############################ ## LINPEAS SPECIFICATIONS ## ############################ root_folders: - /applications #common - /bin #common - /.cache #common - /cdrom #common - /etc #common - $HOMESEARCH #common, use this instead of "/home" - /lib - /lib32 - /lib64 - /media #common - /mnt #common - /opt #common - /private #common - /run - /sbin #common - /snap #common - /srv #common - /sys - /system - /systemd - /tmp #common - /usr #common - /var #common common_file_folders: - /applications - /bin - /.cache - /cdrom - /etc - $HOMESEARCH - /media - /mnt - /opt - /private - /sbin - /snap - /srv - /tmp - /usr - /var common_directory_folders: - /applications - /bin - /.cache - /cdrom - /etc - $HOMESEARCH - /media - /mnt - /opt - /private - /sbin - /snap - /srv - /tmp - /usr - /var peas_checks: "peass{CHECKS}" peas_regexes_markup: "peass{REGEXES}" peas_extrasections_markup: "peass{EXTRA_SECTIONS}" peas_finds_markup: "peass{FINDS_HERE}" find_line_markup: "peass{FIND_PARAMS_HERE}" find_template: > `eval_bckgrd "find peass{FIND_PARAMS_HERE} 2>/dev/null | sort; printf \\\$YELLOW'. 
'\\\$NC 1>&2;"` peas_storages_markup: "peass{STORAGES_HERE}" storage_line_markup: "peass{STORAGE_PARAMS_HERE}" storage_line_extra_markup: "peass{STORAGE_PARAMS_EXTRA_HERE}" storage_template: > $(echo -e "peass{STORAGE_PARAMS_HERE}" peass{STORAGE_PARAMS_EXTRA_HERE} | sort | uniq | head -n 70) int_hidden_files_markup: "peass{INT_HIDDEN_FILES}" suidVB1_markup: "peass{SUIDVB1_HERE}" suidVB2_markup: "peass{SUIDVB2_HERE}" sudoVB1_markup: "peass{SUDOVB1_HERE}" sudoVB2_markup: "peass{SUDOVB2_HERE}" cap_setuid_markup: "peass{CAP_SETUID_HERE}" cap_setgid_markup: "peass{CAP_SETGID_HERE}" les_markup: "peass{LES}" les2_markup: "peass{LES2}" ############################## ## AUTO GENERATED VARIABLES ## ## FOR WINPEAS & LINPEAS ## ############################## variables_markup: "peass{VARIABLES}" variables: - name: pwd_inside_history value: "enable_autologin|7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp|^ssh|steghide|@|KEY=|TOKEN=|BEARER=|Authorization:" #################### ## DEFAULT VALUES ## #################### defaults: auto_check: False #The builder will generate a check for the file (only linpeas) bad_regex: "" #The regex used to color red. If only_bad_lines and no line_grep, then only lines containing this regex will be printed very_bad_regex: "" #The regex used to color yellow/red check_extra_path: "" #Check if the found files are in a specific path (only linpeas) good_regex: "" #The regex to color green just_list_file: False #Just mention the path to the file, do not cat it line_grep: "" #The regex to grep lines in a file. 
IMPORTANT: This is the argument for the "grep" command, so you need to specify the single and double quotes (see examples) only_bad_lines: False #Only print lines containing something red (containing bad_regex) remove_empty_lines: False #Remove empty lines, use only for text files (-I param in grep) remove_path: "" #Not interested in files containing this path (only linpeas) remove_regex: "" #Remove lines containing this regex search_in: #By default search in defined common (only linpeas) - common type: f #File by default exec: [] #Cmd to execute with the check (only linpeas) ############## ## EXAMPLES ## ############## #-) In the following example PostgreSQL searches are performed: ## - auto_check is True (by default set it always to True) ## - exec is an array of sh commands to execute, in this case a command is executed to get the postgresql version ## - The file "pgadmin*.db" is searched ### - just_list_file is True, so the content of the file is not going to be read, just the path of the file will be indicated ### - type is f (file, not dir) ### - search_in is "common", so look for this file in common directories ## - The file "pg_hba.conf" is searched ### - bad_regex indicates the content of the file that, if found, is going to be written in red in the output ### - type is f (file, not dir) ### - remove_empty_lines is True, this indicates that empty lines of the file aren't going to be written in the output ### - remove_regex is a regex to avoid printing lines where the regex is found ### - search_in is "common", so look for this file in common directories #- name: PostgreSQL # value: # config: # auto_check: True # exec: # - 'echo "Version: $(warn_exec psql -V 2>/dev/null)"' # # files: # - name: "pgadmin*.db" # value: # type: f # just_list_file: True # search_in: # - common # # - name: "pg_hba.conf" # value: # bad_regex: "auth|password|md5|user=|pass=|trust" # type: f # remove_empty_lines: True # remove_regex: '\W+\#|^#' # search_in: # - common #-) In the 
