bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*" type: f search_in: - common - name: "ipsec.conf" value: bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*" type: f search_in: - common - name: IRSSI value: config: auto_check: True files: - name: ".irssi" value: files: - name: "config" value: bad_regex: "password.*" type: d search_in: - common - name: Keyring value: config: auto_check: True files: - name: "keyrings" value: type: d search_in: - common - name: "*.keyring" value: just_list_file: True type: f search_in: - common - name: "*.keystore" value: just_list_file: True type: f search_in: - common - name: "*.jks" value: just_list_file: True type: f search_in: - common - name: Filezilla value: config: auto_check: True files: - name: "filezilla" value: files: - name: "sitemanager.xml" value: bad_regex: "Host.*|Port.*|Protocol.*|User.*|Pass.*" remove_empty_lines: True remove_regex: "^;" type: d search_in: - common - name: "filezilla.xml" value: just_list_file: True type: f search_in: - common - name: "recentservers.xml" value: just_list_file: True type: f search_in: - common - name: Backup Manager value: config: auto_check: True files: - name: "storage.php" value: bad_regex: "password|pass|user|database|host" line_grep: >- "'pass'|'password'|'user'|'database'|'host'" type: f search_in: - common - name: "database.php" value: bad_regex: "password|pass|user|database|host" line_grep: >- "'pass'|'password'|'user'|'database'|'host'" only_bad_lines: True type: f search_in: - common - name: Splunk value: config: auto_check: False files: - name: "passwd" value: type: f search_in: - common - name: GitLab value: config: 
auto_check: False files: - name: "secrets.yml" value: type: f remove_path: "/lib" search_in: - common - name: "gitlab.yml" value: type: f remove_path: "/lib" search_in: - common - name: "gitlab.rm" value: type: f remove_path: "/lib" search_in: - common - name: PGP-GPG value: config: auto_check: True exec: - '( (command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null' - '( (command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null' - '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null' files: - name: "*.pgp" value: type: f search_in: - common - name: "*.gpg" value: type: f search_in: - common - name: "*.gnupg" value: type: f remove_path: "README.gnupg" search_in: - common - name: Cache Vi value: disable: - winpeas config: auto_check: True files: - name: "*.swp" value: just_list_file: True type: f search_in: - common - name: "*.viminfo" value: just_list_file: True type: f search_in: - common - name: Docker value: config: auto_check: False files: - name: "docker.socket" value: type: f search_in: - common - name: "docker.sock" value: type: f search_in: - common - name: "Dockerfile" value: type: f search_in: - common - name: "docker-compose.yml" value: type: f search_in: - common - name: "dockershim.sock" value: type: f search_in: - common - name: "containerd.sock" value: type: f search_in: - common - name: "crio.sock" value: type: f search_in: - common - name: "frakti.sock" value: type: f search_in: - common - name: "rktlet.sock" value: type: f search_in: - common - name: Firefox value: disable: - winpeas config: auto_check: True files: - name: ".mozilla" value: files: - name: "places.sqlite" value: just_list_file: True - name: "bookmarkbackups" value: just_list_file: True - name: "formhistory.sqlite" value: just_list_file: True - name: "handlers.json" value: just_list_file: True - name: "persdict.dat" value: just_list_file: True - name: "addons.json" value: just_list_file: True - name: "cookies.sqlite" value: 
just_list_file: True - name: "cache2" value: just_list_file: True - name: "startupCache" value: just_list_file: True - name: "favicons.sqlite" value: just_list_file: True - name: "prefs.js" value: just_list_file: True - name: "downloads.sqlite" value: just_list_file: True - name: "thumbnails" value: just_list_file: True - name: "logins.json" value: just_list_file: True - name: "key4.db" value: just_list_file: True - name: "key3.db" value: just_list_file: True type: d search_in: - $HOMESEARCH - name: "Firefox" value: files: - name: "places.sqlite" value: just_list_file: True - name: "bookmarkbackups" value: just_list_file: True - name: "formhistory.sqlite" value: just_list_file: True - name: "handlers.json" value: just_list_file: True - name: "persdict.dat" value: just_list_file: True - name: "addons.json" value: just_list_file: True - name: "cookies.sqlite" value: just_list_file: True - name: "cache2" value: just_list_file: True - name: "startupCache" value: just_list_file: True - name: "favicons.sqlite" value: just_list_file: True - name: "prefs.js" value: just_list_file: True - name: "downloads.sqlite" value: just_list_file: True - name: "thumbnails" value: just_list_file: True - name: "logins.json" value: just_list_file: True - name: "key4.db" value: just_list_file: True - name: "key3.db" value: just_list_file: True type: d search_in: - $HOMESEARCH - name: Chrome value: disable: - winpeas config: auto_check: True files: - name: "google-chrome" value: files: - name: "History" value: just_list_file: True - name: "Cookies" value: just_list_file: True - name: "Cache" value: just_list_file: True - name: "Bookmarks" value: just_list_file: True - name: "Web Data" value: just_list_file: True - name: "Favicons" value: just_list_file: True - name: "Login Data" value: just_list_file: True - name: "Current Session" value: just_list_file: True - name: "Current Tabs" value: just_list_file: True - name: "Last Session" value: just_list_file: True - name: "Last Tabs" value: 
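# NOTE(review): this block was collapsed onto a few long lines; it is restored
# here as 2-space block YAML. The first three file entries below close a
# browser profile directory entry whose header (name/value/files) sits above
# this block. Fixes applied (each one is commented at the spot): the Safari
# bookmarks file name, the "[N]" class in the .env regex, and the
# "detabase_hostname" token in the Cacti line_grep.
                  just_list_file: True
              - name: "Extensions"
                value:
                  just_list_file: True
              - name: "Thumbnails"
                value:
                  just_list_file: True
              - name: "Preferences"
                value:
                  just_list_file: True
            type: d
            search_in:
              - $HOMESEARCH
        # Chrome profile store: every entry is listed only (just_list_file),
        # never printed, so no credential material ends up in the report.
        - name: "Chrome"
          value:
            files:
              - name: "History"
                value:
                  just_list_file: True
              - name: "Cookies"
                value:
                  just_list_file: True
              - name: "Cache"
                value:
                  just_list_file: True
              - name: "Bookmarks"
                value:
                  just_list_file: True
              - name: "Web Data"
                value:
                  just_list_file: True
              - name: "Favicons"
                value:
                  just_list_file: True
              - name: "Login Data"
                value:
                  just_list_file: True
              - name: "Current Session"
                value:
                  just_list_file: True
              - name: "Current Tabs"
                value:
                  just_list_file: True
              - name: "Last Session"
                value:
                  just_list_file: True
              - name: "Last Tabs"
                value:
                  just_list_file: True
              - name: "Extensions"
                value:
                  just_list_file: True
              - name: "Thumbnails"
                value:
                  just_list_file: True
              - name: "Preferences"
                value:
                  just_list_file: True
            type: d
            search_in:
              - $HOMESEARCH
  # Opera keeps a Chromium-style profile; same file set as Chrome, listed only.
  - name: Opera
    value:
      disable:
        - winpeas
      config:
        auto_check: True
      files:
        - name: "com.operasoftware.Opera"
          value:
            files:
              - name: "History"
                value:
                  just_list_file: True
              - name: "Cookies"
                value:
                  just_list_file: True
              - name: "Cache"
                value:
                  just_list_file: True
              - name: "Bookmarks"
                value:
                  just_list_file: True
              - name: "Web Data"
                value:
                  just_list_file: True
              - name: "Favicons"
                value:
                  just_list_file: True
              - name: "Login Data"
                value:
                  just_list_file: True
              - name: "Current Session"
                value:
                  just_list_file: True
              - name: "Current Tabs"
                value:
                  just_list_file: True
              - name: "Last Session"
                value:
                  just_list_file: True
              - name: "Last Tabs"
                value:
                  just_list_file: True
              - name: "Extensions"
                value:
                  just_list_file: True
              - name: "Thumbnails"
                value:
                  just_list_file: True
              - name: "Preferences"
                value:
                  just_list_file: True
            type: d
            search_in:
              - $HOMESEARCH
  - name: Safari
    value:
      disable:
        - winpeas
      config:
        auto_check: True
      files:
        - name: "Safari"
          value:
            files:
              - name: "History.db"
                value:
                  just_list_file: True
              - name: "Downloads.plist"
                value:
                  just_list_file: True
              # NOTE(review): was "Book-marks.plist"; Safari stores its
              # bookmarks in Bookmarks.plist, so the hyphenated name never
              # matched anything.
              - name: "Bookmarks.plist"
                value:
                  just_list_file: True
              - name: "TopSites.plist"
                value:
                  just_list_file: True
              - name: "UserNotificationPermissions.plist"
                value:
                  just_list_file: True
              - name: "LastSession.plist"
                value:
                  just_list_file: True
            type: d
            search_in:
              - $HOMESEARCH
  # Autologin config files: only the presence of "passwd" is highlighted.
  - name: Autologin
    value:
      disable:
        - winpeas
      config:
        auto_check: True
      files:
        - name: "autologin"
          value:
            bad_regex: "passwd"
            type: f
            search_in:
              - common
        - name: "autologin.conf"
          value:
            bad_regex: "passwd"
            type: f
            search_in:
              - common
  - name: FastCGI
    value:
      config:
        auto_check: True
      files:
        - name: "fastcgi_params"
          value:
            bad_regex: "DB_NAME|DB_USER|DB_PASS"
            only_bad_lines: True
            type: f
            search_in:
              - common
  - name: SNMP
    value:
      config:
        auto_check: True
      files:
        - name: "snmpd.conf"
          value:
            bad_regex: "rocommunity|rwcommunity|extend.*"
            only_bad_lines: True
            type: f
            search_in:
              - common
  - name: Pypirc
    value:
      config:
        auto_check: True
      files:
        - name: ".pypirc"
          value:
            bad_regex: "username|password"
            type: f
            search_in:
              - common
  - name: Postfix
    value:
      config:
        auto_check: True
      files:
        - name: "postfix"
          value:
            files:
              - name: "master.cf"
                value:
                  bad_regex: "user=|argv="
                  remove_empty_lines: True
                  # line_grep is passed verbatim to grep, hence the inner quotes.
                  line_grep: '"user="'
            type: d
            search_in:
              - common
  - name: CloudFlare
    value:
      config:
        auto_check: True
      files:
        - name: ".cloudflared"
          value:
            type: d
            just_list_file: True
            search_in:
              - common
  # Shell history files; $pwd_inside_history is the shared variable defined
  # in the "variables" section at the top of this file.
  - name: History
    value:
      config:
        auto_check: False
      files:
        - name: '*_history*'
          value:
            bad_regex: "$pwd_inside_history"
            line_grep: '-a "$pwd_inside_history"'
            type: f
            search_in:
              - common
  - name: Http_conf
    value:
      config:
        auto_check: True
      files:
        - name: "httpd.conf"
          value:
            bad_regex: "htaccess.*|htpasswd.*"
            only_bad_lines: True
            remove_regex: '\W+\#|^#'
            remove_empty_lines: True
            type: f
            search_in:
              - common
  - name: Htpasswd
    value:
      config:
        auto_check: True
      files:
        - name: ".htpasswd"
          value:
            bad_regex: ".*"
            remove_regex: '^#'
            remove_empty_lines: True
            type: f
            search_in:
              - common
  - name: Ldaprc
    value:
      config:
        auto_check: True
      files:
        - name: ".ldaprc"
          value:
            bad_regex: ".*"
            remove_regex: '^#'
            remove_empty_lines: True
            type: f
            search_in:
              - common
  - name: Env
    value:
      config:
        auto_check: True
      files:
        - name: ".env"
          value:
            # NOTE(review): the last class of "token" was "[N]", which only
            # matched an upper-case N; made it "[nN]" like the other letters.
            bad_regex: "[pP][aA][sS][sS].*|[tT][oO][kK][eE][nN]|[dD][bB]"
            remove_regex: '^#'
            remove_empty_lines: True
            type: f
            search_in:
              - common
  - name: Msmtprc
    value:
      config:
        auto_check: True
      files:
        - name: ".msmtprc"
          value:
            bad_regex: "user.*|password.*"
            remove_regex: '^#'
            remove_empty_lines: True
            type: f
            search_in:
              - common
  - name: InfluxDB
    value:
      config:
        auto_check: True
      files:
        - name: "influxdb.conf"
          value:
            bad_regex: "auth-enabled.*=.*false|token|https-private-key"
            remove_regex: '^#'
            remove_empty_lines: True
            type: f
            search_in:
              - common
  - name: Zabbix
    value:
      config:
        auto_check: True
      files:
        - name: "zabbix_server.conf"
          value:
            bad_regex: "DBName|DBUser|DBPassword"
            remove_regex: '^#'
            remove_empty_lines: True
            type: f
            search_in:
              - common
        - name: "zabbix_agentd.conf"
          value:
            bad_regex: "TLSPSKFile|psk"
            remove_regex: '^#'
            remove_empty_lines: True
            type: f
            search_in:
              - common
        - name: "zabbix"
          value:
            files:
              - name: "*.psk"
                value:
                  bad_regex: ".*"
                  remove_empty_lines: True
            type: d
            search_in:
              - common
  - name: Github
    value:
      config:
        auto_check: True
      files:
        # NOTE(review): ".github" is a directory, and ".git" is a directory
        # except in worktrees/submodules where it is a gitfile; with "type: f"
        # these two entries will rarely match. Consider "type: d" (or both).
        - name: ".github"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".gitconfig"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".git-credentials"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".git"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
  - name: Svn
    value:
      config:
        auto_check: True
      files:
        - name: ".svn"
          value:
            just_list_file: True
            type: d
            search_in:
              - common
  - name: Keepass
    value:
      config:
        auto_check: True
      files:
        - name: "*.kdbx"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "KeePass.config*"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "KeePass.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "KeePass.enforced*"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
  - name: Pre-Shared Keys
    value:
      config:
        auto_check: True
      files:
        - name: "*.psk"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
  - name: Pass Store Directories
    value:
      config:
        auto_check: True
      files:
        - name: ".password-store"
          value:
            just_list_file: True
            type: d
            search_in:
              - common
  - name: FTP
    value:
      config:
        auto_check: True
      files:
        - name: "*.ftpconfig"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "ffftp.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "ftp.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "ftp.config"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "sites.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "wcx_ftp.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "winscp.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "ws_ftp.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
  - name: Bind
    value:
      config:
        auto_check: True
      files:
        - name: "bind"
          value:
            files:
              - name: "*"
                value:
                  just_list_file: True
              - name: "*.key"
                value:
                  bad_regex: ".*"
                  remove_empty_lines: True
                  remove_regex: '^#'
            type: d
            # Deliberately not "common": searching home directories yields
            # false positives for a directory simply named "bind".
            search_in:
              - /etc
              - /var
              - /usr
  - name: SeedDMS
    value:
      config:
        auto_check: True
      files:
        - name: "seeddms*"
          value:
            files:
              - name: "settings.xml"
                value:
                  bad_regex: "[pP][aA][sS][sS]"
                  line_grep: '"="'
            type: d
            search_in:
              - common
  - name: Ddclient
    value:
      config:
        auto_check: True
      files:
        - name: "ddclient.conf"
          value:
            bad_regex: ".*password.*"
            type: f
            search_in:
              - common
  - name: kcpassword
    value:
      config:
        auto_check: False
      files:
        - name: "kcpassword"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
  - name: Sentry
    value:
      config:
        auto_check: True
      files:
        - name: "sentry"
          value:
            files:
              - name: "config.yml"
                value:
                  # NOTE(review): a leading "*" has nothing to repeat in an
                  # extended regex; ".*key.*" is probably what was intended.
                  bad_regex: "*key*"
                  remove_empty_lines: True
                  remove_regex: '^#'
            type: d
            search_in:
              - common
        - name: "sentry.conf.py"
          value:
            bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*"
            remove_empty_lines: True
            remove_regex: '^#'
            type: f
            search_in:
              - common
  - name: Strapi
    value:
      config:
        auto_check: True
      files:
        - name: "environments"
          value:
            files:
              - name: "custom.json"
                value:
                  bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
                  remove_empty_lines: True
              - name: "database.json"
                value:
                  bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
                  remove_empty_lines: True
              - name: "request.json"
                value:
                  bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
                  remove_empty_lines: True
              - name: "response.json"
                value:
                  bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
                  remove_empty_lines: True
              - name: "security.json"
                value:
                  bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
                  remove_empty_lines: True
              - name: "server.json"
                value:
                  bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
                  remove_empty_lines: True
            type: d
            search_in:
              - common
  - name: Cacti
    value:
      config:
        auto_check: True
      files:
        - name: "cacti"
          value:
            files:
              # NOTE(review): the line_grep token "detabase_hostname" was a
              # typo for "database_hostname" (fixed in all four entries), so
              # the hostname line was never selected.
              - name: "config.php"
                value:
                  bad_regex: "database_pw.*|database_user.*|database_pass.*"
                  line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
              - name: "config.php.dist"
                value:
                  bad_regex: "database_pw.*|database_user.*|database_pass.*"
                  line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
              - name: "installer.php"
                value:
                  bad_regex: "database_pw.*|database_user.*|database_pass.*"
                  line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
              - name: "check_all_pages"
                value:
                  bad_regex: "database_pw.*|database_user.*|database_pass.*"
                  line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
            type: d
            search_in:
              - common
  - name: Roundcube
    value:
      config:
        auto_check: True
      files:
        - name: "roundcube"
          value:
            files:
              - name: "config.inc.php"
                value:
                  bad_regex: "db_dsnw"
                  line_grep: '"config\["'
            type: d
            search_in:
              - common
  - name: Passbolt
    value:
      config:
        auto_check: True
      files:
        - name: "passbolt.php"
          value:
            bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*"
            line_grep: '"host|port|username|password|database"'
            remove_empty_lines: True
            remove_regex: '^#'
            type: f
            search_in:
              - common
  - name: Jetty
    value:
      config:
        auto_check: True
      files:
        - name: "jetty-realm.properties"
          value:
            bad_regex: ".*"
            remove_empty_lines: True
            remove_regex: '^#'
            type: f
            search_in:
              - common
  - name: Wget
    value:
      config:
        auto_check: True
      files:
        - name: ".wgetrc"
          value:
            bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*"
            remove_empty_lines: True
            remove_regex: '^#'
            type: f
            search_in:
              - common
  - name: Interesting logs
    value:
      config:
        auto_check: True
      files:
        - name: "access.log"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "error.log"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
  - name: Other Interesting
    value:
      config:
        auto_check: True
      files:
        - name: ".bashrc"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".google_authenticator"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "hosts.equiv"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".lesshst"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".plan"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".profile"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".recently-used.xbel"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".rhosts"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: ".sudo_as_admin_successful"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
  # Windows-origin files that may survive on mounted or migrated filesystems.
  # NOTE(review): sites.ini, wcx_ftp.ini, winscp.ini and ws_ftp.ini are also
  # listed under FTP above, so they are searched and reported twice.
  - name: Windows
    value:
      config:
        auto_check: True
      files:
        - name: "unattend.inf"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "*.rdg"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "AppEvent.Evt"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "ConsoleHost_history.txt"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "FreeSSHDservice.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "NetSetup.log"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "Ntds.dit"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "protecteduserkey.bin"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "RDCMan.settings"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "SAM"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "SYSTEM"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "SecEvent.Evt"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "appcmd.exe"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "bash.exe"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "datasources.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "default.sav"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "drives.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "groups.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "https-xampp.conf"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "https.conf"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "iis6.log"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "index.dat"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "my.cnf"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "my.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "ntuser.dat"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "pagefile.sys"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "printers.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "recentservers.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "scclient.exe"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "scheduledtasks.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "security.sav"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "server.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "setupinfo"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "setupinfo.bak"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "sitemanager.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "sites.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "software"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "software.sav"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "sysprep.inf"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "sysprep.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "system.sav"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "unattend.txt"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "unattend.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "unattended.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "wcx_ftp.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "ws_ftp.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "web*.config"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "winscp.ini"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "wsl.exe"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
  # Generic names ("security", "system") that are too noisy on Linux, hence
  # disabled for linpeas.
  - name: Other Windows
    value:
      config:
        auto_check: True
      disable:
        - linpeas
      files:
        - name: "security"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "services.xml"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "system"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
  # Final section
  # Broad catch-all patterns; remove_path prunes documentation and cache trees.
  - name: Database
    value:
      config:
        auto_check: False
      files:
        - name: "*.db"
          value:
            remove_path: "/man/|/usr/|/var/cache/"
            type: f
            search_in:
              - common
        - name: "*.sqlite"
          value:
            remove_path: "/man/|/usr/|/var/cache/"
            type: f
            search_in:
              - common
        - name: "*.sqlite3"
          value:
            remove_path: "/man/|/usr/|/var/cache/"
            type: f
            search_in:
              - common
  - name: Backups
    value:
      config:
        auto_check: False
      files:
        - name: "backup"
          value:
            type: f
            search_in:
              - common
        - name: "backups"
          value:
            type: f
            search_in:
              - common
  - name: Password Files
    value:
      config:
        auto_check: False
      files:
        - name: "*password*"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "*credential*"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "creds*"
          value:
            just_list_file: True
            type: f
            search_in:
              - common
        - name: "*.key"
          value:
            just_list_file: True
            type: f
            search_in:
              - common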