following example Elasticsearch searches are performed: ## - auto_check is True (by default set it always to True) ## - exec is an array of sh commands to execute, in this case an HTTP request is performed to obtain the version ## - The file "elasticsearch.y*ml" is searched ### - line_grep is the grep argument to filter interesting lines ### - remove_regex is a regex to avoid printing lines where the regex is found ### - type is f (file, not dir) ### - search_in is "common", so look for this file in common directories #- name: Elasticsearch # value: # config: # auto_check: True # exec: # - echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)" # # files: # - name: "elasticsearch.y*ml" # value: # line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"' # remove_regex: '\W+\#|^#' # type: f # search_in: # - common #-) In the following example Apache searches are performed: ## - auto_check is True (by default set it always to True) ## - exec is an array of sh commands to execute during the check ## - The directory "sites-enabled" is searched ### - type is d (dir) ### - search_in is "common", so look for this directory in common directories #### Inside this directory the file "*" is searched (in this case "*" will match all the files, but a more specific pattern can be used) ##### - bad_regex indicates the content of the file that, if found, is going to be written in red in the output ##### - only_bad_lines indicates that only lines that contain the regex indicated in bad_regex are going to be printed ##### - remove_empty_lines is True, this indicates that empty lines of the file aren't going to be written in the output ##### - remove_regex is a regex to avoid printing lines where the regex is found #- name: Apache # value: # config: # auto_check: True # exec: # - 'echo "Version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"' # - "print_3title 'PHP exec extensions'" # - 
'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null' # # files: # - name: "sites-enabled" # value: # type: d # files: # - name: "*" # value: # bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" # only_bad_lines: True # remove_empty_lines: True # remove_regex: '^#' # search_in: # - common ############################### ## Files & folders to search ## ############################### search: - name: Systemd value: disable: - winpeas config: auto_check: False files: - name: "*.service" value: type: f search_in: - all - name: Timer value: disable: - winpeas config: auto_check: False files: - name: "*.timer" value: type: f search_in: - all - name: Socket value: disable: - winpeas config: auto_check: False files: - name: "*.socket" value: type: f search_in: - all - name: DBus value: disable: - winpeas config: auto_check: False files: - name: "system.d" value: type: d search_in: - /etc - name: MySQL value: config: auto_check: False files: - name: mysql value: type: d check_extra_path: "^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql" remove_path: "mysql/mysql" search_in: - common - name: MariaDB value: config: auto_check: True files: - name: "mariadb.cnf" value: bad_regex: "user.*|password.*" type: f remove_regex: '^#' remove_empty_lines: True search_in: - common - name: "debian.cnf" value: bad_regex: "user.*|password.*" type: f only_bad_lines: True search_in: - common - name: PostgreSQL value: config: auto_check: True exec: - 'echo "Version: $(warn_exec psql -V 2>/dev/null)"' files: - name: "pgadmin*.db" value: type: f just_list_file: True search_in: - common - name: "pg_hba.conf" value: bad_regex: "auth|password|md5|user=|pass=|trust" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: "postgresql.conf" value: bad_regex: "auth|password|md5|user=|pass=|trust" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: "pgsql.conf" value: bad_regex: "auth|password|md5|user=|pass=|trust" type: f 
remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: Apache value: config: auto_check: True exec: - 'echo "Version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"' - "print_3title 'PHP exec extensions'" - 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null' files: - name: "sites-enabled" value: type: d files: - name: "*" value: bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" only_bad_lines: True remove_empty_lines: True remove_regex: '#' search_in: - common - name: "000-default.conf" value: bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" type: f search_in: - common - name: "php.ini" value: bad_regex: "On" remove_regex: "^;" line_grep: "allow_" type: f search_in: - common - name: PHP Sessions value: config: auto_check: True exec: - "ls /var/lib/php/sessions 2>/dev/null || echo_not_found /var/lib/php/sessions" files: - name: "sess_*" value: check_extra_path: '/tmp/.*sess_.*|/var/tmp/.*sess_.*' type: f search_in: - /tmp - /var - /mnt - /private - name: PHP_files value: config: auto_check: False files: - name: "*config*.php" value: type: f search_in: - common - name: "database.php" value: type: f search_in: - common - name: "db.php" value: type: f search_in: - common - name: "storage.php" value: type: f search_in: - common - name: "settings.php" value: type: f search_in: - common - name: Wordpress value: config: auto_check: True files: - name: "wp-config.php" value: bad_regex: "PASSWORD|USER|NAME|HOST" only_bad_lines: True type: f search_in: - common - name: Drupal value: config: auto_check: True files: - name: "settings.php" value: bad_regex: "drupal_hash_salt|'database'|'username'|'password'|'host'|'port'|'driver'|'prefix'" check_extra_path: "/default/settings.php" only_bad_lines: True type: f search_in: - common - name: Moodle value: config: auto_check: True files: - name: "config.php" value: bad_regex: "dbtype|dbhost|dbuser|dbhost|dbpass|dbport" check_extra_path: "moodle/config.php" 
only_bad_lines: True type: f search_in: - common - name: Tomcat value: config: auto_check: True files: - name: "tomcat-users.xml" value: bad_regex: "dbtype|dbhost|dbuser|dbhost|dbpass|dbport" line_grep: '"username=|password="' only_bad_lines: True type: f search_in: - common - name: Mongo value: config: auto_check: True exec: - 'echo "Version: $(warn_exec mongo --version 2>/dev/null; warn_exec mongod --version 2>/dev/null)"' files: - name: "mongod*.conf" value: type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: Rocketchat value: config: auto_check: True files: - name: "rocketchat.service" value: bad_regex: "mongodb://.*" line_grep: '-i "Environment"' type: f search_in: - common - /lib - /systemd - name: Supervisord value: config: auto_check: True files: - name: "supervisord.conf" value: bad_regex: "port.*=|username.*=|password.*=" only_bad_lines: True type: f search_in: - common - name: Cesi value: config: auto_check: True files: - name: "cesi.conf" value: bad_regex: "username.*=|password.*=|host.*=|port.*=|database.*=" only_bad_lines: True type: f search_in: - common - name: Rsync value: config: auto_check: True files: - name: "rsyncd.conf" value: bad_regex: "secrets.*|auth.*users.*=" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: "rsyncd.secrets" value: bad_regex: ".*" type: f search_in: - common - name: Hostapd value: config: auto_check: True files: - name: "hostapd.conf" value: bad_regex: "passphrase.*" remove_regex: '^#' remove_empty_lines: True type: f search_in: - common - name: Wifi Connections value: config: auto_check: True files: - name: "system-connections" value: files: - name: "*" value: bad_regex: "psk.*" only_bad_lines: True type: f type: d search_in: - /etc - name: PAM Auth value: config: auto_check: True files: - name: "pam.d" value: files: - name: "sshd" value: bad_regex: ".*" line_grep: '-i "auth"' remove_regex: "^#|^@" type: f type: d search_in: - /etc - name: NFS Exports 
value: config: auto_check: True files: - name: exports value: very_bad_regex: "no_root_squash|no_all_squash" bad_regex: "insecure" remove_regex: '\W+\#|^#' type: f search_in: - /etc - name: Anaconda ks value: config: auto_check: True files: - name: "anaconda-ks.cfg" value: bad_regex: "rootpw.*" only_bad_lines: True type: f search_in: - common - name: Racoon value: config: auto_check: True files: - name: "racoon.conf" value: remove_empty_lines: True bad_regex: "pre_shared_key.*" remove_regex: '^#' type: f search_in: - common - name: "psk.txt" value: remove_empty_lines: True bad_regex: ".*" type: f search_in: - common - name: Kubelet value: config: auto_check: True files: - name: "kubelet" value: files: - name: "kubeconfig" value: bad_regex: "server:|cluster:|namespace:|user:|exec:" type: d search_in: - /var - name: "kube-proxy" value: files: - name: "kubeconfig" value: bad_regex: "cluster:|certificate-authority-data:|namespace:|user:|token:" type: d search_in: - /var - name: VNC value: config: auto_check: True files: - name: ".vnc" value: files: - name: "passwd" value: just_list_file: True type: d search_in: - common - name: "*vnc*.c*nf*" value: bad_regex: ".*" type: f search_in: - common - name: "*vnc*.ini" value: just_list_file: True type: f search_in: - common - name: "*vnc*.txt" value: bad_regex: ".*" type: f search_in: - common - name: "*vnc*.xml" value: bad_regex: ".*" type: f search_in: - common - name: Ldap value: config: auto_check: True exec: - echo "The password hash is from the {SSHA} to 'structural'" files: - name: "ldap" value: files: - name: "*.bdb" value: bad_regex: "administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator" line_grep: '-i -a -o "description.*" | sort | uniq' type: f type: d search_in: - common - name: Log4Shell value: config: auto_check: False files: - name: "log4j-core*.jar" value: type: f search_in: - common - /lib - /lib32 - /lib64 - name: OpenVPN value: config: auto_check: True files: - name: "*.ovpn" value: 
bad_regex: "auth-user-pass.+" only_bad_lines: True type: f search_in: - common - name: SSH value: config: auto_check: True files: - name: "id_dsa*" value: type: f search_in: - common - name: "id_rsa*" value: type: f search_in: - common - name: "known_hosts" value: type: f search_in: - common - name: "authorized_hosts" value: type: f search_in: - common - name: "authorized_keys" value: good_regex: 'from=[\w\._\-]+' type: f search_in: - common - name: CERTSB4 value: config: auto_check: False files: - name: "*.pem" value: type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*' search_in: - common - name: "*.cer" value: type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*' search_in: - common - name: "*.crt" value: type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*' search_in: - common - name: CERTSBIN value: config: auto_check: False files: - name: "*.csr" value: type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*' search_in: - common - name: "*.der" value: type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*' search_in: - common - name: CERTSCLIENT value: config: auto_check: False files: - name: "*.pfx" value: type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*' search_in: - common - name: "*.p12" value: type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*' search_in: - common - name: SSH AGENTS value: config: auto_check: False files: - name: "agent*" value: type: f search_in: - /tmp - /private - name: SSH_CONFIG value: config: auto_check: False files: - name: "ssh*config" value: type: f search_in: - /usr - $HOMESEARCH - name: Cloud Credentials value: config: auto_check: True files: - name: "credentials" value: bad_regex: ".*" type: f search_in: - common - name: "credentials.db" value: bad_regex: ".*" type: f search_in: - common - name: "legacy_credentials.db" value: bad_regex: ".*" type: f search_in: - common 
- name: "access_tokens.db" value: bad_regex: ".*" type: f search_in: - common - name: "access_tokens.json" value: bad_regex: ".*" type: f search_in: - common - name: "accessTokens.json" value: bad_regex: ".*" type: f search_in: - common - name: "azureProfile.json" value: bad_regex: ".*" type: f search_in: - common - name: "TokenCache.dat" value: bad_regex: ".*" type: f search_in: - common - name: "AzureRMContext.json" value: bad_regex: ".*" type: f search_in: - common - name: ".bluemix" value: files: - name: "config.json" value: bad_regex: ".*" type: d search_in: - common - name: Kerberos value: config: auto_check: False files: - name: "krb5.conf" value: type: f search_in: - common - name: "krb5.keytab" value: type: f search_in: - common - name: ".k5login" value: type: f search_in: - common - name: "kadm5.acl" value: type: f search_in: - common - name: "secrets.ldb" value: type: f search_in: - common - name: ".secrets.mkey" value: type: f search_in: - common - name: "sssd.conf" value: type: f search_in: - common - name: Kibana value: config: auto_check: True files: - name: "kibana.y*ml" value: bad_regex: "username|password|host|port|elasticsearch|ssl" type: f remove_empty_lines: True remove_regex: '\W+\#|^#|^[[:space:]]*$' search_in: - common - name: Knockd value: config: auto_check: True files: - name: "*knockd*" value: check_extra_path: "/etc/init.d/" type: f search_in: - /etc - name: Logstash value: config: auto_check: False files: - name: "logstash" value: type: d search_in: - common - name: Elasticsearch value: config: auto_check: True exec: - echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)" files: - name: "elasticsearch.y*ml" value: line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"' remove_regex: '\W+\#|^#' type: f search_in: - common - name: Vault_ssh_helper value: config: auto_check: False files: - name: "vault-ssh-helper.hcl" value: type: f search_in: - 
common - name: Vault_ssh_token value: config: auto_check: False files: - name: ".vault-token" value: type: f search_in: - common - name: CouchDB value: config: auto_check: True files: - name: "couchdb" value: files: - name: "local.ini" value: bad_regex: "admin.*|password.*|cert_file.*|key_file.*|hashed.*|pbkdf2.*" remove_empty_lines: True remove_regex: "^;" type: d search_in: - common - name: Redis value: config: auto_check: True files: - name: "redis.conf" value: bad_regex: "masterauth.*|requirepass.*" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: Mosquitto value: config: auto_check: True files: - name: "mosquitto.conf" value: bad_regex: "password_file.*|psk_file.*|allow_anonymous.*true|auth" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: Neo4j value: config: auto_check: True files: - name: "neo4j" value: files: - name: "auth" value: bad_regex: ".*" remove_empty_lines: True type: d search_in: - common - name: Cloud Init value: config: auto_check: True files: - name: "cloud.cfg" value: bad_regex: "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy" only_bad_lines: True type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common - name: Erlang value: config: auto_check: True files: - name: ".erlang.cookie" value: bad_regex: ".*" type: f search_in: - common - name: GMV Auth value: config: auto_check: True files: - name: "gvm-tools.conf" value: bad_regex: "username.*|password.*" type: f search_in: - common - name: IPSec value: config: auto_check: True files: - name: "ipsec.secrets" value: bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*" type: f search_in: - common - name: "ipsec.conf" value: bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*" type: f search_in: - common - name: IRSSI value: config: auto_check: True files: - name: ".irssi" value: files: - name: "config" value: bad_regex: "password.*" 
type: d search_in: - common - name: Keyring value: config: auto_check: True files: - name: "keyrings" value: type: d search_in: - common - name: "*.keyring" value: just_list_file: True type: f search_in: - common - name: "*.keystore" value: just_list_file: True type: f search_in: - common - name: "*.jks" value: just_list_file: True type: f search_in: - common - name: Filezilla value: config: auto_check: True files: - name: "filezilla" value: files: - name: "sitemanager.xml" value: bad_regex: "Host.*|Port.*|Protocol.*|User.*|Pass.*" remove_empty_lines: True remove_regex: "^;" type: d search_in: - common - name: "filezilla.xml" value: just_list_file: True type: f search_in: - common - name: "recentservers.xml" value: just_list_file: True type: f search_in: - common - name: Backup Manager value: config: auto_check: True files: - name: "storage.php" value: bad_regex: "password|pass|user|database|host" line_grep: >- "'pass'|'password'|'user'|'database'|'host'" type: f search_in: - common - name: "database.php" value: bad_regex: "password|pass|user|database|host" line_grep: >- "'pass'|'password'|'user'|'database'|'host'" only_bad_lines: True type: f search_in: - common - name: Splunk value: config: auto_check: False files: - name: "passwd" value: type: f search_in: - common - name: GitLab value: config: auto_check: False files: - name: "secrets.yml" value: type: f remove_path: "/lib" search_in: - common - name: "gitlab.yml" value: type: f remove_path: "/lib" search_in: - common - name: "gitlab.rm" value: type: f remove_path: "/lib" search_in: - common - name: PGP-GPG value: config: auto_check: True exec: - '( (command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null' - '( (command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null' - '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null' files: - name: "*.pgp" value: type: f search_in: - common - name: "*.gpg" value: type: f search_in: - common - name: "*.gnupg" 
value: type: f remove_path: "README.gnupg" search_in: - common - name: Cache Vi value: disable: - winpeas config: auto_check: True files: - name: "*.swp" value: just_list_file: True type: f search_in: - common - name: "*.viminfo" value: just_list_file: True type: f search_in: - common - name: Docker value: config: auto_check: False files: - name: "docker.socket" value: type: f search_in: - common - name: "docker.sock" value: type: f search_in: - common - name: "Dockerfile" value: type: f search_in: - common - name: "docker-compose.yml" value: type: f search_in: - common - name: Firefox value: disable: - winpeas config: auto_check: True files: - name: ".mozilla" value: files: - name: "places.sqlite" value: just_list_file: True - name: "bookmarkbackups" value: just_list_file: True - name: "formhistory.sqlite" value: just_list_file: True - name: "handlers.json" value: just_list_file: True - name: "persdict.dat" value: just_list_file: True - name: "addons.json" value: just_list_file: True - name: "cookies.sqlite" value: just_list_file: True - name: "cache2" value: just_list_file: True - name: "startupCache" value: just_list_file: True - name: "favicons.sqlite" value: just_list_file: True - name: "prefs.js" value: just_list_file: True - name: "downloads.sqlite" value: just_list_file: True - name: "thumbnails" value: just_list_file: True - name: "logins.json" value: just_list_file: True - name: "key4.db" value: just_list_file: True - name: "key3.db" value: just_list_file: True type: d search_in: - $HOMESEARCH - name: "Firefox" value: files: - name: "places.sqlite" value: just_list_file: True - name: "bookmarkbackups" value: just_list_file: True - name: "formhistory.sqlite" value: just_list_file: True - name: "handlers.json" value: just_list_file: True - name: "persdict.dat" value: just_list_file: True - name: "addons.json" value: just_list_file: True - name: "cookies.sqlite" value: just_list_file: True - name: "cache2" value: just_list_file: True - name: "startupCache" 
value: just_list_file: True - name: "favicons.sqlite" value: just_list_file: True - name: "prefs.js" value: just_list_file: True - name: "downloads.sqlite" value: just_list_file: True - name: "thumbnails" value: just_list_file: True - name: "logins.json" value: just_list_file: True - name: "key4.db" value: just_list_file: True - name: "key3.db" value: just_list_file: True type: d search_in: - $HOMESEARCH - name: Chrome value: disable: - winpeas config: auto_check: True files: - name: "google-chrome" value: files: - name: "History" value: just_list_file: True - name: "Cookies" value: just_list_file: True - name: "Cache" value: just_list_file: True - name: "Bookmarks" value: just_list_file: True - name: "Web Data" value: just_list_file: True - name: "Favicons" value: just_list_file: True - name: "Login Data" value: just_list_file: True - name: "Current Session" value: just_list_file: True - name: "Current Tabs" value: just_list_file: True - name: "Last Session" value: just_list_file: True - name: "Last Tabs" value: just_list_file: True - name: "Extensions" value: just_list_file: True - name: "Thumbnails" value: just_list_file: True - name: "Preferences" value: just_list_file: True type: d search_in: - $HOMESEARCH - name: "Chrome" value: files: - name: "History" value: just_list_file: True - name: "Cookies" value: just_list_file: True - name: "Cache" value: just_list_file: True - name: "Bookmarks" value: just_list_file: True - name: "Web Data" value: just_list_file: True - name: "Favicons" value: just_list_file: True - name: "Login Data" value: just_list_file: True - name: "Current Session" value: just_list_file: True - name: "Current Tabs" value: just_list_file: True - name: "Last Session" value: just_list_file: True - name: "Last Tabs" value: just_list_file: True - name: "Extensions" value: just_list_file: True - name: "Thumbnails" value: just_list_file: True - name: "Preferences" value: just_list_file: True type: d search_in: - $HOMESEARCH - name: Opera value: 
disable: - winpeas config: auto_check: True files: - name: "com.operasoftware.Opera" value: files: - name: "History" value: just_list_file: True - name: "Cookies" value: just_list_file: True - name: "Cache" value: just_list_file: True - name: "Bookmarks" value: just_list_file: True - name: "Web Data" value: just_list_file: True - name: "Favicons" value: just_list_file: True - name: "Login Data" value: just_list_file: True - name: "Current Session" value: just_list_file: True - name: "Current Tabs" value: just_list_file: True - name: "Last Session" value: just_list_file: True - name: "Last Tabs" value: just_list_file: True - name: "Extensions" value: just_list_file: True - name: "Thumbnails" value: just_list_file: True - name: "Preferences" value: just_list_file: True type: d search_in: - $HOMESEARCH - name: Safari value: disable: - winpeas config: auto_check: True files: - name: "Safari" value: files: - name: "History.db" value: just_list_file: True - name: "Downloads.plist" value: just_list_file: True - name: "Book-marks.plist" value: just_list_file: True - name: "TopSites.plist" value: just_list_file: True - name: "UserNotificationPermissions.plist" value: just_list_file: True - name: "LastSession.plist" value: just_list_file: True type: d search_in: - $HOMESEARCH - name: Autologin value: disable: - winpeas config: auto_check: True files: - name: "autologin" value: bad_regex: "passwd" type: f search_in: - common - name: "autologin.conf" value: bad_regex: "passwd" type: f search_in: - common - name: FastCGI value: config: auto_check: True files: - name: "fastcgi_params" value: bad_regex: "DB_NAME|DB_USER|DB_PASS" only_bad_lines: True type: f search_in: - common - name: SNMP value: config: auto_check: True files: - name: "snmpd.conf" value: bad_regex: "rocommunity|rwcommunity|extend.*" only_bad_lines: True type: f search_in: - common - name: Pypirc value: config: auto_check: True files: - name: ".pypirc" value: bad_regex: "username|password" type: f search_in: - 
common - name: Postfix value: config: auto_check: True files: - name: "postfix" value: files: - name: "master.cf" value: bad_regex: "user=|argv=" remove_empty_lines: True line_grep: '"user="' type: d search_in: - common - name: CloudFlare value: config: auto_check: True files: - name: ".cloudflared" value: type: d just_list_file: True search_in: - common - name: History value: config: auto_check: False files: - name: '*_history*' value: bad_regex: "$pwd_inside_history" line_grep: '-a "$pwd_inside_history"' type: f search_in: - common - name: Http_conf value: config: auto_check: True files: - name: "httpd.conf" value: bad_regex: "htaccess.*|htpasswd.*" only_bad_lines: True remove_regex: '\W+\#|^#' remove_empty_lines: True type: f search_in: - common - name: Htpasswd value: config: auto_check: True files: - name: ".htpasswd" value: bad_regex: ".*" remove_regex: '^#' remove_empty_lines: True type: f search_in: - common - name: Ldaprc value: config: auto_check: True files: - name: ".ldaprc" value: bad_regex: ".*" remove_regex: '^#' remove_empty_lines: True type: f search_in: - common - name: Env value: config: auto_check: True files: - name: ".env" value: bad_regex: "[pP][aA][sS][sS].*|[tT][oO][kK][eE][N]|[dD][bB]" remove_regex: '^#' remove_empty_lines: True type: f search_in: - common - name: Msmtprc value: config: auto_check: True files: - name: ".msmtprc" value: bad_regex: "user.*|password.*" remove_regex: '^#' remove_empty_lines: True type: f search_in: - common - name: InfluxDB value: config: auto_check: True files: - name: "influxdb.conf" value: bad_regex: "auth-enabled.*=.*false|token|https-private-key" remove_regex: '^#' remove_empty_lines: True type: f search_in: - common - name: Zabbix value: config: auto_check: True files: - name: "zabbix_server.conf" value: bad_regex: "DBName|DBUser|DBPassword" remove_regex: '^#' remove_empty_lines: True type: f search_in: - common - name: "zabbix_agentd.conf" value: bad_regex: "TLSPSKFile|psk" remove_regex: '^#' 
remove_empty_lines: True type: f search_in: - common - name: "zabbix" value: files: - name: "*.psk" value: bad_regex: ".*" remove_empty_lines: True type: d search_in: - common - name: Github value: config: auto_check: True files: - name: ".github" value: just_list_file: True type: f search_in: - common - name: ".gitconfig" value: just_list_file: True type: f search_in: - common - name: ".git-credentials" value: just_list_file: True type: f search_in: - common - name: ".git" value: just_list_file: True type: f search_in: - common - name: Svn value: config: auto_check: True files: - name: ".svn" value: just_list_file: True type: d search_in: - common - name: Keepass value: config: auto_check: True files: - name: "*.kdbx" value: just_list_file: True type: f search_in: - common - name: "KeePass.config*" value: just_list_file: True type: f search_in: - common - name: "KeePass.ini" value: just_list_file: True type: f search_in: - common - name: "KeePass.enforced*" value: just_list_file: True type: f search_in: - common - name: Pre-Shared Keys value: config: auto_check: True files: - name: "*.psk" value: just_list_file: True type: f search_in: - common - name: Pass Store Directories value: config: auto_check: True files: - name: ".password-store" value: just_list_file: True type: d search_in: - common - name: FTP value: config: auto_check: True files: - name: "*.ftpconfig" value: just_list_file: True type: f search_in: - common - name: "ffftp.ini" value: just_list_file: True type: f search_in: - common - name: "ftp.ini" value: just_list_file: True type: f search_in: - common - name: "ftp.config" value: just_list_file: True type: f search_in: - common - name: "sites.ini" value: just_list_file: True type: f search_in: - common - name: "wcx_ftp.ini" value: just_list_file: True type: f search_in: - common - name: "winscp.ini" value: just_list_file: True type: f search_in: - common - name: "ws_ftp.ini" value: just_list_file: True type: f search_in: - common - name: Bind value: 
config: auto_check: True files: - name: "bind" value: files: - name: "*" value: just_list_file: True - name: "*.key" value: bad_regex: ".*" remove_empty_lines: True remove_regex: '^#' type: d search_in: - /etc #False positives in home - /var - /usr - name: SeedDMS value: config: auto_check: True files: - name: "seeddms*" value: files: - name: "settings.xml" value: bad_regex: "[pP][aA][sS][sS]" line_grep: '"="' type: d search_in: - common - name: Ddclient value: config: auto_check: True files: - name: "ddclient.conf" value: bad_regex: ".*password.*" type: f search_in: - common - name: kcpassword value: config: auto_check: False files: - name: "kcpassword" value: just_list_file: True type: f search_in: - common - name: Sentry value: config: auto_check: True files: - name: "sentry" value: files: - name: "config.yml" value: bad_regex: "*key*" remove_empty_lines: True remove_regex: '^#' type: d search_in: - common - name: "sentry.conf.py" value: bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*" remove_empty_lines: True remove_regex: '^#' type: f search_in: - common - name: Strapi value: config: auto_check: True files: - name: "environments" value: files: - name: "custom.json" value: bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*" remove_empty_lines: True - name: "database.json" value: bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*" remove_empty_lines: True - name: "request.json" value: bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*" remove_empty_lines: True - name: "response.json" value: bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*" remove_empty_lines: True - name: "security.json" value: bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*" remove_empty_lines: True - name: "server.json" value: bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*" remove_empty_lines: True type: d search_in: - common - name: Cacti value: config: auto_check: True files: - name: "cacti" value: files: - name: "config.php" value: bad_regex: 
"database_pw.*|database_user.*|database_pass.*" line_grep: '"database_pw|database_user|database_pass|database_type|database_default|detabase_hostname|database_port|database_ssl"' - name: "config.php.dist" value: bad_regex: "database_pw.*|database_user.*|database_pass.*" line_grep: '"database_pw|database_user|database_pass|database_type|database_default|detabase_hostname|database_port|database_ssl"' - name: "installer.php" value: bad_regex: "database_pw.*|database_user.*|database_pass.*" line_grep: '"database_pw|database_user|database_pass|database_type|database_default|detabase_hostname|database_port|database_ssl"' - name: "check_all_pages" value: bad_regex: "database_pw.*|database_user.*|database_pass.*" line_grep: '"database_pw|database_user|database_pass|database_type|database_default|detabase_hostname|database_port|database_ssl"' type: d search_in: - common - name: Roundcube value: config: auto_check: True files: - name: "roundcube" value: files: - name: "config.inc.php" value: bad_regex: "db_dsnw" line_grep: '"config\["' type: d search_in: - common - name: Passbolt value: config: auto_check: True files: - name: "passbolt.php" value: bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*" line_grep: '"host|port|username|password|database"' remove_empty_lines: True remove_regex: '^#' type: f search_in: - common - name: Jetty value: config: auto_check: True files: - name: "jetty-realm.properties" value: bad_regex: ".*" remove_empty_lines: True remove_regex: '^#' type: f search_in: - common - name: Wget value: config: auto_check: True files: - name: ".wgetrc" value: bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*" remove_empty_lines: True remove_regex: '^#' type: f search_in: - common - name: Interesting logs value: config: auto_check: True files: - name: "access.log" value: just_list_file: True type: f search_in: - common - name: "error.log" value: just_list_file: True type: f search_in: - common - name: Other Interesting Files value: config: auto_check: True files: 
- name: ".bashrc" value: just_list_file: True type: f search_in: - common - name: ".google_authenticator" value: just_list_file: True type: f search_in: - common - name: "hosts.equiv" value: just_list_file: True type: f search_in: - common - name: ".lesshst" value: just_list_file: True type: f search_in: - common - name: ".plan" value: just_list_file: True type: f search_in: - common - name: ".profile" value: just_list_file: True type: f search_in: - common - name: ".recently-used.xbel" value: just_list_file: True type: f search_in: - common - name: ".rhosts" value: just_list_file: True type: f search_in: - common - name: ".sudo_as_admin_successful" value: just_list_file: True type: f search_in: - common - name: Windows Files value: config: auto_check: True files: - name: "unattend.inf" value: just_list_file: True type: f search_in: - common - name: "*.rdg" value: just_list_file: True type: f search_in: - common - name: "AppEvent.Evt" value: just_list_file: True type: f search_in: - common - name: "ConsoleHost_history.txt" value: just_list_file: True type: f search_in: - common - name: "FreeSSHDservice.ini" value: just_list_file: True type: f search_in: - common - name: "NetSetup.log" value: just_list_file: True type: f search_in: - common - name: "Ntds.dit" value: just_list_file: True type: f search_in: - common - name: "protecteduserkey.bin" value: just_list_file: True type: f search_in: - common - name: "RDCMan.settings" value: just_list_file: True type: f search_in: - common - name: "SAM" value: just_list_file: True type: f search_in: - common - name: "SYSTEM" value: just_list_file: True type: f search_in: - common - name: "SecEvent.Evt" value: just_list_file: True type: f search_in: - common - name: "appcmd.exe" value: just_list_file: True type: f search_in: - common - name: "bash.exe" value: just_list_file: True type: f search_in: - common - name: "datasources.xml" value: just_list_file: True type: f search_in: - common - name: "default.sav" value: 
just_list_file: True type: f search_in: - common - name: "drives.xml" value: just_list_file: True type: f search_in: - common - name: "groups.xml" value: just_list_file: True type: f search_in: - common - name: "https-xampp.conf" value: just_list_file: True type: f search_in: - common - name: "https.conf" value: just_list_file: True type: f search_in: - common - name: "iis6.log" value: just_list_file: True type: f search_in: - common - name: "index.dat" value: just_list_file: True type: f search_in: - common - name: "my.cnf" value: just_list_file: True type: f search_in: - common - name: "my.ini" value: just_list_file: True type: f search_in: - common - name: "ntuser.dat" value: just_list_file: True type: f search_in: - common - name: "pagefile.sys" value: just_list_file: True type: f search_in: - common - name: "printers.xml" value: just_list_file: True type: f search_in: - common - name: "recentservers.xml" value: just_list_file: True type: f search_in: - common - name: "scclient.exe" value: just_list_file: True type: f search_in: - common - name: "scheduledtasks.xml" value: just_list_file: True type: f search_in: - common - name: "security.sav" value: just_list_file: True type: f search_in: - common - name: "server.xml" value: just_list_file: True type: f search_in: - common - name: "setupinfo" value: just_list_file: True type: f search_in: - common - name: "setupinfo.bak" value: just_list_file: True type: f search_in: - common - name: "sitemanager.xml" value: just_list_file: True type: f search_in: - common - name: "sites.ini" value: just_list_file: True type: f search_in: - common - name: "software" value: just_list_file: True type: f search_in: - common - name: "software.sav" value: just_list_file: True type: f search_in: - common - name: "sysprep.inf" value: just_list_file: True type: f search_in: - common - name: "sysprep.xml" value: just_list_file: True type: f search_in: - common - name: "system.sav" value: just_list_file: True type: f search_in: - common 
- name: "unattend.txt" value: just_list_file: True type: f search_in: - common - name: "unattend.xml" value: just_list_file: True type: f search_in: - common - name: "unattended.xml" value: just_list_file: True type: f search_in: - common - name: "wcx_ftp.ini" value: just_list_file: True type: f search_in: - common - name: "ws_ftp.ini" value: just_list_file: True type: f search_in: - common - name: "web*.config" value: just_list_file: True type: f search_in: - common - name: "winscp.ini" value: just_list_file: True type: f search_in: - common - name: "wsl.exe" value: just_list_file: True type: f search_in: - common - name: Other Windows Files value: config: auto_check: True disable: - linpeas files: - name: "security" value: just_list_file: True type: f search_in: - common - name: "services.xml" value: just_list_file: True type: f search_in: - common - name: "system" value: just_list_file: True type: f search_in: - common # Final section - name: Database value: config: auto_check: False files: - name: "*.db" value: remove_path: "/man/|/usr/|/var/cache/" type: f search_in: - common - name: "*.sqlite" value: remove_path: "/man/|/usr/|/var/cache/" type: f search_in: - common - name: "*.sqlite3" value: remove_path: "/man/|/usr/|/var/cache/" type: f search_in: - common - name: Backups value: config: auto_check: False files: - name: "backup" value: type: f search_in: - common - name: "backups" value: type: f search_in: - common - name: Password Files value: config: auto_check: False files: - name: "*password*" value: just_list_file: True type: f search_in: - common - name: "*credential*" value: just_list_file: True type: f search_in: - common - name: "creds*" value: just_list_file: True type: f search_in: - common - name: "*.key" value: just_list_file: True type: f search_in: - common